I'm not sure that Steven ever mentioned that his user database is LDAP (perhaps Steven could clarify this for us?).

But for what it is worth, we use a very similar scheme to the one described by Dustin below. For us, however, our billing system is the authoritative database, and LDAP is only used for authentication. The billing system automagically knows which "service records" belong to each account in the database. It aids itself in this process by adding an account id attribute to each of the user's service records in LDAP.

If you get your LDAP tree right, you don't even need two instances of the ldap module. We do this:

ldap {
        basedn = "ou=%{Huntgroup-Name},dc=yourdomain"
}

which works really nicely, as long as you keep your huntgroups up to date ;-)

I'm sure you could do a very similar thing with sql - have an "Account" table for billing purposes, and a "Service" table for authentication purposes, with each service linked back to the "Account" via an "Account ID".

You may have to play with the accounting queries in the sql module configuration a little if you want the accounting records to reference the "Account ID"...


regards, Mike


Dustin Doris wrote:

Imagine you set up your users like this in ldap.

ou=ftpusers,dc=yourdomain
uid=someuser,ou=ftpusers,dc=yourdomain

ou=dialusers,dc=yourdomain
uid=sameuser,ou=dialusers,dc=yourdomain

Then you create two ldap instances in radiusd.conf (or a separate file and
include it)

ldap ftpldap {
  # normal config stuff
  basedn = "ou=ftpusers,dc=yourdomain"
  # more config stuff
}

ldap dialldap {
  # configs
  basedn = "ou=dialusers,dc=yourdomain"
  # more config stuff
}


<snip>
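The single-instance scheme above depends on every huntgroup name having a matching OU, so the two can be checked for drift. The following is an added example, not part of the original messages or of FreeRADIUS; the huntgroups lines, the OU list and the function names are constructed for illustration, and the parser assumes indented lines are continuations of the previous entry.

```python
import re

BASEDN_TEMPLATE = "ou=%{Huntgroup-Name},dc=yourdomain"  # template from the post
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")  # assumption: conservative RDN-safe charset

# Constructed sample huntgroups file: group name, then the check items selecting it.
HUNTGROUPS = """\
# constructed sample
ftpusers   NAS-IP-Address == 192.0.2.10
dialusers  NAS-IP-Address == 192.0.2.20
dialusers  NAS-IP-Address == 192.0.2.21
vpnusers   NAS-IP-Address == 192.0.2.30
"""

# Constructed list of OUs assumed to exist in the directory.
EXISTING_OUS = ["ou=ftpusers,dc=yourdomain", "ou=dialusers,dc=yourdomain",
                "ou=wifiusers,dc=yourdomain"]

def huntgroup_names(text):
    """Return distinct huntgroup names in file order, skipping comments."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if not line.strip() or line[0].isspace():
            continue  # blank, comment-only, or continuation line
        name = line.split()[0]
        if name not in names:
            names.append(name)
    return names

def expand_basedn(template, huntgroup):
    """Substitute the huntgroup into the base DN, refusing DN metacharacters."""
    if not SAFE_NAME.fullmatch(huntgroup):
        raise ValueError(f"huntgroup {huntgroup!r} is not safe to place in a DN")
    return template.replace("%{Huntgroup-Name}", huntgroup)

def drift(huntgroups_text, existing_ous, template=BASEDN_TEMPLATE):
    """Return (base DNs with no OU, OUs no huntgroup resolves to)."""
    expected = {expand_basedn(template, n).lower()
                for n in huntgroup_names(huntgroups_text)}
    present = {dn.lower() for dn in existing_ous}
    return sorted(expected - present), sorted(present - expected)

if __name__ == "__main__":
    missing, unused = drift(HUNTGROUPS, EXISTING_OUS)
    print("huntgroups with no OU:", missing)
    print("OUs with no huntgroup:", unused)
```

A huntgroup listed under "no OU" means lookups for that NAS will search a base DN that does not exist; an OU listed under "no huntgroup" holds service records that no request can reach.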


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
