Setting up centralized authentication for Linux SSH users

Alan DeKok aland at deployingradius.com
Mon Jun 22 21:22:23 CEST 2015


On Jun 22, 2015, at 3:03 PM, Daniel Bray <dbray925 at gmail.com> wrote:
> Thanks again.  In the end, this is the logic I came up with, and
> appears to be doing what I need it to do:
> 
>  # First, start with the "blanks".  Meaning, no group, no NAS IP, no
> access...get out.
>  if (("%{sql:SELECT `groupname` FROM `radusergroup` WHERE

  PLEASE don't change the meaning or contents of the existing tables.  That will confuse anyone who expects the standard meaning.

  If you're going to use the radusergroup table, please read this page, which describes how it works:

http://wiki.freeradius.org/modules/Rlm_sql

  If that functionality matches what you need, then delete your custom queries, and use the standard configuration.

> For future vendors, I see the "elsif" part growing, and
> changing....and that's about it.  So far, all my tests are working,
> and not working as expected.

  Databases should store data.  If your rules require 10+ if/then/else statements which are all identical but for "vendor"... that data belongs in a database.  Create a custom schema of user name, NAS IP, group, and vendor.  Then write ONE select statement which pulls information from SQL.

  It will be much, much easier to maintain and extend in the future.

  Alan DeKok.
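The "one table, one SELECT" layout Alan recommends, shown as an added example that is not part of the mailing-list thread or of FreeRADIUS itself. It uses SQLite via Python's standard library so it runs offline; the table name user_nas_access, its column names, and the sample rows are all assumptions made for the demo. The user name and NAS IP are bound as query parameters rather than spliced into the SQL text, and a missing row means reject, which is the "no group, no NAS IP, no access" case from the quoted policy.

```python
"""
Added example (not from the mailing-list post): a custom schema of
user name, NAS IP, group and vendor, plus the single SELECT that
replaces a growing if/elsif chain. Table/column names are assumptions;
sample rows are constructed for the demo.
"""
import sqlite3

# Assumed schema: one row per (user, NAS) pair that is allowed access.
SCHEMA = """
CREATE TABLE user_nas_access (
    username  TEXT NOT NULL,
    nas_ip    TEXT NOT NULL,
    groupname TEXT NOT NULL,
    vendor    TEXT NOT NULL,
    PRIMARY KEY (username, nas_ip)
);
"""

# The single query that replaces the per-vendor conditionals.
# Both inputs are bound parameters, never interpolated into the SQL text,
# so a crafted User-Name cannot change the query's structure.
LOOKUP_SQL = """
SELECT groupname, vendor
  FROM user_nas_access
 WHERE username = ? AND nas_ip = ?
"""

# Constructed sample data for the demo (RFC 5737 documentation addresses).
SAMPLE_ROWS = [
    ("alice", "192.0.2.10", "netadmins", "cisco"),
    ("alice", "192.0.2.20", "netadmins", "juniper"),
    ("bob",   "192.0.2.10", "helpdesk",  "cisco"),
]


def open_demo_db():
    """Create an in-memory database with the assumed schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO user_nas_access VALUES (?, ?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_access(conn, username, nas_ip):
    """Return (groupname, vendor) for this user on this NAS, or None.

    None is the deny-by-default case: no row means the user has no group
    on that NAS, so the caller should reject rather than fall through.
    """
    row = conn.execute(LOOKUP_SQL, (username, nas_ip)).fetchone()
    return tuple(row) if row else None


def authorize(conn, username, nas_ip):
    """The decision a policy would make from the single lookup.

    Adding a vendor means adding rows, not adding another elsif branch.
    """
    hit = lookup_access(conn, username, nas_ip)
    if hit is None:
        return {"action": "reject", "reason": "no group/NAS entry"}
    groupname, vendor = hit
    return {"action": "accept", "groupname": groupname, "vendor": vendor}


if __name__ == "__main__":
    db = open_demo_db()
    for user, nas in [
        ("alice", "192.0.2.10"),
        ("alice", "192.0.2.20"),
        ("bob", "192.0.2.20"),
        ("mallory", "192.0.2.10"),
    ]:
        print(user, nas, authorize(db, user, nas))
```

The vendor column is what the per-vendor branches were keying on; once it comes back from the lookup, any vendor-specific reply attributes can be selected from that value, and supporting a new vendor is a row insert rather than a config change. When the same statement is issued from the server's SQL module, the attribute expansions such as `%{User-Name}` and `%{NAS-IP-Address}` take the place of the two bound parameters; the point of the example is that the decision is one lookup, not a chain of conditionals.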
