Re: FreeRADIUS / pam_radius

Alan DeKok aland at deployingradius.com
Thu Feb 17 13:37:25 UTC 2022

On Feb 17, 2022, at 1:38 AM, Senouci Briksi, Djelloul <djelloul.briksi at wabtec.com> wrote:
>>> yes the web server is running pam_radius.
> What do you mean with 'sending RADIUS packets'?

  The web server can send RADIUS packets itself.

> The web server is a pam_appl, and knows functions like pam_start, pam_authenticate.
> Do you mean such functions?

  No.  If I had meant "PAM", I would have said "PAM".

>>> The web_server does not have access to ldap, but only to radius.

  Fix that.  Don't use PAM.  You don't need RADIUS.

>>> yes, the web server implements the PAM conversation portion. The web server is a pam_appl.

  You're very careful to not say what web server you're using.  I don't know why.

  The correct solution here is to have the web server contact LDAP directly.  Using PAM + RADIUS to get to LDAP is just wrong.

  You have the source code to the pam_radius module.  So if you insist on using it, you can modify the source to do what you want.

  But my prediction is that even if you get that done, the web server will ignore the Reply-Message.  Because it needs changing, too.  So you'll have to modify the web server source, too.

  All of this is a waste of time.  Have the web server contact LDAP directly.  If there's some kind of "security policy" preventing that, the policy is stupid.  Change the policy.

 Alan DeKok.
