Hi Alan, 2015-12-17 1:46 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Dec 16, 2015, at 6:34 PM, François Lacombe <fl.infosreseaux@gmail.com> wrote:
As you suggest it, how can I prevent freeradius to go in authenticate section when LDAP return no user record ?
For EAP, you can't. EAP requires that the server return an EAP failure at the appropriate stage.
The EAP protocol is designed to work a certain way. Forcing it to behave in a different way means that nothing good will happen.
Is this really an EAP matter ? Freeradius won't go in authenticate section when the access_attribute is set to false in the LDAP user account with access_positive = yes in ldap module conf. Because the account is locked out. (0) ldap: User object found at DN "uid=*my_login*,ou=users,..." (0) ldap: "dialupAccess" attribute exists but is set to 'false' - user locked out rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = userlock (0) } # authorize = userlock (0) Invalid user: [*my_login*/<no User-Password attribute>] (from client STRONGSWAN) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/sites-enabled/mercure_def.ldap (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> *my_login* (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap: Request was previously rejected, inserting EAP-Failure (0) eap: Sending EAP Failure (code 4) ID 0 length 4 (0) [eap] = updated (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds It would be great to reject the request the same way when no user is found in the ldap. François L.