PAM authentication and groups

Diego Woitasen diegows at gmail.com
Fri Sep 21 16:02:11 CEST 2007


2007/9/19, tnt at kalik.co.yu <tnt at kalik.co.yu>:
> Groups are a part of authorization so there is no conflict with any
> authentication method. You can use ldap (Ldap-Group), sql(Sql-Group),
> unix (Group) ...
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 19/9/2007, "Diego Woitasen" <diegows at gmail.com> wrote:
>
> >2007/9/19, Alan DeKok <aland at deployingradius.com>:
> >> Diego Woitasen wrote:
> >> > That entry/configuration.... I read the FAQ and I can't see anything
> >> > interesting. The question is, does radius use nsswitch to check group
> >> > membership using PAM authentication?
> >>
> >>   Q: Hi I tried to do stuff, but it didn't work.  Why?
> >>   A: WTF?
> >>
> >>   It's difficult to help you if you don't say what you expected to
> >> happen, AND what actually happened.
> >>
> >>   It's frustrating to have people post configurations and ask "why
> >> doesn't this work?"  The documentation and FAQ cover how to ask
> >> questions on the list, and what information we need to help you.
> >>
> >>   Alan DeKok.
> >> -
> >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >>
> >
> >I think the question is simple to give more detail. I rewrite the question:
> >
> >Can I use PAM for authentication and LDAP for group checking? or PAM
> >for authentication and group checking with nsswitch?
> >
> >
> >
> >
> >
> >--
> >-------------------
> >Diego Woitasen
> >-------------------

OK. I have enabled LDAP in the authorize and authentication sections. If I
set Ldap-Group == "xxx" in a users file entry, radiusd only tries
LDAP authentication, and not PAM (I saw this with radiusd -f -X).

With the following entry, radiusd tries LDAP for authentication and authorization:

DEFAULT Ldap-Group == "xnetadmin"
        Service-Type = Login-User,
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = 0

With this, PAM authentication is working fine, but I haven't got LDAP
authorization, obviously:

DEFAULT Auth-type = PAM
        Service-Type = Login-User,
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = 0

And finally, this doesn't work either:

DEFAULT Auth-type = PAM, Ldap-Group == "xnetadmin"
        Service-Type = Login-User,
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = 0

I can't find where the trick is. The documentation doesn't say
anything about this kind of configuration, or I can't find it.

regards,
    diegows



-- 
-------------------
Diego Woitasen
-------------------



