Reject users who are expired in DS 389 (based on LDAP v3)
luckydogxf at gmail.com
Thu Apr 9 11:18:27 CEST 2020
Currently I'm using FreeIPA (based on DS389) as the backend and the LDAP module
to do AAA.
Users' passwords in DS389 may be expired, and the weird thing is that the user
can still log in on the NAS (VPN, etc.).
There only exists an attribute named 'krbPasswordExpiration', and its value
is something like 20201022032134Z.
So once a user logs in, I will extract this value and compare it with the
current date (I guess this is a runtime variable, "%l") to decide whether
to continue or to reject it immediately.
I tried to set this in ../module-enabled/ldap:
control:Password-With-Header += 'userPassword'
control: += ' krbPasswordExpiration '
It always throws an exception. So how do I resolve this?
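The check the post asks for, written out as an added example (this is not code from the post, from FreeRADIUS or from FreeIPA). It parses the krbPasswordExpiration value, an LDAP GeneralizedTime string (RFC 4517), into a UTC timestamp and compares it with the current time. It assumes the LDAP module's update section has already copied the attribute into a FreeRADIUS attribute (say a Tmp-String-0 control attribute, an assumption here) and that the value is handed to the script as its first argument, for instance from rlm_exec, which maps exit code 0 to ok and 1 to reject. The sample values are constructed. An absent value is treated as "no expiry", a value that cannot be parsed is treated as expired so the check fails closed; both are policy choices you may want to change.

```python
#!/usr/bin/env python3
"""Reject a RADIUS login when krbPasswordExpiration (LDAP GeneralizedTime) is in the past.

Added example; assumes the value was copied out of LDAP into a FreeRADIUS attribute
by the ldap module's update section and passed to this script as argv[1] (e.g. via
rlm_exec, where exit 0 = ok and exit 1 = reject).
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.frac](Z|+hh[mm]|-hh[mm]).
GENERALIZED_TIME_RE = re.compile(
    r"^(?P<Y>\d{4})(?P<m>\d{2})(?P<d>\d{2})(?P<H>\d{2})"
    r"(?P<M>\d{2})?(?P<S>\d{2})?(?:[.,](?P<frac>\d+))?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$"
)


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string into an aware UTC datetime.

    Raises ValueError on anything that is not a valid GeneralizedTime.
    """
    m = GENERALIZED_TIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    g = m.groupdict()
    # datetime() itself rejects impossible dates such as month 13 (ValueError).
    dt = datetime(int(g["Y"]), int(g["m"]), int(g["d"]), int(g["H"]),
                  int(g["M"] or 0), int(g["S"] or 0))
    if g["frac"]:
        # The fraction applies to the smallest unit that was given.
        frac = float("0." + g["frac"])
        if g["S"] is not None:
            dt += timedelta(seconds=frac)
        elif g["M"] is not None:
            dt += timedelta(minutes=frac)
        else:
            dt += timedelta(hours=frac)
    tz = g["tz"]
    if tz != "Z":
        # Local time with an offset: UTC = local - offset.
        sign = 1 if tz[0] == "+" else -1
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5] or 0))
        dt -= sign * offset
    return dt.replace(tzinfo=timezone.utc)


def password_expired(krb_expiration, now=None):
    """True if the password must be treated as expired.

    Policy choices (assumptions, adjust to taste):
      * no value at all        -> not expired (no expiry set on the account)
      * unparseable value      -> expired (fail closed rather than let junk through)
    `now` may be passed for testing; it defaults to the current UTC time, the same
    instant FreeRADIUS exposes as the %l (Unix time) xlat.
    """
    if krb_expiration is None or not krb_expiration.strip():
        return False
    if now is None:
        now = datetime.now(timezone.utc)
    try:
        return parse_generalized_time(krb_expiration) <= now
    except ValueError:
        return True


def exit_code_for(krb_expiration, now=None):
    """rlm_exec style result: 0 = ok (continue), 1 = reject."""
    return 1 if password_expired(krb_expiration, now) else 0


if __name__ == "__main__":
    # Constructed value of the form seen in the post, used when no argument is given.
    value = sys.argv[1] if len(sys.argv) > 1 else "20201022032134Z"
    sys.exit(exit_code_for(value))
```

Because GeneralizedTime is a fixed-layout string, a purely lexical comparison of two "...Z" values of identical length would also work inside unlang, but it silently breaks on offsets or fractional seconds, which is why the example normalises to UTC first.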