Hi, I am new to FreeRADIUS and am trying to authenticate users with PAM and authorize them via LDAP groups. I am trying to find a minimal configuration, but I am having trouble forcing the Auth-Type to be PAM.
I have radiusd.conf: prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd db_dir = $(raddbdir) [sic: the parentheses are a typo, this should be ${raddbdir}] libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { ipaddr = * port = 0 type = auth } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files syslog_facility = daemon file = ${logdir}/radius.log stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = no $INCLUDE clients.conf snmp = no thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pam { pam_auth = radiusd } ldap { server = "192.168.2.1" port = 636 identity = "uid=ldapadmin,ou=external,dc=example,dc=com" password = controllme [note: this LDAP bind password is posted in clear here and appears again in the debug output below; treat it as compromised and rotate it, and keep radiusd.conf readable only by the user radiusd runs as] basedn = "ou=external,dc=example,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls_mode = yes tls { start_tls = no cacertdir = /etc/certs } [note: nothing here states whether the LDAP server certificate is actually verified against /etc/certs; confirm the rlm_ldap default for your version, otherwise the bind credentials go over an unauthenticated TLS session] set_auth_type = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 header = "%t" suppress { User-Password } } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d detailperm = 0600 suppress { User-Password } } detail reply_log { detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } } $INCLUDE sites-enabled/ sites-enabled/default: authorize { 
auth_log ldap } authenticate { pam } preacct { acct_unique } accounting { detail } ldap.attrmap: checkItem $GENERIC$ radiusCheckItem replyItem $GENERIC$ radiusReplyItem If I run radiusd -X I get: rad_recv: Access-Request packet from host 127.0.0.1 port 63402, id=76, length=58 User-Name = "fred" User-Password = "hamster" [note: -X debug output prints User-Password and the LDAP bind credentials in clear; scrub them before posting to a public list] NAS-IP-Address = 192.168.1.1 NAS-Port = 0 +- entering group authorize expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080123 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080123 expand: %t -> Wed Jan 23 19:53:47 2008 ++[auth_log] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for fred WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=fred) expand: ou=external,dc=example,dc=com -> ou=external,dc=example,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: setting TLS CACert Directory to /etc/certs rlm_ldap: starting SSL rlm_ldap: (re)connect to 10.129.189.34:5636, authentication 0 rlm_ldap: bind as uid=ldapadmin,ou=external,dc=example,dc=com/controlme to 192.2.1.1:636 [note: the host, port, bind password and search base in this output do not match the config quoted above (192.168.2.1:636, controllme, basedn ou=external,...), so the paste appears to have been partially hand-edited; if so, the log, not the quoted config, reflects what the server actually used] rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=networks,ou=external,dc=example,dc=com, with filter (uid=fred) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? 
rlm_ldap: user fred authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [fred/hamster] (from client localhost port 0) Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 189 to 127.0.0.1 port 63418 Waking up in 4.9 seconds. Cleaning up request 0 ID 189 with timestamp +3 Ready to process requests. The reject is expected with the configuration above: with set_auth_type = no, nothing in the authorize section sets Auth-Type, so the server rejects the request ("No authenticate method (Auth-Type) configuration found") before it ever reaches the authenticate { pam } section. Only if I set set_auth_type = yes in radiusd.conf for ldap and change the default site to: Auth-Type LDAP { pam } [presumably inside the authenticate section, which is where Auth-Type sub-sections belong] do I get a successful login. Is there any other way to force Auth-Type to be PAM for all users, independent of the LDAP lookup? Is there also a way to disable the use of the ldap.attrmap attribute mapping, as I really don't need it? Thank you Markus - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html