On Fri, Apr 10, 2009 at 11:51 PM, Alan DeKok
<aland@deployingradius.com> wrote:
Justin Steward wrote:
> I want to return some radius reply attributes from an SQL database,
> check the user's password against an openLDAP server
As I said... LDAP isn't an authentication protocol.
> (maybe a Windows
> Server running AD at some point in the future), and if possible fall
> back against a password stored in a MySQL database. (Though this
> password may not always be entirely up to date, so it's only for if the
> user either doesn't exist in the directory or the LDAP server is
> temporarily unavailable)
Why not let FreeRADIUS do authentication, as I suggested? Have the
LDAP module pull the password from LDAP. Then, do MySQL.
authorize {
...
ldap
if (notfound | fail) {
sql
}
...
}
That does *exactly* what you suggested above. But the last time I
suggested that solution, you said you *also* wanted to get reply
attributes from MySQL... apparently, even for the users that were found
in LDAP.
So which is it?
My apologies, I tend to let things slip when I send emails late at night. Yes, I need to also send reply attributes from a MySQL database. The reason for this is that the LDAP server is somewhat out of my control. I can't store values for attributes there. Again, apologies for being unclear.
You've mentioned a few times that LDAP is not meant for authentication, however the default config that ships with FreeRADIUS has LDAP in the authentication section. Could you clear that up a little for me please? (or point me to somewhere it's been cleared up before?)
~Justin