Thank you Dusty,

could you please provide the complete URL for your "doc/ldap_howto.txt"? I had a look at http://www.freeradius.org/doc/, but didn't find it.

My interest in LDAP is not related to performance but to the scalability (distributed directories, referrals, etc...) that it provides compared to SQL.

The system is already working with LDAP as the backend database, but only for free access. These days we are developing the prepaid solution for Wi-Fi access (scratch cards), but completely with MySQL, because it is simpler to use (tables radacct, radcheck, etc. are already built) and to develop. Once we arrive at a stable solution, it is my intention to move the authentication process to OpenLDAP.

Best regards

Carlo

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Dusty Doris
Sent: Saturday, 7 January 2006 17:56
To: FreeRadius users mailing list
Subject: Re: openLDAP vs.mySQL


> Despite this, I've seen that LDAP is not widely used. Is this for its
> complexity or are there deeper reasons that suggest to use SQL database for
> both (user data, accounting) purposes? Does anybody have links that might
> help to build a system made using this architecture?
>

I use ldap for users and sql for accounting for the same reasons you
listed.  Installing and using openldap has a much higher learning curve
than mysql, which is why I would guess more users use mysql.

There is an old doc in the source under doc/ldap_howto.txt.  I wrote that
several years ago and keep promising a new version.  Well, I was finally
given a week at the end of this month or early next month to stop all my
projects and start documenting.  So, at that time, I will be re-writing
that doc to be more current.

I agree that ldap is a perfect place to store user objects.  For example,
I have it set up like this.

ou=users
  uid=someuser,ou=users...
   radiusgroupname: dial
   radiusgroupname: adsl
   accountNumber: 11111

  uid=anotheruser,ou=users...
   radiusgroupname: adsl
   accountNumber: 11111

ou=accounts
  accountNumber=11111,ou=accounts...
   radiusgroupname: wifi

Using ldap, I can specify the services the user has access to as an
attribute of that user.  I can also do account level groups as well.  In
the users above, with my freeradius configuration, I can assure that
someuser has access to adsl and dial, while another user can only login to
adsl.  Any user in the 11111 account can login to wifi, which would be
both of those users.

Now, you can easily do the same thing in mysql as well.  But, I feel that
ldap is a better model for this data.  Also, with openldap it is very easy
to replicate and set up distribution of these users.  Also, since ldap is a
standard protocol, my provisioning system can write to it whether it's from
windows, solaris, linux, etc...  It just needs to understand the ldap
protocol.  Using mysql means your provisioning system must understand
mysql syntax, although that isn't usually a difficult task to get set up.
Finally, as you said, ldap is optimized for reads and that's exactly what
I'm doing.  I've never experienced any issues with the ldap servers being
overloaded.  Then again I don't get a whole lot of traffic, maybe 60k-80k
logins a day.

The only downside I can think of with openldap is that it doesn't support
multi-master setups.  There are workarounds I've heard of people using
with some kind of heartbeat setup and a shared IP, but I don't have the
need for a multi-master setup.

As long as my master is replicating to my slaves and freeradius is hitting
my slaves, I can assure that no users are ever denied access because of an
ldap server going down.  If the master goes down, the only effect is on
provisioning (such as adding new users or changing passwords).  In this
case we take a slave server and manually upgrade it to a master while we
fix the master server.

Freeradius, with its configurable_failover solution, will allow us to point
to all of our slave servers and it takes care of any slave servers going
down automatically for us, without the need for a load balancer.

As an alternative for non-freeradius ldap queries, I've also set up two
ldap proxy servers that point back to my three slaves.  The two proxy
servers share an IP, so one is always master (on the ip).  If it goes
down, the slave takes over that IP.  In that scenario, you can point
applications that don't do failover to the proxyldap shared IP and it will
take care of the failover for you.

I really like ldap, but it's taken me some time to become comfortable with
it.

I hope that doc helps you with your setup; if you need more help, post
questions to the list.  Be sure to explain what you are trying to do and
show debug info (radiusd -X) so we can see the difference between what it's
doing and what you want it to do.

Take care.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
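The user/account layout Dusty describes above, worked through as an added example (not code from the post or from FreeRADIUS): a user's effective radiusgroupname set is its own values plus those of the ou=accounts entry its accountNumber points to, and an unknown uid is rejected rather than treated as "no groups". The LDIF is constructed sample data and the dc=example,dc=com suffix is an assumption.

```python
# Added example (not from the post): effective RADIUS groups = user's ou=users attributes + linked ou=accounts entry; constructed data, suffix assumed.
SAMPLE_LDIF = """\
dn: uid=someuser,ou=users,dc=example,dc=com
radiusgroupname: dial
radiusgroupname: adsl
accountNumber: 11111

dn: uid=anotheruser,ou=users,dc=example,dc=com
radiusgroupname: adsl
accountNumber: 11111

dn: accountNumber=11111,ou=accounts,dc=example,dc=com
radiusgroupname: wifi
"""

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr (lowercased): [values]}}; no base64 or folded lines."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not attr:                      # blank line ends the current entry
            current = None
        elif attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def find_entry(entries, rdn, ou):  # DN prefix match, case-insensitive
    return next((e for dn, e in entries.items()
                 if dn.lower().startswith(f"{rdn},ou={ou},".lower())), None)

def effective_groups(entries, uid):
    """User's groups plus each linked account's groups; None for an unknown uid (reject, not 'no groups')."""
    user = find_entry(entries, f"uid={uid}", "users")
    if user is None:
        return None
    groups = set(user.get("radiusgroupname", []))
    for acct in user.get("accountnumber", []):
        account = find_entry(entries, f"accountNumber={acct}", "accounts")
        if account is not None:
            groups |= set(account.get("radiusgroupname", []))
    return groups

def authorize(entries, uid, service):  # accept only a service in the user's effective groups
    groups = effective_groups(entries, uid)
    return groups is not None and service in groups

DIRECTORY = parse_ldif(SAMPLE_LDIF)
```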