Filter OpenLDAP users account upon Freeradius 3.0.10 NAS-Port-Id

Alan DeKok aland at deployingradius.com
Sat Dec 19 15:30:04 CET 2015


On Dec 19, 2015, at 7:53 AM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
> 2015-12-17 1:46 GMT+01:00 Alan DeKok <aland at deployingradius.com>:
>> On Dec 16, 2015, at 6:34 PM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
>>> As you suggested, how can I prevent FreeRADIUS from going into the authenticate
>>> section when LDAP returns no user record?
>> 
>>  For EAP, you can't.  EAP requires that the server return an EAP failure at the appropriate stage.
>> 
>>  The EAP protocol is designed to work a certain way.  Forcing it to behave in a different way means that nothing good will happen.
> 
> Is this really an EAP matter?

  Yes.  See where I said "the EAP protocol is designed to work a certain way".

> FreeRADIUS won't go into the authenticate section when the access_attribute
> is set to false in the LDAP user account with access_positive = yes in the
> ldap module conf, because the account is locked out.

  Sure.  But bailing early on an EAP authentication *might* work.  i.e. it won't work by design.

> It would be great to reject the request the same way when no user is
> found in LDAP.

  See where I said "people other than you use FreeRADIUS".  Your needs are *not* everyone else's needs.

  If you want it to bail early when no user is found in LDAP, this is trivial.  And documented.  See "man unlang".

	# call rlm_ldap; the module sets the return code for the next check
	ldap
	# "notfound" is set when the user search matched no record
	if (notfound) {
		reject
	}

  This can cause problems for some EAP clients.  But it's your network.  If you want to violate the protocols and break things, it's up to you.

  Alan DeKok.
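The snippet above in context, as an added example that is not part of the original thread and not the FreeRADIUS project's own default configuration: a minimal "authorize" section for a FreeRADIUS 3.0 virtual server that rejects unknown LDAP users before any authentication method runs, and that keeps the directory-outage case ("fail") separate from the unknown-user case ("notfound"). It assumes the rlm_ldap instance is named "ldap" and that "eap" and "pap" module instances are configured.

```unlang
# Added example, not from the original post or the project's default sites.
# Assumes: an rlm_ldap instance named "ldap", and "eap" and "pap" instances.
authorize {
    # Look the user up in the directory. rlm_ldap sets the module return
    # code: "ok" or "updated" when a record was found, "notfound" when the
    # user search matched nothing, and "fail" when the directory could not
    # be reached. The rcode check must directly follow the module call;
    # any statement placed in between replaces the rcode being tested.
    ldap
    if (notfound) {
        # No record: stop here. For EAP this returns an Access-Reject before
        # the EAP conversation has started, which some supplicants handle
        # badly (the caveat in the reply above).
        reject
    }

    # A directory outage is "fail", not "notfound". It is deliberately not
    # mapped to the same branch, so an LDAP problem is not disguised as a
    # bad credential; the server's default handling of "fail" applies.

    # Normal flow for users that were found.
    eap {
        ok = return
    }
    pap
}
```

The only behavioural difference from the four-line snippet in the reply is the explicit separation of "fail" from "notfound"; rejecting on "fail" as well would hide directory outages behind authentication failures in the logs.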
