That is what I tried. So I set base_filter = "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
But what I am finding is that whether the user is found and enabled, the user is found but disabled, or the user isn't found, the output (from radius debug) shows

    [ldap] user XXXXXX authorized to use remote access

So then it continues onto the authorization part. How do I get it to reject if the user isn't found (or user is disabled)?

On Thu, Mar 7, 2013 at 6:41 AM, Alan DeKok <[email protected]> wrote:

> Matthew Ceroni wrote:
> > I am using LDAP authorization. What I am looking to accomplish is to
> > reject/deny (so not even attempt authentication) for disabled users.
> >
> > I am authenticating against AD (use LDAP for authorize and ntlm for
> > authentication).
> >
> > If I were to search for all non-disabled users using ldapsearch, the
> > filter query for this would
> > be: !(userAccountControl:1.2.840.113556.1.4.803:=2)
>
> You can add this to the LDAP query which finds users. That's why the
> query is editable in the config files.
>
> > That is the part that limits the results to only enabled users.
> > Wondering how I would do this in FreeRadius? Even on a more general
> > level how I would reject based off certain returned attributes.
>
> That's what ldap.attrmap is for. Map the LDAP attributes to RADIUS
> attributes. Then, use unlang to write your policy.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

