Shooting from the hip here, Mike DiBella <mike@dibella.net> wrote:
I seem to be misunderstanding how authentication and authorization works under FreeRadius. ... I can see the in logs that the bind is successful and that the search does not return any object matching the filter criteria, as expected. However, an access-accept is still returned to the test client.
I am expecting that unix type will only be used for authentication, and that authorization depends on the ldap search being successful
Normally ldap is used to look up an attribute or group membership and based on it's value reject or accept. If a user is not found when you call one module then other modules are checked in a failover fashion. The log shows that the pap module gets the request and authorizes it. Shooting from the hip here so I may be wrong, but try changing "ldap" in authorize to: ldap { notfound = reject }
If I comment out unix from the authorize section of the default site, then access-reject is returned even when the password is valid and the search is successful.
The authorize section is special, it is not considered a failover group at the top level. Any module called at the top level only sets the Autz-Type to decide which subsection to run. It could use some gloss, but https://wiki.freeradius.org/config/Fail-over explains this.