inactive users can authenticate

Mathieu Simon mathieu.sim at gmail.com
Fri Jun 28 09:14:04 CEST 2013


G'day all, and thanks Phil for your hints

(Arran, I'd want to leave 3.0 as an option of last resort even though it's
considered RC by now) ;-)

> try moving mschap after LDAP in "authorise"
Tried this one, no change unfortunately.

> Second, I can't remember if mschap checks the acct control flags in
> "authorize" or "authenticate". If the latter you'll need to move away from
> using LDAP bind for auth
Hmm, I guess that would require me studying the code :-\

Anyway, I'm not entirely sure if I'm going to stay with this setup of this
Debian derivative, since it uses its own AD to local OpenLDAP replication and
it didn't entirely convince me
(too many replications and components talking to each other)

Best regards
Mathieu




2013/6/26 Phil Mayers <p.mayers at imperial.ac.uk>

> Couple of things:
>
> IIRC the account control flags are checked by the "mschap" module, which I
> see is running before the LDAP lookup - try moving mschap after LDAP in
> "authorise"
>
> Second, I can't remember if mschap checks the acct control flags in
> "authorize" or "authenticate". If the latter you'll need to move away from
> using LDAP bind for auth
> --
> Sent from my phone with, please excuse brevity and typos
>



-- 
Mathieu Simon
mathieu.sim at gmail.com


More information about the Freeradius-Users mailing list