I am trying to get the ability to authenticate users from a few different password databases on the same server. To that end, I have users in the FreeBSD system password database as well as in a Linux style shadow passwd file.
From a stock FreeRADIUS 1.1.2 radius.conf file have have done:
modules { ... + passwd myshadow { + filename = /home/lambert/shadow.txt + format = "*User-Name:Crypt-Password::Group:::::" + # have also tried: + format = "*User-Name:User-Password::Group:::::" + # and supplied the crypted password as the users password + hashsize = 100 + authtype = PAP # have tried with and without + # ignorenislike = no + # allowmultiplekeys = no + } ... } authorization { ... # Read the 'users' file files + myshadow # # Look in an SQL database. The schema of the database ... } authentication { ... + Auth-Type any_is_ok { + myshadow { + reject = 1 + notfound = 2 + ok = return + } + unix + } - unix ... } I've tried to make simpler changes to the authentication section such as just adding "myshadow" on the line above the original "unix" entry. But the above is where I think I want to be. I got the above format from a suggestion which used multiple LDAP instances. The FreeBSD system users are able to authenticate. If I try to list my linux style shadow passwd file module "myshadow" in the authenticate{} section of radius.conf, radiusd -X bombs out with: ... Module: Instantiated mschap (mschap) Module: Loaded passwd passwd: filename = "/home/lambert/shadow.txt" passwd: format = "*User-Name:Crypt-Password::Group:::::" passwd: authtype = "PAP" passwd: delimiter = ":" passwd: ignorenislike = yes passwd: ignoreempty = yes passwd: allowmultiplekeys = no passwd: hashsize = 100 rlm_passwd: nfields: 9 keyfield 0(User-Name) listable: no Module: Instantiated passwd (myshadow) radiusd.conf: "passwd" modules aren't allowed in 'authenticate' sections -- they have no such method. radiusd.conf[1919] Failed to parse "myshadow" subsection. Maybe that's a bug in 1.1.2? I haven't tried 1.1.3 just yet. I'm trying to make the version in the FreeBSD ports collection work before I venture out on my own. If I have to go to 1.1.3, it won't break my heart. If I remove the "myshadow" reference from the authenticate{} section, the "myshadow" users are denied: modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 1 rlm_passwd: Added User-Password: 'sFE*/CZQF8saE' to config_items rlm_passwd: Added Group: '0' to config_items rlm_passwd: Adding "Auth-Type = PAP" modcall[authorize]: module "myshadow" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 modcall[authenticate]: module "unix" returns notfound for request 1 modcall: leaving group authenticate (returns notfound) for request 1 auth: Failed to validate the user. I get the feeling that I don't understand how the rlm_passwd module is supposed to be used. I've read docs/rlm_passwd and most, if not all of the other stuff in the docs directory. I'm just missing something. -- Scott Lambert KC5MLE Unix SysAdmin lambert@lambertfam.org