Questions regarding authentication systems and protocols to password types compatibility

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Fri Apr 20 12:52:10 CEST 2007


Thanks Alan!

Your answer is raising some more questions though:

Alan DeKok wrote:
> Reimer Karlsen-Masur, DFN-CERT wrote:
>> I appreciate the tables explaining the compatibility of authentication
>> systems / protocols to password type compatibility from:
> ....
>> But I am still confused about the relationship of these two tables to each
>> other and how to use them.
>>
>> Is the following considered correct?
>>
>> 1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
>> *password store*, only [table 1] is of interest.
> 
>   Yes.

Which freeradius modules can be used for the *simple password store*?
  files (the users file)
  unix
  pam
  ldap
  sql (?)

Could you please complete this list? Are these entries ending up in the
authenticate or authorize or both sections of the freeradius config?

...
>> 2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
>> oracle*, [table 2] tells me which authentication oracle system I can use
>> (depending on the authentication protocol that the supplicant/client/user is
>> using)
> 
>   Yes.
> 
>> and [table 1] tells me in which format the passwords need to be
>> stored in the authentication oracle.
> 
>   Yes.  Except that PAP is compatible with all password formats.  Also,
> ntlm_auth is used on Windows, which stores passwords in cleartext or
> NT-Hash format, and nothing else.
> 
>   So after reading the "oracle" page, there's no need to go back to the
> other page to see how to store the passwords.
> 
>> And freeradius is able to connect to
>> the back end (if there is a rlm_<back-end-db> module available), to
>> authenticate *with the user provided* credentials (username/password) and to
>> optionally retrieve some attribute values if the *user* authenticated
>> successfully against the authN oracle.
> 
>   No.  Authentication has nothing to do with retrieving other
> information.  When an authentication oracle is used, FreeRADIUS takes
> the username && password, and hands them to the oracle.  The oracle
> returns yes/no, and nothing else.

How do I distinguish, within the ldap module configuration, between doing an ldap
authentication via the *oracle* and *retrieving* (additional) attributes
for a user, e.g. his password?

Is the difference that the 'ldap' entry shows up in the 'authenticate'
section for attribute retrieval use (plain password store), which I have
configured here and believe to be working, and in the 'authorize' section for
oracle use?

Thanks again for more insight on this!

-- 
Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
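Added illustration, not part of the original thread and not taken from the FreeRADIUS documentation: a radiusd.conf excerpt in the 1.x syntax of the time, showing rlm_ldap in its two roles, password store (authorize section) and authentication oracle (Auth-Type LDAP in the authenticate section). The ldap.attrmap attribute names and the set_auth_type option are assumptions.

```conf
# radiusd.conf excerpt (FreeRADIUS 1.x syntax) -- added example, not from the thread.

authorize {
    preprocess
    mschap

    # Role A: ldap as a *password store*. In the authorize section rlm_ldap
    # looks the user up and copies password attributes into the request,
    # as mapped in ldap.attrmap (assumed mapping, e.g.
    #   checkItem User-Password userPassword
    #   checkItem NT-Password   ntPassword ),
    # so that pap / mschap can compare the user-supplied credential locally.
    # If no password attribute comes back and set_auth_type = yes (assumed),
    # the module sets Auth-Type := LDAP, which selects Role B below.
    ldap

    # pap sets Auth-Type := PAP when a cleartext/hashed password is present
    # and no Auth-Type has been set yet.
    pap
}

authenticate {
    # Password-store path: the comparison happens inside FreeRADIUS, using
    # the value retrieved by ldap in the authorize section. Which protocol
    # works depends on the stored format (see the author's "table 1").
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }

    # Role B: ldap as an *authentication oracle*. rlm_ldap binds to the
    # directory as the user with the supplied password; the directory
    # answers yes/no and nothing else is retrieved here. This needs the
    # cleartext password from the supplicant, i.e. it works with PAP only.
    Auth-Type LDAP {
        ldap
    }
}
```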