Thanks a lot, Christian, for your answer. It gives me more to think about. Do you mean I can use PAM for authentication and LDAP for authorization? Or do I enable LDAP in the authentication section, but then need to specify that the user uses both authentications? In /raddb/users, I think you can only define one Auth-Type. Am I missing something?
Really appreciate your help!!

Lou

On Wed, Jun 15, 2011 at 12:50 AM, Christian Hesse <[email protected]> wrote:
> Hailu Meng <[email protected]> on Tue, 14 Jun 2011 16:55:30 -0500:
> > Simon,
> >
> > New version of freeradius is still doing that. But anyway we can look
> > at that part later.
> >
> > At this point, my ldap and oath works well independently. But when I
> > put them together in PAM, only the first module will get user name
> > and password popped up. The second module doesn't give me the prompt
> > for inputting user name and password. I'm testing with Juniper VPN.
> > My /etc/pam.d/radiusd is:
> >
> > #%PAM-1.0
> > auth required pam_ldap.so debug
> > auth required pam_oath.so debug usersfile=/etc/users.oath window=20
> > account include system-auth
> > password include system-auth
> > session include system-auth
> >
> > So when Juniper VPN pop up the user name prompt, I put ldap login but
> > I saw the oath is taking that password too. It didn't give me the 2nd
> > prompt. I guess I need do something after the pam_ldap finishes.
> > Maybe I need modify the oath code to add conversation function to it?
>
> Freeradius is an authentication, authorization and accounting server.
> Not just a frontend for pam... It can query a lot of databases,
> directories, etc itself.
>
> You should remove ldap from your pam configuration, instead add ldap to
> your authorize section in freeradius' configuration just before the pam
> module:
>
> [...]
> authenticate {
>     [...]
>     Auth-Type LDAP {
>         ldap
>     }
>     [...]
>     pam
>     [...]
> }
> [...]
>
> As always I suppose freeradius needs some more configuration to work
> properly. ;)
> --
> Kind regards
> Chris
>
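A fuller sketch of the layout Christian describes, added here as an example rather than configuration taken from the thread: pam_ldap is dropped from the PAM stack so PAM only carries the OATH check, rlm_ldap runs in FreeRADIUS's own authorize section, and the authenticate section carries both an LDAP and a PAM Auth-Type. The file paths, the FreeRADIUS 2.x syntax, the `set_auth_type` remark and the users-file entry (user `alice`) are assumptions; check them against your installed version's module configuration.

```text
# /etc/pam.d/radiusd  (assumed path; pam_ldap removed, only the OTP check stays in PAM)
#%PAM-1.0
auth     required  pam_oath.so debug usersfile=/etc/users.oath window=20
account  include   system-auth
password include   system-auth
session  include   system-auth

# /etc/raddb/sites-enabled/default  (assumed path; FreeRADIUS 2.x syntax)
authorize {
    preprocess
    files                  # reads /etc/raddb/users; may set Auth-Type := PAM
    ldap                   # looks the user up in the directory; with
                           # set_auth_type = yes in modules/ldap it sets
                           # Auth-Type := LDAP when nothing has set one yet
    pap
}

authenticate {
    Auth-Type LDAP {
        ldap               # binds to the directory as the user
    }
    Auth-Type PAM {
        pam                # hands the request's password to /etc/pam.d/radiusd
    }
    pap
}

# /etc/raddb/users  (assumed; one Auth-Type per entry, as noted in the thread)
# alice is a constructed example: she is sent to PAM (the OATH stack);
# users without an entry fall through to whatever authorize selected.
alice   Auth-Type := PAM
```

The reason for moving LDAP out of PAM is that a RADIUS Access-Request carries a single User-Password attribute, and rlm_pam feeds that one value to every prompt in the PAM conversation; that is why pam_oath received the LDAP password in the original stack. With rlm_ldap handling the directory bind inside FreeRADIUS, each backend sees only the credential it is meant to verify, which also makes a failed directory bind and a failed OTP distinguishable in the radiusd debug output.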
