best practice for user permissions
Samuel LEFOL
samuel.lefol at univ-lorraine.fr
Wed Jun 27 17:00:31 CEST 2018
On 27/06/18 16:35, Alan DeKok wrote:
> On Jun 27, 2018, at 5:28 AM, Samuel LEFOL <samuel.lefol at univ-lorraine.fr> wrote:
>>
>> Hello,
Hello Alan. Thank you for your reply.
>>
>> I'm using freeradius 3.0.12 with rlm_ldap authentication.
>> I configured it as suggested in README:
>
> Which README? We haven't recommended doing this for a long time.
I saw this information in the file raddb/README.rst.
>
>> authorize {
>>     ...
>>     ldap
>>     if ((ok || updated) && User-Password) {
>>         update control {
>>             Auth-Type := ldap
>
> Don't do that. It's generally unnecessary, and will cause many authentication types to fail.
I do not have access to the ldap User-Password field (anonymous bind).
So, I use "user bind" as the authentication process. If I do not set
Auth-Type LDAP in the users file, I have to force it here.
>
>> I wonder what is the best practice for user permissions.
>>
>> 1. in users file :
>> DEFAULT Auth-Type := ldap, LDAP-Group == "reseau"
>> cisco-avpair :="shell:priv-lvl=15"
>> DEFAULT Auth-Type := Reject
>
> You don't need to set Auth-Type LDAP
>
> You usually don't need to set Auth-Type Reject. Any users who aren't known will automatically be rejected.
>
>
>> OR
>>
>> 2. in post-auth section
>> if (LDAP-Group == "reseau") {
>>     update reply {
>>         cisco-avpair := "shell:priv-lvl=15"
>>     }
>> }
>> else {
>>     reject
>> }
>
> That works. And rejects anyone who isn't in the "reseau" group.
>
>> Could someone give me an explanation of the best way to go ?
>
> Avoid the "users" file for anything other than trivial policies.
I think that's what I'm going to do.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
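For reference, here is the second option from the thread (group check in post-auth, no Auth-Type override in authorize) written out as a complete server-section fragment. This is an added example, not configuration from the original post or from the FreeRADIUS project. It assumes rlm_ldap is enabled in mods-available/ldap with group membership configured so that LDAP-Group comparisons work, and it assumes (as Alan's reply implies) that rlm_ldap itself sets Auth-Type = LDAP when it cannot retrieve a password attribute for the user and a User-Password is present, so that bind authentication happens without forcing it in authorize. The group name "reseau" and the priv-lvl value are the ones from the thread.

```unlang
# Added example: authorize lets rlm_ldap look the user up and decide the
# Auth-Type itself (assumption: default 3.0.x behaviour when no known-good
# password can be read); nothing is forced here.
authorize {
    preprocess
    ldap
}

# Bind authentication is performed by the ldap module.
authenticate {
    Auth-Type LDAP {
        ldap
    }
}

# Authorisation policy lives in post-auth: members of the "reseau" group
# receive the Cisco privilege level, everyone else is rejected, so a
# successful bind alone is never enough to get access.
post-auth {
    if (LDAP-Group == "reseau") {
        update reply {
            cisco-avpair := "shell:priv-lvl=15"
        }
    }
    else {
        reject
    }

    # Rejects from this section run Post-Auth-Type REJECT, which is where
    # a Reply-Message for denied users would normally be set.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

With this layout the users file carries no policy at all, which matches the advice in the thread to keep it for trivial cases only; when testing, `radiusd -X` shows whether the ldap module set Auth-Type in authorize and which branch of post-auth was taken.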