John Dennis wrote:
Just out of curiosity why are we adding support for "worst practice", shouldn't we be encouraging "best practice" via the choice of supported configurations?
Yes.
Maintaining accounting data in LDAP is an abuse of the LDAP design goals of "frequent lookup, infrequent modification". Databases were designed for the type of data management that radius accounting involves, directories were not. Accounting should be in a database, not a directory. Directories were designed to solve different problems. Maintaining authentication and identity information across an enterprise is exactly one of those problems LDAP was designed to handle which makes auth/authz lookups in a directory appropriate. Maintaining accounting information in a directory is not.
That's all well and good. The current configuration allows for storing "last login" time. That's well within the traditional use of LDAP: http://www.ldapguru.info/ldap/last-logon-time.html I agree doing more than that would be bad. Alan DeKok.