Hello all,

I am trying to set up freeradius to use mysql for user authentication. I'm running into some challenges though.

The host I am trying to install freeradius on, I will refer to as "box a". The mysql server though is located on a different host, that I will refer to as "box b".

Box A is an existing bastion host that is sitting in our DMZ. It currently has several applications that communicate with mysql databases running on box b through the firewall.

On box A we have installed the mysql client from source tarball. There are currently no mysql server components running on box A. I have verified that we have the required mysql library and include (header) files. Originally we built the mysql client install with only the static libraries (./configure --prefix=/usr/local/mysql --without-server -disable-shared). We have built several apps that link to mysql using that configuration, however we could not get free radius to recognise the mysql client's presence. The configure script would complain that it can't find libmysqlclient (even though it is there and we have linked to it before). After much trial and error we were able to get free radius to recognise the mysql client after we reinstalled mysql using shared libraries (./configure --prefix=/usr/local/mysql --without-server --with-low-memory). We tried all the various freeradius configure command line switches for mysql lib and include locations and no-shared, etc. to no avail. After we built the shared library we could run the freeradius config script and it would detect the presence of the mysql client. We then ran make and it did not report any errors.

Box B is an existing server running mysql. It serves many different applications. We basically have not touched this system except to add a new database and mysql user account for use by freeradius. We installed the mysql schema provided in the freeradius dist.

From box a we are able to connect and peruse the freeradius db on box b, using myadmin with the user account, password, and database name we configured for freeradius.

After getting freeradius to configure, make, and make install we set it up to do authentication using the local system (no mysql). It works fine and we can authenticate to freeradius using ntradping.

However after adding and configuring for mysql, free radius segfaults on startup right after it processes sql.conf.

The details:

Box A
------

MySQL client 3.22.32 built by
   untar tarball (tar -zxvf mysql*)
   ./configure --prefix=/usr/local/mysql --without-server \
               --with-low-memory
   make
   make check
   make install

freeradius 0.9.3 built by
   untar (tar -zxvf free*)
   ./configure --localstatedir=/var --sysconfdir=/etc
   make
   make install

OS Linux 2.2 kernel on MIPS (Sun Cobalt RAQ2)

modified the following files in /etc/raddb

clients.conf
  comment out localhost entry
  add client stanza for each router
  client xxx.xxx.xxx.xxx {                <- real ip in config
        secret = test4321
        shortname = webfe
        nastype = other
  }

radiusd.conf
  add sql to the authorise section between suffix and files entries
  add sql to the accounting section between unix and radutmp entries

sql.conf
  # Database type
  # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
  # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
  driver = "rlm_sql_mysql"

  # Connect info
  server = "xxx.xxx.xxx.xxx"
  login = "mysqlaaauser"
  password = "mysqlaaapassword"

  # Database table configuration
  radius_db = "radius"

  #######################################################################
  #  Query config:  Username
  #######################################################################
  # This is the username that will get substituted, escaped, and added
  # as attribute 'SQL-User-Name'.  '%{SQL-User-Name}' should be used below
  # everywhere a username substitution is needed so you can be sure
  # the username passed from the client is escaped properly.
  #
  #  Uncomment the next line, if you want the sql_user_name to mean:
  #
  #    Use Stripped-User-Name, if it's there.
  #    Else use User-Name, if it's there,
  #    Else use hard-coded string "DEFAULT" as the user name.
  sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
  #
  #sql_user_name = "%{User-Name}"

Box B
-----

RedHat Linux 7.0 (2.2.16 kernel)
MySql 3.22.32 from RPM
Compaq Prosigna 300
Pentium 120
SCSI Disks in Raid Array

My question to the list: has anyone set up freeradius in a similar configuration? If so, what did you have to do to get it to work?
I am getting ready to dive deep into the code but wanted to pose the question to the list first.


Thanks
Robert Causey



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
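
Added example, not part of the original post and not FreeRADIUS code: a Python model of how the sql_user_name template quoted in the sql.conf above resolves its nested `:-` fallbacks, and why each client-supplied value is escaped before it becomes SQL-User-Name. The function names, the allow-list and the =XX hex encoding are assumptions made for illustration.

```python
# Template exactly as it appears in the posted sql.conf.
TEMPLATE = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"

# ASSUMPTION: illustrative allow-list; "=" is deliberately excluded so the
# =XX encoding below stays unambiguous.
SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "0123456789@.-_: /")

def escape(value):
    """Encode every byte outside the allow-list as =XX (hex)."""
    return "".join(chr(b) if chr(b) in SAFE else "=%02X" % b
                   for b in value.encode("utf-8"))

def _match_brace(s, start):
    """Index of the '}' closing the '%{' whose body starts at `start`."""
    depth = 1
    for j in range(start, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced %{...} in template")

def _resolve(body, attrs):
    """Handle 'Attr' or 'Attr:-fallback'; the fallback may itself nest."""
    name, sep, fallback = body.partition(":-")
    value = attrs.get(name)
    if value:                      # attribute present and non-empty
        return escape(value)       # client-controlled data: always escaped
    return expand(fallback, attrs) if sep else ""

def expand(template, attrs):
    """Expand every %{...} reference in `template` against `attrs`."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _match_brace(template, i + 2)
            out.append(_resolve(template[i + 2:end], attrs))
            i = end + 1
        else:
            out.append(template[i])   # literal text such as DEFAULT
            i += 1
    return "".join(out)

def sql_user_name(attrs):
    return expand(TEMPLATE, attrs)

if __name__ == "__main__":
    # Constructed request attributes, not taken from the post.
    print(sql_user_name({"User-Name": "bob@example.org",
                         "Stripped-User-Name": "bob"}))
    print(sql_user_name({"User-Name": "x' OR '1'='1"}))
    print(sql_user_name({}))
```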