Matthew Ceroni wrote:
I am using LDAP authorization. What I am looking to accomplish is to reject/deny (so not even attempt authentication) for disabled users.
I am authentication against AD (use LDAP for authorize and ntlm for authentication).
If I were to search for all none disabled users using ldapsearch, the filter query for this would be: !(userAccountControl:1.2.840.113556.1.4.803:=2)
You can add this to the LDAP query which finds users. That's why the query is editable in the config files.
That is the part that limits the results to only enabled users. Wondering how I would do this in FreeRadius? Even on a more general level how I would reject based off certain returned attributes.
That's what ldap.attrmap is for. Map the LDAP attributes to RADIUS attributes. Then, use unlang to write your policy. Alan DeKok.