[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-devel] [Fwd: [Fedora-directory-users] Integrating RADIUS schema in Fedora-ds]

Thanks a bunch John -- very helpful. You are probably correct that short term I can possibly get away with just the bind -- I wasn't fully aware I could do that. None the less I'd still be interested in the schema your using in IPA as there is a good chance that may be where I go with our authentication and such down the road...definitely been anxious to try it, just been waiting for it to mature a bit.  :-)

Send me your schema when you get a chance if you'd be so kind, and thanks again.


----- Original Message -----
From: "John Dennis" <jdennis redhat com>
To: fedora-directory-users redhat com
Cc: freeipa-devel redhat com, "Jeff Fishbaugh" <jeff collectiveintellect com>
Sent: Wednesday, December 5, 2007 5:18:23 PM (GMT-0700) America/Denver
Subject: Re: [Freeipa-devel] [Fwd: [Fedora-directory-users] Integrating RADIUS schema in Fedora-ds]

> Not sure if this is the best place to ask this but have been looking for 
> some decent documentation on integrating RADIUS schema into Fedora-ds so 
> I can authenticate against my directory. Tons of docs on doing the same 
> with OpenLDAP, but slim to none with Fedora-ds (btw-- I do know about 
> freeipa, but I'm not using it).
> I see my RADIUS schema object classes as radiusprofile and radiusobject 
> profile; however, I can not seem to figure out how to get these 
> integrated into my directory properly to use it with RADIUS. If I look 
> at my 'addtional indexes' I only can add radiusprofile indexes such as 
> radiusframedmtu. Would seem I am going to need to get 
> radiusobjectprofile and its related indexes (uid, userPassword)  in 
> there if this is to work for authentication.
> Can anyone point me in the right direction with getting RADIUS schema 
> properly integrated into my directory so I can point RADIUS at it and 
> use it for user authentication??? I'm also a bit curious on the DESC 
> field being blank for all the OIDs and whether they should go or 
> populated with iinfo similar to the OID name.
> Appreciate any and all answers. Thank you...

I can send you the radius profile directory server schema we're using in 
IPA. But the larger question is why do you think you need the schema in 
the first place. You state all you want to do is authenticate against 
DS, which means all you are doing is a bind, and most likely only a 
simple bind with a plain text password. To accomplish that you'll need 
to enable ldap in the authenticate section of /etc/raddb/radiusd.conf. I 
believe you'll need to move ldap to be above any other plain text 
password authentication mechanisms in the authenticate section so the 
ldap module gets first crack, or disable the other mechanisms. In the 
modules section you'll also need to set your basic ldap parameters, e.g. 
  server, filter, etc. The filter will need to be able to locate a user 
by performing a search. The user's dn is derived from the successful 
search result and that dn is then used to perform the bind with the 
password found in the request auth packet. None of this requires schema.

If however you want to manage profiles with radius attribute/value pairs 
then you'll need the schema, but that doesn't sound like what you're 
asking for.

In any event, let me know if you want the schema, I'll send it to you.

John Dennis <jdennis redhat com>

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]