LDAP redundancy at Freeradius 3.0.8
Alan DeKok
aland at deployingradius.com
Wed Jul 8 14:27:29 CEST 2015
On Jul 8, 2015, at 3:46 AM, Michael Ströder <michael at stroeder.com> wrote:
> Alan DeKok wrote:
>>
>>
>> Do you want to use the LDAP servers as databases, and let FreeRADIUS do the authentication? Or do you want to pass the name/password to LDAP, and have the LDAP servers do the authentication?
>>
>> The answer for "how to correctly configure LDAP server redundancy" depends on the answer to those questions.
>
> Frankly I don't understand.
> Could you please elaborate on why that makes a difference?
The question should have been clear.
> Is it because sending bind requests to the LDAP server is a new separate
> connection?
No.
To put it simply: LDAP is a database. Use it as a database. FreeRADIUS should pull the "known good" password from the database. FreeRADIUS should do the authentication itself.
If you use LDAP "bind as user", you're not using LDAP as a database. And since LDAP doesn't support CHAP, MS-CHAP, or EAP, it won't work for those authentication methods.
Alan DeKok.
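As an added illustration of the distinction Alan draws above (example code, not from the thread or from FreeRADIUS itself): a constructed Python stand-in for the two ways of using the directory. It shows why a bind-as-user backend can only serve a cleartext method like PAP, while reading the known-good password lets the RADIUS server verify CHAP (RFC 2865 section 5.3) on its own. `DIRECTORY` and the function names are assumptions for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the LDAP directory. In "database" mode FreeRADIUS reads
# the password attribute; in "bind" mode it can only ask "is this cleartext right?".
DIRECTORY = {"alice": "correct horse battery staple"}


def ldap_lookup_password(user):
    """Database mode: return the known-good password, or None if no such user."""
    return DIRECTORY.get(user)


def ldap_bind_as_user(user, password):
    """Bind mode: the directory only answers yes/no for a cleartext password."""
    known_good = DIRECTORY.get(user)
    return known_good is not None and hmac.compare_digest(known_good.encode(), password.encode())


def chap_response(chap_id, password, challenge):
    """RFC 2865 section 5.3: the CHAP response is MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def authenticate_pap(user, password, mode="database"):
    """PAP carries the cleartext, so either mode can check it."""
    if mode == "bind":
        return ldap_bind_as_user(user, password)
    known_good = ldap_lookup_password(user)
    return known_good is not None and hmac.compare_digest(known_good.encode(), password.encode())


def authenticate_chap(user, chap_id, challenge, response, mode="database"):
    """CHAP carries only a hash, so the RADIUS server must hold the known-good password."""
    if mode == "bind":
        # Nothing to bind with: the client never sent the password, only an MD5 over it.
        raise ValueError("CHAP cannot be verified with bind-as-user")
    known_good = ldap_lookup_password(user)
    if known_good is None:
        return False
    return hmac.compare_digest(chap_response(chap_id, known_good, challenge), response)


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed CHAP-Challenge value
    resp = chap_response(1, "correct horse battery staple", challenge)
    print(authenticate_chap("alice", 1, challenge, resp))  # True in database mode
```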