Reject users who are expired in DS 389 (based on LDAP v3)
luckydog xf
luckydogxf at gmail.com
Wed Apr 15 08:29:22 CEST 2020
I added a dictionary named krbpasswdexpire in /etc/raddb/dictionary,
and updated /etc/raddb/mod-enabled/ldap:
control:krbpasswdexpire += "%{date:krbPasswordExpiration}"
Here is my date module:
date {
format = "%Y%m%d%H%M%SZ"
# Use UTC instead of local time.
#
# default = no
utc = yes
}
---------------
Here is part of `radiusd -X`,
----------------
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) ldap: EXPAND %{date:krbPasswordExpiration}
(0) ldap: -->
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (uid=tom)
Note: this did not expand the value.
(0) ldap: EXPAND %{date:krbPasswordExpiration}
(0) ldap: -->
So, anything wrong? Thanks.
On Thu, Apr 9, 2020 at 8:13 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Apr 9, 2020, at 5:18 AM, luckydog xf <luckydogxf at gmail.com> wrote:
> >
> > Currently I'm using FreeIPA (based on DS389) as the backend and the LDAP module
> > to do AAA.
> >
> > Users' passwords in DS389 may be expired, and the weird thing is that the user
> > can still log in on the NAS (VPN, etc.).
> >
> > There only exists an attribute named 'krbPasswordExpiration', and its value
> > is something like 20201022032134Z.
>
> That's a time format with the years, months, and days all mashed into
> one field. Definitely not the normal LDAP user expiration field, or format.
>
> > So once a user logs in, I will extract this value and compare it with the
> > current date (guess this is a runtime variable, "%l") to decide whether
> > to continue or reject it immediately.
>
> That's a good start, but it won't work. "%l" is the current Unix epoch
> time in seconds. The krbPasswordExpiration field is not in the same
> format. You will need to convert one format to the other. See
> mods-available/date, which can do some date conversion.
>
> > I tried to set this in ../module-enabled/ldap:
> > ----
> > control:Password-With-Header += 'userPassword'
> >
> > control: += 'krbPasswordExpiration'
> >
> > ---
> > It always throws an exception. So how to resolve this?
>
> Read the documentation and follow it. You cannot just put a bare
> "control:" into the LDAP map. The "control" name means that the attribute
> is being put into the "control" list. Except you didn't specify which
> attribute to use.
>
> So... follow the rest of the examples, and add an attribute name.
>
> And when you post messages, include the *actual error*. It's
> important. When you say "it throws an exception", that's not true, and
> misleading. It gives a very specific error message, which you are ignoring.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
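The comparison this thread is working toward, written as a stand-alone Python script. This is an added example, not code from the thread or from the FreeRADIUS project: it parses an LDAP GeneralizedTime value such as the krbPasswordExpiration shown above (20201022032134Z) into Unix epoch seconds, the same unit "%l" yields, and decides whether the password has expired. The function names, the constructed sample values, the choice to fail closed on unparseable data and the choice to treat a missing attribute as "no expiry" are all assumptions of the example; it changes nothing about how rlm_ldap or rlm_date behave. Note from the radiusd -X output above that the %{date:krbPasswordExpiration} expansion runs before the LDAP filter is expanded and the query is made, so the script assumes the value has already been fetched from the directory.

```python
"""Decide whether an LDAP/Kerberos GeneralizedTime expiry has passed.

Added example for the FreeRADIUS-Users thread above; not project code.
Input: the string value of krbPasswordExpiration (RFC 4517 GeneralizedTime)
and the current Unix epoch (what FreeRADIUS's %l provides).
"""
import re
import time
from datetime import datetime, timedelta, timezone
from typing import Optional

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fff][Z|+hhmm|-hhmm]
# Minutes, seconds, fraction and zone are each optional.
_GT_RE = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})"
    r"(?P<mi>\d{2})?(?P<s>\d{2})?"
    r"(?:[.,](?P<frac>\d+))?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)?$"
)


def generalized_time_to_epoch(value: str) -> int:
    """Parse a GeneralizedTime string and return Unix epoch seconds (UTC).

    Raises ValueError on malformed input so that callers can fail closed.
    """
    m = _GT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a GeneralizedTime value: {value!r}")
    g = m.groupdict()
    tz = g["tz"]
    if tz is None or tz == "Z":
        # RFC 4517 says a missing zone means local time; FreeIPA / 389-ds
        # emit 'Z'. Assumption of this example: treat a missing zone as UTC
        # rather than guessing the directory server's local zone.
        zone = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        hours = int(tz[1:3])
        minutes = int(tz[3:5]) if len(tz) == 5 else 0
        zone = timezone(sign * timedelta(hours=hours, minutes=minutes))
    dt = datetime(
        int(g["y"]), int(g["mo"]), int(g["d"]), int(g["h"]),
        int(g["mi"] or 0), int(g["s"] or 0), tzinfo=zone,
    )
    # Fractional seconds are dropped. That floors the expiry, so at worst
    # an account is treated as expired a fraction of a second early, which
    # is the conservative direction for an access-control decision.
    return int(dt.timestamp())


def password_expired(expiry: str, now_epoch: int) -> bool:
    """True when the expiry instant is at or before 'now'."""
    return generalized_time_to_epoch(expiry) <= now_epoch


def decide(expiry: Optional[str], now_epoch: int) -> str:
    """Return 'accept' or 'reject' for an authentication attempt.

    Assumptions of this example: no attribute at all means no expiry policy
    applies (accept); a value that cannot be parsed is rejected (fail closed)
    rather than silently allowed through.
    """
    if not expiry:
        return "accept"
    try:
        return "reject" if password_expired(expiry, now_epoch) else "accept"
    except ValueError:
        return "reject"


if __name__ == "__main__":
    # Constructed sample values; the first is the one quoted in the thread.
    samples = ["20201022032134Z", "20991231235959Z", "20201022112134+0800", "garbage"]
    now = int(time.time())
    for s in samples:
        print(f"{s:25s} -> {decide(s, now)}")
```

A note on the decision logic: the script compares in epoch seconds only after normalising the zone, so an expiry stored with an offset (+0800, -08) resolves to the same instant as its 'Z' form; the date module's utc = yes setting in the post is the same idea on the FreeRADIUS side.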