FreeRadius DHCP against LDAP

Arran Cudbard-Bell a.cudbardb at
Fri Sep 13 19:40:41 CEST 2013

> Is it correct as above? Do I have to call ldap_dhcp separately in each section (i.e. twice)?

Hopefully someone else will chime in who's actually used it, but this is what I believe the order of operations should be:

* Receive DHCP-Discover
	- Call LDAP to get the IP assignment for the Mac-Address.
	- Augment the reply list with additional options
	- Cache the reply attributes you're about to send (see rlm_cache), you probably want to key it on the same attributes as your LDAP search
	- Set DHCP-Message-Type

* Receive DHCP-Request
	- Pull reply list out of cache
	- Compare requested IP with that in reply list IP if != IP requested trash the reply list and DHCP-Message-Type := NAK
	- If request IP == reply IP, DHCP-Message-Type := ACK

That way you only have one hit on your LDAP server, and you guarantee consistency across Offer and Request.

You can also do it the way you have in your example server (it has the advantage that it'll work behind load balancers, or multiple gateways pointing at different servers), but you should check the IP from LDAP is the same as the one requested, and NAK if appropriate.

If you do it the way I suggested I highly recommend you use V3.0.0 (release_branch_3.0.0 or master/HEAD) instead, as the list/attribute handling is much better.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list