Digest using an external database for the Password

Mike Brennan mbrennan at thrupoint.com
Thu Apr 25 15:04:05 CEST 2013

Hi Alan
Yes the password is in clear text.
Thx - I will let you know if I am successful

-----Original Message-----
From: freeradius-users-bounces+mbrennan=thrupoint.com at lists.freeradius.org
[mailto:freeradius-users-bounces+mbrennan=thrupoint.com at lists.freeradius.o
rg] On Behalf Of Alan DeKok
Sent: 25 April 2013 13:47
To: FreeRadius users mailing list
Subject: Re: Digest using an external database for the Password

Mike Brennan wrote:
>     * Use Digest Authentication
>     * The password is stored in an external database (it has a
>       complicated schema) that I am connecting to via sql.conf.
>     * I want to extract the password from this database so that it can
>       be used in Digest Authentication (SIP - using RFC 4590)

  Is the password stored in clear-text?  If so, it can work.  If not, it's

> Is it possible to get the Cleartext-Password (or is it the
> User-Password) from my external database through authorize_check_query ?

  Yes.  But you need to edit it.

> If so, how do I assign this attribute to the value returned in my query?

  You create an "Attribute = value", like with everything else in the

> I can't store any information in my external database as I am not
> allowed to create any tables

  That's fine.

> The following query would return the password - can I use it in
> authorize_check_query?
> authorize_check_query="SELECT password FROM fusion.cdm_credentials
> WHERE person_id=(SELECT person_id FROM fusion.cdm_person WHERE
> user_name='%{User-Name}');"

  No.  The authorize_check_query needs to return "Attribute = value", as
shown by the default configuration.  You can update your query to return

  Or, don't use "sql" in the "authorize" section, as it expects to see the
default FreeRADIUS schema.  List "sql" in "instantite", and then do:

authorize {
	update control {
		Cleartext-Password := "%{sql: SELECT password FROM fusion


  i.e. if you have a SELECT which returns a password, you can assign that
directly to the Cleartext-Password attribute yourself.

> Or am I totally off track?


  Alan DeKok.
List info/subscribe/unsubscribe? See
Note: The information contained in this message may be privileged and confidential 
and protected from disclosure. If the reader of this message is not the intended 
recipient, or an employee or agent responsible for delivering this message to the 
intended recipient, you are hereby notified that any dissemination, distribution or 
copying of this communication is strictly prohibited. If you have received this 
communication in error, please notify us immediately by replying to the message and 
deleting it from your computer. Thank you. Thrupoint, Inc.

More information about the Freeradius-Users mailing list