On Wed, Feb 29, 2012 at 4:16 AM, <u...@3.am> wrote:
> Hi:
>
> We've been running various versions of FreeRadius for years, currently 2.1.10 in
> this application. A while ago, we switched from PAM (unix) auth to LDAP auth.
> Everything worked fine after the switch...POSIX attributes for group membership
> correctly allocated the right ippools, etc.
>
> However, we just noticed that password expiry isn't working. I suspect this is
> because we are still using all the original POSIX attributes and none of them look
> like good candidates for mapping to the ones supplied by FreeRADIUS. I see:
>
>     checkItem Expiration radiusExpiration
>
> Our LDAP attributes use the following POSIX attributes to determine expiry:
>
>     shadowMax: 90
>     shadowLastChange: 15215
>
> With the first being the maximum age of the password and the second being the
> number of days since the Epoch. I will post the obligatory debug output below
> (with sensitive or irrelevant stuff snipped out) for a successful authentication
> for an expired password that shouldn't have succeeded. If anybody has an idea how
> to fix this with the minimum of messing around with our LDAP config itself, I'd
> greatly appreciate it...or, if that's unrealistic, what should be done. TIA!
IIRC the Expiration attribute requires the format of "01 Jan 2011 01:00:00" (or something like that; other formats might work, test it first).

From the two LDAP attributes, you should be able to process them and present it as a new attribute. I see no easy way to do that without an additional module though.

You COULD use something like this in ldap.attrmap:

    checkItem Tmp-Integer-0 shadowMax
    checkItem Tmp-Integer-1 shadowLastChange

... then convert it to Expiration with rlm_perl/rlm_sql/whatever. If you already have a mysql instance (e.g. for accounting), you could probably use it to do the processing. Something like this (see http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html):

    update control {
        Expiration := "%{sql: SELECT FROM_UNIXTIME( ( %{Tmp-Integer-0} + %{Tmp-Integer-1} ) * 86400, '%d %b %Y %H:%i:%s' )}"
    }

--
Fajar

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
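The conversion Fajar describes (shadowLastChange + shadowMax, in days since the epoch, turned into an Expiration timestamp) as an added example in Python; this is not code from the thread, from FreeRADIUS, or from any rlm_perl module. It assumes the "DD Mon YYYY HH:MM:SS" layout quoted above for Expiration, and the `entry` dict stands in for whatever the LDAP module has fetched for the user (the attribute names are the real shadow ones; the sample values are the ones from the original question). It also covers the edge case the SQL one-liner does not: an entry with no shadowMax (or no shadowLastChange) has no maximum age and must not be treated as expired.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# shadowLastChange counts days since the Unix epoch, so all arithmetic is done in UTC.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Fixed English month abbreviations so the output does not depend on the
# process locale (strftime's %b would, which is a problem inside a daemon).
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def shadow_expiry(shadow_max: Optional[int],
                  shadow_last_change: Optional[int]) -> Optional[datetime]:
    """UTC moment at which a shadow password expires, or None if it never does.

    A missing shadowMax means the password has no maximum age; a missing
    shadowLastChange gives nothing to measure from. Neither yields a date.
    """
    if shadow_max is None or shadow_last_change is None:
        return None
    return EPOCH + timedelta(days=shadow_last_change + shadow_max)


def format_expiration(when: datetime) -> str:
    """Render a datetime as 'DD Mon YYYY HH:MM:SS' (the layout quoted in the thread)."""
    return (f"{when.day:02d} {MONTHS[when.month - 1]} {when.year:04d} "
            f"{when.hour:02d}:{when.minute:02d}:{when.second:02d}")


def _int_attr(entry: dict, name: str) -> Optional[int]:
    """LDAP hands attribute values over as strings; parse one, or None if absent/blank."""
    value = entry.get(name)
    if value is None or str(value).strip() == "":
        return None
    return int(value)


def expiration_from_ldap(entry: dict) -> Optional[str]:
    """Map an entry's shadow attributes to an Expiration string, or None for 'never'."""
    when = shadow_expiry(_int_attr(entry, "shadowMax"),
                         _int_attr(entry, "shadowLastChange"))
    return None if when is None else format_expiration(when)


def password_expired(entry: dict, now: Optional[datetime] = None) -> bool:
    """True when the entry's password has aged out as of `now` (default: current UTC time)."""
    if now is None:
        now = datetime.now(timezone.utc)
    when = shadow_expiry(_int_attr(entry, "shadowMax"),
                         _int_attr(entry, "shadowLastChange"))
    return when is not None and now >= when


if __name__ == "__main__":
    # Constructed sample entry using the two values posted in the question.
    sample = {"uid": "someuser", "shadowMax": "90", "shadowLastChange": "15215"}
    print(expiration_from_ldap(sample))   # 27 Nov 2011 00:00:00
    # Checked against the date of the thread (29 Feb 2012): already expired.
    print(password_expired(sample, datetime(2012, 2, 29, tzinfo=timezone.utc)))  # True
    # No shadowMax: no maximum age, so never reported as expired.
    print(password_expired({"shadowLastChange": "15215"}))  # False
```

Two things worth noting when comparing this with the rlm_sql variant: MySQL's FROM_UNIXTIME() renders in the session time zone, so unless that zone is UTC the computed Expiration can be shifted by the zone offset relative to the UTC day boundary the shadow attributes describe; and when either attribute is missing the SQL expression evaluates to NULL, which needs to be handled before it is assigned into Expiration rather than silently producing an empty (and therefore rejected or ignored) value.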