user auth against mysql
Hello list, I have 1 freeradius server doing 'authentication only' to different types of backends: user@realm1 -> freerad -> MS-AD1 user@realm2 -> freerad -> OpenLDAP user@realm3 -> freerad -> other_radius user@realm4 -> freerad -> MS-AD2 Now I want to add: user@realm5 -> freerad -> MySQL I do NOT administrate this MySQL database and I have just 'databasename + username field + password field' and I just have access to this db to authenticate. Nothing more than that. As I never played with the combination Freeradius/MySQL, I set up a test server according to this documentation: http://www.frontios.com/freeradius.html I set up a db with the db_mysql.sql file that comes with freeradius and this server works perfectly well. Two questions: 1) the sql.conf file is filled up with things I do not need, because the MySQL db has no structure that corresponds to the sql.conf file. Can I simply uncomment all lines I do not need? 2) in the accounting and authorize part of radiusd.conf there is an entry "sql", but not in "authenticate" as where I'd expect such an entry. Why is that? R. -- ___________________________________________________________________ It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt. +------------------------------------------------------------------+ | Richard Lucassen, Utrecht | | Public key and email address: | | http://www.lucassen.org/mail-pubkey.html | +------------------------------------------------------------------+
richard lucassen <mailinglists@lucassen.org>wrote:
I do NOT administrate this MySQL database and I have just 'databasename + username field + password field' and I just have access to this db to authenticate. Nothing more than that.
I'm not sure what you mean by "access to this DB to authenticate".
1) the sql.conf file is filled up with things I do not need, because the MySQL db has no structure that corresponds to the sql.conf file. Can I simply uncomment all lines I do not need?
The schema FreeRADIUS uses is pretty much hard-coded into the SQL module, sorry. So it can't easily be used with another schema.
2) in the accounting and authorize part of radiusd.conf there is an entry "sql", but not in "authenticate" as where I'd expect such an entry. Why is that?
Does your SQL DB perform 802.1X authentication? MS-CHAP? CHAP? HTTP digest authentication? I thought not. SQL DB's are data stores, not authentication servers. FreeRADIUS is an authentication server, not a data store. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Tue, 08 Aug 2006 16:10:18 -0400 "Alan DeKok" <aland@deployingradius.com> wrote:
richard lucassen <mailinglists@lucassen.org>wrote:
I do NOT administrate this MySQL database and I have just 'databasename + username field + password field' and I just have access to this db to authenticate. Nothing more than that.
I'm not sure what you mean by "access to this DB to authenticate".
Sorry, I have privileges to read the UserName and the (encrypted) Password field.
1) the sql.conf file is filled up with things I do not need, because the MySQL db has no structure that corresponds to the sql.conf file. Can I simply uncomment all lines I do not need?
The schema FreeRADIUS uses is pretty much hard-coded into the SQL module, sorry. So it can't easily be used with another schema.
Ok, so AFAIUI it would be better to dump the original db to a file and populate a server which is set up according to the freeradius schema. If possible of course (but that's a MySQL issue and beyond the scope of this list of course)
2) in the accounting and authorize part of radiusd.conf there is an entry "sql", but not in "authenticate" as where I'd expect such an entry. Why is that?
Does your SQL DB perform 802.1X authentication? MS-CHAP? CHAP? HTTP digest authentication?
I thought not. SQL DB's are data stores, not authentication servers. FreeRADIUS is an authentication server, not a data store.
Ok, that's clear. Thnx. R. -- ___________________________________________________________________ It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt. +------------------------------------------------------------------+ | Richard Lucassen, Utrecht | | Public key and email address: | | http://www.lucassen.org/mail-pubkey.html | +------------------------------------------------------------------+
richard lucassen wrote:
Sorry, I have privileges to read the UserName and the (encrypted) Password field.
Then you will be severely limited in the protocols you can use (because of the encryption). You cannot use any protocol where the client sends the password already encrypted, it will need to be sent clear text over the wire (ie PAP).
1) the sql.conf file is filled up with things I do not need, because the MySQL db has no structure that corresponds to the sql.conf file. Can I simply uncomment all lines I do not need? The schema FreeRADIUS uses is pretty much hard-coded into the SQL module, sorry. So it can't easily be used with another schema.
Ok, so AFAIUI it would be better to dump the original db to a file and populate a server which is set up according to the freeradius schema. If possible of course (but that's a MySQL issue and beyond the scope of this list of course)
If the DB is MySQL 5, you *may* be able to create a view. Otherwise, you may have to do what we did for a while. We wrote a perl script to translate from one schema to the other and ran it every 10 minutes. Users were told to wait 10 mins before trying to login after an account change (reactivation, password update, etc). -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com
On Tue, 08 Aug 2006 17:44:22 -0400 Dennis Skinner <dskinner@bluefrog.com> wrote:
Ok, so AFAIUI it would be better to dump the original db to a file and populate a server which is set up according to the freeradius schema. If possible of course (but that's a MySQL issue and beyond the scope of this list of course)
If the DB is MySQL 5, you *may* be able to create a view. Otherwise, you may have to do what we did for a while. We wrote a perl script to translate from one schema to the other and ran it every 10 minutes. Users were told to wait 10 mins before trying to login after an account change (reactivation, password update, etc).
I'm thinking of something similar. Fortunately running the script once a day is ok. It's MySQL-4 btw. R. -- ___________________________________________________________________ It is better to remain silent and be thought a fool, than to speak aloud and remove all doubt. +------------------------------------------------------------------+ | Richard Lucassen, Utrecht | | Public key and email address: | | http://www.lucassen.org/mail-pubkey.html | +------------------------------------------------------------------+
participants (3)
-
Alan DeKok -
Dennis Skinner -
richard lucassen