I am moving from Livingston radius 2.1 to freeradius 0.9.1 on a RedHat 9
box and everything is looking OK, but I had one problem I would like to
find out more about.
We are using Group check items to add filter rules to allow certain
users to use our squid proxy which filters content. Our radius server
is running on our NIS server machine. We were not using supplementary
groups for our users for any purpose prior to this and what I noticed is
that when users were added to a group that existed in NIS (gid > 500),
the 'id' program listed the id twice on the NIS server but only once on
other machines on our network. I figured out that it was getting it
once from /etc/group and the second time from NIS.
Now the really strange thing was that running freeradius on the NIS
server would never match our group checkitem, even though 'id' listed
the group twice. But when I ran radius on another of our servers, it
matched the group check item just fine. I worked on it a little more
and moved my groups with gid > 500 to /etc/group.yp and adjusted
/var/yp/Makefile to use /etc/group.yp and now the group is only listed
once on the NIS server and radiusd matches on the Group checkitem.
Everything is great, but I cannot use 'usermod -G' to add users to the
supplementary group because it wants to use /etc/group and not
/etc/group.yp.
So my real questions are:
1) Is there a way to get 'radiusd -X' to show all the Group attributes
that get added? I looked through the output and I never saw any of the
check items. I only saw the request items and the reply items. I think
being able to view the check items (like Group) would be useful.
2) Any idea why having the group listed twice for a user caused the
Group check item to get deleted? Is this documented behaviour?
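Added example, not part of the original post: a shell check for the condition described above, where a group is defined both in the local group file and in the NIS group map. The file names, group names and members are constructed sample data; on a live host the second input is assumed to be a dump of the NIS map, such as the output of `ypcat group`.

```shell
#!/bin/sh
# dup_groups LOCAL_GROUP_FILE NIS_GROUP_DUMP
# Reports every group that both sources define, by name or by gid.
# Both inputs use the group(5) layout: name:passwd:gid:member,member
dup_groups() {
    awk -F: '
        # Skip NIS compat markers (+/-), comments and malformed lines.
        /^[+-]/ || /^#/ || NF < 3 { next }
        # First file: remember each local group by name and by gid.
        FILENAME == ARGV[1] {
            gid_of[$1] = $3; members_of[$1] = $4; name_of[$3] = $1
            next
        }
        # Second file: the same group name is defined again.
        ($1 in gid_of) {
            printf "DUP-NAME %s local=%s[%s] nis=%s[%s]\n",
                   $1, gid_of[$1], members_of[$1], $3, $4
            next
        }
        # Second file: a different name reuses a gid the local file has.
        ($3 in name_of) {
            printf "DUP-GID %s local=%s nis=%s\n", $3, name_of[$3], $1
        }
    ' "$1" "$2"
}

# Constructed sample data (not taken from the post).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/group" <<'EOF'
root:x:0:
wheel:x:10:root
squidusers:x:501:alice
+:::
EOF
cat > "$sample_dir/nis_group" <<'EOF'
squidusers:x:501:alice,bob
admins:x:10:dave
staff:x:502:carol
EOF

dup_groups "$sample_dir/group" "$sample_dir/nis_group"
```

A `DUP-NAME` line marks a group that a lookup can return from both sources, which is the situation in which `id` listed the group twice; the differing member lists in the sample show why such duplicates matter for group-based access checks.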
