Re: [EXTERNAL]: Re: FreeRADIUS / pam_radius

Senouci Briksi, Djelloul djelloul.briksi at wabtec.com
Thu Feb 17 13:56:14 UTC 2022


Ok.
We will take your advice into consideration and I will get in touch with our security guy.
Thank you for your time.

Djelloul Briksi

-----Original Message-----
From: Freeradius-Devel <freeradius-devel-bounces+djelloul.briksi=wabtec.com at lists.freeradius.org> on behalf of Alan DeKok
Sent: 17 February 2022 14:37
To: FreeRadius developers mailing list <freeradius-devel at lists.freeradius.org>
Subject: Re: [EXTERNAL]: Re: FreeRADIUS / pam_radius

On Feb 17, 2022, at 1:38 AM, Senouci Briksi, Djelloul <djelloul.briksi at wabtec.com> wrote:
>>> yes the web server is running pam_radius.
> What do you mean with 'sending RADIUS packets'?

  The web server can send RADIUS packets itself.

> The web server is a pam_appl, and knows functions like pam_start, pam_authenticate.
> Do you mean such functions?

  No.  If I had meant "PAM", I would have said "PAM".

>>> The web_server does not have access to ldap, but only to radius.

  Fix that.  Don't use PAM.  You don't need RADIUS.

>>> yes, the web server implements the PAM conversation portion. The web server is a pam_appl.

  You're very careful to not say what web server you're using.  I don't know why.

  The correct solution here is to have the web server contact LDAP directly.  Using PAM + RADIUS to get to LDAP is just wrong.

  You have the source code to the pam_radius module.  So if you insist on using it, you can modify the source to do what you want.

  But my prediction is that even if you get that done, the web server will ignore the Reply-Message.  Because it needs changing, too.  So you'll have to modify the web server source, too.

  All of this is a waste of time.  Have the web server contact LDAP directly.  If there's some kind of "security policy" preventing that, the policy is stupid.  Change the policy.

 Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

