On Mon, Jul 13, 2020 at 12:36 PM Mike Jumper <[email protected]> wrote:
> On Tue, Jun 30, 2020, 16:46 Nick Couchman <[email protected]> wrote:
>
>> On Tue, Jun 30, 2020 at 18:01 dynz <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Great release by the way!
>>>
>>> I'm using RADIUS and MySQL for authentication, with MySQL holding
>>> connections and groups.
>>> If I use
>>> mysql-auto-create-accounts: true
>>> can I define a Group in MySQL with a certain name so that the
>>> auto-created users will automatically be defined as members of that
>>> Group? If so, what is that certain Group name?
>>>
>>
>> No, there is no way to accomplish that with the auto creation process.
>> I’ve thought in the past about some way to assign either default
>> permissions or membership to new users, or some way to grant permissions
>> to all authenticated users. However, another part of me says that those
>> methods are just work-arounds for proper group and permissions
>> management - a big part of which is making sure that all of the
>> extensions support some method of providing group membership.
>>
>> I’m interested to hear what others think.
>>
>
> Is there a standard way within RADIUS to define the group memberships of a
> user?
>

I believe the most common way to do this with RADIUS is using the Vendor-Specific attribute and defining the group membership there. However, it has something of a limitation, at least from the research I've done, in that you usually can only define a single group the user is a member of and not a list of groups.

> If so, then perhaps the solution here is to pull that information when
> configured to do so, similar to the group support within SAML.
>

Yes, I think providing at least a single group membership entry out of RADIUS is the way to go. I've looked into this off-and-on for several months, but not settled on the best way to do this, yet.

-Nick
