Martin Pauly wrote:
> I have a large set of users handled by LDAP, and a small group (admins with
> only a few logins) that I used to handle by setting up a bunch of local
> unix accounts and doing Auth-Type := System. So my users file looks like

  Auth-Type := System has been deprecated in 2.x.  It's not needed.  Just list
"unix" in the "authorize" section, and the server will figure it out.

> In sites-available/default, I have 'unix' in both the authorize and
> authenticate section. The debug output upon a request reads:
> ...
> ++[unix] returns notfound

  OK...

> [ the whole thing is sent to LDAP for authorization now which succeeds, but
> could perhaps be avoided anyway] ?

  What do you mean by that?

> So to me it looks like rlm_unix can't find me :-(

  The module just calls the system APIs to get the passwd file entry for the
user.  If the system returns notfound, so does the module.

> I've read about rlm_passwd, but I don't need any caching
> or the like. Oh, and user freerad is in group shadow. But
> as I understand it, this is no longer relevant for my case
> since rlm_unix uses getpwent which is supposed to handle
> access to /etc/shadow, right?

  No.  getpwent still depends on the calling application having permission to
read /etc/shadow.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
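The last two answers above are easy to check from outside the server. The program below is an added example, not FreeRADIUS or rlm_unix code: it does the two system calls a passwd/shadow-backed module has to make, getpwnam(3) for the passwd entry and then getspnam(3) when that entry holds no real hash, and tells apart "user does not exist" from "user exists but /etc/shadow is not readable by this process", which a module that simply passes the lookup failure through reports as notfound. The 10-character threshold for deciding that a passwd field cannot be a hash, the three-way result classification and the names `needs_shadow`, `unix_lookup` and `lookup_status` are my assumptions for this example, not something the thread states.

```c
/*
 * shadowcheck.c - added example, not FreeRADIUS/rlm_unix code.
 *
 * Looks a local user up the way a passwd/shadow-backed module must:
 * getpwnam(3) for the passwd entry, then getspnam(3) if the passwd entry
 * does not carry a real hash. getspnam() is where the permission problem
 * bites: it only succeeds if the calling process may read /etc/shadow,
 * so a daemon running as an unprivileged user (e.g. freerad) gets NULL
 * for a user who does exist, and a module that just passes that on says
 * "notfound".
 *
 * Assumptions (mine, not the thread's): the 10-character threshold in
 * needs_shadow() and the three-way classification below.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum lookup_result {
    LOOKUP_OK,            /* got a usable password hash */
    LOOKUP_NOTFOUND,      /* no passwd entry, or no shadow entry */
    LOOKUP_SHADOW_DENIED  /* passwd entry exists, /etc/shadow unreadable */
};

/* A passwd field shorter than 10 characters ("x", "*", "!", "") can never be
 * a real crypt(3) hash, so the shadow file has to be consulted (assumption). */
int needs_shadow(const char *pw_passwd)
{
    return pw_passwd == NULL || strlen(pw_passwd) < 10;
}

/* Look NAME up; on LOOKUP_OK the hash is copied into HASH (HASHLEN bytes). */
enum lookup_result unix_lookup(const char *name, char *hash, size_t hashlen)
{
    struct passwd *pwd = getpwnam(name);
    if (pwd == NULL)
        return LOOKUP_NOTFOUND;            /* the system says: no such user */

    const char *encrypted = pwd->pw_passwd;
    if (needs_shadow(encrypted)) {
        errno = 0;
        struct spwd *spwd = getspnam(name);
        if (spwd == NULL) {
            /* With glibc, an unreadable /etc/shadow typically leaves
             * errno == EACCES. A caller that ignores errno cannot tell
             * this apart from a missing entry and reports "notfound". */
            return (errno == EACCES) ? LOOKUP_SHADOW_DENIED : LOOKUP_NOTFOUND;
        }
        encrypted = spwd->sp_pwdp;
    }
    snprintf(hash, hashlen, "%s", encrypted);
    return LOOKUP_OK;
}

/* Convenience wrapper: status only, hash discarded. */
enum lookup_result lookup_status(const char *name)
{
    static char scratch[256];
    return unix_lookup(name, scratch, sizeof scratch);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <username>\n", argv[0]);
        return 2;
    }
    char hash[256];
    switch (unix_lookup(argv[1], hash, sizeof hash)) {
    case LOOKUP_OK:
        /* Diagnostic only: never print real hashes from a production tool. */
        printf("ok: %s has a hash starting with %.3s...\n", argv[1], hash);
        return 0;
    case LOOKUP_SHADOW_DENIED:
        printf("shadow denied: %s exists, but /etc/shadow is not readable "
               "by uid %u\n", argv[1], (unsigned) geteuid());
        return 1;
    default:
        printf("notfound: %s\n", argv[1]);
        return 1;
    }
}
```

Build with `cc -o shadowcheck shadowcheck.c` and run it as the daemon's user, for example `sudo -u freerad ./shadowcheck <admin-login>`: "shadow denied" means the passwd entry is fine and the problem is purely the process's access to /etc/shadow (group membership of the user the daemon actually runs as, and the file's mode), while "notfound" as that user means the account is not resolvable through the system's passwd lookup at all.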