LDAP Accounting
Alan DeKok
aland at deployingradius.com
Mon Dec 10 16:59:02 CET 2012
John Dennis wrote:
> Just out of curiosity why are we adding support for "worst practice",
> shouldn't we be encouraging "best practice" via the choice of supported
> configurations?
Yes.
> Maintaining accounting data in LDAP is an abuse of the LDAP design goals
> of "frequent lookup, infrequent modification". Databases were designed
> for the type of data management that radius accounting involves,
> directories were not. Accounting should be in a database, not a
> directory. Directories were designed to solve different problems.
> Maintaining authentication and identity information across an enterprise
> is exactly one of those problems LDAP was designed to handle which makes
> auth/authz lookups in a directory appropriate. Maintaining accounting
> information in a directory is not.
That's all well and good. The current configuration allows for
storing "last login" time. That's well within the traditional use of LDAP:
http://www.ldapguru.info/ldap/last-logon-time.html
I agree doing more than that would be bad.
Alan DeKok.