LDAP and deactivated users

Alan DeKok aland at deployingradius.com
Thu Oct 3 13:02:00 CEST 2019


On Oct 3, 2019, at 6:20 AM, R3DNano <r3dnano at gmail.com> wrote:
> 
> There are some deactivated users in the LDAP directory whose access we need
> to reject.
> Instead, the ldap module returns a correct password, and the user is
> validated - even though the user is deactivated.
> That is, at least, the impression I get.

  It's possible.  If your LDAP server is configured that way.

> I've also noticed that, in cases where there's an issue with the password (e.g.
> the user needs to change their password because it is insecure), LDAP seems
> to return this message and FreeRADIUS seems to interpret it as the password,
> so even though the password is correct, the authentication fails.
> Does what I'm saying make sense (from my limited LDAP knowledge), and is
> there a way to control this?

  Fix the LDAP server.  If the LDAP server is returning nonsense to FreeRADIUS, then no amount of poking FreeRADIUS will fix the LDAP server.

  Alan DeKok.

More information about the Freeradius-Users mailing list