[nycbug-talk] RADIUS experiences

Jonathan Vanasco nycbug-list at 2xlp.com
Wed May 24 14:02:40 EDT 2006

On May 23, 2006, at 3:08 PM, Peter Wright wrote:

>> 2) LDAP backends?  Is this common practice? (I'm concerned about  
>> over-
>> complexity)
> aside from the initial learning curve of setting up an ldap  
> environment we
> seem to have pretty good success using LDAP+RADIUS for our wireless  
> and
> remote access networks.

LDAP is ideal for that use because of the internal caching  
implementations and lookup schemes that it uses - it was pretty much  
designed to optimize what you want to do.  Not to knock on RDBMs --  
using a query cache in mysql kind of works similar, but not nearly as  
well because of the way everything must be bit-for-bit exact and  
expiry times -- and you're using mysql.  I'm not too familiar with  
Postgres's query caching.

>> 3) SQL backends?  Is this common practice? (Again, concerned about  
>> over-complexity)
i know a lot of people who use mysql/sqlite for similar things.  they  
all generally do it because of not knowing LDAP.

but i don't think its overcomplicated - in fact, its really quite  
easy and extensible.  most projects that support any sort of lookup  
for accounts seem to be providing sql binding for mysql/postgres/ 
sqlite now.   one of the reasons why is because they're super  
extensible - you can toss a ton of account configuration and settings  
into it, as well as tracking -- and only admin 1 database instead of  
linking a dozen things together.  it makes things easier than running  
stuff through PAM too.

> I'm familiar with LDAP so i'll lean that way.  There are plenty  
> python and
> perl libraries to make scripting ldap easy...and frankly ldap is  
> just a
> database anyway.  Although ramping up on LDAP may be a pain a SQL  
> sounds a little heavy for this solution.  or...you could use  
> berkeleyDB

I'm seconding LDAP.  The python bindings for openldap are pretty simple.

Ike- If you're still working w/MOB and have the old server contents  
archived, I had a super simple cron job running on the email server  
that would do some LDAP access to do spam filtering and permission  
fixing on email accounts.  you could stab at that and be an expert at  
python/ldap in about 3 minutes of toying around.

The only thing that I wasn't super excited with in regards to ldap  
was that by default passwords aren't secure - they're 2way encrypted  
and I believe the domain manager can decrypt at will (i don't lilke  
that).  It takes a bit of work to use a hashed/digest system for  

| - - - - - - - - - - - - - - - - - - - -
| RoadSound.com / Indie-Rock.net
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - -

More information about the talk mailing list