Specific, complicated, detailed user rights possibility?
Hi, We have idea to use radius for rights and ldap for authentication. So that radius acts proxy for external ldap and this part is working. But we need more detailed setup, for example, the idea is to allow user1 access some switches and disable user1 to access some other switches. And then even more specific rights, for example, switches which user1 can access, he have some switch with read-only and some other switch with read-write rights. And do it with groups, not using different configuration for every user, for example, so that users are listed in as groups, and these groups are used in access configurations? Huntgroups may be the solution, but as far I know, huntgroups are for device, and not for user rights. Also I don't know, can one and same device IP exist in many different huntgroups and can one huntgroup include other huntgroups? Is such setup possible and if yes, then how? -- Mart
On Aug 27, 2015, at 9:46 AM, Mart Pirita <mart@e-positive.ee> wrote:
But we need more detailed setup, for example, the idea is to allow user1 access some switches and disable user1 to access some other switches. And then even more specific rights, for example, switches which user1 can access, he have some switch with read-only and some other switch with read-write rights.
In general, data goes into databases, and policy rules go into the FreeRADIUS config. You should put all of these restrictions into an LDAP schema, and then use FreeRADIUS to query that.
And do it with groups, not using different configuration for every user, for example, so that users are listed in as groups, and these groups are used in access configurations?
If it's simple, you can put the devices into hunt groups, and the users into ldap groups. If it's more complex... there's no simple solution.
Huntgroups may be the solution, but as far I know, huntgroups are for device, and not for user rights. Also I don't know, can one and same device IP exist in many different huntgroups and can one huntgroup include other huntgroups?
You can't put hunt groups into other hunt groups. Alan DeKok.
Alan DeKok wrote:
On Aug 27, 2015, at 9:46 AM, Mart Pirita <mart@e-positive.ee> wrote:
But we need more detailed setup, for example, the idea is to allow user1 access some switches and disable user1 to access some other switches. And then even more specific rights, for example, switches which user1 can access, he have some switch with read-only and some other switch with read-write rights. In general, data goes into databases, and policy rules go into the FreeRADIUS config.
You should put all of these restrictions into an LDAP schema, and then use FreeRADIUS to query that.
But main idea is that ldap just does the authentication yes/no and that's it, nothing more. Everything else (who can access and with what rights) is in the radius config only. Is this possible?
And do it with groups, not using different configuration for every user, for example, so that users are listed in as groups, and these groups are used in access configurations? If it's simple, you can put the devices into hunt groups, and the users into ldap groups.
Same question, how to do it without ldap groups?
If it's more complex... there's no simple solution.
Huntgroups may be the solution, but as far I know, huntgroups are for device, and not for user rights. Also I don't know, can one and same device IP exist in many different huntgroups and can one huntgroup include other huntgroups? You can't put hunt groups into other hunt groups.
Ok.
-- Mart
On Aug 28, 2015, at 8:02 AM, Mart Pirita <mart@e-positive.ee> wrote:
But main idea is that ldap just does the authentication yes/no and that's it, nothing more.
So... LDAP is an authentication server?
Everything else (who can access and with what rights) is in the radius config only. Is this possible?
And RADIUS contains that database of user rights? You can do that, but it's a bit backwards from the normal process.
Same question, how to do it without ldap groups?
You write down what you want, then implement it in unlang. For RADIUS groups, see "man rlm_passwd". Alan DeKok.
Alan DeKok wrote:
On Aug 28, 2015, at 8:02 AM, Mart Pirita <mart@e-positive.ee> wrote:
But main idea is that ldap just does the authentication yes/no and that's it, nothing more. So... LDAP is an authentication server?
Everything else (who can access and with what rights) is in the radius config only. Is this possible? And RADIUS contains that database of user rights?
You can do that, but it's a bit backwards from the normal process.
Same question, how to do it without ldap groups? You write down what you want, then implement it in unlang. For RADIUS groups, see "man rlm_passwd".
Thanks Alan. I did look the unlang and rim_passwd manpages, and still have questions: 1) As radius in acting proxy for ldap, then authentication is done by ldap, so rim_password is not used for that. You suggested, that rim_password should be used for groups, so I will set up files and list there: a) List 1, users who can access 1-100 switches b) List 2, switches which users from list 1 can access ro c) Lisa 3, switches which users from list 1 can access rw 2) Or can I use unlang to read users, switches from external file? 3) Have You seen any similar unlang config example based my needs? I did search, found none:( It's hard to start form the scratch. -- Mart
On Sep 14, 2015, at 3:35 AM, Mart Pirita <mart@e-positive.ee> wrote:
1) As radius in acting proxy for ldap, then authentication is done by ldap, so rim_password is not used for that. You suggested, that rim_password should be used for groups, so I will set up files and list there: a) List 1, users who can access 1-100 switches b) List 2, switches which users from list 1 can access ro c) Lisa 3, switches which users from list 1 can access rw
Yes. The "passwd" module can manage lists of users in groups.
2) Or can I use unlang to read users, switches from external file?
No.
3) Have You seen any similar unlang config example based my needs? I did search, found none:( It's hard to start form the scratch.
There is no example of "do everything I want". You MIUST put the pieces together yourself. In this case, it's simple. There ARE examples of setting up groups using rlm_passwd. So... use that to set up groups. Then, do group checking in "unlang". Alan DeKok.
participants (2)
-
Alan DeKok -
Mart Pirita