I did them as your suggestion, Now ldap module works, here is output of `radiusd -X` (0) ldap: control:krbpasswdexpireString += '20200706030533Z' .... rlm_ldap (ldap): Bind successful (0) [ldap] = updated (0) update control { (0) EXPAND %{date:&(control:krbpasswdexpireString)} (0) --> (0) krbpasswdexpireDate := Jan 1 1970 08:00:00 HKT It seems that date does not get correct input, here is my site-available/default ------- ldap update control { krbpasswdexpireDate := "%{date:&control:krbpasswdexpireString}" # I want to convert it to unix epoch time. if ( krbpasswdexpireDate >"%l" ) { reject } } Thanks, On Wed, Apr 15, 2020 at 9:00 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 15, 2020, at 2:29 AM, luckydog xf <luckydogxf@gmail.com> wrote:
I added a dictionary named krbpasswdexpire in /etc/raddb/dictionary.
And update /etc/raddb/mod-enabled/ldap
control:krbpasswdexpire += "%{date:krbPasswordExpiration}"
That don't work. The "krbPasswordExpiration" string is NOT something which is available to the dynamic string expansions.
You must do this:
edit raddb/dictionary
Add krbpasswdexpireString as a "string" attribute.
Add a krbpasswdexpireDate as a "date" attribute
update /etc/raddb/mod-enabled/ldap
control:krbpasswdexpireString += krbPasswordExpiration
Which assigns the "2020...Z" string to the krbpasswdexpireString attribute.
Then after the LDAP module has run, parse the date:
update control { krbpasswdexpireDate := %{date:&control: krbpasswdexpireString}" }
That should work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html