freeradius 3.0.13 LDAP - reply custom Vendor Specific
Alan DeKok
aland at deployingradius.com
Thu Nov 30 17:39:16 CET 2017
> On Nov 30, 2017, at 11:17 AM, Paweł cit <pawelcit at gmail.com> wrote:
>
> I have a feeling that you mistook Supermicro's IPMI for freeIPA. Am I
> right?

I have no idea what you're doing. I can only go by what you say. If what you say is confusing (and it is), then... that's to be expected.

> freeradius is just using freeipa's user database. I try to configure
> freeradius to work with IPMI. My problem is similar to this:
> http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080240.html
> I still have no idea how to connect IPMI to freeradius. In Supermicro's
> documentation there's only:
>
> 2.2. Configuring User information
> #vi /etc/raddb/users
>
> Example:
> myuser Auth-Type :=Local, User-Password == "123456"
> Vendor-Specific = "H=4, I=4"

Oh god, THAT shit again? I should find the SuperMicro people and slap them. That's a *stupid* thing to do, which violates all of the RADIUS RFCs.

It's really quite simple then. You use THAT EXAMPLE to send the data back. You DON'T edit the dictionaries.

> In my case the difference is that I have users in LDAP, not in a file.

So you need to configure the attribute "Vendor-Specific" as an LDAP reply, with contents "H=4,I=4"

The LDAP module documentation describes how to configure reply attributes. Follow that.

If you can't send "Vendor-Specific" back as-is (and I think you can't), you will need to use raw attributes.

i.e. use "Attr-26" as the attribute name, and a hex string as the contents. The hex string should be the hex version of the "H=4, I=4" string.

e.g. Attr-26 = 0x48....
and convert the rest of the string to hex.

Alan DeKok.
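
The hex conversion described in the message above, as an added example that is not part of the original post or of FreeRADIUS: it builds the raw `Attr-26` value for the string in the quoted Supermicro example and shows one concrete way that bare string differs from the Vendor-Specific layout in RFC 2865 (4-octet Vendor-Id with a zero high-order octet, then vendor-type/vendor-length/data). The function names are hypothetical, and the well-formed comparison value uses 32473, the enterprise number reserved for documentation, as an assumed vendor.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type (RFC 2865, section 5.26)

def raw_attr26(text):
    """Hex string to place after 'Attr-26 =' for the given ASCII text."""
    return "0x" + text.encode("ascii").hex()

def wire_attribute(value):
    """Attribute as it appears in the reply: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("a RADIUS attribute value is at most 253 octets")
    return bytes([VENDOR_SPECIFIC, len(value) + 2]) + value

def vsa_problems(value):
    """Reasons `value` is not laid out as RFC 2865 describes; [] if it is."""
    if len(value) < 5:
        return ["shorter than a 4-octet Vendor-Id plus data"]
    problems = []
    (vendor_id,) = struct.unpack("!I", value[:4])
    if vendor_id >> 24:
        problems.append("Vendor-Id high-order octet is 0x%02x, not 0" % value[0])
    pos = 4  # recommended (SHOULD) layout: vendor-type, vendor-length, data
    while pos < len(value):
        vlen = value[pos + 1] if pos + 1 < len(value) else 0
        if vlen < 2 or pos + vlen > len(value):
            problems.append("sub-attribute at offset %d has bad length %d" % (pos, vlen))
            break
        pos += vlen
    return problems

# Constructed inputs: the string from the quoted Supermicro example, and the
# same string wrapped as a VSA under the documentation enterprise number 32473.
SUPERMICRO_TEXT = "H=4, I=4"
WELL_FORMED = (struct.pack("!I", 32473)
               + bytes([1, 2 + len(SUPERMICRO_TEXT)])
               + SUPERMICRO_TEXT.encode("ascii"))

if __name__ == "__main__":
    print("Attr-26 =", raw_attr26(SUPERMICRO_TEXT))
    print("on the wire:", wire_attribute(SUPERMICRO_TEXT.encode("ascii")).hex())
    print("bare string:", vsa_problems(SUPERMICRO_TEXT.encode("ascii")))
    print("well-formed VSA:", vsa_problems(WELL_FORMED))
```

The string with the space and the one without it ("H=4,I=4") encode to different hex, so convert exactly the string the device expects.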