Hi Alan
thanks for immediate reply.

>   I presume you're using the OpenBSD PAM RADIUS module?

no, i installed freeradius-ldap, no openBSD PAM radius module that i knew.

suomi


Alan DeKok wrote:
> radius wrote:
> > we use radius authentication on this openBSD server as workaround,
> > because for openBSD no pam-(ldap) is available. here, all users, mail,
> > ftp, yni are authenticated against openldap using various authentication
> > methods (pam-ldap, pure ldap, courier-authlib with ldap, pure-ftpd with
> > ldap, ...).

>   I presume you're using the OpenBSD PAM RADIUS module?

> > the radius authentication works fine, as far as password checking is
> > concerned. The following radius-daemon output shows the login of a user
> > cvs into the system.
> > ...
> > Sending Access-Accept of id 154 to 127.0.0.1 port 27572
> > Finished request 1

>   The reply is empty.  So the user is allowed in, but with no configuration.

> > BUT when this user is logged in, it has the following parameters:
> >
> > [EMAIL PROTECTED] -> id
> > uid=10001(cvs) gid=102(users) groups=102(users)
> > [EMAIL PROTECTED] ->
> >
> > all these id-parameters are from the local /etc/master.passwd file and
> > not from the ldap directory.

>   Did you tell OpenBSD to look in the LDAP directory for that
> configuration?  If not, did you tell FreeRADIUS to look in LDAP for that
> configuration *and* return it in the Access-Accept?  And even if
> FreeRADIUS returns that configuration in the Access-Accept, you have to
> check that the OpenBSD PAM RADIUS module supports those attributes.
>
>   See the OpenBSD PAM RADIUS documentation for how to configure it.

> > instead of (when logging in to the user cvs on a different server) i get
> > the following (correct) id-parameters
> >
> > [EMAIL PROTECTED] ~> id
> > uid=1067(cvs) gid=100(users) groups=100(users),503(release2)
> > [EMAIL PROTECTED] ~>

>   So... look at the configuration for that system to see what it's doing.

> > when i check the ldap-host log, i see, that not even an attempt is made
> > to request session parameters from the ldap server.

>   Yes... the FreeRADIUS debug log shows this, too.

> > what do i need to change, and where?

>   Look at the configuration for the working machine, and copy it to the
> machine that doesn't work.
>
>   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
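
The "reply is empty" observation in the thread can be checked mechanically. The following is an added example, not part of the original messages or of FreeRADIUS: it scans debug output for Access-Accept replies that carry no attributes. It assumes reply attributes are printed as indented "Name = value" lines directly under the "Sending ..." line; the second request in the sample is constructed.

```python
import re

# Constructed sample of radiusd debug output. Request 1 reuses the two lines
# quoted in the thread; request 2 and its attributes are made up for contrast.
SAMPLE_DEBUG = """\
Sending Access-Accept of id 154 to 127.0.0.1 port 27572
Finished request 1
Sending Access-Accept of id 155 to 127.0.0.1 port 27572
\tReply-Message = "constructed example"
\tSession-Timeout = 3600
Finished request 2
"""

SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)")
# Assumed layout: attributes are indented and use =, := or += as operator.
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*(?:=|:=|\+=)\s*(.+)$")

def parse_replies(text):
    """Return one dict per 'Sending ...' line with the attributes listed under it."""
    replies, current = [], None
    for line in text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"code": m.group(1), "id": int(m.group(2)),
                       "client": m.group(3), "attrs": {}}
            replies.append(current)
            continue
        a = ATTR_RE.match(line)
        if a and current is not None:
            current["attrs"][a.group(1)] = a.group(2).strip('"')
        elif not a:
            current = None  # any non-attribute line closes the reply block
    return replies

def empty_accepts(text):
    """IDs of Access-Accept replies that carried no attributes at all."""
    return [r["id"] for r in parse_replies(text)
            if r["code"] == "Access-Accept" and not r["attrs"]]

if __name__ == "__main__":
    for r in parse_replies(SAMPLE_DEBUG):
        print(r["code"], r["id"], r["attrs"] or "(no reply attributes)")
    print("empty Access-Accepts:", empty_accepts(SAMPLE_DEBUG))
```

An empty Access-Accept means only the password check succeeded; the uid, gid and groups then come from wherever the login host looks them up, which in the thread is the local /etc/master.passwd.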