On Fri, Apr 10, 2009 at 11:51 PM, Alan DeKok <al...@deployingradius.com> wrote:

> Justin Steward wrote:
> > I want to return some radius reply attributes from an SQL database,
> > check the user's password against an openLDAP server
>
> As I said... LDAP isn't an authentication protocol.
>
> > (maybe a Windows
> > Server running AD at some point in the future), and if possible fall
> > back against a password stored in a MySQL database. (Though this
> > password may not always be entirely up to date, so it's only for if the
> > user either doesn't exist in the directory or the LDAP server is
> > temporarily unavailable)
>
> Why not let FreeRADIUS do authentication, as I suggested? Have the
> LDAP module pull the password from LDAP. Then, do MySQL.
>
> authorize {
>     ...
>     ldap
>     if (notfound || fail) {
>         sql
>     }
>     ...
> }
>
> That does *exactly* what you suggested above. But the last time I
> suggested that solution, you said you *also* wanted to get reply
> attributes from MySQL... apparently, even for the users that were found
> in LDAP.
>
> So which is it?

My apologies, I tend to let things slip when I send emails late at night.

Yes, I need to also send reply attributes from a MySQL database. The reason for this is that the LDAP server is somewhat out of my control. I can't store values for attributes there. Again, apologies for being unclear.

You've mentioned a few times that LDAP is not meant for authentication; however, the default config that ships with FreeRADIUS has LDAP in the authentication section. Could you clear that up a little for me please? (or point me to somewhere it's been cleared up before?)

~Justin