Slashdot Mirror
Radius w/ MySQL?
nightrav asks: "I'm one of the systems administrators at a small ISP (about 20k customers) and we're currently looking on moving to a different Radius solution. Currently we are using Merit with LDAP which is proving to be extremely slow and causes a great deal of authentication issues if a Total Control chassis reboots or experiences some other problem that causes it to dump its users. We would like to use some sort of Radius/MySQL solution for authentication and accounting and were wondering what solutions the Slashdot community would recommend."
I can wholeheartedly recommend Radiator. It's written in Perl, which makes it really easy to extend to your own needs, etc. It's got built in modules to both log to and authenticate from Radius. It just works... and works quite well. It's not free, however, which a lot of people don't like; it's worth every penny you'll pay for it though. link.
http://www.freeradius.org
Wanna Pay? Steelbelted RADIUS
http://www.funksoftware.com
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view .pl?p=Software:Cisco_Secure_ACS_UNIX
or
http://www.gnu.org/software/radius/radius.html
or
http://www.freeradius.org/
Anything except LDAP.
When it comes to performance, LDAP is a bad protocol, and OpenLDAP is an even worse implementation.
May we never see th
If you're using OpenLDAP, you can rebuild it with ODBC support and run it on top of MySQL. I've tried running it with PostgreSQL, but have had no luck with it yet. The configure flag for this is --enable-sql.
HTH.
In Soviet Russia, Jesus asks: "What Would You Do?"
FreeRadius seems to be able to deal with datasource changes better than the GNU Radius Server. You can set up user auth info in OpenLDAP for FreeRadius and set up OpenLDAP in a Master-Slave cluster for scalability and robustness.
Postgres can also be used to store both auth and accounting info from FreeRadius and has the ability to live in a cluster for reliability purposes, I know their also working on scalability clusters, but I don't know how far along it is.
Having your user auth info in OpenLDAP will prolly get that info out faster than Postgres, but it can only be used to store auth info. It will most likely be easier to store all the data in Postgres.
Don't use MySQL if you want scalability, speed and robustness all in one package. Postgres has got much better features when it comes to this, it also has native data-types for ip addresses and such.
OpenLDAP might make your migration easier, with any new data you want to store going to Postgres.
I'd recommend thouroughly testing these setups first. Especially the clustering.
Arrogance is Confidence which lacks integrity. -- me
I did this at my last company with Oracle+openLDAP for > 1,000,000 users. Worked great, after some tuning. Which, admittedly, took some time. If that is an issue, don't be headstrong like I was and hire someone who knows how to do it the first time through, rather than learning as you go.
Doing things now at my current job (typically for much smaller user bases), I use postgres in place of Oracle, unless the client has a preference. It just works, it is fast, it doesn't chew off a limb when it has a problem. You can do more interesting queries if you need to. It is enterprise class, Mysql is not, yet. Sorry.
I wonder at all the people who have had endless problems with Open LDAP. If you read the docs, think about what they mean for your environment, and implement correctly, it works wonderfully, from stability to performance to features. Of course, lots of people have horror stories about Postgres, too, most of them illustrations of how not to run a real database. All I can say is these tools work for me and my clients.
My new company is currently about to close, I think, a deal to do what I described above for ~4M users. I'm entirely confident it will work, based on as close to empirical testing as we can emulate. The real world is always different, but that makes it fun. YMMV.
-j
I forget what 8 was for.
Freeradius comes with a SQL module to do authentication and accounting through MySQL, PgSQL, etc. My team uses it quite a lot at my place of employment...we ended up using it to replace a SafeWord installation and everybody has been very happy with it.
See Here for more info on the SQL module.
We also ended up using phpMyAdmin to administrate the adding/removing of users, groups, & other attributes.
ryanc
I'm the network administrator for an ISP based in California with 10k customers, currently. We use radius + e-mail services authenticated against MySQL, and I can very easily help you configure it...
First off, we use ICRadius for our RADIUS server... Using MySQL replication, we avoid a single point of failure... ICRadius is free, and based on Cistron Radius... It works for our needs. Secondly, we use the Exim MTA for SMTP, and Courier IMAP for pop3/imap services... Mail is stored on a RAID exported over NFS, so mail servers are quite easily clustered... Lastly, we have a home-grown account management program we wrote, called "Nebula" that manages all aspects of an account...
If you'd like examples of a config file, implementation suggestions, of even a copy of Nebula (it's open source, free), please let me know. You can e-mail me personally at work at dbauman (at) infostations (dot) net. I even have the origional ICRadius + MySQL howtos from years ago when we migrated away from Cistron, and also the ISP-Planet's ISP-Radius mailing list can be of help to you...
-PhaseBurn Welcome to Linux country. On quiet nights, you can hear windows reboot.
I'll definitely agree with that. (Did you mean 'built in modules to log to and authenticate from MySQL' maybe? Although what you say is correct of course :-) Really flexible, and it's supplied supporting an amazing number of authentication sources. Helpful people too.
We run it with Postgres (run away from MySQL, but GNU-RADIUSD can use it) -- it's fast for us (6k+ customers), under active development and stable as hell.
I've been using Cistron since 1997.. it's powerful, easy to configure, and stable (zero downtime since we installed it - including during upgrades.)
Its obvious the solution to your problem is a custom web-based front end to an overly complicated Oracle database. Ideally the schema should make very little since with hundreds of unused columns--many of which are misspellings. (Thanks for the DROP COLUMN command, oracle). In order to ensure maximum benefit, this system should be designed by a couple of guys who are COMPLETELY drunk off their rocker and refuse to document anything. The system will exhibit wild uptimes given that the programmers are drunk during 75-80% of the system's overall development. A solution such as this will provide with you enourmous perceived flexibility, tons of headaches, and job security.
;)
Oh wait, you already have that in place.