Authorization via getpwent (users coming via SSSD) (Freeradius-Users Digest, Vol 172, Issue 31)

Mike Ely me at mikeely.org
Thu Aug 15 18:52:18 CEST 2019


On 8/15/19 9:34 AM, Alan DeKok wrote:
>   Hmm... that then is likely an issue with the underlying password / group store.

Probably. User and group membership doesn't appear in what I'd regard as
"normal" ways i.e.: getent. SSSD is quirky IMHO but so was winbind.

> 
>   For "Group == foo", the Unix module does:
> 
> - if primary group is "foo", return "match"
> - get group "foo"
> - walk through the list of members seeing if User-Name is a member
>   - if User-Name is a member, return "match"
> - otherwise return "no match"
> 
Maybe someday add a check that trusts the output of "id" as an indicator
of group membership?

For now I'll have to (with reluctance because it gives me headaches)
follow another user's suggestion and use LDAP for authorization.
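
The walk quoted above, next to an `id`-style lookup, as an added example that is not part of the original thread and is not FreeRADIUS code. `walk_match` and `id_style_match` are hypothetical names, and the `id`-style check assumes glibc's `getgrouplist(3)`, which asks NSS for the user's groups instead of reading the group's member list.

```c
#define _DEFAULT_SOURCE   /* exposes getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The walk quoted above: primary group first, then the group's member list. */
int walk_match(const struct passwd *pw, const struct group *gr)
{
    if (pw->pw_gid == gr->gr_gid)
        return 1;
    for (char **m = gr->gr_mem; m && *m; m++)
        if (strcmp(*m, pw->pw_name) == 0)
            return 1;
    return 0;
}

/* id-style check on the user's own group list: 1 member, 0 not, -1 lookup failed. */
int id_style_match(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    gid_t primary = pw->pw_gid;      /* copy before the next NSS call */
    struct group *gr = getgrnam(group);
    if (!gr) return -1;
    gid_t want = gr->gr_gid;
    int n = 32, hit = 0;
    gid_t *list = malloc(n * sizeof *list);
    if (!list) return -1;
    if (getgrouplist(user, primary, list, &n) == -1) {  /* n = size needed */
        gid_t *bigger = realloc(list, n * sizeof *list);
        if (!bigger || getgrouplist(user, primary, bigger, &n) == -1) {
            free(bigger ? bigger : list);
            return -1;
        }
        list = bigger;
    }
    for (int i = 0; i < n && !hit; i++)
        hit = (list[i] == want);
    free(list);
    return hit;
}

int main(int argc, char **argv)
{
    if (argc == 3)
        printf("%d\n", id_style_match(argv[1], argv[2]));
    return argc == 3 ? 0 : 2;
}
```

When the group entry comes back with an empty member list, `walk_match` returns 0 for every group except the user's primary one, whatever `id` reports for that user.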

