Mac Auth against LDAP

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Aug 26 11:12:29 CEST 2013


On 24 Aug 2013, at 10:00, Nikolaos Milas <nmilas at noa.gr> wrote:

> On 23/8/2013 9:19 PM, Arran Cudbard-Bell wrote:
> 
>> It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that information.
> 
> Thanks Arran,
> 
> It was NAS-Port indeed. Strangely enough, this is not included either in ldap.attrmap or the freeradius schema. Shouldn't it (and other attributes missing from ldap.attrmap and freeradius schema but defined in RFC 2865, like NAS-Port-Type) be included at least in future FreeRadius releases? Or is there a particular reason for which they were not included?

No, they should not be included in future releases.  It is inefficient to check for the presence of hundreds of attributes in the retrieved object.

The generic attribute format supported in both 2.0.0 and 3.0.0 allows you to map any attribute present in the FreeRADIUS dictionary, and even specify the operator used to add them to the various lists.

You can, of course, also use generic attributes as part of filters.

> In any case, could I include the (desired) NAS-Port value in another (seemingly unused) attribute of the FreeRadius Schema, like radiusHint (which -if I understand right- has a suitable syntax: IA5 String), for which I guess I should also add an entry in ldap.attrmap (because there is no radiusHint attribute mapping therein), like:
> 
>   checkItem NAS-Port      radiusHint

Either update the schema for your installation, or use the generic attribute mapping and do the comparisons server side.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team


