Reject Users who are expired in DS 389 (Based on LDAP V3)
Alan DeKok
aland at deployingradius.com
Thu Apr 16 14:36:49 CEST 2020
On Apr 16, 2020, at 3:52 AM, luckydog xf <luckydogxf at gmail.com> wrote:
>
> I did them as your suggestion,
>
> Now ldap module works, here is output of `radiusd -X`
> (0) ldap: control:krbpasswdexpireString += '20200706030533Z'
>
> ....
>
> rlm_ldap (ldap): Bind successful
> (0) [ldap] = updated
> (0) update control {
> (0) EXPAND %{date:&(control:krbpasswdexpireString)}
? The debug output doesn't add round brackets. This should be:
EXPAND %{date:&control:krbpasswdexpireString}
> (0) -->
> (0) krbpasswdexpireDate := Jan 1 1970 08:00:00 HKT
>
> It seems that date does not get correct input, here is my
> site-available/default
>
> -------
>
> ldap
>
> update control {
>
> krbpasswdexpireDate :=
> "%{date:&control:krbpasswdexpireString}"
Which isn't the same as shown in the debug output.
> # I want to convert it to unix epoch time.
> if ( krbpasswdexpireDate >"%l" ) {
You can't put "if" statements inside of an "update" section. It won't work.
I tried parsing that date here and it works:
(0) update request {
(0) Filter-Id := "20200706030533Z"
(0) } # update request = noop
(0) update control {
(0) EXPAND %{krb2date:&Filter-Id}
(0) --> 1594022733
(0) Event-Timestamp := Jul 6 2020 04:05:33 EDT
Alan DeKok.
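
The conversion and comparison this thread is after, as an added example that is not part of the original message and not FreeRADIUS code: a Python sketch that parses an LDAP GeneralizedTime value such as krbpasswdexpireString into Unix epoch seconds and decides whether the password has expired. It goes beyond the single "...Z" form in the thread to the other RFC 4517 forms (optional minutes and seconds, fractions, numeric offsets). The function names and the fail-closed choice for unparsable values are assumptions of this example.

```python
import re
import time
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][(.|,)fraction](Z|+-HH[MM])
_GT = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(?:(\d{2})(\d{2})?)?"
    r"(?:[.,](\d+))?(Z|[+-]\d{2}(?:\d{2})?)$"
)

def generalized_time_to_epoch(value):
    """Return Unix epoch seconds for an LDAP GeneralizedTime string."""
    m = _GT.match(value.strip())
    if not m:
        raise ValueError("not a GeneralizedTime value: %r" % value)
    year, mon, day, hour = (int(m.group(i)) for i in range(1, 5))
    minute = int(m.group(5) or 0)
    second = int(m.group(6) or 0)
    tz = m.group(8)
    if tz == "Z":                      # "Z" means UTC, not server local time
        offset = timedelta(0)
    else:
        sign = -1 if tz[0] == "-" else 1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5] or 0))
    dt = datetime(year, mon, day, hour, minute, second, tzinfo=timezone(offset))
    # A fraction applies to the smallest unit present (hour, minute or second).
    unit = 1 if m.group(6) else 60 if m.group(5) else 3600
    frac = float("0." + m.group(7)) * unit if m.group(7) else 0.0
    return int(dt.timestamp() + frac)

def is_expired(value, now=None):
    """True once the expiry time has passed (hypothetical helper)."""
    now = time.time() if now is None else now
    try:
        return generalized_time_to_epoch(value) <= now
    except ValueError:
        # Assumption: fail closed. A value that cannot be parsed must not
        # silently turn into "never expires" or into epoch 0.
        return True

if __name__ == "__main__":
    sample = "20200706030533Z"         # the value from the debug output above
    print(generalized_time_to_epoch(sample), is_expired(sample))
```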