List: freeradius-users
Subject: Re: [EXTERNAL] best practice for user permissions
From: "Winfield, Alister" <Alister.Winfield () sky ! uk>
Date: 2018-06-27 10:58:25
Message-ID: 4D8E5277-12F9-44CE-9304-07A7155D6EEC () sky ! uk
Personally I'd avoid the users file; it's too hard to understand what its intent is.

What is best sometimes depends upon how complex the optionality is, just like any programming / policy design.

For example, if this is very simplistic then the group name could be used to select a profile from LDAP which in turn contains the attributes you want to add to the response. That kind of mechanism makes the policy essentially data driven but can get out of hand if there are too many 'options' requiring distinct profiles. (This is similar to the files mechanism, if a tiny bit more obvious as to what is going on.)
On 27/06/2018, 10:29, "Freeradius-Users on behalf of Samuel LEFOL" <freeradius-users-bounces+alister.winfield=sky.uk@lists.freeradius.org on behalf of samuel.lefol@univ-lorraine.fr> wrote:
Hello,
I'm using freeradius 3.0.12 with rlm_ldap authentication.
I configured it as suggested in README:
authorize {
    ...
    ldap
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
    ...
}

authenticate {
    ...
    Auth-Type ldap {
        ldap
    }
    ...
}
I wonder what is the best practice for user permissions.
1. in the users file:

DEFAULT Auth-Type := ldap, LDAP-Group == "reseau"
        cisco-avpair := "shell:priv-lvl=15"
DEFAULT Auth-Type := Reject
OR
2. in the post-auth section:

if (LDAP-Group == "reseau") {
    update reply {
        cisco-avpair := "shell:priv-lvl=15"
    }
}
else {
    reject
}
Could someone give me an explanation of the best way to go?
Best regards,
Sam
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
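As an added example (not taken from Alister's or Samuel's messages), this is Samuel's option 2 generalised to several LDAP groups with an explicit default deny, which is the part of the policy most worth getting right. The group names reseau-admin and reseau-ro are assumed placeholders; the cisco-avpair attribute and priv-lvl values follow the original post.

```unlang
# Added example, not from the thread. Assumed placeholder group names:
# "reseau-admin" and "reseau-ro". Goes in the post-auth section of the
# virtual server (e.g. sites-enabled/default); the "ldap" module must have
# run in authorize, since each &LDAP-Group comparison is answered by rlm_ldap.
post-auth {
    # post-auth only runs after authentication succeeded, so no reply
    # attributes are ever built for a caller who failed to authenticate.
    # Most privileged group first: a user in both groups gets level 15.
    if (&LDAP-Group == "reseau-admin") {
        update reply {
            &cisco-avpair := "shell:priv-lvl=15"
        }
    }
    elsif (&LDAP-Group == "reseau-ro") {
        update reply {
            &cisco-avpair := "shell:priv-lvl=1"
        }
    }
    else {
        # Default deny: an account that authenticates against LDAP but is
        # in neither group gets no device access at all.
        reject
    }
}
```

Each &LDAP-Group comparison costs an LDAP group query unless cacheable_name or cacheable_dn is enabled in the group section of mods-available/ldap, so keep the chain short and ordered by privilege.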