<div dir="ltr">That is what I tried. So I set<div><br></div><div><div>base_filter = "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"</div></div><div><br></div><div style>But what I am finding is whether the user is found and enabled, user is found but disabled, or user isn't found at the output (from radius debug) shows</div>
<div style><br></div><div style>[ldap] user XXXXXX authorized to use remote access<br></div><div style><br></div><div style>So then it continues onto the authorization part. How do I get it to reject if the user isn't found (or user is disabled)?</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Mar 7, 2013 at 6:41 AM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">Matthew Ceroni wrote:<br>
> I am using LDAP authorization. What I am looking to accomplish is to<br>
> reject/deny (so not even attempt authentication) for disabled users.<br>
><br>
> I am authentication against AD (use LDAP for authorize and ntlm for<br>
> authentication).<br>
><br>
> If I were to search for all none disabled users using ldapsearch, the<br>
> filter query for this would<br>
> be: !(userAccountControl:1.2.840.113556.1.4.803:=2)<br>
<br>
</div> You can add this to the LDAP query which finds users. That's why the<br>
query is editable in the config files.<br>
<div class="im"><br>
> That is the part that limits the results to only enabled users.<br>
> Wondering how I would do this in FreeRadius? Even on a more general<br>
> level how I would reject based off certain returned attributes.<br>
<br>
</div> That's what ldap.attrmap is for. Map the LDAP attributes to RADIUS<br>
attributes. Then, use unlang to write your policy.<br>
<span class="HOEnZb"><font color="#888888"><br>
Alan DeKok.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</font></span></blockquote></div><br></div>