Request about implementation of alternate authentication mechanism in freeradius

Matthew Newton mcn4 at leicester.ac.uk
Tue Apr 29 16:25:04 CEST 2014


On Tue, Apr 29, 2014 at 04:08:09PM +0200, Michal Vymazal wrote:
> Not exactly.
> We want to enable ldap to use more than one password for one service.
> 
> Means - hash no. 1 does not match - ldap will try hash no. 2, etc.

So you configure one ldap instance (say, "ldap1") to do the first
hash check, and a second ldap instance ("ldap2") to check the second
hash, then do

  redundant {
    ldap1
    ldap2
  }

so if the first check fails, the second one is tried?

As on http://wiki.freeradius.org/config/Fail%20over

Unless I'm missing something, I don't understand yet why this
needs additional code. Although ldap is a lookup database not
really an auth mechanism, so you might do two lookups, then call
pap in a redundant section, for example. But the theory is the
same.

Matthew




> On 29.4.2014 16:02, Matthew Newton wrote:
> > On Tue, Apr 29, 2014 at 02:44:12PM +0200, Michal Vymazal wrote:
> >> We are going to append binary code to some ldap modules - the goal is to
> >> enable ldap to use "alternate passwords" for some ldap entries. Means,
> >> every app using ldap bind will be able to use "alternate passwords" to verify
> >> the user access. Useful for the environment of mobile devices etc.
> > 
> > This is difficult to understand, but sounds like you want to just
> > use two instances of ldap, checking different LDAP password
> > attributes, with failover? In which case, no code changes
> > required.
> > 
> > Matthew
> > 
> > 
> 
> 
> -- 
> Michal Vymazal
> work: CESNET, z.s.p.o.
> AAI Department
> Zikova 4, 160 00 Praha 6
> Czech Republic
> http://www.cesnet.cz/
> 





-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
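
Added example, not part of the original message or of FreeRADIUS: a Python sketch of the check the thread describes, where a submitted password is compared against a primary and an alternate LDAP-style hashed value. The function names, sample passwords and salts are constructed for illustration.

```python
import base64
import hashlib
import hmac


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an LDAP-style {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_one(password: bytes, stored: str) -> bool:
    """Verify against one {SSHA} or {SHA} value; anything else fails closed."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False  # malformed base64 is treated as a non-match
    if scheme == "SSHA" and len(raw) > 20:
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, rest is salt
    elif scheme == "SHA" and len(raw) == 20:
        digest, salt = raw, b""
    else:
        return False
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def check_any(password: bytes, stored_values: list) -> int:
    """Return the index of the first matching stored value, or -1 if none match.

    Every value is checked even after a match, so the amount of work does not
    depend on which slot (primary or alternate) accepted the password.
    """
    matched = -1
    for i, stored in enumerate(stored_values):
        if check_one(password, stored) and matched < 0:
            matched = i
    return matched


# Constructed sample: one user entry holding a primary and an alternate hash.
ENTRY = [
    make_ssha(b"primary-pass", b"\x01\x02\x03\x04"),
    make_ssha(b"mobile-pass", b"\x05\x06\x07\x08"),
]

if __name__ == "__main__":
    for candidate in (b"primary-pass", b"mobile-pass", b"wrong"):
        print(candidate, "->", check_any(candidate, ENTRY))
```

The returned index says which credential was accepted, which is the value to record in the accounting or audit log when alternate passwords are in use.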

