best practice for user permissions
Hello, I'm using freeradius 3.0.12 with rlm_ldap authentication. I configured it as suggested in README: authorize { ... ldap if ((ok || updated) && User-Password) { update control { Auth-Type := ldap } } ... } authenticate { ... Auth-Type ldap { ldap } ... } I wonder what is the best practice for user permissions. 1. in users file : DEFAULT Auth-Type := ldap, LDAP-Group == "reseau" cisco-avpair :="shell:priv-lvl=15" DEFAULT Auth-Type := Reject OR 2. in post-auth section if (LDAP-Group == "reseau") { update reply { cisco-avpair :="shell:priv-lvl=15" } } else { reject } Could someone give me an explanation of the best way to go ? Best regards, Sam
Personally I'd avoid the users file its too hard to understand what its intent is. What is best sometimes depends upon how complex the optionality is just like any programming / policy design. For example if this is very simplistic then the group name could be used to select a profile from LDAP which in turn contains the attributes you want to add to the response. That kind of mechanism makes the policy essentially data driven but can get out of hand if there are too many 'options' requiring distinct profiles. (This is similar to the files mechanism if a tiny bit more obvious as to what is going on). On 27/06/2018, 10:29, "Freeradius-Users on behalf of Samuel LEFOL" <freeradius-users-bounces+alister.winfield=sky.uk@lists.freeradius.org on behalf of samuel.lefol@univ-lorraine.fr> wrote: This email is from an external source. Please do not open attachments or click links from an unknown origin. Suspicious messages can be reported by sending them as an attachment to phishing@sky.uk -------------------------------------------------------------------- ________________________________ Hello, I'm using freeradius 3.0.12 with rlm_ldap authentication. I configured it as suggested in README: authorize { ... ldap if ((ok || updated) && User-Password) { update control { Auth-Type := ldap } } ... } authenticate { ... Auth-Type ldap { ldap } ... } I wonder what is the best practice for user permissions. 1. in users file : DEFAULT Auth-Type := ldap, LDAP-Group == "reseau" cisco-avpair :="shell:priv-lvl=15" DEFAULT Auth-Type := Reject OR 2. in post-auth section if (LDAP-Group == "reseau") { update reply { cisco-avpair :="shell:priv-lvl=15" } } else { reject } Could someone give me an explanation of the best way to go ? Best regards, Sam - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky plc and Sky International AG and are used under licence. Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of Sky plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.
On Jun 27, 2018, at 5:28 AM, Samuel LEFOL <samuel.lefol@univ-lorraine.fr> wrote:
Hello,
I'm using freeradius 3.0.12 with rlm_ldap authentication. I configured it as suggested in README:
Which README? We haven't recommended doing this for a long time.
authorize { ... ldap if ((ok || updated) && User-Password) { update control { Auth-Type := ldap
Don't do that. It's generally unnecessary, and will cause many authentication types to fail.
I wonder what is the best practice for user permissions.
1. in users file : DEFAULT Auth-Type := ldap, LDAP-Group == "reseau" cisco-avpair :="shell:priv-lvl=15" DEFAULT Auth-Type := Reject
You don't need to set Auth-Type LDAP You usually don't need to set Auth-Type Reject. Any users who aren't known will automatically be rejected.
OR
2. in post-auth section if (LDAP-Group == "reseau") { update reply { cisco-avpair :="shell:priv-lvl=15" } } else { reject }
That works. And rejects anyone who isn't in the "reseau" group.
Could someone give me an explanation of the best way to go ?
Avoid the "users" file for anything other than trivial policies. Alan DeKok.
On 27/06/18 16:35, Alan DeKok wrote:
On Jun 27, 2018, at 5:28 AM, Samuel LEFOL <samuel.lefol@univ-lorraine.fr> wrote:
Hello,
Hello Alan. Thank you for your reply.
I'm using freeradius 3.0.12 with rlm_ldap authentication. I configured it as suggested in README:
Which README? We haven't recommended doing this for a long time. I saw this information in the file raddb / README.rst.
authorize { ... ldap if ((ok || updated) && User-Password) { update control { Auth-Type := ldap
Don't do that. It's generally unnecessary, and will cause many authentication types to fail.
I do not have access to the ldap User-Password field (anonymous bind). So, I use "user bind" as authentication process. If I do not set Auth-Type LDAP in users file, I have to force him here.
I wonder what is the best practice for user permissions.
1. in users file : DEFAULT Auth-Type := ldap, LDAP-Group == "reseau" cisco-avpair :="shell:priv-lvl=15" DEFAULT Auth-Type := Reject
You don't need to set Auth-Type LDAP
You usually don't need to set Auth-Type Reject. Any users who aren't known will automatically be rejected.
OR
2. in post-auth section if (LDAP-Group == "reseau") { update reply { cisco-avpair :="shell:priv-lvl=15" } } else { reject }
That works. And rejects anyone who isn't in the "reseau" group.
Could someone give me an explanation of the best way to go ?
Avoid the "users" file for anything other than trivial policies.
I think that's what I'm going to do.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 27, 2018, at 11:00 AM, Samuel LEFOL <samuel.lefol@univ-lorraine.fr> wrote:
I saw this information in the file raddb / README.rst.
OK. That's for doing the same thing as v2. But in general, it's not recommended.
I do not have access to the ldap User-Password field (anonymous bind). So, I use "user bind" as authentication process. If I do not set Auth-Type LDAP in users file, I have to force him here.
Yeah, that's the only way to do it. But it only works for PAP. Alan DeKok.
participants (3)
-
Alan DeKok -
Samuel LEFOL -
Winfield, Alister