LDAP (POSIX attributes) password expiry

Fajar A. Nugraha list at fajar.net
Wed Feb 29 00:11:14 CET 2012


On Wed, Feb 29, 2012 at 4:16 AM,  <up at 3.am> wrote:
> Hi:
>
> We've been running various versions of FreeRadius for years, currently 2.1.10 in
> this application.  A while ago, we switched from PAM (unix) auth to LDAP auth.
> Everything worked fine after the switch...POSIX attributes for group membership
> correctly allocated the right ippools, etc.
>
> However, we just noticed that password expiry isn't working.  I suspect this is
> because we are still using all the original POSIX attributes and none of them look
> like good for mapping to the ones supplied by FreeRADIUS.  I see:
>
> checkItem       Expiration                      radiusExpiration
>
> Our LDAP attributes use the following POSIX attributes to determine expiry:
>
> shadowMax: 90
> shadowLastChange: 15215
>
> With the first being the maximum age of the password and the second being the
> number of days since the Epoch.  I will post the obligatory debug output below
> (with sensitive or irrelevant stuff snipped out) for a successful authentication
> for an expired password that shouldn't have succeeded.  If anybody has an idea how
> to fix this with the minimal of messing around with our LDAP config itself, I'd
> greatly appreciate it...or, if that's unrealistic, what should be done.  TIA!

IIRC the Expiration attribute requires the format of "01 Jan 2011
01:00:00" (or something like that, other format might work, test it
first). From the two LDAP attributes, you should be able to process
them and present it as a new attribute.

I see no easy way to do that without additional module though. You
COULD use something like this on ldap.attrmap:

checkItem       Tmp-Integer-0                      shadowMax
checkItem       Tmp-Integer-1                      shadowLastChange

... then convert it to expiration with rlm_perl/rlm_sql/whatever. If
you already have a mysql instance (e.g. for accounting), you could
probably use it to do the processing. Something like this (see
http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html):

update control {
  # checkItem attributes land in the control list, so read them from there
  # explicitly. Each literal '%' meant for MySQL is written as '%%': otherwise
  # the FreeRADIUS xlat expands '%d', '%Y', '%H' etc. as date tokens before
  # the query reaches the database. Format is '%H:%i:%s' (minutes, then seconds).
  Expiration := "%{sql: SELECT FROM_UNIXTIME( ( %{control:Tmp-Integer-0} + %{control:Tmp-Integer-1} ) * 86400, '%%d %%b %%Y %%H:%%i:%%s' )}"
}

-- 
Fajar
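As an added, standalone example (not code from this thread or from FreeRADIUS): a Python reference implementation of the conversion described above, turning shadowMax and shadowLastChange into the "DD Mon YYYY HH:MM:SS" Expiration string, applying the shadow(5) conventions (no shadowLastChange disables aging, shadowLastChange 0 forces an immediate change, no shadowMax or 99999 means no expiry) and checking a value against a timestamp. The date format and the {attribute: [values]} entry layout are assumptions.

```python
# Added example: convert POSIX shadow attributes into a FreeRADIUS Expiration value.
# Not code from this thread or from FreeRADIUS; the "DD Mon YYYY HH:MM:SS" format
# and the {attribute: [values]} entry layout are assumptions.
from datetime import datetime, timezone
from typing import Dict, List, Optional

SECONDS_PER_DAY = 86400
SHADOW_NEVER = 99999  # login.defs/useradd default meaning "never expires"
EXPIRATION_FMT = "%d %b %Y %H:%M:%S"  # e.g. "27 Nov 2011 00:00:00" (assumed)

def expiry_day(shadow_max: Optional[int], last_change: Optional[int]) -> Optional[int]:
    """Day number (days since 1970-01-01) from which the password is expired,
    or None if it never expires.  Per shadow(5): no shadowLastChange disables
    aging, shadowLastChange 0 forces a change at next login, no shadowMax
    (or the 99999 convention) means no maximum age."""
    if last_change is None or shadow_max is None:
        return None
    if shadow_max < 0 or shadow_max >= SHADOW_NEVER:
        return None
    if last_change == 0:
        return 0  # the epoch: always in the past, so access is refused
    return last_change + shadow_max

def expiration_attribute(shadow_max: Optional[int], last_change: Optional[int]) -> Optional[str]:
    """Value for 'Expiration := ...' (UTC), or None when no expiry applies."""
    day = expiry_day(shadow_max, last_change)
    if day is None:
        return None
    when = datetime.fromtimestamp(day * SECONDS_PER_DAY, tz=timezone.utc)
    return when.strftime(EXPIRATION_FMT)

def is_expired(shadow_max: Optional[int], last_change: Optional[int], now: int) -> bool:
    """True if the password is expired at Unix time `now` (seconds); mirrors the
    past/future check FreeRADIUS makes against the Expiration attribute."""
    day = expiry_day(shadow_max, last_change)
    return day is not None and now >= day * SECONDS_PER_DAY

def expiration_from_entry(entry: Dict[str, List[str]]) -> Optional[str]:
    """Take an LDAP entry as {attribute: [values]} (python-ldap gives bytes;
    decode first) and return the Expiration value to set, if any."""
    def first_int(name: str) -> Optional[int]:
        values = entry.get(name) or []
        return int(values[0]) if values else None
    return expiration_attribute(first_int("shadowMax"), first_int("shadowLastChange"))

# Constructed sample: the values quoted in the question (shadowMax 90,
# shadowLastChange 15215), which yield "27 Nov 2011 00:00:00".
SAMPLE_ENTRY = {"shadowMax": ["90"], "shadowLastChange": ["15215"]}
```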




More information about the Freeradius-Users mailing list