LDAP (POSIX attibutes) password expiry

Wed Feb 29 02:37:18 CET 2012

> On Wed, Feb 29, 2012 at 4:16 AM,  <up at 3.am> wrote:
>> Hi:
>>
>> We've been running various versions of FreeRadius for years, currently 2.1.10 in
>> this application.  A while ago, we switched from PAM (unix) auth to LDAP auth.
>> Everything worked fine after the switch...POSIX attributes for group membership
>> correctly allocated the right ippools, etc.
>>
>> However, we just noticed that password expiry isn't working.  I suspect this is
>> because we are still using all the original POSIX attributes and none of them
>> look
>> like good for mapping to the ones supplied by FreeRADIUS.  I see:
>>
>> checkItem       Expiration                      radiusExpiration
>>
>> Our LDAP attributes use the following POSIX attributes to determine expiry:
>>
>> shadowMax: 90
>> shadowLastChange: 15215
>>
>> With the first being the maximum age of the password and the second being the
>> number of days since the Epoch.  I will post the obligatory debug output below
>> (with sensitive or irrelevant stuff snipped out) for a successful authentication
>> for an expired password that shouldn't have succeeded.  If anybody has an idea
>> how
>> to fix this with the minimal of messing around with our LDAP config itself, I'd
>> greatly appreciate it...or, if that's unrealistic, what should be done.  TIA!
>
> IIRC the Expiration attribute requires the format of "01 Jan 2011
> 01:00:00" (or something like that, other format might work, test it
> first). From the two LDAP attributes, you should be able to process
> them and present it as a new attribute.
>
> I see no easy way to do that without additional module though. You
> COULD use something like this on ldap.attrmap:
>
> checkItem       Tmp-Integer-0                      shadowMax
> checkItem       Tmp-Integer-1                      shadowLastChange
>
> ... then convert it to expiration with rlm_perl/rlm_sql/whatever. If
> you already have a mysql instance (e.g. for accounting), you could
> probably use it to do the processing. Something like this (see
> http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html):
>
> update control {
>   Expiration := "%{sql: SELECT FROM_UNIXTIME( ( %{Tmp-Integer-0} +
> %{Tmp-Integer-1} ) * 86400, '%d %b %Y %H:%i%s' )}"
> }

Fajar, thanks for taking the time with this reply.  No, I'm not running MySQL for
accounting...just the standard flat files on separate remote server and of course
for auth, LDAP.  I'll have to take a look and see what rlm_perl can do for us.  I
don't see a problem getting the attributes using perl (even if it just invokes
shell commands), but how to process it back to FreeRADIUS without interfering with
anything else.