Reject Users who are expired in DS 389 (Based on LDAP V3)

luckydog xf luckydogxf at
Thu Apr 9 11:18:27 CEST 2020


  Currently I'm using FreeIPA (based on DS389) as the backend and the LDAP
module to do AAA.

  Users' passwords in DS389 may be expired, and the weird thing is that the user
can still log in on the NAS (VPN etc.).

  There only exists an attribute named 'krbPasswordExpiration', and its value
is something like 20201022032134Z.
  So once the user logs in, I will extract this value and compare it with the
current date (I guess this is a runtime variable, "%l") to decide whether
to continue or reject it immediately.

  I tried to set the following in ../module-enabled/ldap:
                control:Password-With-Header    += 'userPassword'

                control:                        += ' krbPasswordExpiration '

  It always throws an exception. So how do I resolve this?

 Thanks. Regards
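The check the poster describes, as an added example that is not part of the original post and not FreeRADIUS or FreeIPA code: krbPasswordExpiration is an LDAP GeneralizedTime string, so it has to be parsed into a real timestamp before it can be compared with the current time (FreeRADIUS's %l expands to seconds since the epoch, so the raw string cannot be compared against it directly). The example parses the RFC 4517 GeneralizedTime forms (UTC "Z", numeric offsets, optional fractional part), fails closed on an unparsable value, and makes the treatment of an entry with no expiry attribute an explicit policy choice. The entry layout (a dict of attribute name to a list of byte values, as python-ldap returns it), the sample entries and the helper names are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime (RFC 4517 section 3.3.13), the syntax used by
# krbPasswordExpiration: YYYYMMDDhh[mm[ss]][(.|,)fraction](Z | +hhmm | -hhmm)
_GENERALIZED_TIME = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})"
    r"(?P<mi>\d{2})?(?P<s>\d{2})?"
    r"(?:[.,](?P<frac>\d+))?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$"
)


def parse_generalized_time(value):
    """Return a timezone-aware datetime for an LDAP GeneralizedTime string.

    Raises ValueError on anything that is not a valid GeneralizedTime,
    including calendar-impossible dates such as month 13.
    """
    m = _GENERALIZED_TIME.match(value.strip())
    if not m:
        raise ValueError("not a GeneralizedTime: %r" % value)
    g = m.groupdict()

    # The fractional part refers to the smallest field that is present.
    unit = timedelta(hours=1)
    if g["mi"] is not None:
        unit = timedelta(minutes=1)
    if g["s"] is not None:
        unit = timedelta(seconds=1)
    frac = timedelta(0)
    if g["frac"]:
        frac = unit * (int(g["frac"]) / 10 ** len(g["frac"]))

    tz = g["tz"]
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        off_h = int(tz[1:3])
        off_m = int(tz[3:5]) if len(tz) == 5 else 0
        tzinfo = timezone(sign * timedelta(hours=off_h, minutes=off_m))

    dt = datetime(int(g["y"]), int(g["mo"]), int(g["d"]), int(g["h"]),
                  int(g["mi"] or 0), int(g["s"] or 0), tzinfo=tzinfo)
    return dt + frac


def check_password_expiry(entry, now=None, reject_if_missing=False):
    """Decide whether a user whose LDAP entry is `entry` may proceed.

    `entry` is assumed to map attribute names to lists of byte values, the
    shape python-ldap returns.  Returns (accept, reason).  An unparsable
    expiry value is treated as expired (fail closed); whether a missing
    attribute is accepted is a policy choice controlled by reject_if_missing.
    """
    now = now or datetime.now(timezone.utc)
    values = entry.get("krbPasswordExpiration") or []
    if not values:
        if reject_if_missing:
            return False, "no krbPasswordExpiration on entry"
        return True, "no password expiry set"

    raw = values[0]
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", "replace")
    try:
        expires = parse_generalized_time(raw)
    except ValueError as exc:
        return False, "unparsable krbPasswordExpiration: %s" % exc

    if expires <= now:
        return False, "password expired at %s" % expires.isoformat()
    return True, "password valid until %s" % expires.isoformat()


if __name__ == "__main__":
    # Constructed sample entries; not real directory data.
    samples = {
        "alice": {"krbPasswordExpiration": [b"20201022032134Z"]},
        "bob": {"krbPasswordExpiration": [b"20301022052134+0200"]},
        "carol": {},
        "dave": {"krbPasswordExpiration": [b"never"]},
    }
    # Fixed "current time" so the run is reproducible.
    now = parse_generalized_time("20210101000000Z")
    for user, entry in samples.items():
        accept, reason = check_password_expiry(entry, now=now)
        print("%-6s %s  (%s)" % (user, "Access-Accept" if accept else "Access-Reject", reason))
```

The same decision can be expressed in unlang once the attribute has been converted to a timestamp; the point the example makes is that the conversion step is mandatory and that a value the parser does not understand should reject rather than silently pass.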

More information about the Freeradius-Users mailing list