Replacement for config.xml and raddb/users for freeradius2



  • Is there an alternate storage method in freeradius2 for user information that normally would be found in config.xml and raddb/users ?

    After fighting and fussing for a week, I finally have MySQL running, and I was hoping that the information would be stored in the supplied schema, but that doesn't appear to be the case.

    So if it can be done with MySQL and/or LDAP that would be great.

    I'm strategizing how to automate the addition and removal of users in a programmatic fashion using PHP and/or Python (and/or Ruby). I want to know what my options are before I start designing my solution.

    I'm hoping that it doesn't come down to having PHP and/or Python and/or Ruby directly edit config.xml.

    Thanks.



  • Hi,

    MySQL is an option! I use MySQL on some of my installations for CP users and it works fine ;-)
    I use some scripts to load users directly into the database. The DB itself is based on the schema that is provided with FreeRadius. No modifications.

    LDAP should work (never tried it with pfSense). It is a performance boost; LDAP is lightning fast for read-only actions (what AAA is most of the time).

    Have fun!



  • @jhochwald:

    Hi,

    MySQL is an option! I use MySQL on some of my installations for CP users and it works fine ;-)
    I use some scripts to load users directly into the database. The DB itself is based on the schema that is provided with FreeRadius. No modifications.

    LDAP should work (never tried it with pfSense). It is a performance boost; LDAP is lightning fast for read-only actions (what AAA is most of the time).

    Have fun!

    What table are the user accounts supposed to be stored in?
    My greatest desire is to store all user info on the DB.
    Thanks for the reply.



  • @simply:

    What table are the user accounts supposed to be stored in?
    My greatest desire is to store all user info on the DB.
    Thanks for the reply.

    DB? Table?
    Yes, LDAP can use databases. It's up to you to configure a database backend for your LDAP Server!

    I use the OpenLDAP built-in database, no fancy backends.
    Here are some relevant LDIF files:

    dn: ou=users,dc=bewoelkt,dc=lan
    ou: users
    objectClass: top
    objectClass: organizationalUnit
    structuralObjectClass: organizationalUnit
    
    dn: ou=groups,dc=bewoelkt,dc=lan
    ou: groups
    objectClass: top
    objectClass: organizationalUnit
    structuralObjectClass: organizationalUnit
    
    dn: uid=jho,ou=users,dc=bewoelkt,dc=lan
    objectClass: top
    objectClass: radiusprofile
    objectClass: inetOrgPerson
    cn: jho
    sn: jho
    uid: jho
    description: Radius User Joerg Hochwald
    userPassword: PWhere
    radiusReplyItem: WISPr-Redirection-URL+='http://www.bewoelkt.net'
    radiusReplyItem: WISPr-Bandwidth-Max-Down+=1024
    radiusReplyItem: WISPr-Bandwidth-Max-Up+=1024
    radiusReplyItem: WISPr-Location-Name+="FFM01"
    radiusReplyItem: WISPr-Location-ID+="01"
    radiusReplyItem: WISPr-Max-Daily-Session+=3600
    radiusReplyItem: Simultaneous-Use+="0"
    radiusReplyItem: Max-Daily-Session+='3600'
    radiusReplyItem: MHS-INT-Site+="Default"
    radiusReplyItem: myHotspot-Group+="Guest"
    radiusSessionTimeout: 7200
    

    Just include the Radius Schema in /etc/ldap/slapd.conf:

    # Radius include
    include /etc/ldap/schema/radius.schema
    

    Now create a file (schema.conf below) with the following content:

    include /etc/ldap/schema/radius.schema
    

    And import the schema to your LDAP server:

    slaptest -f schema.conf -F testdir/
    ldapadd -Y EXTERNAL -H ldapi:/// -f testdir/cn\=config/cn\=schema/cn\=\{0\}radius.ldif
    

    The schema above works fine with pfSense. Just did some tests with 50k users (imported via LDIF).
    There is only one problem: The RADIUS didn't return all radiusReplyItem configured in the example above. But I didn't find the time to dig into that issue. All relevant info is parsed :)

    For MySQL: You will find a lot of good howtos via Google (Remember, this is your friend) ;-)
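
Added example, not code from the thread: one way to script the add/remove step in Python by generating LDIF shaped like the entry above, rejecting uids that would alter the DN and base64-encoding values that could otherwise inject extra attribute lines. The uid policy, the function names and the {SSHA} password storage are assumptions; a hashed userPassword only works with PAP, not CHAP or MS-CHAP.

```python
import base64
import hashlib
import os
import re

BASE_DN = "ou=users,dc=bewoelkt,dc=lan"          # users OU from the LDIF in the post
UID_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")   # assumed local naming policy
# RFC 2849 SAFE-STRING: 7-bit, no NUL/CR/LF, must not start with space, ':' or '<'
SAFE_RE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                     r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")

def ldif_line(attr, value):
    """Emit one attribute line, base64-encoding values that are not LDIF-safe."""
    if SAFE_RE.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def ssha(password, salt=None):
    """OpenLDAP-style salted SHA-1 value: {SSHA}base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def user_add_ldif(uid, description, password, reply_items=()):
    """Build the LDIF record for one RADIUS user, mirroring the entry in the post."""
    if not UID_RE.fullmatch(uid):
        raise ValueError(f"rejected uid: {uid!r}")   # uid also ends up in the DN
    lines = [f"dn: uid={uid},{BASE_DN}"]
    for oc in ("top", "radiusprofile", "inetOrgPerson"):
        lines.append(ldif_line("objectClass", oc))
    for attr in ("cn", "sn", "uid"):
        lines.append(ldif_line(attr, uid))
    lines.append(ldif_line("description", description))
    lines.append(ldif_line("userPassword", ssha(password)))
    lines.extend(ldif_line("radiusReplyItem", item) for item in reply_items)
    return "\n".join(lines) + "\n"

def user_delete_ldif(uid):
    """Build the changetype: delete record that removes the same user."""
    if not UID_RE.fullmatch(uid):
        raise ValueError(f"rejected uid: {uid!r}")
    return f"dn: uid={uid},{BASE_DN}\nchangetype: delete\n"

if __name__ == "__main__":
    # Constructed input: the description tries to smuggle in an extra attribute.
    print(user_add_ldif("guest01", "Guest\nradiusSessionTimeout: 999999",
                        "s3cret-example", ["WISPr-Bandwidth-Max-Down+=1024"]))
    print(user_delete_ldif("guest01"))
```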

