LDAP (POSIX attributes) password expiry

up at 3.am
Tue Mar 6 15:20:38 CET 2012


> On 03/06/2012 02:10 AM, up at 3.am wrote:
>>> On 28/02/12 21:16, up at 3.am wrote:
>>>> However, we just noticed that password expiry isn't working.  I suspect this is
>>>> because we are still using all the original POSIX attributes and none of them look
>>>> like a good fit for mapping to the ones supplied by FreeRADIUS.  I see:
>>>> checkItem	Expiration	radiusExpiration
>>>> Our LDAP attributes use the following POSIX attributes to determine expiry:
>>>> shadowMax: 90
>>>> shadowLastChange: 15215
>>> Other replies should have convinced you that there's no built-in support for
>>> this. You will need to either:
>>>    1. Arrange for a FreeRADIUS-ready "radiusExpiration" attribute to be
>>> set in LDAP alongside the POSIX/shadow schemas
>>>    2. Synthesize an Expiration attribute, or otherwise locally check the
>>> POSIX/shadow attributes.
>>> One way you might accomplish the 2nd is as follows:
>>> == Create some local RADIUS attributes for the shadow values ==
>>> /etc/raddb/dictionary:
>>> ATTRIBUTE	Shadow-Max-Age		3000	integer
>>> ATTRIBUTE	Shadow-Last-Change	3001	integer
>>> ATTRIBUTE	Shadow-Expires		3002	integer
>>> ATTRIBUTE	Shadow-Current		3003	integer
>>> /etc/raddb/ldap.attrmap:
>>> checkItem	Shadow-Max-Age		shadowMax
>>> checkItem	Shadow-Last-Change	shadowLastChange
>>> == Read these attributes from LDAP, then perform some maths ==
>>> /etc/raddb/sites-enabled/<server>:
>>> authorize {
>>>     ...
>>>     ldap
>>>     update control {
>>>       Shadow-Expires := "%{expr:%{control:Shadow-Last-Change} +
>>> %{control:Shadow-Max-Age}}"
>>>       Shadow-Current := "%{expr:%l / 86400}"
>>>     }
>>>     if (control:Shadow-Current>  control:Shadow-Expires) {
>>>       reject
>>>     }
>>>     ...
>>> }
>>> Hopefully it's clear what this does, but basically:
>>>    1. Pulls last-change & max-age from LDAP
>>>    2. Adds them together, to get expiry (in days since epoch)
>>>    3. Divides %l (epoch) by 86400 to get today, in days since epoch
>>>    4. Compares them
>>> -
>> It looks to me like it should do all of those things swimmingly... however, I am
>> running into an issue that looks like it might be because we run redundant LDAP
>> servers.  I put your 'update control' here, in the authorize section:
>>    redundant LDAP {
>>        ldap1
>>        ldap2
>>        update control {<ETC>
>>        }
>>    }
>
>
> Ok, so do:
>
>    redundant {
>      ldap1
>      ldap2
>    }
>    update control {
>     ..
>    }


Ok, that got it starting and it looks tantalizingly close, but somehow
Shadow-Expires isn't getting parsed:

++- entering group LDAP {...}
[ldap1] performing user authorization for ldaptestuser
[ldap1] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap1] 	... expanding second conditional
[ldap1] 	expand: %{User-Name} -> ldaptestuser
[ldap1] 	expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldaptestuser)
[ldap1] 	expand: dc=domain,dc=com -> dc=domain,dc=com
  [ldap1] ldap_get_conn: Checking Id: 0
  [ldap1] ldap_get_conn: Got Id: 0
  [ldap1] performing search in dc=domain,dc=com, with filter (uid=ldaptestuser)
[ldap1] looking for check items in directory...
  [ldap1] shadowLastChange -> Shadow-Last-Change == 15215
  [ldap1] shadowMax -> Shadow-Max-Age == 90
[ldap1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user
is configured correctly?
[ldap1] user ldaptestuser authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- group LDAP returns ok
	expand: %{control:Shadow-Last-Change} + %{control:Shadow-Max-Age} -> 15215 + 90
expand: %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}} ->
15305
	expand: %l / 86400 -> 1331041623 / 86400
	expand: %{expr:%l / 86400} -> 15405
++[control] returns ok
++? if (control:Shadow-Current > control:Shadow-Expires)
Failed parsing "control:Shadow-Expires": Unknown value control:Shadow-Expires for
attribute Shadow-Current

-----------

To make sure I got the mapping and dictionary definitions right, here's what I
have (pretty much just copied and pasted from you):

[root at host]# grep -i shadow /etc/raddb/dictionary
ATTRIBUTE        Shadow-Max-Age            3000        integer
ATTRIBUTE        Shadow-Last-Change        3001        integer
ATTRIBUTE        Shadow-Expires            3002        integer
ATTRIBUTE        Shadow-Current            3003        integer
[root at host]# grep -i shadow /etc/raddb/ldap.attrmap
checkItem	Shadow-Max-Age			shadowMax
checkItem	Shadow-Last-Change		shadowLastChange
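The expiry arithmetic from the quoted unlang (shadowLastChange plus shadowMax, compared against today's day number) as a stand-alone Python check. This is an added illustration, not code from the thread or from FreeRADIUS, and it also handles the shadow(5) cases the snippet leaves out: a missing or non-positive shadowMax (no expiry) and a shadowLastChange of 0 (password must be changed). The sample entries are constructed; the first reuses the values from the debug output above.

```python
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400

# Constructed sample entries (not read from a directory). "ldaptestuser"
# carries the values shown in the thread's debug output.
SAMPLE_ENTRIES = {
    "ldaptestuser": {"shadowLastChange": "15215", "shadowMax": "90"},
    "fresh":        {"shadowLastChange": "15400", "shadowMax": "90"},
    "noexpiry":     {"shadowLastChange": "15215"},            # no shadowMax
    "forcechange":  {"shadowLastChange": "0", "shadowMax": "90"},
}


def shadow_expiry_day(entry):
    """Day number (days since epoch) on which the password expires, or None
    when the entry has no usable maximum age: shadow(5) treats an empty
    shadowMax as "no maximum", and 99999 is the common "never" value."""
    last_change = entry.get("shadowLastChange")
    max_age = entry.get("shadowMax")
    if last_change is None or max_age is None:
        return None
    last_change, max_age = int(last_change), int(max_age)
    if max_age <= 0 or max_age >= 99999:
        return None
    return last_change + max_age


def password_expired(entry, now_epoch):
    """Mirror the unlang condition: today (epoch / 86400) > lastChange + maxAge.
    shadowLastChange == 0 means the password must be changed, so it is
    treated as expired regardless of shadowMax."""
    if entry.get("shadowLastChange") == "0":
        return True
    expires = shadow_expiry_day(entry)
    if expires is None:
        return False
    today = now_epoch // SECONDS_PER_DAY
    return today > expires


def decide(username, now_epoch=None):
    """Return 'reject' or 'ok' for a user in the constructed sample set,
    evaluated at now_epoch (defaults to the current UTC time)."""
    if now_epoch is None:
        now_epoch = int(datetime.now(timezone.utc).timestamp())
    entry = SAMPLE_ENTRIES[username]
    return "reject" if password_expired(entry, now_epoch) else "ok"


if __name__ == "__main__":
    # 1331041623 is the %l value from the debug output above.
    for user in SAMPLE_ENTRIES:
        print(user, decide(user, 1331041623))
```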
