Re: PAM authentication and groups

2007-09-21 Thread Diego Woitasen
2007/9/19, [EMAIL PROTECTED] [EMAIL PROTECTED]:
 Groups are a part of authorization so there is no conflict with any
 authentication method. You can use ldap (Ldap-Group), sql(Sql-Group),
 unix (Group) ...

 Ivan Kalik
 Kalik Informatika ISP


 On 19/9/2007, Diego Woitasen [EMAIL PROTECTED] wrote:

 2007/9/19, Alan DeKok [EMAIL PROTECTED]:
  Diego Woitasen wrote:
   That entry/configuration. I read the FAQ and I can't see anything
   interesting. The question is, does radius use nsswitch to check group
   membership using PAM authentication?
 
Q: Hi I tried to do stuff, but it didn't work.  Why?
A: WTF?
 
It's difficult to help you if you don't say what you expected to
  happen, AND what actually happened.
 
It's frustrating to have people post configurations and ask why
  doesn't this work?  The documentation and FAQ cover how to ask
  questions on the list, and what information we need to help you.
 
Alan DeKok.
  -
  List info/subscribe/unsubscribe? See 
  http://www.freeradius.org/list/users.html
 
 
 I think the question is simple to give more detail. I rewrite the question:
 
 Can I use PAM for authentication and LDAP for group checking? or PAM
 for authentication and group checking with nsswitch?
 
 
 
 
 
 --
 ---
 Diego Woitasen
 ---
 
 



OK. I have enabled LDAP in the authorize and authentication sections. If I
set Ldap-Group == xxx in a users file entry, radiusd only tries
LDAP authentication, and not PAM (I saw this with radiusd -f -X).

With the following entry, radiusd tries LDAP for authentication and authorization:

DEFAULT Ldap-Group == xnetadmin
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Fall-Through = 0

With this, PAM authentication is working fine, but I haven't got LDAP
authorization, obviously:

DEFAULT Auth-type = PAM
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Fall-Through = 0

And finally, this doesn't work either:

DEFAULT Auth-type = PAM, Ldap-Group == xnetadmin
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Fall-Through = 0

I can't find where the trick is. The documentation doesn't say
anything about this kind of configuration, or I can't find it.

regards,
diegows



-- 
---
Diego Woitasen
---



Re: PAM authentication and groups

2007-09-21 Thread Alan DeKok
Diego Woitasen wrote:
 And finally, this doesn't work either:
 
 DEFAULT Auth-type = PAM, Ldap-Group == xnetadmin
         Service-Type = Login-User,
         Cisco-AVPair = shell:priv-lvl=15,
         Fall-Through = 0

  I don't see why that wouldn't work.

  Again, what does the debug log say?  You ARE running the server in
debugging mode, as suggested in the FAQ, README, INSTALL... etc.  Is
there any other documentation we need to update in order to convince
people to run in debugging mode?

  Alan DeKok.



Re: PAM authentication and groups

2007-09-21 Thread tnt
With the following entry, radiusd tries LDAP for authentication and
authorization:

DEFAULT Ldap-Group == xnetadmin
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Fall-Through = 0

With this, PAM authentication is working fine, but I haven't got LDAP
authorization, obviously:

DEFAULT Auth-type = PAM
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Fall-Through = 0

And finally, this doesn't work either:

DEFAULT Auth-type = PAM, Ldap-Group == xnetadmin
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Fall-Through = 0

Post radiusd -X for the request and let's see why this doesn't work
either. Hard to help without that.

Ivan Kalik
Kalik Informatika ISP



PAM authentication and groups

2007-09-19 Thread Diego Woitasen
Hi,

I have freeradius configured to authenticate users with PAM working
fine. Now I want to add group membership checking. I have the
following users entry:

DEFAULT Auth-type = PAM, Group-name == netadmin
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Fall-Through = 0

That doesn't work. I tested with the Group attribute too.

The user that I use in radtest is a member of the netadmin group. One thing,
the group membership must be queried via nsswitch (getgrnam()),
because the users are not local, they are in an LDAP server (I can't
use rlm_ldap now, we are in transition).

What am I missing?

regards,
   diegows


-- 
---
Diego Woitasen
---
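
Added example (not part of the original post, and not FreeRADIUS code): a sketch of the membership test the post expects from a unix group check, resolving the user and the group through NSS with getpwnam()/getgrnam(). The name unix_group_match, the reason strings and the constructed FAKE_PASSWD/FAKE_GROUP tables are assumptions made for illustration, as is the assumption that the server's check follows these steps.

```python
import grp
import pwd
import sys
from types import SimpleNamespace as Entry


def unix_group_match(user, group, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Return (matched, reason) for a getgrnam()-style membership test.

    The lookups default to the libc NSS calls, so the answer follows
    /etc/nsswitch.conf (files, ldap, ...) for the account running this.
    """
    try:
        pw = getpwnam(user)
    except KeyError:
        # PAM may still accept this user through another backend; the
        # group check then fails closed because NSS cannot resolve them.
        return False, "user not found via NSS"
    try:
        gr = getgrnam(group)
    except KeyError:
        return False, "group not found via NSS"
    if pw.pw_gid == gr.gr_gid:
        return True, "primary group"
    if user in gr.gr_mem:
        return True, "supplementary member"
    return False, "not a member"


# Constructed sample data standing in for an LDAP-backed NSS source.
FAKE_PASSWD = {
    "alice": Entry(pw_name="alice", pw_gid=1000),
    "bob": Entry(pw_name="bob", pw_gid=2000),
    "carol": Entry(pw_name="carol", pw_gid=1001),
}
FAKE_GROUP = {
    "netadmin": Entry(gr_name="netadmin", gr_gid=2000, gr_mem=["alice"]),
}


def check_fake(user, group):
    """Run the same test against the constructed tables above."""
    return unix_group_match(user, group,
                            FAKE_PASSWD.__getitem__, FAKE_GROUP.__getitem__)


if __name__ == "__main__":
    # Usage: script.py USER GROUP  -> queries the real NSS configuration.
    user, group = sys.argv[1], sys.argv[2]
    print(user, group, unix_group_match(user, group))
```

Run it as the account radiusd runs under, since NSS results can differ per account and host. A user that PAM accepts but NSS cannot resolve shows up as "user not found via NSS".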


Re: PAM authentication and groups

2007-09-19 Thread Diego Woitasen
2007/9/19, Alan DeKok [EMAIL PROTECTED]:
 Diego Woitasen wrote:
 ...
  That doesn't work.

   And what do you mean by that?

   See the FAQ.

   Alan DeKok.

That entry/configuration. I read the FAQ and I can't see anything
interesting. The question is, does radius use nsswitch to check group
membership using PAM authentication?

-- 
---
Diego Woitasen
---


Re: PAM authentication and groups

2007-09-19 Thread Alan DeKok
Diego Woitasen wrote:
 That entry/configuration. I read the FAQ and I can't see anything
 interesting. The question is, does radius use nsswitch to check group
 membership using PAM authentication?

  Q: Hi I tried to do stuff, but it didn't work.  Why?
  A: WTF?

  It's difficult to help you if you don't say what you expected to
happen, AND what actually happened.

  It's frustrating to have people post configurations and ask why
doesn't this work?  The documentation and FAQ cover how to ask
questions on the list, and what information we need to help you.

  Alan DeKok.


Re: PAM authentication and groups

2007-09-19 Thread Diego Woitasen
2007/9/19, Alan DeKok [EMAIL PROTECTED]:
 Diego Woitasen wrote:
  That entry/configuration. I read the FAQ and I can't see anything
  interesting. The question is, does radius use nsswitch to check group
  membership using PAM authentication?

   Q: Hi I tried to do stuff, but it didn't work.  Why?
   A: WTF?

   It's difficult to help you if you don't say what you expected to
 happen, AND what actually happened.

   It's frustrating to have people post configurations and ask why
 doesn't this work?  The documentation and FAQ cover how to ask
 questions on the list, and what information we need to help you.

   Alan DeKok.


I think the question is simple to give more detail. I rewrite the question:

Can I use PAM for authentication and LDAP for group checking? or PAM
for authentication and group checking with nsswitch?





-- 
---
Diego Woitasen
---


Re: PAM authentication and groups

2007-09-19 Thread tnt
Groups are a part of authorization so there is no conflict with any
authentication method. You can use ldap (Ldap-Group), sql(Sql-Group),
unix (Group) ...

Ivan Kalik
Kalik Informatika ISP


On 19/9/2007, Diego Woitasen [EMAIL PROTECTED] wrote:

2007/9/19, Alan DeKok [EMAIL PROTECTED]:
 Diego Woitasen wrote:
  That entry/configuration. I read the FAQ and I can't see anything
  interesting. The question is, does radius use nsswitch to check group
  membership using PAM authentication?

   Q: Hi I tried to do stuff, but it didn't work.  Why?
   A: WTF?

   It's difficult to help you if you don't say what you expected to
 happen, AND what actually happened.

   It's frustrating to have people post configurations and ask why
 doesn't this work?  The documentation and FAQ cover how to ask
 questions on the list, and what information we need to help you.

   Alan DeKok.


I think the question is simple to give more detail. I rewrite the question:

Can I use PAM for authentication and LDAP for group checking? or PAM
for authentication and group checking with nsswitch?





--
---
Diego Woitasen
---


