Map LDAP Attribute to RADIUS Attribute
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jul 19 17:09:08 CEST 2006
Thibault Le Meur wrote:
>> with no luck. I also modified the "attrs" file to include this
>> attribute:
>>
>> But no luck there either. Any help is greatly appreciated.
>
> Yes, but I don't think you can create a new Radius attribute like this. You
> should at least declare it in a dictionary (since a Radius attribute
> corresponds to a number in fact).
>
> See /etc/raddb/dictionary and any included files.
>
> Can anyone confirm my analysis and propose a procedure to create new
> attributes?

Correct, attributes are created by editing the dictionary. The "attrs"
file is for the proxy attribute filtering module.

> Isn't it necessary to register new attributes/number somewhere? Is it

Yes in principle - you can obtain an enterprise number, then in
dictionary do:

    VENDOR MyName MyEnterpriseNumber
    ATTRIBUTE My-Attribute-1 1 string MyName
    ATTRIBUTE My-Attribute-2 2 ipaddr MyName

...however, burning through the limited number of enterprise numbers for
one attribute is a bit wasteful.

> possible to define "private attributes"?

Yes. Attributes sent over the wire should be either existing, registered
attributes, or vendor-specific attributes, using an IANA enterprise
number if need be.

However if you're *certain* the client and server will never leave your
network, then you can re-use any number you like.

Better yet is to use an existing attribute - it is highly unlikely
you're doing something no-one else has ever done.

What is the client? Can you use the "Class" attribute, which is intended
exactly for this?
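
Added example, not part of the original message or of FreeRADIUS: a Python sketch that parses dictionary lines in the format shown above and encodes a value as an RFC 2865 Vendor-Specific attribute (type 26), showing where the enterprise number and the per-vendor attribute number end up on the wire. The enterprise number 32473 is the one reserved for documentation by RFC 5612; the helper names and sample values are assumptions made for the illustration.

```python
import ipaddress
import struct

# Constructed dictionary text in the format shown in the message above.
# 32473 is the enterprise number reserved for documentation (RFC 5612).
SAMPLE_DICT = """\
VENDOR      MyName          32473
ATTRIBUTE   My-Attribute-1  1   string  MyName
ATTRIBUTE   My-Attribute-2  2   ipaddr  MyName
"""

def parse_dictionary(text):
    """Return {attr_name: (enterprise_number, vendor_type, datatype)}."""
    vendors, attrs = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blanks
        if not fields:
            continue
        if fields[0] == "VENDOR" and len(fields) >= 3:
            vendors[fields[1]] = int(fields[2])
        elif fields[0] == "ATTRIBUTE" and len(fields) == 5:
            name, number, datatype, vendor = fields[1:]
            if vendor not in vendors:
                raise ValueError(f"{name}: VENDOR {vendor} not declared")
            attrs[name] = (vendors[vendor], int(number), datatype)
    return attrs

def encode_vsa(attrs, name, value):
    """Encode one attribute as a Vendor-Specific (type 26) AVP."""
    pen, vtype, datatype = attrs[name]
    if datatype == "string":
        data = value.encode("utf-8")
    elif datatype == "ipaddr":
        data = ipaddress.IPv4Address(value).packed
    else:
        raise ValueError(f"unsupported type {datatype}")
    if not 1 <= vtype <= 255:
        raise ValueError("vendor attribute number must fit in one octet")
    if len(data) > 247:  # 255 - 2 (outer header) - 4 (vendor id) - 2 (inner)
        raise ValueError("value too long for a single VSA")
    # Inner sub-attribute: vendor type, vendor length, value.
    inner = struct.pack("!BB", vtype, 2 + len(data)) + data
    # Outer attribute: type 26, total length, 4-octet enterprise number.
    return struct.pack("!BBI", 26, 6 + len(inner), pen) + inner

ATTRS = parse_dictionary(SAMPLE_DICT)
```
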