Sponsored development rlm_ldap and ocsp

Alan DeKok aland at deployingradius.com
Tue Aug 24 16:18:13 CEST 2010


John Dennis wrote:
> Attached is a git format patch which adds support for storing clients in
> LDAP. The necessary schema can be found in
> doc/examples/389_ds_schema.ldif. This is schema ldif file suitable for
> use with 389-ds (the standard LDAP server shipped with Fedora and RHEL
> which over the years with different versions has been known under a
> variety of names, Netscape Directory Server, iPlanet, Sun Directory
> Server, Red Hat Directory Server, Fedora Directory server).
> 
> The patch was against the 2.1.10 branch. Here are a few quick notes.

  Any thoughts on adding it to 2.1.10?

> * It's had only light testing, but seems to work O.K. It should probably
> be tested with different combinations of client specification.
> 
> * I did add support for COA, but that's not tested.

  <g>  Sure.

> * When I was looking at the schema I noticed the OID's which are being
> used (in each of the schema files I looked at) are not registered and do
> not belong to FreeRADIUS (they belong to the GNOME name space and I
> believe the reason for that is GNOME had a block of OID's and for
> expediency they were "borrowed"). I did not update the other ldap schema
> files in the patch, the new schema should be reviewed first. The new
> attributes and object classes should then be merged into the other
> schema files.

  Yes.

> * The code to parse a client IP address is now duplicated in three
> places in the server, in client.c when reading the clients file, in
> rlm_sql.c and rlm_ldap.c. The code should probably be refactored so
> there is a common subroutine to do this.

  Yes.  That's a low priority, however.

> * The schema should be reviewed. One thing that immediately came to my
> mind was case sensitivity; right now the matching rules are case
> insensitive. Also the strings are defined to be ASCII (actually IA5).
> Perhaps the strings should be UTF-8 case sensitive. But that's less
> important than making sure the right attributes and object classes are
> defined and their naming makes sense.

  I agree.

> * The attribute names are hard coded in the source, but that's
> consistent with how the rest of rlm_ldap works, but that does mean
> you're tied to using the supplied schema.

  Yes.  Changing the attribute names is easy enough to do later.

> * I followed the existing indentation (each indent level is a tab
> character) which I personally dislike (I would prefer to see an indent
> of 4 spaces). I added an emacs configuration comment so anyone who opens
> the files with emacs will end up indenting with a tab character just so
> it stays consistent. FWIW rlm_ldap needs some love in other places,
> possibly a minor rewrite, formatting can be addressed then.

  rlm_ldap needs some work.  So does rlm_sql.  Oh well.

  Alan DeKok.
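
The thread mentions that the client IP address parsing is duplicated in client.c, rlm_sql.c and rlm_ldap.c and should become one shared subroutine. The following is an added example of what such a helper could look like; it is not code from the patch or from FreeRADIUS. It assumes IPv4 only and a value of the form `a.b.c.d` or `a.b.c.d/nn`; the function names `client_ipv4_parse`, `client_ipv4_contains` and `client_ipv4_match` are hypothetical, and the addresses in `main` are constructed.

```c
/* Added example (not from the patch or from FreeRADIUS): one helper that
 * parses a client address such as "192.0.2.1" or "192.0.2.0/24" so that
 * every caller (clients file, SQL, LDAP) validates it the same way.
 * Assumes IPv4 only; rejects missing, non-numeric or out-of-range prefixes. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

typedef struct client_ipv4 {
    struct in_addr addr;   /* network address, host bits already cleared */
    int            prefix; /* 0..32 */
} client_ipv4_t;

/* Network-byte-order mask for a prefix length, avoiding a 32-bit shift. */
static uint32_t prefix_mask(int prefix)
{
    if (prefix <= 0) return 0;
    return htonl((uint32_t)(0xffffffffUL << (32 - prefix)));
}

/* Returns 0 on success, -1 on malformed input. A missing "/nn" means /32.
 * Host bits below the prefix are cleared, so "192.0.2.77/24" and
 * "192.0.2.0/24" yield the same network address. */
int client_ipv4_parse(const char *str, client_ipv4_t *out)
{
    char buf[INET_ADDRSTRLEN + 4]; /* "255.255.255.255/32" plus NUL */
    char *slash, *end;
    long prefix = 32;

    if (!str || !out || strlen(str) >= sizeof(buf)) return -1;
    strcpy(buf, str);

    slash = strchr(buf, '/');
    if (slash) {
        *slash++ = '\0';
        /* Require at least one digit: rejects "/", "/ 24" and "/+24". */
        if (*slash < '0' || *slash > '9') return -1;
        errno = 0;
        prefix = strtol(slash, &end, 10);
        if (errno || *end != '\0' || prefix < 0 || prefix > 32) return -1;
    }

    if (inet_pton(AF_INET, buf, &out->addr) != 1) return -1;

    out->addr.s_addr &= prefix_mask((int)prefix);
    out->prefix = (int)prefix;
    return 0;
}

/* 1 when src falls inside the client's prefix, 0 otherwise. */
int client_ipv4_contains(const client_ipv4_t *client, const struct in_addr *src)
{
    return (src->s_addr & prefix_mask(client->prefix)) == client->addr.s_addr;
}

/* Convenience wrapper: 1 = match, 0 = no match, -1 = either string invalid. */
int client_ipv4_match(const char *client_spec, const char *src_str)
{
    client_ipv4_t client;
    struct in_addr src;

    if (client_ipv4_parse(client_spec, &client) != 0) return -1;
    if (inet_pton(AF_INET, src_str, &src) != 1) return -1;
    return client_ipv4_contains(&client, &src);
}

int main(void)
{
    /* Constructed sample values (documentation range 192.0.2.0/24). */
    const char *specs[] = { "192.0.2.0/24", "192.0.2.1", "192.0.2.1/33", "192.0.2.1/" };
    size_t i;

    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
        int rc = client_ipv4_match(specs[i], "192.0.2.200");
        printf("%-14s -> %s\n", specs[i],
               rc < 0 ? "invalid" : rc ? "match" : "no match");
    }
    return 0;
}
```

Centralising the parser this way also means a single place to tighten validation later (for example rejecting a prefix with host bits set, or adding IPv6), rather than three copies that drift apart.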
