Matthew Ceroni wrote:
> I am using LDAP authorization. What I am looking to accomplish is to
> reject/deny (so not even attempt authentication) for disabled users.
>
> I am authenticating against AD (use LDAP for authorize and ntlm for
> authentication).
>
> If I were to search for all non-disabled users using ldapsearch, the
> filter query for this would
> be: !(userAccountControl:1.2.840.113556.1.4.803:=2)

You can add this to the LDAP query which finds users. That's why the query is editable in the config files.

> That is the part that limits the results to only enabled users.
> Wondering how I would do this in FreeRadius? Even on a more general
> level how I would reject based off certain returned attributes.

That's what ldap.attrmap is for. Map the LDAP attributes to RADIUS attributes. Then, use unlang to write your policy.

Alan DeKok.
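
The filter clause from the thread, modeled in Python as an added example (not part of the original messages and not FreeRADIUS configuration): it shows how the `1.2.840.113556.1.4.803` bitwise-AND rule decides which `userAccountControl` values count as disabled, and how the clause combines with a user lookup. The `sAMAccountName` lookup attribute, the function names and the sample entries are assumptions constructed for illustration.

```python
# Added example: models the AD bitwise-AND matching rule used in the filter above.
BIT_AND_OID = "1.2.840.113556.1.4.803"  # matching rule OID quoted in the post
ACCOUNTDISABLE = 0x2                     # the ":=2" in the filter

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied name so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def enabled_user_filter(username: str, name_attr: str = "sAMAccountName") -> str:
    """User lookup combined with the 'not disabled' clause (name_attr is assumed)."""
    not_disabled = f"(!(userAccountControl:{BIT_AND_OID}:={ACCOUNTDISABLE}))"
    return f"(&({name_attr}={escape_filter_value(username)}){not_disabled})"


def bit_and_match(attr_value: int, mask: int) -> bool:
    """The rule matches only when every bit of mask is set in the attribute."""
    return (attr_value & mask) == mask


def is_enabled(entry: dict) -> bool:
    """True when the ACCOUNTDISABLE bit is clear in userAccountControl."""
    return not bit_and_match(int(entry["userAccountControl"]), ACCOUNTDISABLE)


# Constructed sample entries (not from the thread).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},    # normal account
    {"sAMAccountName": "bob", "userAccountControl": "514"},      # 512 + 2: disabled
    {"sAMAccountName": "carol", "userAccountControl": "66048"},  # 512 + 65536
    {"sAMAccountName": "dave", "userAccountControl": "66050"},   # 66048 + 2: disabled
]


def enabled_users(entries):
    """Names of the entries the 'not disabled' clause would let through."""
    return [e["sAMAccountName"] for e in entries if is_enabled(e)]


if __name__ == "__main__":
    print(enabled_user_filter("alice"))
    print(enabled_users(SAMPLE_ENTRIES))
```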

