rlm_logintime

Synopsis

The logintime module implements support for some date related attributes.

The Login-Time attribute defines the time span during which a user may log in to the system. The format of a so-called time string is similar to the format used by UUCP. A time string may be a simple time string, or it may be a list of simple time strings separated by "|" or ",".

Each simple time string must begin with a day definition, which can be either one day, multiple days, or a range of days separated by a hyphen. A day is defined as either Mo, Tu, We, Th, Fr, Sa, or Su. The range of days encompassing Mo-Fr is defined as Wk. "Any" or "Al" means all days.

The day definition is followed by a range of hours in hhmm-hhmm format.

For example, a valid Login-Time string is Wk2305-0855,Sa,Su2305-1655.

The Current-Time attribute always contains the time at which the request was received. The format is a normal date format.

The Time-of-Day attribute can be used to check the time of day when a request is received.

Processing Sections

authorize

When listed in the authorize section, the logintime module enforces the Login-Time attribute. When the Login-Time has a limited range of validity, the Session-Timeout attribute is updated to reflect this limited range.

If the Session-Timeout attribute already exists, then the logintime module may decrease the value, but will never increase the value, of this attribute.

Return codes

noop The module did not find a control:Login-Time attribute.

ok There are no restrictions on the user's login.

userlock The user is outside of the allowed Login-Time.

updated The user is within the allowed Login-Time, and the reply:Session-Timeout attribute has been updated to reflect their allowed session duration.

post-auth

Operates identically to the authorize section.

Available after version 3.0.4

Expansions

None.

Directives

minimum_timeout

Syntax

minimum-timeout = integer

Default

60

Description

The minimum timeout (in seconds) for a user session. If the calculated timeout is lower than this value, then the user is rejected.

Many NASes are unable to enforce a Session-Timeout that is smaller than 60 seconds.
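
The Python sketch below is an added example, not code from the module or its documentation. It models the Login-Time format and the authorize behaviour described above, so a policy string can be checked offline before it is deployed. Assumptions: a simple time string without hours covers the whole day, the end minute is inclusive, an end time earlier than the start wraps past midnight within the listed days, and the label "reject" stands in for the minimum_timeout rejection, whose return code this page does not name.

```python
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]    # index == datetime.weekday()
DAY = "(?:" + "|".join(DAYS) + ")"
ITEM = rf"Wk|Any|Al|{DAY}(?:-{DAY})?"                # one day, a day range, or an alias
HHMM = r"([01]\d|2[0-3])([0-5]\d)"
SIMPLE = re.compile(rf"((?:{ITEM})+)(?:{HHMM}-{HHMM})?")
WEEK = 7 * 1440                                      # minutes in a week

def allowed_minutes(timestr):
    """Expand a Login-Time string to the set of permitted minutes of the week."""
    allowed = set()
    for simple in re.split(r"[|,]", timestr):
        m = SIMPLE.fullmatch(simple.strip())
        if not m:
            raise ValueError(f"bad simple time string: {simple!r}")
        days = set()
        for item in re.findall(ITEM, m.group(1)):
            if item in ("Wk", "Any", "Al"):
                days |= set(range(5 if item == "Wk" else 7))
            else:                                    # "Sa-Mo" wraps around the week
                d, last = DAYS.index(item[:2]), DAYS.index(item[-2:])
                days |= {(d + i) % 7 for i in range((last - d) % 7 + 1)}
        start, end = 0, 1439                         # assumption: no hours = whole day
        if m.group(2):
            start = int(m.group(2)) * 60 + int(m.group(3))
            end = int(m.group(4)) * 60 + int(m.group(5))
        span = (end - start) % 1440 + 1              # end < start wraps past midnight
        allowed |= {d * 1440 + (start + i) % 1440 for d in days for i in range(span)}
    return allowed

def authorize(timestr, now, session_timeout=None, minimum_timeout=60):
    """Return (rcode, Session-Timeout) for a request received at `now`."""
    allowed = allowed_minutes(timestr)
    pos = now.weekday() * 1440 + now.hour * 60 + now.minute
    if pos not in allowed:
        return "userlock", session_timeout
    if len(allowed) == WEEK:
        return "ok", session_timeout                 # no restriction on the login
    run = 0
    while (pos + run) % WEEK in allowed:             # minutes until the window closes
        run += 1
    left = run * 60 - now.second
    if left < minimum_timeout:
        return "reject", session_timeout             # placeholder label, see lead-in
    # An existing Session-Timeout may be decreased but is never increased.
    return "updated", left if session_timeout is None else min(left, session_timeout)
```

With the page's example string, a request on a Monday at 12:00 yields userlock, while one at 08:00 yields updated with the seconds left until 08:55 ends.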