On Jun 27, 2018, at 5:28 AM, Samuel LEFOL <samuel.lefol@univ-lorraine.fr> wrote:
Hello,
I'm using freeradius 3.0.12 with rlm_ldap authentication. I configured it as suggested in README:
Which README? We haven't recommended doing this for a long time.
authorize { ... ldap if ((ok || updated) && User-Password) { update control { Auth-Type := ldap
Don't do that. It's generally unnecessary, and will cause many authentication types to fail.
I wonder what is the best practice for user permissions.
1. in users file : DEFAULT Auth-Type := ldap, LDAP-Group == "reseau" cisco-avpair :="shell:priv-lvl=15" DEFAULT Auth-Type := Reject
You don't need to set Auth-Type LDAP You usually don't need to set Auth-Type Reject. Any users who aren't known will automatically be rejected.
OR
2. in post-auth section if (LDAP-Group == "reseau") { update reply { cisco-avpair :="shell:priv-lvl=15" } } else { reject }
That works. And rejects anyone who isn't in the "reseau" group.
Could someone give me an explanation of the best way to go ?
Avoid the "users" file for anything other than trivial policies. Alan DeKok.