Freeradius a openldap password policy

Arran Cudbard-Bell a.cudbardb at
Thu Mar 12 14:22:57 CET 2015

> On 12 Mar 2015, at 04:58, Angel L. Mateo <amateo at> wrote:
> Hello,
> 	I am developing a freeradius3 server for eduroam authentication. My users are in an openldap directory where I have ppolicy to ensure that users change their password.
> 	When authenticating from radius, I can use ldap as an authenticate module, so it does an ldap bind as the user trying to connect and password policy is handled correctly.
> 	My problem is with EAP-PEAP using MSCHAP authentication. In this scenario, I can't use ldap to authenticate, only as an authorize module retrieving nt and lm passwords. So, is there any way to check that the password used is not expired?

Add the expiry attribute to the ldap/radius mappings and compare it locally on the server.

Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
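
Added example, not part of the original message and not FreeRADIUS code: the local comparison suggested in the reply, written in Python to show the logic once the expiry attributes have been retrieved alongside the NT hash. It assumes the directory exposes the OpenLDAP ppolicy attributes `pwdChangedTime` and `pwdReset` on the user entry and `pwdMaxAge` (seconds) on the policy entry; the function names and sample values are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime in UTC, e.g. 20150312142257Z or 20150312142257.25Z
_GT = re.compile(r"^(\d{14})(?:[.,](\d+))?Z$")

def parse_generalized_time(value):
    """Parse 'YYYYmmddHHMMSS[.frac]Z' into an aware UTC datetime."""
    m = _GT.match(value.strip())
    if not m:
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    ts = ts.replace(tzinfo=timezone.utc)
    if m.group(2):
        ts += timedelta(seconds=float("0." + m.group(2)))
    return ts

def password_state(entry, max_age, now):
    """Return 'ok', 'expired' or 'must_change' for one user entry.

    entry   -- dict of attributes fetched with the password hash
    max_age -- pwdMaxAge from the applicable policy, in seconds
    now     -- aware UTC datetime used for the comparison
    """
    # pwdReset TRUE: an administrator set the password, user must change it.
    if str(entry.get("pwdReset", "FALSE")).upper() == "TRUE":
        return "must_change"
    # pwdMaxAge of 0 (or absent, passed as 0) disables expiry.
    if max_age <= 0:
        return "ok"
    changed = entry.get("pwdChangedTime")
    # Per the ppolicy draft, a missing pwdChangedTime means no expiry.
    if changed is None:
        return "ok"
    expires_at = parse_generalized_time(changed) + timedelta(seconds=max_age)
    return "expired" if now >= expires_at else "ok"

if __name__ == "__main__":
    # Constructed sample: 90-day policy, password last changed 1 Jan 2015.
    sample = {"pwdChangedTime": "20150101000000Z"}
    when = datetime(2015, 3, 12, 14, 22, 57, tzinfo=timezone.utc)
    print(password_state(sample, 90 * 86400, when))
```

A result other than `ok` is the condition on which the server would reject the request before the MSCHAP exchange is allowed to succeed.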
