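### LDAP schema for OpenRADIUS
#
# Schema for use with OpenRADIUS. Contains an openradiusClient and an
# openradiusUser object. For the latter we also define some attributes that
# can be mapped octet-for-octet (even for numeric ones) to RADIUS attributes,
# and versions that can be mapped to ASCII counterparts of the numeric RADIUS
# attributes. See radldap.attrmap for more details.
#
# You may notice that the OIDs all end with the space, vendor, attribute combo
# as used in the OpenRADIUS dictionary. If there was a way for an LDAP client
# to query an attribute's OID, then the LDAP module could do without the
# mapping file when using this standard schema. But to my knowledge that isn't
# possible.
#
# 2002/03/20 - EvB - Created
# 2002/03/28 - EvB - Used real OIDs using own space (1.3.6.1.4.1.12836)

### "Standard" RADIUS attribute types
#
# This set of attributes hold strings, values and IP addresses in ASCII form,
# and must be mapped in radldap.attrmap to string-typed intermediate attributes,
# as RadLDAP doesn't do type conversion. You can convert them in the behaviour
# file using a simple assign.
#
# Example: radiusFramedIpAddress (defined here) is mapped (in radldap.attrmap)
# to str-Framed-IP-Address (defined in dict.str-ldap) which is converted in
# behaviour.sample-ldap to a real Framed-IP-Address attribute.
#
# Attributes that RADIUS allows to occur more than once in a packet
# (Filter-Id, Reply-Message, Callback-*, Framed-Route) are deliberately not
# SINGLE-VALUE; everything else is.

attributetype ( 1.3.6.1.4.1.12836.1.2.102.0.6
    NAME 'radiusServiceType'
    DESC 'Service-Type, in ASCII form'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.102.0.7
    NAME 'radiusFramedProtocol'
    DESC 'Framed-Protocol, in ASCII form'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.102.0.8
    NAME 'radiusFramedIpAddress'
    DESC 'Framed-IP-Address, in ASCII form'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16}
    SINGLE-VALUE )

# DESC corrected: this is the IA5 (dotted-quad) form, like its siblings; the
# network-order version is rawradiusFramedIpNetmask in the "Raw" section.
attributetype ( 1.3.6.1.4.1.12836.1.2.102.0.9
    NAME 'radiusFramedIpNetmask'
    DESC 'Framed-IP-Netmask, in ASCII form'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.11
    NAME 'radiusFilterId'
    DESC 'Filter-Id'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.12836.1.2.102.0.14
    NAME 'radiusLoginIpHost'
    DESC 'Login-IP-Host, in ASCII form'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.102.0.15
    NAME 'radiusLoginService'
    DESC 'Login-Service, in ASCII form'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.102.0.16
    NAME 'radiusLoginTcpPort'
    DESC 'Login-TCP-Port, in ASCII form'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.18
    NAME 'radiusReplyMessage'
    DESC 'Reply-Message'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.19
    NAME 'radiusCallbackNumber'
    DESC 'Callback-Number'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

# DESC corrected: attribute 20 is Callback-Id, not Callback-Number (copy-paste).
attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.20
    NAME 'radiusCallbackId'
    DESC 'Callback-Id'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.22
    NAME 'radiusFramedRoute'
    DESC 'Framed-Route'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.12836.1.2.102.0.27
    NAME 'radiusSessionTimeout'
    DESC 'Session-Timeout, in ASCII form'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.102.0.28
    NAME 'radiusIdleTimeout'
    DESC 'Idle-Timeout, in ASCII form'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.102.0.62
    NAME 'radiusPortLimit'
    DESC 'Port-Limit, in ASCII form'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16}
    SINGLE-VALUE )

### "Raw" RADIUS attribute types
#
# This set of attributes is intended to be mapped straight to their
# RADIUS counterparts. That means that numeric attributes and IP addresses
# are stored as binary values, 4 octets, in network order.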
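attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.6
    NAME 'rawradiusServiceType'
    DESC 'Service-Type, in network order'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{4}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.7
    NAME 'rawradiusFramedProtocol'
    DESC 'Framed-Protocol, in network order'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{4}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.8
    NAME 'rawradiusFramedIpAddress'
    DESC 'Framed-IP-Address, in network order'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{4}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.9
    NAME 'rawradiusFramedIpNetmask'
    DESC 'Framed-IP-Netmask, in network order'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{4}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.14
    NAME 'rawradiusLoginIpHost'
    DESC 'Login-IP-Host, in network order'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{4}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.15
    NAME 'rawradiusLoginService'
    DESC 'Login-Service, in network order'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{4}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.16
    NAME 'rawradiusLoginTcpPort'
    DESC 'Login-TCP-Port, in network order'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{4}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.27
    NAME 'rawradiusSessionTimeout'
    DESC 'Session-Timeout, in network order'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{4}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.28
    NAME 'rawradiusIdleTimeout'
    DESC 'Idle-Timeout, in network order'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{4}
    SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.12836.1.2.2.0.62
    NAME 'rawradiusPortLimit'
    DESC 'Port-Limit, in network order'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{4}
    SINGLE-VALUE )

### OpenRADIUS auxiliary attributes
#
# This set of attributes do not have any RADIUS counterparts, but are intended
# to convey other information to OpenRADIUS, such as a cleartext password to
# perform CHAP with. See also dict.internal.
#
# All three attributes below are credentials stored in recoverable or weakly
# protected form: openradiusSecret is the RADIUS shared secret,
# openradiusClearPassword is the user's password in the clear (CHAP has to be
# verified against the cleartext, which is why it is kept this way), and
# openradiusMd5HexPassword, judging by its name, is a hex MD5 digest of the
# password without a salt -- confirm against the LDAP module before treating
# it as anything stronger. Restrict them with slapd access control so that only
# the identity OpenRADIUS binds as can see them, and deny search (filter and
# compare) access as well as read: a searchable equality match on a secret lets
# a client test candidate values without ever reading the attribute.
# Constructed slapd.conf example, replace the placeholder DN:
#
#   access to attrs=openradiusSecret,openradiusClearPassword,openradiusMd5HexPassword
#       by dn.exact="<openradius-bind-dn>" read
#       by * none

# DESC corrected: the object class holding the secret is openradiusClient.
attributetype ( 1.3.6.1.4.1.12836.1.2.100.0.11
    NAME 'openradiusSecret'
    DESC 'Shared secret for use in openradiusClient objects'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{256} )

attributetype ( 1.3.6.1.4.1.12836.1.2.100.0.41
    NAME 'openradiusClearPassword'
    DESC 'Clear text password for PAP and CHAP'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{256} )

attributetype ( 1.3.6.1.4.1.12836.1.2.100.0.42
    NAME 'openradiusMd5HexPassword'
    DESC 'Hashed password (PAP only)'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{64} )

### Objects
#
# Radius Client object. openradiusSecret is mandatory here, so every entry of
# this class carries a shared secret and falls under the ACL advice above.
objectclass ( 1.3.6.1.4.1.12836.1.1.1
    NAME 'openradiusClient'
    SUP top STRUCTURAL
    DESC 'Radius Client object, for storing shared secrets'
    MUST ( cn $ openradiusSecret ) )

# Radius User object. Only cn is required; the profile attributes and the
# password attributes (including the standard userPassword) are all optional.
objectclass ( 1.3.6.1.4.1.12836.1.1.2
    NAME 'openradiusUser'
    SUP top STRUCTURAL
    DESC 'Radius User object, for authenticating and/or holding profiles'
    MUST cn
    MAY ( radiusServiceType $ radiusFramedProtocol $ radiusFramedIpAddress $
          radiusFramedIpNetmask $ radiusFilterId $ radiusLoginIpHost $
          radiusLoginService $ radiusLoginTcpPort $ radiusReplyMessage $
          radiusCallbackNumber $ radiusCallbackId $ radiusFramedRoute $
          radiusSessionTimeout $ radiusIdleTimeout $ radiusPortLimit $
          rawradiusServiceType $ rawradiusFramedProtocol $
          rawradiusFramedIpAddress $ rawradiusFramedIpNetmask $
          rawradiusLoginIpHost $ rawradiusLoginService $
          rawradiusLoginTcpPort $ rawradiusSessionTimeout $
          rawradiusIdleTimeout $ rawradiusPortLimit $
          openradiusClearPassword $ openradiusMd5HexPassword $
          userPassword ) )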