Re: deployment question

2005-04-19 Thread Maqbool Hashim
Sorry, what I'm trying to ask is: Most secure way to create a unix login whose sole function is to execute adduser to add users to the /etc/passwd file. I'm running openbsd. Hmmm... as I finish writing this question it looks like this is rather off topic. Anyhows any ideas welcome. Thanks

Re: deployment question

2005-04-18 Thread Maqbool Hashim
Hi there, I've finally come to a decision as to what sort of backend we're going to use. Thanks for all the discussion, it was very helpful in coming to the final decision. Here's what I'm going to go with: Use the UNIX password file on the machine that holds the radius server to authenticate

Re: deployment question

2005-04-18 Thread Maqbool Hashim
Dustin, any input on this one? Maqbool Hashim wrote: Hi there, I've finally come to a decision as to what sort of backend we're going to use. Thanks for all the discussion, it was very helpful in coming to the final decision. Here's what I'm going to go with: Use the UNIX password file on the

Re: deployment question

2005-04-18 Thread Dustin Doris
Dustin, any input on this one? Maqbool Hashim wrote: Hi there, I've finally come to a decision as to what sort of backend we're going to use. Thanks for all the discussion, it was very helpful in coming to the final decision. Here's what I'm going to go with: Use the UNIX

deployment question

2005-04-13 Thread Maqbool Hashim
Hi there, After some trouble I have managed to get freeradius to compile on openbsd! Now I have a question about the backend database to use with freeradius. Requirements: 1) Users can access the database and change their own password. 2) Users cannot see or change any other users' passwords.

RE: deployment question

2005-04-13 Thread Miles Mawyer
@lists.freeradius.org Subject: deployment question Hi there, After some trouble I have managed to get freeradius to compile on openbsd! Now I have a question about the backend database to use with freeradius. Requirements: 1) Users can access the database and change their own password. 2) Users

Re: deployment question

2005-04-13 Thread Maqbool Hashim
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maqbool Hashim Sent: Wednesday, April 13, 2005 8:57 AM To: freeradius-users@lists.freeradius.org Subject: deployment question Hi there, After some trouble I have managed to get freeradius to compile on openbsd! Now I have

RE: deployment question

2005-04-13 Thread Miles Mawyer
Of Maqbool Hashim Sent: Wednesday, April 13, 2005 9:09 AM To: freeradius-users@lists.freeradius.org Subject: Re: deployment question Thanks, I'm just thinking that mysql is a big and complex program which offers a lot of features. Our requirements are quite specific. I'm not saying I'm ruling

Re: deployment question

2005-04-13 Thread Maqbool Hashim
To: freeradius-users@lists.freeradius.org Subject: Re: deployment question Thanks, I'm just thinking that mysql is a big and complex program which offers a lot of features. Our requirements are quite specific. I'm not saying I'm ruling out using mysql, just would like to hear whether there are any

RE: deployment question

2005-04-13 Thread Miles Mawyer
: deployment question sorry I'm not being clear here. What I meant was, if all users are contained in the same table, how can I allow a user to change just the row which corresponds to their username without revealing the rest of the table? Miles Mawyer wrote: Isn't it going to be difficult to give

Re: deployment question

2005-04-13 Thread Maqbool Hashim
-=- Webmaster . Centralva.net ... ... [EMAIL PROTECTED] ... ... 434.385.5053 ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maqbool Hashim Sent: Wednesday, April 13, 2005 9:22 AM To: freeradius-users@lists.freeradius.org Subject: Re: deployment question sorry

RE: deployment question

2005-04-13 Thread Miles Mawyer
Subject: Re: deployment question That makes sense. So effectively the php program has a login for the database. The user has a login for the php frontend. What the user sees depends on the credentials he supplies to the php frontend. Therefore the security rests with the php frontend. Right

Re: deployment question

2005-04-13 Thread Maqbool Hashim
Sent: Wednesday, April 13, 2005 9:47 AM To: freeradius-users@lists.freeradius.org Subject: Re: deployment question That makes sense. So effectively the php program has a login for the database. The user has a login for the php frontend. What the user sees depends on the credentials he supplies

Re: deployment question

2005-04-13 Thread Dustin Doris
Ldap will provide that feature for you. An openldap acl might look like this. access to attr=userPassword by self write by anonymous auth by * none access to dn.one=ou=useraccounts,dc=yourdomain,dc=com by self write by

Re: deployment question

2005-04-13 Thread Maqbool Hashim
That's very helpful, thank you. I was actually thinking of something similar except using mysql, but obviously ldap would be better as it directly provides that feature. However I was just reading some of the rlm_dbm file and it seems like the ideal backend for us, as it doesn't require any

Re: deployment question

2005-04-13 Thread Dustin Doris
dbm would be very fast and simple. I've never used it directly though, so I can't provide any help. Openldap does use Berkeley DB as the backend db for data storage, so you are really just taking off a layer and making it much simpler. Mysql even offers a Berkeley DB backend. You will need to

Re: deployment question

2005-04-13 Thread Dustin Doris
On Wed, 13 Apr 2005, Maqbool Hashim wrote: True. Just coming back to your earlier mail: Put the front-end on a different machine and have it only run apache. Put the ldap server on your private network and have the radius server and webserver with an interface on that network. The

Re: Radius deployment question

2004-08-27 Thread Maqbool Hashim
Great, thanks to everyone who made suggestions, I'm going to go ahead and implement according to Alan's suggestion because of the amount of separation that it gives and it seems the best way of achieving this. One other point, if we are using an sql backend then the radiusd process would

Re: Radius deployment question

2004-08-26 Thread Maqbool Hashim
Hi, Do you mean I could separate users from different realms into different database tables? Is this what it means by using schemas? So rather than have one users table, I can have many different tables with users from different realms? And allow customers access to only the user table

Re: Radius deployment question

2004-08-26 Thread Maqbool Hashim
Alan DeKok wrote: You would be better off having the customers manage their own RADIUS servers, and having you just proxy to those servers. If the customers don't want to manage their own servers, you can still have a server locally, per-customer. That way, you can give each customer limited

Re: Radius deployment question

2004-08-26 Thread Dana Hudes
a schema is a set of tables within a database. you can have identical table structure and names in each schema. you would need to fully specify the tables when referring to them. not 'users', which is really 'public.users', but for customer foo you could have 'foo.users' and customer baz

Re: Radius deployment question

2004-08-26 Thread Alan DeKok
Maqbool Hashim [EMAIL PROTECTED] wrote: Ok so the way this would work is to have an instance of the radiusd program running for every customer. Just point it at the right configuration files for the customer and bind it to a different port for each customer. Then give the customer

Radius deployment question

2004-08-25 Thread Maqbool Hashim
I'd like to know if it is possible to allow external customers limited access to add users to our RADIUS configuration. We manage many firewalls for different customers. VPN users on the firewalls can be authenticated via our Freeradius server. So when another VPN needs to be set up on the

Re: Radius deployment question

2004-08-25 Thread Alan DeKok
Maqbool Hashim [EMAIL PROTECTED] wrote: I'd like to know if it is possible to allow external customers limited access to add users to our RADIUS configuration. Yes, but it's probably a bad idea. Is this possible? I know this will involve realms, but how can we get the customer to update

Re: Radius deployment question

2004-08-25 Thread Dana Hudes
at the database level you can create a database user and GRANT them rights on the users table. That would, however, allow them to mess with users of other external customers. If you tag vpn users so you can identify to whom the user belongs, you can use an application which authenticates the