Linux groups information from RADIUS server
aland at deployingradius.com
Mon Apr 22 23:20:46 CEST 2019
On Apr 22, 2019, at 5:10 PM, JCA <1.41421 at gmail.com> wrote:
> My understanding is that, when a Linux server delegates authentication
> chores (via PAM) to a RADIUS server, the information having to do with the
> groups that the authenticated user belongs to is retrieved either locally -
> from the relevant entry in /etc/passwd - or from a remote server via NSS -
> for example, from an LDAP server.
Yes. PAM does authentication. NSS does everything else.
> Is there anything preventing one from getting the group information from
> the RADIUS server itself?
There is no NSS radius module, and there is no standard way to get UID / GID / etc. data via RADIUS.
> The RADIUS server could be configured so that,
> when a user has been successfully authenticated by said server, this server
> would send back the authentication OK RADIUS message together with one or
> more attributes containing the groups information.
> The reason I am asking this is because I have interacted with some devices
> in the past that were able to get these data from a RADIUS server alone.
> However, I don't know if this was achieved with the concourse of a
> mechanism similar to what I described, or something totally different.
Nothing implements this.
Nothing *prevents* it from being implemented, but nothing implements it.
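
An added example, not part of the original message: a small Python check that reads a PAM service file and an nsswitch.conf and reports which side handles authentication and which sources supply passwd and group data. Both config snippets are constructed, and `pam_radius_auth.so` is assumed to be the RADIUS PAM module in use.

```python
import re

# Constructed sample configs (not from the original message).
PAM_SSHD = """\
# /etc/pam.d/sshd (constructed)
auth     sufficient  pam_radius_auth.so
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
"""
NSSWITCH = """\
# /etc/nsswitch.conf (constructed)
passwd: files
group:  files ldap [NOTFOUND=return]
shadow: files
"""

def pam_auth_modules(text):
    """Return module names on 'auth' lines (include/substack are not followed)."""
    mods = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            # The control field may be bracketed: [success=1 default=ignore]
            rest = re.sub(r"\[[^\]]*\]", "ctl", " ".join(fields[1:])).split()
            if len(rest) >= 2:
                mods.append(rest[1].rsplit("/", 1)[-1])
    return mods

def nss_sources(text):
    """Map each NSS database to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, spec = line.split(":", 1)
        spec = re.sub(r"\[[^\]]*\]", " ", spec)  # drop [STATUS=action] items
        dbs[db.strip()] = spec.split()
    return dbs

def identity_report(pam_text, nss_text):
    """Show which subsystem answers which question for a login."""
    nss = nss_sources(nss_text)
    return {
        "auth_via_radius": "pam_radius_auth.so" in pam_auth_modules(pam_text),
        # UID/GID and group membership come only from these NSS sources.
        "passwd_sources": nss.get("passwd", []),
        "group_sources": nss.get("group", []),
    }
```

With the constructed input, authentication goes to RADIUS while account and group lookups are answered by `files` and `ldap`, so a user who authenticates successfully still needs an entry in one of those sources.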