Authentication and authorization with PAM
Alan DeKok
aland at deployingradius.com
Sat Jul 25 14:04:19 CEST 2015
On Jul 24, 2015, at 6:49 PM, JCA <1.41421 at gmail.com> wrote:
> I have a Linux L system in which the password authentication is
> carried out against a remote RADIUS server R by means of PAM in L.
OK...
> This works as expected, but I would like to use this mechanism to do
> authorization chores, besides the authentication ones.
PAM doesn't really do authorization.
> As part of a
> successful authentication, R will send back to L (in addition to the
> successful authentication packet) a series of attributes that L will
> interpret as authorization parameters - e.g. a list of groups that the
> user that has been authenticated is to belong to.
What's with the one letter acronyms? It just makes things harder to understand.
And PAM doesn't do group membership. NSS does group membership.
> My understanding is that the PAM RADIUS module pam_radius.so is the
> one that interacts with the RADIUS server, and it therefore behooves
> this module to interpret the authentication information, and act on
> it. Looking into the documentation for the current pam_radius.so
> module, it would seem that it contains no support for this - i.e. in
> order to accomplish what I am describing I need to develop a PAM
> RADIUS of my own. Is this correct?
What you want is impossible to do. PAM is designed to do authentication. You CANNOT set group membership with PAM.
Alan DeKok.
More information about the Freeradius-Users
mailing list