Handling of duplicates in clients.conf

Alan DeKok aland at deployingradius.com
Thu Mar 26 06:34:37 CET 2009


Garber, Neal wrote:
> I’m running FR 2.0.3 and I just found that if there is more than one
> client with the same IP address in clients.conf, then it will stop
> processing the remainder of the file and continue startup.

  This is addressed in 2.1.4.  It now ignores clients that are *exact*
duplicates.

>  The only
> indication it has done this are 2 error messages that are easily missed
> when running with debug on.  I checked git.freeradius.org and noticed
> that the client.c committed on 09-March now ignores duplicates if they
> are exactly the same.  In my case, everything was the same except the
> name.  My question is, wouldn’t it be better to continue processing the
> remainder of the file even when there are duplicates that aren’t
> identical or alternatively to preclude the server from starting (I’d
> vote for the former).  Ignoring what could be hundreds of clients that
> follow the error doesn’t seem useful.  

  If your server is misconfigured, it's better to know and fix it, than
have it silently "work" for some definition of "work".

> I propose ignoring all duplicates and having client_add return ok (1).
>  This would log the error for any duplicates (even duplicates that
> aren’t completely identical), but allow processing to continue for the
> remainder of the file.

  No.  Clients that are exact duplicates can be safely ignored.  Clients
that are "similar" but not the same are conflicts.  You may have
policies, logging, etc. that depend on the fields that are different.
Which one is chosen?  One at random?

  Do you really want the server to work *accidentally*?  And one day,
when something else changes, the server suddenly picks the *other*
client definition, and all of your policies, logs, etc. are different?

  That's scary.

  If you want this behavior, fork the git tree, and maintain a separate
patch yourself.  Git makes this trivial.  But putting it into the main
tree means that there will be angry email from people when their systems
break.  And they'll be right to complain.

  Alan DeKok.
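
A pre-start check for the distinction drawn in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code. It assumes a simplified clients.conf (flat `client` blocks with an `ipaddr` entry, no nested sections or includes) and separates same-address clients that are exact duplicates from those that differ in any field, the name included. The sample configuration is constructed.

```python
import re

# Constructed sample; names, addresses and secrets are made up.
SAMPLE = """
client ap-floor1 {
    ipaddr = 192.0.2.10
    secret = s3cretA
}
client ap-floor1 {
    ipaddr = 192.0.2.10
    secret = s3cretA
}
client ap-lobby {
    ipaddr = 192.0.2.10   # same IP, different name
    secret = s3cretA
}
client core-sw {
    ipaddr = 192.0.2.20
    secret = s3cretB
}
"""

BLOCK = re.compile(r"\bclient\s+(\S+)\s*\{(.*?)\}", re.S)
PAIR = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

def parse_clients(text):
    """Return [(name, {key: value})] for flat client blocks (simplified grammar)."""
    text = re.sub(r"#.*", "", text)  # drop comments; assumes no '#' inside values
    clients = []
    for name, body in BLOCK.findall(text):
        attrs = dict(m.groups() for m in map(PAIR.match, body.splitlines()) if m)
        clients.append((name, attrs))
    return clients

def check_duplicates(text):
    """Split repeated addresses into exact duplicates and conflicting definitions."""
    first_seen, exact, conflicts = {}, [], []
    for name, attrs in parse_clients(text):
        ip = attrs.get("ipaddr", name)  # assumption: the name is the address if ipaddr is absent
        if ip not in first_seen:
            first_seen[ip] = (name, attrs)
        elif first_seen[ip] == (name, attrs):
            exact.append((ip, name))  # identical in every field: safe to ignore
        else:
            conflicts.append((ip, first_seen[ip][0], name))  # differs somewhere: must be fixed
    return exact, conflicts

if __name__ == "__main__":
    print(check_duplicates(SAMPLE))
```

Run against the whole file before a restart, this reports every conflicting pair at once instead of stopping at the first one.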


