PAM+RADIUS Attribute Value Pairs
Tobias Heide
tucks at gmx.de
Mon Jan 21 21:31:57 UTC 2008
Hi Leonardo,
I'm not into the whole radius thing, but if I understand you correctly,
you want to have a possibility to return some data to the application
from your PAM module.
I faced the same problem with my student research project, and I used an
extended conversation function with a new "message-type" as a solution.
This of course breaks compatibility with many applications (to be more
exact: it breaks compatibility if the authorization server - in my case an
XACML-Server - returns some attribute-value-pairs). I solved the problem
by denying any access if the application does not understand my messages.
Also I had to put a lot of effort into the whole encoding/decoding-part,
because the PAM conversation-interface only allows character pointers,
while XACML allows typed attributes with multiple values...
Hope this helps you.
tobi
Leonardo Pereira Santos wrote:
> Hello All:
>
> I'm using PAM as an interface to a RADIUS server. I managed to get the
> authentication part working, but I need to get authorization to work too. I
> know that the pam_radius_auth.so doesn't support authorization, so I'm trying
> to hack it.
> My main problem is how to pass ANY token from the RADIUS reply in the
> talk_radius() function. What functions in the framework can be used for
> this? I have to look at the attribute-value pairs in the AUTH_OK response
> from the RADIUS server and then set some attribute. I tried to use the
> pam_set_data/pam_get_data functions, but they won't work if called from an
> application.
> Any ideas are welcome. Thank you.
>
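Added example, not part of the original message or of the project it mentions: a sketch of the application-side decoding step described above, where typed, multi-valued attributes have to travel through the conversation interface as a plain character string and anything the application does not understand leads to denial. The wire format, the two type names, `struct avp` and `avp_decode` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (an assumption, not from the post):
 *   name:type=val[,val...]   type is "string" or "integer";
 *   reserved bytes (: = , %) inside name or values travel as %XX. */
enum { MAXV = 8 };
struct avp { char *name, *type, *vals[MAXV]; int nvals; };

/* Decode %XX in place; reject malformed escapes and an embedded NUL. */
static int unescape(char *s)
{
    char *w = s;
    for (; *s; s++) {
        unsigned v = 0;
        if (*s != '%') { *w++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        sscanf(s + 1, "%2x", &v);
        if (v == 0) return -1;
        *w++ = (char)v;
        s += 2;
    }
    *w = '\0';
    return 0;
}

/* Application side: parse msg in place. Returns the value count, or -1 for
 * "not understood", which the caller must treat as access denied. */
int avp_decode(char *msg, struct avp *a)
{
    char *colon = strchr(msg, ':'), *eq = colon ? strchr(colon, '=') : NULL;
    if (!colon || !eq || colon == msg) return -1;
    *colon = *eq = '\0';
    a->name = msg; a->type = colon + 1; a->nvals = 0;
    int is_int = strcmp(a->type, "integer") == 0;
    if (!is_int && strcmp(a->type, "string") != 0) return -1; /* unknown type */
    for (char *v = eq + 1; v; ) {
        char *comma = strchr(v, ',');
        if (comma) *comma = '\0';
        if (a->nvals == MAXV || unescape(v)) return -1;
        if (is_int && (!*v || v[strspn(v, "0123456789")])) return -1; /* digits only */
        a->vals[a->nvals++] = v;
        v = comma ? comma + 1 : NULL;
    }
    return unescape(a->name) ? -1 : a->nvals;
}
```

The decoder modifies the buffer it is given, so pass it a private copy of the message text and deny access on any `-1` result.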