inactive users can authenticate

Phil Mayers p.mayers at imperial.ac.uk
Fri Jun 28 15:53:37 CEST 2013


On 28/06/13 14:03, Arran Cudbard-Bell wrote:
>
> On 28 Jun 2013, at 11:50, Phil Mayers <p.mayers at IMPERIAL.AC.UK>
> wrote:
>
>> On 28/06/13 08:14, Mathieu Simon wrote:
>>
>>>> Second, I can't remember if mschap checks the acct control
>>>> flags in "authorize" or "authenticate". If the latter you'll
>>>> need to move away from using LDAP bind for auth
>>> Hmm, I guess that would require me studying the code :-\
>>
>> I've just taken a look - sure enough, rlm_mschap only
>> checks/enforces the SMB-Account-CTRL attribute during "authenticate
>> {}".
>>
>> Since your testing auth request was PAP, mschap will never be
>> called for this, so you're stuck basically.
>
> Seeing as it's a string value, can't he just pull it out of the
> directory using the attribute map and check it with a regex?

Sorry, yes. "stuck" is not correct. I meant "can't use the mschap module 
for this".

Numerous other solutions exist, and regexp is probably the easiest.


More information about the Freeradius-Users mailing list