ntlm remotely ? - too much to...
me at mikeely.org
Fri Jun 17 17:56:39 CEST 2016
On 06/17/2016 06:43 AM, Alan DeKok wrote:
>> On Jun 17, 2016, at 9:29 AM, lejeczek via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> ... ask of a radius server? To authenticate with a non-local, a remote ntlm/winbind? Too much?
> Don't use PAM. It's intended for applications to do user authentication... once.
> Maybe they've fixed it, but PAM used to leak memory like crazy when FreeRADIUS used it for repeated authentication.
> And whatever PAM can do for authentication... FreeRADIUS can do better. And simpler. And more controlled.
> PAM stands for "pluggable authentication modules". Well, FreeRADIUS is an authentication server. And FreeRADIUS has pluggable modules. And FreeRADIUS has "unlang", and a configuration which is infinitely more flexible than PAM.
> The only reason to use PAM is when you need to use a proprietary authentication plugin that is only supplied via PAM. And even then, it's only good for PAP authentication.
> PAM doesn't do CHAP, MS-CHAP, EAP, or any other authentication method.
> Don't use PAM.
I think you were answering my thread, based on context. I'm not sold on
PAM, just surprised and slightly frustrated at the fact that (as of my
Googling thus far) there doesn't appear to be a Perl module capable of
handling MS-CHAP authentication (on the NAS side - we're already using
rlm_perl to good effect on the radius server). I've got winbind running
over PAP from the wiki example, and that'll just have to do for now.