Question on ldap module's base_filter

Mathieu Simon mathieu.sim at gmail.com
Mon May 6 09:05:38 CEST 2013


G'day list

I've come across an issue with the ldap module parameter base_filter, and
I'm not yet sure whether I'm hitting a bug (I guess: less likely) or I'm
missing / misunderstanding its correct use.

I'm running a Debian Squeeze derivative (Univention Corporate Server), FR
2.1.10 and OpenLDAP.
On squeeze base_filter comes preconfigured as disabled (#base_filter =
"(objectclass=radiusprofile)").

Now my idea was to set base_filter = "(sambaAcctFlags=[U          ])" to
only let user objects (that are not disabled) get authorized. This field is
present on user object so it would be great to have it used somehow.

The curious thing was that with radtest I always get Access-Accept even when a
user has the disabled flag (sambaAcctFlags=[UD         ]).

This led me to check whether I can just set
base_filter="(notExisting=thisDoesntExist)"
And the result also was: Access-Accept, so I guess base_filter isn't read
as I'd have expected it at first sight :-\

When I launch freeradius in debug mode I can see a message base_filter =
"(sambaAcctFlags=[U          ])" passing on the screen so I guess the value
at least is getting read.

Can you give me a clever hint where/what to look for?

Best regards
Mathieu