Reject Users who are expired in DS 389 (Based on LDAP V3)

luckydog xf luckydogxf at gmail.com
Fri Apr 10 08:09:50 CEST 2020


I see, so which RADIUS attribute is good for this mapping?

Like control:Password-With-Header, which one shall I use?



On Thu, Apr 9, 2020 at 8:13 PM Alan DeKok <aland at deployingradius.com> wrote:

> On Apr 9, 2020, at 5:18 AM, luckydog xf <luckydogxf at gmail.com> wrote:
> >
> >  Currently I'm using FreeIPA (Based on DS389 ) as backend and LDAP module
> > to do AAA.
> >
> >  Users' passwords in DS389 may be expired and the weird thing is that
> > the user can still login on the NAS (VPN, etc.).
> >
> > There only exists an attribute named 'krbPasswordExpiration' and its
> value
> > is something like 20201022032134Z.
>
>   That's a time format with the years, months, and days all mashed into
> one field.  Definitely not the normal LDAP user expiration field, or format.
>
> >  So once a user logs in, I will extract this value and compare it with
> > the current date (guess this is a runtime variable, "%l") to decide whether
> > to continue or reject it immediately.
>
>   That's a good start, but it won't work.  "%l" is the current Unix epoch
> time in seconds.  The krbPasswordExpiration field is not in the same
> format.  You will need to convert one format to the other.  See
> mods-available/date, which can do some date conversion.
>
> > I tried to set in the ../module-enabled/ldap
> > ----
> >                control:Password-With-Header    += 'userPassword'
> >
> >                control:                        += 'krbPasswordExpiration'
> >
> > ---
> >  It always throws an exception.  So how to resolve this?
>
>   Read the documentation and follow it.  You cannot just put a bare
> "control:"  into the LDAP map. The "control" name means that the attribute
> is being put into the "control" list.  Except you didn't specify which
> attribute to use.
>
>   So... follow the rest of the examples, and add an attribute name.
>
>   And when you post messages, include the *actual error*.  It's
> important.  When you say "it throws an exception", that's not true, and
> misleading.  It gives a very specific error message, which you are ignoring.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
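The comparison the thread is circling around, written out as a standalone check. This is an added example, not code from the thread or from FreeRADIUS: it parses the `krbPasswordExpiration` value in the GeneralizedTime form quoted above (`20201022032134Z`, UTC), converts it to Unix epoch seconds (the same unit `%l` gives inside FreeRADIUS), and makes the accept/reject decision. The function names, the sample attribute values and the "now" timestamp are constructed for illustration; the policy of rejecting on a missing or unparseable attribute is an assumption chosen to fail closed.

```python
"""Decide whether a DS389/FreeIPA user's password has expired.

Added example (not from the mailing-list thread or FreeRADIUS itself).
Models the check the poster wants: read krbPasswordExpiration, convert
it to epoch seconds, compare with "now" (what %l provides in FreeRADIUS),
and reject the user if the password has already expired.
"""
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

# GeneralizedTime as DS389/FreeIPA writes it: YYYYMMDDHHMMSS[.fff]Z, always UTC.
# Only the 'Z' (UTC) form is accepted; an explicit +hhmm offset is treated as
# malformed here so the caller fails closed instead of guessing a timezone.
_GENERALIZED_TIME_RE = re.compile(r"^(\d{14})(?:[.,]\d+)?Z$")


def generalized_time_to_epoch(value: str) -> int:
    """Convert an LDAP GeneralizedTime string (UTC, 'Z' suffix) to epoch seconds.

    Raises ValueError for anything that does not match the expected form.
    """
    match = _GENERALIZED_TIME_RE.match(value.strip())
    if not match:
        raise ValueError(f"not a UTC GeneralizedTime: {value!r}")
    stamp = datetime.strptime(match.group(1), "%Y%m%d%H%M%S")
    return int(stamp.replace(tzinfo=timezone.utc).timestamp())


def check_password_expiry(
    krb_password_expiration: Optional[str], now_epoch: int
) -> Tuple[str, str]:
    """Return ("accept"|"reject", reason) for the given attribute value and time.

    Policy choice (an assumption, not FreeIPA's own rule): a missing or
    unparseable krbPasswordExpiration is rejected so the check fails closed.
    """
    if krb_password_expiration is None:
        return ("reject", "krbPasswordExpiration attribute missing")
    try:
        expires_at = generalized_time_to_epoch(krb_password_expiration)
    except ValueError as exc:
        return ("reject", f"unparseable krbPasswordExpiration: {exc}")
    if expires_at <= now_epoch:
        return ("reject", f"password expired at epoch {expires_at}")
    return ("accept", f"password valid until epoch {expires_at}")


def demo() -> dict:
    """Run the check over constructed sample values and return the decisions."""
    # Constructed "now": 2020-04-10 06:09:50 UTC (epoch 1586498990).
    now = generalized_time_to_epoch("20200410060950Z")
    samples = {
        "future": "20201022032134Z",   # value quoted in the thread
        "past": "20200101000000Z",     # constructed: already expired
        "fractional": "20201022032134.123Z",  # constructed: DS389 may add fractions
        "malformed": "20201022",       # constructed: truncated value
        "missing": None,               # attribute absent on the entry
    }
    return {name: check_password_expiry(value, now) for name, value in samples.items()}


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:10s} -> {decision}: {reason}")
```

In FreeRADIUS terms, the same flow needs the LDAP map to copy the attribute into a named control attribute (the bare `control:` in the thread is what the reply objects to; FreeRADIUS ships internal scratch attributes such as `Tmp-String-0` for this) and a conversion step, which is what the reply points at in `mods-available/date`, before the value can be compared with `%l`.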
