Again: clients.conf storage in ldap
Phil Mayers
p.mayers at imperial.ac.uk
Fri Dec 3 15:13:04 CET 2010
On 03/12/10 13:52, Michal Bruncko wrote:
> Hello list,
>
> I have found an old discussion on the freeradius mailing list about
> storing RADIUS client definitions in LDAP.
> That discussion is dated 23 Nov 2004 and is at the following link:
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg11425.html
>
> I want to ask what the status of integrating clients.conf with LDAP
> storage is now, four years after that discussion?
> This integration is interesting and makes the configuration more
> centralized.

FreeRadius 2 has support for dynamic clients; with that I guess the
"ldap" module can be used to reply to the dynamic client queries with
"xlat" values or (with a 2nd instance and custom ldap.attrmap) read them
wholesale out of LDAP.

For example:

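modules {
    # second ldap instance, used only for client lookups
    ldap ldap_clients {
        # ... ldap config
        dictionary_mapping = ldap.attrmap_clients
        base = ...
        # look up the entry by the source IP of the incoming packet
        filter = (radiusClientIP=%{Packet-Src-IP-Address})
    }
}

# packets from unknown clients in this range go to the virtual server
client dynamic {
    ipaddr = 192.168.0.0
    netmask = 16
    dynamic_clients = dyn_clients_ldap
    # seconds a discovered client definition is cached
    lifetime = 3600
}

server dyn_clients_ldap {
    authorize {
        ldap_clients
    }
}
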
...and in ldap.attrmap_clients:

checkItem    FreeRADIUS-Client-Secret        radiusClientSecret
checkItem    FreeRADIUS-Client-IP-Address    radiusClientIP
checkItem    FreeRADIUS-Client-Shortname     cn

...obviously modify for your LDAP schema.
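
An added example, not part of the original post or of FreeRADIUS: a small audit of client entries exported from LDAP as LDIF, flagging secrets that are short or missing, IPs outside the 192.168.0.0/16 range that the "client dynamic" block covers, and IPs that appear in more than one entry (which makes the radiusClientIP filter ambiguous). The attribute names follow the attrmap above; the sample entries, the example.org DNs and the 16-character minimum are constructed assumptions.

```python
import ipaddress

# Assumption: same range as the "client dynamic" block (192.168.0.0/16).
DYNAMIC_NET = ipaddress.ip_network("192.168.0.0/16")
MIN_SECRET_LEN = 16  # assumed local policy, not a FreeRADIUS requirement
# Constructed sample LDIF; attribute names follow ldap.attrmap_clients.
SAMPLE_LDIF = """\
dn: cn=sw-core-1,ou=radiusClients,dc=example,dc=org
cn: sw-core-1
radiusClientIP: 192.168.10.2
radiusClientSecret: 7fQ2mC9xLr4TzK1vPa8dWs3h

dn: cn=ap-lobby,ou=radiusClients,dc=example,dc=org
cn: ap-lobby
radiusClientIP: 192.168.20.7
radiusClientSecret: testing123

dn: cn=ap-lobby-old,ou=radiusClients,dc=example,dc=org
cn: ap-lobby-old
radiusClientIP: 192.168.20.7
radiusClientSecret: Zp0Vb6Ng2Xe8Hq4Ym1Rc5Tu9

dn: cn=vpn-gw,ou=radiusClients,dc=example,dc=org
cn: vpn-gw
radiusClientIP: 10.0.0.5
radiusClientSecret: Kd3Lw7Js1Bn9Mf5Qa2Gy6Ec8
"""

def parse_ldif(text):  # simple "attr: value" records; no base64 or folding
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def audit(entries):
    findings, seen = [], {}
    for e in entries:
        name, ip = e.get("cn", "?"), e.get("radiusClientIP", "")
        try:
            if ipaddress.ip_address(ip) not in DYNAMIC_NET:
                findings.append((name, "ip-outside-dynamic-range"))
        except ValueError:
            findings.append((name, "bad-ip"))
        if len(e.get("radiusClientSecret", "")) < MIN_SECRET_LEN:
            findings.append((name, "weak-or-missing-secret"))
        if ip in seen:  # filter (radiusClientIP=...) would match two entries
            findings.append((name, "duplicate-ip-of:" + seen[ip]))
        seen.setdefault(ip, name)
    return findings

print(audit(parse_ldif(SAMPLE_LDIF)))
```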