inactive users can authenticate

[Phil Mayers]

On 28/06/13 08:14, Mathieu Simon wrote:

>>Second, I can't remember if mschap checks the acct control flags in "authorize"
>> or "authenticate". If the latter you'll need to move away from using LDAP bind for auth
> Hmm, I guess that would require me studying the code :-\

I've just taken a look - sure enough, rlm_mschap only checks/enforces 
the SMB-Account-CTRL attribute during "authenticate {}".

Since your testing auth request was PAP, mschap will never be called for 
this, so you're stuck basically.