Martin Pauly wrote:
I have a large set of users handled by LDAP, and a small group (admins with only a few logins) that I used to handle by setting up a bunch of local unix accounts and doing Auth-Type := System. So my users file looks like
Auth-Type := System has been deprecated in 2.x. It's not needed. Just list "unix" in the "authorize" section, and the server will figure it out.
In sites-available/default, I have 'unix' in both the authorize and authenticate section. The debug output upon a request reads: ... ++[unix] returns notfound
OK...
[ the whole thing is sent to LDAP for authorization now which succeeds, but could perhaps be avoided anyway]
? What do you mean by that?
So to me it looks like rlm_unix can't find me :-(
The module just calls the system API's to get the passwd file entry for the user. If the system returns notfound, so does the module.
I've read about rlm_passwd, but I don't need any caching or the like. Oh, and user freerad is in group shadow. But as I understand it, this is no longer relevant for my case since rlm_unix uses getpwent which is supposed to handle access to /etc/shadow, right?
No. getpwent still depends on the calling application having permission to read /etc/shadow. Alan DeKok.