Reject Users who are expired in DS 389( Based on LDAP V3)

Alan DeKok aland at
Thu Apr 9 14:13:11 CEST 2020

On Apr 9, 2020, at 5:18 AM, luckydog xf <luckydogxf at> wrote:
>  Currently I'm using FreeIPA (Based on DS389 ) as backend and LDAP module
> to do AAA.
>  Users's password in DS389 may be expired and the weird thing is that user
> can still login on NAS( VPN.etc).
> There only exists an attribute named 'krbPasswordExpiration' and its value
> is something like 20201022032134Z.

  That's a time format with the years, months, and days all mashed into one field.  Definitely not the normal LDAP user expiration field, or format.

>  So once user logins on, I will extract this value and compare with
> current date ( Guess this is a runtime variable, "%l ") to decide whether
> to continue or  reject it immediately.

  That's a good start, but it won't work.  "%l" is the current Unix epoch time in seconds.  The krbPasswordExpiration field is not in the same format.  You will need to convert one format to the other.  See mods-available/date, which can do some date conversion.

> I tried to set in the ../module-enabled/ldap
> ----
>                control:Password-With-Header    += 'userPassword'
>                control:                        += ' krbPasswordExpiration '
> ---
>  It always throws an exception.  So how to resolve this?

  Read the documentation and follow it.  You cannot just put a bare "control:"  into the LDAP map. The "control" name means that the attribute is being put into the "control" list.  Except you didn't specify which attribute to use.

  So... follow the rest of the examples, and add an attribute name.

  And when you post messages, include the *actual error*.  It's important.  When you say "it throws an exception", that's not true, and misleading.  It gives a very specific error message, which you are ignoring.

  Alan DeKok.

More information about the Freeradius-Users mailing list