best practice for user permissions

Samuel LEFOL samuel.lefol at univ-lorraine.fr
Wed Jun 27 11:28:51 CEST 2018


Hello,

I'm using FreeRADIUS 3.0.12 with rlm_ldap authentication.
I configured it as suggested in the README:
   authorize {
     ...
     ldap
     if ((ok || updated) && User-Password) {
       update control {
         Auth-Type := ldap
       }
     }
     ...
   }

   authenticate {
     ...
     Auth-Type ldap {
       ldap
     }
     ...
   }


I wonder what the best practice is for user permissions.

1. In the users file:
DEFAULT Auth-Type := ldap, LDAP-Group == "reseau"
         cisco-avpair := "shell:priv-lvl=15"
DEFAULT Auth-Type := Reject

OR

2. In the post-auth section:
if (LDAP-Group == "reseau") {
   update reply {
     cisco-avpair := "shell:priv-lvl=15"
   }
}
else {
   reject
}


Could someone give me an explanation of the best way to go?

Best regards,
Sam

