Justin Steward wrote:
My first problem is this: I want to store reply attributes for my users in a MySQL database, however I want them to authenticate against an LDAP server. No problem, I sort of have this working. Except the reply attributes get sent even on an Access-Reject packet. This seems undesirable to me.
You can filter them out... In any case, it doesn't cause too many issues in practice.
My second problem is this: The LDAP server isn't necessarily in the same building as the radius server. I want users to be able to fall back on locally stored passwords in the MySQL database should the LDAP server be down for some reason. I'd thought that setting Fall-Through=yes and having a DEFAULT Auth-Type = local would have done this, but no dice. Any suggestions?
$ man unlang ... ldap if (fail) { sql } ... Don't use the "users" file for complex policies. It doesn't work for anything complicated. Alan DeKok.