Re: LDAP+PAM radiusd config

I configured --with-pam
but i dont think that did any good but i did get it working..
you need this in the radius.conf file and you need the other section in 
the users file. 


       pam {
                #
                #  The name to use for PAM authentication.
                #  PAM looks in /etc/pam.d/${pam_auth_name}
                #  for it's configuration.
                #
                #  Note that any Pam-Auth attribute set in the 'users'
                #  file over-rides this one.
                #
                pam_auth = radiusd
        }

In users file you need something like this:

DEFAULT Auth-Type := Pam 
        pam-auth="radius",
        Fall-Through = Yes



On Sun, 29 Jun 2003, Mark van Kerkwyk wrote:

> Hi Sean, thanks for your reply. The bit I was looking for actually was the 
> radiusd.conf file, which has the correct config for directing 
> authorization to ldap and authentication to pam.
> 
> I have just been doing some testing and i was wondering why it wasn't 
> working, after an ldd and truss on the process (I am on solaris8), I 
> noticed that the pam support isn't in here anyway and the truss showed it 
> reading the shadow file.
> 
> Am I missing something really obvious here, there isn't a pam option for 
> configure that I can see, I hope I am not asking a dumb question here, but 
> how do I build this with PAM support ? It looked like it was checking for 
> pam .h files but i never saw any pam libs being linked in nor can I see 
> pam_sm* functions in the code. Maybe I need a different build or a patch, 
> I pulled down the current 0.81
> 
> thanks
> 
> Mark
> 
> 
> 
> 
> Sean <picasso@xxxxxxxxxxxxx> 
> Sent by: freeradius-users-admin@xxxxxxxxxxxxxxxx
> 28/06/2003 23:26
> Please respond to
> freeradius-users@xxxxxxxxxxxxxxxx
> 
> 
> To
> freeradius-users@xxxxxxxxxxxxxxxx
> cc
> 
> Subject
> Re: LDAP+PAM radiusd config
> 
> 
> 
> 
> 
> 
> You just want the pam piece? this needs to be radiusd, the auth-file(?) 
> parameter piece is broken i think. or at least I didnt get it to work 
> right..
> The first part (commented) works but it requires a local user, the second 
> one works without a local user, and you will want to replace the 
> pam_afs.so module with the pam_krb5.so module. 
> 
> [root@test-afs-1 pam.d]# more radiusd
> #%PAM-1.0
> ###works but requires a local user
> #auth       required    /lib/security/pam_unix_auth.so shadow nullok
> #auth       required    /lib/security/pam_afs.so 
> #auth       required    /lib/security/pam_nologin.so
> #account    required    /lib/security/pam_unix_acct.so
> #password   required    /lib/security/pam_cracklib.so
> #password   required    /lib/security/pam_unix_password.so shadow nullok 
> use_aut
> htok
> #session    required    /lib/security/pam_unix_session.so
> 
> ######
> auth    required        /lib/security/pam_mine.so
> auth       required     /lib/security/pam_afs.so
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_permit.so
> password   required     /lib/security/pam_permit.so
> password   required     /lib/security/pam_permit.so
> session    required     /lib/security/pam_permit.so
> 
> 
> On Sun, 29 Jun 2003, Mark van Kerkwyk wrote:
> 
> > Hi, does anyone have a working radiusd.conf where both LDAP and PAM are 
> > being used, LDAP for accounts/groups etc and PAM for auth to another 
> > source.
> > 
> > In my case case I will store all credentials in LDAP but send all auth 
> via 
> > pam_krb5 to our kerberos enrivonment. That way I have no passwords 
> stored 
> > or sent in the clear anywhere also.
> > 
> > regards
> > 
> > Mark
> > 
> > - 
> > List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> > 
> 
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html