[EXTERNAL] best practice for user permissions

Winfield, Alister Alister.Winfield at sky.uk
Wed Jun 27 12:58:25 CEST 2018


Personally I'd avoid the users file; it's too hard to understand what its intent is.

What is best sometimes depends upon how complex the optionality is, just like any programming / policy design.

For example, if this is very simplistic then the group name could be used to select a profile from LDAP which in turn contains the attributes you want to add to the response. That kind of mechanism makes the policy essentially data driven, but can get out of hand if there are too many 'options' requiring distinct profiles. (This is similar to the files mechanism, if a tiny bit more obvious as to what is going on.)
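The data-driven variant described above, written out as an added example for FreeRADIUS 3.0.x. This is not configuration from either post or from the FreeRADIUS project's shipped files: the server name, base DNs, group object class and the ou=profiles subtree are placeholders, the LDIF entry is constructed, and the use of a per-request expansion in profile.default and the "Attribute op value" syntax of radiusReplyAttribute are assumptions to check against the rlm_ldap documentation for your release. It generalises the original poster's single "reseau" group: every group gets its own profile object, so adding a new role means adding an LDAP entry rather than editing unlang.

```unlang
# --- mods-available/ldap (trimmed to the parts that matter) ---------------
ldap {
    server  = "ldap.example.org"            # placeholder
    base_dn = "dc=example,dc=org"           # placeholder

    user {
        base_dn = "ou=people,${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn           = "ou=groups,${..base_dn}"
        filter            = "(objectClass=groupOfNames)"   # placeholder class
        name_attribute    = cn
        membership_filter = "(member=%{control:Ldap-UserDn})"
        # Cache the group names on the request as control:LDAP-Group so they
        # can be referenced from unlang and from the profile expansion below.
        cacheable_name    = "yes"
    }

    profile {
        filter = "(objectClass=radiusprofile)"
        # Assumption: the profile object carries the same cn as the group, so
        # the user's (first) cached group name selects it. A user in no group
        # resolves to cn=none, which does not exist and applies nothing.
        default = "cn=%{%{control:LDAP-Group}:-none},ou=profiles,${..base_dn}"
    }

    update {
        control:Password-With-Header += 'userPassword'
        # Generic reply attribute: each value is parsed as "Attribute op value".
        reply:                       += 'radiusReplyAttribute'
    }
}

# --- constructed profile entry (LDIF) for members of the "reseau" group ----
# dn: cn=reseau,ou=profiles,dc=example,dc=org
# objectClass: radiusprofile
# cn: reseau
# radiusReplyAttribute: Cisco-AVPair := "shell:priv-lvl=15"

# --- sites-enabled/default -------------------------------------------------
authorize {
    ...
    ldap
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
    ...
}

authenticate {
    ...
    Auth-Type ldap {
        ldap
    }
    ...
}

post-auth {
    # Deny by default: a user whose group has no profile (or no group at all)
    # would otherwise receive a bare Access-Accept with no privilege level.
    if (!&reply:Cisco-AVPair) {
        reject
    }
}
```

The policy itself is now just "members of group X get profile X"; what each profile grants lives in the directory. The post-auth check is the part worth keeping whatever you choose, since without it a missing or misnamed profile silently degrades to an accept rather than a reject. The limitation Alister alludes to shows up here too: with several groups per user only one cached name is expanded, so overlapping roles need either a profile per combination or a return to explicit unlang.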



On 27/06/2018, 10:29, "Freeradius-Users on behalf of Samuel LEFOL" <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org on behalf of samuel.lefol at univ-lorraine.fr> wrote:



    Hello,

    I'm using freeradius 3.0.12 with rlm_ldap authentication.
    I configured it as suggested in the README:
       authorize {
         ...
         ldap
         if ((ok || updated) && User-Password) {
           update control {
             Auth-Type := ldap
           }
         }
         ...
       }

       authenticate {
         ...
         Auth-Type ldap {
           ldap
         }
         ...
       }


    I wonder what is the best practice for user permissions.

    1. in users file :
    DEFAULT Auth-Type := ldap, LDAP-Group == "reseau"
             cisco-avpair :="shell:priv-lvl=15"
    DEFAULT Auth-Type := Reject

    OR

    2. in post-auth section
    if (LDAP-Group == "reseau") {
       update reply {
         cisco-avpair :="shell:priv-lvl=15"
       }
    }
    else {
       reject
    }


    Could someone give me an explanation of the best way to go?

    Best regards,
    Sam




