LDAP (POSIX attributes) password expiry
Fajar A. Nugraha
list at fajar.net
Wed Feb 29 00:12:02 CET 2012
On Wed, Feb 29, 2012 at 6:11 AM, Fajar A. Nugraha <list at fajar.net> wrote:
> On Wed, Feb 29, 2012 at 4:16 AM, <up at 3.am> wrote:
>> Hi:
>>
>> We've been running various versions of FreeRadius for years, currently 2.1.10 in
>> this application. A while ago, we switched from PAM (unix) auth to LDAP auth.
>> Everything worked fine after the switch...POSIX attributes for group membership
>> correctly allocated the right ippools, etc.
>>
>> However, we just noticed that password expiry isn't working. I suspect this is
>> because we are still using all the original POSIX attributes and none of them look
>> like good for mapping to the ones supplied by FreeRADIUS. I see:
>>
>> checkItem Expiration radiusExpiration
>>
>> Our LDAP attributes use the following POSIX attributes to determine expiry:
>>
>> shadowMax: 90
>> shadowLastChange: 15215
>>
>> With the first being the maximum age of the password and the second being the
>> number of days since the Epoch. I will post the obligatory debug output below
>> (with sensitive or irrelevant stuff snipped out) for a successful authentication
>> for an expired password that shouldn't have succeeded. If anybody has an idea how
>> to fix this with the minimal of messing around with our LDAP config itself, I'd
>> greatly appreciate it...or, if that's unrealistic, what should be done. TIA!
>
> IIRC the Expiration attribute requires the format of "01 Jan 2011
> 01:00:00" (or something like that, other format might work, test it
> first). From the two LDAP attributes, you should be able to process
> them and present it as a new attribute.
>
> I see no easy way to do that without additional module though. You
> COULD use something like this on ldap.attrmap:
>
> checkItem Tmp-Integer-0 shadowMax
> checkItem Tmp-Integer-1 shadowLastChange
>
> ... then convert it to expiration with rlm_perl/rlm_sql/whatever. If
> you already have a mysql instance (e.g. for accounting), you could
> probably use it to do the processing. Something like this (see
> http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html):
>
> update control {
>     Expiration := "%{sql: SELECT FROM_UNIXTIME( ( %{Tmp-Integer-0} +
> %{Tmp-Integer-1} ) * 86400, '%d %b %Y %H:%i:%s' )}"
> }
Sorry, it should be something like this (the two Tmp-Integer items were
mapped as checkItems, so they live in the control list; the MySQL format
string also needs the colon between minutes and seconds):

update control {
    # (shadowLastChange + shadowMax) days after the epoch, as seconds
    Expiration := "%{sql: SELECT FROM_UNIXTIME( ( %{control:Tmp-Integer-0} +
%{control:Tmp-Integer-1} ) * 86400, '%d %b %Y %H:%i:%s' )}"
}
--
Fajar
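The conversion the thread arrives at (expiry = (shadowLastChange + shadowMax) days after the epoch, rendered in the "01 Jan 2011 01:00:00" layout the Expiration check item accepts) can be checked outside FreeRADIUS before wiring it into unlang. The following is an added example, not code from the original post or from the FreeRADIUS project: it computes the expiry instant from the two POSIX shadow attributes, renders the Expiration string, and decides whether a password is expired at a given time. It goes slightly beyond the thread by applying the special values documented in shadow(5): a missing or negative shadowLastChange means aging is disabled, a shadowLastChange of 0 means the password must be changed at next login, and a missing, negative or 99999 shadowMax means no maximum age. The functions and the sample values for the poster's account are the example's own construction.

```python
"""Convert POSIX shadow aging attributes into a FreeRADIUS Expiration value.

Added example (not from the mailing-list post or FreeRADIUS itself).
shadowLastChange and shadowMax are day counts, as in shadow(5); the special
values handled below follow that man page and are an assumption of this
example, not something the post states.
"""
from datetime import datetime, timezone
from typing import Optional

SECONDS_PER_DAY = 86400

# Python strftime equivalent of the MySQL '%d %b %Y %H:%i:%s' used in the post,
# i.e. the "01 Jan 2011 01:00:00" layout the Expiration check item accepts.
FREERADIUS_FMT = "%d %b %Y %H:%M:%S"

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def shadow_expiry(shadow_max: Optional[int],
                  shadow_last_change: Optional[int]) -> Optional[datetime]:
    """Return the UTC instant at which the password expires.

    None means the password never expires under shadow(5) rules.
    """
    # Empty or negative shadowLastChange: password aging is disabled.
    if shadow_last_change is None or shadow_last_change < 0:
        return None
    # shadowLastChange == 0: user must change the password at next login,
    # so treat it as already expired (expiry at the epoch).
    if shadow_last_change == 0:
        return EPOCH
    # Empty, negative or 99999 shadowMax: no maximum password age.
    if shadow_max is None or shadow_max < 0 or shadow_max >= 99999:
        return None
    days = shadow_last_change + shadow_max
    return datetime.fromtimestamp(days * SECONDS_PER_DAY, tz=timezone.utc)


def expiration_attr(shadow_max: Optional[int],
                    shadow_last_change: Optional[int]) -> Optional[str]:
    """Render the value you would assign to control:Expiration, or None
    when no Expiration should be set (password never expires)."""
    expiry = shadow_expiry(shadow_max, shadow_last_change)
    return None if expiry is None else expiry.strftime(FREERADIUS_FMT)


def is_expired(shadow_max: Optional[int],
               shadow_last_change: Optional[int],
               now: datetime) -> bool:
    """True if the password has expired as of `now` (must be tz-aware)."""
    expiry = shadow_expiry(shadow_max, shadow_last_change)
    return expiry is not None and now >= expiry


def parse_ldap_int(value: Optional[str]) -> Optional[int]:
    """LDAP hands these attributes over as strings; an absent attribute
    becomes None so the shadow(5) 'empty field' rules apply."""
    if value is None or value.strip() == "":
        return None
    return int(value)


if __name__ == "__main__":
    # Constructed sample: the values from the original question.
    shadow_max = parse_ldap_int("90")
    shadow_last_change = parse_ldap_int("15215")
    when = datetime(2012, 2, 29, 0, 12, 2, tzinfo=timezone.utc)
    print("Expiration :=", expiration_attr(shadow_max, shadow_last_change))
    print("expired on", when.date(), "?", is_expired(shadow_max, shadow_last_change, when))
```

Run with a C/POSIX locale so `%b` yields the English month abbreviation FreeRADIUS expects; with the poster's values the expiry works out to 27 Nov 2011, so an authentication on 29 Feb 2012 should have been rejected once control:Expiration is populated.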