> On 03/06/2012 02:10 AM, u...@3.am wrote:
>>> On 28/02/12 21:16, u...@3.am wrote:
>>>> However, we just noticed that password expiry isn't working. I suspect
>>>> this is because we are still using all the original POSIX attributes and
>>>> none of them look good for mapping to the ones supplied by FreeRADIUS.
>>>> I see:
>>>>
>>>> checkItem Expiration radiusExpiration
>>>>
>>>> Our LDAP attributes use the following POSIX attributes to determine
>>>> expiry:
>>>>
>>>> shadowMax: 90
>>>> shadowLastChange: 15215
>>>
>>> Other replies should have convinced you that there's no built-in support
>>> for this. You will need to either:
>>>
>>> 1. Arrange for a FreeRADIUS-ready "radiusExpiration" attribute to be
>>> set in LDAP alongside the POSIX/shadow schemas
>>> 2. Synthesize an Expiration attribute, or otherwise locally check the
>>> POSIX/shadow attributes.
>>>
>>> One way you might accomplish the 2nd is as follows:
>>>
>>> == Create some local RADIUS attributes for the shadow values ==
>>>
>>> /etc/raddb/dictionary:
>>>
>>> ATTRIBUTE Shadow-Max-Age 3000 integer
>>> ATTRIBUTE Shadow-Last-Change 3001 integer
>>> ATTRIBUTE Shadow-Expires 3002 integer
>>> ATTRIBUTE Shadow-Current 3003 integer
>>>
>>> /etc/raddb/ldap.attrmap:
>>>
>>> checkItem Shadow-Max-Age shadowMax
>>> checkItem Shadow-Last-Change shadowLastChange
>>>
>>> == Read these attributes from LDAP, then perform some maths ==
>>>
>>> /etc/raddb/sites-enabled/<server>:
>>>
>>> authorize {
>>>   ...
>>>   ldap
>>>   update control {
>>>     Shadow-Expires := "%{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}"
>>>     Shadow-Current := "%{expr:%l / 86400}"
>>>   }
>>>   if (control:Shadow-Current > control:Shadow-Expires) {
>>>     reject
>>>   }
>>>   ...
>>> }
>>>
>>> Hopefully it's clear what this does, but basically:
>>>
>>> 1. Pulls last-change & max-age from LDAP
>>> 2. Adds them together, to get expiry (in days since epoch)
>>> 3. Divides %l (epoch) by 86400 to get today, in days since epoch
>>> 4. Compares them
>>
>> It looks to me like it should do all of those things swimmingly... however,
>> I am running into an issue that looks like it might be because we run
>> redundant LDAP servers. I put your 'update control' here, in the authorize:
>>
>> redundant LDAP {
>>   ldap1
>>   ldap2
>>   update control { <ETC> }
>> }
>
> Ok, so do:
>
> redundant {
>   ldap1
>   ldap2
> }
> update control {
>   ..
> }
Ok, that got it starting and it looks tantalizingly close, but somehow
Shadow-Expires isn't getting parsed:

++- entering group LDAP {...}
[ldap1] performing user authorization for ldaptestuser
[ldap1] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap1] ... expanding second conditional
[ldap1] expand: %{User-Name} -> ldaptestuser
[ldap1] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldaptestuser)
[ldap1] expand: dc=domain,dc=com -> dc=domain,dc=com
[ldap1] ldap_get_conn: Checking Id: 0
[ldap1] ldap_get_conn: Got Id: 0
[ldap1] performing search in dc=domain,dc=com, with filter (uid=ldaptestuser)
[ldap1] looking for check items in directory...
[ldap1] shadowLastChange -> Shadow-Last-Change == 15215
[ldap1] shadowMax -> Shadow-Max-Age == 90
[ldap1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap1] user ldaptestuser authorized to use remote access
[ldap1] ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- group LDAP returns ok
expand: %{control:Shadow-Last-Change} + %{control:Shadow-Max-Age} -> 15215 + 90
expand: %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}} -> 15305
expand: %l / 86400 -> 1331041623 / 86400
expand: %{expr:%l / 86400} -> 15405
++[control] returns ok
++? if (control:Shadow-Current > control:Shadow-Expires)
Failed parsing "control:Shadow-Expires": Unknown value control:Shadow-Expires for attribute Shadow-Current

-----------

To make sure I got the mapping and dictionary definitions right, here's what
I have (pretty much just copied and pasted from you):

[root@host]# grep -i shadow /etc/raddb/dictionary
ATTRIBUTE Shadow-Max-Age 3000 integer
ATTRIBUTE Shadow-Last-Change 3001 integer
ATTRIBUTE Shadow-Expires 3002 integer
ATTRIBUTE Shadow-Current 3003 integer
[root@host]# grep -i shadow /etc/raddb/ldap.attrmap
checkItem Shadow-Max-Age shadowMax
checkItem Shadow-Last-Change shadowLastChange

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
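The maths in the quoted recipe (steps 1 to 4: last change + max age, %l / 86400, compare), carried through in Python as an added example that is not from the thread or from FreeRADIUS. It goes a little beyond the recipe by also handling the shadow(5) cases it leaves out (no or negative shadowMax, a forced change with shadowLastChange 0, and shadowExpire); the sample values are the ones shown in the debug output above, and the ShadowEntry type is this example's own.

```python
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_DAY = 86400

@dataclass(frozen=True)
class ShadowEntry:
    """shadowAccount attributes as read from LDAP; values are days since the
    Unix epoch or a day count, as defined in shadow(5). Example's own type."""
    last_change: Optional[int]          # shadowLastChange
    max_age: Optional[int]              # shadowMax
    expire: Optional[int] = None        # shadowExpire (absolute account expiry)

def days_since_epoch(now_epoch: int) -> int:
    """Step 3 of the quoted recipe: %l / 86400, integer division as %{expr:} does."""
    return now_epoch // SECONDS_PER_DAY

def password_expiry_day(entry: ShadowEntry) -> Optional[int]:
    """Steps 1-2: shadowLastChange + shadowMax. An absent or negative shadowMax
    means the password never expires (shadow(5)), so None is returned."""
    if entry.last_change is None or entry.max_age is None or entry.max_age < 0:
        return None
    return entry.last_change + entry.max_age

def check_expiry(entry: ShadowEntry, now_epoch: int) -> str:
    """Decide accept/reject for an Access-Request at time now_epoch (seconds).
    Returns 'accept', 'account-expired', 'password-change-required' or
    'password-expired'; anything but 'accept' maps to the recipe's 'reject'."""
    today = days_since_epoch(now_epoch)
    # shadowExpire disables the whole account on or after that day; 0/absent = never
    if entry.expire is not None and entry.expire > 0 and today >= entry.expire:
        return "account-expired"
    # shadowLastChange == 0 means a password change is required at next login
    if entry.last_change == 0:
        return "password-change-required"
    expires = password_expiry_day(entry)
    # Step 4: the recipe's strict '>' still accepts the request on the expiry day
    if expires is not None and today > expires:
        return "password-expired"
    return "accept"

# Constructed sample input: the values in the thread's debug output.
LDAPTESTUSER = ShadowEntry(last_change=15215, max_age=90)
REQUEST_TIME = 1331041623  # the %l value expanded in the debug output

if __name__ == "__main__":
    print(days_since_epoch(REQUEST_TIME))            # 15405
    print(password_expiry_day(LDAPTESTUSER))         # 15305
    print(check_expiry(LDAPTESTUSER, REQUEST_TIME))  # password-expired
```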