
List:       freeradius-users
Subject:    Re: Linux groups information from RADIUS server
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2019-04-22 21:20:46
Message-ID: 48EB88B0-2BD9-4828-AC36-BE5724B732D8 () deployingradius ! com

On Apr 22, 2019, at 5:10 PM, JCA <1.41421@gmail.com> wrote:
> 
> My understanding is that, when a Linux server delegates authentication
> chores (via PAM) to a RADIUS server, the information having to do with the
> groups that the authenticated user belongs to is retrieved either locally -
> from the relevant entry in /etc/passwd - or from a remote server via NSS -
> for example, from an LDAP server.

  Yes.  PAM does authentication.  NSS does everything else.

> Is there anything preventing one from getting the group information from
> the RADIUS server itself?

  There is no NSS radius module, and there is no standard way to get UID / GID / etc. data via RADIUS.

> The RADIUS server could be configured so that,
> when a user has been successfully authenticated by said server, this server
> would send back the authentication OK RADIUS message together with one or
> more attributes containing the groups information.
> 
> The reason I am asking this is because I have interacted with some devices
> in the past that were able to get these data from a RADIUS server alone.
> However, I don't know if this was achieved with the concourse of a
> mechanism similar to what I described, or something totally different.

  Nothing implements this.

  Nothing *prevents* it from being implemented, but nothing implements it.

  Alan DeKok.
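
The PAM/NSS split described in this thread, as an added example that is not part of the original messages: a Python check that reads a PAM stack and an nsswitch.conf and reports which modules authenticate and which NSS sources supply passwd and group data. Both config samples are constructed, and the pam_radius_auth.so and ldap entries are assumptions chosen for illustration.

```python
# Added example: constructed PAM and NSS samples, not taken from the thread.
PAM_SSHD = """\
# /etc/pam.d/sshd (constructed sample)
auth     sufficient  pam_radius_auth.so
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
session  required    pam_unix.so
"""

NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:  files ldap
group:   files ldap
shadow:  files
"""

def pam_modules(text, mgmt_type):
    """Return module names configured for one PAM management type (e.g. 'auth')."""
    mods = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        # Layout: type control module [args...]; bracketed controls are not handled.
        if len(fields) >= 3 and fields[0].lstrip("-") == mgmt_type:
            mods.append(fields[2])
    return mods

def nss_sources(text, database):
    """Return the ordered lookup sources for one NSS database (e.g. 'group')."""
    for line in text.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            # Drop action items such as [NOTFOUND=return]; keep service names.
            return [t for t in rest.split() if "=" not in t and not t.startswith("[")]
    return []

def identity_split(pam_text, nss_text):
    """Summarise who authenticates and who supplies UID/GID/group data."""
    auth = pam_modules(pam_text, "auth")
    return {
        "radius_auth": "pam_radius_auth.so" in auth,
        "auth_modules": auth,
        "passwd_sources": nss_sources(nss_text, "passwd"),
        "group_sources": nss_sources(nss_text, "group"),
    }

if __name__ == "__main__":
    for key, value in identity_split(PAM_SSHD, NSSWITCH).items():
        print(f"{key}: {value}")
```

Even with RADIUS in the auth stack, the group list in this sample comes only from the `files` and `ldap` NSS sources, so group membership has to be reviewed and controlled there.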

