inactive users can authenticate

Arran Cudbard-Bell a.cudbardb at
Fri Jun 28 12:26:00 CEST 2013

On 28 Jun 2013, at 10:45, Michael Rigoni <michael.rigoni+freeradius-users at> wrote:

> I had a quick look at the output you sent, and I see this:
>  base_filter = "(sambaAcctFlags=[U          ]"
> Seems like your are missing a closing bracket... but that should have triggered an error, so I looked at rlm_ldap source, and it seems base filter is only used for the "profile user" whatever that is... (seems to be an entry in the directory that store extra checks to be made, but I never used that)
> I would suggest you trying to set the filter to: "(&(uid=%{mschap:User-Name:-%{User-Name}})(sambaAcctFlags=[U          ]))"  (or something like that, my LDAP is rusty), and leave the base_filter commented.

Yep that'd be correct.

Why is called base_filter? Because platypus kittens.

The rlm_ldap module was completely rewritten for version 3. The old code was so bad, it had gotten to the point where it was impossible to maintain. Out of the 50 odd modules which ship with the server, rlm_ldap was one of only two that got this treatment (the other one was rlm_krb5).


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list