LDAP authorization

Alan DeKok aland at deployingradius.com
Thu Mar 7 15:41:00 CET 2013

Matthew Ceroni wrote:
> I am using LDAP authorization. What I am looking to accomplish is to
> reject/deny (so not even attempt authentication) for disabled users.
> I am authentication against AD (use LDAP for authorize and ntlm for
> authentication).
> If I were to search for all none disabled users using ldapsearch, the
> filter query for this would
> be: !(userAccountControl:1.2.840.113556.1.4.803:=2)

  You can add this to the LDAP query which finds users.  That's why the
query is editable in the config files.

> That is the part that limits the results to only enabled users.
> Wondering how I would do this in FreeRadius? Even on a more general
> level how I would reject based off certain returned attributes.

  That's what ldap.attrmap is for.  Map the LDAP attributes to RADIUS
attributes.  Then, use unlang to write your policy.

  Alan DeKok.

More information about the Freeradius-Users mailing list