oath-toolkit-help

Re: [OATH-Toolkit-help] FreeRadius integration


From: Hailu Meng
Subject: Re: [OATH-Toolkit-help] FreeRadius integration
Date: Wed, 15 Jun 2011 08:09:37 -0500

Thanks a lot for your answer, Christian. It gives me more to think about. Do you mean I can use PAM for authentication and LDAP for authorization? Or do I enable LDAP in the authentication session, but then you need to specify that the user uses both authentications? In /raddb/users, I think you can only define one Auth-Type. Am I missing something?

Really appreciate your help!!

Lou

On Wed, Jun 15, 2011 at 12:50 AM, Christian Hesse <address@hidden> wrote:
Hailu Meng <address@hidden> on Tue, 14 Jun 2011 16:55:30 -0500:
> Simon,
>
> New version of freeradius is still doing that. But anyway we can look
> at that part later.
>
> At this point, my ldap and oath works well independently. But when I
> put them together in PAM, only the first module will get user name
> and password popped up. The second module doesn't give me the prompt
> for inputting user name and password. I'm testing with Juniper VPN.
> My /etc/pam.d/radiusd is:
>
> #%PAM-1.0
> auth       required     pam_ldap.so debug
> auth       required     pam_oath.so     debug usersfile=/etc/users.oath window=20
> account    include      system-auth
> password   include     system-auth
> session    include     system-auth
>
> So when the Juniper VPN pops up the user name prompt, I put in the ldap
> login, but I saw that oath is taking that password too. It didn't give
> me the 2nd prompt. I guess I need to do something after pam_ldap finishes.
> Maybe I need to modify the oath code to add a conversation function to it?

Freeradius is an authentication, authorization and accounting server.
Not just a frontend for pam... It can query a lot of databases,
directories, etc itself.

You should remove ldap from your pam configuration, instead add ldap to
your authorize section in freeradius' configuration just before the pam
module:

[...]
authenticate {
       [...]
       Auth-Type LDAP {
               ldap
       }
       [...]
       pam
       [...]
}
[...]

As always I suppose freeradius needs some more configuration to work
properly. ;)
--
Schoene Gruesse
Chris
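
The quoted `/etc/pam.d/radiusd` passes `window=20` to `pam_oath.so`. As an added example (not code from this thread or from OATH Toolkit), the Python below shows what a look-ahead window does in RFC 4226 HOTP validation. It assumes event-based (HOTP) entries and an inclusive range `counter..counter+window`; `hotp`, `validate`, `demo` and `SECRET` are hypothetical names.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for a single counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def validate(secret: bytes, counter: int, otp: str, window: int = 20):
    """Return the counter to store next if otp matches inside the window,
    otherwise None. Assumption: inclusive range counter..counter+window."""
    if not (otp.isascii() and otp.isdigit() and len(otp) in (6, 7, 8)):
        return None
    matched = None
    for c in range(counter, counter + window + 1):
        # Constant-time compare, and always scan the whole window.
        ok = hmac.compare_digest(hotp(secret, c, len(otp)), otp)
        if ok and matched is None:
            matched = c
    # Storing matched + 1 is what stops a used OTP from being replayed.
    return None if matched is None else matched + 1


# Constructed sample input: the RFC 4226 Appendix D test secret.
SECRET = b"12345678901234567890"


def demo():
    return [
        validate(SECRET, 0, "755224"),             # OTP for counter 0
        validate(SECRET, 0, "520489", window=20),  # counter 9, inside window
        validate(SECRET, 0, "520489", window=8),   # counter 9, outside window
        validate(SECRET, 1, "755224", window=8),   # replay of counter 0
    ]


if __name__ == "__main__":
    print(demo())
```

A larger window tolerates more unused token presses, but it also multiplies the number of codes that are valid at any moment, so it is a trade-off to set deliberately.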

