>>>>> "Stefan" == Stefan Paetow <[log in to unmask]> writes:
Stefan> Ok, in that case this attribute will need to be decided fairly
Stefan> sharpish, so that it makes it into the FreeRADIUS dictionaries before
Stefan> the service goes live. The reason I say this is because you really
Stefan> don't want to have to tell people to fiddle with more configuration
Stefan> bits (like adding lines to dictionary files) when the service is
Stefan> live. The fact that I had to document this for FR 2.1.x filled me with
Stefan> dread and I was very relieved when RFC 7055 went in.
I had not considered the dictionary issue that much, and that seems to
be a potential argument for CUI.
If we do decide we want a new attribute we can add it to Janet's VSA
dictionary and send a patch to FreeRadius within the next week or two.
In general, I'd like to understand how important it is to get attributes
into dictionaries:
we're going to have to tell people to fiddle with lots of bits of FR
configuration.
Especially since trustrouter will not go into 3.0.x, we're stuck with a
fair bit of FR fiddling for a while yet, at least until 3.1 is in common use.
We can definitely include any attributes we desire in the dictionaries
we ship.
On the proxy side besides trust router support, you need:
* Set GSS-Acceptor-Realm-Name if it's not set
* Confirm that the client actually corresponds to the value in
GSS-Acceptor-Host-Name
* make sure that if User-Name is set it ends in the IDP's realm
* Decide what community a client goes into
* Validate scoping on CUI or whatever attribute we choose
* Radsec configuration
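The checks in that list (everything except the RadSec and trust-router parts) modelled in Python, as an added example that is not part of the original message and is not FreeRADIUS code. Attribute names follow RFC 7055 (GSS-Acceptor-Host-Name, GSS-Acceptor-Realm-Name) and RFC 4372 (Chargeable-User-Identity); the client table, the default acceptor realm, the client-to-community mapping, the CUI scoping rule (realm part must equal the IdP realm the request was proxied to) and the sample request/reply are all assumptions constructed for the example.

```python
"""Model of the proxy-side checks for an ABFAB RADIUS proxy.

Attribute names follow RFC 7055 (GSS-Acceptor-Host-Name,
GSS-Acceptor-Realm-Name) and RFC 4372 (Chargeable-User-Identity).
The client table, the default acceptor realm, the community mapping and
the CUI scoping rule are illustrative assumptions, not project policy.
"""
import re

# Constructed client table (assumption): RADIUS client address -> the acceptor
# host name it may assert and the community its requests are routed into.
CLIENTS = {
    "192.0.2.10": {"acceptor_host": "ssh.example.org", "community": "example-staff"},
    "192.0.2.11": {"acceptor_host": "mail.example.org", "community": "example-guests"},
}

# Assumed value for GSS-Acceptor-Realm-Name when the acceptor did not send one.
DEFAULT_ACCEPTOR_REALM = "example.org"

_USER_AT_REALM = re.compile(r"^[^@]+@([^@]+)$")


class PolicyError(Exception):
    """Raised when a request or reply fails a proxy-side check."""


def realm_of(value):
    """Return the lower-cased realm of 'user@realm', or None if malformed."""
    m = _USER_AT_REALM.match(value)
    return m.group(1).lower() if m else None


def check_request(attrs, client_ip, idp_realm):
    """Checks on the Access-Request before it is proxied to idp_realm.

    idp_realm is assumed to come from the proxy's routing decision (trust
    router or static realm table), which is not modelled here.
    Returns (amended attrs, community) or raises PolicyError.
    """
    client = CLIENTS.get(client_ip)
    if client is None:
        raise PolicyError("unknown RADIUS client %s" % client_ip)
    attrs = dict(attrs)  # never mutate the caller's copy

    # 1. Set GSS-Acceptor-Realm-Name if the acceptor left it out.
    attrs.setdefault("GSS-Acceptor-Realm-Name", DEFAULT_ACCEPTOR_REALM)

    # 2. The client must be the host it claims in GSS-Acceptor-Host-Name,
    #    otherwise one acceptor could pose as another towards the IdP.
    host = attrs.get("GSS-Acceptor-Host-Name")
    if host is None or host.lower() != client["acceptor_host"]:
        raise PolicyError("GSS-Acceptor-Host-Name %r does not match client %s"
                          % (host, client_ip))

    # 3. If User-Name is present, its realm must be the IdP realm we route to.
    user = attrs.get("User-Name")
    if user is not None and realm_of(user) != idp_realm.lower():
        raise PolicyError("User-Name %r is not in realm %s" % (user, idp_realm))

    # 4. The community a client goes into is decided from the client table.
    return attrs, client["community"]


def check_reply(reply_attrs, idp_realm):
    """Validate scoping of the CUI the IdP returned in its Access-Accept.

    Assumed rule: a CUI of the form <opaque>@<realm> must name the realm the
    request was proxied to, so an IdP cannot assert identities for another
    realm. A reply without a CUI is passed through unchanged (returns None).
    """
    cui = reply_attrs.get("Chargeable-User-Identity")
    if cui is not None and realm_of(cui) != idp_realm.lower():
        raise PolicyError("CUI %r is not scoped to realm %s" % (cui, idp_realm))
    return cui


def proxy_decision(request_attrs, client_ip, idp_realm, reply_attrs):
    """Run both halves and summarise the outcome as a dict."""
    try:
        attrs, community = check_request(request_attrs, client_ip, idp_realm)
        cui = check_reply(reply_attrs, idp_realm)
    except PolicyError as e:
        return {"accept": False, "reason": str(e)}
    return {"accept": True, "community": community, "cui": cui,
            "acceptor_realm": attrs["GSS-Acceptor-Realm-Name"]}


if __name__ == "__main__":
    # Constructed sample exchange: request from the ssh client, reply from the IdP.
    req = {"GSS-Acceptor-Host-Name": "ssh.example.org",
           "User-Name": "alice@idp.example.net"}
    rep = {"Chargeable-User-Identity": "7f3a9c@idp.example.net"}
    print(proxy_decision(req, "192.0.2.10", "idp.example.net", rep))
```

In a real FreeRADIUS deployment these checks would be written as unlang policy in the proxy's authorize and post-proxy sections, and the client table would come from clients.conf; the split into a request half and a reply half mirrors that, since the CUI only exists once the IdP's Access-Accept comes back.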