Help with redundant autz

Paolo Cecchini paolo.cecchini at uniurb.it
Thu Mar 2 11:12:26 CET 2017


Hello everybody.

First of all, a few words about me: I’m from Italy and I work at my city’s 
university, in Urbino. Our AAA is FreeRADIUS based.

The authoritative source for student credentials is an Oracle database located 
outside of the local net, because the application is outsourced. 
Credentials are synced hourly to our internal LDAP.

We have experienced sporadic blackouts with that database, and in an effort to 
mitigate the issue we’re planning to switch the first source to LDAP. 
Something like this:

Users ….

DEFAULT Realm == "stud",Autz-Type := stud, Auth-Type := PAP

Sites-available/default …

Autz-Type stud {
    group {
        ldap_stud {
            ok = return
            fail = 1
            notfound = 2
            default = return
        }
        sql_stud
    }
}

Now, scenarios.

a) The user is found in LDAP, the ldap_stud module returns ok, the password 
is checked via PAP and matches: Access-Accept. The SQL module is 
skipped, as intended.

b) The user is NOT found in LDAP, the module returns notfound, and we proceed to 
the sql_stud module (the same if LDAP crashes, via fail).

c) The user IS FOUND in LDAP, but the user has changed their password and LDAP 
is not synced. The ldap_stud module returns ok, but now PAP will 
reject the authentication. Btw, the sql_stud module is skipped, of 
course, because the previous module returned ok.

I tried my best to solve the issue, but that’s apparently far beyond my 
skill :)

I may add that the reverse approach, SQL first then LDAP, will work in the 
abstract:

Autz-Type stud {
    group {
        sql_stud {
            ok = return
            fail = 1
            notfound = 2
            default = return
        }
        ldap_stud
    }
}

But when the SQL server is unreachable, the RADIUS server will time out a lot.

So, in the end, thanks a lot for any hint.


Greetings. Paolo Cecchini
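As an added illustration, not code from the original post or from FreeRADIUS itself, here is a small Python model of how an unlang "group" combines the per-module return codes above and then hands off to PAP; it reproduces scenarios a), b) and c) and the reverse order. The section default priorities are an assumption taken from FreeRADIUS's configurable_failover documentation, and the users and passwords are constructed sample data.

```python
# Added example, not from the original post: a small Python model of how a
# FreeRADIUS unlang "group" combines per-module return codes, followed by a
# PAP check, used to walk through the scenarios in the post.
# ASSUMPTION: the section defaults below are the authorize-section defaults
# from FreeRADIUS's configurable_failover documentation; the overrides are
# the ones in the post. Users and passwords are constructed sample data.
AUTHORIZE_DEFAULTS = {
    "reject": 1, "fail": 1, "ok": 3, "handled": "return", "invalid": "return",
    "userlock": "return", "notfound": 1, "noop": 2, "updated": 4,
}
STOP_ON_OK = {"ok": "return", "fail": 1, "notfound": 2, "default": "return"}
LDAP_FIRST = [("ldap_stud", STOP_ON_OK), ("sql_stud", {})]  # post's first config
SQL_FIRST = [("sql_stud", STOP_ON_OK), ("ldap_stud", {})]   # post's reverse config


def action_for(rcode, overrides):
    """Module override, then its 'default', then the section default.
    An int is a priority; 'return' stops the group with that rcode."""
    if rcode in overrides:
        return overrides[rcode]
    return overrides.get("default", AUTHORIZE_DEFAULTS[rcode])


def run_group(order, rcodes):
    """Evaluate the group; rcodes maps module name -> code it returns.
    Returns (group rcode, modules actually called)."""
    best, best_prio, called = "noop", -1, []
    for name, overrides in order:
        called.append(name)
        action = action_for(rcodes[name], overrides)
        if action == "return":
            return rcodes[name], called
        if action > best_prio:  # higher priority wins; earlier wins ties
            best, best_prio = rcodes[name], action
    return best, called


def authorize_then_pap(order, stores, down, user, typed):
    """Authorize via the group, then Auth-Type PAP against the known-good
    password. stores: module -> {user: cleartext}; down: modules that fail."""
    rcodes = {m: "fail" if m in down else "ok" if user in stores[m] else "notfound"
              for m, _ in order}
    _, called = run_group(order, rcodes)
    known_good = None
    for m in called:  # every module that found the user sets Cleartext-Password
        if rcodes[m] == "ok":
            known_good = stores[m][user]
    return ("Access-Accept" if known_good == typed else "Access-Reject"), called


# Constructed data: LDAP still holds alice's old password, SQL has the new one.
STORES = {"ldap_stud": {"alice": "old-pw", "carol": "pw"},
          "sql_stud": {"alice": "new-pw", "bob": "bob-pw", "carol": "pw"}}
```

With the LDAP-first order, alice typing her new password is rejected without sql_stud ever being consulted, which is scenario c); the SQL-first order accepts her but calls sql_stud on every request.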



More information about the Freeradius-Users mailing list