inactive users can authenticate

Arran Cudbard-Bell a.cudbardb at
Fri Jun 28 15:03:54 CEST 2013

On 28 Jun 2013, at 11:50, Phil Mayers <p.mayers at IMPERIAL.AC.UK> wrote:

> On 28/06/13 08:14, Mathieu Simon wrote:
>>> Second, I can't remember if mschap checks the acct control flags in "authorize"
>>> or "authenticate". If the latter you'll need to move away from using LDAP bind for auth
>> Hmm, I guess that would require me studying the code :-\
> I've just taken a look - sure enough, rlm_mschap only checks/enforces the SMB-Account-CTRL attribute during "authenticate {}".
> Since your testing auth request was PAP, mschap will never be called for this, so you're stuck basically.

Seeing as it's a string value, can't he just pull it out of the directory using the attribute map and check it with a regex?

Or is it more complicated than that?


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team
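
The check suggested in this message, sketched in Python as an added example; it is not code from the thread or from FreeRADIUS. It assumes the directory stores Samba-style account flags as a bracketed string such as `[UD         ]`. The function names, the deny policy (disabled or auto-locked) and the sample values are constructed for illustration.

```python
import re

# Samba-style account flag letters (assumption: the directory exposes the
# flags in this bracketed text form, e.g. "[UD         ]").
FLAG_NAMES = {
    "N": "password not required",
    "D": "account disabled",
    "H": "home directory required",
    "T": "temporary duplicate account",
    "U": "normal user account",
    "M": "MNS logon account",
    "W": "workstation trust account",
    "S": "server trust account",
    "L": "account auto-locked",
    "X": "password does not expire",
    "I": "domain trust account",
}
BLOCKING = {"D", "L"}  # assumed policy: deny disabled or locked accounts

# Anchored pattern: only known letters and padding inside one pair of brackets.
_FORMAT = re.compile(r"^\[([NDHTUMWSLXI ]+)\]$")


def decode_flags(text):
    """Return the set of flag letters, or None if the value is absent or malformed."""
    if text is None:
        return None
    match = _FORMAT.match(text.strip())
    if not match:
        return None
    return {ch for ch in match.group(1) if ch != " "}


def may_authenticate(text):
    """Return (allowed, reason). A missing or malformed value fails closed."""
    flags = decode_flags(text)
    if flags is None:
        return False, "missing or malformed flags, failing closed"
    hit = sorted(flags & BLOCKING)
    if hit:
        return False, ", ".join(FLAG_NAMES[f] for f in hit)
    return True, "no blocking flag set"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for sample in ["[U          ]", "[UD         ]", "[UL         ]", "garbage", None]:
        print(repr(sample), "->", may_authenticate(sample))
```

Because the check runs on the retrieved attribute and not inside `rlm_mschap`, it applies to PAP requests as well.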
