User administrator

Hi
I created a group and policy for User Administrators, who should have acces to adding and deleting users only.
I also created a group Super Admin who can do everything, instead of logging in as root and should be more safe.

However those User Administrators can make themselves Super Administrators, and gain access to everything. This should not be possible I think, or should I have done it another way?

Cheers
/Sven

The ClearOS implementation has been designed for user authentication, so connects to LDAP. I think there are a few places where it refers to LDAP ("grep -i ldap /etc/raddb/* -r"), but many of the references are only used if the sites or modules are enabled by symlinking to the ???-enabled folders.

To be honest, you best source of information is probably gong to be the freeradius mailing list. Did you also know that you can run Radius in debug mode? I found this essential when troubleshooting the domain implementation, and you will be required to do this if you use the mailing list. There is an even more verbose debug mode but you should not need it unless asked (and they can get upset if you give it initially).

If you do get to the end of your set up, it would be great if you could post back with a howto .

@Tony,
Interesting development on the kernel front. The reason for ClearOS having a different kernel from Centos is because it is patched for IMQ for the Bandwidth/QoS module. The stock kernel comes with IFB instead for this function. The Bandwith/QoS module and firewall have now been prepared for IFB but there has been a slight bug in the release so existing systems are missing a line in /etc/clearos/qos.conf (new installations will get it). If you edit the file, add:I will get round to releasing a patch once 7.6 is out.

If you use QoS and flip this to "yes" then you will will be using IFB instead of IMQ. At that point there is noting to stop you using the vanilla kernel. Taking that one stage further, once you use the vanilla kernel, there is nothing to stop you using the kernels from ElRepo where I think it is the kernel-ml you want. You'd then be living life on the bleedin-edge.

If you don't use QoS, you should be able to make the move anyway.

I have a feeling ClearOS will switch to the Centos kernel pretty soon, some time after 7.6, first flipping the IFB on then, when Centos release the next kernel, I would expect the mainline kernel. This has a knock-on effect on the ElRepo NIC drivers which will have to be taken into consideration.

@Schorschi
Clearcenter recently acquired a company, Daphlie, who produce an Arm box which is why Arm is in the pipeline. Unfortunately their web site is down so you can't see anything, and I don't know the status of their product. Because their build system can now, ClearOS may get compiled for 32-bit ARM as well. If this does happen, Centos is already running on 32-bit ARM, so it should be possible to install Centos, then ClearOS on top of it. Again we have to wait. The Pi 3B+ can run both 32 and 64 bit code.

I did not get as far as finding the cause of failure. One suggestion Dave has made was if there is no NIC connectivity at the time on fonfiguration. I am not sure as all mine is in a VM with four virtual NIC's which connect as they are NAT'd, but no VLAN on any of them. I'm not sure how to do that. I've been distracted by a 7.6 bug which is proving horrible to isolate, so I have not had another look. It is not something I need at all. I was only testing to see if I could create a simple script to isolate all the LAN's in the firewall and creating VLAN's was an easy way of testing.

Nick - interesting development if 32-bit comes back - running lbuntu on a 32-bit only laptop which has kernel 4.15.0-45-generic i386 and uses the ubuntu 18.04.2 LTS 32-bit packages.
Had considered a NUC for a firewall - but these types of reports sent me elsewhere as kernel 4.x required for proper support for newer CPU models - older might be OK... NUC6CAYH NUC Older NUC Intel Supported Linux Systems
Ended up finding a cheap brand new older ITX board on special - an Asrock D1800B-ITX and popped an Intel dual NIC into the PCIe slot giving me 3 NICs. One for internal and two for multi-wan - cable and adsl. Details here No problems with the J1800 SoC and Asrock BIOS - believe this same SoC on a Gigabyte board has problems with the Gigabyte supplied BIOS using linux.

I like the idea of NUC devices, but note Tony's warning about SoC devices.

There may be a chance the 32-bit ClearOS will be resurrected as Centos are doing 32-bit, but not any time soon. It might just be for v8.

As you have found, the IP Settings WiFi interface has unfortunately gone. I hope it will reappear sometime in the future, but it is not going to happen for the moment.

I don't really know either Radius or hostpad. I have managed to get hostapd working in the past, and I have had the app-radius working as well, with independent access points and a domain, but please see bug 19821. It is so broken from what was intended that it just about works!

If hostapd is creating the vlans, and you are only going to have a couple, can you manually add them to the bridge using brctl? Or check if hostapd is adding them with a "brctl show".

I think it can work on ARM devices but they may have to be UEFI based. I cannot get it working on a Pi 3B+, and CentOS do not yet have it working on it either with a 64bit build, which is the only one available for ClearOS. Note also that the 3B+ only nominally has Gb ethernet as it is limited by the USB bus. I think the maximum it can achieve is around 300Mb/s. Similarly disk speed is limited by USB. Also it is difficult to fit a second NIC. I have a 3B+ waiting for as soon as CentOS crack the 64bit issue (Fedora have).

There is a parallel thread about a low power quiet device. Most modern processors are OTT. Even my Core i3-4130 spends most of its time idling and its power use only went up when I played around with ClearGLASS.

Do you have eno7 and eno8 configured as LAN's as well? If not can you try it. They need never be used.

When I had my failure, the underlying "ifup" command was failing. You can see this in one of your logs as well:I stopped troubleshooting at that point.