Re: LDAP (POSIX attibutes) password expiry
> On 03/06/2012 02:10 AM, up@3.am wrote:
>>> On 28/02/12 21:16, up@3.am wrote:
>>>> However, we just noticed that password expiry isn't working. I suspect this is
>> because we are still using all the original POSIX attributes and none of them look
>>>> like good for mapping to the ones supplied by FreeRADIUS. I see: checkItem
>> Expiration radiusExpiration Our LDAP attributes use the
>> following POSIX attributes to determine expiry: shadowMax: 90
>>>> shadowLastChange: 15215
>>> Other replies should have convinced you that there's no built-in support for
>> this. You will need to either:
>>> 1. Arrange for a FreeRADIUS-ready "radiusExpiration" attribute to be
>>> set in LDAP alongside the POSIX/shadow schemas
>>> 2. Synthesize an Expiration attribute, or otherwise locally check the
>>> POSIX/shadow attributes.
>>> One way you might accomplish the 2nd is as follows:
>>> == Create some local RADIUS attributes for the shadow values ==
/etc/raddb/dictionary:
>>> ATTRIBUTE Shadow-Max-Age 3000 integer
>>> ATTRIBUTE Shadow-Last-Change 3001 integer
>>> ATTRIBUTE Shadow-Expires 3002 integer
>>> ATTRIBUTE Shadow-Current 3003 integer
>>> /etc/raddb/ldap.attrmap:
>>> checkItem Shadow-Max-Age shadowMax
>>> checkItem Shadow-Last-Change shadowLastChange
>>> == Read these attributes from LDAP, then perform some maths ==
/etc/raddb/sites-enabled/<server>:
>>> authorize {
>>> ...
>>> ldap
>>> update control {
>>> Shadow-Expires := "%{expr:%{control:Shadow-Last-Change} +
>>> %{control:Shadow-Max-Age}}"
>>> Shadow-Current := "%{expr:%l / 86400}"
>>> }
>>> if (control:Shadow-Current> control:Shadow-Expires) {
>>> reject
>>> }
>>> ...
>>> }
>>> Hopefully it's clear what this does, but basically:
>>> 1. Pulls last-change& max-age from LDAP
>>> 2. Adds them together, to get expiry (in days since epoch)
>>> 3. Divides %l (epoch) by 86400 to get today, in days since epoch 4.
Compares
>> them
>>> -
>> It looks to me like it should do all of those things swimmingly...however, I am
running into an issue that looks like it might be because we run redundant LDAP
servers. I put your 'update control' here, in the authorize :
>> redundant LDAP{
>> ldap1
>> ldap2
>> update control {<ETC>
>> }
>> }
>
>
> Ok, so do:
>
> redundant {
> ldap1
> ldap2
> }
> update control {
> ..
> }
Ok, that got it starting and it looks tantalizingly close, but somehow
Shadow-Expires isn't getting parsed:
++- entering group LDAP {...}
[ldap1] performing user authorization for ldaptestuser
[ldap1] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap1] ... expanding second conditional
[ldap1] expand: %{User-Name} -> ldaptestuser
[ldap1] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldaptestuser)
[ldap1] expand: dc=domain,dc=com -> dc=domain,dc=com
[ldap1] ldap_get_conn: Checking Id: 0
[ldap1] ldap_get_conn: Got Id: 0
[ldap1] performing search in dc=domain,dc=com, with filter (uid=ldaptestuser)
[ldap1] looking for check items in directory...
[ldap1] shadowLastChange -> Shadow-Last-Change == 15215
[ldap1] shadowMax -> Shadow-Max-Age == 90
[ldap1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user
is configured correctly?
[ldap1] user ldaptestuser authorized to use remote access
[ldap1] ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- group LDAP returns ok
expand: %{control:Shadow-Last-Change} + %{control:Shadow-Max-Age} -> 15215 + 90
expand: %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}} ->
15305
expand: %l / 86400 -> 1331041623 / 86400
expand: %{expr:%l / 86400} -> 15405
++[control] returns ok
++? if (control:Shadow-Current > control:Shadow-Expires)
Failed parsing "control:Shadow-Expires": Unknown value control:Shadow-Expires for
attribute Shadow-Current
-----------
To make sure I got the mapping and dictionary definitions right, here's what I
have (pretty much just copied and pasted from you):
[root@host]# grep -i shadow /etc/raddb/dictionary
ATTRIBUTE Shadow-Max-Age 3000 integer
ATTRIBUTE Shadow-Last-Change 3001 integer
ATTRIBUTE Shadow-Expires 3002 integer
ATTRIBUTE Shadow-Current 3003 integer
[root@host]# grep -i shadow /etc/raddb/ldap.attrmap
checkItem Shadow-Max-Age shadowMax
checkItem Shadow-Last-Change shadowLastChange
On Tue, Mar 6, 2012 at 9:20 PM, <up@3.am> wrote:
++? if (control:Shadow-Current > control:Shadow-Expires) Failed parsing "control:Shadow-Expires": Unknown value control:Shadow-Expires for attribute Shadow-Current
Try if (control:Shadow-Current > "%{control:Shadow-Expires}") -- Fajar
On Tue, Mar 6, 2012 at 9:20 PM, <up@3.am> wrote:
++? if (control:Shadow-Current > control:Shadow-Expires) Failed parsing "control:Shadow-Expires": Unknown value control:Shadow-Expires for attribute Shadow-Current
Try
if (control:Shadow-Current > "%{control:Shadow-Expires}")
That did it! Thank you Fajar, Phil and Alan! It never ceases to amaze me the things that can be done with FreeRADIUS that would have been unthinkable with Cistron or Livingston. For anyone else interested, I'll paste the final modifications here (unwrap lines, of course): raddb/sites-available/<servername>: update control { Shadow-Expires := "%{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}" Shadow-Current := "%{expr:%l / 86400}" } if (control:Shadow-Current > "%{control:Shadow-Expires}") { reject } -------------- raddb/dictionary: ATTRIBUTE Shadow-Max-Age 3000 integer ATTRIBUTE Shadow-Last-Change 3001 integer ATTRIBUTE Shadow-Expires 3002 integer ATTRIBUTE Shadow-Current 3003 integer -------------- raddb/ldap.attrmap checkItem Shadow-Max-Age shadowMax checkItem Shadow-Last-Change shadowLastChange ---------------
participants (2)
-
Fajar A. Nugraha -
up@3.am