freeradius-users at lists.freeradius.org

Alan DeKok aland at deployingradius.com
Wed Dec 5 13:35:05 CET 2007


radius wrote:
> We use RADIUS authentication on this OpenBSD server as a workaround,
> because no pam-(ldap) is available for OpenBSD. Here, all users, mail,
> ftp, yni are authenticated against OpenLDAP using various authentication
> methods (pam-ldap, pure ldap, courier-authlib with ldap, pure-ftpd with
> ldap, ...).

  I presume you're using the OpenBSD PAM RADIUS module?

> The RADIUS authentication works fine, as far as password checking is
> concerned. The following radius-daemon output shows the login of the user
> cvs into the system.
...
> Sending Access-Accept of id 154 to 127.0.0.1 port 27572
> Finished request 1

  The reply is empty.  So the user is allowed in, but with no configuration.

> BUT when this user is logged in, it has the following parameters:
> 
> cvs@myhost -> id
> uid=10001(cvs) gid=102(users) groups=102(users)
> cvs@myhost ->
> 
> All these id parameters are from the local /etc/master.passwd file and
> not from the LDAP directory.

  Did you tell OpenBSD to look in the LDAP directory for that
configuration?  If not, did you tell FreeRADIUS to look in LDAP for that
configuration *and* return it in the Access-Accept?  And even if
FreeRADIUS returns that configuration in the Access-Accept, you have to
check that the OpenBSD PAM RADIUS module supports those attributes.

  See the OpenBSD PAM RADIUS documentation for how to configure it.

> Instead of this (when logging in as the user cvs on a different server) I get
> the following (correct) id parameters:
> 
> cvs@yourhost ~> id
> uid=1067(cvs) gid=100(users) groups=100(users),503(release2)
> cvs@yourhost ~>

  So... look at the configuration for that system to see what it's doing.

> When I check the LDAP host log, I see that not even an attempt is made
> to request session parameters from the LDAP server.

  Yes... the FreeRADIUS debug log shows this, too.

> What do I need to change, and where?

  Look at the configuration for the working machine, and copy it to the
machine that doesn't work.

  Alan DeKok.
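The check Alan makes by eye above (an Access-Accept followed directly by "Finished request" carries no reply attributes, so nothing looked up in LDAP can reach the client) can be automated over `radiusd -X` output. The script below is an added example written for this page, not code from the thread or from FreeRADIUS; the log it parses is constructed to mirror the quoted lines, and the attribute names and values in it (Reply-Message, Framed-IP-Address, the second and third requests) are assumptions made up for the sample.

```python
import re
from typing import Dict, List

# Constructed sample log (not from the thread), modelled on FreeRADIUS "radiusd -X"
# output: the Access-Accept for id 154 is followed directly by "Finished request",
# so, as in the quoted post, it carries no reply attributes. Ids 155 and 156 are
# made up to show a populated Accept and a (legitimately empty) Reject.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:27572, id=154, length=57
        User-Name = "cvs"
        User-Password = "secret"
Sending Access-Accept of id 154 to 127.0.0.1 port 27572
Finished request 1
rad_recv: Access-Request packet from host 127.0.0.1:27573, id=155, length=59
        User-Name = "alice"
        User-Password = "secret"
Sending Access-Accept of id 155 to 127.0.0.1 port 27573
        Reply-Message = "welcome"
        Framed-IP-Address = 192.0.2.10
Finished request 2
Sending Access-Reject of id 156 to 127.0.0.1 port 27574
Finished request 3
"""

# "Sending <Code> of id <N> to <host> port <P>" marks the start of a reply packet.
SENDING_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)$")
# Indented "Attribute = value" lines directly under it are the reply's attributes.
AVP_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$")


def parse_replies(debug_output: str) -> List[Dict]:
    """Return one record per reply packet: code, id, peer and reply attributes.

    Attribute lines are attached to a reply only while they sit directly under
    its "Sending ..." line; the first non-indented line (e.g. "Finished request")
    closes the packet. Request attributes printed under "rad_recv:" are never
    preceded by a "Sending" line, so they are not mistaken for reply attributes.
    """
    replies: List[Dict] = []
    current = None
    for line in debug_output.splitlines():
        m = SENDING_RE.match(line)
        if m:
            current = {
                "code": m.group(1),
                "id": int(m.group(2)),
                "peer": f"{m.group(3)}:{m.group(4)}",
                "attrs": {},
            }
            replies.append(current)
            continue
        avp = AVP_RE.match(line) if current is not None else None
        if avp:
            current["attrs"][avp.group(1)] = avp.group(2).strip()
        else:
            current = None
    return replies


def empty_accepts(debug_output: str) -> List[int]:
    """Ids of Access-Accept packets sent with no attributes at all.

    An empty Accept tells the NAS (here the PAM RADIUS module) only "yes";
    whatever FreeRADIUS may have read from LDAP never leaves the server.
    Access-Rejects are normally empty and are not reported.
    """
    return [
        r["id"]
        for r in parse_replies(debug_output)
        if r["code"] == "Access-Accept" and not r["attrs"]
    ]


if __name__ == "__main__":
    for r in parse_replies(SAMPLE_LOG):
        print(r["code"], r["id"], r["peer"], r["attrs"] or "(empty)")
    print("empty Access-Accepts:", empty_accepts(SAMPLE_LOG))
```

Run it against a real `radiusd -X` capture (`python3 check_replies.py < debug.txt` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and every id it lists is a login that was accepted with nothing attached. Finding attributes in the reply still does not settle the original question: the client has to understand them, which is the separate check Alan points at for the OpenBSD module.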
