Reject Users who are expired in DS 389( Based on LDAP V3)
Hi,list, Currently I'm using FreeIPA (Based on DS389 ) as backend and LDAP module to do AAA. Users's password in DS389 may be expired and the weird thing is that user can still login on NAS( VPN.etc). There only exists an attribute named 'krbPasswordExpiration' and its value is something like 20201022032134Z. So once user logins on, I will extract this value and compare with current date ( Guess this is a runtime variable, "%l ") to decide whether to continue or reject it immediately. I tried to set in the ../module-enabled/ldap ---- control:Password-With-Header += 'userPassword' control: += ' krbPasswordExpiration ' --- It always throws an exception. So how to resolve this? Thanks. Regards
On Apr 9, 2020, at 5:18 AM, luckydog xf <luckydogxf@gmail.com> wrote:
Currently I'm using FreeIPA (Based on DS389 ) as backend and LDAP module to do AAA.
Users's password in DS389 may be expired and the weird thing is that user can still login on NAS( VPN.etc).
There only exists an attribute named 'krbPasswordExpiration' and its value is something like 20201022032134Z.
That's a time format with the years, months, and days all mashed into one field. Definitely not the normal LDAP user expiration field, or format.
So once user logins on, I will extract this value and compare with current date ( Guess this is a runtime variable, "%l ") to decide whether to continue or reject it immediately.
That's a good start, but it won't work. "%l" is the current Unix epoch time in seconds. The krbPasswordExpiration field is not in the same format. You will need to convert one format to the other. See mods-available/date, which can do some date conversion.
I tried to set in the ../module-enabled/ldap ---- control:Password-With-Header += 'userPassword'
control: += ' krbPasswordExpiration '
--- It always throws an exception. So how to resolve this?
Read the documentation and follow it. You cannot just put a bare "control:" into the LDAP map. The "control" name means that the attribute is being put into the "control" list. Except you didn't specify which attribute to use. So... follow the rest of the examples, and add an attribute name. And when you post messages, include the *actual error*. It's important. When you say "it throws an exception", that's not true, and misleading. It gives a very specific error message, which you are ignoring. Alan DeKok.
I see, so which radius attribute is good for this mapping ? Like control:Password-With-Header , which one shall I use ? On Thu, Apr 9, 2020 at 8:13 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 9, 2020, at 5:18 AM, luckydog xf <luckydogxf@gmail.com> wrote:
Currently I'm using FreeIPA (Based on DS389 ) as backend and LDAP module to do AAA.
Users's password in DS389 may be expired and the weird thing is that
user
can still login on NAS( VPN.etc).
There only exists an attribute named 'krbPasswordExpiration' and its value is something like 20201022032134Z.
That's a time format with the years, months, and days all mashed into one field. Definitely not the normal LDAP user expiration field, or format.
So once user logins on, I will extract this value and compare with current date ( Guess this is a runtime variable, "%l ") to decide whether to continue or reject it immediately.
That's a good start, but it won't work. "%l" is the current Unix epoch time in seconds. The krbPasswordExpiration field is not in the same format. You will need to convert one format to the other. See mods-available/date, which can do some date conversion.
I tried to set in the ../module-enabled/ldap ---- control:Password-With-Header += 'userPassword'
control: += ' krbPasswordExpiration '
--- It always throws an exception. So how to resolve this?
Read the documentation and follow it. You cannot just put a bare "control:" into the LDAP map. The "control" name means that the attribute is being put into the "control" list. Except you didn't specify which attribute to use.
So... follow the rest of the examples, and add an attribute name.
And when you post messages, include the *actual error*. It's important. When you say "it throws an exception", that's not true, and misleading. It gives a very specific error message, which you are ignoring.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I added a dictionary named krbpasswdexpire in /etc/raddb/dictionary. And update /etc/raddb/mod-enabled/ldap control:krbpasswdexpire += "%{date:krbPasswordExpiration}" Here is my date module, date { format = *"%Y%m%d%H%M%SZ" * # Use UTC instead of local time. # # default = no utc = yes } --------------- Here is part of `radiusd -X`, ---------------- (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) ldap: EXPAND %{date:krbPasswordExpiration} (0) ldap: --> rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=tom) Note, this did not expand value (0) ldap: EXPAND %{date:krbPasswordExpiration} (0) ldap: --> So anything wrong ? Thanks. On Thu, Apr 9, 2020 at 8:13 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 9, 2020, at 5:18 AM, luckydog xf <luckydogxf@gmail.com> wrote:
Currently I'm using FreeIPA (Based on DS389 ) as backend and LDAP module to do AAA.
Users's password in DS389 may be expired and the weird thing is that
user
can still login on NAS( VPN.etc).
There only exists an attribute named 'krbPasswordExpiration' and its value is something like 20201022032134Z.
That's a time format with the years, months, and days all mashed into one field. Definitely not the normal LDAP user expiration field, or format.
So once user logins on, I will extract this value and compare with current date ( Guess this is a runtime variable, "%l ") to decide whether to continue or reject it immediately.
That's a good start, but it won't work. "%l" is the current Unix epoch time in seconds. The krbPasswordExpiration field is not in the same format. You will need to convert one format to the other. See mods-available/date, which can do some date conversion.
I tried to set in the ../module-enabled/ldap ---- control:Password-With-Header += 'userPassword'
control: += ' krbPasswordExpiration '
--- It always throws an exception. So how to resolve this?
Read the documentation and follow it. You cannot just put a bare "control:" into the LDAP map. The "control" name means that the attribute is being put into the "control" list. Except you didn't specify which attribute to use.
So... follow the rest of the examples, and add an attribute name.
And when you post messages, include the *actual error*. It's important. When you say "it throws an exception", that's not true, and misleading. It gives a very specific error message, which you are ignoring.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 15, 2020, at 2:29 AM, luckydog xf <luckydogxf@gmail.com> wrote:
I added a dictionary named krbpasswdexpire in /etc/raddb/dictionary.
And update /etc/raddb/mod-enabled/ldap
control:krbpasswdexpire += "%{date:krbPasswordExpiration}"
That don't work. The "krbPasswordExpiration" string is NOT something which is available to the dynamic string expansions. You must do this: edit raddb/dictionary Add krbpasswdexpireString as a "string" attribute. Add a krbpasswdexpireDate as a "date" attribute update /etc/raddb/mod-enabled/ldap control:krbpasswdexpireString += krbPasswordExpiration Which assigns the "2020...Z" string to the krbpasswdexpireString attribute. Then after the LDAP module has run, parse the date: update control { krbpasswdexpireDate := %{date:&control: krbpasswdexpireString}" } That should work. Alan DeKok.
I did them as your suggestion, Now ldap module works, here is output of `radiusd -X` (0) ldap: control:krbpasswdexpireString += '20200706030533Z' .... rlm_ldap (ldap): Bind successful (0) [ldap] = updated (0) update control { (0) EXPAND %{date:&(control:krbpasswdexpireString)} (0) --> (0) krbpasswdexpireDate := Jan 1 1970 08:00:00 HKT It seems that date does not get correct input, here is my site-available/default ------- ldap update control { krbpasswdexpireDate := "%{date:&control:krbpasswdexpireString}" # I want to convert it to unix epoch time. if ( krbpasswdexpireDate >"%l" ) { reject } } Thanks, On Wed, Apr 15, 2020 at 9:00 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 15, 2020, at 2:29 AM, luckydog xf <luckydogxf@gmail.com> wrote:
I added a dictionary named krbpasswdexpire in /etc/raddb/dictionary.
And update /etc/raddb/mod-enabled/ldap
control:krbpasswdexpire += "%{date:krbPasswordExpiration}"
That don't work. The "krbPasswordExpiration" string is NOT something which is available to the dynamic string expansions.
You must do this:
edit raddb/dictionary
Add krbpasswdexpireString as a "string" attribute.
Add a krbpasswdexpireDate as a "date" attribute
update /etc/raddb/mod-enabled/ldap
control:krbpasswdexpireString += krbPasswordExpiration
Which assigns the "2020...Z" string to the krbpasswdexpireString attribute.
Then after the LDAP module has run, parse the date:
update control { krbpasswdexpireDate := %{date:&control: krbpasswdexpireString}" }
That should work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 16, 2020, at 3:52 AM, luckydog xf <luckydogxf@gmail.com> wrote:
I did them as your suggestion,
Now ldap module works, here is output of `radiusd -X` (0) ldap: control:krbpasswdexpireString += '20200706030533Z'
....
rlm_ldap (ldap): Bind successful (0) [ldap] = updated (0) update control { (0) EXPAND %{date:&(control:krbpasswdexpireString)}
? The debug output doesn't add round brackets. This should be: EXPAND %{date:&control:krbpasswdexpireString}
(0) --> (0) krbpasswdexpireDate := Jan 1 1970 08:00:00 HKT
It seems that date does not get correct input, here is my site-available/default
-------
ldap
update control {
krbpasswdexpireDate := "%{date:&control:krbpasswdexpireString}"
Which isn't the same as shown in the debug output.
# I want to convert it to unix epoch time. if ( krbpasswdexpireDate >"%l" ) {
You can't put "if" statements inside of an "update" section. It won't work. I tried parsing that date here and it works: (0) update request { (0) Filter-Id := "20200706030533Z" (0) } # update request = noop (0) update control { (0) EXPAND %{krb2date:&Filter-Id} (0) --> 1594022733 (0) Event-Timestamp := Jul 6 2020 04:05:33 EDT Alan DeKok.
Oh, thanks Alan. it works, here is my site-enabled/default --------- krbpasswdexpireDate := "%{date:&control:krbpasswdexpireString}" ------------- and if ( "%{control:krbpasswdexpireDate}" < "%l" ) { reject } Thanks for your help and have a good day. On Thu, Apr 16, 2020 at 8:37 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 16, 2020, at 3:52 AM, luckydog xf <luckydogxf@gmail.com> wrote:
I did them as your suggestion,
Now ldap module works, here is output of `radiusd -X` (0) ldap: control:krbpasswdexpireString += '20200706030533Z'
....
rlm_ldap (ldap): Bind successful (0) [ldap] = updated (0) update control { (0) EXPAND %{date:&(control:krbpasswdexpireString)}
? The debug output doesn't add round brackets. This should be:
EXPAND %{date:&control:krbpasswdexpireString}
(0) --> (0) krbpasswdexpireDate := Jan 1 1970 08:00:00 HKT
It seems that date does not get correct input, here is my site-available/default
-------
ldap
update control {
krbpasswdexpireDate := "%{date:&control:krbpasswdexpireString}"
Which isn't the same as shown in the debug output.
# I want to convert it to unix epoch time. if ( krbpasswdexpireDate >"%l" ) {
You can't put "if" statements inside of an "update" section. It won't work.
I tried parsing that date here and it works:
(0) update request { (0) Filter-Id := "20200706030533Z" (0) } # update request = noop (0) update control { (0) EXPAND %{krb2date:&Filter-Id} (0) --> 1594022733 (0) Event-Timestamp := Jul 6 2020 04:05:33 EDT
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
luckydog xf -
Matthew Newton