Mixing pam and ldap
Alan DeKok
aland at deployingradius.com
Fri Sep 21 16:17:00 CEST 2018
On Sep 21, 2018, at 9:58 AM, Douglas Hammond <wizhippo at gmail.com> wrote:
>
> Using freeradius 3 I have pam working well. I use pam to authenticate
> against winbind and google-authenticator.
>
> I now want to get the user groups from ldap as pam does not pass them along.
PAM only does authentication. And badly. It doesn't really do much else.
> I have ldap set up only in authorize. I see the user lookup performed
> and found but no group lookup is done. When is the group lookup
> performed?
When the LDAP module is run. If you configure it to do that.
> Can I mix ldap authorize with pam authenticate like this
> or is this not going to work?
It will work.
But TBH, PAM is terrible. Don't use it. You should be able to use winbind directly from FreeRADIUS. Google authenticator is a bit harder, but it should be possible.
> Is the ldap group lookup dependent on
> the user ldap authentication being successful?
No. The LDAP module doesn't do authentication. It does user authorization, in the "authorize" section.
Alan DeKok.
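
The split discussed in this thread, sketched as a FreeRADIUS 3 virtual-server fragment. This is an added example, not configuration from the original posts or from the FreeRADIUS project. The group name "vpn-users" is a placeholder, and the fragment assumes the ldap and pam modules are already enabled and working on their own.

```text
# raddb/sites-enabled/default (constructed fragment, FreeRADIUS 3.x)

authorize {
    # Run the LDAP module: it finds the user's entry in the directory.
    # No password check happens here.
    ldap

    # Comparing LDAP-Group is what makes the LDAP module check group
    # membership. Without a comparison like this, only the user lookup
    # appears in the debug output. The group { } settings in
    # mods-available/ldap must match where groups live in the directory.
    # "vpn-users" is a placeholder group name.
    if (!(LDAP-Group == "vpn-users")) {
        reject
    }

    # Hand credential verification to PAM (winbind and
    # google-authenticator, per the PAM stack described in the thread).
    update control {
        Auth-Type := pam
    }
}

authenticate {
    # Runs only when Auth-Type was set to pam above.
    Auth-Type pam {
        pam
    }
}
```

Running the server with `radiusd -X` shows the group search being issued at the point where the LDAP-Group comparison is evaluated, before PAM is called.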