RADIUS, LDAP Authentication Problem
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jul 12 19:43:30 CEST 2006
Thato Molise wrote:
> How do I tell freeRADIUS to use LDAP expiration in my configuration
> files? That's exactly what to tell the server to do... Please help...
There is no built-in way, because this is not a standardised config.
What format does the ldap expiration attribute have?
There's an "rlm_expiration" in CVS (and possibly >1.1.0) versions of the
server. If your expiration attribute is a unix timestamp (seconds since
1970) you could simply do this in ldap.attrmap:
checkItem Expiration myLdapExpiryAttribute
...alternatively you could use rlm_exec to do it - for example if you have:
dn: cn=username,blah
objectClass: inetOrgPerson
expiryDate: Wed 12 Jul 2006
...then in ldap.attrmap do this:
checkItem Expiration expiryDate
...and in radiusd.conf:
modules {
        exec expiry {
                wait = yes                      # run synchronously so the script's output can be used
                program = "/path/to/expiry.sh"
                input_pairs = config            # check items (including Expiration from ldap) are exported as environment variables
                output_pairs = reply            # attribute = value lines the script prints are parsed as reply pairs
        }
}
authorize {
        preprocess
        ldap                                    # must run before expiry, so Expiration is populated
        expiry
        # maybe other stuff
}
...and make "expiry.sh" be this:
#!/bin/sh
# rlm_exec hands the Expiration check item to us as $EXPIRATION (GNU date -d parses it).
# An empty value means LDAP had no expiry attribute: treat that as expired (fail closed),
# because `date -d ""` would otherwise silently return today's date.
if [ -z "$EXPIRATION" ]; then
    EXPIRY_IN_LDAP=0
else
    EXPIRY_IN_LDAP=`date -d "$EXPIRATION" +%s`
fi
NOW=`date +%s`
if [ -z "$EXPIRY_IN_LDAP" ] || [ "$EXPIRY_IN_LDAP" -lt "$NOW" ]
then
    echo "Auth-Type := Reject"
    echo "Reply-Message = \"Your account has expired\""
fi
This is untested, but I don't see why it shouldn't work.
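As an added example (not part of Phil's post, and not code shipped with FreeRADIUS), here is the rlm_exec approach carried through for the three formats an LDAP expiry attribute is likely to have, and made to fail closed when the attribute is missing or unparseable. It assumes the same ldap.attrmap mapping as above, so that rlm_exec (input_pairs = config) exports the check item as the EXPIRATION environment variable, and it assumes GNU date for -d. The function names to_epoch, check_expiry and decide are my own, and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of FreeRADIUS.
# Assumes: ldap.attrmap maps the LDAP attribute to the Expiration check item,
# rlm_exec (input_pairs = config) exports it as $EXPIRATION, and GNU date.

# to_epoch VALUE: print VALUE as seconds since 1970, or return 1 if it cannot
# be parsed. Handles a bare Unix timestamp (1152720000), LDAP GeneralizedTime
# in its common YYYYMMDDHHMMSSZ form (20060712000000Z), and anything else
# GNU `date -d` understands ("Wed 12 Jul 2006", interpreted in local time).
to_epoch() {
    case "$1" in
        '')
            return 1 ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z)
            # GeneralizedTime: rewrite as "YYYY-MM-DD HH:MM:SS" and read it as UTC
            iso=$(printf '%s' "$1" | sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)Z$/\1-\2-\3 \4:\5:\6/')
            if epoch=$(date -u -d "$iso" +%s 2>/dev/null); then
                printf '%s\n' "$epoch"
            else
                return 1
            fi ;;
        *[!0-9]*)
            # anything else containing a non-digit: let GNU date try
            if epoch=$(date -d "$1" +%s 2>/dev/null); then
                printf '%s\n' "$epoch"
            else
                return 1
            fi ;;
        *)
            # all digits: already a Unix timestamp
            printf '%s\n' "$1" ;;
    esac
}

# check_expiry VALUE NOW: 0 = still valid, 1 = expired, 2 = missing/unparseable.
# A missing or garbled attribute is a distinct outcome so it can be reported,
# but it is never treated as "valid".
check_expiry() {
    if ! expiry=$(to_epoch "$1"); then
        return 2
    fi
    if [ "$expiry" -gt "$2" ]; then
        return 0
    fi
    return 1
}

# decide: what rlm_exec actually runs. Prints pairs for output_pairs = reply
# and also exits non-zero on any reject: Auth-Type is a check/config item, so
# with output_pairs = reply it may not be honoured, whereas rlm_exec with
# wait = yes treats a non-zero exit status as a reject.
decide() {
    rc=0
    check_expiry "${EXPIRATION:-}" "$(date +%s)" || rc=$?
    case $rc in
        0) return 0 ;;
        1) echo 'Auth-Type := Reject'
           echo 'Reply-Message = "Your account has expired"' ;;
        2) echo 'Auth-Type := Reject'
           echo 'Reply-Message = "No valid account expiry date on record"' ;;
    esac
    return 1
}

# Only dispatch when invoked as the script rlm_exec points at; when the file is
# sourced (e.g. to test the functions) nothing runs.
case "${0##*/}" in
    expiry.sh) decide ;;
esac
```

Install it as /path/to/expiry.sh, mode 0755, owned by root and not writable by the user radiusd runs as, since rlm_exec will execute whatever is in that file on every authorize. Because the script both prints the reply pairs and exits non-zero, the rejection does not depend on which list rlm_exec puts the printed Auth-Type into.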
More information about the Freeradius-Users mailing list