Understanding dynamic radiusClients in openldap

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Feb 8 23:23:09 UTC 2022


Is there a reason you need a CN other than convention?  radiusClientIdentifier looks like an appropriate attribute to use in the DN.

-Arran

> On Feb 4, 2022, at 1:13 PM, Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> On 2/4/22 18:13, Dave Macias wrote:
>> Update:
>> added ldif client as so:
>> dn: cn=xxx:xx:x:x:x:xxff:fe57:cd00,ou=clients,ou=radius,dc=datacom,dc=net
>> objectClass: top
>> objectClass: radiusClient
>> objectClass: ipHost
>> cn: xxx:xx:x:x:x:xxff:fe57:cd00
>> ipHostNumber: xxx:xx:x:x:x:xxff:fe57:cd00
>> radiusClientShortname: location1
>> radiusClientIdentifier: my-nas-name
>> radiusClientSecret: mysecret
>> Not a fan of the repeated IP but just testing for now.
> 
> You can use OpenLDAP's slapo-constraint with set-based constraints to ensure consistency across attributes to avoid errors when maintaining the entries.
> 
> This example ensures that cn and ipHostNumber contain the same values (not tested and probably sub-optimal line-wrapping):
> 
> overlay constraint
> 
> constraint_attribute cn,ipHostNumber
>  set "this/cn & this/ipHostNumber" restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
> 
> Probably you want to constrain these attrs to single value even though they are declared as multi-valued in the schema:
> 
> constraint_attribute cn count 1 restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
> 
> constraint_attribute ipHostNumber count 1 restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
> 
> See also slapo-constraint(5):
> 
> https://www.openldap.org/software/man.cgi?query=slapo-constraint
> 
> These OpenLDAP details are probably considered off-topic here. You're welcome to ask for more on openldap-technical mailing list.
> 
> Ciao, Michael.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
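
An added example, not part of either message and not FreeRADIUS or OpenLDAP code: an offline audit of an LDIF export that applies the same rules as the constraints quoted above (exactly one cn, exactly one ipHostNumber, and a shared value between them) to radiusClient entries. The entries, the dc=example,dc=com base and the 2001:db8:: addresses are constructed, the function names are hypothetical, and the case-insensitive comparison is an assumption.

```python
# Added example: offline check of radiusClient entries in an LDIF export.
SAMPLE_LDIF = """\
dn: cn=2001:db8::10,ou=clients,ou=radius,dc=example,dc=com
objectClass: radiusClient
cn: 2001:db8::10
ipHostNumber: 2001:db8::10

dn: cn=2001:db8::20,ou=clients,ou=radius,dc=example,dc=com
objectClass: radiusClient
cn: 2001:db8::20
ipHostNumber: 2001:db8::21

dn: cn=2001:db8::30,ou=clients,ou=radius,dc=example,dc=com
objectClass: radiusClient
cn: 2001:db8::30
ipHostNumber: 2001:db8::30
ipHostNumber: 2001:db8::31
"""

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    unfolded = text.replace("\n ", "")  # a folded LDIF line continues with one space
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")  # base64 ("::") values are not decoded
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def audit(text):
    """Return (dn, problem) pairs for radiusClient entries that break the rules."""
    findings = []
    for e in parse_ldif(text):
        if "radiusclient" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        dn = e["dn"][0]
        cn, ip = e.get("cn", []), e.get("iphostnumber", [])
        for attr, vals in (("cn", cn), ("ipHostNumber", ip)):
            if len(vals) != 1:
                findings.append((dn, f"{attr} has {len(vals)} values"))
        if not {v.lower() for v in cn} & {v.lower() for v in ip}:
            findings.append((dn, "cn and ipHostNumber share no value"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LDIF), sep="\n")
```

The overlay rejects bad writes at the server; a check like this only reports on entries that already exist, for example ones loaded before the overlay was configured.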
