Reject Users who are expired in DS 389 (Based on LDAP V3)
luckydog xf
luckydogxf at gmail.com
Thu Apr 16 09:52:28 CEST 2020
I did as you suggested.
Now the ldap module works; here is the output of `radiusd -X`:
(0) ldap: control:krbpasswdexpireString += '20200706030533Z'
....
rlm_ldap (ldap): Bind successful
(0) [ldap] = updated
(0) update control {
(0) EXPAND %{date:&(control:krbpasswdexpireString)}
(0) -->
(0) krbpasswdexpireDate := Jan 1 1970 08:00:00 HKT
It seems that date does not get the correct input; here is my
site-available/default:
-------
ldap
update control {
    krbpasswdexpireDate := "%{date:&control:krbpasswdexpireString}"
    # I want to convert it to unix epoch time.
    if ( krbpasswdexpireDate >"%l" ) {
        reject
    }
}
Thanks,
On Wed, Apr 15, 2020 at 9:00 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Apr 15, 2020, at 2:29 AM, luckydog xf <luckydogxf at gmail.com> wrote:
> >
> > I added a dictionary named krbpasswdexpire in /etc/raddb/dictionary.
> >
> > And update /etc/raddb/mod-enabled/ldap
> >
> > control:krbpasswdexpire += "%{date:krbPasswordExpiration}"
>
> That doesn't work. The "krbPasswordExpiration" string is NOT something
> which is available to the dynamic string expansions.
>
> You must do this:
>
> edit raddb/dictionary
>
> Add krbpasswdexpireString as a "string" attribute.
>
> Add a krbpasswdexpireDate as a "date" attribute
>
> update /etc/raddb/mod-enabled/ldap
>
> control:krbpasswdexpireString += krbPasswordExpiration
>
> Which assigns the "2020...Z" string to the krbpasswdexpireString
> attribute.
>
> Then after the LDAP module has run, parse the date:
>
> update control {
>     krbpasswdexpireDate := "%{date:&control:krbpasswdexpireString}"
> }
>
> That should work.
>
> Alan DeKok.
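The conversion discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: parsing an LDAP GeneralizedTime value such as the `20200706030533Z` seen in the debug output into Unix epoch seconds and comparing it with the current time. The function names and the fail-closed handling of unparsable values are assumptions of this example, and it also accepts the numeric-offset forms of GeneralizedTime, which do not appear in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction](Z|+hh[mm]|-hh[mm])
_GT = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?"
    r"(?:[.,]\d+)?(Z|[+-]\d{2}(?:\d{2})?)$"
)


def generalized_time_to_epoch(value):
    """Return Unix epoch seconds, or None if the string is not a valid timestamp.

    Any fractional part is ignored (the value is truncated).
    """
    m = _GT.match(value.strip())
    if not m:
        return None
    year, month, day, hour = (int(m.group(i)) for i in range(1, 5))
    minute = int(m.group(5) or 0)
    second = int(m.group(6) or 0)
    zone = m.group(7)
    if zone == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]),
                                  minutes=int(zone[3:5] or 0))
    try:
        dt = datetime(year, month, day, hour, minute, second,
                      tzinfo=timezone(offset))
    except ValueError:  # impossible date or offset, e.g. month 13
        return None
    return int(dt.timestamp())


def password_expired(expire_string, now_epoch):
    """Assumed policy: a missing or unparsable expiry counts as expired."""
    expires = generalized_time_to_epoch(expire_string or "")
    return expires is None or expires <= now_epoch


if __name__ == "__main__":
    # Expiry string from the thread; "now" is the constructed UTC form of the
    # message timestamp (Thu Apr 16 09:52:28 CEST 2020).
    now = generalized_time_to_epoch("20200416075228Z")
    print(generalized_time_to_epoch("20200706030533Z"), now)
    print("expired:", password_expired("20200706030533Z", now))
```

A failed parse is reported as `None` rather than as epoch 0, so a parsing failure cannot be mistaken for a real date of Jan 1 1970.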