On Tue, 2002-03-12 at 09:36, Dan Perik wrote:
> On Tue, 2002-03-12 at 01:29, Alan DeKok wrote:
> > Dan Perik <[EMAIL PROTECTED]> wrote:
> > > Now, I'd like to extend that and allow FreeRadius to also try SQL
> > > auth. So it would try LDAP first, and if the user isn't found (or
> > > even on a bad password), I would like FreeRadius to then try to auth
> > > against sql. Is this possible, and if so how?
> >
> > See 'doc/configurable_failover'
> >
> > Alan DeKok.
>
> Excellent. Works beautifully. Thank you.
>
> - Dan
Before I start, I'm using FreeRadius 0.4 on RH 7.2, kernel 2.4.9.

Actually, it didn't work beautifully (using a "redundant" block). The LDAP worked, but the SQL didn't. Since I was pointed in the right direction, I figured I'd hack on it to figure out why not. Well, I just (finally) got it working. I thought if anyone else would like to do something similar, they could benefit from my findings.

First, I had trouble getting sql authentication working. Come to find out, I turned sqltrace = yes in sql.conf. But since I didn't initially create and change ownership of the default sqltracefile, the sql module would silently fail when doing authentication.

Then, according to the configurable_failover docs, I could use "redundant" to group sql and ldap together. But "redundant" is for two data stores that have the same user data in it (or so I understand). I want to have two user data stores, one LDAP (CommuniGate Pro mail server), and the other SQL (MySQL specifically). The problem is that the first "module" would fail. According to configurable_failover, a failure returned from the whole "redundant" group, so I needed to specifically specify the actions required from each return. I include that section from the authentication "group" here. Notice that "reject" is not return, but rather "3". This was the key change to get this to work:

    authtype LDAPORSQL {
        group {
            sql {
                fail = 1
                notfound = 2
                noop = return
                ok = return
                updated = return
                reject = 3
                userlock = return
                invalid = return
                handled = return
                notfound = return
            }
            ldap {
                fail = 1
                notfound = 2
                noop = return
                ok = return
                updated = return
                reject = 3
                userlock = return
                invalid = return
                handled = return
                notfound = return
            }
        }
    }

Now, I can authenticate to a user found in LDAP *or* SQL. And it seems to work very well. Thank you to the FreeRadius developers. A very good product.

- Dan

--
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG

-
List info/subscribe/unsubscribe?
See http://www.freeradius.org/list/users.html
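The thread turns on how FreeRADIUS's configurable failover interprets the per-return-code actions in a "group": "return" stops the group with that module's code, while a number records the code with that priority and lets the next module run. The following simulation is an added illustration written for this page; it is not FreeRADIUS code and it does not parse radiusd.conf. It assumes (not stated in the message) that a later result replaces an earlier one only when its priority number is strictly higher, and it uses Dan's action table with the duplicated `notfound` line collapsed to `notfound = 2`. Modules are consulted in the order they appear in Dan's block (sql, then ldap). The module return codes fed in are constructed per scenario, standing in for what rlm_sql and rlm_ldap would report for that user.

```python
"""Simulation of FreeRADIUS configurable-failover "group" semantics.

Added example for this mailing-list post; not part of FreeRADIUS. Assumed
rules (see lead-in): "return" ends the group with the module's code; an
integer records the code at that priority and continues; a strictly higher
priority seen later replaces the recorded code.
"""

RETURN = "return"


def evaluate_group(modules, actions):
    """Evaluate one group.

    modules: list of (module_name, rcode) in configured order, where rcode is
             the code that module would return for this request (constructed).
    actions: {module_name: {rcode: "return" | int}} as in the config block.
    Returns (group_rcode, list_of_modules_consulted).
    """
    best_code, best_prio = None, -1
    consulted = []
    for name, rcode in modules:
        consulted.append(name)
        action = actions[name][rcode]
        if action == RETURN:          # "return": stop here with this code
            return rcode, consulted
        if action > best_prio:        # numeric: record and keep going
            best_code, best_prio = rcode, action
    return best_code, consulted


def per_module_actions(reject_action):
    """Dan's per-module table, with the reject action parameterised."""
    return {
        "fail": 1, "notfound": 2, "noop": RETURN, "ok": RETURN,
        "updated": RETURN, "reject": reject_action, "userlock": RETURN,
        "invalid": RETURN, "handled": RETURN,
    }


def dans_actions():
    """The working LDAPORSQL table: reject = 3 so a bad SQL password falls through."""
    return {"sql": per_module_actions(3), "ldap": per_module_actions(3)}


def reject_returns_actions():
    """The same table with reject = return, the behaviour Dan had to move away from."""
    return {"sql": per_module_actions(RETURN), "ldap": per_module_actions(RETURN)}


# Constructed scenarios: what each backend would report for a given user.
SCENARIOS = {
    "user only in LDAP":        [("sql", "notfound"), ("ldap", "ok")],
    "user only in SQL":         [("sql", "ok"),       ("ldap", "notfound")],
    "bad SQL password, LDAP ok": [("sql", "reject"),  ("ldap", "ok")],
    "unknown everywhere":       [("sql", "notfound"), ("ldap", "notfound")],
    "wrong password in both":   [("sql", "reject"),   ("ldap", "reject")],
    "not in SQL, LDAP down":    [("sql", "notfound"), ("ldap", "fail")],
}


def run_scenarios(actions):
    """Return {scenario: (group_rcode, modules_consulted)} for an action table."""
    return {name: evaluate_group(mods, actions) for name, mods in SCENARIOS.items()}


if __name__ == "__main__":
    for label, table in (("reject = 3", dans_actions()),
                         ("reject = return", reject_returns_actions())):
        print(f"== {label} ==")
        for scenario, (code, seen) in run_scenarios(table).items():
            print(f"{scenario:28s} -> {code:9s} (consulted: {', '.join(seen)})")
```

Running it shows why the `3` matters: with `reject = return`, a user whose SQL password is wrong never reaches ldap and the group rejects after one module, whereas with `reject = 3` the reject is only recorded and ldap still gets a chance. It also shows the priority ordering at work when both modules fall through: a recorded `reject` (3) outranks `notfound` (2), which outranks `fail` (1), so "wrong password in both" ends in reject while "not in SQL, LDAP down" ends in notfound rather than fail.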