Evan Huus wrote:
> The problem is that pam_radius_auth (to the best of my knowledge)
> silently ignores any VSAs in the messages it receives. This makes
> sense from its perspective, since PAM is purely for authentication.

Yes. And PAM can't change user authorization or permissions. So I really have no idea why anyone uses PAM.

> The best solution I've come up with has pam_radius_auth forwarding the
> Access-Accept messages to a configurable port on the local machine.
> Our daemon can then listen on that port and extract the data it needs.
> This solution is very ugly, and I'm hoping that there's a better way
> I'm just not aware of.
>
> Any suggestions or information you can provide are very much appreciated.

If you can figure out how to get PAM to set UID/GID/shell/etc., I'd be happy.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
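The daemon-side extraction discussed in the quoted text, sketched as an added example that is not part of the original thread or of pam_radius_auth: a bounds-checked parser that pulls Vendor-Specific Attributes (RFC 2865 type 26) out of a forwarded Access-Accept datagram. Assumptions: sub-attributes use the one-byte type, one-byte length layout that RFC 2865 recommends, and the sample packet, its sub-attribute numbers 1 and 2, and the documentation enterprise number 32473 are constructed.

```python
import struct

ACCESS_ACCEPT = 2      # RFC 2865 packet code
VENDOR_SPECIFIC = 26   # RFC 2865 attribute type carrying VSAs

def _tlvs(buf, what):
    """Yield (type, value) from a run of 1-byte-type, 1-byte-length TLVs."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError(f"truncated {what} header")
        t, n = buf[i], buf[i + 1]          # length covers the 2 header bytes
        if n < 2 or i + n > len(buf):
            raise ValueError(f"{what} length out of bounds")
        yield t, buf[i + 2:i + n]
        i += n

def parse_vsas(packet):
    """Return [(vendor_id, vendor_type, value), ...] from an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if not 20 <= length <= len(packet):
        raise ValueError("length field disagrees with datagram size")
    found = []
    # Bytes 4..19 are the Response Authenticator; it is NOT verified here
    # (that needs the shared secret and the matching Request Authenticator).
    for atype, value in _tlvs(packet[20:length], "attribute"):
        if atype != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("VSA too short for a vendor id")
        vendor_id = struct.unpack("!I", value[:4])[0]
        found += [(vendor_id, t, v) for t, v in _tlvs(value[4:], "sub-attribute")]
    return found

def build_sample():
    """Constructed Access-Accept: Reply-Message plus one VSA, two sub-attributes."""
    subs = b"".join(bytes([t, len(v) + 2]) + v
                    for t, v in ((1, b"1001"), (2, b"/bin/bash")))
    vsa = struct.pack("!I", 32473) + subs   # 32473: RFC 5612 documentation number
    attrs = bytes([18, 4]) + b"ok" + bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for vendor, vtype, value in parse_vsas(build_sample()):
        print(vendor, vtype, value)
```

Because the forwarded copy arrives without a verified authenticator, a listener built this way should accept datagrams only on a loopback or otherwise access-controlled socket.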

