LDAP authorization
Matthew Ceroni
matthewceroni at gmail.com
Thu Mar 7 18:34:57 CET 2013
That is what I tried. So I set

base_filter = "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

But what I am finding is that whether the user is found and enabled, found but disabled, or not found, the output (from radius debug) shows

[ldap] user XXXXXX authorized to use remote access

So then it continues on to the authorization part. How do I get it to reject if the user isn't found (or the user is disabled)?
On Thu, Mar 7, 2013 at 6:41 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Matthew Ceroni wrote:
> > I am using LDAP authorization. What I am looking to accomplish is to
> > reject/deny (so not even attempt authentication) for disabled users.
> >
> > I am authenticating against AD (use LDAP for authorize and ntlm for
> > authentication).
> >
> > If I were to search for all non-disabled users using ldapsearch, the
> > filter query for this would be:
> > !(userAccountControl:1.2.840.113556.1.4.803:=2)
>
> You can add this to the LDAP query which finds users. That's why the
> query is editable in the config files.
>
> > That is the part that limits the results to only enabled users.
> > Wondering how I would do this in FreeRadius? Even on a more general
> > level how I would reject based off certain returned attributes.
>
> That's what ldap.attrmap is for. Map the LDAP attributes to RADIUS
> attributes. Then, use unlang to write your policy.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
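As an added illustration (not code from this thread, nor from FreeRADIUS or AD), the following Python models what the filter quoted above actually tests, i.e. the bitwise-AND matching rule 1.2.840.113556.1.4.803 against the ACCOUNTDISABLE bit (value 2) of userAccountControl, and applies the policy the poster is after: reject unless the account is found and enabled. The directory entries are constructed sample data; the userAccountControl values 512, 514 and 4096 are the standard AD flag combinations for a normal account, a disabled normal account and a workstation trust account.

```python
# Added example, not part of the mailing-list thread: evaluate the AD
# filter "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
# against constructed entries and derive an allow/reject decision from it.

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match used in the filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by "...:=2"

# Constructed sample directory (sAMAccountName -> attributes); not real accounts.
SAMPLE_DIRECTORY = {
    "alice": {"objectClass": ["top", "person", "user"], "userAccountControl": 512},
    "bob":   {"objectClass": ["top", "person", "user"], "userAccountControl": 514},
    "ws01":  {"objectClass": ["top", "computer"], "userAccountControl": 4096},
}


def bit_and_match(value: int, mask: int) -> bool:
    """Semantics of <attr>:1.2.840.113556.1.4.803:=<mask>: every mask bit is set."""
    return (value & mask) == mask


def matches_base_filter(entry: dict) -> bool:
    """True when the entry would be returned by the thread's base_filter."""
    is_user = any(v.lower() == "user" for v in entry.get("objectClass", []))
    uac = entry.get("userAccountControl")
    # The "!" in the filter negates the bit-AND match, so disabled accounts drop out.
    disabled = uac is not None and bit_and_match(uac, ACCOUNTDISABLE)
    return is_user and not disabled


def authorize(username: str, directory: dict = SAMPLE_DIRECTORY) -> str:
    """Policy the thread asks for: reject unless the user is found AND enabled."""
    entry = directory.get(username)
    if entry is None:
        return "reject: user not found"
    if not matches_base_filter(entry):
        return "reject: user disabled or not a user object"
    return "ok"


if __name__ == "__main__":
    for name in ("alice", "bob", "ws01", "carol"):
        print(f"{name}: {authorize(name)}")
```

Note that the filter alone only controls which entries the search returns; the reject decision for a user who is filtered out (or absent) still has to be made by the policy that consumes the search result.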