inactive users can authenticate
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Jun 28 15:03:54 CEST 2013
On 28 Jun 2013, at 11:50, Phil Mayers <p.mayers at IMPERIAL.AC.UK> wrote:
> On 28/06/13 08:14, Mathieu Simon wrote:
>
>>> Second, I can't remember if mschap checks the acct control flags in "authorize"
>>> or "authenticate". If the latter you'll need to move away from using LDAP bind for auth
>> Hmm, I guess that would require me studying the code :-\
>
> I've just taken a look - sure enough, rlm_mschap only checks/enforces the SMB-Account-CTRL attribute during "authenticate {}".
>
> Since your testing auth request was PAP, mschap will never be called for this, so you're stuck basically.
Seeing as it's a string value, can't he just pull it out of the directory using the attribute map and check it with a regex?
Or is it more complicated than that?
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
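
The check suggested in the message above, sketched as an added example (not code from the thread or from FreeRADIUS). It assumes the directory returns the flags in the Samba-style bracketed text form such as "[UD         ]", where D marks a disabled account and U a normal user account; the function name, the fail-closed policy and the sample values are constructed for illustration.

```python
import re

# Samba-style account-control text form, e.g. "[UD         ]".
# Assumption: the directory stores the flags this way; other schemas differ.
FLAG_RE = re.compile(r"^\[([NDHTUMWSLXI ]*)\]$")

# Flags treated as blocking here (a policy choice made for this example).
BLOCKING = {"D": "account disabled", "L": "account auto-locked"}


def check_acct_flags(value):
    """Return (allow, reason) for a flags string pulled from the directory.

    Runs independently of the auth method, so a PAP request is covered too.
    Fails closed: a missing or malformed value is rejected, not ignored.
    """
    if value is None:
        return False, "flags attribute missing"
    m = FLAG_RE.match(value.strip())
    if not m:
        return False, "malformed flags value"
    flags = set(m.group(1)) - {" "}
    for letter, reason in BLOCKING.items():
        if letter in flags:
            return False, reason
    if "U" not in flags:
        return False, "not a normal user account"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    samples = ["[U          ]", "[UD         ]", "[W          ]", "UD", None]
    for s in samples:
        print(repr(s), "->", check_acct_flags(s))
```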