FreeRadius, LDAP, MySQL - Does this make sense?

Hi,

We want to set up Radius on FreeBSD to authenticate users of a PHP/MySQL custom program, Microsoft Exchange users, Windows domain controller, and VPN clients. We also want to add/modify/delete users in the Radius database by using the custom PHP/MySQL tool.

Thinking of using FreeRadius because there is some documentation on how to configure it to work with MySQL.

I just wanted to run this by someone to make sure it makes sense.

The custom PHP/MySQL tool adds/modifies/deletes users through a web interface - so I think I would just have to make sure that it has the correct MySQL permissions and writes to the correct MySQL database. Right now, people can login to the tool and authenticate against a MySQL user table.

How would I authenticate against the Radius server instead?

I would also think that Exchange, Domain Controller, and VPN clients could be easily set up to authenticate against Radius.


Does the above make sense? Any need for LDAP?



Thanks!!

BrentNJAsked:
Who is Participating?
 
ahoffmannConnect With a Mentor Commented:
> ..  you will find LDAP backed with SQL ..
hmm, even LDAP (Netscape/iPlanet, OpenLDAP, ..) support SQL as backend, it's always a performance penulty. db or dbm files are the way to go.
> .. large sites (>10k user or so)
if you have a million or more accounts, you know why LDAP outperforms any RDBM (like SQL) ;-)
Keep in mind that LDAP was/is designed for fast read access (small changes are ok too), hence it's ideal for authentication
just my 2 pence, even it might not be a problem/issue for the question ..
0
 
gheistCommented:
Do you have any Radius client for Windows LSASS.EXE ???

Kerberos can authenticate Window users instead of Domain Controller.

Maybe LDAP.

Maybe MySQL or PostgreSQL can serve as shared backend between many authentication systems ( you edit tables using your custom interface, and present views for auth services)

And again - multiple parts of system make it less stable and harder to maintain, like SQL backends for few megabytes of authentication information, which will be held in RAM anyway etc.

I suggest you make your test Window machine and examine it against at least Kerberos and LDAP auth servers instead of PDC/AD/Whatever.
Never heard of radius working....
0
 
ahoffmannCommented:
do you mean authentification against the system (login), or simply to the database (mysql)?
If you meen system authentification, I'd use LDAP.
  Disadvantage (in first place): more difficult to set up
  Advantages: fast, strong encryption, platform-independent, M$'s ADS is based on LDAP (and so can easyly switched), most products (like radius) can authenticate against LDAP
0
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

 
gheistCommented:
I mean login, not database password.
And I wanted to emphasize, that authentication system should be as simple as possible, and SQL backend is practical, if you wish to support multiple authentication mechanisms.
It is about same effort to set up LDAP, Kerberos or Radius, and much more to set up two with shared SQL backend
0
 
BrentNJAuthor Commented:
Thanks. So is LDAP a users database similar in concept (not efficiency) to keeping users in MySQL?

Would it be more common to find a deployment of various authentication systems referencing LDAP than MySQL.

If a product can authenticate against a radius server, would it matter whether that radius server is referencing users in LDAP or MySQL?

Could I directly add, modify, and delete users in LDAP using php, perl, or shell?

Thanks!!
0
 
ahoffmannCommented:
> Could I directly add, modify, and delete users in LDAP using php, perl, or shell?
sort answer: yes
long answer: there are countless tools for that in the wild

> is LDAP a users database  ..
yes, it's most likely used for that

> .. more common to find a deployment .. referencing LDAP than MySQL ..
hmm, not shure, you need to search the web your self

> .. would it matter whether that radius server is referencing users in LDAP or MySQL?
no.
Just the credentials count, hence the granted or denied authentification
0
 
gheistConnect With a Mentor Commented:
>similar concept
LDAP is more like tree, when SQL is more like flat table
>more common
OpenLDAP can use many database backends, but authentication data usually is small, so you will find LDAP backed with SQL in large sites (>10k user or so), either way it will be able to export LDIF file from one format and import into another.

Gheist,
still living with kerberos authentication....
0
 
BrentNJAuthor Commented:
Thanks. Will close out question later today.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.