Authorization via getpwent (users coming via SSSD)

Alan DeKok aland at
Wed Aug 14 21:46:55 CEST 2019

On Aug 14, 2019, at 3:23 PM, Mike Ely <me at> wrote:
> We currently have our users authenticating via ntlm_auth and would like
> to make authorization decisions based on group membership. The radius
> server is joined to the domain and standard Unix commands calling
> getpwnam will return expected data:
> # id
> uid=123456789( gid=234567890(domain users)
> groups=234567890(domain
> users),345679012(noc),4567890123(vpm),5678901234(ipmi)
> Looking at various modules available to handle this I'm encountering the
> following problems with each (usual caveats about how I may be
> misreading the docs):
> rlm_pam: appears to only be set up to work for authentication
> rlm_passwd: appears to want a file
> rlm_unix: also appears to want a file to read? (maybe?)

  The Unix module calls getpwent() and getspwent().  It doesn't look at files.

> I'm hoping one of these above or perhaps something else can be used in
> the authorize section such that if a user logs in, and that user's group
> membership includes the required group (say, ipmi), then the
> authorization will be accepted. It's just not clear to me how to proceed
> here.

  Enable the "unix" module.  Use the "Group" attribute, which does Unix group checking.

	if (Group == "sales") {			# policy for members of "sales"
	}
	elsif (Group == "engineering") {	# policy for members of "engineering"
	}

  Alan DeKok.
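An added diagnostic, not part of the original post or of FreeRADIUS: before putting a group check into policy, it helps to confirm what NSS (here backed by SSSD) reports for a user on the RADIUS server itself. The sketch below shows by which lookup path a membership is visible: the primary GID, the group entry's member list, or the initgroups-style lookup that `id` uses. The function names are hypothetical, and the user and group are supplied on the command line.

```python
import grp
import os
import pwd
import sys


def membership_paths(user, group, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam,
                     getgrouplist=os.getgrouplist):
    """Report by which NSS lookup paths `user` appears as a member of `group`.

    Returns a dict of booleans, or None if NSS cannot resolve the user or the
    group. The lookup functions are parameters so the logic can be exercised
    with stubs instead of the live NSS database.
    """
    try:
        pw = getpwnam(user)
        gr = getgrnam(group)
    except KeyError:
        return None  # unknown user or group: callers should treat as "no"
    return {
        # the group is the primary group in the user's passwd entry
        "primary_gid": pw.pw_gid == gr.gr_gid,
        # the user is named in the group entry's member list
        "member_list": pw.pw_name in gr.gr_mem,
        # initgroups-style lookup, the path `id` uses for supplementary groups
        "grouplist": gr.gr_gid in getgrouplist(pw.pw_name, pw.pw_gid),
    }


def is_member(user, group, **lookups):
    """True if any lookup path reports the membership; False if unresolvable."""
    paths = membership_paths(user, group, **lookups)
    return bool(paths) and any(paths.values())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_group.py USER GROUP")
    result = membership_paths(sys.argv[1], sys.argv[2])
    if result is None:
        sys.exit("NSS could not resolve the user or the group")
    for path, seen in result.items():
        print(f"{path:12} {'yes' if seen else 'no'}")
    sys.exit(0 if any(result.values()) else 1)
```

Run it as the account the RADIUS daemon runs under; if `grouplist` says yes while `member_list` says no, the directory is not publishing member lists through NSS, and a check that reads the member list will not see the membership even though `id` does.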
