Loading new clients without a restart

Peter Lambrechtsen peter at crypt.nz
Thu Mar 30 12:26:45 CEST 2017


If you are using FR3.0 or higher then you can do it twofold. And if you
don't want to extend the schema use a group object, then define a "ou"
attribute as shared secret, or use any other existing attribute as the
secret. I also use "l" for Short name, as I separate different clients out
based on the short-name. Then I just create a dedicated OU called Clients
and create them in there with their IP address as the CN.

ldap module pre-loads all the clients:

        client {
                # one LDAP entry per client, looked up under this OU
                base_dn = "ou=Clients,${..base_dn}"
                filter = '(objectClass=group)'
                scope = 'sub'
                attribute {
                        ipaddr                          = 'cn'
                        secret                          = 'ou'
                        shortname                       = 'l'
                }
        }

Then load new clients using dynamic clients:

                # Fetch the "ou" attribute of the entry whose cn is the source IP.
                # /(.+)/ rather than /(.*)/ so that an empty lookup result does not
                # match and define a client with an empty secret.
                if ("%{ldap:ldap:///ou=Clients,o=Identities?ou?sub?(cn=%{Packet-Src-IP-Address})}" =~ /(.+)/) {
                        update control {
                                # Set the shared secret from the "ou" attribute
                                # of the matching entry.
                                &FreeRADIUS-Client-Secret = "%{1}"
                                #
                                &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                        }
                }

And no schema was hurt in this process.




On Thu, Mar 30, 2017 at 10:43 PM, Matthew Newton <mcn4 at leicester.ac.uk>
wrote:

> > On Wed, Mar 29, 2017 at 08:51:14PM +0000, Clayton Knorr wrote:
> > > Suppose you're loading your clients in from LDAP or SQL, and you need
> > > adding new clients to be relatively dynamic. Reloads don't pull in the
>
> On Wed, Mar 29, 2017 at 09:08:18PM +0000, Clayton Knorr wrote:
> > Yeah I started looking at that (should have done my search
> > BEFORE sending the email) but I'm not sure we can do that
> > without serious changes to how LDAP is set up.
>
> From the sound of your original question, you're already getting
> your clients from SQL/LDAP - and I presume building clients.conf
> with a script, and then having to do a restart?
>
> So just use a script to grab from wherever and drop files into a
> directory and use raddb/mods-available/dynamic_clients. Doesn't
> need to be FR config to query the database in this case.
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/
> raddb/mods-available/dynamic_clients
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
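As an added example (not from Peter's mail or from the FreeRADIUS project), here is where that LDAP lookup sits in a 3.0 configuration: the `client` block with `dynamic_clients` limits which source networks may even attempt to define themselves, and the virtual server resolves the secret and short name from the same entry layout as above, refusing addresses with no entry. The network 192.0.2.0/24, the block names, the base DN and the lifetime are assumed placeholder values.

```unlang
# Added example: dynamic client definition backed by the LDAP entries
# described in the thread (FreeRADIUS 3.0). PLACEHOLDER values are assumptions.

# Only packets from this network trigger a dynamic client lookup; packets
# from anywhere else are dropped before any LDAP query is made.
client dynamic_net {
        ipaddr = 192.0.2.0                  # PLACEHOLDER network
        netmask = 24
        dynamic_clients = dynamic_clients   # virtual server defined below
        lifetime = 3600                     # seconds a resolved client is cached
}

server dynamic_clients {
        authorize {
                # Same entry layout as the ldap module config above:
                # cn = client IP, ou = shared secret, l = short name.
                # /(.+)/ so an empty result does not match (no empty secrets).
                if ("%{ldap:ldap:///ou=Clients,o=Identities?ou?sub?(cn=%{Packet-Src-IP-Address})}" =~ /(.+)/) {
                        update control {
                                &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                                &FreeRADIUS-Client-Secret = "%{1}"
                                &FreeRADIUS-Client-Shortname = "%{ldap:ldap:///ou=Clients,o=Identities?l?sub?(cn=%{Packet-Src-IP-Address})}"
                        }
                        ok
                }
                else {
                        # No entry for this source address: do not define a
                        # client, so the request is discarded.
                        reject
                }
        }
}
```

Because of `lifetime`, a secret changed or an entry removed in LDAP stays in effect for a cached client until that timer expires or the server is restarted, so keep the lifetime short where clients are decommissioned often.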

