Not sure if this is the appropriate forum for this, but I'll type it anyway.
I have a need to add centralized auth and accounting to unix boxes (specifically a linux based "appliance." It's not really an actual appliance, just a standard linux box that a vendor provides). For my normal unix* boxes I have an identity management system. For appliances and network devices I use Radius, mostly.

For this new appliance, I'd like to use Radius, but I don't want to manage users or what groups they belong to on the device itself. I'd like to have the users auth against Radius and then apply a group based on an attribute received. I've done a little looking and I see no group support for pam_auth_radius.

One thought I had was to add some sort of auto provision function to the pam module to add the user and associate that user with a group via the supplied attribute from radius, then remove the user on logout. Any thoughts on this? Is there some other method that would be more appropriate?

I have use for this for other pseudo-appliances. I've tried using LDAP for those, but the chatter with vendor supplied ldap modules was unmanageable.

R. Marc