
Re: Centralising passwords/radius accounting



On Mon, 13 Dec 1999, Technical Support wrote:
>On Mon, 13 Dec 1999, Russell Coker wrote:
>
>> >Rather than having complete installations at each location, I was thinking
>> >we would probably only put a radius / squid proxy at each location. 
>> >
>> >However we would want passwords to be shared from our centralised server,
>> >and all accounting information passed back to it. 
>> 
>> Use LDAP for Authentication and install OpenLDAP servers at all locations. 
>> Have all writes go to the main LDAP server and have it replicate to the other
>> ones.  This way a minimal amount of bandwidth will be taken up between the
>> POP's, there will be full redundancy, and it will work with most currently
>> available RADIUS servers.
>
>I am not familiar with ldap beyond the idea, but I assume that the
>authentication is taken care of via a PAM - ldap setup. How would you
>compare ldap to SQL for this kind of application?

They do the same sort of thing in much the same way.  Don't bother with PAM,
using the NSS modules is much easier and for the read-only side of things PAM
offers no benefit.
Most RADIUS servers now are capable of doing LDAP authentication directly
without using getpwnam() to access data in LDAP.  This is good because it
allows more than just searching on user-name.  You can configure the RADIUS
server to look for extra attributes to determine whether the user can access.
You could probably even store things like static IP addresses in LDAP.
One site that I'm working with has LDAP storing the phone numbers used to
call the terminal server.  Both the phone number AND the password must match
to give the user access.

-- 
The ultimate result is that some innovations that would truly benefit
consumers never occur for the sole reason that they do not coincide with
Microsoft's self-interest.
-- Judge Thomas Penfield Jackson, U.S. District Judge

