Martin Pauly wrote:
> I have a large set of users handled by LDAP, and a small group (admins with 
> only a few logins) that I used to handle by setting up a bunch of local 
> unix accounts and doing Auth-Type := System. So my users file looks like

  Auth-Type := System has been deprecated in 2.x.  It's not needed.
Just list "unix" in the "authorize" section, and the server will figure
it out.

> In sites-available/default, I have 'unix' in both the authorize and 
> authenticate 
> section. The debug output upon a request reads:
...
> ++[unix] returns notfound

  OK...

> [ the whole thing is sent to LDAP for authorization now which succeeds, but 
> could perhaps be avoided anyway]

  ? What do you mean by that?

> So to me it looks like rlm_unix can't find me :-(

  The module just calls the system APIs to get the passwd file entry
for the user.  If the system returns notfound, so does the module.

> I've read about rlm_passwd, but I don't need any caching
> or the like. Oh, and user freerad is in group shadow. But
> as I understand it, this is no longer relevant for my case
> since rlm_unix uses getpwent which is supposed to handle 
> access to /etc/shadow, right?

  No.  getpwent still depends on the calling application having
permission to read /etc/shadow.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
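The last point in the reply above (that the module's system-API lookup only succeeds if the process itself may read /etc/shadow) can be checked directly. The following is an added example written for this page, not FreeRADIUS or rlm_unix code; it assumes a glibc- or musl-style libc that provides getpwnam() and getspnam() and that, like glibc, sets errno to EACCES when the shadow file is unreadable. It performs the two lookups the module depends on and distinguishes "user does not exist" from "user exists but this process cannot read its shadow entry", which is the case that surfaces as "notfound" in the server debug output.

```c
/* Added example (not FreeRADIUS code): probe whether the current process can
 * read a user's shadow entry the way a system-API based module must.
 * Assumes getpwnam()/getspnam() from a glibc-compatible libc. */
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum lookup_result { LOOKUP_FOUND, LOOKUP_NOTFOUND, LOOKUP_DENIED };

/* Pure classifier for the outcome of getspnam(): the returned pointer plus the
 * errno value observed right after the call.  A NULL pointer with EACCES/EPERM
 * means the entry may exist but /etc/shadow is not readable by this process;
 * a NULL pointer with any other errno means the user simply is not there. */
enum lookup_result classify_shadow_lookup(const struct spwd *sp, int saved_errno)
{
    if (sp != NULL)
        return LOOKUP_FOUND;
    if (saved_errno == EACCES || saved_errno == EPERM)
        return LOOKUP_DENIED;
    return LOOKUP_NOTFOUND;
}

const char *lookup_result_name(enum lookup_result r)
{
    switch (r) {
    case LOOKUP_FOUND:    return "found";
    case LOOKUP_NOTFOUND: return "notfound";
    case LOOKUP_DENIED:   return "permission denied on shadow entry";
    }
    return "unknown";
}

/* Performs the two lookups in order: the passwd entry (world readable) and
 * then the shadow entry (requires read access to /etc/shadow). */
enum lookup_result probe_shadow_access(const char *user)
{
    errno = 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return LOOKUP_NOTFOUND;     /* not in passwd at all */

    errno = 0;
    struct spwd *sp = getspnam(user);
    return classify_shadow_lookup(sp, errno);
}

/* Run as the daemon's account (e.g. `sudo -u freerad ./probe admin`) to see
 * what that account gets back from the same system calls. */
int main(int argc, char **argv)
{
    const char *user = (argc > 1) ? argv[1] : "root";
    enum lookup_result r = probe_shadow_access(user);

    printf("uid %u looking up '%s': %s\n",
           (unsigned)geteuid(), user, lookup_result_name(r));
    if (r == LOOKUP_DENIED)
        printf("hint: this uid cannot read /etc/shadow; check the file's group "
               "and the daemon user's group membership\n");
    return (r == LOOKUP_FOUND) ? 0 : 1;
}
```

Running it as the unprivileged daemon user and then as root for the same account name shows the difference in one line of output: the passwd lookup succeeds in both cases, while the shadow lookup only succeeds when the calling process has read access to /etc/shadow.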