> Hi,
>
>> > DEFAULT Group == "FOO", Pool-Name :="FOO_pool"
>>
>> "Group" is probably empty. I can't remember what module, if any, fills
>> it out.
>
> # The Group and Group-Name attributes are automatically created by
> # the Unix module, and do checking against /etc/group automatically.
> # This means that you CANNOT use Group or Group-Name to do any other
> # kind of grouping in the server. You MUST define a new group
> # attribute.
>
> ...that's probably the one :-)

...and you just hit on something that solved the problem. It seems that FR was getting the group info from LDAP indirectly, through the PAM module, which was configured using authconfig. Running authconfig pointing to the local LDAP server solved the problem.

/etc/pam.d/system-auth

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so

Dovecot, sshd and other apps transparently use LDAP this way. I didn't think FR did (and maybe it doesn't completely), because I seem to recall trying to get it to work on an older version (using Auth-type=PAM) that way with no luck...but that was a while ago.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
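
Added example, not part of the original thread or of FreeRADIUS: a small check that reports whether a user's membership in a group such as FOO is visible in the local /etc/group file or only through the system group lookup. It assumes the server's Group comparison follows the system lookup (getgrnam); the function names and the sample data are constructed for illustration.

```python
import grp
import sys

# Constructed sample in /etc/group format (not taken from the thread's systems).
SAMPLE_GROUP_FILE = "FOO:x:1001:alice\nstaff:x:50:\n"


def parse_group_file(text):
    """Parse /etc/group-format text into {group_name: set(members)}."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or line.lstrip().startswith("#"):
            continue  # skip blanks, comments and malformed entries
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def system_members(group):
    """Members per the system group database (getgrnam); None if unknown."""
    try:
        return set(grp.getgrnam(group).gr_mem)
    except KeyError:
        return None


def membership_source(group, user, local_text, lookup=system_members):
    """Say where a supplementary-group membership is visible.

    Primary-group membership (the gid in the passwd entry) is not considered.
    Assumption: the Group check sees what the system lookup returns.
    """
    local = parse_group_file(local_text).get(group, set())
    resolved = lookup(group) or set()
    if user in resolved:
        return "local file" if user in local else "system lookup only"
    return "local file only" if user in local else "not a member"


if __name__ == "__main__":
    # Usage: script.py GROUP USER (defaults to the thread's FOO and a sample user).
    group, user = sys.argv[1:3] if len(sys.argv) >= 3 else ("FOO", "alice")
    with open("/etc/group") as fh:
        print(group, user, membership_source(group, user, fh.read()))
```

A result of "system lookup only" means the membership comes from a directory such as LDAP rather than the local file, so a Group check can match users that never appear in /etc/group.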