LDAP Accounting

Alan DeKok aland at deployingradius.com
Mon Dec 10 16:59:02 CET 2012

John Dennis wrote:
> Just out of curiosity why are we adding support for "worst practice",
> shouldn't we be encouraging "best practice" via the choice of supported
> configurations?


> Maintaining accounting data in LDAP is an abuse of the LDAP design goals
> of "frequent lookup, infrequent modification". Databases were designed
> for the type of data management that RADIUS accounting involves,
> directories were not. Accounting should be in a database, not a
> directory. Directories were designed to solve different problems.
> Maintaining authentication and identity information across an enterprise
> is exactly one of those problems LDAP was designed to handle which makes
> auth/authz lookups in a directory appropriate. Maintaining accounting
> information in a directory is not.

  That's all well and good.  The current configuration allows for
storing "last login" time.  That's well within the traditional use of LDAP:


  I agree doing more than that would be bad.

  Alan DeKok.

More information about the Freeradius-Devel mailing list