On Sep 12, 2022, at 1:48 PM, Grosjean Cyril <cygrosjean+freeradius@gmail.com> wrote:
I’m using LDAP as bind from User so I can’t cache the Cleartext-Password.
That does make things more problematic.
I’m not trying to cache the EAP-GTC but the result of authentication against LDAP with a hash of User-Name/User-Password after “Bind as User” method.
I'm not sure how you cache the "result of authentication". The LDAP "bind as user" just checks a password against LDAP. If that works for EAP-GTC, then the server has extracted the password, for use in the "auth-type PAP" section. So... just cache the User-Password there.
As said before, I’m trying to cache auth (as documented on the Google Secure LDAP setup, with an other LDAP). I have already cached User-DN (which helped me remove one LDAP search), but I want to be able to remove as much LDAP bind as possible.
It is clear that on v3.2 it said that it’s only compatible with PAP (it is working with PAP flawlessly on my setup). But not with EAP-GTC as the User-Password is “converted” from GTC to PAP on the "authenticate" part and not the “authorize" part.
So? Auth-Type pap { pap if (EAP-Message && User-Password) { // cache User-Password } } That will work.
The LDAP setup I’m facing is very complicated (lot of latencies), I may suffer hard rate-limit and it isn't possible to “fix it" from my PoV.
I really dislike databases which aren't available. It's a terrible design. Alan DeKok.