freeradius 3.0.13 LDAP - reply custom Vendor Specific
Paweł cit
pawelcit at gmail.com
Thu Nov 30 16:48:44 CET 2017
H and I are attributes required by IPMI to distinguish an admin user from
a read-only user. freeipa is used as a user database.
2017-11-30 16:42 GMT+01:00 Alan DeKok <aland at deployingradius.com>:
>
> > On Nov 30, 2017, at 10:34 AM, Paweł Cituk <pawelcit at gmail.com> wrote:
> >
> > In dictionary I have added:
> > ATTRIBUTE I 5003 string
> > ATTRIBUTE H 5004 string
>
> Don't do that.
>
> For one, adding single-letter attribute names is bad. You have NO IDEA
> what they mean. Use descriptive names. It's much more productive.
>
> On top of that, the comments in raddb/dictionary tell you what numbers
> to use, and why. The comments DON'T say "use numbers in the 5000 range".
>
> And, the comments in raddb/dictionary tell you which attributes can go
> into a RADIUS packet, and which can't.
>
> The dictionary entries you added above are NOT vendor specific
> attributes.
>
> And, you can't magically invent attributes, send them to the client, and
> have the client understand them. You can only send attributes that the
> client understands.
>
> What attributes are understood by the client? Go read the client
> documentation to see. There are tens of thousands of RADIUS clients, from
> thousands of different vendors, and we have no idea what each client can do.
>
> You also said:
>
> > I try to authenticate IPMI server through freeradius but it requires two
> > custom attributes (Vendor Specific) i.e. for admin H=4 and I=4.
>
> What does that mean? The link you posted to the freeipa.org page had
> *nothing* about "H=4" or "I=4".
>
> Alan DeKok.
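The distinction drawn in the reply above, between a plain dictionary attribute numbered 5003 and a real Vendor-Specific attribute, comes down to the RFC 2865 wire format. The following is an added example, not part of the thread and not FreeRADIUS code. The vendor ID 32473 (the IANA enterprise number reserved for documentation), vendor type 1 and value "4" are constructed placeholders; the real values must come from the client's documentation.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 section 5.26
EXAMPLE_VENDOR_ID = 32473   # assumption: IANA documentation PEN, not a real vendor

def encode_attr(attr_type, value):
    """Standard attribute: Type (1 octet), Length (1 octet), Value."""
    if not 1 <= attr_type <= 255:
        raise ValueError(f"type {attr_type} does not fit the one-octet Type field")
    if len(value) > 253:
        raise ValueError("value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vsa(vendor_id, vendor_type, value):
    """Type 26 attribute: 4-octet Vendor-Id, then the vendor TLV that
    RFC 2865 recommends (vendor type, vendor length, data)."""
    if not 0 <= vendor_id <= 0xFFFFFF:
        raise ValueError("Vendor-Id high-order octet must be 0")
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must be 1..255")
    if len(value) > 247:    # 253 minus Vendor-Id (4) and vendor TLV header (2)
        raise ValueError("vendor data longer than 247 octets")
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)

def decode_vsa(attr):
    """Return (vendor_id, [(vendor_type, data), ...]) for one type-26 attribute."""
    if len(attr) < 7 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < len(attr):
        if len(attr) - pos < 2 or attr[pos + 1] < 2 or pos + attr[pos + 1] > len(attr):
            raise ValueError("truncated vendor sub-attribute")
        subs.append((attr[pos], attr[pos + 2:pos + attr[pos + 1]]))
        pos += attr[pos + 1]
    return vendor_id, subs

if __name__ == "__main__":
    vsa = encode_vsa(EXAMPLE_VENDOR_ID, 1, b"4")   # constructed sample values
    print(vsa.hex(), decode_vsa(vsa))
    try:
        encode_attr(5003, b"4")   # the attribute number from the question
    except ValueError as err:
        print("rejected:", err)
```

A client only acts on a type-26 attribute whose Vendor-Id and vendor type it already knows, so the dictionary entry has to mirror the vendor's published definition.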