Mixing pam and ldap
Douglas Hammond
wizhippo at gmail.com
Fri Sep 21 16:25:11 CEST 2018
Thank you, I figured it out. I have to have a check for the lookup
to be performed.
DEFAULT Ldap-Group == "SSLVPN-Users"
        Filter-Id := SSLVPN-Users
On Fri, 21 Sep 2018 at 10:17, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Sep 21, 2018, at 9:58 AM, Douglas Hammond <wizhippo at gmail.com> wrote:
> >
> > Using freeradius 3, I have pam working well. I use pam to authenticate
> > against winbind and google-authenticator.
> >
> > I now want to get the user groups from ldap as pam does not pass them along.
>
> PAM only does authentication. And badly. It doesn't really do much else.
>
> > I have ldap set up only in authorize. I see the user lookup performed
> > and found but no group lookup is done. When is the group lookup
> > performed?
>
> When the LDAP module is run. If you configure it to do that.
>
> > Can I mix ldap authorize with pam authenticate like this
> > or is this not going to work?
>
> It will work.
>
> But TBH, PAM is terrible. Don't use it. You should be able to use winbind directly from FreeRADIUS. Google authenticator is a bit harder, but it should be possible.
>
> > Is the ldap group lookup dependent on
> > the user ldap authentication being successful?
>
> No. The LDAP module doesn't do authentication. It does user authorization, in the "authorize" section.
>
> Alan DeKok.
--
Douglas Hammond
VA3DJX