On Tue, Apr 29, 2014 at 04:08:09PM +0200, Michal Vymazal wrote:
No exactly. We want to enable to ldap to use more than one password for one service.
Means - hash no. 1 not match - ldap will try the hash no. 2 etc.
So you configure one ldap instance (say, "ldap1") to do the first hash check, and a second ldap instance ("ldap2") to check the second hash, then do redundant { ldap1 ldap2 } so if the first check fails, the second one is tried? As on http://wiki.freeradius.org/config/Fail%20over Unless I'm missing something, I don't understand yet why this needs additional code. Although ldap is a lookup database not really an auth mechanism, so you might do two lookups, then call pap in a redundant section, for example. But the theory is the same. Matthew
Dne 29.4.2014 16:02, Matthew Newton napsal(a):
On Tue, Apr 29, 2014 at 02:44:12PM +0200, Michal Vymazal wrote:
We are going to append binary code to some ldap modules - the goal is to enable ldap to use "alternate passwords" for some ldap entries. Means, every app using ldap bind will can use "alternate passwords" to verify the user access. Useful for the environment of mobile devices etc.
This is difficult to understand, but sounds like you want to just use two instances of ldap, checking different LDAP password attributes, with failover? In which case, no code changes required.
Matthew
-- Michal Vymazal work: CESNET, z.s.p.o. AAI Department Zikova 4, 160 00 Praha 6 Czech Republic http://www.cesnet.cz/
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>