Thanks a bunch John -- very helpful. You are probably correct that short term I can possibly get away with just the bind -- I wasn't fully aware I could do that. Nonetheless I'd still be interested in the schema you're using in IPA as there is a good chance that may be where I go with our authentication and such down the road... definitely been anxious to try it, just been waiting for it to mature a bit. :-)

Send me your schema when you get a chance if you'd be so kind, and thanks again.
-Jeff
----- Original Message -----
From: "John Dennis" <jdennis(a)redhat.com>
To: fedora-directory-users(a)redhat.com
Cc: freeipa-devel(a)redhat.com, "Jeff Fishbaugh" <jeff(a)collectiveintellect.com>
Sent: Wednesday, December 5, 2007 5:18:23 PM (GMT-0700) America/Denver
Subject: Re: [Freeipa-devel] [Fwd: [Fedora-directory-users] Integrating RADIUS schema in Fedora-ds]
Not sure if this is the best place to ask this but have been looking for some decent documentation on integrating RADIUS schema into Fedora-ds so I can authenticate against my directory. Tons of docs on doing the same with OpenLDAP, but slim to none with Fedora-ds (btw -- I do know about freeipa, but I'm not using it).

I see my RADIUS schema object classes as radiusprofile and radiusobjectprofile; however, I cannot seem to figure out how to get these integrated into my directory properly to use it with RADIUS. If I look at my 'additional indexes' I only can add radiusprofile indexes such as radiusframedmtu. Would seem I am going to need to get radiusobjectprofile and its related indexes (uid, userPassword) in there if this is to work for authentication.

Can anyone point me in the right direction with getting RADIUS schema properly integrated into my directory so I can point RADIUS at it and use it for user authentication? I'm also a bit curious on the DESC field being blank for all the OIDs and whether they should go or be populated with info similar to the OID name.

Appreciate any and all answers. Thank you...
I can send you the radius profile directory server schema we're using in IPA. But the larger question is why do you think you need the schema in the first place? You state all you want to do is authenticate against DS, which means all you are doing is a bind, and most likely only a simple bind with a plain text password. To accomplish that you'll need to enable ldap in the authenticate section of /etc/raddb/radiusd.conf. I believe you'll need to move ldap to be above any other plain text password authentication mechanisms in the authenticate section so the ldap module gets first crack, or disable the other mechanisms. In the modules section you'll also need to set your basic ldap parameters, e.g. server, filter, etc. The filter will need to be able to locate a user by performing a search. The user's dn is derived from the successful search result and that dn is then used to perform the bind with the password found in the request auth packet. None of this requires schema.

If however you want to manage profiles with radius attribute/value pairs then you'll need the schema, but that doesn't sound like what you're asking for.

In any event, let me know if you want the schema, I'll send it to you.
--
John Dennis <jdennis(a)redhat.com>
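As an added illustration (not from either message in the thread), here is a FreeRADIUS 1.x style radiusd.conf fragment showing the bind-only setup John describes: an ldap module with server and filter, and ldap placed in front of the other plain-text mechanisms in authenticate. The host, DNs and search account are placeholders.

```conf
# Constructed example: bind-only authentication against Fedora DS.
# No RADIUS schema is loaded on the directory; only uid and a bindable
# userPassword are needed on the user entries.
modules {
	ldap {
		server = "ds.example.com"                          # placeholder host
		# Service account used only for the user search. Omit both lines if
		# the directory allows anonymous search of the people subtree.
		identity = "cn=radius-search,ou=services,dc=example,dc=com"
		password = "search-account-password"
		basedn = "ou=people,dc=example,dc=com"
		# The search that locates the user. The DN of the matching entry is
		# then used for a simple bind with the password from the Access-Request.
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		# The user's clear-text password crosses the wire to DS during the
		# bind, so wrap the connection in TLS.
		start_tls = yes
		tls_cacertfile = /etc/raddb/certs/ds-ca.pem          # placeholder path
		ldap_connections_number = 5
		timeout = 4
		timelimit = 3
		net_timeout = 1
	}
}

authorize {
	preprocess
	suffix
	# With no password attribute fetched from the directory, rlm_ldap sets
	# Auth-Type = LDAP, which routes the request to the bind path below.
	ldap
	files
}

authenticate {
	# ldap is the mechanism that gets the clear-text password. pap and unix
	# are left disabled so no other plain-text check is reached first.
	Auth-Type LDAP {
		ldap
	}
	#pap
	#unix
}
```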