Authorization via getpwent (users coming via SSSD) (Freeradius-Users Digest, Vol 172, Issue 31)

Alan DeKok aland at
Thu Aug 15 18:58:02 CEST 2019

On Aug 15, 2019, at 12:52 PM, Mike Ely <me at> wrote:
> On 8/15/19 9:34 AM, Alan DeKok wrote:
>>  Hmm... that then is likely an issue with the underlying password / group store.
> Probably. User and group membership doesn't appear in what I'd regard as
> "normal" ways i.e.: getent. SSSD is quirky IMHO but so was winbind.

  The Unix module uses getpwnt() and getgrent()

> Maybe someday add a check that trusts the output of "id" as an indicator
> of group membership?

  <sigh>  Comments like that are unproductive, if not actively hostile.

  We use standard APIs to get standard information.  If those APIs are broken, then blame the OS, not FreeRADIUS.

  If you want to run "id" to get group membership, then FreeRADIUS allows you to do that.  It's better to do that, than to make snide remarks on the list about how we should do things better.

> For now I'll have to (with reluctance because it gives me headaches)
> follow another user's suggestion and use LDAP for authorization.

  With great reluctance you're using a method that we recommend, instead of APIs that you know are broken.  But you're still complain about how we should do things better.

  This behaviour is not acceptable.

  Alan DeKok.

More information about the Freeradius-Users mailing list