On 27/06/18 16:35, Alan DeKok wrote:
On Jun 27, 2018, at 5:28 AM, Samuel LEFOL <samuel.lefol@univ-lorraine.fr> wrote:
Hello,
Hello Alan. Thank you for your reply.
I'm using freeradius 3.0.12 with rlm_ldap authentication. I configured it as suggested in README:
Which README? We haven't recommended doing this for a long time. I saw this information in the file raddb / README.rst.
authorize { ... ldap if ((ok || updated) && User-Password) { update control { Auth-Type := ldap
Don't do that. It's generally unnecessary, and will cause many authentication types to fail.
I do not have access to the ldap User-Password field (anonymous bind). So, I use "user bind" as authentication process. If I do not set Auth-Type LDAP in users file, I have to force him here.
I wonder what is the best practice for user permissions.
1. in users file : DEFAULT Auth-Type := ldap, LDAP-Group == "reseau" cisco-avpair :="shell:priv-lvl=15" DEFAULT Auth-Type := Reject
You don't need to set Auth-Type LDAP
You usually don't need to set Auth-Type Reject. Any users who aren't known will automatically be rejected.
OR
2. in post-auth section if (LDAP-Group == "reseau") { update reply { cisco-avpair :="shell:priv-lvl=15" } } else { reject }
That works. And rejects anyone who isn't in the "reseau" group.
Could someone give me an explanation of the best way to go ?
Avoid the "users" file for anything other than trivial policies.
I think that's what I'm going to do.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html