Filter OpenLDAP users account upon Freeradius 3.0.10 NAS-Port-Id
Alan DeKok
aland at deployingradius.com
Sat Dec 19 15:30:04 CET 2015
On Dec 19, 2015, at 7:53 AM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
> 2015-12-17 1:46 GMT+01:00 Alan DeKok <aland at deployingradius.com>:
>> On Dec 16, 2015, at 6:34 PM, François Lacombe <fl.infosreseaux at gmail.com> wrote:
>>> As you suggest it, how can I prevent freeradius to go in authenticate
>>> section when LDAP return no user record ?
>>
>> For EAP, you can't. EAP requires that the server return an EAP failure at the appropriate stage.
>>
>> The EAP protocol is designed to work a certain way. Forcing it to behave in a different way means that nothing good will happen.
>
> Is this really an EAP matter ?
Yes. See where I said "the EAP protocol is designed to work a certain way".
> Freeradius won't go in authenticate section when the access_attribute
> is set to false in the LDAP user account with access_positive = yes in
> ldap module conf.
> Because the account is locked out.
Sure. But bailing early on an EAP authentication *might* work. i.e. it won't work by design.
> It would be great to reject the request the same way when no user is
> found in the ldap.
See where I said "people other than you use FreeRADIUS". Your needs are *not* everyone else's needs.
If you want it to bail early when no user is found in LDAP, this is trivial. And documented. See "man unlang".
ldap
if (notfound) {
reject
}
This can cause problems for some EAP clients. But it's your network. If you want to violate the protocols and break things, it's up to you.
Alan DeKok.
More information about the Freeradius-Users
mailing list