RADIUS , LDAP Authentication Problem

Phil Mayers p.mayers at imperial.ac.uk
Wed Jul 12 19:43:30 CEST 2006

Thato Molise wrote:
> How do I tell freeRADIUS to use LDAP expiration in my Configuration 
> files. That's Exactly what to tell the server to do... Please help...

There is no built-in way, because this is not a standardised config.

What format does the ldap expiration attribute have?

There's an "rlm_expiration" in CVS (and possibly >1.1.0) versions of the 
server. If your expiration attribute is a unix timestamp (seconds since 
1970) you could simply do this in ldap.attrmap:

checkItem Expiration myLdapExpiryAttribute

...alternatively you could use rlm_exec to do it - for example if you have:

dn: cn=username,blah
objectClass: inetOrgPerson
expiryDate: Wed 12 Jul 2006

...then in ldap.attrmap do this:

checkItem Expiration expiryDate

...and in radiusd.conf:

modules {
   exec expiry {
     wait = yes
     program = "/path/to/expiry.sh"
     input_pairs = config
     output_pairs = reply

authorize {
   # maybe other stuff

...and make "expiry.sh" be this:


NOW=`date +%s`

if [ $EXPIRY -lt $NOW ]
	echo "Auth-Type := Reject"
	echo "Reply-Message = \"Your account has expires\""

This is untested, but I don't see why it shouldn't work.

More information about the Freeradius-Users mailing list