LDAP with fallback on local authentication?
Justin Steward
althalus87 at gmail.com
Fri Apr 10 23:21:52 CEST 2009
On Fri, Apr 10, 2009 at 11:51 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Justin Steward wrote:
> > I want to return some radius reply attributes from an SQL database,
> > check the user's password against an OpenLDAP server
>
> As I said... LDAP isn't an authentication protocol.
>
> > (maybe a Windows
> > Server running AD at some point in the future), and if possible fall
> > back against a password stored in a MySQL database. (Though this
> > password may not always be entirely up to date, so it's only for if the
> > user either doesn't exist in the directory or the LDAP server is
> > temporarily unavailable)
>
> Why not let FreeRADIUS do authentication, as I suggested? Have the
> LDAP module pull the password from LDAP. Then, do MySQL.
>
>   authorize {
>       ...
>       ldap
>       if (notfound || fail) {
>           sql
>       }
>       ...
>   }
>
> That does *exactly* what you suggested above. But the last time I
> suggested that solution, you said you *also* wanted to get reply
> attributes from MySQL... apparently, even for the users that were found
> in LDAP.
>
> So which is it?
>
My apologies, I tend to let things slip when I send emails late at night.
Yes, I need to also send reply attributes from a MySQL database. The reason
for this is that the LDAP server is somewhat out of my control. I can't
store values for attributes there. Again, apologies for being unclear.
You've mentioned a few times that LDAP is not meant for authentication;
however, the default config that ships with FreeRADIUS has LDAP in the
authentication section. Could you clear that up a little for me, please? (Or
point me to somewhere it's been cleared up before?)
~Justin