eDir Universal password implementation.

Olivier Beytrison olivier at heliosnet.org
Sat Dec 8 17:20:04 CET 2012

On 07.12.2012 22:27, Peter Lambrechtsen wrote:
> Ahh fair enough, we map the loginDisabled and expirationDate to dummy
> VSAs and check it in FreeRadius rather than passing that back as part of
> a bind to LDAP.  Helps save ~30ms from the Auth time, and with ~1mil
> subs in the LDAP database, that's time worth saving.

I would also be interested in this. Could you post a snippet of your
configuration? The only difference from doing a bind is that you don't
consume the loginGrace, which might actually be a good thing. But the
complete check should be loginDisabled == false &&
(passwordExpirationTime > now || loginGraceRemaining > 0)

> Thanks for doing the work to add eDir support back in again.  It "was"
> going to be one of our major stumbling blocks in moving to FR3.

Same here, I was blocked in my eduroam project (and my deadline is next
Friday) so now at least I can move over and deploy the servers. Big
thanks to Alan for his job!

And I have to say that I have a lot of fun doing some code again :) I'll
continue to propose some minor fixes/enhancements to FR3 as I deploy it.


  Olivier Beytrison
  Network & Security Engineer, HES-SO Fribourg
  Mail: olivier at heliosnet.org
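
The complete check stated in the message above, as an added example (not code from this thread or from FreeRADIUS). It evaluates attributes already returned by an LDAP search, so unlike a bind it never decrements loginGraceRemaining. The function names, the sample entry, and the handling of missing or malformed attributes are assumptions.

```python
from datetime import datetime, timezone

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20121208162004Z' (UTC form only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def first(attrs, name):
    """First value of an attribute, matched case-insensitively, or None."""
    for key, values in attrs.items():
        if key.lower() == name.lower() and values:
            return values[0]
    return None

def may_authenticate(attrs, now):
    """Return (allowed, reason) for one entry.

    Implements: loginDisabled == false &&
                (passwordExpirationTime > now || loginGraceRemaining > 0)
    """
    disabled = first(attrs, "loginDisabled")
    # LDAP Boolean syntax is 'TRUE'/'FALSE'; anything other than FALSE denies.
    if disabled is not None and disabled.upper() != "FALSE":
        return False, "login disabled"
    expiry = first(attrs, "passwordExpirationTime")
    if expiry is None:
        # Assumption: no expiration attribute means no expiry is enforced.
        return True, "no password expiration set"
    try:
        if parse_generalized_time(expiry) > now:
            return True, "password valid"
        grace = int(first(attrs, "loginGraceRemaining") or 0)
    except ValueError:
        # Fail closed on values that cannot be parsed.
        return False, "malformed attribute"
    if grace > 0:
        return True, "password expired, grace logins remain"
    return False, "password expired, no grace logins"

# Constructed sample entry and clock value, for illustration only.
NOW = datetime(2012, 12, 8, 16, 20, 4, tzinfo=timezone.utc)
SAMPLE = {"loginDisabled": ["FALSE"],
          "passwordExpirationTime": ["20121201000000Z"],
          "loginGraceRemaining": ["3"]}

if __name__ == "__main__":
    print(may_authenticate(SAMPLE, NOW))
```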

More information about the Freeradius-Devel mailing list