[afnog] Cisco, Radius & LDAP Problem

Brian Candler B.Candler at pobox.com
Tue Apr 25 11:06:46 EAT 2006


On Tue, Apr 25, 2006 at 09:23:07AM +0200, Thato Molise wrote:
> > By setting them I meant entering the Expiry date values for my users in 
> > LDAP database by webmin interface

... which you say in turn sets an attribute called 'radiusExpiration'. But:

(1) What format is this value? Does webmin set it as a Unix time (number of
seconds since Jan 1st 1970), or an LDAP time (YYYYMMDDHHMMSSZ), or some
other format?

(2) does freeradius have a configuration option to choose an LDAP attribute
for expiry date? Have you set it?

In other words - I'm afraid you'll need to read your server documentation.
If you say "the expiry date set by webmin is ignored by my RADIUS server"
then I'll say "OK, I believe you, it is". If you want to make it so this
attribute is honoured, you'll need to learn a bit more about freeradius
configuration.

> > at the 
> > beginning of my /etc/raddb/users conf file I have added the following
> >
> > DEFAULT Group == "disabled", Auth-Type := Reject
> >                Reply-Message = "Your account has been disabled."
> >
> > DEFAULT Auth-Type = System
> >        Fall-Through = Yes
> >
> > DEFAULT Auth-Type := LDAP
> >        Fall-Through = Yes

I see nothing there which makes it look for a radiusExpiration attribute.
You would be lucky if this were the default behaviour. I expect there's
probably a whole bunch of customisation you can do for the LDAP module, such
as telling it which LDAP attributes to map to which RADIUS attributes, so
you'll need to look for an LDAP configuration file and some documentation
about how freeradius interfaces to LDAP.

> > I could see that in the radius dictionary the Expiry date attribute for 
> > LDAP "Expiration" is mapped to radiusExpiration attribute but I don't 
> > really know how to compare the System date Expiry value with radius Expiry 
> > date.

Well, maybe freeradius has an option for that somewhere in its LDAP module.
Maybe it doesn't. Start by reading the docs.

(For comparison, I know that what you want is possible with OpenRADIUS;
however that wouldn't happen by default either. In OpenRADIUS, the
processing of each RADIUS packet is handled by a 'behaviour' file which is
really a mini programming language specific to RADIUS handling. You can add
a test which compares the LDAP attribute of interest to the current system
time)

Regards,

Brian.
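The two things the reply asks the poster to pin down, which format the radiusExpiration value is stored in (Unix seconds or LDAP generalized time) and a test that compares it to the current system time, are illustrated below. This is an added example, not code from the thread, from FreeRADIUS or from OpenRADIUS; it is a stand-alone Python model of the check a RADIUS server's policy would have to perform. The entry dictionaries, the "Your account has expired." reply text, the group name "disabled" (taken from the poster's users file) and EXAMPLE_NOW (the date of the post) are all constructed for the example. One deliberate choice: a value in an unrecognised format is treated as expired rather than ignored, so a misconfigured attribute fails closed instead of silently granting access.

```python
"""Model of an account-expiry check against an LDAP attribute such as
radiusExpiration.  Added example; not FreeRADIUS or OpenRADIUS code."""
import re
from datetime import datetime, timezone

# LDAP generalized time as the reply describes it: YYYYMMDDHHMMSSZ (UTC).
_GENERALIZED_TIME = re.compile(r"^\d{14}Z$")
# Unix time: seconds since 1970-01-01 UTC, as a plain decimal integer.
_UNIX_SECONDS = re.compile(r"^\d{1,10}$")

# Constructed "current time" for the example: the date of the post, in UTC.
EXAMPLE_NOW = datetime(2006, 4, 25, 8, 6, 46, tzinfo=timezone.utc)


class BadExpiryFormat(ValueError):
    """Raised when the attribute value is in neither supported format."""


def parse_expiry(value: str) -> datetime:
    """Parse an expiry value into a timezone-aware UTC datetime.

    Accepts LDAP generalized time (e.g. "20061231235959Z") or Unix seconds
    (e.g. "1150000000").  A 14-digit number without the trailing Z is NOT
    accepted: it is ambiguous, so it is rejected rather than guessed.
    """
    value = value.strip()
    if _GENERALIZED_TIME.match(value):
        return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if _UNIX_SECONDS.match(value):
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    raise BadExpiryFormat(value)


def account_expired(value, now=None) -> bool:
    """True when the account should be rejected on expiry grounds.

    No attribute at all means no expiry was set, so the account is live.
    An unparseable attribute fails closed: the account is treated as expired,
    because an ignored expiry date would be a silent security failure.
    """
    if value is None:
        return False
    now = now or datetime.now(timezone.utc)
    try:
        return parse_expiry(value) <= now
    except BadExpiryFormat:
        return True


def authorize(entry: dict, now=None):
    """Apply the policy from the poster's users file, plus the expiry test.

    `entry` is a constructed stand-in for the user's LDAP record with keys
    "groups" (list of group names) and "radiusExpiration" (string or absent).
    Returns (decision, reply_message); the expiry reply text is made up here.
    """
    if "disabled" in entry.get("groups", ()):
        return "Reject", "Your account has been disabled."
    if account_expired(entry.get("radiusExpiration"), now):
        return "Reject", "Your account has expired."
    return "Accept", None


if __name__ == "__main__":
    # Constructed sample records covering each case.
    samples = {
        "ldap-time, future": {"groups": ["staff"], "radiusExpiration": "20061231235959Z"},
        "ldap-time, past": {"groups": ["staff"], "radiusExpiration": "20060101000000Z"},
        "unix-time, past": {"groups": ["staff"], "radiusExpiration": "1140000000"},
        "no expiry set": {"groups": ["staff"]},
        "garbage value": {"groups": ["staff"], "radiusExpiration": "next tuesday"},
        "disabled group": {"groups": ["disabled"], "radiusExpiration": "20991231235959Z"},
    }
    for label, entry in samples.items():
        print(f"{label:20s} -> {authorize(entry, EXAMPLE_NOW)}")
```

Whatever server is in use, the same two questions have to be answered before this check can work: the code must know the attribute's format (the two branches of parse_expiry), and the server's policy must actually invoke the comparison (authorize); neither happens just because the attribute exists in the directory.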