Any way to implement privileges-granting as I configure in 'users'

Alan Buxey alan.buxey at gmail.com
Fri Nov 17 10:42:05 CET 2017


firstly, no working auth-type (ie something in authenticate section)
and auth packets will be rejected. no auths.

as for using LDAP - just stick the values you want into the LDAP
locations you want and then use those populated fields in the decision
tree when responding - read the ldap module docs - it's so flexible and
used so differently by people that you need to just read/understand the
basics and then you can engineer the solution to your requirements

alan


On 17 November 2017 at 09:15, luckydog xf <luckydogxf at gmail.com> wrote:
> Hello,
>
>     Currently I'm using the 'users' file to authorize users against login on our
> network devices like switches.
>
>    e.g
>   # /etc/raddb/users
> ......
> h3c    Cleartext-Password := "netadmin"
>        Service-Type = NAS-Prompt-User,
>        Huawei-Exec-Privilege = "3",
>        Login-Service = 50
> ......
>
>
> But I want to integrate it with FreeIPA (which provides an LDAP service),
> which brings the benefit of using one-time passwords (see this
> https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
> )
>
> Apparently it's easy to configure user's account, but is there any way to
> handle the privileges related stuff like 'Huawei-Exec-Privilege = "3",' in
> LDAP?
>
> And by the way, how is the 'authenticate' section in 'site-enabled/default'
> called? I'm a little bit confused. Can I say that the 'authenticate' section is
> useless and would NEVER be called unless I add "Auth-Type := FOO" in the
> 'authorize' section? I guess this from the comment of 'default'.
>
> Thanks,
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
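
One way to wire up what the reply describes, as an added example that is not part of the original thread and is not the FreeRADIUS project's own configuration. It assumes FreeRADIUS 3.x file layout and syntax, that the FreeRADIUS LDAP schema (which defines radiusReplyAttribute) has been loaded into the directory, and a constructed user DN.

```conf
# --- mods-enabled/ldap (fragment; assumes FreeRADIUS 3.x) ---
ldap {
    # server, identity, password and base_dn are site-specific and omitted here.

    update {
        # Generic mapping: every value of this LDAP attribute is parsed as a
        # complete "Attribute op value" pair and added to the reply list.
        # Assumption: the FreeRADIUS LDAP schema is loaded so that
        # 'radiusReplyAttribute' exists in the directory.
        reply: += 'radiusReplyAttribute'
    }
}

# --- LDAP entry (constructed sample, shown as LDIF in comments) ---
# The same reply items the 'users' file entry returned, now stored per user:
#
#   dn: uid=h3c,cn=users,cn=accounts,dc=example,dc=com
#   radiusReplyAttribute: Service-Type := NAS-Prompt-User
#   radiusReplyAttribute: Huawei-Exec-Privilege := 3
#   radiusReplyAttribute: Login-Service := 50

# --- sites-enabled/default (fragment) ---
authorize {
    # Looks the user up and copies the mapped attributes into the reply list.
    ldap

    # Nothing here supplies a password to compare against, so select the
    # authenticate subsection explicitly; without a usable Auth-Type the
    # request is rejected.
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
}

authenticate {
    # Runs only when control:Auth-Type was set to ldap above; verifies the
    # supplied password by binding to the directory as the user.
    Auth-Type LDAP {
        ldap
    }
}
```

Because the privilege level now comes from the directory, write access to radiusReplyAttribute should be limited to the administrators who are allowed to grant switch privileges.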

