> On 28/02/12 21:16, u...@3.am wrote:
>> Hi:
>>
>> We've been running various versions of FreeRadius for years, currently
>> 2.1.10 in this application.  A while ago, we switched from PAM (unix)
>> auth to LDAP auth.  Everything worked fine after the switch...POSIX
>> attributes for group membership correctly allocated the right ippools, etc.
>>
>> However, we just noticed that password expiry isn't working.  I suspect
>> this is because we are still using all the original POSIX attributes and
>> none of them look good for mapping to the ones supplied by FreeRADIUS.
>> I see:
>>
>> checkItem       Expiration                      radiusExpiration
>>
>> Our LDAP attributes use the following POSIX attributes to determine expiry:
>>
>> shadowMax: 90
>> shadowLastChange: 15215
>
> Other replies should have convinced you that there's no built-in support
> for this. You will need to either:
>
>   1. Arrange for a FreeRADIUS-ready "radiusExpiration" attribute to be
> set in LDAP alongside the POSIX/shadow schemas
>
>   2. Synthesize an Expiration attribute, or otherwise locally check the
> POSIX/shadow attributes.
>
>
> One way you might accomplish the 2nd is as follows:
>
> == Create some local RADIUS attributes for the shadow values ==
>
> /etc/raddb/dictionary:
>
> ATTRIBUTE     Shadow-Max-Age          3000    integer
> ATTRIBUTE     Shadow-Last-Change      3001    integer
> ATTRIBUTE     Shadow-Expires          3002    integer
> ATTRIBUTE     Shadow-Current          3003    integer
>
> /etc/raddb/ldap.attrmap:
>
> checkItem     Shadow-Max-Age          shadowMax
> checkItem     Shadow-Last-Change      shadowLastChange
>
> == Read these attributes from LDAP, then perform some maths ==
>
> /etc/raddb/sites-enabled/<server>:
>
> authorize {
>    ...
>    ldap
>    update control {
>      Shadow-Expires := "%{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}"
>      Shadow-Current := "%{expr:%l / 86400}"
>    }
>    if (control:Shadow-Current > control:Shadow-Expires) {
>      reject
>    }
>    ...
> }
>
> Hopefully it's clear what this does, but basically:
>
>   1. Pulls last-change & max-age from LDAP
>   2. Adds them together, to get expiry (in days since epoch)
>   3. Divides %l (epoch) by 86400 to get today, in days since epoch
>   4. Compares them
> -

It's very clear...I had no idea that the ldap module could do math functions. 
This is just the kind of thing I was looking for.

Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
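The quoted unlang snippet above does its expiry check with integer arithmetic on the shadow values. The following Python is an added illustration of that same arithmetic, not code from the thread or from the FreeRADIUS project: `shadow_expiry_day` corresponds to the `Shadow-Expires` update, `password_expired` to the `Shadow-Current > Shadow-Expires` comparison, and `authorize` to the `reject` branch. The LDAP entries are constructed (only alice's `shadowLastChange: 15215` is taken from the thread); the function names are hypothetical. It goes one step beyond the posted snippet by treating an absent or negative `shadowMax` as "password does not age", which is the shadow(5) meaning, whereas the posted `%{expr:...}` would receive an empty operand in that case.

```python
import time

SECONDS_PER_DAY = 86400

# Constructed sample LDAP entries keyed by uid (not from the thread, except
# alice's shadowLastChange value). Values are strings, as LDAP returns them.
SAMPLE_ENTRIES = {
    "alice": {"shadowMax": "90", "shadowLastChange": "15215"},
    "bob":   {"shadowMax": "90", "shadowLastChange": "15400"},
    "carol": {"shadowLastChange": "15215"},   # no shadowMax: password never ages
    "dave":  {"shadowMax": "90"},             # no shadowLastChange: cannot compute
}


def shadow_expiry_day(entry):
    """Day (days since epoch) on which the password expires, or None if it never ages.

    Mirrors the unlang update: Shadow-Expires = Shadow-Last-Change + Shadow-Max-Age.
    shadow(5): an empty or negative shadowMax disables password ageing.
    """
    max_age = entry.get("shadowMax")
    last_change = entry.get("shadowLastChange")
    if max_age is None or int(max_age) < 0:
        return None
    if last_change is None:
        raise ValueError("shadowLastChange missing; cannot compute expiry")
    return int(last_change) + int(max_age)


def password_expired(entry, now=None):
    """True when today is past the expiry day.

    Mirrors Shadow-Current := %l / 86400 and the comparison
    'if (control:Shadow-Current > control:Shadow-Expires)'.
    """
    now = time.time() if now is None else now
    current_day = int(now) // SECONDS_PER_DAY
    expires = shadow_expiry_day(entry)
    if expires is None:
        return False
    return current_day > expires


def authorize(uid, now=None, entries=SAMPLE_ENTRIES):
    """Return "ok" or "reject", like the authorize section's reject branch.

    An entry whose expiry cannot be computed is rejected rather than let
    through, so a missing attribute fails closed.
    """
    entry = entries.get(uid)
    if entry is None:
        return "reject"  # unknown user
    try:
        return "reject" if password_expired(entry, now) else "ok"
    except ValueError:
        return "reject"


if __name__ == "__main__":
    # 28 Feb 2012 (the date of the thread) is day 15398 since the epoch.
    thread_day = 15398 * SECONDS_PER_DAY
    for uid in SAMPLE_ENTRIES:
        print(uid, shadow_expiry_day(SAMPLE_ENTRIES[uid]), authorize(uid, now=thread_day))
```

Run as a script it prints each constructed user's expiry day and the decision as of the thread's date; alice (15215 + 90 = day 15305) is already expired, bob is not, carol never expires, and dave is rejected because the expiry cannot be computed.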