Checking for disabled ad account

Caines, Max Max.Caines at wlv.ac.uk
Thu Oct 26 13:19:40 CEST 2017


You can use a bitwise filter in LDAP to test if an account is disabled. See https://support.microsoft.com/en-us/help/269181/how-to-query-active-directory-by-using-a-bitwise-filter

Regards

Max

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 25 October 2017 19:01
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Checking for disabled ad account 

On Oct 25, 2017, at 1:19 PM, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:
> I’ve configured EAP-TLS with ocsp validation in FR 3.0.16
> I’ve now been told that I need to also check that the username associated with the account hasn’t been disabled in our AD service.
> 
> Same FR server also does EAP-PEAP auth against AD
> 
> Any suggestions as to how I might do this ?

  Configure the LDAP module, and do an LDAP query.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list