LDAP with fallback on local authentication?

Alan DeKok aland at deployingradius.com
Fri Apr 10 15:51:06 CEST 2009


Justin Steward wrote:
> I want to return some RADIUS reply attributes from an SQL database,
> check the user's password against an OpenLDAP server

 As I said... LDAP isn't an authentication protocol.

> (maybe a Windows
> Server running AD at some point in the future), and if possible fall
> back against a password stored in a MySQL database. (Though this
> password may not always be entirely up to date, so it's only for if the
> user either doesn't exist in the directory or the LDAP server is
> temporarily unavailable)

  Why not let FreeRADIUS do authentication, as I suggested?  Have the
LDAP module pull the password from LDAP.  Then, do MySQL.

authorize {
	...
	# Look the user up in LDAP first
	ldap
	# Fall back to SQL only if LDAP returned notfound or fail
	if (notfound || fail) {
		sql
	}
	...
}

 That does *exactly* what you suggested above.  But the last time I
suggested that solution, you said you *also* wanted to get reply
attributes from MySQL... apparently, even for the users that were found
in LDAP.

  So which is it?

  Alan DeKok.


