Wed Dec 5 14:17:28 CET 2007

Hi Alan,
thanks for the immediate reply.

 >   I presume you're using the OpenBSD PAM RADIUS module?

No, I installed freeradius-ldap; no OpenBSD PAM RADIUS module that I knew of.


Alan DeKok wrote:
> radius wrote:
>> we use RADIUS authentication on this OpenBSD server as a workaround,
>> because for OpenBSD no pam-(ldap) is available. Here, all users, mail,
>> ftp, yni are authenticated against OpenLDAP using various authentication
>> methods (pam-ldap, pure ldap, courier-authlib with ldap, pure-ftpd with
>> ldap, ...).
>   I presume you're using the OpenBSD PAM RADIUS module?
>> the radius authentication works fine, as far as password checking is
>> concerned. The following radius-daemon output shows the login of a user
>> cvs into the system.
> ...
>> Sending Access-Accept of id 154 to port 27572
>> Finished request 1
>   The reply is empty.  So the user is allowed in, but with no configuration.
>> BUT when this user is logged in, it has the following parameters:
>> cvs@myhost -> id
>> uid=10001(cvs) gid=102(users) groups=102(users)
>> cvs@myhost ->
>> all these id-parameters are from the local /etc/master.passwd file and
>> not from the ldap directory.
>   Did you tell OpenBSD to look in the LDAP directory for that
> configuration?  If not, did you tell FreeRADIUS to look in LDAP for that
> configuration *and* return it in the Access-Accept?  And even if
> FreeRADIUS returns that configuration in the Access-Accept, you have to
> check that the OpenBSD PAM RADIUS module supports those attributes.
>   See the OpenBSD PAM RADIUS documentation for how to configure it.
>> instead of (when logging in to the user cvs on a different server) I get
>> the following (correct) id-parameters
>> cvs@yourhost ~> id
>> uid=1067(cvs) gid=100(users) groups=100(users),503(release2)
>> cvs@yourhost ~>
>   So... look at the configuration for that system to see what it's doing.
>> when I check the ldap-host log, I see that not even an attempt is made
>> to request session parameters from the ldap server.
>   Yes... the FreeRADIUS debug log shows this, too.
>> what do I need to change, and where?
>   Look at the configuration for the working machine, and copy it to the
> machine that doesn't work.
>   Alan DeKok.

