Hi,

I'm using pam_auth_radius PAM module to authenticate against an RSA
SecurId radius server. It works fine but I need to pre-create the
users on the system. I was wondering if it's possible to use the LDAP
directory for the valid user accounts.

I'm under linux Debian/Lenny.
I tried to define pam_ldap in /etc/pam.d/common-account :

account sufficient      pam_ldap.so

and leave the common-auth use radius (also session)

auth    sufficient      pam_radius_auth.so debug

but it does not seem to work. I may miss something. Theorically i
think it's possible, isn't it?



Other little problem with the pam_auth_radius module, when restricting
persissions on the /etc/pam_auth_radius.conf file (shared secret for
RADIUS server), I get this message when closing the session :

pam_close_session: Cannot make/remove an entry for the specified session

details :

Aug 20 14:57:09 debian su[11840]: pam_unix(su:session): session opened
for user chris by root(uid=1001)
Aug 20 14:57:10 debian su[11840]: pam_radius_auth: Could not open
configuration file /etc/pam_radius_auth.conf: Permission denied
Aug 20 14:57:10 debian su[11840]: pam_unix(su:session): session closed
for user chris
Aug 20 14:57:10 debian su[11840]: pam_close_session: Cannot
make/remove an entry for the specified session


I think it's needed to contact the radius server for accounting, but
it is not a secure configuration, even if using one time passwords


Thanks for your help,


Chris

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to