Sponsored development rlm_ldap and ocsp

John Dennis jdennis at redhat.com
Fri Aug 20 18:43:17 CEST 2010

Attached is a git format patch which adds support for storing clients in 
LDAP. The necessary schema can be found in 
doc/examples/389_ds_schema.ldif. This is a schema ldif file suitable for 
use with 389-ds (the standard LDAP server shipped with Fedora and RHEL 
which over the years with different versions has been known under a 
variety of names: Netscape Directory Server, iPlanet, Sun Directory 
Server, Red Hat Directory Server, Fedora Directory Server).

The patch was against the 2.1.10 branch. Here are a few quick notes.

* It's had only light testing, but seems to work O.K. It should probably 
be tested with different combinations of client specification.

* I did add support for COA, but that's not tested.

* When I was looking at the schema I noticed the OIDs which are being 
used (in each of the schema files I looked at) are not registered and do 
not belong to FreeRADIUS (they belong to the GNOME name space, and I 
believe the reason for that is GNOME had a block of OIDs and for 
expediency they were "borrowed"). I did not update the other ldap schema 
files in the patch; the new schema should be reviewed first. The new 
attributes and object classes should then be merged into the other 
schema files.

* The code to parse a client IP address is now duplicated in three 
places in the server: in client.c when reading the clients file, in 
rlm_sql.c and in rlm_ldap.c. The code should probably be refactored so 
there is a common subroutine to do this.

* The schema should be reviewed. One thing that immediately came to my 
mind was case sensitivity; right now the matching rules are case 
insensitive. Also the strings are defined to be ASCII (actually IA5). 
Perhaps the strings should be UTF-8 case sensitive. But that's less 
important than making sure the right attributes and object classes are 
defined and their naming makes sense.

* The attribute names are hard coded in the source, but that's 
consistent with how the rest of rlm_ldap works; it does mean 
you're tied to using the supplied schema.

* I followed the existing indentation (each indent level is a tab 
character) which I personally dislike (I would prefer to see an indent 
of 4 spaces). I added an emacs configuration comment so anyone who opens 
the files with emacs will end up indenting with a tab character just so 
it stays consistent. FWIW rlm_ldap needs some love in other places, 
possibly a minor rewrite; formatting can be addressed then.

Have fun, hope this helps ...


John Dennis <jdennis at redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Load-clients-from-LDAP.patch
Type: text/x-patch
Size: 26223 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20100820/47810e53/attachment.bin>