Help on TLS+Active Directory

tnt at kalik.net tnt at kalik.net
Wed Dec 2 22:51:18 CET 2009


> BUT, we noted an interesting behaviour. If the client specifies Windows to use
> another username to log in, although freeradius complains that the user
> doesn't exist on ldap, it seems it still accepts this user, as long as the
> certificate is fine. So, in this case, if the user isn't allowed to log in
> because of simultaneous use, he still can change the username which he uses,
> specifying another one (whichever, even if it doesn't exist) and voilà! He can
> now log in.
>
> I'm sure I'm missing something, but I'm not sure what.
>
> Any clue?

Read doc/rlm_ldap, bit about access attribute.

Ivan Kalik



