Authorization via getpwent (users coming via SSSD) (Freeradius-Users Digest, Vol 172, Issue 31)
Alan DeKok
aland at deployingradius.com
Thu Aug 15 18:34:02 CEST 2019
On Aug 15, 2019, at 12:27 PM, Mike Ely <me at mikeely.org> wrote:
> Thanks for that. Unfortunately it appears that this only works against
> the primary group.
Hmm... that then is likely an issue with the underlying password / group store.
> Here's the stanza I have in sites-enabled/default:
>
> if (Group == "ipmi") {
>     accept
> }
> else {
>     update reply {
>         Reply-Message = "User not allowed to connect to this device"
>     }
>     reject
> }
>
> When trying to auth with a user who is very much part of the "ipmi" group:
> (0) if (Group == "ipmi") {
> (0) if (Group == "ipmi") -> FALSE
>
> After switching the Group check to "Domain Users"
> (0) if (Group == "Domain Users") {
> (0) if (Group == "Domain Users") -> TRUE
>
> Is there a known issue surrounding this and if so what if any workaround
> should I be looking for?
For "Group == foo", the Unix module does:
- if primary group is "foo", return "match"
- get group "foo"
- walk through the list of members seeing if User-Name is a member
- if User-Name is a member, return "match"
- otherwise return "no match"
Alan DeKok.
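
The check described in the reply above, as an added C example; it is not part of the original message and is not FreeRADIUS source code. Comparing gids for the primary-group step is an assumption, and the user names and gid 5001 are constructed sample values. Run against a real user and group, it prints the member list the local NSS stack (files, SSSD, ...) returns for the group.

```c
/* Added example: the group check described in the reply, over local NSS. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum { NO_SUCH_GROUP = -1, NO_MATCH = 0, MATCH_PRIMARY = 1, MATCH_MEMBER = 2 };

/* Decision logic on already-fetched entries, so it also runs on constructed data. */
int group_match(const char *user, const struct passwd *pw, const struct group *gr)
{
    if (gr == NULL)
        return NO_SUCH_GROUP;
    if (pw != NULL && pw->pw_gid == gr->gr_gid)   /* primary group (assumed gid compare) */
        return MATCH_PRIMARY;
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)                /* explicitly listed member */
            return MATCH_MEMBER;
    return NO_MATCH;
}

/* Constructed sample: group "ipmi" (gid 5001) whose entry lists only alice and bob. */
int constructed_case(const char *user, gid_t primary_gid)
{
    char *members[] = { "alice", "bob", NULL };
    struct group gr = { .gr_name = "ipmi", .gr_gid = 5001, .gr_mem = members };
    struct passwd pw = { .pw_name = (char *)user, .pw_gid = primary_gid };
    return group_match(user, &pw, &gr);
}

/* Usage: ./groupcheck USER GROUP */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s USER GROUP\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    struct group *gr = getgrnam(argv[2]);
    if (gr != NULL) {
        printf("members returned for %s:", gr->gr_name);
        for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
            printf(" %s", *m);
        printf("\n");
    }
    int r = group_match(argv[1], pw, gr);
    printf("result: %d (1=primary, 2=listed member, 0=no match, -1=no such group)\n", r);
    return r > 0 ? 0 : 1;
}
```

If the user is missing from the printed member list and the group is not their primary group, a check of this form returns no match regardless of what the directory itself records.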