On Mon, 22 Mar 2004, Robert Banniza wrote:

> I'm not sure I'm following you...Let's say I want to add the
> Juniper-Allow-Commands and Juniper-Deny-Commands to my user's profile
> within OpenLDAP. Wouldn't I have to define these attributes within some
> LDAP schema whether it be in the RADIUS-LDAPv3.schema or some other
> schema in order for OpenLDAP to know how to interpret the attribute?

I can't talk about how freeradius interprets the juniper values, but
openldap will need to have attribute and objectclass definitions to match what
juniper has most likely. I am not that familiar with much about Juniper or
FreeRadius but I have been working with ldap some.

http://www.juniper.net/techpubs/software/management/sdx/sdx400/sw-sdx-install/html/sw-sdx-installTOC.html
Search down to OpenLDAP; they have instructions on how to load the
OpenLDAP server. I assume that installs the schema too, which is what
defines all the Juniper attributes for you, and you should be off to the
races with the correct attributes and objectclasses.

The rest of this is crap I wrote if you have to do it the hard way, which
it doesn't look like you do, but I am including it so _I_ don't forget what
I am doing.

Another way to get these is to set up the Juniper LDAP server and
perform an ldapsearch on their database equivalent to a dump of the
database into LDIF format. I don't know how well Juniper's LDAP server will
respond to that. Sun's responded fairly well. You might poke around and
find a schema or an LDIF file in the Juniper install media too.

Basically you need a lot of the attributes like on:
http://www.juniper.net/techpubs/software/management/sdx/sdx310/sdx310-sw-developer/html/ldap-object-mapping6.html

You need to figure out what they are looking for as the attribute syntax,
since you need the long number representation of it, but you can cross
reference from http://www.faqs.org/rfcs/rfc2252.html (section 4.3.2 lists
them).

The rest of it is fairly straightforward if you look at another schema.
The object identifier (OID) number _technically_ just has to be unique,
but they supply one for you. I would use it, if only because you won't
have to worry about getting stuff mixed up if you try to do something else
with the server. (Technically the Juniper ones should be registered and
unique.) You will find examples of the syntax of the matching rules in
the OpenLDAP schema.

It isn't particularly hard, just tedious as all hell.

Sean


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
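An added sanity check, not from the list post: a Python script that checks a hand-written OpenLDAP schema fragment for the things the reply lists, namely unique OIDs, a SYNTAX given as one of the long-number RFC 2252 section 4.3.2 syntaxes, and objectclass MAY/MUST lists that only name defined attributes. The 1.3.6.1.4.1.99999 OID arc, the `juniperRadiusProfile` objectclass and the matching rules are placeholders of my own, not Juniper's registered definitions.

```python
import re

# Subset of the RFC 2252 section 4.3.2 syntax OIDs (the "long number" form slapd wants).
RFC2252_SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5 String",
    "1.3.6.1.4.1.1466.115.121.1.27": "INTEGER",
}

# Constructed OpenLDAP .schema fragment. The 1.3.6.1.4.1.99999 arc and the
# objectclass name are placeholders, not Juniper's registered definitions.
SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'Juniper-Allow-Commands'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'Juniper-Deny-Commands'
    EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'juniperRadiusProfile'
    SUP top AUXILIARY
    MAY ( Juniper-Allow-Commands $ Juniper-Deny-Commands ) )
"""

# One definition: kind, OID, NAME and the rest of the body up to the closing paren.
DEF_RE = re.compile(
    r"(attributetype|objectclass)\s*\(\s*([\d.]+)\s+NAME\s+'([^']+)'(.*?)\)\s*$",
    re.DOTALL | re.MULTILINE)

def check_schema(text):
    """Return problems found; empty list = OIDs unique, syntaxes known, MAY/MUST resolvable."""
    problems, seen = [], {}
    defs = DEF_RE.findall(text)
    attrs = {name for kind, _, name, _ in defs if kind == "attributetype"}
    for kind, oid, name, body in defs:
        if oid in seen:  # an OID only has to be unique, but it does have to be unique
            problems.append(f"{name}: OID {oid} already used by {seen[oid]}")
        seen[oid] = name
        if kind == "attributetype":
            m = re.search(r"SYNTAX\s+([\d.]+)", body)
            if not m or m.group(1) not in RFC2252_SYNTAXES:
                problems.append(f"{name}: SYNTAX missing or not an RFC 2252 4.3.2 syntax")
        else:  # every attribute an objectclass lists must be defined or slapd rejects the schema
            for m in re.finditer(r"\b(MAY|MUST)\s*(\([^)]*\)|\S+)", body):
                for ref in m.group(2).strip("() ").split("$"):
                    if ref.strip() not in attrs:
                        problems.append(f"{name}: {m.group(1)} lists undefined {ref.strip()}")
    return problems

if __name__ == "__main__":
    print(check_schema(SCHEMA) or "schema fragment looks sane")
```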