Specific, complicated, detailed user rights possibility?

Mart Pirita mart at e-positive.ee
Mon Sep 14 09:35:54 CEST 2015

Alan DeKok wrote:
> On Aug 28, 2015, at 8:02 AM, Mart Pirita <mart at e-positive.ee> wrote:
>> But main idea is that ldap just does the authentication yes/no and that's it, nothing more.
>    So... LDAP is an authentication server?
>> Everything else (who can access and with what rights) is in the radius config only. Is this possible?
>    And RADIUS contains that database of user rights?
>    You can do that, but it's a bit backwards from the normal process.
>> Same question, how to do it without ldap groups?
>    You write down what you want, then implement it in unlang.  For RADIUS groups, see "man rlm_passwd".

Thanks Alan.

I did look the unlang and rim_passwd manpages, and still have questions:

1) As radius in acting proxy for ldap, then authentication is done by 
ldap, so rim_password is not used for that. You suggested, that 
rim_password should be used for groups, so I will set up files and list 
a) List 1, users who can access 1-100 switches
b) List 2, switches which users from list 1 can access ro
c) Lisa 3, switches which users from list 1 can access rw
2) Or can I use unlang to read users, switches from external file?
3) Have You seen any similar unlang config example based my needs? I did 
search, found none:( It's hard to start form the scratch.


More information about the Freeradius-Users mailing list