That is what I tried. So I set base_filter = "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" But what I am finding is whether the user is found and enabled, user is found but disabled, or user isn't found at the output (from radius debug) shows [ldap] user XXXXXX authorized to use remote access So then it continues onto the authorization part. How do I get it to reject if the user isn't found (or user is disabled)? On Thu, Mar 7, 2013 at 6:41 AM, Alan DeKok <aland@deployingradius.com>wrote:
Matthew Ceroni wrote:
I am using LDAP authorization. What I am looking to accomplish is to reject/deny (so not even attempt authentication) for disabled users.
I am authentication against AD (use LDAP for authorize and ntlm for authentication).
If I were to search for all none disabled users using ldapsearch, the filter query for this would be: !(userAccountControl:1.2.840.113556.1.4.803:=2)
You can add this to the LDAP query which finds users. That's why the query is editable in the config files.
That is the part that limits the results to only enabled users. Wondering how I would do this in FreeRadius? Even on a more general level how I would reject based off certain returned attributes.
That's what ldap.attrmap is for. Map the LDAP attributes to RADIUS attributes. Then, use unlang to write your policy.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html