Sun Directory Services 3.1 Administration Guide

RADIUS-to-LDAP Mapping

The RADIUS attributes and values defined in all of the dictionary files provided with the Sun Directory Services are mapped onto LDAP attributes. This mapping is defined in /etc/opt/SUNWconn/ldap/current/mapping/radius.mapping.

Because there is a one-to-one correspondence between RADIUS attributes and LDAP attributes, the mapping syntax is very simple, and you can easily add proprietary RADIUS attributes to the default mapping provided with Sun Directory Services.

The radius.mapping file is used by the RADIUS server to perform searches in the LDAP directory.

Default Mapping

Table 7-2 shows the one-to-one correspondence between RADIUS attributes and LDAP attributes. The table also indicates the origin of each RADIUS attribute. There are several kinds of RADIUS attributes:

Standard RADIUS attributes are specified in RFC 2138, Remote Authentication Dial In User Service (RADIUS), and RFC 2139, RADIUS Accounting. Vendor-specific attributes are defined by NAS vendors and supplied in the dictionary file they provide with the equipment.

The LDAP attributes for the RADIUS service are specified in the schema attribute file dsserv.at.conf, under the section heading "Sun RADIUS Attributes". They are also listed in the schema object class file dsserv.oc.conf, under the comment line "Object classes for RADIUS".

The attributes whose origin is Sun Directory Services are described in "Attribute Reference". They represent RADIUS user profiles and dynamic accounting parameters.

Table 7-2 RADIUS-to-LDAP Attribute Mapping

RADIUS attribute          Origin                  LDAP attribute
User-Name                 RFC 2138                uid
Crypt-Password            Sun Directory Services  userPassword
CHAP-Password             RFC 2138                chapPassword
NAS-IP-Address            RFC 2138                ipHostNumber
NAS-Identifier            RFC 2138                authNASidentifier
NAS-Port                  RFC 2138                authHostPortNumber
Service-Type              RFC 2138                authServiceProtocol
Framed-Protocol           RFC 2138                framedProtocol
Framed-IP-Address         RFC 2138                framedIPAddress
Framed-IP-Netmask         RFC 2138                ipNetmaskNumber
Framed-Routing            RFC 2138                framedRouting
Filter-Id                 RFC 2138                authFilterId
Framed-MTU                RFC 2138                framedMTU
Framed-Compression        RFC 2138                framedCompression
Login-IP-Host             RFC 2138                ipLoginHost
Login-Service             RFC 2138                authLoginService
Login-TCP-Port            RFC 2138                ipLoginPort
Reply-Message             RFC 2138                authReplyMessage
Callback-Number           RFC 2138                userCallbackNumber
Callback-Id               RFC 2138                userCallbackId
Framed-Route              RFC 2138                framedRoute
Framed-IPX-Network        RFC 2138                ipxNetworkNumber
State                     RFC 2138                authState
Session-Timeout           RFC 2138                sessionTimeoutNumber
Idle-Timeout              RFC 2138                idleTimeoutNumber
Termination-Action        RFC 2138                authTerminationAction
Called-Station-Id         RFC 2138                authCalleddStationId
Calling-Station-Id        RFC 2138                authCallingStationId
NAS-Port-Type             RFC 2138                authHostPortType
Port-Limit                RFC 2138                authPortLimit
Acct-Status-Type          RFC 2139                acctStatusType
Acct-Delay-Time           RFC 2139                acctDelayTime
Acct-Input-Octets         RFC 2139                acctInputOctet
Acct-Input-Packets        RFC 2139                acctInputPacket
Acct-Output-Octets        RFC 2139                acctOutputOctet
Acct-Output-Packets       RFC 2139                acctOutputPacket
Acct-Session-Id           RFC 2139                acctSessionId
Acct-Authentic            RFC 2139                acctAuthentic
Acct-Session-Time         RFC 2139                acctSessionTime
Acct-Terminate-Cause      RFC 2139                acctTerminateCause
Expiration                Sun Directory Services  expirationDate
Auth-Type                 Sun Directory Services  Auth-Type
Menu                      Sun Directory Services  authStartMenuId
Termination-Menu          Sun Directory Services  authStopMenuId
Prefix                    Sun Directory Services  authPrefixName
Suffix                    Sun Directory Services  authSuffixName
user-check                Sun Directory Services  grpCheckInfo
user-reply                Sun Directory Services  grpReplyInfo
Login-Profile             Sun Directory Services  radiusLoginProfile
PPP-Profile               Sun Directory Services  radiusPppProfile
SLIP-Profile              Sun Directory Services  radiusSlipProfile
Login-Passwd              Sun Directory Services  radiusLoginPasswd
PPP-Passwd                Sun Directory Services  radiusPppPasswd
SLIP-Passwd               Sun Directory Services  radiusSlipPasswd
Login-Expiration          Sun Directory Services  radiusLoginExpiration
PPP-Expiration            Sun Directory Services  radiusPppExpiration
SLIP-Expiration           Sun Directory Services  radiusSlipExpiration
Auth-Failed-Access        Sun Directory Services  radiusAuthFailedAccess
Dynamic-Session-Counter   Sun Directory Services  dynamicSessionCounter
Dynamic-SessionId         Sun Directory Services  dynamicSessionId
Dynamic-IPAddress         Sun Directory Services  dynamicIPAddress
Dynamic-IPAddr-Binding    Sun Directory Services  DynamicIPaddrBinding
Dictionary-File           Sun Directory Services  dictionaryFile
AcctAttr-File             Sun Directory Services  acctattrFile
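The following is an added example, not code from the Sun Directory Services guide or the dsradiusd server. It applies a subset of the Table 7-2 correspondence in both the Import direction (RADIUS request attributes to an LDAP search filter) and the Export direction (LDAP entry attributes to RADIUS reply attributes), and it shows the check a practitioner wants at the Import step: values such as User-Name arrive from the network and must be escaped before they are placed in a filter. The syntax of radius.mapping is not shown on this page, so the mapping is held as a constructed Python dict, and the rule that password-bearing LDAP attributes are never exported is this example's own policy.

```python
# Added example: RADIUS <-> LDAP attribute mapping taken from Table 7-2.
# The radius.mapping file format is not on the page; this dict is a constructed stand-in.
RADIUS_TO_LDAP = {
    "User-Name": "uid",
    "NAS-IP-Address": "ipHostNumber",
    "NAS-Port": "authHostPortNumber",
    "Service-Type": "authServiceProtocol",
    "Framed-Protocol": "framedProtocol",
    "Framed-IP-Address": "framedIPAddress",
    "Session-Timeout": "sessionTimeoutNumber",
    "Reply-Message": "authReplyMessage",
}
LDAP_TO_RADIUS = {ldap: radius for radius, ldap in RADIUS_TO_LDAP.items()}

# Characters that must be escaped in an LDAP filter assertion value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a network-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def import_filter(request: dict) -> str:
    """Import direction: map RADIUS request attributes onto an LDAP search filter.
    Attributes with no mapping entry are ignored, as the mapping file is the sole source."""
    clauses = []
    for radius_attr, value in request.items():
        ldap_attr = RADIUS_TO_LDAP.get(radius_attr)
        if ldap_attr is not None:
            clauses.append(f"({ldap_attr}={escape_filter_value(str(value))})")
    if not clauses:
        raise ValueError("request carries no mappable RADIUS attributes")
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"

# Policy of this example: credential attributes stay in the directory.
_NEVER_EXPORT = {"userPassword", "chapPassword"}

def export_reply(entry: dict) -> dict:
    """Export direction: map LDAP entry attributes back onto RADIUS reply attributes."""
    reply = {}
    for ldap_attr, value in entry.items():
        if ldap_attr in _NEVER_EXPORT:
            continue
        radius_attr = LDAP_TO_RADIUS.get(ldap_attr)
        if radius_attr is not None:
            reply[radius_attr] = value
    return reply
```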

Extending the Default Mapping

You can change the default mapping provided in radius.mapping to suit your own needs. If you want to add RADIUS attributes that are part of the dictionary file for your NAS to the default mapping, you must create an LDAP attribute for each RADIUS attribute missing in the radius.mapping file. You must then add the RADIUS-LDAP attribute pair to the radius.mapping file.

Creating RADIUS-LDAP Mapping Definitions

  1. Create an LDAP attribute for the RADIUS attribute you require.

    This modifies the schema. See "To Create a New Attribute".

  2. Add the attribute to the list in the radius.mapping file using a text editor.

    Make sure you add it in both the Import section and the Export section of the file. You need to be logged in as root to perform this operation.

  3. Restart the dsservd daemon so that the modifications to the schema are taken into account, and the dsradiusd daemon so that the new mapping file is taken into account.

  4. Run dejasync. As root type:

    # /opt/SUNWconn/ldap/sbin/dejasync

    For details on the options of the dejasync(1m) command, refer to the man page. You must run dejasync if you want to use the Deja tool to modify RADIUS entries in the directory.