On Mon, 22 Mar 2004, Robert Banniza wrote:

> On Fri, Mar 19, 2004 at 06:35:17PM +0200, Kostas Kalevras wrote:
> > On Fri, 19 Mar 2004, Robert Banniza wrote:
> >
> > > In looking at the dictionary.juniper file, I notice there are 5
> > > attributes in this file:
> > >
> > > ATTRIBUTE       Juniper-Local-User-Name         1       string  Juniper
> > > ATTRIBUTE       Juniper-Allow-Commands          2       string  Juniper
> > > ATTRIBUTE       Juniper-Deny-Commands           3       string  Juniper
> > > ATTRIBUTE       Juniper-Allow-Configuration     4       string  Juniper
> > > ATTRIBUTE       Juniper-Deny-Configuration      5       string  Juniper
> > >
> > > With that said, I'm using OpenLDAP to authenticate and would also like
> > > to use LDAP to control who has access to which commands within JUNOS.
> > > Therefore, can I place these attributes in my OpenLDAP ldif and have
> > > radius read them....In doing this, don't these attributes need to be
> > > defined within the RADIUS-LDAPv3.schema or some other schema? Is anyone
> > > doing this currently to show me where I need to go next? I have searched
> > > the web and there is little info on Juniper/Freeradius.
> >
> > You can either define a few new ldap attributes for the corresponding Juniper
> > RADIUS attributes and add them to your ldap schema.
> > Or you can use the generic attributes provided in the current schema:
> >
> > radiusReplyItem: Juniper-Local-User-Name := <username>
> >
> > and so on
>
> I'm not sure I'm following you...Let's say I want to add the
> Juniper-Allow-Commands and Juniper-Deny-Commands to my user's profile
> within OpenLDAP. Wouldn't I have to define these attributes within some
> LDAP schema whether it be in the RADIUS-LDAPv3.schema or some other
> schema in order for OpenLDAP to know how to interpret the attribute? I

Yes, you need to add the RADIUS-LDAPv3 schema to your openldap server in order to
be able to use the attributes contained in the schema file.

> guess the knowledge gap I'm having is to determine how/where to make
> Freeradius understand these attributes within OpenLDAP the same way
> Freeradius knows about these attributes through the dictionary.juniper
> file. Along those same lines, in which file do I put "radiusReplyItem:
> Juniper-Local-User-Name := <username>"?

This is what you'll put in the user *ldap entry*, not in any file. You just add
the radius schema to your ldap server in order to be able to use the
corresponding attributes and then you can add those attributes in your users'
ldap entries.

>
> Thanks
> Robert
>
> >
> > >
> > > Thanks
> > >
> > > Robert
> > >
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >
> >
> > --
> > Kostas Kalevras             Network Operations Center
> > [EMAIL PROTECTED]   National Technical University of Athens, Greece
> > Work Phone:         +30 210 7721861
> > 'Go back to the shadow'     Gandalf
> >
> >
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
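
The approach described in this reply, as an added example that is not part of the original thread: an `ldapmodify` change that puts the Juniper reply attributes into one user's LDAP entry through the generic `radiusReplyItem` attribute. The DN, the template user name `operator` and the command regular expressions are constructed placeholders, and it assumes the installed RADIUS-LDAPv3 schema allows `radiusprofile` to be added to the existing entry.

```ldif
# Constructed example: DN, template user and regex values are placeholders.
# Apply with ldapmodify after the RADIUS-LDAPv3 schema is loaded in OpenLDAP.
# Each radiusReplyItem value is one "Attribute := value" pair; the attribute
# names on the left are the ones FreeRADIUS knows from dictionary.juniper.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: radiusprofile
-
add: radiusReplyItem
radiusReplyItem: Juniper-Local-User-Name := "operator"
radiusReplyItem: Juniper-Allow-Commands := "^show (interfaces|route)"
radiusReplyItem: Juniper-Deny-Commands := "^(request|restart|configure)"
```

Keeping the allow pattern narrow and anchored with `^` limits each user to the commands they actually need, and because the values live in the directory, write access to `radiusReplyItem` should be restricted by LDAP ACLs to the administrators who manage router privileges.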
