I want to implement login to my vpn service with password + google_otp. freeradius as auth server and ldap as backend_database.
I have completed the following work:
- enable pam Authentication Module in /etc/raddb/sites-enabled/default
- add a line "DEFAULT Auth-Type := PAM" to /etc/raddb/users
- enable ldap module and add ldap site to freeradis, I confirm that raidus use ldap database is working properly.
- Overwrite the contents of /etc/pam.d/radiusd
auth requisite pam_google_authenticator.so secret=/tmp/.google_authenticator user=root forward_pass auth required pam_unix.so use_first_pass
run test cmd:(testpa is my password,271082 is otp)
radtest perlingzhao testpa271082 localhost 1812 testing123
radius log:
(0) [pap] = noop
(0) } # authorize = updated
(0) Found Auth-Type = pam
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) pam: Using pamauth string "radiusd" for pam.conf lookup
(0) pam: ERROR: pam_authenticate failed: User not known to the underlying authentication module
(0) [pam] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
log in /var/log/secure:
radiusd(pam_google_authenticator)[11728]: Accepted google_authenticator for perlingzhao
pam_unix(radiusd:auth): check pass; user unknown
pam_unix(radiusd:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost=
I know this is because there is no local user, user info is in ldap.
anyone can help me , tell me how to config can solve this problem, thanks.
