Would Freeradius be the correct technology for this? For example,

Currently, for me to allow someone access to my OpenVPN server and Samba I have to first add them as a standard user with the useradd script. Then I have to use smbpasswd -e to enable their account for Samba. If I wanted that user to also be able to SSH into another server I would have to repeat this process. After about 3 users I forgot who has access to what. This is the process I want to simplify.

I want 1 place/script that prompts for every app/server that I want to restrict access to: Samba, SSH, Shell access, X, etc. I want this information stored in a standard SQL type database though so I can easily manipulate users once they've been created on the fly. Preferably within 1 table like I provided in my last email for an example simple user management style.

What do large companies that have many users/Linux machines use to handle user administration?

-Jesse

On Fri, Sep 5, 2008 at 5:30 PM, Edvin Seferovic <[EMAIL PROTECTED]> wrote:

> It is a tricky concept, but it can be done with a lot of effort. Probably
> not for all applications (since it doesn't make any sense for some of
> them). Maybe you should consider making a real network DMZ. The concept of
> DMZ allows you to define and allow/disallow access to services from the
> Internet and those from the local LAN. You DO NOT make things or services
> available "to the DMZ"!
>
> Start simple!
>
> Regards,
> E:S
>
> *From:* freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org
> *On Behalf Of* Jesse Stone
> *Sent:* Saturday, 06 September 2008 01:50
> *To:* FreeRadius users mailing list
> *Subject:* Re: Freeradius Usage
>
> Thank you for the quick response. I may not have mentioned this previously
> but I am by no means a Linux/networking expert. The company I work for is
> pro-MS. Recently, I got the urge to get back into Linux and here I am.
>
> My thinking (in regards to network structure) was that I wanted
> applications intended for the public as far away from my local LAN as
> possible. The local LAN requires the app server though: OpenVPN, Samba (as
> a PDC), misc other things, so I wanted it available to the local LAN but
> not to the DMZ.
>
> My main questions though are with Freeradius. My setup is for "hobby"
> purposes only and already I would have difficulty telling you exactly which
> users have access to what.
>
> I want to, using a technology like Freeradius or LDAP, create 1 central
> place on the app server that EVERYTHING would authenticate to. In a perfect
> world, the end result would be that I could type something like this:
>
>     select %user% from permissionsDB
>
> and be returned something like this:
>
>     SSH: NO, OpenVPN: YES, Samba: %Specific group% (which indicates shares
>     available), Shell Access: No, etc.
>
> Basically, I want a setup where I can easily scale upwards without having
> to "teach" each new application how to use a DB. Freeradius also can
> authenticate my wireless users, which would also be great as for all I
> know, half my bandwidth is being used by my neighbors.
>
> -Jesse
>
> On Fri, Sep 5, 2008 at 4:34 PM, Edvin Seferovic <[EMAIL PROTECTED]> wrote:
>
> > Hi,
> >
> > excuse me for asking, but why don't you set up the AppServer in your DMZ?
> > You could have (what I call) the T-structure:
> >
> > <--- INTERNET --> GATEWAY ( server1 ) <---> LOCAL LAN
> >                        I
> >                        I DMZ
> >                        I
> >               SERVER2 + APPServer
> >
> > It depends how your users use the gateway and how they are supposed to
> > connect to the Internet.
> >
> > Regards,
> > E:S
> >
> > *From:* freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org
> > *On Behalf Of* Jesse Stone
> > *Sent:* Saturday, 06 September 2008 01:25
> > *To:* FreeRadius users mailing list
> > *Subject:* Freeradius Usage
> >
> > Hi All,
> >
> > I am new to this mailing list and am about to ask a probably very silly
> > question. Please feel free to direct me to resources that'll help me
> > answer them.
> >
> > I want to set up the following:
> >
> > Gateway [server1]
> >  - nic1 = Internet
> >  - nic2 = DMZ [server2]
> >  - nic3 = Router w/ Wireless -> App Server [Server3] (FREERADIUS SERVER
> >    HERE) -> Local Lan
> >
> > I read a lot about both Freeradius and LDAP and cannot determine if
> > either can accomplish my goals.
> >
> > What I want is:
> >
> > 1) 1 central place where all user authentication takes place: SSH, Shell
> >    Access, Samba, OpenVPN, Mumble, any other app that requires user
> >    administration.
> > 2) This information stored in a SQL type database so that I can build my
> >    own custom apps to report on user usage, performance etc.
> > 3) My router has wireless and I have enabled the security features. I
> >    would still like authentication to take place before a wireless user
> >    is allowed on the network.
> >
> > For example,
> >
> > Currently, I have this: Router w/ Wireless -> App Server [Server3] +
> > Local Lan
> >
> > I want this: Router w/ Wireless -> App Server [Server3] -> Local Lan
> >
> > Is Freeradius the best approach for my needs? Do I need anything else?
> >
> > -Jesse
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
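
The one-table, per-service access report asked for in the message above ("SSH: NO, OpenVPN: YES, Samba: group"), as an added example that is not part of the original thread and is not FreeRADIUS's own schema. The table name, column names, service list and user names are assumptions made for illustration; the sketch only records and reports grants, with every service defaulting to NO unless a row exists, and does not wire any service up to the database.

```python
import sqlite3

# Hypothetical service list taken from the thread; extend as needed.
SERVICES = ("SSH", "OpenVPN", "Samba", "Shell")

def open_db():
    """Create the single permissions table (constructed, in-memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE permissions (
            username TEXT NOT NULL,
            service  TEXT NOT NULL,
            access   TEXT NOT NULL,      -- 'YES' or a group name (e.g. Samba group)
            PRIMARY KEY (username, service)
        )""")
    return conn

def grant(conn, user, service, access="YES"):
    """Record a grant; unknown services are rejected so typos cannot hide access."""
    if service not in SERVICES:
        raise ValueError(f"unknown service: {service}")
    conn.execute("INSERT OR REPLACE INTO permissions VALUES (?, ?, ?)",
                 (user, service, access))

def revoke(conn, user, service):
    conn.execute("DELETE FROM permissions WHERE username = ? AND service = ?",
                 (user, service))

def access_report(conn, user):
    """Per-user view: every known service, default-deny when no row exists."""
    rows = dict(conn.execute(
        "SELECT service, access FROM permissions WHERE username = ?", (user,)))
    return {svc: rows.get(svc, "NO") for svc in SERVICES}

def users_with(conn, service):
    """Per-service view: answers 'who has access to what' for an access review."""
    cur = conn.execute(
        "SELECT username FROM permissions WHERE service = ? ORDER BY username",
        (service,))
    return [name for (name,) in cur]

def build_sample():
    """Constructed sample data, not from the thread."""
    conn = open_db()
    grant(conn, "alice", "OpenVPN")
    grant(conn, "alice", "Samba", "staff")
    grant(conn, "bob", "SSH")
    grant(conn, "bob", "OpenVPN")
    revoke(conn, "bob", "SSH")
    return conn

if __name__ == "__main__":
    db = build_sample()
    for user in ("alice", "bob", "mallory"):
        print(user, access_report(db, user))
```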

