On Jul 8, 2015, at 3:46 AM, Michael Ströder <michael@stroeder.com> wrote:
Alan DeKok wrote:
Do you want to use the LDAP servers as databases, and let FreeRADIUS do the authentication? Or do you want to pass the name/password to LDAP, and have the LDAP servers do the authentication?
The answer for "how to correctly configure LDAP server redundancy" depends on the answer to those questions.
Frankly I don't understand. Could you please elaborate on why that makes a difference?
The question should have been clear.
Is it because sending bind requests to the LDAP server is a new separate connection?
No. To put it simply: LDAP is a database. Use it as a database. FreeRADIUS should pull the "known good" password from the database. FreeRADIUS should do the authentication itself. If you use LDAP "bind as user", you're not using LDAP as a database. And since LDAP doesn't support CHAP, MS-CHAP, or EAP, it won't work for those authentication methods. Alan DeKok.