On 09/24/2010 03:53 PM, Dmitri Pal wrote:
Brian LaMere wrote:
On Fri, Sep 24, 2010 at 10:43 AM, Dmitri Pal <d...@redhat.com> wrote:

     Brian LaMere wrote:
     >  ah, odd - I'm used to IPs being IA5.  then the equality match should
     >  be changed?  Can't have  caseIgnoreIA5Match on a directory string :)
     Yes. This is what the patch does :-)

so, out of curiosity...why 60sudo? Seems like a string matching
netmask could be used more generically...it's redefined over as
radiusFramedIPNetmask in 60radius.ldif.  I go through and purge my
tree of attributes I'll never need, sorry - I have strange quirks.

See some discussion of the subject here:
http://www.freeipa.org/page/SUDO_Schema_Design#Proposed_Schema under
sudoHost. I tried to find something suitable but could not. I did not
look at RADIUS though.
Reusing core, well-known attributes is a good practice since they are
common. Relying on RADIUS schema to be present might not be. Yes we plan
to support RADIUS in future but this work is deferred.

FWIW, I have been in conversation with the upstream FreeRADIUS folks concerning the RADIUS LDAP schema (in part because I just contributed code to store RADIUS clients (e.g. NAS's) in LDAP) which included schema updates.

During that discussion I pointed out how a number of the RADIUS attributes appeared to be incorrectly specified as IA5 strings and suggested the LDAP schema should be updated to use UTF-8 instead (e.g. DirectoryString). There was buy-in that this was the correct thing to do. However I don't specifically recall the status of the radiusFramedIPNetmask attribute.

Anyway, all that is a long-winded way of saying the use of IA5 appears to have been historic and incorrect in many schemas and there is an ongoing effort to fix the use of IA5.

John Dennis <jden...@redhat.com>
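
An added example, not part of the thread and not code from FreeIPA or FreeRADIUS: a small lint for the mismatch raised in the exchange above, an IA5 matching rule declared on a DirectoryString attribute. The attribute names and the 1.3.6.1.4.1.99999 OIDs are constructed; the syntax OIDs and matching-rule names are the standard ones from RFC 4517.

```python
import re

IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"

# Standard matching rules (RFC 4517) that apply to each syntax.
RULES_FOR_SYNTAX = {
    IA5_STRING: {"caseExactIA5Match", "caseIgnoreIA5Match",
                 "caseIgnoreIA5SubstringsMatch"},
    DIRECTORY_STRING: {"caseExactMatch", "caseIgnoreMatch",
                       "caseExactOrderingMatch", "caseIgnoreOrderingMatch",
                       "caseExactSubstringsMatch", "caseIgnoreSubstringsMatch"},
}

# Keyword followed by its first value; a SYNTAX length bound such as {128} is ignored.
FIELD = re.compile(r"\b(NAME|EQUALITY|ORDERING|SUBSTR|SYNTAX)\s+\(?\s*'?([\w.\-]+)")


def lint(definition):
    """Return (attribute, kind, rule) for each rule that does not fit the SYNTAX."""
    # Drop the free-text DESC so keywords inside it are not parsed as fields.
    body = re.sub(r"DESC\s+'[^']*'", "", definition)
    fields = dict(FIELD.findall(body))
    allowed = RULES_FOR_SYNTAX.get(fields.get("SYNTAX"))
    if allowed is None:  # a syntax this lint does not cover
        return []
    return [(fields.get("NAME", "?"), kind, fields[kind])
            for kind in ("EQUALITY", "ORDERING", "SUBSTR")
            if kind in fields and fields[kind] not in allowed]


# Constructed attributeTypes values (hypothetical names and OIDs).
SAMPLE = [
    "( 1.3.6.1.4.1.99999.1.1 NAME 'exampleNetmask' DESC 'IA5 rule on a directory string' "
    "EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 1.3.6.1.4.1.99999.1.2 NAME 'exampleHost' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 1.3.6.1.4.1.99999.1.3 NAME 'exampleLegacyAddr' EQUALITY caseIgnoreIA5Match "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )",
]

if __name__ == "__main__":
    for definition in SAMPLE:
        for name, kind, rule in lint(definition):
            print(f"{name}: {kind} {rule} does not match the declared SYNTAX")
```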
