LDAP and deactivated users


LDAP and deactivated users

R3DNano
There are some deactivated users on the LDAP directory that we need to
reject access for.
Instead, the ldap module returns a correct password, and the user is
validated - even though the user is deactivated.
That is, at least, the impression I get.
I've also noticed that, in cases where there's an issue with the password, e.g.
the user needs to change their password due to it being insecure, the LDAP
server seems to return this message and FreeRADIUS seems to interpret this as the
password, so even though the password is correct the authentication fails.
Does what I'm saying make sense? (from my limited ldap knowledge) and, is
there a way to control this?

Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP and deactivated users

Alan DeKok-2
On Oct 3, 2019, at 6:20 AM, R3DNano <[hidden email]> wrote:
>
> There are some deactivated users on the LDAP directory that we need to
> reject access for.
> Instead, the ldap module returns a correct password, and the user is
> validated - even though the user is deactivated.
> That is, at least, the impression I get.

  It's possible.  If your LDAP server is configured that way.

> I've also noticed that, in cases where there's an issue with the password, e.g.
> the user needs to change their password due to it being insecure, the LDAP
> server seems to return this message and FreeRADIUS seems to interpret this as the
> password, so even though the password is correct the authentication fails.
> Does what I'm saying make sense? (from my limited ldap knowledge) and, is
> there a way to control this?

  Fix the LDAP server.  If the LDAP server is returning nonsense to FreeRADIUS, then no amount of poking FreeRADIUS will fix the LDAP server.

  Alan DeKok.



Re: LDAP and deactivated users

arr2036
> On 3 Oct 2019, at 07:02, Alan DeKok <[hidden email]> wrote:
>
> On Oct 3, 2019, at 6:20 AM, R3DNano <[hidden email]> wrote:
>>
>> There are some deactivated users on the LDAP directory that we need to
>> reject access for.
>> Instead, the ldap module returns a correct password, and the user is
>> validated - even though the user is deactivated.
>> That is, at least, the impression I get.
>
> It's possible.  If your LDAP server is configured that way.
Well there is that handy "access_attribute" setting in the LDAP module...

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/ldap#L239

>> I've also noticed that, in cases where there's an issue with the password, e.g.
>> the user needs to change their password due to it being insecure, the LDAP
>> server seems to return this message and FreeRADIUS seems to interpret this as the
>> password, so even though the password is correct the authentication fails.
>> Does what I'm saying make sense? (from my limited ldap knowledge) and, is
>> there a way to control this?

I'm pretty sure what you've just described isn't possible within the LDAP protocol, or at least not done by any LDAP server I'm aware of.  But if it's visible to the LDAP client, send over a PCAP and I'll add support so that it's at least logged...

-Arran


Arran Cudbard-Bell <[hidden email]>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2


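As an added illustration of the access_attribute setting Arran points to (not a snippet from this thread or from the FreeRADIUS project itself), here is how the check would be wired into the user subsection of mods-available/ldap. The attribute name dialupAccess is the default used in that file; the directory must actually carry such an attribute on user entries, and a deactivation workflow must set or clear it. The behaviour described in the comments is my reading of the module and should be checked against the linked file for the version in use.

```text
# raddb/mods-available/ldap  (FreeRADIUS 3.0.x), inside the ldap { ... } instance
user {
	base_dn = "${..base_dn}"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	#  Access control performed after the user object is found and
	#  before the bind/password check is considered a success.
	#
	#  access_positive = yes: the attribute must be present on the
	#  user object for access to be granted; an entry without it
	#  (e.g. a deactivated account) is rejected, and a value of
	#  "FALSE" is also treated as locked out.
	#
	#  access_positive = no: the attribute is a lock-out flag, so its
	#  mere presence rejects the user and absence allows access.
	#
	#  Default-deny ("yes") is the safer choice: a user that nobody
	#  explicitly enabled is rejected rather than let in.
	access_attribute = "dialupAccess"
	access_positive = yes
}
```

With this in place a correct password alone is no longer enough; the rlm_ldap module rejects the request when the attribute test fails, and running the server in debug mode (radiusd -X) shows which branch of the check fired for a given user, which is the quickest way to confirm that deactivated entries are really being turned away.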