Wed Feb 16 15:26:30 UTC 2022

On Feb 16, 2022, at 9:57 AM, Senouci Briksi, Djelloul <djelloul.briksi at wabtec.com> wrote:
> Freeradius server is configured with ldap, which holds users and their roles.
> A role is e.g. 'admin' (who can do everything) or 'view' (who can only view/access some pages) or whatever.


> The client (in our case witty-browser) knows how to react depending on user/role.

  The browser isn't running pam_radius though.  The web server is.  So why not just send RADIUS packets from the web server?  That way you have complete control over everything.

  Or, have the web server do the LDAP queries directly.  You don't need RADIUS here.

> We had the idea to transmit/propagate the role as a Reply-Message to the client.
> The client will get this information over conversation callback method.

  Only if the web server expects to see this, and implements the PAM conversation portion.

  I really don't think that this will work.  You're cobbling together solutions which aren't intended to do what you're doing.  And not surprisingly, finding that it doesn't really work.

  Alan DeKok.
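Alan's first suggestion, the web server acting as a RADIUS client itself and reading the role out of the Access-Accept, as an added example that is not part of this thread or of FreeRADIUS: a minimal RFC 2865 Access-Request builder and reply parser in pure Python, using a constructed shared secret and a locally constructed Access-Accept so it runs offline. The parser checks the Response Authenticator before it trusts the Reply-Message, which is the check a web server must make before it acts on a role carried that way.

```python
import hashlib
import os
import struct

SECRET = b"example-secret"  # constructed, hypothetical shared secret for the demo
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18

def attr(kind, value):
    # RFC 2865 attribute: type (1 byte), length (1 byte, header included), value
    return struct.pack("!BB", kind, len(value) + 2) + value

def encode_password(password, authenticator, secret=SECRET):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret=SECRET):
    # Returns (packet, request_authenticator); keep the authenticator to verify the reply
    ra = os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, encode_password(password.encode(), ra, secret))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra

def build_access_accept(ident, request_authenticator, reply_message, secret=SECRET):
    # Constructed server reply, present only so the example runs without a RADIUS server
    attrs = attr(REPLY_MESSAGE, reply_message.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def parse_reply(packet, request_authenticator, secret=SECRET):
    # Verify the Response Authenticator (RFC 2865 section 3) BEFORE trusting any attribute
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if length != len(packet) or expected != packet[4:20]:
        raise ValueError("reply failed authenticator check; do not trust its attributes")
    reply_message, pos = None, 0
    while pos < len(attrs):
        kind, ln = attrs[pos], attrs[pos + 1]
        if ln < 2 or pos + ln > len(attrs):
            raise ValueError("malformed attribute")
        if kind == REPLY_MESSAGE:
            reply_message = attrs[pos + 2:pos + ln].decode()
        pos += ln
    return {"code": code, "id": ident, "reply_message": reply_message}
```

A real deployment sends the request over UDP to the server and matches the reply by identifier; Reply-Message is free text, so the role string format is a private convention between the server configuration and the web application.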

