Checking for disabled ad account

Caines, Max Max.Caines at
Thu Oct 26 13:19:40 CEST 2017

You can use a bitwise filter in LDAP to test if an account is disabled. See



-----Original Message-----
From: Freeradius-Users [ at] On Behalf Of Alan DeKok
Sent: 25 October 2017 19:01
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: Checking for disabled ad account 

On Oct 25, 2017, at 1:19 PM, Alex Sharaz <alex.sharaz at> wrote:
> I’ve configured EAP-TLS with OCSP validation in FR 3.0.16
> I’ve now been told that I need to also check that the username associated with the account hasn’t been disabled in our AD service.
> Same FR server also does EAP-PEAP auth against AD
> Any suggestions as to how I might do this?

  Configure the LDAP module, and do an LDAP query.

  Alan DeKok.
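
Added example, not part of the original thread: a sketch of the bitwise LDAP filter mentioned above, using Active Directory's `userAccountControl` attribute, its ACCOUNTDISABLE flag (0x2) and the LDAP_MATCHING_RULE_BIT_AND OID. The function names and the sample entries are constructed for illustration; the user name is escaped per RFC 4515 because it comes from the RADIUS request or certificate.

```python
# Added example: the OID and flag are AD's documented values; everything else is illustrative.
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x0002              # userAccountControl flag for a disabled account

# RFC 4515 special characters and their escaped forms
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value so a supplied name cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def enabled_user_filter(username: str) -> str:
    """Filter that matches the named account only if ACCOUNTDISABLE is not set."""
    name = escape_filter_value(username)
    return (f"(&(objectClass=user)(sAMAccountName={name})"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))")

def bit_and_match(attr_value: int, assertion: int) -> bool:
    """What the bitwise AND rule computes: true when every asserted bit is set."""
    return attr_value & assertion == assertion

def is_disabled(user_account_control: int) -> bool:
    return bit_and_match(user_account_control, ACCOUNTDISABLE)

def enabled_accounts(entries):
    """Client-side equivalent of the filter, for entries already fetched."""
    return [e["sAMAccountName"] for e in entries
            if not is_disabled(int(e["userAccountControl"]))]

# Constructed sample entries (attribute values arrive as strings from LDAP)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},    # NORMAL_ACCOUNT
    {"sAMAccountName": "bob", "userAccountControl": "514"},      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"sAMAccountName": "carol", "userAccountControl": "66048"},  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "dave", "userAccountControl": "66050"},   # as carol, plus ACCOUNTDISABLE
]

if __name__ == "__main__":
    print(enabled_user_filter("alice"))
    print(enabled_user_filter("x)(sAMAccountName=*"))  # escaped, stays one value
    print(enabled_accounts(SAMPLE_ENTRIES))
```

A search with this filter returning no entry means the account is missing or disabled, so the request should be rejected in either case.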