Questions regarding authentication systems and protocols to password types compatibility

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at
Fri Apr 20 12:52:10 CEST 2007

Thanks Alan!

Your answer is raising some more questions though:

Alan DeKok wrote:
> Reimer Karlsen-Masur, DFN-CERT wrote:
>> I appreciate the tables explaining the compatibility of authentication
>> systems / protocols to password type compatibility from:
> ....
>> But I am still confused about the relationship of these two tables to each
>> other and how to use them.
>> Is the following considered correct?
>> 1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
>> *password store*, only [table 1] is of interest.
>   Yes.

Which freeradius modules can be used for the *simple password store*?
  files (the users file)
  sql (?)

Could you please complete this list? Are these entries ending up in the
authenticate or authorize or both sections of the freeradius config?

>> 2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
>> oracle*, [table 2] tells me which authentication oracle system I can use
>> (depending on the authentication protocol that the supplicant/client/user is
>> using)
>   Yes.
>> and [table 1] tells me in which format the passwords need to be
>> stored in the authentication oracle.
>   Yes.  Except that PAP is compatible with all password formats.  Also,
> ntlm_auth is used on Windows, which stores passwords in cleartext or
> NT-Hash format, and nothing else.
>   So after reading the "oracle" page, there's no need to go back to the
> other page to see how to store the passwords.
>> And freeradius is able to connect to
>> the back end (if there is a rlm_<back-end-db> module available), to
>> authenticate *with the user provided* credentials (username/password) and to
>> optionally retrieve some attribute values if the *user* authenticated
>> successfully against the authN oracle.
>   No.  Authentication has nothing to do with retrieving other
> information.  When an authentication oracle is used, FreeRADIUS takes
> the username && password, and hands them to the oracle.  The oracle
> returns yes/no, and nothing else.

How do I distinguish, within the ldap module configuration, between doing an
LDAP authentication via the *oracle* and *retrieving* (additional) attributes
for a user, e.g. his password?

Is the difference that the 'ldap' entry shows up in the 'authenticate'
section for attribute retrieval use (plain password store), which I have
configured here and believe to be working, and in the 'authorize' section for
oracle use?

Thanks again for more insight on this!

Kind Regards

Reimer Karlsen-Masur

Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID no.: DE 232129737
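As an added illustration of the two setups discussed in this message (not part of the thread, and not FreeRADIUS' shipped configuration): the password-store mode puts `files`/`ldap` in `authorize` and lets `pap` compare, while the oracle mode puts `ldap` in `authenticate` so it binds to the directory as the user. FreeRADIUS 2.x syntax is assumed; server names, DNs and secrets are placeholders.

```text
# Two ALTERNATIVE virtual-server layouts, not one file. Placeholder names throughout.
modules {
    ldap {
        server   = "ldap.example.org"             # placeholder
        identity = "cn=radius,dc=example,dc=org"  # admin bind DN, placeholder
        password = "placeholder-secret"
        basedn   = "ou=people,dc=example,dc=org"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        password_attribute = "userPassword"       # only needed for mode 1
        set_auth_type = yes                       # mode 2: no password readable -> Auth-Type := LDAP
    }
}

# ---- Mode 1: back end as a simple PASSWORD STORE ---------------------------
# "files" and "ldap" run in authorize and only copy the stored password into the
# request ("ldap" needs an admin bind that may read userPassword).  The comparison
# is done by the protocol module in authenticate, so which protocols can succeed
# depends on the stored format (table 1): cleartext works with PAP/CHAP/MS-CHAP,
# {crypt}/{SSHA} hashes with PAP only.
authorize {
    preprocess
    files          # users file, e.g.:   bob   Cleartext-Password := "hello"
    ldap           # maps {crypt}/{SSHA}/cleartext userPassword to the right attribute
    pap            # sets Auth-Type := PAP when a User-Password is present
}
authenticate {
    Auth-Type PAP { pap }
}

# ---- Mode 2: back end as an AUTHENTICATION ORACLE ---------------------------
# "ldap" in authorize only locates the user's DN; it cannot read the password,
# so (with set_auth_type) it sets Auth-Type := LDAP.  "ldap" in authenticate
# then binds as that DN with the password the client supplied and gets back
# only yes/no.  A bind needs the cleartext password, so this works with PAP only
# (table 2), and no per-user attributes come out of the authentication step.
authorize {
    preprocess
    ldap
}
authenticate {
    Auth-Type LDAP { ldap }
}
```

Which mode is active is therefore decided by where `ldap` is listed, not by a switch inside the module block; if the admin bind can read `userPassword`, mode 1 takes precedence because `pap` will claim the request first.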