Topic: LDAP Access Server Authenticating Expired Accounts (Read 2613 times)
leacho73 (Newbie, Posts: 33, Karma: 0)
LDAP Access Server Authenticating Expired Accounts « on: August 06, 2020, 03:34:48 pm »
Hi,
I'm just doing some testing with an LDAP Access server, and I noticed that I am still able to successfully authenticate even though my account password has expired. I would expect the authentication to fail at this point, even if it is unable to prompt you to change your password. I am reading user attributes, and when I test the connection, I can see that the password expiry has expired.
Is there any way to get OPNsense to refuse authentication should an LDAP password have expired?
Thanks
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: LDAP Access Server Authenticating Expired Accounts « Reply #1 on: August 06, 2020, 05:08:10 pm »
Using 20.1.9.
Auth fails for users with an expired password or an expired account.
What's your config for LDAP?
leacho73 (Newbie, Posts: 33, Karma: 0)
Re: LDAP Access Server Authenticating Expired Accounts « Reply #2 on: August 06, 2020, 05:19:58 pm »
Hi,
I am polling a FreeIPA LDAP server, using LDAP over 636 with a bind user, then polling a specific OU for the UID of the user. I'm also using an extended query that limits the result based on group membership, i.e., you have to be part of this group to pass authentication.
Do I need an extended query for the password expiration?
Thanks
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: LDAP Access Server Authenticating Expired Accounts « Reply #3 on: August 06, 2020, 05:41:32 pm »
Sorry, I'm using Active Directory as LDAP server.
In AD a simple filter (or "extended query") cannot be used to filter out expired passwords or accounts.
It's not in simple attributes; some additional calculations with dates are needed.
Maybe FreeIPA uses special attributes to mark password/account expiry and you can use a filter for it.
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: LDAP Access Server Authenticating Expired Accounts « Reply #4 on: August 06, 2020, 06:34:47 pm »
https://serverfault.com/questions/716556/freeipa-ldap-refuse-auth-for-users-with-expired-password
https://pagure.io/freeipa/issue/1539
Issue is still open.
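The gap Fright's Reply #3 and #4 point at is that a plain LDAP bind on FreeIPA can succeed even when the directory already records the password or account as expired, so the expiry has to be checked separately after the user lookup. The following is an added example, not code from OPNsense, FreeIPA or anyone in this thread. It assumes FreeIPA exposes password expiry as the `krbPasswordExpiration` attribute and account expiry as `krbPrincipalExpiration`, both as UTC GeneralizedTime strings (verify these against your own schema); the sample entries, the group DN and the clock are constructed. It also goes a step beyond the thread by showing the filter-side variant with RFC 4515 escaping of the user-supplied uid, which assumes the server supports ordering matches on that attribute.

```python
"""Added example, not code from OPNsense or FreeIPA: treat a successful LDAP
bind as necessary but not sufficient, and refuse users whose FreeIPA entry
says the password or the account has expired.

Assumptions (verify against your own directory schema): FreeIPA exposes
password expiry as ``krbPasswordExpiration`` and account expiry as
``krbPrincipalExpiration``, both LDAP GeneralizedTime values in UTC such as
``20200801120000Z``. The sample entries and the clock below are constructed.
"""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

# Constructed sample of what a FreeIPA user search might return (attribute
# values are lists, because LDAP attributes are multi-valued).
SAMPLE_ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "alice": {"uid": ["alice"], "krbPasswordExpiration": ["20201101000000Z"]},
    "bob": {"uid": ["bob"], "krbPasswordExpiration": ["20200701000000Z"]},
    "carol": {
        "uid": ["carol"],
        "krbPasswordExpiration": ["20201101000000Z"],
        "krbPrincipalExpiration": ["20200101000000Z"],
    },
}
# Constructed clock: the timestamp of the original post.
NOW = datetime(2020, 8, 6, 15, 34, 48, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC GeneralizedTime string ('Z' suffix) into an aware datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expiry_state(entry: Dict[str, List[str]], now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user entry at time ``now``.

    Account expiry is checked before password expiry. A missing attribute
    means "no expiry set" and is allowed; an unparsable value fails closed.
    """
    checks = (("krbPrincipalExpiration", "account"), ("krbPasswordExpiration", "password"))
    for attr, label in checks:
        values = entry.get(attr) or []
        if not values:
            continue
        try:
            expires = parse_generalized_time(values[0])
        except ValueError:
            return False, f"{label} expiry value unparsable: {values[0]!r}"
        if expires <= now:
            return False, f"{label} expired at {expires.isoformat()}"
    return True, "no expiry reached"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a user-supplied uid cannot change the filter's shape."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def build_filter(uid: str, group_dn: str, now: datetime) -> str:
    """Filter-side variant of the same check, for comparison with an
    "extended query": requires membership in ``group_dn`` and a password
    expiry in the future (or none set). Assumes the attribute supports
    ordering matches; the timestamp has to be computed per query, which a
    static configuration string cannot do.
    """
    stamp = now.strftime(GENERALIZED_TIME)
    return (
        f"(&(uid={escape_filter_value(uid)})(memberOf={escape_filter_value(group_dn)})"
        f"(|(!(krbPasswordExpiration=*))(krbPasswordExpiration>={stamp})))"
    )


if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        allowed, reason = expiry_state(entry, NOW)
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
    print(build_filter("alice", "cn=vpn-users,cn=groups,cn=accounts,dc=example,dc=com", NOW))
```

The post-lookup check in `expiry_state` is the part a gateway such as OPNsense would need to run itself, because the bind alone does not carry it. The filter in `build_filter` illustrates why the static "extended query" field does not solve this on its own: the comparison value is the current time, so the filter has to be regenerated for every authentication, and it only works at all if the directory defines an ordering matching rule for the attribute.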
leacho73 (Newbie, Posts: 33, Karma: 0)
Re: LDAP Access Server Authenticating Expired Accounts « Reply #5 on: August 06, 2020, 07:18:02 pm »
Thanks for the update! Looks like there isn't much I can do then! Appreciate the links, though.