Authorization via getpwent (users coming via SSSD)

Mike Ely me at mikeely.org
Wed Aug 14 21:23:37 CEST 2019


Hi,

We currently have our users authenticating via ntlm_auth and would like
to make authorization decisions based on group membership. The radius
server is joined to the domain and standard Unix commands calling
getpwnam will return expected data:

# id user.name
uid=123456789(user.name) gid=234567890(domain users) groups=234567890(domain users),345679012(noc),4567890123(vpm),5678901234(ipmi)

Looking at various modules available to handle this I'm encountering the
following problems with each (usual caveats about how I may be
misreading the docs):
rlm_pam: appears to only be set up to work for authentication
rlm_passwd: appears to want a file
rlm_unix: also appears to want a file to read? (maybe?)

I'm hoping one of these above or perhaps something else can be used in
the authorize section such that if a user logs in, and that user's group
membership includes the required group (say, ipmi), then the
authorization will be accepted. It's just not clear to me how to proceed
here.
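
Added example, not part of the original post and not FreeRADIUS code: the group check described above, resolved through the same NSS calls that `id` relies on, so users supplied by SSSD are covered. The function names, the `lookup` parameter and the `SAMPLE` data are constructed for illustration; how the result is wired into the authorize section is left open.

```python
import grp
import os
import pwd
import sys


def nss_groups(username):
    """Group names for username as NSS resolves them, or None if unknown."""
    try:
        pw = pwd.getpwnam(username)
    except KeyError:
        return None  # unknown user, or the backend could not resolve it
    names = set()
    # getgrouplist() returns the primary and supplementary gids, as `id` shows.
    for gid in os.getgrouplist(pw.pw_name, pw.pw_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            continue  # a gid without a resolvable name never matches
    return names


def authorize(username, required_group, lookup=nss_groups):
    """True only when the user resolves and holds required_group."""
    groups = lookup(username)
    if groups is None:
        return False  # fail closed when the user cannot be resolved
    return required_group in groups


# Constructed sample mirroring the `id user.name` output in the post.
SAMPLE = {"user.name": {"domain users", "noc", "vpm", "ipmi"}}

if __name__ == "__main__":
    # Usage: script USER GROUP -> exit status 0 if authorized, 1 otherwise
    user, group = sys.argv[1], sys.argv[2]
    sys.exit(0 if authorize(user, group) else 1)
```

The check matches group names exactly and treats an unresolvable user as unauthorized, so an unavailable directory backend results in a denial rather than an accept.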

