best practice for user permissions

Samuel LEFOL samuel.lefol at univ-lorraine.fr
Wed Jun 27 17:00:31 CEST 2018



On 27/06/18 16:35, Alan DeKok wrote:
> On Jun 27, 2018, at 5:28 AM, Samuel LEFOL <samuel.lefol at univ-lorraine.fr> wrote:
>>
>> Hello,
Hello Alan. Thank you for your reply.

>>
>> I'm using freeradius 3.0.12 with rlm_ldap authentication.
>> I configured it as suggested in README:
> 
>    Which README?  We haven't recommended doing this for a long time.
I saw this information in the file raddb/README.rst.

> 
>>   authorize {
>>     ...
>>     ldap
>>     if ((ok || updated) && User-Password) {
>>       update control {
>>         Auth-Type := ldap
> 
>    Don't do that.  It's generally unnecessary, and will cause many authentication types to fail.
I do not have access to the LDAP User-Password field (anonymous bind). 
So, I use "user bind" as the authentication process. If I do not set 
Auth-Type LDAP in the users file, I have to force it here.

> 
>> I wonder what is the best practice for user permissions.
>>
>> 1. in users file :
>> DEFAULT Auth-Type := ldap, LDAP-Group == "reseau"
>>         cisco-avpair := "shell:priv-lvl=15"
>> DEFAULT Auth-Type := Reject
> 
>    You don't need to set Auth-Type LDAP
> 
>    You usually don't need to  set Auth-Type Reject.  Any users who aren't known will automatically be rejected.
> 
> 
>> OR
>>
>> 2. in post-auth section
>> if (LDAP-Group == "reseau") {
>>   update reply {
>>     cisco-avpair := "shell:priv-lvl=15"
>>   }
>> }
>> else {
>>   reject
>> }
> 
>    That works.  And rejects anyone who isn't in the "reseau" group.
> 
>> Could someone give me an explanation of the best way to go ?
> 
>    Avoid the "users" file for anything other than trivial policies.
I think that's what I'm going to do.

> 
>    Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
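The post-auth variant discussed above, written out as a complete policy for a FreeRADIUS 3.0 virtual server. This is an added example, not code from the thread or from the FreeRADIUS project. It assumes the rlm_ldap instance is named "ldap" (so its group attribute is LDAP-Group and its Auth-Type is LDAP), that group names "reseau" and "reseau-ro" exist and group.cacheable_name is enabled in mods-available/ldap, and that the NAS is a Cisco device reading Cisco-AVPair; only the lines relevant to this policy are shown, the rest of the default server stays unchanged. It also goes slightly beyond the thread by mapping a second group to a lower privilege level and by guarding the Auth-Type assignment so it never overrides one that another module (EAP, MS-CHAP) already set, which is the failure mode Alan warns about.

```unlang
# Added example, not from the thread or the FreeRADIUS project.
# Assumed names: instance "ldap", groups "reseau" / "reseau-ro",
# Cisco NAS, group.cacheable_name = yes in mods-available/ldap.

authorize {
    ldap

    # Unknown users: rlm_ldap returns "notfound", nothing sets Auth-Type,
    # and the server rejects the request by itself. No
    # "DEFAULT Auth-Type := Reject" entry is needed in the users file.

    # Anonymous bind case only (no readable password, so PAP must be done
    # by binding as the user). Set Auth-Type only when ldap found the user,
    # a cleartext User-Password is present, and no other module has already
    # chosen an Auth-Type; otherwise EAP/MS-CHAP requests would break.
    if ((ok || updated) && &User-Password && !&control:Auth-Type) {
        update control {
            &Auth-Type := LDAP
        }
    }
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}

post-auth {
    # Authorisation by group after a successful bind. With cacheable_name
    # enabled the LDAP-Group comparisons are answered from the group list
    # cached during authorize, not by further LDAP queries.
    if (&LDAP-Group == "reseau") {
        update reply {
            &Cisco-AVPair := "shell:priv-lvl=15"
        }
    }
    elsif (&LDAP-Group == "reseau-ro") {
        # Assumed read-only group: lowest exec privilege level.
        update reply {
            &Cisco-AVPair := "shell:priv-lvl=1"
        }
    }
    else {
        # Valid credentials but not authorised for this device class:
        # refuse access instead of answering with no privilege attribute.
        reject
    }

    Post-Auth-Type REJECT {
        # Keep the Access-Reject clean of any reply attributes set above.
        attr_filter.access_reject
    }
}
```

Before relying on the else branch, confirm with `radiusd -X` and a test user outside both groups that the request ends in Access-Reject; a device that treats a missing priv-lvl as level 1 would otherwise still let that user log in.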

