LDAP and deactivated users

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Oct 4 22:30:45 CEST 2019



> On 3 Oct 2019, at 07:02, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Oct 3, 2019, at 6:20 AM, R3DNano <r3dnano at gmail.com> wrote:
>> 
>> There are some deactivated users in the LDAP directory whose access we
>> need to reject.
>> Instead, the ldap module returns a correct password, and the user is
>> validated - even though the user is deactivated.
>> That is, at least, the impression I get.
> 
> It's possible.  If your LDAP server is configured that way.


Well there is that handy "access_attribute" setting in the LDAP module...

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/ldap#L239

>> I've also noticed that, in cases there's an issue with the password: i.e.:
>> user needs to change their password due to it being insecure, the ldap
>> seems to return this message and freeradius seems to interpret this as the
>> password, even though the password is correct and the authentication fails:
>> Does what I'm saying make sense? (from my limited ldap knowledge) and, is
>> there a way to control this?

I'm pretty sure what you've just described isn't possible within the LDAP protocol, or at least not done by any LDAP server I'm aware of.  But if it's visible to the LDAP client, send over a PCAP and I'll add support so that it's at least logged...

-Arran


Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
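As an added illustration of the "access_attribute" setting Arran points to (example configuration, not from the thread or the FreeRADIUS distribution; the attribute name `dialupAccess` and the base DN are assumed values), this is what the relevant part of the rlm_ldap `user` section looks like when deactivated accounts should be rejected at the authorization stage rather than falling through to a bind with a valid password:

```text
ldap {
    server = "ldap.example.com"     # assumed host
    base_dn = "dc=example,dc=com"   # assumed base DN

    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        # Attribute checked on the user object after it is found.
        # Assumed attribute name; use whatever your directory schema
        # sets on active vs. deactivated accounts.
        access_attribute = "dialupAccess"

        # access_positive = yes: the user is rejected if the attribute
        # is absent or its value is "false"; any other value allows access.
        # access_positive = no: the mere presence of the attribute rejects
        # the user, so it can point at a "locked"/"disabled" style marker.
        access_positive = yes
    }
}
```

When the check fails, rlm_ldap returns "userlock" from the authorize section, so the request is rejected before the password is ever checked against the directory.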