LDAP redundancy at Freeradius 3.0.8
Michael Ströder
michael at stroeder.com
Wed Jul 8 14:39:19 CEST 2015
Alan DeKok wrote:
> On Jul 8, 2015, at 3:46 AM, Michael Ströder <michael at stroeder.com> wrote:
>> Alan DeKok wrote:
>>>
>>> Do you want to use the LDAP servers as databases, and let FreeRADIUS do
>>> the authentication? Or do you want to pass the name/password to LDAP,
>>> and have the LDAP servers do the authentication?
>>>
>>> The answer for "how to correctly configure LDAP server redundancy"
>>> depends on the answer to those questions.
>>
>> Frankly I don't understand.
>> Could you please elaborate on why that makes a difference?
>
> The question should have been clear.
>
>> Is it because sending bind requests to the LDAP server is a new separate
>> connection?
>
> No.
>
> To put it simply: LDAP is a database. Use it as a database. FreeRADIUS
> should pull the "known good" password from the database. FreeRADIUS should
> do the authentication itself.
>
> If you use LDAP "bind as user", you're not using LDAP as a database. And
> since LDAP doesn't support CHAP, MS-CHAP, or EAP, it won't work for those
> authentication methods.
Yes, I already know all this. But I still don't get how that makes a
difference regarding configuration options for LDAP server redundancy.
Ciao, Michael.
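The distinction drawn in the quoted text (LDAP as a database versus "bind as user"), as an added example that is not part of the original message or of FreeRADIUS. The directory, DN, password and function names are constructed stand-ins, and no real LDAP library is used. The CHAP computation follows RFC 1994.

```python
import hashlib
import hmac

# Constructed toy directory: one entry holding a known-good password.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
DIRECTORY = {ALICE: b"correct horse"}

def ldap_bind(dn, password):
    """Stand-in for an LDAP simple bind: the caller must present the password."""
    stored = DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored, password)

def ldap_read_password(dn):
    """Stand-in for a search that returns the known-good password attribute."""
    return DIRECTORY.get(dn)

def chap_response(ident, password, challenge):
    """RFC 1994 CHAP value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def auth_database_mode(dn, request):
    """The RADIUS server reads the password and performs the check itself."""
    known_good = ldap_read_password(dn)
    if known_good is None:
        return "reject"
    if request["method"] == "PAP":
        ok = hmac.compare_digest(known_good, request["password"])
    elif request["method"] == "CHAP":
        expected = chap_response(request["ident"], known_good, request["challenge"])
        ok = hmac.compare_digest(expected, request["response"])
    else:
        return "unsupported"
    return "accept" if ok else "reject"

def auth_bind_mode(dn, request):
    """The RADIUS server hands the submitted password to LDAP in a bind."""
    if request["method"] != "PAP":
        # A CHAP request carries only a hash of the password, so there is
        # nothing the server could present in a bind.
        return "unsupported"
    return "accept" if ldap_bind(dn, request["password"]) else "reject"

# Constructed sample requests for the same user.
CHALLENGE = bytes(range(16))
PAP_REQ = {"method": "PAP", "password": b"correct horse"}
CHAP_REQ = {"method": "CHAP", "ident": 7, "challenge": CHALLENGE,
            "response": chap_response(7, b"correct horse", CHALLENGE)}
```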