RADIUS , LDAP Authentication Problem
Thato Molise
info at datacom.co.ls
Fri Jul 14 08:42:09 CEST 2006
Hi,
The expiry module still does not work; let me show you my LDAP attributes:
Attribute name    Values
shadowLastChange  13284
uid               tmolise
cn                Thato Molise
homeDirectory     /home/tmolise
uidNumber         501
objectClass       posixAccount, shadowAccount, account, top
shadowExpire      13269
gidNumber         100
gecos             Thato Molise
userPassword      {encryp}
I don't see the actual expiry date attribute but I see shadowExpire! Maybe
the above attributes may help to see what's wrong.....
In my ldap.attrmap I still have:
checkItem Expiration radiusExpiration
----- Original Message -----
From: "Phil Mayers" <p.mayers at imperial.ac.uk>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, July 12, 2006 7:43 PM
Subject: Re: RADIUS , LDAP Authentication Problem
> Thato Molise wrote:
>> How do I tell freeRADIUS to use LDAP expiration in my Configuration
>> files. That's Exactly what to tell the server to do... Please help...
>
> There is no built-in way, because this is not a standardised config.
>
> What format does the ldap expiration attribute have?
>
> There's an "rlm_expiration" in CVS (and possibly >1.1.0) versions of the
> server. If your expiration attribute is a unix timestamp (seconds since
> 1970) you could simply do this in ldap.attrmap:
>
> checkItem Expiration myLdapExpiryAttribute
>
> ...alternatively you could use rlm_exec to do it - for example if you
> have:
>
> dn: cn=username,blah
> objectClass: inetOrgPerson
> expiryDate: Wed 12 Jul 2006
>
> ...then in ldap.attrmap do this:
>
> checkItem Expiration expiryDate
>
> ...and in radiusd.conf:
>
> modules {
>   exec expiry {
>     wait = yes
>     program = "/path/to/expiry.sh"
>     input_pairs = config
>     output_pairs = reply
>   }
> }
>
> authorize {
>   preprocess
>   ldap
>   expiry
>   # maybe other stuff
> }
>
> ...and make "expiry.sh" be this:
>
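> #!/bin/sh
> # Convert the date string in $EXPIRATION to seconds since 1970
> # and compare it with the current time.
>
> EXPIRY=`date -d "$EXPIRATION" +%s`
> NOW=`date +%s`
>
> if [ "$EXPIRY" -lt "$NOW" ]
> then
>   echo "Auth-Type := Reject"
>   echo "Reply-Message = \"Your account has expired\""
> fi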
>
> This is untested, but I don't see why it shouldn't work.
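Added example (not part of either message above and not FreeRADIUS code): the shadowExpire attribute of the RFC 2307 shadowAccount class counts days since 1970-01-01, not seconds, so it cannot be compared directly with a unix timestamp. The sketch below converts it before comparing and prints the same pairs as the quoted expiry.sh. The function names are hypothetical, and it is assumed that the raw shadowExpire value is passed in as an argument, that -1 or an empty value means "no expiry", and that a malformed value should be rejected.

```shell
#!/bin/sh
# Added example: expiry check for an RFC 2307 shadowExpire value.
# shadowExpire is a number of DAYS since 1970-01-01 (UTC), so it is
# multiplied by 86400 before being compared with a time in seconds.

# shadow_state DAYS NOW_SECONDS -> prints "valid", "expired" or "invalid"
shadow_state() {
    days=$1
    now=$2
    case "$days" in
        ''|-1)    echo valid;   return 0 ;;  # assumption: no expiry configured
        *[!0-9]*) echo invalid; return 0 ;;  # not a plain non-negative integer
        0?*)      echo invalid; return 0 ;;  # leading zero would be read as octal
    esac
    # The account is treated as disabled from the start of day number $days.
    if [ "$now" -ge $((days * 86400)) ]; then
        echo expired
    else
        echo valid
    fi
}

# expiry_pairs DAYS NOW_SECONDS -> prints the reject pairs used by the
# quoted expiry.sh, or nothing when the account is still valid.
# Malformed values are rejected as well (fail closed; a design choice here).
expiry_pairs() {
    case "$(shadow_state "$1" "$2")" in
        valid) return 0 ;;
    esac
    echo 'Auth-Type := Reject'
    echo 'Reply-Message = "Your account has expired"'
}

# Constructed run: the shadowExpire value shown in the post (13269) checked
# against the post's own timestamp, 2006-07-14 08:42:09 CEST = 1152859329.
expiry_pairs 13269 1152859329
```

Day 13269 is 2006-05-01, so for the entry shown in the post this prints the reject pairs.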