Re: [OATH-Toolkit-help] FreeRadius integration


From: Christian Hesse
Subject: Re: [OATH-Toolkit-help] FreeRadius integration
Date: Wed, 15 Jun 2011 07:50:52 +0200

Hailu Meng <address@hidden> on Tue, 14 Jun 2011 16:55:30 -0500:
> Simon,
> 
> New version of freeradius is still doing that. But anyway we can look
> at that part later.
> 
> At this point, my ldap and oath work well independently. But when I
> put them together in PAM, only the first module will get user name
> and password popped up. The second module doesn't give me the prompt
> for inputting user name and password. I'm testing with Juniper VPN.
> My /etc/pam.d/radiusd is:
> 
> #%PAM-1.0
> auth       required     pam_ldap.so debug
> auth       required     pam_oath.so debug usersfile=/etc/users.oath window=20
> account    include      system-auth
> password   include     system-auth
> session    include     system-auth
> 
> So when Juniper VPN pops up the user name prompt, I put ldap login but
> I saw the oath is taking that password too. It didn't give me the 2nd
> prompt. I guess I need to do something after the pam_ldap finishes.
> Maybe I need to modify the oath code to add a conversation function to it?

Freeradius is an authentication, authorization and accounting server.
Not just a frontend for pam... It can query a lot of databases,
directories, etc. itself.

You should remove ldap from your pam configuration, instead add ldap to
your authorize section in freeradius' configuration just before the pam
module:

[...]
authenticate {
        [...]
        Auth-Type LDAP {
                ldap
        }
        [...]
        pam
        [...]
}
[...]

As always I suppose freeradius needs some more configuration to work
properly. ;)
-- 
Kind regards
Chris
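
What the `pam_oath.so usersfile=/etc/users.oath window=20` line in the quoted PAM file checks, as an added example that is not part of the original message and is not OATH Toolkit code. The usersfile field layout, the sample entry (built from the RFC 4226 test key) and the exact window boundary are assumptions modelled on pam_oath's documented behaviour.

```python
import hashlib
import hmac
import struct

# Constructed sample usersfile: type, user, PIN ("-" = none), hex secret, counter.
# The secret is the RFC 4226 test key "12345678901234567890", not a real credential.
SAMPLE_USERSFILE = """\
# constructed example entry
HOTP alice - 3132333435363738393031323334353637383930 0
"""

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def parse_usersfile(text: str) -> dict:
    """Return {user: {"secret": bytes, "counter": int}} for event-based HOTP entries."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "HOTP":
            continue  # skips comments, blank lines and other token types
        counter = int(fields[4]) if len(fields) > 4 else 0
        users[fields[1]] = {"secret": bytes.fromhex(fields[3]), "counter": counter}
    return users

def validate(users: dict, user: str, otp: str, window: int = 20) -> bool:
    """Accept otp if it matches a counter from the stored value up to `window` ahead."""
    entry = users.get(user)
    if entry is None:
        return False
    for step in range(window + 1):
        candidate = hotp(entry["secret"], entry["counter"] + step)
        if hmac.compare_digest(candidate.encode(), otp.encode()):
            # Resynchronise: the matched code and every skipped one are now spent.
            entry["counter"] += step + 1
            return True
    return False
```
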


