<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:Arial;}
@page Section1
{size:595.3pt 841.9pt;
margin:70.85pt 107.65pt 2.0cm 107.65pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=IT link=blue vlink=purple>
<div class=Section1>
<p class=MsoPlainText><font size=2 face=Arial><span lang=EN-GB
style='font-size:10.0pt'>Thank you Dusty,<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span lang=EN-GB
style='font-size:10.0pt'>Could you please provide the complete URL for your "<b><span
style='font-weight:bold'>doc/ldap_howto.txt</span></b>"? I had a look at <a
href="http://www.freeradius.org/doc/">http://www.freeradius.org/doc/</a>, but
didn't find it.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span lang=EN-GB
style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span lang=EN-GB
style='font-size:10.0pt'>My interest in LDAP is not related to performance but
to the scalability (distributed directories, referrals, etc...) that it
provides compared to SQL.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span lang=EN-GB
style='font-size:10.0pt'>The system is already working with LDAP as the backend
database, but only as free access. These days we are developing the prepaid
solution for Wi-Fi access (scratch cards), but completely with MySQL, because
it is simpler to use (tables radacct, radcheck, etc... are already built) and
develop. When we arrive at a stable solution, it is my intention to move the
authentication process to OpenLDAP. <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span lang=EN-GB
style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span lang=EN-GB
style='font-size:10.0pt'>Best regards<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span lang=EN-GB
style='font-size:10.0pt'>Carlo<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span lang=EN-GB
style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>-----Original
Message-----<br>
From: freeradius-users-bounces+c.prestopino=waitalia.com@lists.freeradius.org
[mailto:freeradius-users-bounces+c.prestopino=waitalia.com@lists.freeradius.org]
On behalf of Dusty Doris<br>
Sent: Saturday, 7 January 2006 17:56<br>
To: FreeRadius users mailing list<br>
Subject: Re: openLDAP vs.mySQL</span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>>
Despite this, I've seen that LDAP is not widely used. Is this for its<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>>
complexity or are there deeper reasons that suggest to use SQL database for<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>>
both (user data, accounting) purposes? Does anybody have links that might<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>>
help to build a system made using this architecture?<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>I
use ldap for users and sql for accounting for the same reasons you <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>listed.
Installing and using openldap has a much higher learning curve <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>than
mysql, which is why I would guess more users use mysql.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>There
is an old doc in the source under doc/ldap_howto.txt. I wrote that <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>several
years ago and keep promising a new version. Well, I was finally <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>given
a week at the end of this month or early next month to stop all my <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>projects
and start documenting. So, at that time, I will be re-writing <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>that
doc to be more current.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>I
agree that ldap is a perfect place to store user objects. For example, <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>I
have it set up like this.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>ou=users<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>&nbsp;&nbsp;uid=someuser,ou=users...<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;radiusgroupname: dial<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;radiusgroupname: adsl<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;accountNumber: 11111<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>&nbsp;&nbsp;uid=anotheruser,ou=users...<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;radiusgroupname: adsl<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;accountNumber: 11111<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>ou=accounts<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>&nbsp;&nbsp;accountNumber=11111,ou=accounts...<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;radiusgroupname: wifi<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>Using
ldap, I can specify the services the user has access to as an <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>attribute
of that user. I can also do account level groups as well. In <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>the
users above, with my freeradius configuration, I can assure that <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>someuser
has access to adsl and dial, while another user can only login to <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>adsl.
Any user in the 11111 account can login to wifi, which would be <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>both
of those users.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>Now,
you can easily do the same thing in mysql as well. But, I feel that <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>ldap
is a better model for this data. Also, with openldap it is very easy <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>to
replicate and set up distribution of these users. Also, since ldap is a <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>standard
protocol, my provisioning system can write to it whether it's from <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>windows,
solaris, linux, etc... It just needs to understand the ldap <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>protocol.
Using mysql means your provisioning system must understand <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>mysql
syntax, although that isn't usually a difficult task to get set up. <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>Finally,
as you said, ldap is optimized for reads and that's exactly what <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>I'm
doing. I've never experienced any issues with the ldap servers being <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>overloaded.
Then again, I don't get a whole lot of traffic, maybe 60k-80k <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>logins
a day.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>The
only downside I can think of with openldap is that it doesn't support <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>multi-master
setups. There are workarounds I've heard of people using <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>with
some kind of heartbeat setup and a shared IP, but I don't have the <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>need
for a multi-master setup.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>As
long as my master is replicating to my slaves and freeradius is hitting <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>my
slaves, I can assure that no users are ever denied access because of an <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>ldap
server going down. If the master goes down, the only effect is on <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>provisioning
(such as adding new users or changing passwords). In this <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>case
we take a slave server and manually upgrade it to a master while we <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>fix
the master server.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>Freeradius,
with its configurable_failover solution, will allow us to point <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>to
all of our slave servers and it takes care of any slave servers going <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>down
automatically for us, without the need for a load balancer.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>As
an alternative for non-freeradius ldap queries, I've also set up two <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>ldap
proxy servers that point back to my three slaves. The two proxy <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>servers
share an IP, so one is always master (on the ip). If it goes <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>down,
the slave takes over that IP. In that scenario, you can point <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>applications
that don't do failover to the proxyldap shared IP and it will <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>take
care of the failover for you.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>I
really like ldap, but it's taken me some time to become comfortable with <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>it.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>I
hope that doc helps you with your setup. If you need more help, post <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>questions
to the list. Be sure to explain what you are trying to do and <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>show
debug info (radiusd -X) so we can see the difference between what it's <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>doing
and what you want it to do.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>Take
care.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'><o:p> </o:p></span></font></p>
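<p class=MsoPlainText><font size=2 face=Arial><span style='font-size:10.0pt'>Added example, not part of the original messages and not FreeRADIUS configuration: a Python model of the group policy described in the quoted message, where a user's effective groups are the union of the radiusgroupname values on the user entry and on the account entry named by accountNumber, and anything else is denied. The dc=example,dc=org suffix, the extra "orphan" user and all function names are constructed for illustration.<o:p></o:p></span></font></p>
<pre>
```python
# Constructed LDIF-style data mirroring the layout in the message.
# The dc=example,dc=org suffix and the "orphan" entry are assumptions.
SAMPLE_LDIF = """\
dn: uid=someuser,ou=users,dc=example,dc=org
radiusgroupname: dial
radiusgroupname: adsl
accountNumber: 11111

dn: uid=anotheruser,ou=users,dc=example,dc=org
radiusGroupName: adsl
accountNumber: 11111

dn: uid=orphan,ou=users,dc=example,dc=org
accountNumber: 99999

dn: accountNumber=11111,ou=accounts,dc=example,dc=org
radiusgroupname: wifi
"""

def parse_entries(text):
    """Return {dn: {attribute: [values]}} from simple LDIF-style text."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            # LDAP attribute names are case-insensitive, so normalise them.
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def effective_groups(entries, uid, base="dc=example,dc=org"):
    """Union of the user's own groups and those of the user's account."""
    # uid is interpolated unescaped: acceptable for constructed data only.
    user = entries.get(f"uid={uid},ou=users,{base}".lower())
    if user is None:
        return set()  # unknown user: no groups, so every check denies
    groups = set(user.get("radiusgroupname", []))
    for number in user.get("accountnumber", []):
        key = f"accountnumber={number},ou=accounts,{base}".lower()
        account = entries.get(key)
        if account:  # a dangling account reference grants nothing
            groups.update(account.get("radiusgroupname", []))
    return groups

def may_login(entries, uid, service):
    """Default-deny: the service must be in the user's effective groups."""
    return service in effective_groups(entries, uid)

DIRECTORY = parse_entries(SAMPLE_LDIF)
```
</pre>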
</div>
</body>
</html>