failover and groups in authenticate

Louis Munro lmunro at
Thu Sep 8 16:40:54 CEST 2016

I need to ask, even though I think this may be impossible.

Is there a way to have groups of modules with failover in "authenticate"?

The documentation does seem to be pretty explicit agains it: 
"authenticate{...}" itself is not a GROUP, even though it contains a list of Auth-Type GROUPs, because its semantics are totally different - it uses Auth-Type to decide which of its members to call, and their order is irrelevant.
The reason I am asking is that I am trying to achieve something like a local cache of NT hashes (in redis) with failover to active directory.
The idea is that getting the local hash from redis is much faster, but it may be outdated. 
So if the authentication fails, I'd like to try again using ntlm_auth (or the winbind libraries if possible).
If both authentication attempts fail, then the user is rejected.

This is something of a harebrained experiment around the performance limitations of Active-Directory.
Feel free to tell me it's a bad idea.
It probably is...

Louis Munro
lmunro at <mailto:lmunro at>  :: <> 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo ( <>) and PacketFence ( <>)

More information about the Freeradius-Users mailing list