Checkval weird issue with LDAP backend and PAM authentication

Marco Carcano marco at marcolinux.it
Thu Nov 25 22:24:04 CET 2010


Hi John

thank you very much for the reply - I hadn't noticed that a
freeradius2 rpm package exists

I tried, and after a lot of rearrangement of the config files -
freeradius2 splits radiusd.conf up a lot - I got it working

but I have to point out this thing, which I hope you - Red Hat - will
fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in the CentOS
package):

This is the content of the original file:

#%PAM-1.0
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

It is wrong: it causes PAM auth to fail with a really strange error:

pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <testuser>. Reason:
Module is unknown
++[pam] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

This error caused me a little headache because initially I thought it
was a misconfiguration of FreeRADIUS on my part.

The fix is to replace the contents of /etc/pam.d/radiusd with:

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth

PAM is useful in situations like my Easy Configuration Kit (ECK):
I built an AAA system that relies on FreeRADIUS doing accounting in
MySQL, authorization with OpenLDAP and authentication by Kerberos -
the LDAP directory is Kerberized. I think that PAM and SASL are a
good way to accomplish this - in ECK it works.

Maybe you already know about this issue - I hope this post can help
anybody who gets this strange error, until the package gets fixed.

As for my checkval issue, .... I have not been able to fix it! I tried
to learn unlang, but the only thing I have now in my head is a lot of
confusion, ... but I'll answer directly to Alan's reply in order not to
post the same message twice.

Thank you again, you put me on the right track.

Marco Carcano



On 23 Nov 2010, at 16:25, John Dennis wrote:

> On 11/23/2010 08:33 AM, Alan DeKok wrote:
>> marco wrote:
>>> Sorry Alan
>>>
>>> I hadn't realized that the logs had become garbage :O( - maybe a
>>> webmail-related issue of my ISP.
>>> Now I Bcc myself to see how it appears to recipients.
>>>
>>> I tried "man unlang" but got no manual entry - I'm using
>>> FreeRADIUS packaged for CentOS - I'll take a look at http://freeradius.org/radiusd/man/unlang.html
>>> , I think it is the same.
>>
>>   <shrug>   Upgrade to 2.1.10.  You're using a very old version of
>> the server.
>
> The 2.x versions of FreeRADIUS on CentOS are under the package name
> freeradius2, not freeradius.
>
> -- 
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
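Added example, not part of Marco's message and not code from the FreeRADIUS or Red Hat packages: the post shows that replacing `password-auth` with `system-auth` in /etc/pam.d/radiusd makes the "Module is unknown" failure go away, but not why. One cheap thing to verify before suspecting the RADIUS configuration is whether every stack that a pam.d service file pulls in via `include` (or `substack`) actually exists in the pam.d directory; that a missing include target is the cause here is an assumption of this example, not something the thread establishes. The POSIX sh helper below parses a service file the way PAM does (type, control, module-or-target, arguments), reports each include target, and returns the number of missing ones. The fixture directory and its files are constructed from the two /etc/pam.d/radiusd variants quoted in the post.

```shell
#!/bin/sh
# Hypothetical checker (added example): verify that every stack named by an
# "include"/"substack" line in a pam.d service file exists in that pam.d dir.
#
# Usage on a live system:  pam_check_includes /etc/pam.d radiusd
# Prints one line per include/substack directive; the return status is the
# number of missing targets (0 = all present).
pam_check_includes() {
    dir=$1
    svc=$2
    file="$dir/$svc"
    [ -f "$file" ] || { echo "missing service file: $file" >&2; return 1; }
    missing=0
    # PAM config fields: type  control  module-or-target  [args...]
    # A control of "include" or "substack" names another file in the same dir.
    while read -r type control target rest; do
        case "$type" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$control" in
            include|substack)
                if [ -f "$dir/$target" ]; then
                    echo "ok       $svc: $type $control $target"
                else
                    echo "MISSING  $svc: $type $control $target (no $dir/$target)"
                    missing=$((missing + 1))
                fi ;;
        esac
    done < "$file"
    return "$missing"
}

# Build a throwaway pam.d directory (constructed fixture): system-auth exists,
# password-auth does not. Prints the directory path.
pam_make_fixture() {
    d=$(mktemp -d)
    cat > "$d/system-auth" <<'EOF'
#%PAM-1.0
auth       required     pam_unix.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_unix.so
EOF
    # the radiusd file the post reports as broken
    cat > "$d/radiusd.broken" <<'EOF'
#%PAM-1.0
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
EOF
    # the radiusd file the post reports as working
    cat > "$d/radiusd.fixed" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF
    echo "$d"
}

# Check both variants against the fixture and print a one-line summary last.
pam_demo() {
    d=$(pam_make_fixture)
    broken=0; pam_check_includes "$d" radiusd.broken || broken=$?
    fixed=0;  pam_check_includes "$d" radiusd.fixed  || fixed=$?
    rm -rf "$d"
    echo "broken=$broken fixed=$fixed"
}

if [ "${1:-}" = "demo" ]; then
    pam_demo
fi
```

Run it as `sh pam_check.sh demo` to see the four `MISSING` lines for the broken file and the `ok` lines for the fixed one; on a real host point `pam_check_includes` at /etc/pam.d and the service name. The checker deliberately stays with the `include`/`substack` controls only: a `required`/`sufficient` line names a module under /lib*/security, which is a different lookup and a different failure to diagnose.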
