From: Arran Cudbard-Bell Date: Thu, 9 Nov 2023 16:41:02 +0000 (-0600) Subject: ldap: Add extra schemas for tacacs X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=99301e5c73afb359955f980d8fcb670c82b0628f;p=thirdparty%2Ffreeradius-server.git ldap: Add extra schemas for tacacs
---
diff --git a/doc/schemas/ldap/openldap/freeradius-tacacs.ldif b/doc/schemas/ldap/openldap/freeradius-tacacs.ldif
index 1f93a647234..16a6b0e2d7d 100644
--- a/doc/schemas/ldap/openldap/freeradius-tacacs.ldif
+++ b/doc/schemas/ldap/openldap/freeradius-tacacs.ldif
@@ -1,6 +1,11 @@
 dn: cn=freeradius-tacacs,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: freeradius-tacacs
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.2.1.1 NAME 'tacacsAttribute' DESC 'TACACS+ attribute in format [.] ' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.2.1.2 NAME 'tacacsService' DESC 'The identifier for the TACACS+ service e.g. exec, shell, ppp, etc...' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.3.1.1 NAME 'tacacsCommand' DESC 'The identifier for the TACACS+ command e.g. show, enable, etc...' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.1.1.1 NAME 'tacacsClientSecret' DESC 'Client Secret' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.11344.4.5.1.1.2 NAME 'tacacsClientSingleConnectionMode' DESC 'Set whether we allow and request single connection mode for this client' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcObjectClasses: ( 1.3.6.1.4.1.11344.4.5.2.2.2 NAME 'tacacsServiceProfile' SUP top AUXILIARY MUST tacacsService MAY tacacsAttribute )
+olcObjectClasses: ( 1.3.6.1.4.1.11344.4.5.3.2.2 NAME 'tacacsCommandProfile' SUP top AUXILIARY MUST tacacsCommand MAY tacacsAttribute )
 olcObjectClasses: ( 1.3.6.1.4.1.11344.4.5.1.2.1 NAME 'tacacsClient' SUP top AUXILIARY MUST tacacsClientSecret MAY tacacsClientSingleConnectionMode )
diff --git a/doc/schemas/ldap/openldap/freeradius-tacacs.schema b/doc/schemas/ldap/openldap/freeradius-tacacs.schema
index 4b9b5868e10..4542b854abd 100644
--- a/doc/schemas/ldap/openldap/freeradius-tacacs.schema
+++ b/doc/schemas/ldap/openldap/freeradius-tacacs.schema
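Review bot: The new `tacacsService` and `tacacsCommand` attribute types are left multi-valued, whereas the profile DN convention documented in the .schema hunk pairs each profile object with one service or command, and the existing `tacacsClientSecret` two lines down is `SINGLE-VALUE`. If one profile per service or command is the intent, the two definitions should end with `SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )` like the client attributes; if several values per profile are allowed, the comments in freeradius-tacacs.schema should say so, and the same choice applies to the attributetype blocks in that file. The DESC of `tacacsAttribute` reads `in format [.] ` here, which looks like angle-bracketed placeholders dropped by the rendering; if the committed file reads the same, the description should spell out the components of the expected value, since it is the only documentation of how that attribute is interpreted.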
@@ -1,8 +1,78 @@
+#
+# tacacsServiceProfile should be added to a freeradiusPolicy, user/subscriber objects, groups,
+# or any other object which needs TACACS+ attributes associated with it.
+#
+# The DN of the tacacsServiceProfile will usually be a combination of cn=+tacacsService=
+# where is the group, role or client type, and service is the TACACS+ service received in the
+# authen_service attribute in the Authorization or Authentication request.
+#
+# 11344.4.5.2.[1|2]
+# | | | | |_ .1 Profile attributes, .2 profile objects
+# | | | |_ tacacsServiceProfile
+# | | |_ TACACS+
+# | |_ LDAP Attributes
+# |_ Vendor
+#
+attributetype ( 1.3.6.1.4.1.11344.4.5.2.1.1
+ NAME 'tacacsAttribute'
+ DESC 'TACACS+ attribute in format [.] '
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ )
+
+attributetype ( 1.3.6.1.4.1.11344.4.5.2.1.2
+ NAME 'tacacsService'
+ DESC 'The identifier for the TACACS+ service e.g. exec, shell, ppp, etc...'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ )
+
+objectclass ( 1.3.6.1.4.1.11344.4.5.2.2.2
+ NAME 'tacacsServiceProfile'
+ SUP top
+ AUXILIARY
+ MUST ( tacacsService )
+ MAY ( tacacsAttribute )
+ )
+
+#
+# tacacsCommandProfile should be added to a freeradiusPolicy, user/subscriber objects, groups,
+# or any other object which needs TACACS+ attributes associated with it.
+#
+# The DN of the tacacsCommandProfile will usually be a combination of cn=+tacacsCommand=
+# where is the group, role or client type, and command is the TACACS+ command received in the cmd attribute
+# in the Authorization request.
+#
+# 11344.4.5.3.[1|2]
+# | | | | |_ .1 Profile attributes, .2 profile objects
+# | | | |_ tacacsCommandProfile
+# | | |_ TACACS+
+# | |_ LDAP Attributes
+# |_ Vendor
+#
+attributetype ( 1.3.6.1.4.1.11344.4.5.3.1.1
+ NAME 'tacacsCommand'
+ DESC 'The identifier for the TACACS+ command e.g. show, enable, etc...'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ )
+
+objectclass ( 1.3.6.1.4.1.11344.4.5.3.2.2
+ NAME 'tacacsCommandProfile'
+ SUP top
+ AUXILIARY
+ MUST ( tacacsCommand )
+ MAY ( tacacsAttribute )
+ )
+
 #
 # 11344.4.5.1.[1|2]
 # | | | | |_ .1 Profile attributes, .2 profile objects
 # | | | |_ Client
-# | | |_ RADIUS
+# | | |_ TACACS+
 # | |_ LDAP Attributes
 # |_ Vendor
 #
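Review bot: The comments describing the profile DN convention have lost their placeholder names as shown — `cn=+tacacsService=`, `cn=+tacacsCommand=` and `where is the group, role or client type` — which reads like angle-bracketed tokens stripped by the rendering; if the committed file reads this way, restore them along the lines of `# The DN of the tacacsServiceProfile will usually be a combination of cn=<name>+tacacsService=<service>` with `<name>` and `<service>` then defined in the next line. Since the comment says these auxiliary classes are meant to be attached to user/subscriber objects and groups, it would help operators to add one line noting that write access to `tacacsAttribute`, `tacacsService` and `tacacsCommand` on those entries presumably shapes TACACS+ authorization responses and should be restricted by directory ACLs in the same way as `tacacsClientSecret`. Separately, the new objectclass OIDs are `1.3.6.1.4.1.11344.4.5.2.2.2` and `1.3.6.1.4.1.11344.4.5.3.2.2` while the existing client class is `1.3.6.1.4.1.11344.4.5.1.2.1`; unless `.2.2.1` and `.3.2.1` are deliberately reserved, that looks carried over from another numbering scheme, and the OID tree comment (`.2 profile objects`) should say which sub-arcs are in use.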