That is what I tried. So I set

base_filter = "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

But what I am finding is whether the user is found and enabled, user is found but disabled, or user isn't found at the output (from radius debug) shows

[ldap] user XXXXXX authorized to use remote access

So then it continues onto the authorization part. How do I get it to reject if the user isn't found (or user is disabled)?


On Thu, Mar 7, 2013 at 6:41 AM, Alan DeKok <aland@deployingradius.com> wrote:
Matthew Ceroni wrote:
> I am using LDAP authorization. What I am looking to accomplish is to
> reject/deny (so not even attempt authentication) for disabled users.
>
> I am authentication against AD (use LDAP for authorize and ntlm for
> authentication).
>
> If I were to search for all none disabled users using ldapsearch, the
> filter query for this would
> be: !(userAccountControl:1.2.840.113556.1.4.803:=2)

  You can add this to the LDAP query which finds users.  That's why the
query is editable in the config files.

> That is the part that limits the results to only enabled users.
> Wondering how I would do this in FreeRadius? Even on a more general
> level how I would reject based off certain returned attributes.

  That's what ldap.attrmap is for.  Map the LDAP attributes to RADIUS
attributes.  Then, use unlang to write your policy.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html