Mixing pam and ldap

Douglas Hammond wizhippo at gmail.com
Fri Sep 21 16:25:11 CEST 2018


Thank you, I figured it out.  I have to have a check for the lookup
to be performed.

DEFAULT Ldap-Group == "SSLVPN-Users"
        Filter-Id := SSLVPN-Users

On Fri, 21 Sep 2018 at 10:17, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Sep 21, 2018, at 9:58 AM, Douglas Hammond <wizhippo at gmail.com> wrote:
> >
> > Using freeradius 3 I have pam working well. I use pam to authenticate
> > against winbind and google-authenticator.
> >
> > I now want to get the user groups from ldap as pam does not pass them along.
>
>   PAM only does authentication.  And badly.  It doesn't really do much else.
>
> > I have ldap setup only in authorize.  I see the user lookup performed
> > and found but no group lookup is done.  When is the group lookup
> > performed?
>
>   When the LDAP module is run.  If you configure it to do that.
>
> >  Can I mix ldap authorize with pam authenticate like this
> > or is this not going to work?
>
>   It will work.
>
>   But TBH, PAM is terrible.  Don't use it.  You should be able to use winbind directly from FreeRADIUS.  Google authenticator is a bit harder, but it should be possible.
>
> > >  Is the ldap group lookup dependent on
> > > the user ldap authentication being successful?
>
>   No.  The LDAP module doesn't do authentication.  It does user authorization, in the "authorize" section.
>
>   Alan DeKok.
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-- 
Douglas Hammond
VA3DJX
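
The arrangement discussed in this thread, written as a FreeRADIUS 3 virtual-server fragment. This is an added example, not configuration posted by either participant. It assumes the ldap module's group settings are already configured and that a module instance named pam is enabled; the file path and the commented-out reject branch are assumptions.

```text
# sites-enabled/default (constructed example, FreeRADIUS 3)
authorize {
    # Finds the user object in LDAP. No group query is sent at this point.
    ldap

    # Comparing Ldap-Group is what makes the server run the group
    # membership lookup. Same check as the users-file entry in the post.
    if (Ldap-Group == "SSLVPN-Users") {
        update reply {
            Filter-Id := "SSLVPN-Users"
        }
    }
    # Assumed policy, not from the thread: without a branch like this,
    # users outside the group still authenticate and only lack Filter-Id.
    # else {
    #     reject
    # }

    # Leave the credential check to PAM (winbind + google-authenticator).
    update control {
        Auth-Type := pam
    }
}

authenticate {
    # LDAP is used for authorization only; PAM verifies the credentials.
    pam
}
```

Running the server with radiusd -X shows whether the group search is issued when the comparison is evaluated.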

