Pool-Name attribute issue WAS Re: Unknown Auth-Type "LDAP" in authenticate sub-section

up at 3.am up at 3.am
Mon Mar 12 19:23:36 CET 2012


> Hi,
>
>> > DEFAULT         Group == "FOO", Pool-Name :="FOO_pool"
>>
>> "Group" is probably empty. I can't remember what module, if any, fills
>> it out.
>
> #  The Group and Group-Name attributes are automatically created by
> #  the Unix module, and do checking against /etc/group automatically.
> #  This means that you CANNOT use Group or Group-Name to do any other
> #  kind of grouping in the server.  You MUST define a new group
> #  attribute.
>
> ...that's probably the one :-)

...and you just hit on something that solved the problem.  It seems that FR was
getting the group info from LDAP indirectly, through the PAM module, which was
configured using authconfig.  Running authconfig pointing to the local LDAP server
solved the problem.

/etc/pam.d/system-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

Dovecot, sshd and other apps transparently use LDAP this way.  I didn't think FR
did (and maybe it doesn't completely), because I seem to recall trying to get it
to work on an older version (using Auth-type=PAM) that way with no luck...but that
was a while ago.
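
Added example, not part of the original message or of FreeRADIUS: a small Python check of what the system group lookup returns for a user/group pair, useful when a line like Group == "FOO" never matches. It assumes the comparison succeeds when the user's primary GID equals the group's GID or the user is listed as a group member; the sample users and groups are constructed.

```python
import grp
import pwd
import sys
from collections import namedtuple


def unix_group_match(user, group, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Return (matched, reason) for a system-group check of `user` against `group`.

    The default lookups go through the host's name service, so they return
    whatever backend (local files, LDAP, ...) the host is configured to use.
    """
    try:
        pw = getpwnam(user)
    except KeyError:
        return False, "user %r not found in passwd database" % user
    try:
        gr = getgrnam(group)
    except KeyError:
        return False, "group %r not found in group database" % group
    if pw.pw_gid == gr.gr_gid:
        return True, "primary GID %d matches group %r" % (gr.gr_gid, group)
    if user in gr.gr_mem:
        return True, "%r is listed as a member of %r" % (user, group)
    return False, "%r is not a member of %r" % (user, group)


# Constructed sample data standing in for the answers a directory would give.
Pw = namedtuple("Pw", "pw_name pw_gid")
Gr = namedtuple("Gr", "gr_name gr_gid gr_mem")
SAMPLE_PASSWD = {"alice": Pw("alice", 1000), "bob": Pw("bob", 2000),
                 "dave": Pw("dave", 3000)}
SAMPLE_GROUP = {"FOO": Gr("FOO", 2000, ["alice"])}


def sample_getpwnam(name):
    return SAMPLE_PASSWD[name]  # raises KeyError when absent, like pwd.getpwnam


def sample_getgrnam(name):
    return SAMPLE_GROUP[name]  # raises KeyError when absent, like grp.getgrnam


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real lookup on this host: python3 check.py <user> <group>
        print(unix_group_match(sys.argv[1], sys.argv[2]))
    else:
        for u in ("alice", "bob", "dave", "carol"):
            print(u, unix_group_match(u, "FOO", sample_getpwnam, sample_getgrnam))
```

Run on the RADIUS host with a real user and group name, it shows whether the host's configured directory answers the lookup at all.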

