AW: [EXTERNAL]: Re: FreeRADIUS / pam_radius

[Senouci Briksi, Djelloul]

-----Ursprüngliche Nachricht-----
Von: Freeradius-Devel <freeradius-devel-bounces+djelloul.briksi=wabtec.com at lists.freeradius.org> Im Auftrag von Alan DeKok
Gesendet: 16 February 2022 16:27
An: FreeRadius developers mailing list <freeradius-devel at lists.freeradius.org>
Betreff: Re: [EXTERNAL]: Re: FreeRADIUS / pam_radius

On Feb 16, 2022, at 9:57 AM, Senouci Briksi, Djelloul <djelloul.briksi at wabtec.com> wrote:
>
> Freeradius server is configured with ldap, which holds users and their roles.
> A role is e.g. 'admin' (who can do everything) or 'view' (who can only view/access some pages) or whatever.

  OK...

> The client (in our case witty-browser) knows how to react depending on user/role.

  The browser isn't running pam_radius though.  The web server is.  So why not just send RADIUS packets from the web server?  That way you have complete control over everything.

>> yes the web server is running pam_radius.
What do you mean with 'sending RADIUS packets'?
The web server is a pam_appl, and knows functions like pam_start, pam_authenticate.
Do you mean such functions?


  Or, have the web server to dote LDAP queries directly.  You don't need RADIUS here.

>> The web_server does not have access to ldap, but only to radius.

> We had the idea to transmit/propagate the role as a Reply-Message to the client.
> The client will get this information over conversation callback method.

  Only if the web server expects to see this, and implements the PAM conversation portion.

>> yes, the web server implements the PAM conversation portion. The web server is a pam_appl.

  I really don't think that this will work.  You're cobbling together solutions which aren't intended to do what you're doing.  And not surprisingly, finding that it doesn't really work.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See https://urldefense.com/v3/__http://www.freeradius.org/list/devel.html__;!!NUSCbv4_!GS0wunVbadn9Hplycan3RRCAxbKRH_RiZD2hfIgguTr6jKYYbUhfJTAJ-snvtneEcLofeA$
This email and any attachments are only for use by the intended recipient(s) and may contain legally privileged, confidential, proprietary or otherwise private information. Any unauthorized use, reproduction, dissemination, distribution or other disclosure of the contents of this e-mail or its attachments is strictly prohibited. If you have received this email in error, please notify the sender immediately and delete the original. Neither this information block, the typed name of the sender, nor anything else in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.