Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

FreeRadius, LDAP, MySQL  - Does this make sense?

Posted on 2004-04-01
8
Medium Priority
?
15,034 Views
Last Modified: 2013-12-04
Hi,

We want to set up Radius on FreeBSD to authenticate users of a PHP/MySQL custom program, Microsoft Exchange users, Windows domain controller, and VPN clients. We also want to add/modify/delete users in the Radius database by using the custom PHP/MySQL tool.

Thinking of using FreeRadius because there is some documentation on how to configure it to work with MySQL.

I just wanted to run this by someone to make sure it makes sense.

The custom PHP/MySQL tool adds/modifies/deletes users through a web interface - so I think I would just have to make sure that it has the correct MySQL permissions and writes to the correct MySQL database. Right now, people can login to the tool and authenticate against a MySQL user table.

How would I authenticate against the Radius server instead?

I would also think that Exchange, Domain Controller, and VPN clients could be easily set up to authenticate against Radius.


Does the above make sense? Any need for LDAP?



Thanks!!

0
Comment
Question by:BrentNJ
  • 3
  • 3
  • 2
8 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 10735459
Do you have any Radius client for Windows LSASS.EXE ???

Kerberos can authenticate Window users instead of Domain Controller.

Maybe LDAP.

Maybe MySQL or PostgreSQL can serve as shared backend between many authentication systems ( you edit tables using your custom interface, and present views for auth services)

And again - multiple parts of system make it less stable and harder to maintain, like SQL backends for few megabytes of authentication information, which will be held in RAM anyway etc.

I suggest you make your test Window machine and examine it against at least Kerberos and LDAP auth servers instead of PDC/AD/Whatever.
Never heard of radius working....
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10746990
do you mean authentification against the system (login), or simply to the database (mysql)?
If you meen system authentification, I'd use LDAP.
  Disadvantage (in first place): more difficult to set up
  Advantages: fast, strong encryption, platform-independent, M$'s ADS is based on LDAP (and so can easyly switched), most products (like radius) can authenticate against LDAP
0
 
LVL 62

Expert Comment

by:gheist
ID: 10748422
I mean login, not database password.
And I wanted to emphasize, that authentication system should be as simple as possible, and SQL backend is practical, if you wish to support multiple authentication mechanisms.
It is about same effort to set up LDAP, Kerberos or Radius, and much more to set up two with shared SQL backend
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 

Author Comment

by:BrentNJ
ID: 10749022
Thanks. So is LDAP a users database similar in concept (not efficiency) to keeping users in MySQL?

Would it be more common to find a deployment of various authentication systems referencing LDAP than MySQL.

If a product can authenticate against a radius server, would it matter whether that radius server is referencing users in LDAP or MySQL?

Could I directly add, modify, and delete users in LDAP using php, perl, or shell?

Thanks!!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 10749404
> Could I directly add, modify, and delete users in LDAP using php, perl, or shell?
sort answer: yes
long answer: there are countless tools for that in the wild

> is LDAP a users database  ..
yes, it's most likely used for that

> .. more common to find a deployment .. referencing LDAP than MySQL ..
hmm, not shure, you need to search the web your self

> .. would it matter whether that radius server is referencing users in LDAP or MySQL?
no.
Just the credentials count, hence the granted or denied authentification
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 800 total points
ID: 10751002
>similar concept
LDAP is more like tree, when SQL is more like flat table
>more common
OpenLDAP can use many database backends, but authentication data usually is small, so you will find LDAP backed with SQL in large sites (>10k user or so), either way it will be able to export LDIF file from one format and import into another.

Gheist,
still living with kerberos authentication....
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 800 total points
ID: 10751137
> ..  you will find LDAP backed with SQL ..
hmm, even LDAP (Netscape/iPlanet, OpenLDAP, ..) support SQL as backend, it's always a performance penulty. db or dbm files are the way to go.
> .. large sites (>10k user or so)
if you have a million or more accounts, you know why LDAP outperforms any RDBM (like SQL) ;-)
Keep in mind that LDAP was/is designed for fast read access (small changes are ok too), hence it's ideal for authentication
just my 2 pence, even it might not be a problem/issue for the question ..
0
 

Author Comment

by:BrentNJ
ID: 10751851
Thanks. Will close out question later today.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question