Authorization via getpwent (users coming via SSSD)
Alan DeKok
aland at deployingradius.com
Wed Aug 14 21:46:55 CEST 2019
On Aug 14, 2019, at 3:23 PM, Mike Ely <me at mikeely.org> wrote:
>
> We currently have our users authenticating via ntlm_auth and would like
> to make authorization decisions based on group membership. The radius
> server is joined to the domain and standard Unix commands calling
> getpwnam will return expected data:
>
> # id user.name
> uid=123456789(user.name) gid=234567890(domain users)
> groups=234567890(domain users),345679012(noc),4567890123(vpm),5678901234(ipmi)
>
> Looking at various modules available to handle this I'm encountering the
> following problems with each (usual caveats about how I may be
> misreading the docs):
> rlm_pam: appears to only be set up to work for authentication
> rlm_passwd: appears to want a file
> rlm_unix: also appears to want a file to read? (maybe?)
The Unix module calls getpwent() and getspent(). It doesn't look at files.
> I'm hoping one of these above or perhaps something else can be used in
> the authorize section such that if a user logs in, and that user's group
> membership includes the required group (say, ipmi), then the
> authorization will be accepted. It's just not clear to me how to proceed
> here.
Enable the "unix" module. Use the "Group" attribute, which does Unix group checking.
if (Group == "sales") {
    reject
}
else if (Group == "engineering") {
    accept
}
Alan DeKok.
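As an added example (not code from the thread or from FreeRADIUS), a small Python model of the Unix-group check behind the Group comparison: a user matches a group either by primary gid or by appearing in the group's member list. The PASSWD and GROUPS tables are constructed from the `id user.name` output above, and `user_in_group_live` is an assumed helper that runs the same check against the host's real NSS (and therefore SSSD).

```python
import grp
import pwd
from typing import NamedTuple, Tuple


class PwEntry(NamedTuple):
    pw_name: str
    pw_gid: int          # primary group id


class GrEntry(NamedTuple):
    gr_name: str
    gr_gid: int
    gr_mem: Tuple[str, ...]   # supplementary members only


# Constructed NSS data mirroring the `id user.name` output in the thread.
# Note "domain users" has an empty member list: AD primary groups usually
# are not enumerated, so the primary-gid comparison is what matches them.
PASSWD = {
    "user.name": PwEntry("user.name", 234567890),
    "other.user": PwEntry("other.user", 234567890),
}
GROUPS = {
    "domain users": GrEntry("domain users", 234567890, ()),
    "noc": GrEntry("noc", 345679012, ("user.name",)),
    "vpm": GrEntry("vpm", 4567890123, ("user.name",)),
    "ipmi": GrEntry("ipmi", 5678901234, ("user.name",)),
}


def user_in_group(user, group, getpwnam=PASSWD.get, getgrnam=GROUPS.get):
    """True if user is in group via primary gid or supplementary membership."""
    pw = getpwnam(user)
    gr = getgrnam(group)
    if pw is None or gr is None:
        return False          # unknown user or group never matches
    return pw.pw_gid == gr.gr_gid or user in gr.gr_mem


def authorize(user, required_group="ipmi", **nss):
    """Accept only if the user holds the required group, as in the unlang above."""
    return "accept" if user_in_group(user, required_group, **nss) else "reject"


def _nss(fn):
    """Wrap pwd/grp lookups so a missing entry yields None instead of KeyError."""
    def lookup(name):
        try:
            return fn(name)
        except KeyError:
            return None
    return lookup


def user_in_group_live(user, group):
    """Same check against the real NSS database of this host (assumed helper)."""
    return user_in_group(user, group, _nss(pwd.getpwnam), _nss(grp.getgrnam))
```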