I am installing a new server running freeradius 2.0.5 to replace a server running 1.1.7. In our unique situation I have until now been using the rlm_unix module in multiple instances to read about 5 different passwd/shadow file combinations. This was fine until 2.05 were the ability to specify the path to those files has been removed. I know it is suppose to be replaced with the rlm_passwd module but was hoping there was an easier way. Mark Jones London Operations Managed Network Systems 171 Queens Ave Suite 515 London Ontario N6A 5J7 519-679-5207
Mark Jones wrote:
In our unique situation I have until now been using the rlm_unix module in multiple instances to read about 5 different passwd/shadow file combinations. This was fine until 2.05 were the ability to specify the path to those files has been removed. I know it is suppose to be replaced with the rlm_passwd module but was hoping there was an easier way.
"Easier"? Yes, it's work to configure the format for the "passwd" module, but that only has to be done once. After that, you can cut & paste it multiple times. Alan DeKok.
True enough but I am unclear as to how to do it with passwd and shadow file and groups file. Are there an example config that someone has I can see to get a better understanding of what I have to do? ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, September 05, 2008 1:28 AM Subject: Re: rlm_unix
Mark Jones wrote:
In our unique situation I have until now been using the rlm_unix module in multiple instances to read about 5 different passwd/shadow file combinations. This was fine until 2.05 were the ability to specify the path to those files has been removed. I know it is suppose to be replaced with the rlm_passwd module but was hoping there was an easier way.
"Easier"? Yes, it's work to configure the format for the "passwd" module, but that only has to be done once. After that, you can cut & paste it multiple times.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Internal Virus Database is out of date. Checked by AVG - http://www.avg.com Version: 8.0.169 / Virus Database: 270.6.11/1639 - Release Date: 8/28/2008 7:39 AM
Mark Jones wrote:
True enough but I am unclear as to how to do it with passwd and shadow file and groups file. Are there an example config that someone has I can see to get a better understanding of what I have to do?
raddb/modules/etc_group has a sample configuration for reading /etc/group. If there are no passwords in /etc/passwd, you don't need to read that. The format for etc/shadow should be straightforward. See the etc_group example, and the documentation for the "passwd" module. Alan DeKok.
Was there any particular reason to remove the ability to specify what passwd and shadow file to use with the unix module? As the way the passwd module is processed I cannot get the same functionality that I currently have under 1.1.x. Unless I misunderstand. the unix module can me used in the authenticate section where the passwd module can only be used in the authorize section. ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, September 05, 2008 10:21 AM Subject: Re: rlm_unix
Mark Jones wrote:
True enough but I am unclear as to how to do it with passwd and shadow file and groups file. Are there an example config that someone has I can see to get a better understanding of what I have to do?
raddb/modules/etc_group has a sample configuration for reading /etc/group.
If there are no passwords in /etc/passwd, you don't need to read that.
The format for etc/shadow should be straightforward. See the etc_group example, and the documentation for the "passwd" module.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Internal Virus Database is out of date. Checked by AVG - http://www.avg.com Version: 8.0.169 / Virus Database: 270.6.11/1639 - Release Date: 8/28/2008 7:39 AM
Mark Jones wrote:
Was there any particular reason to remove the ability to specify what passwd and shadow file to use with the unix module?
It didn't work on some systems, and it duplicated the functionality of the "passwd" module.
Unless I misunderstand. the unix module can me used in the authenticate section where the passwd module can only be used in the authorize section.
Exactly. The "passwd" module is essentially a simple database. Databases don't do authentication. You're probably forcing Auth-Type to each of the individual unix modules in 1.1.x. In 2.x, you don't need to do this. Just list the various "passwd" modules in the "authorize" section, and be sure that the "pap" module is listed last. Then, the server will figure it out. You can even do that in 1.1.4 or later. Just ensure that "pap" is listed last in "authorize", that it's also in "authenticate". Then, delete of the places where you set Auth-Type to the various unix modules. And in 2.x, the "authenticate" method has been removed from the "unix" module. So don't use "unix" for authentication. Use pap. Alan DeKok.
participants (2)
-
Alan DeKok -
Mark Jones