On Aug 14, 2019, at 3:23 PM, Mike Ely <me@mikeely.org> wrote:
We currently have our users authenticating via ntlm_auth and would like to make authorization decisions based on group membership. The radius server is joined to the domain and standard Unix commands calling getpwnam will return expected data:
# id user.name uid=123456789(user.name) gid=234567890(domain users) groups=234567890(domain users),345679012(noc),4567890123(vpm),5678901234(ipmi)
Looking at various modules available to handle this I'm encountering the following problems with each (usual caveats about how I may be misreading the docs): rlm_pam: appears to only be set up to work for authentication rlm_passwd: appears to want a file rlm_unix: also appears to want a file to read? (maybe?)
The Unix module calls getpwent() and getspwent(). It doesn't look at files.
I'm hoping one of these above or perhaps something else can be used in the authorize section such that if a user logs in, and that user's group membership includes the required group (say, ipmi), then the authorization will be accepted. It's just not clear to me how to proceed here.
Enable the "unix" module. Use the "Group" attribute, which does Unix group checking. if (Group == "sales") { reject } else if (Group == "engineering") { accept } Alan DeKok.