Hi,list, Currently I'm using FreeIPA (Based on DS389 ) as backend and LDAP module to do AAA. Users's password in DS389 may be expired and the weird thing is that user can still login on NAS( VPN.etc). There only exists an attribute named 'krbPasswordExpiration' and its value is something like 20201022032134Z. So once user logins on, I will extract this value and compare with current date ( Guess this is a runtime variable, "%l ") to decide whether to continue or reject it immediately. I tried to set in the ../module-enabled/ldap ---- control:Password-With-Header += 'userPassword' control: += ' krbPasswordExpiration ' --- It always throws an exception. So how to resolve this? Thanks. Regards