Solved

FreeRadius, LDAP, MySQL  - Does this make sense?

Posted on 2004-04-01
8
14,966 Views
Last Modified: 2013-12-04
Hi,

We want to set up Radius on FreeBSD to authenticate users of a PHP/MySQL custom program, Microsoft Exchange users, Windows domain controller, and VPN clients. We also want to add/modify/delete users in the Radius database by using the custom PHP/MySQL tool.

Thinking of using FreeRadius because there is some documentation on how to configure it to work with MySQL.

I just wanted to run this by someone to make sure it makes sense.

The custom PHP/MySQL tool adds/modifies/deletes users through a web interface - so I think I would just have to make sure that it has the correct MySQL permissions and writes to the correct MySQL database. Right now, people can login to the tool and authenticate against a MySQL user table.

How would I authenticate against the Radius server instead?

I would also think that Exchange, Domain Controller, and VPN clients could be easily set up to authenticate against Radius.


Does the above make sense? Any need for LDAP?



Thanks!!

0
Comment
Question by:BrentNJ
  • 3
  • 3
  • 2
8 Comments
 
LVL 61

Expert Comment

by:gheist
Comment Utility
Do you have any Radius client for Windows LSASS.EXE ???

Kerberos can authenticate Window users instead of Domain Controller.

Maybe LDAP.

Maybe MySQL or PostgreSQL can serve as shared backend between many authentication systems ( you edit tables using your custom interface, and present views for auth services)

And again - multiple parts of system make it less stable and harder to maintain, like SQL backends for few megabytes of authentication information, which will be held in RAM anyway etc.

I suggest you make your test Window machine and examine it against at least Kerberos and LDAP auth servers instead of PDC/AD/Whatever.
Never heard of radius working....
0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
do you mean authentification against the system (login), or simply to the database (mysql)?
If you meen system authentification, I'd use LDAP.
  Disadvantage (in first place): more difficult to set up
  Advantages: fast, strong encryption, platform-independent, M$'s ADS is based on LDAP (and so can easyly switched), most products (like radius) can authenticate against LDAP
0
 
LVL 61

Expert Comment

by:gheist
Comment Utility
I mean login, not database password.
And I wanted to emphasize, that authentication system should be as simple as possible, and SQL backend is practical, if you wish to support multiple authentication mechanisms.
It is about same effort to set up LDAP, Kerberos or Radius, and much more to set up two with shared SQL backend
0
 

Author Comment

by:BrentNJ
Comment Utility
Thanks. So is LDAP a users database similar in concept (not efficiency) to keeping users in MySQL?

Would it be more common to find a deployment of various authentication systems referencing LDAP than MySQL.

If a product can authenticate against a radius server, would it matter whether that radius server is referencing users in LDAP or MySQL?

Could I directly add, modify, and delete users in LDAP using php, perl, or shell?

Thanks!!
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
> Could I directly add, modify, and delete users in LDAP using php, perl, or shell?
sort answer: yes
long answer: there are countless tools for that in the wild

> is LDAP a users database  ..
yes, it's most likely used for that

> .. more common to find a deployment .. referencing LDAP than MySQL ..
hmm, not shure, you need to search the web your self

> .. would it matter whether that radius server is referencing users in LDAP or MySQL?
no.
Just the credentials count, hence the granted or denied authentification
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 200 total points
Comment Utility
>similar concept
LDAP is more like tree, when SQL is more like flat table
>more common
OpenLDAP can use many database backends, but authentication data usually is small, so you will find LDAP backed with SQL in large sites (>10k user or so), either way it will be able to export LDIF file from one format and import into another.

Gheist,
still living with kerberos authentication....
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 200 total points
Comment Utility
> ..  you will find LDAP backed with SQL ..
hmm, even LDAP (Netscape/iPlanet, OpenLDAP, ..) support SQL as backend, it's always a performance penulty. db or dbm files are the way to go.
> .. large sites (>10k user or so)
if you have a million or more accounts, you know why LDAP outperforms any RDBM (like SQL) ;-)
Keep in mind that LDAP was/is designed for fast read access (small changes are ok too), hence it's ideal for authentication
just my 2 pence, even it might not be a problem/issue for the question ..
0
 

Author Comment

by:BrentNJ
Comment Utility
Thanks. Will close out question later today.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now