[ejabberd] LDAP Authentication - deny access

Konstantin Khomoutov flatworm at users.sourceforge.net
Thu Jun 27 16:24:21 MSK 2013


On Thu, 27 Jun 2013 12:40:40 +0200
Petter Olsson <polsson at bgc-jena.mpg.de> wrote:

> Hi guys,
> 
> Running:
> Ubuntu 12.04.02 LTS
> ejabberd 2.1.10-2ubuntu1.1
> 
> Relevant LDAP Info:
> %% LDAP attribute that holds user ID:
> {ldap_uids, [{"uid", "%u"}]}.
> %%
> %% LDAP filter:
> {ldap_filter, "(objectClass=shadowAccount)"}.
> 
> Problem:
> Accounts that are disabled in LDAP can still login.
> 
> Question:
> Can I use some sort of filter to have it not allow disabled/expired
> accounts from LDAP or do I have to switch to PAM for this to happen?

What's your LDAP implementation?
The problem is that there's no such thing as a "disabled account"
in LDAP -- the state of being disabled/enabled is determined by a policy
implemented by the concrete LDAP schema.  For instance, Microsoft Active
Directory uses a certain funky attribute for such a state, and the
ldap_filter parameter should be something like

"(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

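The reason the Active Directory filter above uses the extensible-match rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) rather than a plain `(userAccountControl=2)` is that userAccountControl is a bitmask: an ordinary disabled user carries 512 (NORMAL_ACCOUNT) | 2 (ACCOUNTDISABLE) = 514, so an equality test against "2" never sees it. The script below is an added example, not code from ejabberd or from the list posters; it models an LDAP server's evaluation of both filters against a constructed directory (the entry DNs and attribute values are made up, the flag bits are the documented Microsoft values) and shows which "disabled" entries a naive filter would still let through. It only implements the filter subset needed here (&, !, equality and the bit-AND rule) and treats absent attributes as a simple non-match rather than RFC 4511 three-valued logic.

```python
"""
Offline model of LDAP filter evaluation for the userAccountControl case.
Added example; not ejabberd code.  Directory contents are constructed.
"""

# Documented userAccountControl flag bits
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# LDAP_MATCHING_RULE_BIT_AND: matches when (attr & value) == value
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample directory: dn -> single-valued attributes
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=org": {
        "objectCategory": "person",
        "userAccountControl": str(NORMAL_ACCOUNT),                   # 512, enabled
    },
    "cn=bob,ou=people,dc=example,dc=org": {
        "objectCategory": "person",
        "userAccountControl": str(NORMAL_ACCOUNT | ACCOUNTDISABLE),  # 514, disabled
    },
    "cn=svc,ou=people,dc=example,dc=org": {
        "objectCategory": "person",
        "userAccountControl": str(ACCOUNTDISABLE),                   # 2, disabled
    },
    "cn=printer1,ou=devices,dc=example,dc=org": {
        "objectCategory": "computer",
        "userAccountControl": str(NORMAL_ACCOUNT),                   # not a person
    },
}

# The filter from the reply above, and a naive equality version of it
AD_FILTER = "(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
NAIVE_FILTER = "(&(objectCategory=person)(!(userAccountControl=2)))"


def _parse(s, i):
    """Parse one filter component starting at s[i] == '('; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError("filter component must start with '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|!":                      # compound filter: op followed by sub-filters
        i += 1
        kids = []
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)                # simple item: attr=value or attr:OID:=value
    attr, value = s[i:end].split("=", 1)
    rule = None
    if attr.endswith(":"):               # extensible match syntax "attr:OID:="
        attr, rule, _ = attr.split(":")
    return ("=", attr, rule, value), end + 1


def _match(node, entry):
    """Evaluate a parsed filter node against one entry's attributes."""
    kind = node[0]
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "|":
        return any(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    _, attr, rule, value = node
    actual = entry.get(attr)
    if actual is None:                   # simplification: absent attribute == no match
        return False
    if rule == BIT_AND_RULE:             # bitwise test, the only rule modelled here
        return int(actual) & int(value) == int(value)
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    return actual == value               # plain equality on the string value


def search(filter_str, directory=DIRECTORY):
    """Return the sorted DNs that the filter would return from the directory."""
    node, _ = _parse(filter_str, 0)
    return sorted(dn for dn, attrs in directory.items() if _match(node, attrs))


def disabled_matches(filter_str, directory=DIRECTORY):
    """DNs the filter still returns although their ACCOUNTDISABLE bit is set."""
    return [dn for dn in search(filter_str, directory)
            if int(directory[dn]["userAccountControl"]) & ACCOUNTDISABLE]


if __name__ == "__main__":
    for label, flt in (("bit-AND filter", AD_FILTER), ("naive filter", NAIVE_FILTER)):
        print("%-15s returns %s" % (label, search(flt)))
        print("%-15s leaks disabled: %s" % (label, disabled_matches(flt)))
```

Running it shows the bit-AND filter returning only alice, while the naive filter also returns bob (514 is not the string "2"), i.e. a disabled user who would still be allowed to log in. For a directory that is not Active Directory, the same check has to be rebuilt around whatever attribute that schema uses to represent account state.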
