
The requirement is to find user password expiration time.

Now, in LDAP, you enforce expiration through a password policy. The password policy attribute pwdMaxAge specifies after how many seconds from the time the password was changed the password expires.

ldap password policy

The moment you change/create a user password, the operational attribute pwdChangedTime gets added with the timestamp. Sadly, LDAP does not add any operational attribute for the expiration time; it's something we need to calculate, by checking pwdChangedTime + pwdMaxAge < current_time.

In your mods-enabled/ldap file you can fetch the pwdChangedTime attribute. Cool! But how do I fetch the pwdMaxAge attribute? This file only has a structure for users, groups, profiles and clients, but not for the password policy. raddb mods-available details here.

(I can do this programmatically, by writing a script that fetches these attributes using the CLI and then does my manipulation, but is it possible to do this through the config? Because, if you look at it, this expiration time is something related to a user attribute, and there should be a way to return it along with the bare minimum user data, like name and organization, that we return.)

Thanks!

inquisitive
  • Which LDAP server are you using? For which reason do you want to fetch the password policy? – Michael Ströder Oct 22 '18 at 07:38
  • @MichaelStröder I'm using openldap. I want to fetch pwdMaxAge attribute of password policy, to know the time when password will expire. – inquisitive Oct 22 '18 at 09:24
  • But what's the exact use-case? Inform the user with password warning during login or send password expiry warning with a CRON job? Yes, it makes a difference. – Michael Ströder Oct 22 '18 at 09:48
  • Redirect them to reset password page if password has expired, after they login during the grace authentication attempts. – inquisitive Oct 22 '18 at 10:13
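The pwdChangedTime + pwdMaxAge calculation from the question, worked through in Python as an added example (it is not code from the original post, from OpenLDAP or from FreeRADIUS). It assumes the attribute values have already been read from the user entry and from the policy entry the user's pwdPolicySubentry points to (falling back to the overlay's default policy); the entries and DNs below are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample data: one user entry and two ppolicy entries, shaped the
# way the values come back from OpenLDAP (every attribute value is a string).
USER_ENTRY = {
    "uid": "jdoe",
    "pwdChangedTime": "20181022073800Z",  # operational attribute set by ppolicy
    "pwdPolicySubentry": "cn=staff,ou=policies,dc=example,dc=com",
}
POLICIES = {
    "cn=default,ou=policies,dc=example,dc=com": {"pwdMaxAge": "0"},      # 0 = never expires
    "cn=staff,ou=policies,dc=example,dc=com": {"pwdMaxAge": "7776000"},  # 90 days
}
DEFAULT_POLICY_DN = "cn=default,ou=policies,dc=example,dc=com"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as '20181022073800Z' (optionally
    with fractional seconds) into a timezone-aware UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC GeneralizedTime, got {value!r}")
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def select_policy(user: dict, policies: dict, default_dn: str) -> dict:
    """A pwdPolicySubentry on the user overrides the overlay's default policy."""
    return policies[user.get("pwdPolicySubentry", default_dn)]


def password_expires_at(user: dict, policy: dict) -> Optional[datetime]:
    """pwdChangedTime + pwdMaxAge, or None when the password never expires
    (pwdMaxAge missing or 0) or has no recorded change time."""
    max_age = int(policy.get("pwdMaxAge", "0"))
    changed = user.get("pwdChangedTime")
    if max_age <= 0 or changed is None:
        return None
    return parse_generalized_time(changed) + timedelta(seconds=max_age)


def password_expired(user: dict, policy: dict, now: Optional[datetime] = None) -> bool:
    """True once the computed expiry instant lies in the past."""
    expires = password_expires_at(user, policy)
    if expires is None:
        return False
    return expires <= (now or datetime.now(timezone.utc))


if __name__ == "__main__":
    policy = select_policy(USER_ENTRY, POLICIES, DEFAULT_POLICY_DN)
    print("expires at:", password_expires_at(USER_ENTRY, policy))
    print("expired now:", password_expired(USER_ENTRY, policy))
```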

1 Answer


There is no such operational attribute pwdMaxAge in the user's entry.

The password expiry warning during checking the password is returned by the server in a response control if the client sends the bind request with the appropriate request control (see draft-behera-ldap-password-policy, section 6.1 and 6.2).

This means that the LDAP client (FreeRADIUS in your case) has to support this. Furthermore, all intermediate components (RADIUS server, Wifi access point, etc.) have to properly handle the response and return some useful information up the chain to the user. In practice this does not really work.

Therefore I'd recommend sending password expiry warnings via e-mail. There are ready-to-use scripts out there like checkLdapPwdExpiration.sh provided by the LDAP Tool Box project.

Michael Ströder
  • thanks. This helps! Do you also have any idea on https://stackoverflow.com/questions/51982547/ldap3-python-modify-replace-an-object-with-filter – inquisitive Jan 24 '19 at 09:11