failover and groups in authenticate

Alan DeKok aland at deployingradius.com
Thu Sep 8 16:59:28 CEST 2016


On Sep 8, 2016, at 10:40 AM, Louis Munro <lmunro at inverse.ca> wrote:
> Is there a way to have groups of modules with failover in "authenticate"?

authenticate {
	...
	Auth-Type foo {
		redundant {
			pap1
			pap2
			pap3
		}
	}

	...
}

  That works.

> The documentation does seem to be pretty explicit agains it: 
> "authenticate{...}" itself is not a GROUP, even though it contains a list of Auth-Type GROUPs, because its semantics are totally different - it uses Auth-Type to decide which of its members to call, and their order is irrelevant.

  The Auth-Type subsection is a group.

> The reason I am asking is that I am trying to achieve something like a local cache of NT hashes (in redis) with failover to active directory.
> The idea is that getting the local hash from redis is much faster, but it may be outdated. 

  Sure.

> So if the authentication fails, I'd like to try again using ntlm_auth (or the winbind libraries if possible).
> If both authentication attempts fail, then the user is rejected.
> 
> This is something of a harebrained experiment around the performance limitations of Active-Directory.
> Feel free to tell me it's a bad idea.
> It probably is...

  If it works...

  And yes, Active Directory is one of the slowest LDAP servers around.  NTLM is even worse.  It's just terrible.

  Alan DeKok.




More information about the Freeradius-Users mailing list