Solved

FreeRadius, LDAP, MySQL  - Does this make sense?

Posted on 2004-04-01
8
14,997 Views
Last Modified: 2013-12-04
Hi,

We want to set up Radius on FreeBSD to authenticate users of a PHP/MySQL custom program, Microsoft Exchange users, Windows domain controller, and VPN clients. We also want to add/modify/delete users in the Radius database by using the custom PHP/MySQL tool.

Thinking of using FreeRadius because there is some documentation on how to configure it to work with MySQL.

I just wanted to run this by someone to make sure it makes sense.

The custom PHP/MySQL tool adds/modifies/deletes users through a web interface - so I think I would just have to make sure that it has the correct MySQL permissions and writes to the correct MySQL database. Right now, people can login to the tool and authenticate against a MySQL user table.

How would I authenticate against the Radius server instead?

I would also think that Exchange, Domain Controller, and VPN clients could be easily set up to authenticate against Radius.


Does the above make sense? Any need for LDAP?



Thanks!!

0
Comment
Question by:BrentNJ
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 10735459
Do you have any Radius client for Windows LSASS.EXE ???

Kerberos can authenticate Window users instead of Domain Controller.

Maybe LDAP.

Maybe MySQL or PostgreSQL can serve as shared backend between many authentication systems ( you edit tables using your custom interface, and present views for auth services)

And again - multiple parts of system make it less stable and harder to maintain, like SQL backends for few megabytes of authentication information, which will be held in RAM anyway etc.

I suggest you make your test Window machine and examine it against at least Kerberos and LDAP auth servers instead of PDC/AD/Whatever.
Never heard of radius working....
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10746990
do you mean authentification against the system (login), or simply to the database (mysql)?
If you meen system authentification, I'd use LDAP.
  Disadvantage (in first place): more difficult to set up
  Advantages: fast, strong encryption, platform-independent, M$'s ADS is based on LDAP (and so can easyly switched), most products (like radius) can authenticate against LDAP
0
 
LVL 62

Expert Comment

by:gheist
ID: 10748422
I mean login, not database password.
And I wanted to emphasize, that authentication system should be as simple as possible, and SQL backend is practical, if you wish to support multiple authentication mechanisms.
It is about same effort to set up LDAP, Kerberos or Radius, and much more to set up two with shared SQL backend
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 

Author Comment

by:BrentNJ
ID: 10749022
Thanks. So is LDAP a users database similar in concept (not efficiency) to keeping users in MySQL?

Would it be more common to find a deployment of various authentication systems referencing LDAP than MySQL.

If a product can authenticate against a radius server, would it matter whether that radius server is referencing users in LDAP or MySQL?

Could I directly add, modify, and delete users in LDAP using php, perl, or shell?

Thanks!!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10749404
> Could I directly add, modify, and delete users in LDAP using php, perl, or shell?
sort answer: yes
long answer: there are countless tools for that in the wild

> is LDAP a users database  ..
yes, it's most likely used for that

> .. more common to find a deployment .. referencing LDAP than MySQL ..
hmm, not shure, you need to search the web your self

> .. would it matter whether that radius server is referencing users in LDAP or MySQL?
no.
Just the credentials count, hence the granted or denied authentification
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 200 total points
ID: 10751002
>similar concept
LDAP is more like tree, when SQL is more like flat table
>more common
OpenLDAP can use many database backends, but authentication data usually is small, so you will find LDAP backed with SQL in large sites (>10k user or so), either way it will be able to export LDIF file from one format and import into another.

Gheist,
still living with kerberos authentication....
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 200 total points
ID: 10751137
> ..  you will find LDAP backed with SQL ..
hmm, even LDAP (Netscape/iPlanet, OpenLDAP, ..) support SQL as backend, it's always a performance penulty. db or dbm files are the way to go.
> .. large sites (>10k user or so)
if you have a million or more accounts, you know why LDAP outperforms any RDBM (like SQL) ;-)
Keep in mind that LDAP was/is designed for fast read access (small changes are ok too), hence it's ideal for authentication
just my 2 pence, even it might not be a problem/issue for the question ..
0
 

Author Comment

by:BrentNJ
ID: 10751851
Thanks. Will close out question later today.
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question