LDAP with fallback on local authentication?
Alan DeKok
aland at deployingradius.com
Thu Apr 9 14:27:19 CEST 2009
Justin Steward wrote:
> My first problem is this: I want to store reply attributes for my users
> in a MySQL database, however I want them to authenticate against an LDAP
> server. No problem, I sort of have this working. Except the reply
> attributes get sent even on an Access-Reject packet. This seems
> undesirable to me.
You can filter them out... In any case, it doesn't cause too many
issues in practice.
> My second problem is this: The LDAP server isn't necessarily in the same
> building as the radius server. I want users to be able to fall back on
> locally stored passwords in the MySQL database should the LDAP server be
> down for some reason. I'd thought that setting Fall-Through=yes and
> having a DEFAULT Auth-Type = local would have done this, but no dice.
> Any suggestions?
$ man unlang

	...
	ldap
	if (fail) {
		sql
	}
	...

Don't use the "users" file for complex policies. It doesn't work for
anything complicated.
Alan DeKok.
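
The fallback suggested in the reply above, written out as a fuller fragment. This is an added example, not part of the original message or the FreeRADIUS distribution. It assumes the policy lives in the authorize section, that the module instances are named ldap, sql and pap, and that the default action for a "fail" return code in that section is to stop processing, which is why the return-code override from "man unlang" is applied to ldap.

```unlang
# Added example; section placement, module instance names and the
# "fail = 1" override are assumptions, not taken from the post.
authorize {
	# Lower the priority of "fail" so that an unreachable LDAP
	# server does not end the section before the check below runs.
	ldap {
		fail = 1
	}

	# "fail" is returned when the module could not do its job
	# (server down, timeout). "notfound" and "reject" do not match,
	# so the locally stored passwords in SQL are consulted only
	# when LDAP is unavailable, not when LDAP denies the user.
	if (fail) {
		sql
	}

	# Assumed: pap selects local password checking when sql has
	# supplied a known-good password for the user.
	pap
}
```

Keeping the condition on "fail" alone matters for the security of the fallback: widening it to "notfound" or "reject" would let a locally stored password succeed for an account that LDAP has removed or refused.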