inactive users can authenticate

Mathieu Simon mathieu.sim at gmail.com
Fri Jun 28 18:31:37 CEST 2013


G'day all

I've taken out a configuration from an earlier prototype that I used with
Samba/Winbind authentication but didn't use the rlm_ldap for authorization
back then.  (Having some archives can be quite useful sometimes...) ;-)

Since ntlm_auth properly leads to Access-Rejects for disabled users I can
ignore how good or how bad rlm_ldap behaves for disabled users as long as it
properly checks for group memberships (that's what I'm interested in for
LDAP checks).

And even if Arran points out the brokenness of rlm_ldap code in FR 2.x,
group-checks based on rlm_ldap are working as expected - and that's what I'm
required to get working with this setup.

Regarding...
> Since your testing auth request was PAP, mschap will never be
> called for this, so you're stuck basically.
The result was the same when using radtest with "-t mschap" if that's what
you're pointing out.

I guess for the current time I'm going to stay with an ADS-joined Samba and
use LDAP only for the authorization part. Summing up, I feel I'm ending up
with fewer components, taming overall complexity a bit.

Thank you guys for your input!

-- Mathieu