Specific, complicated, detailed user rights possibility?
mart at e-positive.ee
Mon Sep 14 09:35:54 CEST 2015
Alan DeKok wrote:
> On Aug 28, 2015, at 8:02 AM, Mart Pirita <mart at e-positive.ee> wrote:
>> But main idea is that ldap just does the authentication yes/no and that's it, nothing more.
> So... LDAP is an authentication server?
>> Everything else (who can access and with what rights) is in the radius config only. Is this possible?
> And RADIUS contains that database of user rights?
> You can do that, but it's a bit backwards from the normal process.
>> Same question, how to do it without ldap groups?
> You write down what you want, then implement it in unlang. For RADIUS groups, see "man rlm_passwd".
I did look at the unlang and rlm_passwd manpages, and still have questions:
1) As radius is acting as a proxy for ldap, then authentication is done by
ldap, so rlm_passwd is not used for that. You suggested that
rlm_passwd should be used for groups, so I will set up files and list:
a) List 1, users who can access 1-100 switches
b) List 2, switches which users from list 1 can access ro
c) List 3, switches which users from list 1 can access rw
2) Or can I use unlang to read users and switches from an external file?
3) Have You seen any similar unlang config example based on my needs? I did
search, found none :( It's hard to start from scratch.