Mixing pam and ldap

Alan DeKok aland at deployingradius.com
Fri Sep 21 16:17:00 CEST 2018

On Sep 21, 2018, at 9:58 AM, Douglas Hammond <wizhippo at gmail.com> wrote:
> Using FreeRADIUS 3 I have pam working well. I use pam to authenticate
> against winbind and google-authenticator.
> I now want to get the user groups from ldap as pam does not pass them along.

  PAM only does authentication.  And badly.  It doesn't really do much else.

> I have ldap set up only in authorize.  I see the user lookup performed
> and found but no group lookup is done.  When is the group lookup
> performed?

  When the LDAP module is run.  If you configure it to do that.

>  Can I mix ldap authorize with pam authenticate like this
> or is this not going to work?

  It will work.

  But TBH, PAM is terrible.  Don't use it.  You should be able to use winbind directly from FreeRADIUS.  Google authenticator is a bit harder, but it should be possible.

>  Is the ldap group lookup dependent on
> the user ldap authentication being successful?

  No.  The LDAP module doesn't do authentication.  It does user authorization, in the "authorize" section.

  Alan DeKok.
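
The split discussed in this thread, sketched as a FreeRADIUS 3 virtual-server excerpt. This is an added example, not configuration from either poster or from the FreeRADIUS project. It assumes the LDAP module instance is named `ldap`, and the group name and reply value are placeholders.

```text
# sites-enabled/default (excerpt) -- added example, not from the thread
authorize {
    # Whatever already selects PAM for authentication stays as it is.

    # Runs the LDAP module: finds the user object. No bind as the user,
    # so this step is authorization only.
    ldap

    # The group lookup happens when LDAP-Group is compared. It uses the
    # group { ... } settings of the ldap module (base_dn, filter,
    # membership_attribute) and does not depend on any LDAP authentication.
    if (LDAP-Group == "vpn-users") {        # placeholder group name
        update reply {
            Filter-Id := "vpn-users"        # placeholder reply value
        }
    }
    else {
        # Fail closed: a user outside the group is rejected before PAM runs.
        reject
    }
}

authenticate {
    # Password and OTP checking is still done by PAM.
    pam
}
```

If the LDAP module instance has a different name, the comparison attribute is prefixed with it (`<instance>-LDAP-Group`).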
