[Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif
John Dennis
jdennis at redhat.com
Fri Sep 24 21:37:12 UTC 2010
On 09/24/2010 03:53 PM, Dmitri Pal wrote:
> Brian LaMere wrote:
>> On Fri, Sep 24, 2010 at 10:43 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>> Brian LaMere wrote:
>> > ah, odd - I'm used to IPs being IA5. then the equality match should
>> > be changed? Can't have caseIgnoreIA5Match on a directory string :)
>> Yes. This is what the patch does :-)
>>
>>
>> so, out of curiosity...why 60sudo? Seems like a string matching
>> netmask could be used more generically...it's redefined over as
>> radiusFramedIPNetmask in 60radius.ldif. I go through and purge my
>> tree of attributes I'll never need, sorry - I have strange quirks.
>
> See some discussion of the subject here:
> http://www.freeipa.org/page/SUDO_Schema_Design#Proposed_Schema under
> sudoHost. I tried to find something suitable but could not. I did not
> look at RADIUS though.
> Reusing core, well known attributes is a good practice since they are
> common. Relying on RADIUS schema to be present might be not. Yes we plan
> to support RADIUS in future but this work is deferred.
FWIW, I have been in conversation with the upstream FreeRADIUS folks
concerning the RADIUS LDAP schema (in part because I just contributed
code to store RADIUS clients (e.g. NAS's) in LDAP) which included schema
updates.

During that discussion I pointed out how a number of the RADIUS
attributes appeared to be incorrectly specified as IA5 strings and
suggested the LDAP schema should be updated to use UTF-8 instead (e.g.
DirectoryString). There was buy-in that this was the correct thing to do.
However, I don't specifically recall the status of the
radiusFramedIPNetmask attribute.

Anyway, all that is a long-winded way of saying the use of IA5 appears
to have been historic and incorrect in many schemas and there is an
ongoing effort to fix the use of IA5.
--
John Dennis <jdennis at redhat.com>
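
Added example, not part of the original message or of FreeIPA's code: a Python check for the mismatch discussed in the quoted thread (an IA5 equality rule declared on a DirectoryString attribute), run over a constructed schema fragment. The attribute names and the 1.3.6.1.4.1.99999 OIDs are placeholders; the syntax OIDs and matching rule names are those of RFC 4517.

```python
import re

# Syntax OIDs from RFC 4517 and the equality rules it defines for each.
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
RULES_FOR_SYNTAX = {
    IA5_STRING: {"caseIgnoreIA5Match", "caseExactIA5Match"},
    DIRECTORY_STRING: {"caseIgnoreMatch", "caseExactMatch"},
}

# Constructed sample in the style of a 60*.ldif schema file.
# Attribute names and attribute OIDs are placeholders, not real schema.
SAMPLE_LDIF = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleMaskBroken'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleMaskFixed'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'exampleMaskIA5'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
"""

def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    return re.sub(r"\r?\n ", "", ldif)

def find_mismatches(ldif):
    """Return (name, equality_rule, syntax_oid) for rules that do not fit the syntax."""
    findings = []
    for line in unfold(ldif).splitlines():
        if not line.lower().startswith("attributetypes:"):
            continue
        name = re.search(r"NAME\s+\(?\s*'([^']+)'", line)
        rule = re.search(r"\bEQUALITY\s+(\S+)", line)
        syntax = re.search(r"\bSYNTAX\s+([0-9.]+)", line)
        if not (name and rule and syntax):
            continue  # no EQUALITY, or syntax inherited via SUP: nothing to compare
        allowed = RULES_FOR_SYNTAX.get(syntax.group(1))
        if allowed is not None and rule.group(1) not in allowed:
            findings.append((name.group(1), rule.group(1), syntax.group(1)))
    return findings

if __name__ == "__main__":
    for attr, rule, oid in find_mismatches(SAMPLE_LDIF):
        print(f"{attr}: EQUALITY {rule} does not apply to SYNTAX {oid}")
```
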