Adding run-time-access (RTA) to FreeRadius
Alan DeKok
aland at deployingradius.com
Tue Jul 31 17:28:22 CEST 2007
Bob Smith wrote:
> EXECUTIVE SUMMARY
> I believe it will be straightforward but somewhat tedious to add RTA to
> the FreeRADIUS server. There are two issues to be resolve up front -
> updates to the data in FreeRADIUS are not thread safe, and if you have
> UI driven configuration changes, you can not keep the human readable file
> formats now in use.
I think there is a possibility to keep the old configuration files.
Asking people to switch from a known and familiar system to an
unfamiliar one can seriously slow down adoption of a new system.
> 2) Would root access and 'vi' still be required?
> The hope is that FreeRADIUS would become an appliance without ever requiring
> root access or vi after the initial installation. To do this, every config
> parameter in FreeRADIUS would have to be mapped to an RTA accessible table.
> (straightforward but tedious)
Does RTA provide secure access to the SQL interface? I'm not sure I'd
want to re-invent the administrator authorization interface.
> 4) RTA is not thread safe!
> While true, I don't think this is the issue. RTA is an API for other programs
> to access your data. Would you ask that the Hayes AT command set be thread
> safe? Of course not. I think the real issue is that FreeRADIUS is not thread
> safe for configuration updates.
The only daemon I know of that can handle dynamic updates is OpenLDAP.
Everyone else just re-starts.
> 7) We've put too much effort into our config file syntax to give them up.
> This is not really an RTA issue; it is an issue for any scheme to allow dynamic
> configuration updates. Yes, you _could_ have the server try to write the config
> back to disk int the same human-readable format, but you'd be crazy to try.
There are other ways to obtain the same effect. Asking people to use
the existing system OR RTA exclusively is a non-starter.
> 9) RTA is useless without INSERT and DELETE.
> This has long been a criticism of RTA. While there are simple ways around this
> most people still expect INSERT and DELETE for tables where the data is stored
> as a linked-list or other editable structure. I've had a difficult time getting
> people to see RTA as an API and *not* as a database.
Object API's include methods for "new" and "destroy".
Overall, I'm very interested in this. I'll take a look at doing
something similar for 2.x. If we could have a Django and/or RoR
interface to the FreeRADIUS configuration, that would be extremely cool.
Alan DeKok.
More information about the Freeradius-Devel
mailing list