LDAP (POSIX attributes) password expiry

up at 3.am up at 3.am
Thu Mar 1 15:41:21 CET 2012


> up at 3.am wrote:
>>>> checkItem       Expiration                      radiusExpiration
>>>   Did you check that the LDAP module is returning this attribute for the
>>> query?
>>
>> No, I don't expect it to, since I don't have that attribute or anything
>> that looks like it might be a good substitute.
>
>   So... why would you ever expect that expiration will work?

I expect it would take some fiddling.  I was showing what I had done so far for
background reference.  From a couple of other responses, it appears there might be
ways to get this working.

>>>   Did you check that Expiration works if you put it into the "users" file?
>>
>> I'm not worried about that...expiry worked with the old rlm_pam using Unix
>> expiry.
>
>   I see.  You ask for help, and you ignore the response.

I didn't ignore any response.  I have no reason to worry about whether Expiration
will work in "users" because A) I'm not using users, I'm using LDAP and B) expiry
worked fine using rlm_pam and /etc/shadow.

My first thought (hope) was that there was some config option in rlm_ldap that I
was missing that might be an easy fix.  I knew it was a long shot, but I didn't
see the harm in asking.

>   If you do this again, you will be unsubscribed and banned.

Alan:  I have been using your software for many years, and received a lot of help
from you and other members of this list and know you have little patience for
requests for help that don't include adequate debug output and inclusion of
relevant configuration information.

I've obviously pissed you off with my reply to you and for that, I apologize.  It
was not my intention.  My cognitive ability is still recovering from a lot of
chemotherapy over the past year and this may be reflected in the way I parse and
post.

>> When exporting Unix to LDAP, the expiry data was exported from /etc/shadow
>> to the two LDAP attributes mentioned.  I was hoping that perhaps there was a
>> module that could calculate between the two and figure out that the password
>> was expired and take it from there.  I figured it a long shot but worth
>> asking.
>
>   Was there documentation saying that such a module existed?

Not that I could find, hence my post here.  It looks like more clueful people than
I have some potential workarounds, so from that standpoint, it may have paid off.


