Reject Users who are expired in DS 389 (Based on LDAP V3)
luckydog xf
luckydogxf at gmail.com
Fri Apr 17 04:42:37 CEST 2020
Oh, thanks Alan. It works; here is my site-enabled/default
---------
krbpasswdexpireDate := "%{date:&control:krbpasswdexpireString}"
-------------
and
if ( "%{control:krbpasswdexpireDate}" < "%l" ) {
    reject
}
Thanks for your help and have a good day.
On Thu, Apr 16, 2020 at 8:37 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Apr 16, 2020, at 3:52 AM, luckydog xf <luckydogxf at gmail.com> wrote:
> >
> > I did them as your suggestion,
> >
> > Now ldap module works, here is output of `radiusd -X`
> > (0) ldap: control:krbpasswdexpireString += '20200706030533Z'
> >
> > ....
> >
> > rlm_ldap (ldap): Bind successful
> > (0) [ldap] = updated
> > (0) update control {
> > (0) EXPAND %{date:&(control:krbpasswdexpireString)}
>
> ? The debug output doesn't add round brackets. This should be:
>
> EXPAND %{date:&control:krbpasswdexpireString}
>
> > (0) -->
> > (0) krbpasswdexpireDate := Jan 1 1970 08:00:00 HKT
> >
> > It seems that date does not get correct input, here is my
> > site-available/default
> >
> > -------
> >
> > ldap
> >
> > update control {
> >
> > krbpasswdexpireDate :=
> > "%{date:&control:krbpasswdexpireString}"
>
> Which isn't the same as shown in the debug output.
>
> > # I want to convert it to unix epoch time.
> > if ( krbpasswdexpireDate >"%l" ) {
>
> You can't put "if" statements inside of an "update" section. It won't
> work.
>
> I tried parsing that date here and it works:
>
> (0) update request {
> (0) Filter-Id := "20200706030533Z"
> (0) } # update request = noop
> (0) update control {
> (0) EXPAND %{krb2date:&Filter-Id}
> (0) --> 1594022733
> (0) Event-Timestamp := Jul 6 2020 04:05:33 EDT
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
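
The check discussed in this thread, as an added example that is not part of the original messages and not FreeRADIUS code: a Python sketch that converts a `krbpasswdexpireString` value such as `20200706030533Z` to Unix epoch seconds and applies the same "expiry earlier than now means reject" rule. The function names are hypothetical, only the `YYYYmmddHHMMSSZ` form shown above is accepted, and rejecting a missing or malformed value is an assumption of this example.

```python
import calendar
import re
import time

# Only the form seen in the thread: 14 ASCII digits followed by "Z" (UTC).
_KRB_TIME = re.compile(r"[0-9]{14}Z")


def krb_time_to_epoch(value):
    """Return epoch seconds for e.g. '20200706030533Z', or None if unparsable."""
    if not value or not _KRB_TIME.fullmatch(value):
        return None
    try:
        # strptime() rejects out-of-range fields such as month 13 or day 32.
        fields = time.strptime(value, "%Y%m%d%H%M%SZ")
    except ValueError:
        return None
    # timegm() reads the fields as UTC, which is what the trailing "Z" means.
    # mktime() would read them in the server's local zone and shift the result.
    return calendar.timegm(fields)


def check_password_expiry(expire_string, now=None):
    """Return 'reject' if the password has expired, otherwise 'accept'."""
    if now is None:
        now = int(time.time())
    expires = krb_time_to_epoch(expire_string)
    if expires is None:
        # Assumption: an unparsable or missing expiry fails closed.
        return "reject"
    return "reject" if expires < now else "accept"


if __name__ == "__main__":
    sample = "20200706030533Z"  # value from the debug output in the thread
    print(krb_time_to_epoch(sample))
    print(check_password_expiry(sample))
```

Read as UTC, the sample value is 1594004733; a conversion that treats the same fields as local time moves the cutoff by the server's UTC offset.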