> On 03/06/2012 02:10 AM, u...@3.am wrote:
>>> On 28/02/12 21:16, u...@3.am wrote:
>>>> However, we just noticed that password expiry isn't working.  I suspect
>>>> this is because we are still using all the original POSIX attributes and
>>>> none of them look good for mapping to the ones supplied by FreeRADIUS.
>>>> I see:
>>>>
>>>>   checkItem   Expiration   radiusExpiration
>>>>
>>>> Our LDAP attributes use the following POSIX attributes to determine expiry:
>>>>
>>>>   shadowMax: 90
>>>>   shadowLastChange: 15215
>>> Other replies should have convinced you that there's no built-in support for
>>> this. You will need to either:
>>>    1. Arrange for a FreeRADIUS-ready "radiusExpiration" attribute to be
>>>       set in LDAP alongside the POSIX/shadow schemas
>>>    2. Synthesize an Expiration attribute, or otherwise locally check the
>>>       POSIX/shadow attributes.
>>> One way you might accomplish the 2nd is as follows:
>>> == Create some local RADIUS attributes for the shadow values ==
>>> /etc/raddb/dictionary:
>>> ATTRIBUTE   Shadow-Max-Age          3000    integer
>>> ATTRIBUTE   Shadow-Last-Change      3001    integer
>>> ATTRIBUTE   Shadow-Expires          3002    integer
>>> ATTRIBUTE   Shadow-Current          3003    integer
>>> /etc/raddb/ldap.attrmap:
>>> checkItem   Shadow-Max-Age          shadowMax
>>> checkItem   Shadow-Last-Change      shadowLastChange
>>> == Read these attributes from LDAP, then perform some maths ==
>>> /etc/raddb/sites-enabled/<server>:
>>> authorize {
>>>     ...
>>>     ldap
>>>     update control {
>>>       Shadow-Expires := "%{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}}"
>>>       Shadow-Current := "%{expr:%l / 86400}"
>>>     }
>>>     if (control:Shadow-Current > control:Shadow-Expires) {
>>>       reject
>>>     }
>>>     ...
>>> }
>>> Hopefully it's clear what this does, but basically:
>>>    1. Pulls last-change & max-age from LDAP
>>>    2. Adds them together, to get expiry (in days since epoch)
>>>    3. Divides %l (epoch) by 86400 to get today, in days since epoch
>>>    4. Compares them
>>> -
>> It looks to me like it should do all of those things swimmingly...however, I
>> am running into an issue that looks like it might be because we run redundant
>> LDAP servers.  I put your 'update control' here, in the authorize :
>>
>>      redundant LDAP{
>>                  ldap1
>>                  ldap2
>>                  update control {<ETC>
>>            }
>>          }
>
>
> Ok, so do:
>
>    redundant {
>      ldap1
>      ldap2
>    }
>    update control {
>     ..
>    }


Ok, that got it starting and it looks tantalizingly close, but somehow
Shadow-Expires isn't getting parsed:

++- entering group LDAP {...}
[ldap1] performing user authorization for ldaptestuser
[ldap1] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap1]         ... expanding second conditional
[ldap1]         expand: %{User-Name} -> ldaptestuser
[ldap1]         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldaptestuser)
[ldap1]         expand: dc=domain,dc=com -> dc=domain,dc=com
  [ldap1] ldap_get_conn: Checking Id: 0
  [ldap1] ldap_get_conn: Got Id: 0
  [ldap1] performing search in dc=domain,dc=com, with filter (uid=ldaptestuser)
[ldap1] looking for check items in directory...
  [ldap1] shadowLastChange -> Shadow-Last-Change == 15215
  [ldap1] shadowMax -> Shadow-Max-Age == 90
[ldap1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap1] user ldaptestuser authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- group LDAP returns ok
        expand: %{control:Shadow-Last-Change} + %{control:Shadow-Max-Age} -> 15215 + 90
        expand: %{expr:%{control:Shadow-Last-Change} + %{control:Shadow-Max-Age}} -> 15305
        expand: %l / 86400 -> 1331041623 / 86400
        expand: %{expr:%l / 86400} -> 15405
++[control] returns ok
++? if (control:Shadow-Current > control:Shadow-Expires)
Failed parsing "control:Shadow-Expires": Unknown value control:Shadow-Expires for attribute Shadow-Current

-----------

To make sure I got the mapping and dictionary definitions right, here's what I
have (pretty much just copied and pasted from you):

[root@host]# grep -i shadow /etc/raddb/dictionary
ATTRIBUTE        Shadow-Max-Age            3000        integer
ATTRIBUTE        Shadow-Last-Change        3001        integer
ATTRIBUTE        Shadow-Expires            3002        integer
ATTRIBUTE        Shadow-Current            3003        integer
[root@host]# grep -i shadow /etc/raddb/ldap.attrmap
checkItem       Shadow-Max-Age                  shadowMax
checkItem       Shadow-Last-Change              shadowLastChange


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
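Added reference implementation, not code from this thread or from FreeRADIUS: it carries out the same shadow-based arithmetic as the quoted unlang (Shadow-Expires = shadowLastChange + shadowMax, Shadow-Current = %l / 86400, reject when current > expires), so the numbers printed by radiusd -X above (15215 + 90 -> 15305, 1331041623 / 86400 -> 15405) can be checked by hand, and it also handles the shadow(5) special values that the expr-only version silently gets wrong. It assumes your directory follows the shadow(5) conventions (shadowMax absent or -1 means no maximum age, 99999 is the conventional "never expires", shadowLastChange 0 means the password must be changed now, an absent shadowLastChange means aging is disabled). The entries are stored in the dict-of-lists shape python-ldap returns, and all sample entries are constructed for the example.

```python
# Reference implementation of the shadow-based password-expiry check that the
# quoted unlang performs (added example, not from the thread or FreeRADIUS).
# Assumption: the directory follows the shadow(5) conventions noted below.
# All sample entries are constructed, not taken from a real directory.
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400

# shadow(5) special values for shadowMax (assumption: your LDAP uses them):
#   absent or -1 -> no maximum age enforced, 99999 -> conventional "never"
NEVER_EXPIRES = {-1, 99999}


def days_since_epoch(unix_ts: int) -> int:
    """Equivalent of the unlang '%{expr:%l / 86400}' (integer division)."""
    return unix_ts // SECONDS_PER_DAY


def shadow_int(entry: dict, attr: str):
    """LDAP returns attribute values as strings; first value as int, None if absent."""
    values = entry.get(attr)
    if not values:
        return None
    return int(values[0])


def password_expired(entry: dict, now_ts: int) -> bool:
    """True if the shadow aging data says this password is no longer valid.

    Mirrors 'if (control:Shadow-Current > control:Shadow-Expires)' in the
    quoted config: the password is still accepted on the expiry day itself
    and rejected from the day after.
    """
    last_change = shadow_int(entry, "shadowLastChange")
    max_age = shadow_int(entry, "shadowMax")

    if last_change is None:
        return False            # shadow(5): aging disabled for this account
    if last_change == 0:
        return True             # shadow(5): forced change, treat as expired
    if max_age is None or max_age in NEVER_EXPIRES:
        return False            # no maximum age enforced

    expires = last_change + max_age          # Shadow-Expires, days since epoch
    today = days_since_epoch(now_ts)         # Shadow-Current, days since epoch
    return today > expires


def authorize(entry: dict, now_ts: int) -> str:
    """'reject' or 'ok', the two outcomes of the unlang block."""
    return "reject" if password_expired(entry, now_ts) else "ok"


def check_all(entries: dict, now_ts: int) -> dict:
    """Run the check over a uid -> entry mapping."""
    return {uid: authorize(e, now_ts) for uid, e in entries.items()}


# Constructed sample entries, keyed by uid.  "ldaptestuser" carries the two
# values shown in the debug trace above.
SAMPLE_ENTRIES = {
    "ldaptestuser": {"shadowLastChange": ["15215"], "shadowMax": ["90"]},
    "fresh":        {"shadowLastChange": ["15400"], "shadowMax": ["90"]},
    "noexpiry":     {"shadowLastChange": ["15215"], "shadowMax": ["99999"]},
    "mustchange":   {"shadowLastChange": ["0"],     "shadowMax": ["90"]},
    "noaging":      {},
}

# The %l value from the debug trace above: 1331041623 -> day 15405.
TRACE_TS = 1331041623


if __name__ == "__main__":
    today = days_since_epoch(TRACE_TS)
    stamp = datetime.fromtimestamp(TRACE_TS, timezone.utc)
    print(f"today = day {today} ({stamp:%Y-%m-%d} UTC)")
    for uid, verdict in check_all(SAMPLE_ENTRIES, TRACE_TS).items():
        print(f"{uid:14s} {verdict}")
```

Run against the trace timestamp, ldaptestuser's expiry day 15305 is a hundred days before day 15405, so the intended result is "reject"; the extra entries show the cases (99999, 0, missing attributes) where the plain expr arithmetic in the quoted block would either reject a user who should never expire or accept one who must change their password.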
