Reject Users who are expired in DS 389 (Based on LDAP v3)

Alan DeKok aland at
Wed Apr 15 14:59:53 CEST 2020

On Apr 15, 2020, at 2:29 AM, luckydog xf <luckydogxf at> wrote:
> I added a dictionary named  krbpasswdexpire  in /etc/raddb/dictionary.
> And update /etc/raddb/mod-enabled/ldap
> control:krbpasswdexpire         += "%{date:krbPasswordExpiration}"

  That doesn't work.  The "krbPasswordExpiration" string is NOT something which is available to the dynamic string expansions.

  You must do this:

edit raddb/dictionary

  Add krbpasswdexpireString as a "string" attribute.

  Add a krbpasswdexpireDate as a "date" attribute

update /etc/raddb/mod-enabled/ldap

control:krbpasswdexpireString         += krbPasswordExpiration

  Which assigns the "2020...Z" string to the krbpasswdexpireString attribute.

  Then after the LDAP module has run, parse the date:

	update control {
		krbpasswdexpireDate := "%{date:&control:krbpasswdexpireString}"
	}

  That should work.

  Alan DeKok.
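Editor's note: the following is an added worked example that pulls the steps above into one configuration; it is not Alan's code and not shipped FreeRADIUS configuration. It assumes the LDAP value is a Kerberos GeneralizedTime such as "20200415235959Z", that the local attribute numbers 3000 and 3001 are free in your dictionary, that the rlm_date module is enabled, and that your 3.0.x build has the "utc" option in mods-available/date. The "%l" expansion (current time as a unix timestamp) and the numeric comparison of a date attribute are standard unlang in v3.

```text
# raddb/dictionary
# Local attributes; the 3000-4000 range is reserved for local use.
ATTRIBUTE	krbpasswdexpireString	3000	string
ATTRIBUTE	krbpasswdexpireDate	3001	date

# raddb/mods-enabled/ldap, inside the update { } block of the ldap module.
# Copies the raw LDAP value (e.g. "20200415235959Z") into the string attribute.
update {
	control:krbpasswdexpireString	+= 'krbPasswordExpiration'
}

# raddb/mods-enabled/date
# rlm_date runs strptime() with this format when handed a string attribute.
# "utc = yes" makes the trailing Z mean UTC instead of local time (assumed option).
date {
	format = "%Y%m%d%H%M%SZ"
	utc = yes
}

# raddb/sites-enabled/default, authorize section, after the ldap call.
ldap
if (ok || updated) {
	if (&control:krbpasswdexpireString) {
		# Parse the GeneralizedTime string into a real date attribute.
		update control {
			&krbpasswdexpireDate := "%{date:&control:krbpasswdexpireString}"
		}
		# "%l" is the current time as seconds since the epoch; a date
		# attribute compares numerically, so an expired principal is rejected here.
		if (&control:krbpasswdexpireDate < "%l") {
			update reply {
				Reply-Message := "Kerberos password expired on %{control:krbpasswdexpireString}"
			}
			reject
		}
	}
}
```

Check it with "radiusd -X": the debug output shows the string attribute being set by the ldap module, the date expansion returning an integer, and the comparison branch that fires. If the expansion returns nothing, the value in LDAP does not match the strptime format above.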

More information about the Freeradius-Users mailing list