best practice for user permissions
Alan DeKok
aland at deployingradius.com
Wed Jun 27 16:35:32 CEST 2018
On Jun 27, 2018, at 5:28 AM, Samuel LEFOL <samuel.lefol at univ-lorraine.fr> wrote:
>
> Hello,
>
> I'm using freeradius 3.0.12 with rlm_ldap authentication.
> I configured it as suggested in README:
Which README? We haven't recommended doing this for a long time.
> authorize {
> ...
> ldap
> if ((ok || updated) && User-Password) {
> update control {
> Auth-Type := ldap
Don't do that. It's generally unnecessary, and will cause many authentication types to fail.
> I wonder what is the best practice for user permissions.
>
> 1. in users file :
> DEFAULT Auth-Type := ldap, LDAP-Group == "reseau"
> cisco-avpair :="shell:priv-lvl=15"
> DEFAULT Auth-Type := Reject
You don't need to set Auth-Type LDAP.
You usually don't need to set Auth-Type Reject. Any users who aren't known will automatically be rejected.
> OR
>
> 2. in post-auth section
> if (LDAP-Group == "reseau") {
> update reply {
> cisco-avpair :="shell:priv-lvl=15"
> }
> }
> else {
> reject
> }
That works. And rejects anyone who isn't in the "reseau" group.
> Could someone give me an explanation of the best way to go?
Avoid the "users" file for anything other than trivial policies.
Alan DeKok.
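A fuller version of the post-auth approach the reply endorses, added here as an example rather than configuration taken from the thread or from the FreeRADIUS default site. It calls ldap in authorize without forcing Auth-Type, maps group membership to a privilege level in post-auth, and rejects anyone in neither group, so nothing is left to the users file. The second group name "reseau-ro" and its privilege level are assumptions:

```unlang
authorize {
    # Let rlm_ldap look the user up and pull any password or
    # attributes it finds.  Do not set Auth-Type := ldap here:
    # the server picks the right authentication method itself.
    ldap
}

post-auth {
    # Full administrative access for the network team.
    if (&LDAP-Group == "reseau") {
        update reply {
            &Cisco-AVPair := "shell:priv-lvl=15"
        }
    }
    # Assumed read-only group (constructed for this example).
    elsif (&LDAP-Group == "reseau-ro") {
        update reply {
            &Cisco-AVPair := "shell:priv-lvl=1"
        }
    }
    # Authenticated but not authorised for this device class:
    # return Access-Reject instead of a privilege-less Accept.
    else {
        reject
    }
}
```

Because the group check runs in post-auth, it only applies to users who have already authenticated; putting the privilege decision in one place makes it easy to audit which groups can reach each level and to confirm that the default outcome is a reject.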