inactive users can authenticate

Michael Rigoni michael.rigoni+freeradius-users at gmail.com
Fri Jun 28 11:45:39 CEST 2013


I had a quick look at the output you sent, and I see this:

>  base_filter = "*(*sambaAcctFlags=[U          ]"
>
Seems like you are missing a closing bracket... but that should have
triggered an error, so I looked at the rlm_ldap source, and it seems the base
filter is only used for the "profile user", whatever that is... (seems to be
an entry in the directory that stores extra checks to be made, but I never
used that)

I would suggest you try setting the filter to:
"(&(uid=%{mschap:User-Name:-%{User-Name}})(sambaAcctFlags=[U          ]))"
(or something like that, my LDAP is rusty), and leave the base_filter
commented.


I hope this helps,

Michael


On Fri, Jun 28, 2013 at 9:14 AM, Mathieu Simon <mathieu.sim at gmail.com> wrote:

> G'day all, and thanks Phil for your hints
>
> (Arran I'd want to leave 3.0 as an option of last resort even though it's
> considered RC by now) ;-)
>
> > try moving mschap after LDAP in "authorise"
> Tried this one, no change unfortunately.
>
> >Second, I can't remember if mschap checks the acct control flags in
> "authorize"
> > or "authenticate". If the latter you'll need to move away from using
> LDAP bind for auth
> Hmm, I guess that would require me studying the code :-\
>
> Anyway, I'm not entirely sure if I'm going to stay with this setup of this
> Debian derivative, since it uses its own AD to local OpenLDAP replication
> and it didn't entirely convince me
> (too many replications and components talking to each other)
>
> Best regards
> Mathieu
>
>
>
>
> 2013/6/26 Phil Mayers <p.mayers at imperial.ac.uk>
>
>> Couple of things:
>>
>> IIRC the account control flags are checked by the "mschap" module, which
>> I see is running before the LDAP lookup - try moving mschap after LDAP in
>> "authorise"
>>
>> Second, I can't remember if mschap checks the acct control flags in
>> "authorize" or "authenticate". If the latter you'll need to move away from
>> using LDAP bind for auth
>> --
>> Sent from my phone with, please excuse brevity and typos
>>
>
>
>
> --
> Mathieu Simon
> mathieu.sim at gmail.com
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
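As an added example (not code from the thread, and not FreeRADIUS or rlm_ldap code), here is a small structural parser for RFC 4515 LDAP filters run against the two filters quoted above: it rejects the base_filter for the missing closing bracket and accepts the suggested one. The function names parse_filter and filter_error are chosen here; the filter strings are the ones posted in the thread.

```python
# Added example, not from the thread or from FreeRADIUS: a minimal structural
# check for RFC 4515 LDAP filters that catches the unbalanced base_filter
# quoted above. Attributes, values and %{...} xlats are treated as opaque text.
# The two filters quoted in the thread, spacing inside [U ...] as posted.
BROKEN_BASE_FILTER = "*(*sambaAcctFlags=[U          ]"
SUGGESTED_FILTER = "(&(uid=%{mschap:User-Name:-%{User-Name}})(sambaAcctFlags=[U          ]))"

def parse_filter(text):
    """Parse `text` into nested tuples; raise ValueError on bad structure."""
    pos = 0
    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if not children:
                raise ValueError("operator %r has no operands" % op)
            result = (op, children)
        else:
            # A literal ')' in a value must be escaped as \29, so ')' ends the item.
            end = text.find(")", pos)
            if end == -1:
                raise ValueError("unterminated item, missing ')'")
            attr, sep, value = text[pos:end].partition("=")
            if not sep or not attr:
                raise ValueError("item %r is not attr=value" % text[pos:end])
            result = ("item", attr, value)
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("missing ')' at offset %d" % pos)
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing text at offset %d: %r" % (pos, text[pos:]))
    return tree

def filter_error(text):
    try:
        parse_filter(text)
    except ValueError as err:
        return str(err)  # None is returned when the filter parses cleanly
```

Running filter_error on the two constants reports "expected '(' at offset 0" for the base_filter and None for the suggested filter, which is the check rlm_ldap evidently did not perform on base_filter in this setup.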