On Fri, Apr 10, 2009 at 11:51 PM, Alan DeKok <aland@deployingradius.com>wrote:
Justin Steward wrote:
I want to return some radius reply attributes from an SQL database, check the user's password against an openLDAP server
As I said... LDAP isn't an authentication protocol.
(maybe a Windows Server running AD at some point in the future), and if possible fall back against a password stored in a MySQL database. (Though this password may not always be entirely up to date, so it's only for if the user either doesn't exist in the directory or the LDAP server is temporarily unavailable)
Why not let FreeRADIUS do authentication, as I suggested? Have the LDAP module pull the password from LDAP. Then, do MySQL.
authorize { ... ldap if (notfound | fail) { sql } ... }
That does *exactly* what you suggested above. But the last time I suggested that solution, you said you *also* wanted to get reply attributes from MySQL... apparently, even for the users that were found in LDAP.
So which is it?
My apologies, I tend to let things slip when I send emails late at night. Yes, I need to also send reply attributes from a MySQL database. The reason for this is that the LDAP server is somewhat out of my control. I can't store values for attributes there. Again, apologies for being unclear. You've mentioned a few times that LDAP is not meant for authentication, however the default config that ships with FreeRADIUS has LDAP in the authentication section. Could you clear that up a little for me please? (or point me to somewhere it's been cleared up before?) ~Justin