Seems like I am getting closer possibly, but I see an error in radius.log --
could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow.
Basically, I go to login to my pam_radius host, user exists in local password
file with no pass, user/pass in RADIUS/LDAP, and when I login the SSH session
immediately exits and I see the below in radius.log. If I use a login not in
the local password file, but it is in RADIUS/LDAP then I get an access denied
and no mention of the below error.
I am not even starting TLS so why is it even complaining about it??? I am also
curious what this means -- rlm_exec: Wait=yes but no output defined. Did you
mean output=none?
Appreciate any help. Thanks!
Tue Dec 18 19:32:48 2007 : Info: rlm_exec: Wait=yes but no output defined. Did
you mean output=none?
Tue Dec 18 19:32:48 2007 : Info: Ready to process requests.
Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Tue Dec 18 19:35:55 2007 : Error: rlm_ldap: could not set
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Tue Dec 18 19:36:03 2007 : Error: rlm_ldap: could not set
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
----- Original Message -----
From: Jeff Fishbaugh
To: [email protected]
Sent: Tuesday, December 18, 2007 2:13 PM
Subject: Help w/ pam radius
Hello:
I am having trouble getting pam_radius working and was wondering if someone
might be of help since I followed the INSTALL instructions as well as a howto
(as provided by the Wikid folks) and I am still coming up short getting it
working.
Here are some of my details
- My PAM is such it is by service (Fedora 7 -- 0.99.7.1-5.1)....sshd being
what I am most interested in, the default config for it looks like the below on
a host I want talking to radius. What does this need to look like in terms of
the pam_radius_auth.so related stanzas to get it working? Neither the INSTALL
instructions or a howto I found would work.
/etc/pam.d/sshd (default below)
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
- My Radius box runs freeradius (freeradius-1.1.7-3.1) with LDAP (fedora-ds)
backending it with the user/pass info, got it working for Cisco's but have yet
to get PAM working. I just get 'Access denied' -- tried the later with a user
defined on the host with no password or with a password and won't work.
Pretty simple, no huntgroups or anythig like that just plain and simple
binding against LDAP.
I think what I am looking for are...
1- Pam configuration on the host (ie- /etc/pam.d/sshd)
2- Pam configuration requirements as far as the radius server is concerned.
Be helpful to see what all I might need that I am possibly missing in conf
files.
Thank you!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
