Filter OpenLDAP users account upon Freeradius 3.0.10 NAS-Port-Id

François Lacombe fl.infosreseaux at gmail.com
Sat Dec 19 13:53:28 CET 2015


Hi Alan,

2015-12-17 1:46 GMT+01:00 Alan DeKok <aland at deployingradius.com>:
> On Dec 16, 2015, at 6:34 PM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
>> As you suggested, how can I prevent FreeRADIUS from going into the authenticate
>> section when LDAP returns no user record?
>
>   For EAP, you can't.  EAP requires that the server return an EAP failure at the appropriate stage.
>
>   The EAP protocol is designed to work a certain way.  Forcing it to behave in a different way means that nothing good will happen.

Is this really an EAP matter?

FreeRADIUS won't go into the authenticate section when the access_attribute
is set to false in the LDAP user account, with access_positive = yes in the
ldap module configuration, because the account is locked out.

(0) ldap: User object found at DN "uid=*my_login*,ou=users,..."
(0) ldap: "dialupAccess" attribute exists but is set to 'false' - user locked out
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = userlock
(0)   } # authorize = userlock
(0) Invalid user: [*my_login*/<no User-Password attribute>] (from client STRONGSWAN)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/mercure_def.ldap
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> *my_login*
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0) eap: Request was previously rejected, inserting EAP-Failure
(0) eap: Sending EAP Failure (code 4) ID 0 length 4
(0)     [eap] = updated
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds

It would be great to reject the request the same way when no user is
found in the ldap.


François L.
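For reference, the unlang check that turns rlm_ldap's "notfound" return code into a reject in the authorize section. This is an added example, not part of the thread above or of the FreeRADIUS distribution, and the surrounding module calls and the Reply-Message text are assumptions. It assumes the ldap module is called before the eap module (the stock sites-available/default runs "eap { ok = return }" before ldap, so there ldap is never reached for an EAP request), and it only sees the identity the request actually carries: for tunnelled methods such as PEAP or EAP-TTLS the real user name is only available in the inner-tunnel virtual server, so the check belongs there, and Alan's caveat about EAP still applies.

```unlang
# Added example (not from the thread or the FreeRADIUS distribution).
# authorize section of the virtual server that receives the request.
authorize {
	preprocess
	suffix

	# Look the user up. rlm_ldap returns "notfound" when no object matches,
	# as opposed to "userlock" for an object whose access_attribute is false;
	# the trace above shows the "userlock" case already ending in a reject.
	ldap

	# "notfound" does not stop the section on its own, so turn it into a
	# reject. "reject" ends authorize, and the Post-Auth-Type REJECT section
	# (which contains the eap module) appends the EAP-Failure for EAP clients.
	if (notfound) {
		update reply {
			# Assumed text. Only reaches non-EAP clients: the
			# remove_reply_message_if_eap policy in the trace strips
			# Reply-Message whenever an EAP-Message is also present.
			Reply-Message := "User not found in LDAP"
		}
		reject
	}

	# Runs only for requests that got past the check above; sets
	# Auth-Type = eap for EAP requests and is a noop for the rest.
	eap
}
```

Test with "radiusd -X" and a user name that has no LDAP object: the ldap call should log "[ldap] = notfound", followed by "authorize = reject" and the same Post-Auth-Type REJECT path as in the userlock trace above.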



More information about the Freeradius-Users mailing list