hello list, i would like to authenticate users via pam and sql. part of my radiusd.conf (freeradius 1.0.5 on sles 9) is: +++++ part of radiusd.conf instantiate { } authorize { preprocess files sql shorttermaccount } authenticate { pam } preacct { preprocess acct_unique files } accounting { detail radutmp sql } ------- part of radiusd.conf if i have the following line in /etc/raddb/users: ++++++ users Auth-Type = PAM Fail-Through = Yes ------ users users known by pam get access-accept, but those in sql don't, the debug output says: ++++++ radiusd -XA Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:32768, id=144, length=59 User-Name = "sqluser" User-Password = "XXXXXX" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 users: Matched entry DEFAULT at line 3 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'sqluser' rlm_sql (sql): sql_set_user escaped user --> 'sqluser' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'sqluser' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'sqluser' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'sqluser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'sqluser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'sqluser' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'sqluser' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'sqluser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'sqluser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair modcall[authorize]: module "shorttermaccount" returns noop for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type PAM auth: type "PAM" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 pam_pass: using pamauth string <radiusd> for pam.conf lookup pam_pass: function pam_authenticate FAILED for <sqluser>. Reason: User not known to the underlying authentication module modcall[authenticate]: module "pam" returns reject for request 0 modcall: group authenticate returns reject for request 0 auth: Failed to validate the user. Login incorrect: [sqluser] (from client localhost port 1) Delaying request 0 for 1 seconds Finished request 0 ----- radiusd -XA if i delete the line "DEFAULT Auth-Type = Pam" (and Fall-Through = Yes) the users in sql get an access-accept answer. what am i doing wrong here? do theses modules (rlm_pam and rlm_sql) exclude each other? how can i use them simultaneously i.e. in parallel? thanks in advance for any hints! and merry x-mas everyone! :-) regards, markus -- Markus Krause email: krause@biochem.mpg.de Computing Center Tel.: 089 - 89 40 85 99 Group Lottspeich / Proteomics Fax.: 089 - 89 40 85 98 --------------------------------------------------------------------- This message was sent using https://webmail.biochem.mpg.de If you encounter any problems please report to rz-linux@biochem.mpg.de
Markus Krause <krause@biochem.mpg.de> wrote:
i would like to authenticate users via pam and sql.
Huh? I don't know what that means. Usually if the user has a password, they have one password, which can be stored in one place. You don't need to use both PAM & SQL.
authenticate { pam }
That guarantees that CHAP & MS-CHAP won't work.
users known by pam get access-accept, but those in sql don't,
Because that's what you configured the server to do. The problem is that you forced ALL users to be authenticated via PAM, when it's not necessary.
what am i doing wrong here? do theses modules (rlm_pam and rlm_sql) exclude each other?
Only if you configure them that way.
how can i use them simultaneously i.e. in parallel?
Try this configuration. It should work. See doc/configurable_failover for details. authorize { preprocess chap group { sql { ok = return } files } shorttermaccount } authenticate { pam pap chap mschap } In summary, if you're not sure how to configure the server, DO NOT do massive edits to radiusd.conf. You'll almost definitely get it wrong. The default configuration is there for a reason: it works. Alan DeKok.
Zitat von Alan DeKok <aland@ox.org>:
> Markus Krause <krause@biochem.mpg.de> wrote:
> > i would like to authenticate users via pam and sql.
>
> Huh? I don't know what that means. Usually if the user has a
> password, they have one password, which can be stored in one place.
> You don't need to use both PAM & SQL.
sorry for not writing in more details what i am intending to do (i didn't want
you to have to read too much), reading my first email now again there is not
much info :-( ,so:
a cisco vpn concentrator is planned to be used to connect two groups of users to
parts of our network
1) our regular users with unix accounts -> pam
2) guests, which should get access only for some days -> sql
so the concentrator gets a username/password combination and asks the radius
server if they are valid
> > authenticate {
> > pam
> > }
>
> That guarantees that CHAP & MS-CHAP won't work.
actually i think i do not need them, but as i am still at the beginning with
freeradius i may be wrong here ... (corrections welcome! ;-)
> > users known by pam get access-accept, but those in sql don't,
>
> Because that's what you configured the server to do. The problem is
> that you forced ALL users to be authenticated via PAM, when it's not
> necessary.
that's how i (mis)understood the docu in
/usr/share/doc/packages/freeradius/rlm_pam where it says:
"Use Auth-Type = Pam in the users file."
if i do not enter this line in /etc/raddb/users no user at all in pam can be
authenticated.
> > what am i doing wrong here?
> > do theses modules (rlm_pam and rlm_sql) exclude each other?
> Only if you configure them that way.
>
> > how can i use them simultaneously i.e. in parallel?
>
> Try this configuration. It should work. See
> doc/configurable_failover for details.
> [snipped config example]
thank you very much, this works exactly how i want it! (i just left out
pap/chap/mschap as i still asume that i do not need them) to do this via
failover did not came to my mind! (which now seems so obvious!)
> In summary, if you're not sure how to configure the server, DO NOT
> do massive edits to radiusd.conf. You'll almost definitely get it
> wrong. The default configuration is there for a reason: it works.
>
> Alan DeKok.
sorry, but i am still learning to work with freeradius and really appreciate all
info and corrections! what confused me was that rlm_ldap just returns notfound
if a user is not in the database (i am using this in another installation) and
rlm_pam returns reject. (or am i wrong again?)
thanks again for your help!
with best regards
markus
--
Markus Krause email: krause@biochem.mpg.de
Computing Center Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics Fax.: 089 - 89 40 85 98
---------------------------------------------------------------------
This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to rz-linux@biochem.mpg.de
participants (2)
-
Alan DeKok -
Markus Krause