Linux groups information from RADIUS server
My understanding is that, when a Linux server delegates authentication chores (via PAM) to a RADIUS server, the information having to do with the groups that the authenticated user belongs to is retrieved either locally - from the relevant entry in /etc/passwd - or from a remote server via NSS - for example, from an LDAP server. Is there anything preventing one from getting the group information from the RADIUS server itself? The RADIUS server could be configured so that, when a user has been successfully authenticated by said server, this server would send back the authentication OK RADIUS message together with one or more attributes containing the groups information. The reason I am asking this is because I have interacted with some devices in the past that were able to get these data from a RADIUS server alone. However, I don't know if this was achieved with the concourse of a mechanism similar to what I described, or something totally different.
On Apr 22, 2019, at 5:10 PM, JCA <1.41421@gmail.com> wrote:
My understanding is that, when a Linux server delegates authentication chores (via PAM) to a RADIUS server, the information having to do with the groups that the authenticated user belongs to is retrieved either locally - from the relevant entry in /etc/passwd - or from a remote server via NSS - for example, from an LDAP server.
Yes. PAM does authentication. NSS does everything else.
Is there anything preventing one from getting the group information from the RADIUS server itself?
There is no NSS radius module, and there is no standard way to get UID / GID / etc. data via RADIUS.
The RADIUS server could be configured so that, when a user has been successfully authenticated by said server, this server would send back the authentication OK RADIUS message together with one or more attributes containing the groups information.
The reason I am asking this is because I have interacted with some devices in the past that were able to get these data from a RADIUS server alone. However, I don't know if this was achieved with the concourse of a mechanism similar to what I described, or something totally different.
Nothing implements this. Nothing *prevents* it from being implemented, but nothing implements it. Alan DeKok.
participants (2)
-
Alan DeKok -
JCA