Hello Alan, I was thinking about a hack...
From the established/Accepted connection from the person I would store the password encrypted sha512 or a better mechanism to encrypt. with a TTL in a database MariaDB or the like. If the system hits the cache, update control { Cache-Status-Only = 'yes' } cache if (User-Password && !notfound) { ldap if (!ok) { update control { Auth-Type := perl # Perl / Python script controls if the server is available or not, # If not uses the cache to do auth with the user password against the local hashed pass + username # Can do additional controls like OTP } } } if (User-Password && notfound) { update control { Auth-Type := ldap } } cache
In authorize { I have Auth-Type perl { if (!notfound) { perl } Any comments? } On Thu, Jan 14, 2021 at 5:36 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 14, 2021, at 12:00 PM, André <netriver@gmail.com> wrote:
This only caches ldap attributes, it's not able to store results Access-Accept for example from a existing ldap confirmed authentication?
No.
Would it be possible to store the result "Access-Accept" for a user + password combination for future approval?
No.
That's not how EAP works. You *cannot* just cache EAP packets and expect it to work.
Your options are:
a) cache the Cleartext-Password (or whatever) returned from LDAP
b) set up session resumption caching. See the "cache" subsection of mods-available/eap
c) both of the above
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html