> BUT, we noted an interesting behaviour. If the client specifies Windows to
> use another username to login, although freeradius complains that the user
> doesn't exist on ldap, it seems it still accepts this user, as long as the
> certificate is fine. So, in this case, if the user isn't allowed to login
> because of simultaneous use, he still can change the username which he
> uses, specifying another one (whichever, even if it doesn't exist) and
> voilà! He can now log in.
>
> I'm sure I'm missing something, but I'm not sure what.
>
> Any clue?

Read doc/rlm_ldap, bit about access attribute.

Ivan Kalik

