RADIUS , LDAP Authentication Problem

Thato Molise info at datacom.co.ls
Fri Jul 14 08:42:09 CEST 2006


Hi,

The expiry module still does not work. Let me show you my LDAP attributes:

 Attribute name      Values
 shadowLastChange    13284
 uid                 tmolise
 cn                  Thato Molise
 homeDirectory       /home/tmolise
 uidNumber           501
 objectClass         posixAccount , shadowAccount , account , top
 shadowExpire        13269
 gidNumber           100
 gecos               Thato Molise
 userPassword        {encryp}

I don't see the actual expiry date attribute, but I see shadowExpire! Maybe 
the above attributes may help to see what's wrong...

In my ldap.attrmap I still have:

 checkItem Expiration radiusExpiration


----- Original Message ----- 
From: "Phil Mayers" <p.mayers at imperial.ac.uk>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, July 12, 2006 7:43 PM
Subject: Re: RADIUS , LDAP Authentication Problem


> Thato Molise wrote:
>> How do I tell freeRADIUS to use LDAP expiration in my configuration 
>> files? That's exactly what to tell the server to do... Please help...
>
> There is no built-in way, because this is not a standardised config.
>
> What format does the ldap expiration attribute have?
>
> There's an "rlm_expiration" in CVS (and possibly >1.1.0) versions of the 
> server. If your expiration attribute is a unix timestamp (seconds since 
> 1970) you could simply do this in ldap.attrmap:
>
> checkItem Expiration myLdapExpiryAttribute
>
> ...alternatively you could use rlm_exec to do it - for example if you 
> have:
>
> dn: cn=username,blah
> objectClass: inetOrgPerson
> expiryDate: Wed 12 Jul 2006
>
> ...then in ldap.attrmap do this:
>
> checkItem Expiration expiryDate
>
> ...and in radiusd.conf:
>
> modules {
>   exec expiry {
>     wait = yes
>     program = "/path/to/expiry.sh"
>     input_pairs = config
>     output_pairs = reply
>   }
> }
>
> authorize {
>   preprocess
>   ldap
>   expiry
>   # maybe other stuff
> }
>
> ...and make "expiry.sh" be this:
>
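> #!/bin/sh
>
> # Convert the date string in $EXPIRATION to seconds since 1970
> EXPIRY=`date -d "$EXPIRATION" +%s`
> NOW=`date +%s`
>
> # Reject the request once the expiry time has passed
> if [ "$EXPIRY" -lt "$NOW" ]
> then
> echo "Auth-Type := Reject"
> echo "Reply-Message = \"Your account has expired\""
> fi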
>
> This is untested, but I don't see why it shouldn't work.
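
Added example, not part of the thread: shadowExpire counts days since 1 January 1970 rather than seconds, so the 13269 listed above is 1 May 2006 and has to be multiplied by 86400 before it can be compared with `date +%s`. The sketch below is a variant of the quoted expiry.sh for that format; it assumes the raw value reaches the script in an environment variable, here given the hypothetical name SHADOW_EXPIRE, and the function names are likewise made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): expiry check for shadowExpire,
# which holds DAYS since 1970-01-01, compared at midnight UTC.

# shadow_expire_to_epoch DAYS -> prints seconds since 1970-01-01
shadow_expire_to_epoch() {
    echo $(( $1 * 86400 ))
}

# shadow_status DAYS NOW_SECONDS -> prints active, expired or invalid
shadow_status() {
    days=$1 now=$2
    case "$days" in
        ''|-1) echo active; return ;;       # unset or -1: no expiry date
        0*) echo invalid; return ;;         # 0 is ambiguous; leading 0 parses as octal
        *[!0-9]*) echo invalid; return ;;   # anything that is not a plain number
        ????????*) echo invalid; return ;;  # implausibly large, avoids overflow
    esac
    if [ "$(shadow_expire_to_epoch "$days")" -le "$now" ]; then
        echo expired
    else
        echo active
    fi
}

# expiry_pairs DAYS NOW_SECONDS -> prints the same pairs as the quoted
# expiry.sh. An invalid value is rejected too (this example's choice:
# fail closed rather than let a malformed entry through).
expiry_pairs() {
    case "$(shadow_status "$1" "$2")" in
        active) ;;
        *) echo 'Auth-Type := Reject'
           echo 'Reply-Message = "Your account has expired"' ;;
    esac
}

# Stand-alone use: SHADOW_EXPIRE is a hypothetical variable name.
if [ -n "${SHADOW_EXPIRE+x}" ]; then
    expiry_pairs "$SHADOW_EXPIRE" "$(date +%s)"
fi
```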