Questions regarding authentication systems and protocols to password types compatibility
Reimer Karlsen-Masur, DFN-CERT
karlsen-masur at dfn-cert.de
Fri Apr 20 12:52:10 CEST 2007
Your answer is raising some more questions though:
Alan DeKok wrote:
> Reimer Karlsen-Masur, DFN-CERT wrote:
>> I appreciate the tables explaining the compatibility of authentication
>> systems / protocols to password type compatibility from:
>> But I am still confused about the relationship of these two tables to each
>> other and how to use them.
>> Is the following considered correct?
>> 1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
>> *password store*, only [table 1] is of interest.
Which freeradius modules can be used for the *simple password store*?
files (the users file)
Could you please complete this list? Are these entries ending up in the
authenticate or authorize or both sections of the freeradius config?
>> 2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
>> oracle*, [table 2] tells me which authentication oracle system I can use
>> (depending on the authentication protocol that the supplicant/client/user is
>> and [table 1] tells me in which format the passwords need to be
>> stored in the authentication oracle.
> Yes. Except that PAP is compatible with all password formats. Also,
> ntlm_auth is used on Windows, which stores passwords in cleartext or
> NT-Hash format, and nothing else.
> So after reading the "oracle" page, there's no need to go back to the
> other page to see how to store the passwords.
>> And freeradius is able to connect to
>> the back end (if there is a rlm_<back-end-db> module available), to
>> authenticate *with the user provided* credentials (username/password) and to
>> optionally retrieve some attribute values if the *user* authenticated
>> successfully against the authN oracle.
> No. Authentication has nothing to do with retrieving other
> information. When an authentication oracle is used, FreeRADIUS takes
> the username && password, and hands them to the oracle. The oracle
> returns yes/no, and nothing else.
How do I distinguish within the ldap module configuration whether I do an ldap
authentication via the *oracle* or whether I *retrieve* (additional) attributes
for a user like e.g. his password?
Is the difference that the 'ldap' entry shows up in the 'authenticate'
section for attribute retrieval use (plain password store) which I have
configured here and believe to be working and in the 'authorize' section for
Thanks again for more insight on this!
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
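As an added illustration (not part of the original thread), the two roles discussed above map onto two different places in a FreeRADIUS 2.x style configuration: the ldap module listed in "authorize" acts as a password store, while "Auth-Type LDAP" in "authenticate" acts as an authentication oracle. Hostname, base DN, bind credentials and attribute names below are assumed example values:

```text
# modules/ldap (FreeRADIUS 2.x style; server, identity and basedn are example values)
ldap {
    server   = "ldap.example.org"              # assumed hostname
    identity = "cn=radius,dc=example,dc=org"   # assumed service account
    password = "PLACEHOLDER-SERVICE-SECRET"    # placeholder, not a real secret
    basedn   = "ou=people,dc=example,dc=org"
    filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Password-store role: when the module runs in "authorize", it searches
    # for the user and copies this attribute into the request as the
    # known-good password, so pap/chap/mschap can check the client's
    # credentials locally. The stored format must then be one the
    # authentication protocol can use (the "table 1" of the thread).
    password_attribute = userPassword

    # Oracle role: if no password could be read from the directory, set
    # Auth-Type = LDAP so the "authenticate" section below binds as the user.
    set_auth_type = yes
}

# sites-enabled/default
authorize {
    preprocess
    chap
    mschap
    ldap          # LDAP search + attribute/password retrieval (password store)
    pap
}

authenticate {
    Auth-Type PAP     { pap }     # compares against a password read in authorize
    Auth-Type CHAP    { chap }
    Auth-Type MS-CHAP { mschap }

    # Oracle: FreeRADIUS hands the username and the cleartext password to the
    # directory via an LDAP bind; the directory answers yes/no and nothing else.
    # Only protocols that deliver a cleartext password (PAP) can use this path.
    Auth-Type LDAP    { ldap }
}
```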