Reject Users who are expired in DS 389 (Based on LDAP V3)

luckydog xf luckydogxf at gmail.com
Thu Apr 9 11:18:27 CEST 2020


Hi, list,

  Currently I'm using FreeIPA (based on DS389) as the backend and the LDAP
module to do AAA.

  A user's password in DS389 may be expired, and the weird thing is that the
user can still log in on the NAS (VPN, etc.).

  There is only an attribute named 'krbPasswordExpiration', and its value
is something like 20201022032134Z.
  So once a user logs in, I will extract this value and compare it with the
current date (I guess this is a runtime variable, "%l") to decide whether
to continue or reject it immediately.

  I tried to set this in ../module-enabled/ldap:
----
                control:Password-With-Header    += 'userPassword'
                control:                        += ' krbPasswordExpiration '
----
  It always throws an exception. So how do I resolve this?

 Thanks. Regards
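As an added example (not the poster's configuration and not FreeRADIUS code), the check described in the post done in Python: parse the krbPasswordExpiration GeneralizedTime value and compare it with the current time given as Unix epoch seconds, which is what FreeRADIUS's "%l" expands to. It goes beyond the single 'Z' form quoted above by also accepting the fractional and UTC-offset forms RFC 4517 allows; treating a missing attribute as expired (fail closed) is an assumed policy, not something the post states.

```python
"""Decide whether to reject a login because krbPasswordExpiration has passed."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][(.|,)fraction](Z|+hhmm|-hhmm)
_GT = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})"
    r"(?P<mi>\d{2})?(?P<s>\d{2})?(?:[.,](?P<frac>\d+))?"
    r"(?P<tz>Z|[+-]\d{4})$"
)


def parse_generalized_time(value: str) -> datetime:
    """Return an aware UTC datetime for an LDAP GeneralizedTime string."""
    m = _GT.match(value.strip())
    if not m:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    g = m.groupdict()
    dt = datetime(int(g["y"]), int(g["mo"]), int(g["d"]), int(g["h"]),
                  int(g["mi"] or 0), int(g["s"] or 0), tzinfo=timezone.utc)
    if g["frac"]:
        # The fraction refines the smallest field present (second, minute or hour)
        unit = (timedelta(seconds=1) if g["s"]
                else timedelta(minutes=1) if g["mi"] else timedelta(hours=1))
        dt += unit * float("0." + g["frac"])
    if g["tz"] != "Z":
        # Value was local time with an explicit offset; normalise to UTC
        sign = 1 if g["tz"][0] == "+" else -1
        offset = timedelta(hours=int(g["tz"][1:3]), minutes=int(g["tz"][3:5]))
        dt -= sign * offset
    return dt


def password_expired(expiration: Optional[str], now_epoch: int) -> bool:
    """True if the expiration is at or before 'now' (epoch seconds, like %l).

    Assumed policy: a missing attribute counts as expired (fail closed).
    """
    if not expiration:
        return True
    now = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    return parse_generalized_time(expiration) <= now


def decide(expiration: Optional[str], now_epoch: int) -> str:
    """Authorization outcome for the request: 'reject' if expired, else 'ok'."""
    return "reject" if password_expired(expiration, now_epoch) else "ok"
```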

