Re: OpenLDAP and Radius and Cisco attributes

[Dan White <dwhite@olp.net>]

On 27/09/10 11:06 -0400, Francois Gelinas wrote:
> Full_Name: Francois Gelinas
> Version: 2.3.27
> OS: RedHat Enterprise Linux 5
> URL:
> Submission from: (NULL) (216.252.95.98)
>
>
> I'm lookling for a Cisco LDAP Schema for Radius, i need to pass Cisco
> propriatary attributes back to my radius server and i want to store them
> into ldap.
>
> Here's the list of cisco attributes i am talking about:
> http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_
> for_windows/4.2.1/User_Guide/A_RADAtr.html
>
> I could try to create one myself but how can i get the number to create the
> entry (like this in pureftpd.schema)
>
> attributetype ( 1.3.6.1.4.1.6981.11.3.1 NAME 'FTPQuotaFiles'

Francois,

Which RADIUS server are you using?

I've had success implementing the cisco-avpair attribute with FreeRADIUS
by using just the freeradius.schema. Presumably any other attribute could
be implemented in a similar way, assuming that there's a corresponding
dictionary file installed within FreeRADIUS. See the 'dictionary.cisco*'
files distributed with FreeRADIUS for a list of attributes that should work
out of the box.

With the freeradius schema, any Cisco dictionary attribute can be
implemented via the radiusReplyItem LDAP attribute. For instance:

dn: cn=priv-15,ou=cisco,ou=radius,dc=example,dc=com
objectClass: radiusObjectProfile
objectClass: radiusprofile
cn: priv-15
radiusReplyItem: cisco-avpair = "shell:priv-lvl=15"

If you really want to create your own schema (which wouldn't be necessary
with the above approach), I'd recommend registering an enterprise number
with IANA, which you could then use to create your own globally unique
schema hierarchy underneath:

1.3.6.1.4.1.<your enterprise number>.x...

--
Dan White