From owner-freebsd-net Thu Feb 25 1:17:50 1999
Date: Thu, 25 Feb 1999 09:17:16 +0000 ( )
From: "Victor M. Mondragon A."
To: Chris Shenton
Cc: GVB , freebsd-net@FreeBSD.ORG
Subject: Re: RADIUS Solutions [synchronizing passwords across systems]
In-Reply-To: <86lnhnu83x.fsf@samizdat.uucom.com>
Message-ID:

> GVB writes:
>
> > I will be running two FreeBSD machines for Radius Authentication.
> > Both using Meritt AAA and /etc/passwd for authentication. What is
> > the best way to synchronize passwd files between the two systems
> > immediately (or 5 minute increments) upon user adds and password
> > changes, etc. NIS? rsync? etc..
Our solution is simple and works very fast: I wrote a simple inetd service
([getpw.c], available from _me_ by mail request, ~4K sources), which uses the
getpwnam(2) function and a custom database #include

Add the following line to /etc/services:

getpw 1111/tcp #network authentication

And this one goes in /etc/inetd.conf:

getpw stream tcp nowait root /usr/libexec/tcpd /usr/sbin/getpw

Now try it using telnet:

# kill -HUP your_inetd_process_number
# telnet your.host 1111
user987 <-- type the username
user987:525:radius:101:Bj95X221nM:FFAAFFF8766Ag <-- you'll get this

So this means user987 has uid=525 on group=radius gid=101
encrypted_passwd=Bj95X221nM comment=FFAAFFF8766A

We use the comment field as a 'text/hex structure' for the access
privileges for each user, i.e.: what WWW pages are allowed, access phone
lines, modem use credit, use the fax-mail, is he/she a group/dept leader,
etc.

This service can be accessed from C, perl and even shell scripts, so it may
be easy to adapt to a radius authenticator (have you seen the one developed
in perl? I know it is in the CPAN, as well as many other radius stuff).

---------------------------------------------------------------------------
Victor Manuel Mondragon mdragon@vera.net
---------------------------------------------------------------------------
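As an added example that is not the author's getpw.c (which the post says is available on request), the following C program shows the responder side of the service described above: it reads one username on stdin, as inetd hands it the connection, validates it, and answers in the user:uid:group:gid:encrypted_passwd:comment layout assumed from the reply shown in the post.

```c
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Extract the username from a request line such as "user987\r\n" (telnet
 * sends CRLF). Only non-empty names of [A-Za-z0-9._-] are accepted; ':'
 * is rejected because it is the field separator of the reply. */
int parse_username(const char *line, char *out, size_t outlen)
{
    size_t n = 0;
    if (line == NULL || outlen == 0) return 0;
    for (; *line && *line != '\n' && *line != '\r'; line++) {
        unsigned char c = (unsigned char)*line;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-') || n + 1 >= outlen)
            return 0;                   /* bad character or name too long */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return n > 0;
}

/* Build "user:uid:group:gid:encrypted_passwd:comment" (layout assumed from
 * the post). groupname is a parameter so the function is testable offline. */
int format_record(const struct passwd *pw, const char *groupname,
                  char *buf, size_t buflen)
{
    int len = snprintf(buf, buflen, "%s:%u:%s:%u:%s:%s",
                       pw->pw_name, (unsigned)pw->pw_uid,
                       groupname ? groupname : "", (unsigned)pw->pw_gid,
                       pw->pw_passwd ? pw->pw_passwd : "",
                       pw->pw_gecos ? pw->pw_gecos : "");
    return len > 0 && (size_t)len < buflen;
}

/* inetd entry point: stdin/stdout are the accepted (tcpd-wrapped) socket.
 * Malformed requests and unknown users get no reply at all. */
int main(void)
{
    char line[256], user[32], reply[512];   /* 32: assumed name limit */
    const struct passwd *pw; const struct group *gr;
    if (fgets(line, sizeof line, stdin) == NULL ||
        !parse_username(line, user, sizeof user))
        return 1;
    if ((pw = getpwnam(user)) == NULL) return 1;
    gr = getgrgid(pw->pw_gid);
    if (format_record(pw, gr ? gr->gr_name : NULL, reply, sizeof reply))
        printf("%s\n", reply);
    return 0;
}
```

Because the reply carries the password hash in the clear, the tcpd wrapper in the inetd.conf line above is what limits which hosts may query it, so /etc/hosts.allow should admit only the RADIUS servers.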