Solved

FreeRadius, LDAP, MySQL - Does this make sense?

Posted on 2004-04-01
15,024 Views
Last Modified: 2013-12-04
Hi,

We want to set up Radius on FreeBSD to authenticate users of a PHP/MySQL custom program, Microsoft Exchange users, a Windows domain controller, and VPN clients. We also want to add/modify/delete users in the Radius database by using the custom PHP/MySQL tool.

Thinking of using FreeRadius because there is some documentation on how to configure it to work with MySQL.

I just wanted to run this by someone to make sure it makes sense.

The custom PHP/MySQL tool adds/modifies/deletes users through a web interface - so I think I would just have to make sure that it has the correct MySQL permissions and writes to the correct MySQL database. Right now, people can log in to the tool and authenticate against a MySQL user table.

How would I authenticate against the Radius server instead?

I would also think that Exchange, the Domain Controller, and VPN clients could be easily set up to authenticate against Radius.

Does the above make sense? Any need for LDAP?

Thanks!!

Question by:BrentNJ
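The question asks how the PHP tool could authenticate against the Radius server instead of its own MySQL user table. The following is an added example, not code from the original post or from FreeRADIUS, showing what that exchange looks like on the wire: it builds a RADIUS Access-Request with a PAP User-Password hidden as RFC 2865 section 5.2 specifies, parses it again, and performs the server-side check. The shared secret, NAS IP address, user names and the salted-hash user table are constructed values. Sending the datagram to UDP port 1812 and waiting for Access-Accept or Access-Reject is left out so the example runs offline. The point worth noticing for a deployment like the one described is that the password is only XOR-obfuscated under the shared secret, so whoever can see the NAS-to-server path and knows or guesses the secret recovers cleartext passwords; the link between the PHP host and the Radius host therefore needs to be trusted or tunnelled.

```python
import hashlib
import hmac
import os
import socket
import struct

# Packet code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(secret, authenticator, password):
    """RFC 2865 s5.2 User-Password hiding: zero-pad to a multiple of 16 and XOR
    each block with MD5(secret + previous block), seeded with the 16-byte
    Request Authenticator. Keyed obfuscation, not encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password, as the RADIUS server does on receipt."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(clear).rstrip(b"\x00")  # drop the zero padding added above


def encode_attr(attr_type, value):
    """Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, authenticator, username, secret, password,
                         nas_ip="127.0.0.1"):
    """Serialise an Access-Request as the PHP tool (acting as a NAS) would send it."""
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD,
                           hide_password(secret, authenticator, password.encode()))
             + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data):
    """Parse the 20-byte header and attribute list, rejecting inconsistent lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    authenticator = data[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def make_user_db(users):
    """Constructed user table: username -> (salt, SHA-256(salt + password))."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(8)
        db[name] = (salt, hashlib.sha256(salt + pw.encode()).digest())
    return db


def server_accepts(data, secret, user_db):
    """Server side: reveal the PAP password and compare it with the stored hash.
    Because the server obtains cleartext, PAP works with any stored hash format."""
    code, _ident, authenticator, attrs = parse_packet(data)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        return False
    entry = user_db.get(attrs.get(ATTR_USER_NAME, b"").decode(errors="replace"))
    if entry is None:
        return False
    salt, digest = entry
    password = reveal_password(secret, authenticator, attrs[ATTR_USER_PASSWORD])
    return hmac.compare_digest(hashlib.sha256(salt + password).digest(), digest)


if __name__ == "__main__":
    SECRET = b"testing123"  # constructed shared secret, shared by NAS and server
    db = make_user_db({"brent": "correct horse"})
    auth = os.urandom(16)  # Request Authenticator must be fresh and unpredictable
    pkt = build_access_request(7, auth, "brent", SECRET, "correct horse")
    print("Access-Request of", len(pkt), "bytes accepted:", server_accepts(pkt, SECRET, db))
```

The Request Authenticator must be random per request; reusing it with the same secret makes the XOR keystream repeat across packets. FreeRADIUS also supports CHAP and EAP methods, which avoid sending a reversible password at all, and those are what the Exchange, domain controller and VPN clients in the question would normally use.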
8 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 10735459
Do you have any Radius client for Windows LSASS.EXE ???

Kerberos can authenticate Windows users instead of Domain Controller.

Maybe LDAP.

Maybe MySQL or PostgreSQL can serve as a shared backend between many authentication systems (you edit tables using your custom interface, and present views for auth services).

And again - multiple parts of a system make it less stable and harder to maintain, like SQL backends for a few megabytes of authentication information, which will be held in RAM anyway, etc.

I suggest you make your test Windows machine and examine it against at least Kerberos and LDAP auth servers instead of PDC/AD/Whatever.
Never heard of radius working....
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10746990
do you mean authentication against the system (login), or simply to the database (mysql)?
If you mean system authentication, I'd use LDAP.
  Disadvantage (in first place): more difficult to set up
  Advantages: fast, strong encryption, platform-independent, M$'s ADS is based on LDAP (and so can easily be switched), most products (like radius) can authenticate against LDAP
0
 
LVL 62

Expert Comment

by:gheist
ID: 10748422
I mean login, not database password.
And I wanted to emphasize that the authentication system should be as simple as possible, and an SQL backend is practical if you wish to support multiple authentication mechanisms.
It is about the same effort to set up LDAP, Kerberos or Radius, and much more to set up two with a shared SQL backend.
0

Author Comment

by:BrentNJ
ID: 10749022
Thanks. So is LDAP a users database similar in concept (not efficiency) to keeping users in MySQL?

Would it be more common to find a deployment of various authentication systems referencing LDAP than MySQL?

If a product can authenticate against a radius server, would it matter whether that radius server is referencing users in LDAP or MySQL?

Could I directly add, modify, and delete users in LDAP using php, perl, or shell?

Thanks!!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10749404
> Could I directly add, modify, and delete users in LDAP using php, perl, or shell?
short answer: yes
long answer: there are countless tools for that in the wild

> is LDAP a users database  ..
yes, it's most likely used for that

> .. more common to find a deployment .. referencing LDAP than MySQL ..
hmm, not sure, you need to search the web yourself

> .. would it matter whether that radius server is referencing users in LDAP or MySQL?
no.
Just the credentials count, hence the granted or denied authentication
0
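To make the "countless tools" answer concrete for the custom tool in the question, here is an added example (not from the thread and not OpenLDAP's own code) that produces the LDIF a PHP or Perl script would hand to ldapadd, ldapmodify and ldapdelete for the add/modify/delete cases, and that shows how an OpenLDAP-style {SSHA} userPassword value is generated and later checked during a simple bind. The base DN ou=People,dc=example,dc=com, the uid-based DN layout and the sample user are assumptions; {SSHA} is used because OpenLDAP's slappasswd defaults to it, and the LDIF quoting follows RFC 2849. The example goes slightly beyond the question by also covering values that LDIF must base64-encode.

```python
import base64
import hashlib
import hmac
import os

BASE_DN = "ou=People,dc=example,dc=com"  # assumed suffix of the constructed directory


def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(SHA-1(password + salt) + salt), 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check cleartext against a stored {SSHA} value, as slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def ldif_line(attr, value):
    """RFC 2849 attribute line. Values that are not safe ASCII (leading space,
    colon or '<', trailing space, line breaks, non-ASCII) are base64 with '::'."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    safe = (value.isascii() and value[:1] not in (b" ", b":", b"<")
            and not value.endswith(b" ") and b"\n" not in value
            and b"\r" not in value and b"\x00" not in value)
    if safe:
        return "%s: %s" % (attr, value.decode("ascii"))
    return "%s:: %s" % (attr, base64.b64encode(value).decode("ascii"))


def user_dn(uid):
    return "uid=%s,%s" % (uid, BASE_DN)


def add_user_ldif(uid, cn, sn, mail, password):
    """Record for ldapadd: a new inetOrgPerson with a salted, hashed password."""
    lines = [ldif_line("dn", user_dn(uid)),
             "changetype: add",
             "objectClass: inetOrgPerson",
             ldif_line("uid", uid),
             ldif_line("cn", cn),
             ldif_line("sn", sn),
             ldif_line("mail", mail),
             ldif_line("userPassword", ssha_hash(password.encode("utf-8")))]
    return "\n".join(lines) + "\n"


def change_password_ldif(uid, new_password):
    """Record for ldapmodify: replace only userPassword, leaving other attributes."""
    lines = [ldif_line("dn", user_dn(uid)),
             "changetype: modify",
             "replace: userPassword",
             ldif_line("userPassword", ssha_hash(new_password.encode("utf-8"))),
             "-"]
    return "\n".join(lines) + "\n"


def delete_user_ldif(uid):
    """Record for ldapdelete (or ldapmodify with changetype: delete)."""
    return "\n".join([ldif_line("dn", user_dn(uid)), "changetype: delete"]) + "\n"


def stored_password_from_ldif(ldif):
    """Read the userPassword value back out of a record (used for the check below)."""
    for line in ldif.splitlines():
        if line.startswith("userPassword:: "):
            return base64.b64decode(line.split(" ", 1)[1]).decode("ascii")
        if line.startswith("userPassword: "):
            return line.split(" ", 1)[1]
    return None


if __name__ == "__main__":
    # Constructed sample user; in the real tool these come from the web form.
    record = add_user_ldif("brent", "Brent N", "N", "brent@example.com", "correct horse")
    print(record)
    print(change_password_ldif("brent", "new pass"))
    print(delete_user_ldif("brent"))
    stored = stored_password_from_ldif(record)
    print("bind check:", ssha_verify(b"correct horse", stored))
```

Two practical notes: the hashed value never leaves the tool in cleartext, so the MySQL-backed web interface only needs write access to the directory for these three operations and never needs to read userPassword back; and since the server only ever compares hashes, the Radius server pointed at this LDAP tree (as the answer says) needs a method that delivers the cleartext to it, such as PAP, or a password-policy overlay that stores a CHAP-compatible form.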
 
LVL 62

Assisted Solution

by:gheist
gheist earned 800 total points
ID: 10751002
>similar concept
LDAP is more like a tree, while SQL is more like a flat table
>more common
OpenLDAP can use many database backends, but authentication data usually is small, so you will find LDAP backed with SQL in large sites (>10k users or so); either way it will be able to export an LDIF file from one format and import it into another.

Gheist,
still living with kerberos authentication....
0
 
LVL 51

Accepted Solution

by:ahoffmann
ahoffmann earned 800 total points
ID: 10751137
> ..  you will find LDAP backed with SQL ..
hmm, even though LDAP (Netscape/iPlanet, OpenLDAP, ..) supports SQL as a backend, it's always a performance penalty. db or dbm files are the way to go.
> .. large sites (>10k user or so)
if you have a million or more accounts, you know why LDAP outperforms any RDBM (like SQL) ;-)
Keep in mind that LDAP was/is designed for fast read access (small changes are ok too), hence it's ideal for authentication
just my 2 pence, even if it might not be a problem/issue for the question ..
0
 

Author Comment

by:BrentNJ
ID: 10751851
Thanks. Will close out question later today.
0
