
List:       freeradius-users
Subject:    Re: [EXTERNAL] best practice for user permissions
From:       "Winfield, Alister" <Alister.Winfield () sky ! uk>
Date:       2018-06-27 10:58:25
Message-ID: 4D8E5277-12F9-44CE-9304-07A7155D6EEC () sky ! uk

Personally I'd avoid the users file; it's too hard to understand what its intent is.

What is best sometimes depends upon how complex the optionality is, just like any programming / policy design.

For example, if this is very simplistic then the group name could be used to select a profile from LDAP which in turn contains the attributes you want to add to the response. That kind of mechanism makes the policy essentially data driven but can get out of hand if there are too many 'options' requiring distinct profiles. (This is similar to the files mechanism, if a tiny bit more obvious as to what is going on.)



On 27/06/2018, 10:29, "Freeradius-Users on behalf of Samuel LEFOL" <freeradius-users-bounces+alister.winfield=sky.uk@lists.freeradius.org on behalf of samuel.lefol@univ-lorraine.fr> wrote:


    Hello,

    I'm using freeradius 3.0.12 with rlm_ldap authentication.
    I configured it as suggested in README:
       authorize {
         ...
         ldap
         if ((ok || updated) && User-Password) {
           update control {
             Auth-Type := ldap
           }
         }
         ...
       }

       authenticate {
         ...
         Auth-Type ldap {
           ldap
         }
         ...
       }


    I wonder what is the best practice for user permissions.

    1. in users file :
    DEFAULT Auth-Type := ldap, LDAP-Group == "reseau"
             cisco-avpair := "shell:priv-lvl=15"
    DEFAULT Auth-Type := Reject

    OR

    2. in post-auth section
    if (LDAP-Group == "reseau") {
       update reply {
         cisco-avpair := "shell:priv-lvl=15"
       }
    }
    else {
       reject
    }


    Could someone give me an explanation of the best way to go?

    Best regards,
    Sam
    -
    List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
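Sam's second option, reworked as an added unlang example that is not part of this thread and not from the FreeRADIUS project: the group check is moved from post-auth into authorize, so an account outside the authorised groups is rejected before any LDAP bind is attempted, and a second read-only group shows how the same policy extends to several privilege levels. The group "reseau" and the ldap/Auth-Type block come from Sam's message; the group name "reseau-ro", the priv-lvl values and the Reply-Message text are assumptions.

```unlang
# Assumed fragment of raddb/sites-enabled/default (FreeRADIUS 3.x).
authorize {
    ...
    ldap
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := ldap
        }
    }

    # LDAP-Group comparisons only resolve after the ldap module has run
    # above. Deciding the privilege level here, rather than in post-auth,
    # means a user who is in no authorised group never reaches the
    # authenticate section, so no bind is made on their behalf.
    if (LDAP-Group == "reseau") {
        update reply {
            cisco-avpair := "shell:priv-lvl=15"
        }
    }
    elsif (LDAP-Group == "reseau-ro") {      # assumed read-only group
        update reply {
            cisco-avpair := "shell:priv-lvl=1"
        }
    }
    else {
        # Auth-Type Reject short-circuits authentication; the reply is
        # sent via Post-Auth-Type REJECT, which keeps Reply-Message.
        update control {
            Auth-Type := Reject
        }
        update reply {
            Reply-Message := "Not a member of an authorised group"
        }
    }
    ...
}
```

With `radiusd -X` the debug output shows which `if`/`elsif` branch matched, which is the readability advantage over equivalent DEFAULT entries in the users file.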




