Checkval weird issue with LDAP backend and PAM authentication
Marco Carcano
marco at marcolinux.it
Thu Nov 25 22:24:04 CET 2010
Hi John,

Thank you very much for the reply - I hadn't noticed that a
freeradius2 rpm package exists.

I tried it, and after a lot of rearranging of the config files -
freeradius2 splits radiusd.conf up a lot - I got it working.

But I have to point out one thing, which I hope you - Red Hat - will
fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in the CentOS
package).

This is the content of the original file:

    #%PAM-1.0
    auth include password-auth
    account required pam_nologin.so
    account include password-auth
    password include password-auth
    session include password-auth

It is wrong: it causes PAM auth to fail with a really strange error:

    pam_pass: using pamauth string <radiusd> for pam.conf lookup
    pam_pass: function pam_authenticate FAILED for <testuser>. Reason: Module is unknown
    ++[pam] returns reject
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}

This error caused me a little headache because initially I thought it
was a misconfiguration of freeradius on my part.

The fix is to replace the contents of /etc/pam.d/radiusd with:

    #%PAM-1.0
    auth include system-auth
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    session include system-auth

PAM is useful in situations like my Easy Configuration Kit - ECK:
I built an AAA system that relies on Freeradius, which does Accounting in
MySQL, Authorization with OpenLDAP and Authentication by Kerberos -
the LDAP directory is Kerberized. I think that PAM and SASL are a
good way to accomplish this - in ECK it works.

Maybe you already know about this issue - I hope this post can help
anybody who gets this strange error, until the package gets fixed.

As for my checkval issue ... I have not been able to fix it! I tried
to learn unlang, but the only thing I have in my head now is a lot of
confusion ... but I'll answer Alan's reply directly in order not to
post the same message twice.

Thank you again, you have put me on the right path.

Marco Carcano

On 23 Nov 2010, at 16:25, John Dennis wrote:
> On 11/23/2010 08:33 AM, Alan DeKok wrote:
>> marco wrote:
>>> Sorry Alan
>>>
>>> I hadn't realized that the logs had become garbage :O( - maybe a
>>> webmail-related issue of my ISP.
>>> Now I Bcc myself to see how it appears to recipients
>>>
>>> I tried "man unlang" but got no manual entry - I'm using
>>> Freeradius packaged for CentOS - I'll have a look at
>>> http://freeradius.org/radiusd/man/unlang.html , I think it is the same.
>>
>> <shrug> Upgrade to 2.1.10. You're using a very old version of the
>> server.
>
> The 2.x versions of FreeRADIUS on CentOS are under the package name
> freeradius2, not freeradius.
>
> --
> John Dennis <jdennis at redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
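
The fix in the message above swaps the include target password-auth for system-auth in /etc/pam.d/radiusd. As an added example (not part of the original post, and not code from the FreeRADIUS or Red Hat packages), this shell function lists the include/substack targets of a PAM service file that have no matching file in the PAM directory. It assumes, which the post does not state, that the failure came from an include target absent on that system; the function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report include/substack targets of a PAM service file that
# have no corresponding file in the PAM configuration directory.
# Assumption (not stated in the post): the packaged file failed because its
# include target was absent on that system.

# Usage: pam_missing_includes SERVICE_FILE [PAM_DIR]
# Prints each missing target once; returns 1 if any target is missing.
pam_missing_includes() {
    svc=$1
    dir=${2:-/etc/pam.d}
    missing=$(
        # Drop comments, then take the target of "<type> include <target>",
        # "<type> substack <target>" and the "@include <target>" form.
        sed 's/#.*//' "$svc" | awk '
            $1 == "@include"                    { print $2 }
            $2 == "include" || $2 == "substack" { print $3 }
        ' | sort -u | while read -r target; do
            [ -n "$target" ] || continue
            case $target in
                /*) path=$target ;;        # absolute path given
                *)  path=$dir/$target ;;   # name relative to the PAM directory
            esac
            [ -e "$path" ] || printf '%s\n' "$target"
        done
    )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: the packaged service file from the post, checked against
# a scratch directory that only provides system-auth.
demo=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth include password-auth' \
    'account required pam_nologin.so' 'account include password-auth' \
    'password include password-auth' 'session include password-auth' \
    > "$demo/radiusd"
: > "$demo/system-auth"
if ! pam_missing_includes "$demo/radiusd" "$demo"; then
    echo "radiusd: the include targets listed above are missing" >&2
fi
rm -rf "$demo"
```

Run against the live directory as `pam_missing_includes /etc/pam.d/radiusd` after installing or upgrading the package, before testing authentication through radiusd.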