[Freeipa-users] Ldap schema

John Dennis jdennis at redhat.com
Thu Sep 5 16:59:22 UTC 2013


On 09/05/2013 02:29 AM, Dmitri Pal wrote:
> On 09/05/2013 12:38 AM, Jason Prouty wrote:
>> This is the AV-Pair I would like to implement to pass back to radius.
>>
>>
>> dn: cn=priv-15,ou=cisco,ou=radius,dc=example,dc=com
>> objectClass: radiusObjectProfile
>> objectClass: radiusprofile
>> cn: priv-15
>> radiusReplyItem: cisco-avpair = "shell:priv-lvl=15"
> 
> The question was why you need to use IPA as a storage for profiles?
> It looks like you are not using FreeRADIUS. Is this the case?

I already answered him privately.

He is using FreeRADIUS and wants to use IPA's LDAP for performing
lookups inside radiusd in order to add an attribute to the Access-Accept
reply.

Radius profiles in LDAP are one way to do this, but it means adding
schema to 389ds.

My suggestion is to use IPA's ability to put users into groups. Then in
FreeRADIUS's unlang policy language use the group to add the attribute
to the reply. Something along the lines of this in the post-auth section
should do the trick (not 100% sure it's correct syntax):

post-auth {
    # The comparison triggers the ldap module's group lookup for the
    # user found in authorize; "xxx" is the IPA group name (cn).
    if (LDAP-Group == "xxx") {
        update reply {
            # Dictionary name of the Cisco VSA; FreeRADIUS matches it
            # case-insensitively.
            Cisco-AVPair = "shell:priv-lvl=15"
        }
    }
}

You'll need to look up the group in the authorize section with a search
crafted for IPA.

If there are a lot of different reply attributes this becomes cumbersome
and some type of extra schema would be needed, but if there are only a
handful of attributes putting it in the radius config is reasonable.
-- 
John
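A fuller version of the group-based approach described above, added here as an illustration and not taken from the thread or from FreeIPA or FreeRADIUS project files: the ldap module pointed at IPA's standard user and group containers, then the post-auth mapping from group membership to the Cisco reply attribute. FreeRADIUS 3.x module syntax is assumed (the 2013 thread predates it); the hostname ipa.example.com, the system account under cn=sysaccounts,cn=etc, the CA path /etc/ipa/ca.crt, the group names net-admins and net-ops, and the priv-lvl values are all illustrative. Nothing is added to the 389ds schema: the only data consulted is the memberOf attribute IPA already maintains on user entries.

```unlang
# --- mods-available/ldap (FreeRADIUS 3.x syntax assumed) ---------------
# Point the module at IPA's user and group containers so that
# LDAP-Group comparisons in unlang can resolve.
ldap {
    server = 'ipa.example.com'                      # assumed hostname

    # A read-only IPA system account is assumed. IPA's default ACIs let an
    # anonymous bind read memberOf, but a dedicated account is easier to
    # audit and to revoke.
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'
    password = 'change-me'
    base_dn = 'dc=example,dc=com'

    user {
        base_dn = "cn=users,cn=accounts,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "cn=groups,cn=accounts,${..base_dn}"
        filter = '(objectClass=posixGroup)'
        name_attribute = cn
        # IPA's memberOf plugin keeps this attribute current on the user
        # entry (nested groups included), so membership is read from the
        # user object instead of searching every group.
        membership_attribute = 'memberOf'
    }

    tls {
        # Keep the user bind (password check) off the wire in cleartext.
        start_tls = yes
        ca_file = /etc/ipa/ca.crt                   # assumed: IPA CA cert path
        require_cert = 'demand'
    }
}

# --- sites-available/default (relevant sections only) ------------------
server default {
    authorize {
        preprocess
        # Fetches the user entry and records its DN for the group lookup.
        ldap
        # Authenticate by binding to IPA as the user when a PAP password
        # was supplied.
        if ((ok || updated) && User-Password) {
            update control {
                Auth-Type := ldap
            }
        }
    }

    authenticate {
        Auth-Type ldap {
            ldap
        }
    }

    post-auth {
        # Group membership, not a per-user attribute, decides the privilege
        # level sent back to the NAS. Only the first matching branch runs,
        # so list the most privileged group first.
        if (LDAP-Group == "net-admins") {
            update reply {
                Cisco-AVPair += "shell:priv-lvl=15"
            }
        }
        elsif (LDAP-Group == "net-ops") {
            update reply {
                Cisco-AVPair += "shell:priv-lvl=7"
            }
        }
        else {
            # No AVPair: the device falls back to its own default level
            # rather than inheriting anything from a group typo.
            noop
        }
    }
}
```

Run `radiusd -X` and send a test request (for example with `radtest`) to watch the user search, the bind, and the `LDAP-Group` evaluation in the debug output; a user in neither group should get an Access-Accept with no Cisco-AVPair, which is the intended least-privilege default. The `+=` operator is used so that other policies can add further AVPairs without overwriting this one.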
