Reject Users who are expired in DS 389 (Based on LDAP V3)
Alan DeKok
aland at deployingradius.com
Wed Apr 15 14:59:53 CEST 2020
On Apr 15, 2020, at 2:29 AM, luckydog xf <luckydogxf at gmail.com> wrote:
>
> I added a dictionary named krbpasswdexpire in /etc/raddb/dictionary.
>
> And update /etc/raddb/mod-enabled/ldap
>
> control:krbpasswdexpire += "%{date:krbPasswordExpiration}"
That doesn't work. The "krbPasswordExpiration" string is NOT something which is available to the dynamic string expansions.

You must do this:

edit raddb/dictionary

  Add krbpasswdexpireString as a "string" attribute.
  Add a krbpasswdexpireDate as a "date" attribute

update /etc/raddb/mod-enabled/ldap

  control:krbpasswdexpireString += krbPasswordExpiration

Which assigns the "2020...Z" string to the krbpasswdexpireString attribute.

Then after the LDAP module has run, parse the date:

  update control {
    krbpasswdexpireDate := "%{date:&control:krbpasswdexpireString}"
  }

That should work.
Alan DeKok.
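
The comparison this thread is working toward, sketched outside FreeRADIUS as an added Python example (not from the original post and not FreeRADIUS configuration): it parses the "2020...Z" GeneralizedTime string that krbPasswordExpiration holds and lists the accounts an expiry policy should reject. The sample directory values, NOW, the function names and the fail-closed handling of unparsable values are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime with full seconds: YYYYMMDDHHMMSS[.frac](Z|+hhmm|-hhmm).
# A fraction of a second is accepted and ignored.
_GT = re.compile(
    r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:[.,]\d+)?(Z|[+-]\d{2}(?:\d{2})?)"
)

def parse_generalized_time(value):
    """Return the value as an aware UTC datetime, or raise ValueError."""
    m = _GT.fullmatch(value.strip())
    if not m:
        raise ValueError("not a GeneralizedTime value: %r" % value)
    fields = [int(m.group(i)) for i in range(1, 7)]
    zone = m.group(7)
    if zone == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5] or 0))
    # datetime() and timezone() raise ValueError for out-of-range fields.
    return datetime(*fields, tzinfo=timezone(offset)).astimezone(timezone.utc)

def is_expired(expiry_value, now):
    """True when the expiry time has passed. Unparsable values count as
    expired (assumption: fail closed instead of letting bad data through)."""
    try:
        return parse_generalized_time(expiry_value) <= now
    except ValueError:
        return True

def rejected_users(directory, now):
    """Names whose krbPasswordExpiration value means 'reject', sorted."""
    return sorted(user for user, value in directory.items() if is_expired(value, now))

# Constructed sample data, not taken from any real directory.
NOW = datetime(2020, 4, 15, 12, 59, 53, tzinfo=timezone.utc)
SAMPLES = {
    "alice": "20200101000000Z",      # expired months before NOW
    "bob": "20300101000000Z",        # still valid
    "carol": "20200415145953+0200",  # same instant as NOW, written with an offset
    "dave": "Apr 15 2020",           # not GeneralizedTime, so fail closed
}

if __name__ == "__main__":
    print(rejected_users(SAMPLES, NOW))
```

Comparing in UTC matters here: carol's value only matches NOW once its +0200 offset is applied, so a parser that ignores the zone suffix would be off by the local offset.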