Authenticate users against the passwd module?
Scott Lambert
lambert at lambertfam.org
Tue Sep 19 11:11:18 CEST 2006
I am trying to get the ability to authenticate users from a few
different password databases on the same server. To that end, I have
users in the FreeBSD system password database as well as in a Linux
style shadow passwd file.
From a stock FreeRADIUS 1.1.2 radius.conf file I have done:
modules {
...
+ passwd myshadow {
+ filename = /home/lambert/shadow.txt
+ format = "*User-Name:Crypt-Password::Group:::::"
+ # have also tried:
+ format = "*User-Name:User-Password::Group:::::"
+ # and supplied the crypted password as the users password
+ hashsize = 100
+ authtype = PAP # have tried with and without
+ # ignorenislike = no
+ # allowmultiplekeys = no
+ }
...
}
authorization {
...
# Read the 'users' file
files
+ myshadow
#
# Look in an SQL database. The schema of the database
...
}
authentication {
...
+ Auth-Type any_is_ok {
+ myshadow {
+ reject = 1
+ notfound = 2
+ ok = return
+ }
+ unix
+ }
- unix
...
}
I've tried to make simpler changes to the authentication section such as
just adding "myshadow" on the line above the original "unix" entry. But
the above is where I think I want to be. I got the above format from a
suggestion which used multiple LDAP instances.
The FreeBSD system users are able to authenticate.
If I try to list my linux style shadow passwd file module "myshadow" in
the authenticate{} section of radius.conf, radiusd -X bombs out with:
...
Module: Instantiated mschap (mschap)
Module: Loaded passwd
passwd: filename = "/home/lambert/shadow.txt"
passwd: format = "*User-Name:Crypt-Password::Group:::::"
passwd: authtype = "PAP"
passwd: delimiter = ":"
passwd: ignorenislike = yes
passwd: ignoreempty = yes
passwd: allowmultiplekeys = no
passwd: hashsize = 100
rlm_passwd: nfields: 9 keyfield 0(User-Name) listable: no
Module: Instantiated passwd (myshadow)
radiusd.conf: "passwd" modules aren't allowed in 'authenticate' sections -- they have no such method.
radiusd.conf[1919] Failed to parse "myshadow" subsection.
Maybe that's a bug in 1.1.2? I haven't tried 1.1.3 just yet. I'm
trying to make the version in the FreeBSD ports collection work before
I venture out on my own. If I have to go to 1.1.3, it won't break my
heart.
If I remove the "myshadow" reference from the authenticate{} section, the
"myshadow" users are denied:
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 1
rlm_passwd: Added User-Password: 'sFE*/CZQF8saE' to config_items
rlm_passwd: Added Group: '0' to config_items
rlm_passwd: Adding "Auth-Type = PAP"
modcall[authorize]: module "myshadow" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
modcall[authenticate]: module "unix" returns notfound for request 1
modcall: leaving group authenticate (returns notfound) for request 1
auth: Failed to validate the user.
I get the feeling that I don't understand how the rlm_passwd module is
supposed to be used. I've read docs/rlm_passwd and most, if not all, of
the other stuff in the docs directory. I'm just missing something.
--
Scott Lambert KC5MLE Unix SysAdmin
lambert at lambertfam.org
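Added example, not part of the original post or of FreeRADIUS: a small Python model of what rlm_passwd does with the format string from the radiusd.conf above. It reads a shadow-style line, indexes it by the `*` key field and returns the control items the module would add in authorize (the "Added ... to config_items" lines in the debug output), and it has no authenticate step at all, which is why listing it in authenticate{} is rejected. The sample file contents and the field-name handling are constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not the poster's real file), laid out for the
# format "*User-Name:Crypt-Password::Group:::::" used in the radiusd.conf above.
SHADOW_TEXT = """\
scott:sFE*/CZQF8saE::0:::::
alice:$1$saltsalt$constructedhash::100:::::
"""

def parse_format(fmt: str, delimiter: str = ":") -> Tuple[int, List[str]]:
    """Split an rlm_passwd format string into (key field index, field names).
    '*' marks the key field; an empty name means that column is ignored."""
    names = fmt.split(delimiter)
    keys = [i for i, n in enumerate(names) if n.startswith("*")]
    if len(keys) != 1:
        raise ValueError("this model needs exactly one '*' key field")
    names[keys[0]] = names[keys[0]][1:]
    return keys[0], names

def load_passwd(text: str, fmt: str, delimiter: str = ":") -> Dict[str, List[str]]:
    """Index the file by key, as rlm_passwd does at startup.
    With allowmultiplekeys = no only the first line for a key is kept."""
    key_index, names = parse_format(fmt, delimiter)
    table: Dict[str, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(delimiter)
        if len(fields) != len(names):
            raise ValueError(f"line {lineno}: expected {len(names)} fields, got {len(fields)}")
        table.setdefault(fields[key_index], fields)
    return table

def authorize(text: str, fmt: str, user_name: str,
              authtype: Optional[str] = None, ignoreempty: bool = True) -> Optional[Dict[str, str]]:
    """Model of the authorize step only: return the control items rlm_passwd
    would add for User-Name, or None when the user is not in the file.
    Nothing here checks a password; that is the Auth-Type module's job, so
    keep the hash under Crypt-Password rather than User-Password so rlm_pap
    compares it with crypt(3) instead of as a clear-text value."""
    key_index, names = parse_format(fmt)
    fields = load_passwd(text, fmt).get(user_name)
    if fields is None:
        return None
    items: Dict[str, str] = {}
    for i, (name, value) in enumerate(zip(names, fields)):
        if i == key_index or not name or (ignoreempty and value == ""):
            continue  # key field, unnamed column, or empty value (ignoreempty = yes)
        items[name] = value
    if authtype:
        items["Auth-Type"] = authtype  # the "Adding Auth-Type = PAP" line
    return items
```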