Help with external authentication using PHP

Ekene Ezeasor ezeasorekene at gmail.com
Sun Apr 7 18:43:30 CEST 2019


Thanks Uchenna,

I appreciate your help so far, but could you please expand on those two
methods mentioned? By that I mean how exactly do I go about the processes. If
you wouldn't mind, can you paste some code that can help me achieve this? At
this point I don't know what else to do.

Thanks.


On Sat, 6 Apr 2019, 8:05 pm Uchenna Nebedum, <nebeduch at gmail.com> wrote:

> Hi Ekene,
> Here are a few ideas:
>
> Use the encrypted passwords from the custom application as PLAINTEXT
> passwords in freeRADIUS, and replicate the users you have in your APP DB as
> valid users in the freeRADIUS DB. Then, before submitting passwords to
> freeRADIUS, do the crypt() function on the provided password and submit that
> to freeRADIUS, depending on the authentication process.
>
> You could also create like an authentication API on your custom application
> and use either the python or perl module to reach the API and compare the
> provided password with what is in the DB, and return an Access-Accept based
> on the response code. The perl/python script would be in the auth{}
> portion.
>
> The third idea is not fully formed. I thought I had more.
>
> On Sat, Apr 6, 2019 at 7:29 PM Ekene Ezeasor <ezeasorekene at gmail.com> wrote:
>
> > Hi Uchenna,
> >
> > Thanks for your tip. Let me explain our scenario.
> >
> > We have our users created and managed using our custom made PHP
> > application. The username pattern is user at domain.edu and the password is
> > encrypted using PHP's function crypt() with a blowfish hash ($2y$....).
> > We have a SimpleSAMLphp implementation where all users authenticate using
> > our SAML IdP. Because SimpleSAMLphp was done in PHP, it was easy for me to
> > integrate password_verify() to verify passwords supplied by the user.
> >
> > Now we are trying to implement eduroam. We do not intend to create a
> > different set of users since we already have a database (MySQL). So my
> > worry and problem now is:
> >
> > 1. - How do I authenticate users using a PHP script that will verify
> > supplied passwords using password_verify()?
> >
> > 2. - In the case where the above is not obtainable in freeradius, how can
> > I structure my MySQL database with regards to password encryption? and
> >
> > 3. - What is the correct SQL code to use to effectively verify user
> > passwords to achieve no. 2 above?
> >
> > Thank you.
> >
> >
> > On Fri, 5 Apr 2019, 10:23 pm Uchenna Nebedum, <nebeduch at gmail.com> wrote:
> >
> > > Hi Ekene,
> > > I think if you explain the entire scenario and what you're trying to
> > > achieve, they'll be able to help.
> > >
> > > I currently have an external application connected to freeradius, but
> > > what I do is entirely different.
> > >
> > > I authenticate users on the application separately, but I don't use the
> > > password they provide as the radius password; it's generated with a
> > > formula and SMD5-encrypted.
> > >
> > > Something like usermac + last 2 letters of first name + last 4 digits of
> > > phone number. Then salted and encrypted and stored in Freeradius.
> > >
> > > Uchenna Nebedum
> > >
> > > On Fri, Apr 5, 2019, 16:23 Ekene Ezeasor <ezeasorekene at gmail.com> wrote:
> > >
> > > > Hi all,
> > > >
> > > > Please, our users' passwords are encrypted using the crypt() (blowfish)
> > > > function in PHP. Now I want to use password_verify() to check the
> > > > submitted password and I intend doing that in PHP. I have updated my
> > > > authorize section to use the external PHP script like this:
> > > >
> > > > update control {
> > > >       Auth-type := "/usr/bin/php -f /etc/freeradius/3.0/php/checkpassword.php %{User-Name} %{User-Password}"
> > > >       &Proxy-To-Realm := LOCAL
> > > >     }
> > > >
> > > > But only the username is sent to the external PHP file. The password
> > > > is empty.
> > > >
> > > > We are already running a large database and it may not be easy to
> > > > change to another encryption method. Therefore this is very important
> > > > and we really need to implement it.
> > > >
> > > > Please can someone help. Thanks. Regards
> > > >
> > > >
> > > >
> > > > ___________________________
> > > > Ekene Ezeasor
> > > > IT Consultant,
> > > > Codee Solutions
> > > > *Phone*: 08063961963
> > > > *Web*: www.codeeltd.com
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
>
>
>
> --
> Nebedum Uchenna

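The external password check discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS's own code: a PHP command-line script that verifies a supplied password against a stored `$2y$` hash with password_verify() and reports the result through its exit status. It assumes the request carries a cleartext password, that the caller passes the credentials in environment variables named USER_NAME and USER_PASSWORD (an assumption about the invocation, chosen so the password is not visible in the process list as a command-line argument would be), and that exit status 0 means accept; the user table is constructed sample data standing in for the MySQL lookup.

```php
<?php
// Added example: verify a RADIUS-supplied password against a bcrypt ($2y$) hash.
declare(strict_types=1);

// Constructed sample data standing in for the application's MySQL user table.
// In production, replace with a prepared-statement lookup of the stored hash.
function load_hash(string $username): ?string
{
    static $users = null;
    if ($users === null) {
        $users = [
            // Hash is generated here only so the example runs offline.
            'alice@domain.edu' => password_hash('correct horse', PASSWORD_BCRYPT),
        ];
    }
    return $users[strtolower($username)] ?? null;
}

// Returns true only when the user exists and the password matches the hash.
function check_password(string $username, string $password): bool
{
    // Dummy hash so an unknown user costs the same bcrypt work as a known one.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_BCRYPT);

    if ($password === '') {
        return false; // no cleartext password reached the script
    }
    $hash = load_hash($username);
    $ok = password_verify($password, $hash ?? $dummy);
    return $ok && $hash !== null;
}

// Assumed invocation: credentials arrive in the environment, not in argv.
$user = getenv('USER_NAME');
$pass = getenv('USER_PASSWORD');
$accept = is_string($user) && is_string($pass) && check_password($user, $pass);

// Assumed convention: exit 0 = accept, non-zero = reject. Nothing is printed,
// so neither the password nor the hash ends up in logs.
exit($accept ? 0 : 1);
```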
