eDir Disabled users can authenticate to Freeradius

  • 7006336
  • 23-Jun-2010
  • 26-Apr-2012


Novell eDirectory 8.8 for Linux
FreeRADIUS 2.1.1-7.6


Upgraded from SLES10 SP2 to SLES 11
Freeradius version 1.1.0-19.9 on SLES 10
Freeradius Version 2.1.1-7.6 on SLES 11

LDAP authenticate was previously configured for eDirectory 8.8.5 on SLES 10 and was working correctly. The only change is the upgrade to SLES 11 and the newer version of Freeradius.

The logintime attribute and lastlogintime attribute do not get updated. This can be viewed in iMonitor.


What is happening is eDirectory is only being used for password authentication. Freeradius is authorizing the user, not eDirectory.  The edir_account_policy_check is being bypassed.
To resolve this verify the configuration is correct.

Verify the /etc/raddb/modules/ldap is configured properly.
ldap {
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "server1.novell"
identity = "cn=RADadmin,o=novell"
password = mypass
basedn = "o=novell"
filter ="(uid=%{Stripped-User-Name:-%{User-Name}})"

The password attribute should be un-remmed and as follows:
password_attribute = nspmPassword

Be sure the eDirectory account policy check is not disabled. If the account of the user is disabled or closed in eDirectory, the RADIUS server can still read the universal password and authorize the user. Also, the intruder detection facility of eDirectory will be bypassed.  The default is set to no. Change it to yes
edir_account_policy_check = yes

Then edit the /etc/raddb/sites-available/default. Then un-rem the ldap module.  This is new from SLES 10 to SLES11 and is most likely the root of the issue if you edir_account_policy_check was set to yes.

# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.

Restart freeradius and test authenticate with a disabled user. The user should fail to authenticate and in the /var/log/radius/radius.log it should report the failure.

Try again with a valid user and verify the logintime attriute has been updated in iMonitor.