use of pam and sql db simultaneously
Markus Krause
krause at biochem.mpg.de
Fri Dec 23 20:36:33 CET 2005
Quoting Alan DeKok <aland at ox.org>:
> Markus Krause <krause at biochem.mpg.de> wrote:
> > i would like to authenticate users via pam and sql.
>
> Huh? I don't know what that means. Usually if the user has a
> password, they have one password, which can be stored in one place.
> You don't need to use both PAM & SQL.
sorry for not writing in more detail what i am intending to do (i didn't want
you to have to read too much); reading my first email again now, there is not
much info in it :-( , so:
a cisco vpn concentrator is planned to be used to connect two groups of users to
parts of our network
1) our regular users with unix accounts -> pam
2) guests, which should get access only for some days -> sql
so the concentrator gets a username/password combination and asks the radius
server if they are valid
> > authenticate {
> > pam
> > }
>
> That guarantees that CHAP & MS-CHAP won't work.
actually i think i do not need them, but as i am still at the beginning with
freeradius i may be wrong here ... (corrections welcome! ;-)
> > users known by pam get access-accept, but those in sql don't,
>
> Because that's what you configured the server to do. The problem is
> that you forced ALL users to be authenticated via PAM, when it's not
> necessary.
that's how i (mis)understood the docu in
/usr/share/doc/packages/freeradius/rlm_pam where it says:
"Use Auth-Type = Pam in the users file."
if i do not enter this line in /etc/raddb/users no user at all in pam can be
authenticated.
> > what am i doing wrong here?
> > do these modules (rlm_pam and rlm_sql) exclude each other?
> Only if you configure them that way.
>
> > how can i use them simultaneously i.e. in parallel?
>
> Try this configuration. It should work. See
> doc/configurable_failover for details.
> [snipped config example]
thank you very much, this works exactly how i want it! (i just left out
pap/chap/mschap as i still assume that i do not need them) doing this via
failover did not come to my mind! (which now seems so obvious!)
> In summary, if you're not sure how to configure the server, DO NOT
> do massive edits to radiusd.conf. You'll almost definitely get it
> wrong. The default configuration is there for a reason: it works.
>
> Alan DeKok.
sorry, but i am still learning to work with freeradius and really appreciate all
info and corrections! what confused me was that rlm_ldap just returns notfound
if a user is not in the database (i am using this in another installation) and
rlm_pam returns reject. (or am i wrong again?)
thanks again for your help!
with best regards
markus
--
Markus Krause email: krause at biochem.mpg.de
Computing Center Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics Fax.: 089 - 89 40 85 98
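The configuration Alan sent is snipped from the archive. As an added illustration (not Alan's snipped config and not the FreeRADIUS project's own documentation) of the configurable-failover idea the thread settles on, the following FreeRADIUS 1.x-style radiusd.conf fragment lets rlm_sql handle guest accounts and rlm_pam handle Unix accounts without either module rejecting the other's users. It assumes the 1.x behaviour that rlm_sql returns "ok" when a user has check items in radcheck and "notfound" otherwise, that the users file still carries the `DEFAULT Auth-Type := Pam` line from the thread, and that a guest with only a User-Password check item is compared by the server core (the 1.x "Local" default) so no pap/chap/mschap entry is needed. The module names and section layout are standard; the return-code override on `sql` is the failover mechanism described in doc/configurable_failover.

```conf
# /etc/raddb/radiusd.conf (FreeRADIUS 1.x syntax), added example, assumption:
# guests live in the SQL radcheck table, regular users are Unix accounts.

authorize {
    preprocess

    # rlm_sql runs first.  If the user is found in radcheck it returns "ok";
    # the override below then returns from authorize immediately, so the
    # users-file DEFAULT entry never gets a chance to force Auth-Type = Pam
    # onto a guest.  If the user is NOT in the database rlm_sql returns
    # "notfound", which is not overridden, and processing simply continues
    # with the next module instead of rejecting the request.
    sql {
        ok = return
    }

    # Only reached for users absent from SQL.  /etc/raddb/users contains:
    #     DEFAULT Auth-Type := Pam
    # so every remaining user is sent to rlm_pam in the authenticate section.
    files
}

authenticate {
    # Guests: the User-Password check item from radcheck is compared by the
    # server core (assumed 1.x default when no Auth-Type is set).
    # Regular users: Auth-Type = Pam selects this module.
    pam
}
```

The security-relevant point is the direction of the failover: a user unknown to one backend must produce "notfound" (fall through), never "reject", or the second backend is never consulted. Verify the behaviour with `radtest` against one guest account and one Unix account while running `radiusd -X`, and confirm in the debug output that the guest request returns from `authorize` after `sql` and never reaches `pam`, while the Unix request shows `files` setting Auth-Type = Pam.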
More information about the Freeradius-Users mailing list