ldap: Add extra schemas for tacacs

diff --git a/doc/schemas/ldap/openldap/freeradius-tacacs.ldif b/doc/schemas/ldap/openldap/freeradius-tacacs.ldif
index 1f93a6472343fc975a3ba08958088cb7dd15e310..16a6b0e2d7d59c969c23bb6e00adcdd83ba3bb1b 100644 (file)
--- a/doc/schemas/ldap/openldap/freeradius-tacacs.ldif
+++ b/doc/schemas/ldap/openldap/freeradius-tacacs.ldif
@@ -1,6 +1,11 @@
 dn: cn=freeradius-tacacs,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: freeradius-tacacs
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.2.1.1 NAME 'tacacsAttribute' DESC 'TACACS+ attribute in format [<list>.]<attr> <op> <value>' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.2.1.2 NAME 'tacacsService' DESC 'The identifier for the TACACS+ service e.g. exec, shell, ppp, etc...' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.3.1.1 NAME 'tacacsCommand' DESC 'The identifier for the TACACS+ command e.g. show, enable, etc...' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.1.1.1 NAME 'tacacsClientSecret' DESC 'Client Secret' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.1.1.2 NAME 'tacacsClientSingleConnectionMode' DESC 'Set whether we allow and request single connection mode for this client' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcObjectClasses: ( 1.3.6.1.4.1.11344.4.5.2.2.2 NAME 'tacacsServiceProfile' SUP top AUXILIARY MUST tacacsService MAY tacacsAttribute )
+olcObjectClasses: ( 1.3.6.1.4.1.11344.4.5.3.2.2 NAME 'tacacsCommandProfile' SUP top AUXILIARY MUST tacacsCommand MAY tacacsAttribute )
 olcObjectClasses: ( 1.3.6.1.4.1.11344.4.5.1.2.1 NAME 'tacacsClient' SUP top AUXILIARY MUST tacacsClientSecret MAY tacacsClientSingleConnectionMode )

diff --git a/doc/schemas/ldap/openldap/freeradius-tacacs.schema b/doc/schemas/ldap/openldap/freeradius-tacacs.schema
index 4b9b5868e10d775301e77ad367eb3e933938ccfb..4542b854abd44b26f21583c33270de11e92a6590 100644 (file)
--- a/doc/schemas/ldap/openldap/freeradius-tacacs.schema
+++ b/doc/schemas/ldap/openldap/freeradius-tacacs.schema
@@ -1,8 +1,78 @@
+#
+# tacacsServiceProfile should be added to a freeradiusPolicy, user/subscriber objects, groups,
+# or any other object which needs TACACS+ attributes associated with it.
+#
+# The DN of the tacacsServiceProfile will usually be a combination of cn=<policy_id>+tacacsService=<service>
+# where <policy_id> is the group, role or client type, and service is the TACACS+ service received in the
+# authen_service attribute in the Authorization or Authentication request.
+#
+# 11344.4.5.2.[1|2]
+# |     | | |   |_ .1 Profile attributes, .2 profile objects
+# |     | | |_ tacacsServiceProfile
+# |     | |_ TACACS+
+# |     |_ LDAP Attributes
+# |_ Vendor
+#
+attributetype ( 1.3.6.1.4.1.11344.4.5.2.1.1
+       NAME 'tacacsAttribute'
+       DESC 'TACACS+ attribute in format [<list>.]<attr> <op> <value>'
+       EQUALITY caseIgnoreMatch
+       SUBSTR caseIgnoreSubstringsMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ )
+
+attributetype ( 1.3.6.1.4.1.11344.4.5.2.1.2
+       NAME 'tacacsService'
+       DESC 'The identifier for the TACACS+ service e.g. exec, shell, ppp, etc...'
+       EQUALITY caseIgnoreMatch
+       SUBSTR caseIgnoreSubstringsMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ )
+
+objectclass ( 1.3.6.1.4.1.11344.4.5.2.2.2
+       NAME 'tacacsServiceProfile'
+       SUP top
+       AUXILIARY
+       MUST ( tacacsService )
+       MAY ( tacacsAttribute )
+ )
+
+#
+# tacacsCommandProfile should be added to a freeradiusPolicy, user/subscriber objects, groups,
+# or any other object which needs TACACS+ attributes associated with it.
+#
+# The DN of the tacacsCommandProfile will usually be a combination of cn=<policy_id>+tacacsCommand=<command>
+# where <policy_id> is the group, role or client type, and command is the TACACS+ command received in the cmd attribute
+# in the Authorization request.
+#
+# 11344.4.5.3.[1|2]
+# |     | | |   |_ .1 Profile attributes, .2 profile objects
+# |     | | |_ tacacsCommandProfile
+# |     | |_ TACACS+
+# |     |_ LDAP Attributes
+# |_ Vendor
+#
+attributetype ( 1.3.6.1.4.1.11344.4.5.3.1.1
+       NAME 'tacacsCommand'
+       DESC 'The identifier for the TACACS+ command e.g. show, enable, etc...'
+       EQUALITY caseIgnoreMatch
+       SUBSTR caseIgnoreSubstringsMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ )
+
+objectclass ( 1.3.6.1.4.1.11344.4.5.3.2.2
+       NAME 'tacacsCommandProfile'
+       SUP top
+       AUXILIARY
+       MUST ( tacacsCommand )
+       MAY ( tacacsAttribute )
+ )
+
 #
 # 11344.4.5.1.[1|2]
 # |     | | |   |_ .1 Profile attributes, .2 profile objects
 # |     | | |_ Client
-# |     | |_ RADIUS
+# |     | |_ TACACS+
 # |     |_ LDAP Attributes
 # |_ Vendor
 #