up@3.am wrote:
However, we just noticed that password expiry isn't working. I suspect this is because we are still using all the original POSIX attributes and none of them look like good for mapping to the ones supplied by FreeRADIUS. I see:
checkItem Expiration radiusExpiration
Did you check that the LDAP module is returning this attribute for the query?
No, I don't expect it to, since I don't have that attribute or anything that looks like it might be a good substitute.
Did you check that Expiration works if you put it into the "users" file?
I'm not worried about that...expiry worked with the old rlm_pam using Unix expiry. When exporting Unix to LDAP, the expiry data was exported from /etc/shadow to the two LDAP attributes mentioned. I was hoping that perhaps there was a module that could calculate between the two and figure out that the password was expired and take it from there. I figured it a long shot but worth asking. Thanks!