FreeRadius DHCP against LDAP

Nikolaos Milas nmilas at
Fri Sep 13 19:19:24 CEST 2013

On 31/8/2013 12:03 AM, Arran Cudbard-Bell wrote:

>> 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)?
> Yes. 

I am having a hard time trying to adapt the example at: to work 
from ldap.

We are starting from a point where we have an (LDAP) DIT branch 
ou=hosts,dc=example,dc=com, where hosts are stored (also used for 
MAC-Auth), using entries of the form:

objectClass: device
objectClass: ieee802Device
objectClass: top
objectClass: radiusprofile
objectClass: simpleSecurityObject
description: Main Workstation at Tech Dpt
ou: tech
l: Sierra Nevada
userPassword: test123
owner: cn=TechAdmins,ou=Groups,dc=example,dc=com
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
radiusTunnelPrivateGroupId: 1
macAddress: 00:24:8b:3a:d1:db
radiusTerminationAction: 33
radiusHint: 50004

We are attempting to assign (using DHCP) to the host with the MAC address 
stored in the macAddress attribute:

- the IP Address defined at radiusFramedIPAddress
- the gateway defined at radiusArapSecurity
- the mask defined at radiusArapZoneAccess

Can we use ldap calls (as when doing auth), in modules/ldap, like:

ldap ldap_dhcp {
         server = "localhost"
         identity = "uid=auth,ou=AdminAccounts,dc=example,dc=com"
         password = "mysecret"
         basedn = "ou=hosts,dc=example,dc=com"
         filter = "(macAddress=%{DHCP-Client-Hardware-Address})"
         start_tls = no
         dictionary_mapping = ${raddbdir}/ldap.attrmap
         ldap_connections_number = 2
         timeout = 4
         timelimit = 3
         net_timeout = 1
}

...having added in ldap.attr the following (using currently unused 
freeradius schema attributes):

replyItem       DHCP-Subnet-Mask              radiusArapZoneAccess
replyItem       DHCP-Router-Address           radiusArapSecurity
replyItem       DHCP-Your-IP-Address          radiusFramedIPAddress

and then modify the example as follows:

     server dhcp {
         listen {
             type = dhcp
             ipaddr =
             port = 67
             interface = eth0
             broadcast = no
         }

         dhcp DHCP-Discover {
             update reply {
                 DHCP-Message-Type = DHCP-Offer
             }
             update reply {
                 DHCP-Domain-Name-Server :=
                 DHCP-Domain-Name-Server :=
             }
         }

         dhcp DHCP-Request {
             update reply {
                 DHCP-Message-Type = DHCP-Ack
             }
             update reply {
                 DHCP-Domain-Name-Server :=
                 DHCP-Domain-Name-Server :=
             }
         }

         dhcp {
         }
     }

Is it correct as above? Do I have to call ldap_dhcp separately in each 
section (i.e. twice)?

Please clarify!
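The lookup and attribute mapping the post is trying to set up, as an added Python model (not FreeRADIUS code and not from the original message): it parses the poster's replyItem lines, renders the client hardware address the way FreeRADIUS prints an ether value, matches it against macAddress case-insensitively (as LDAP's caseIgnore matching does), and copies the mapped attributes into a DHCP reply. The host entries, IP addresses and the result labels ("ok", "noop", "notfound") are constructed sample data and a simplification of module return codes.

```python
# Added model of the LDAP lookup + ldap.attrmap mapping described in the post.
# Not FreeRADIUS code: ENTRIES and the hardware addresses are constructed data.

ATTRMAP = """
replyItem       DHCP-Subnet-Mask              radiusArapZoneAccess
replyItem       DHCP-Router-Address           radiusArapSecurity
replyItem       DHCP-Your-IP-Address          radiusFramedIPAddress
"""

# Constructed ou=hosts entries, reduced to the attributes the mapping reads.
ENTRIES = [
    {"macAddress": "00:24:8b:3a:d1:db", "radiusFramedIPAddress": "192.0.2.50",
     "radiusArapSecurity": "192.0.2.1", "radiusArapZoneAccess": "255.255.255.0"},
    {"macAddress": "00:24:8B:3A:D1:DC"},  # known host with no address data
]


def parse_attrmap(text):
    """Turn each replyItem line into {ldap_attribute: dhcp_attribute}."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "replyItem":
            mapping[parts[2]] = parts[1]
    return mapping


def hwaddr_to_str(chaddr):
    """Render the first 6 bytes of chaddr as FreeRADIUS prints an ether value."""
    return ":".join(f"{b:02x}" for b in chaddr[:6])


def lookup(entries, hwaddr):
    """Emulate (macAddress=%{DHCP-Client-Hardware-Address}) with caseIgnore matching."""
    for entry in entries:
        if entry.get("macAddress", "").lower() == hwaddr.lower():
            return entry
    return None


def build_reply(entries, attrmap, chaddr, message_type):
    """Return (result, reply): 'notfound' = no entry, 'noop' = entry has no address."""
    entry = lookup(entries, hwaddr_to_str(chaddr))
    if entry is None:
        return "notfound", {}
    reply = {"DHCP-Message-Type": message_type}
    for ldap_attr, dhcp_attr in attrmap.items():
        if ldap_attr in entry:
            reply[dhcp_attr] = entry[ldap_attr]
    if "DHCP-Your-IP-Address" not in reply:
        return "noop", reply
    return "ok", reply
```

A request whose hardware address matches no entry yields "notfound", so the caller can decline to send an offer rather than answer with an empty reply.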


More information about the Freeradius-Users mailing list