Sponsored development rlm_ldap and ocsp
John Dennis
jdennis at redhat.com
Tue Aug 24 17:58:48 CEST 2010
On 08/24/2010 10:37 AM, Alan DeKok wrote:
> John Dennis wrote:
>> I think folks would appreciate the functionality in 2.1.10 so I would
>> agree to adding it to 2.1.10. However I would argue that would be
>> dependent on getting the schema reviewed first. Nothing worse than
>> having a schema get out into the field, have folks start using it and
>> then discover it needs to be modified.
>
> Yup. But I don't think many people are competent to review the
> schema. From what I know of LDAP, it looks reasonable.
>
>> Does FreeRADIUS have a block of OID's?
>
> Yes. The 11344 private enterprise code has been assigned to FreeRADIUS.
>
>> Are the client values case sensitive?
>
> The secret, nastype, nas password, and virtual server names are case
> sensitive. The other fields are used only for printing, not for
> lookups. So they can be case insensitive, as they don't matter.
O.K. I'll update the 389_ds_schema.ldif to use the FreeRADIUS oid's for
*all* the attributes. Set the syntax to utf-8 and make the above values
case sensitive, the other insensitive for the new client stuff.
There are other radius attributes in the schema which have been there
for a while, not sure where they originated. I wonder if they should
also be reviewed to check if they should be IA5 or UTF-8 and their case
sensitivity. I think you might have the best immediate understanding of
how these attributes are getting used with RADIUS and if their
definition is correct. For instance most of them are defined to be IA5
(1.3.6.1.4.1.1466.115.121.1.26). IA5 is almost equivalent to ASCII (see
http://www.zytrax.com/tech/ia5.html). One would hope the days of IA5 are
behind us. Then there are other attributes which are defined as IA5
strings which seems dubious to me, for example IdleTimeout and a couple
of port specifications (should be integer?) and a number of attributes
when appear to be booleans (but are defined as strings).
Finally are all these attributes still in use or are they legacy cruft?
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeradius-Devel
mailing list