freeradius-users at lists.freeradius.org
radius
radius at ayni.com
Wed Dec 5 14:17:28 CET 2007
Hi Alan,
thanks for the immediate reply.
> I presume you're using the OpenBSD PAM RADIUS module?
No, I installed freeradius-ldap, no OpenBSD PAM RADIUS module that I knew of.
suomi
Alan DeKok wrote:
> radius wrote:
>> We use RADIUS authentication on this OpenBSD server as a workaround,
>> because no pam-(ldap) is available for OpenBSD. Here, all users, mail,
>> ftp, yni are authenticated against OpenLDAP using various authentication
>> methods (pam-ldap, pure ldap, courier-authlib with ldap, pure-ftpd with
>> ldap, ...).
>
> I presume you're using the OpenBSD PAM RADIUS module?
>
>> The RADIUS authentication works fine, as far as password checking is
>> concerned. The following radius-daemon output shows the login of a user
>> cvs into the system.
> ...
>> Sending Access-Accept of id 154 to 127.0.0.1 port 27572
>> Finished request 1
>
> The reply is empty. So the user is allowed in, but with no configuration.
>
>> BUT when this user is logged in, it has the following parameters:
>>
>> cvs at myhost -> id
>> uid=10001(cvs) gid=102(users) groups=102(users)
>> cvs at myhost ->
>>
>> All these id-parameters are from the local /etc/master.passwd file and
>> not from the LDAP directory.
>
> Did you tell OpenBSD to look in the LDAP directory for that
> configuration? If not, did you tell FreeRADIUS to look in LDAP for that
> configuration *and* return it in the Access-Accept? And even if
> FreeRADIUS returns that configuration in the Access-Accept, you have to
> check that the OpenBSD PAM RADIUS module supports those attributes.
>
> See the OpenBSD PAM RADIUS documentation for how to configure it.
>
>> instead (when logging in as the user cvs on a different server) I get
>> the following (correct) id-parameters:
>>
>> cvs at yourhost ~> id
>> uid=1067(cvs) gid=100(users) groups=100(users),503(release2)
>> cvs at yourhost ~>
>
> So... look at the configuration for that system to see what it's doing.
>
>> When I check the ldap-host log, I see that not even an attempt is made
>> to request session parameters from the LDAP server.
>
> Yes... the FreeRADIUS debug log shows this, too.
>
>> What do I need to change, and where?
>
> Look at the configuration for the working machine, and copy it to the
> machine that doesn't work.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html