The RADIUS attributes and values defined in all of the dictionary files provided with the Sun Directory Services are mapped onto LDAP attributes. This mapping is defined in /etc/opt/SUNWconn/ldap/current/mapping/radius.mapping.
Because there is a one-to-one correspondence between RADIUS attributes and LDAP attributes, the mapping syntax is very simple. You can easily add proprietary RADIUS attributes to the default mapping provided with Sun Directory Services.
The RADIUS server uses the radius.mapping file to translate the attributes in a request into the LDAP attributes it searches for in the directory.
Table 7-2 shows the one-to-one correspondence between RADIUS attributes and LDAP attributes. The table also indicates the origin of each RADIUS attribute. There are three kinds of RADIUS attributes:
- Standard attributes
- Vendor-specific attributes
- Sun Directory Services attributes
Standard RADIUS attributes are specified in RFC 2138, Remote Authentication Dial In User Service (RADIUS), and RFC 2139, RADIUS Accounting. Vendor-specific attributes are defined by NAS vendors and supplied in the dictionary file they provide with the equipment.
The LDAP attributes for the RADIUS service are specified in the schema attribute file dsserv.at.conf, under the section heading "Sun RADIUS Attributes". They are also listed in the schema object class file dsserv.oc.conf, under the comment line "Object classes for RADIUS".
The Sun Directory Services attributes are described in "Attribute Reference". They represent RADIUS user profiles, and dynamic accounting parameters.
Table 7-2 RADIUS-to-LDAP Attribute Mapping

| RADIUS attribute | Origin | LDAP attribute |
|---|---|---|
| User-Name | RFC 2138 | uid |
| Crypt-Password | Sun Directory Services | userPassword |
| CHAP-Password | RFC 2138 | chapPassword |
| NAS-IP-Address | RFC 2138 | ipHostNumber |
| NAS-Identifier | RFC 2138 | authNASidentifier |
| NAS-Port | RFC 2138 | authHostPortNumber |
| Service-Type | RFC 2138 | authServiceProtocol |
| Framed-Protocol | RFC 2138 | framedProtocol |
| Framed-IP-Address | RFC 2138 | framedIPAddress |
| Framed-IP-Netmask | RFC 2138 | ipNetmaskNumber |
| Framed-Routing | RFC 2138 | framedRouting |
| Filter-Id | RFC 2138 | authFilterId |
| Framed-MTU | RFC 2138 | framedMTU |
| Framed-Compression | RFC 2138 | framedCompression |
| Login-IP-Host | RFC 2138 | ipLoginHost |
| Login-Service | RFC 2138 | authLoginService |
| Login-TCP-Port | RFC 2138 | ipLoginPort |
| Reply-Message | RFC 2138 | authReplyMessage |
| Callback-Number | RFC 2138 | userCallbackNumber |
| Callback-Id | RFC 2138 | userCallbackId |
| Framed-Route | RFC 2138 | framedRoute |
| Framed-IPX-Network | RFC 2138 | ipxNetworkNumber |
| State | RFC 2138 | authState |
| Session-Timeout | RFC 2138 | sessionTimeoutNumber |
| Idle-Timeout | RFC 2138 | idleTimeoutNumber |
| Termination-Action | RFC 2138 | authTerminationAction |
| Called-Station-Id | RFC 2138 | authCalleddStationId |
| Calling-Station-Id | RFC 2138 | authCallingStationId |
| NAS-Port-Type | RFC 2138 | authHostPortType |
| Port-Limit | RFC 2138 | authPortLimit |
| Acct-Status-Type | RFC 2139 | acctStatusType |
| Acct-Delay-Time | RFC 2139 | acctDelayTime |
| Acct-Input-Octets | RFC 2139 | acctInputOctet |
| Acct-Input-Packets | RFC 2139 | acctInputPacket |
| Acct-Output-Octets | RFC 2139 | acctOutputOctet |
| Acct-Output-Packets | RFC 2139 | acctOutputPacket |
| Acct-Session-Id | RFC 2139 | acctSessionId |
| Acct-Authentic | RFC 2139 | acctAuthentic |
| Acct-Session-Time | RFC 2139 | acctSessionTime |
| Acct-Terminate-Cause | RFC 2139 | acctTerminateCause |
| Expiration | Sun Directory Services | expirationDate |
| Auth-Type | Sun Directory Services | Auth-Type |
| Menu | Sun Directory Services | authStartMenuId |
| Termination-Menu | Sun Directory Services | authStopMenuId |
| Prefix | Sun Directory Services | authPrefixName |
| Suffix | Sun Directory Services | authSuffixName |
| user-check | Sun Directory Services | grpCheckInfo |
| user-reply | Sun Directory Services | grpReplyInfo |
| Login-Profile | Sun Directory Services | radiusLoginProfile |
| PPP-Profile | Sun Directory Services | radiusPppProfile |
| SLIP-Profile | Sun Directory Services | radiusSlipProfile |
| Login-Passwd | Sun Directory Services | radiusLoginPasswd |
| PPP-Passwd | Sun Directory Services | radiusPppPasswd |
| SLIP-Passwd | Sun Directory Services | radiusSlipPasswd |
| Login-Expiration | Sun Directory Services | radiusLoginExpiration |
| PPP-Expiration | Sun Directory Services | radiusPppExpiration |
| SLIP-Expiration | Sun Directory Services | radiusSlipExpiration |
| Auth-Failed-Access | Sun Directory Services | radiusAuthFailedAccess |
| Dynamic-Session-Counter | Sun Directory Services | dynamicSessionCounter |
| Dynamic-SessionId | Sun Directory Services | dynamicSessionId |
| Dynamic-IPAddress | Sun Directory Services | dynamicIPAddress |
| Dynamic-IPAddr-Binding | Sun Directory Services | DynamicIPaddrBinding |
| Dictionary-File | Sun Directory Services | dictionaryFile |
| AcctAttr-File | Sun Directory Services | acctattrFile |
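The following is an added example, not code from Sun Directory Services, showing how a RADIUS-to-LDAP mapping like Table 7-2 turns the attributes of an Access-Request into an LDAP search filter. The one-pair-per-line text format and the request tuples are constructed assumptions, not the real radius.mapping syntax; the point it adds is that NAS-supplied values must be escaped per RFC 4515 before they are placed in a filter.

```python
"""Map RADIUS request attributes onto LDAP attributes and build a search filter.

Added example (not part of Sun Directory Services). MAPPING_TEXT is a
constructed subset of Table 7-2 in an assumed "RADIUS LDAP" per-line format.
"""
from typing import Dict, List, Tuple

# Constructed subset of the RADIUS-to-LDAP pairs from Table 7-2.
MAPPING_TEXT = """
# RADIUS attribute    LDAP attribute
User-Name             uid
NAS-IP-Address        ipHostNumber
NAS-Identifier        authNASidentifier
Calling-Station-Id    authCallingStationId
Framed-IP-Address     framedIPAddress
"""


def parse_mapping(text: str) -> Dict[str, str]:
    """Return {radius_attribute: ldap_attribute}; blank and '#' lines are ignored."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        radius_attr, ldap_attr = line.split()
        mapping[radius_attr] = ldap_attr
    return mapping


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (* ( ) \\ NUL -> \\XX), so a value
    taken from the NAS cannot change the structure of the LDAP filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_search_filter(mapping: Dict[str, str],
                        request: List[Tuple[str, str]]) -> str:
    """AND together every request attribute that has an LDAP mapping.
    Attributes absent from the mapping are skipped: the server cannot search
    on them, which is why a NAS dictionary attribute must be added to
    radius.mapping before it can be used."""
    clauses = [
        "(%s=%s)" % (mapping[attr], escape_filter_value(val))
        for attr, val in request if attr in mapping
    ]
    if not clauses:
        raise ValueError("no searchable attributes in request")
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"
```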
You can change the default mapping provided in radius.mapping to suit your own needs. If you want to add RADIUS attributes that are part of the dictionary file for your NAS to the default mapping, you must create an LDAP attribute for each RADIUS attribute missing in the radius.mapping file. You must then add the RADIUS-LDAP attribute pair to the radius.mapping file.
1. Create an LDAP attribute for the RADIUS attribute you require.
   This modifies the schema. See "To Create a New Attribute".
2. Add the attribute to the list in the radius.mapping file using a text editor.
   Make sure you add it in both the Import section and the Export section of the file. You need to be logged in as root to perform this operation.
3. Restart the dsservd daemon so that the modifications to the schema are taken into account, and the dsradiusd daemon so that the new mapping file is taken into account.
4. Run dejasync. As root, type:
   # /opt/SUNWconn/ldap/sbin/dejasync
   For details on the options of the dejasync(1m) command, refer to the man page. You must run dejasync if you want to use the Deja tool to modify RADIUS entries in the directory.