CentOS OpenLDAP pwdReset Attribute

Alan DeKok aland at deployingradius.com
Mon Oct 25 23:09:23 CEST 2021

On Oct 25, 2021, at 1:41 PM, Th1am1dMonozoicK4runa via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Issue:
> FreeRADIUS ignores pwdReset attribute, because it only needs the initial OpenLDAP bind to be successful.

  FreeRADIUS treats LDAP as a database, and doesn't try to use / validate the entire user object.

> Description:
> If there are any users on the list with the above config, how do you get around the issue of password resets, specifically having the pwdReset attribute set? Our users primarily use RADIUS for network device authentication, but then we also have a few web apps that only work with LDAP. So, we pointed FreeRADIUS at OpenLDAP, and use LDAP's password policy to adhere to company security policies. Seems like this would be a common config, and everything generally works great. The only main issue is when it comes time to reset a user's password. We have the pwdMustChange option set to TRUE, and when an admin resets a user's password (from out lockout or forgotten) the pwdReset attribute shows up as expected and is set to TRUE. Since FreeRADIUS only cares about a simple BIND to OpenLDAP, the end user can continue to use the given (temp) password, because the initial BIND works as expected. FreeRADIUS doesn't care about the pwdReset attribute, so just lets the user login to the network device.

  You can always run an LDAP query manually via "unlang" to check the status of the pwdReset field.

> In the documentation, right above the "Auth-Type LDAP" section, I noticed the lines "We do NOT recommend using this". So I'm curious what is the recommended best practice for situations that require both LDAP and RADIUS authentication for their various apps and devices?

  The recommendation against using "Auth-Type = LDAP" is that it only works for clear-text passwords.  If the user tries CHAP / MS-CHAP / EAP, then "Auth-Type = LDAP" simply won't work.

  If all of your authentication is via clear-text passwords, then it should be fine.

  Note also that there's no standard for doing password changes via RADIUS.  So the only thing you'll get by setting / checking pwdReset is that users won't be able to login via RADIUS.

  Alan DeKok.
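The "unlang" check suggested above, written out as an added example (not part of the original post, and not shipped FreeRADIUS configuration). It assumes FreeRADIUS 3.x, an OpenLDAP base DN of dc=example,dc=com with users keyed by uid, and that the identity the ldap module binds with is allowed by OpenLDAP's ACLs to read the ppolicy overlay's operational attribute pwdReset; all three are placeholders for your own setup. Put it in the authorize section of whichever virtual server actually looks the user up (the inner-tunnel server for PEAP / EAP-TTLS):

```unlang
# raddb/sites-enabled/default, "authorize" section (FreeRADIUS 3.x).
# Example only: base DN, uid keying and the ACL on pwdReset are assumptions.
authorize {
    # ... filter_username, preprocess, etc. as shipped ...

    # Look the user up; the module returns ok/updated when the object exists.
    ldap

    if ((ok || updated) && &User-Name) {
        # rlm_ldap xlat: ldap:///<base>?<attribute>?<scope>?<filter>
        # pwdReset is an operational attribute, so it is only returned when
        # requested by name, as it is here. User-Name is LDAP-escaped by the
        # xlat before it is placed in the filter.
        update request {
            &Tmp-String-0 := "%{ldap:ldap:///dc=example,dc=com?pwdReset?sub?(uid=%{User-Name})}"
        }

        # ppolicy stores a Boolean, so a pending reset reads literally "TRUE".
        # A user who still has the admin-issued temporary password gets an
        # Access-Reject even though the simple bind in "authenticate" would
        # have succeeded.
        if (&Tmp-String-0 == "TRUE") {
            update reply {
                &Reply-Message := "Password must be changed before RADIUS login"
            }
            reject
        }
    }

    # ... expiration, logintime, pap ...
}
```

Because the check runs in authorize, it applies regardless of whether the request goes on to PAP, CHAP, MS-CHAP or EAP. As the reply notes, there is no RADIUS mechanism for the user to clear pwdReset: the attribute is only cleared by OpenLDAP when the user changes the password over LDAP (the web apps or an admin tool), so the net effect of this block is exactly a reject until that happens.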
