use of pam and sql db simultaneously

Alan DeKok aland at ox.org
Fri Dec 23 18:29:40 CET 2005


Markus Krause <krause at biochem.mpg.de> wrote:
> I would like to authenticate users via pam and sql.

  Huh?  I don't know what that means.  Usually if the user has a
password, they have one password, which can be stored in one place.
You don't need to use both PAM & SQL.

> authenticate {
>         pam
> }

  That guarantees that CHAP & MS-CHAP won't work.

> users known by pam get access-accept, but those in sql don't,

  Because that's what you configured the server to do.  The problem is
that you forced ALL users to be authenticated via PAM, when it's not
necessary.

> What am I doing wrong here?
> Do these modules (rlm_pam and rlm_sql) exclude each other?

  Only if you configure them that way.

> How can I use them simultaneously, i.e. in parallel?

  Try this configuration.  It should work.  See
doc/configurable_failover for details.

authorize {
        preprocess
        chap
        group {
                sql {
                        ok = return
                }
                files
        }
        shorttermaccount
}

authenticate {
        pam
        pap
        chap
        mschap
}

  In summary, if you're not sure how to configure the server, DO NOT
do massive edits to radiusd.conf.  You'll almost definitely get it
wrong.  The default configuration is there for a reason: it works.

  Alan DeKok.




More information about the Freeradius-Users mailing list