inactive users can authenticate

Arran Cudbard-Bell a.cudbardb at
Wed Jun 26 18:04:11 CEST 2013

On 26 Jun 2013, at 16:49, Mathieu Simon <mathieu.sim at> wrote:

> G'day all
> I've been working with Mihailo on this matter although he's been more into it
> I try to provide the data you ask for:
> Prelude:
> A Samba-disabled user has the following sambaAcctFlags in the LDAP Directory during an ldapsearch i.e.:
> The user kw978 used for this is a disabled user and thus ldapsearch lists: sambaAcctFlags: [UD         ]
> A not-disabled user would  have: sambaAcctFlags: [U          ]
> The radtest command used was:
> radtest -x kw978 TestRadius1234$ localhost 10 testing123
> Now what follows is the output of 'freeradius -X' with the authentication test.
> Using '-t mschap' doesn't change anything so I guess testing with PAP is (yet?) ok.
> I hope that help shedding some light - as you can see base_filter is read while starting the daemon, 
> but no matter what is set in base_filter, even invalid stuff, it's simply going to get ignored.
> The server does LDAP group matching with if-else unlang statements - removing them
> didnt change the behaviour so I don't think they're the cause.

Weird. Well if no one on the list can spot an obvious issue it's probably worth upgrading to 3.0.0 and using the module there. It's much better.

else, have you tried the same query with something like ldapsearch?

Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list