feature request: ldap enhancements

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Jan 15 10:16:07 CET 2014


On 15 Jan 2014, at 08:27, Hachmer, Tobias <Tobias.Hachmer at stadt-frankfurt.de> wrote:

> -----Original Message-----
> From: freeradius-users-bounces+tobias.hachmer=stadt-frankfurt.de at lists.freeradius.org [mailto:freeradius-users-bounces+tobias.hachmer=stadt-frankfurt.de at lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
> Sent: Tuesday, 14 January 2014 18:58
> To: FreeRadius users mailing list
> Subject: Re: feature request: ldap enhancements
> 
>> On 14 Jan 2014, at 16:16, Alan DeKok <aland at deployingradius.com> wrote:
>>> The dynamic clients code already handles this.  I'd suggest instead 
>>> ensuring that the dynamic clients can have ranges, and not just IP 
>>> addresses.  Simpler, and more flexible.
> 
>> Done... In theory. On v3.0.x and master.
>> If you just wanted to add ranges, use a combination of dynamic clients and the LDAP bulk load.
> 
> Thanks for the update. Yes, this is also a good resolution. 
> 
> How do I have to use the new internal FR attribute FreeRADIUS-Client-IP-Prefix?
> For my understanding I have to create ldap objects with rdn cn=IP-Prefix like cn=10.0.1.0/24.
> What way is the matching done?

If your subnets are a fixed size and on octet boundaries, use a regex and the LDAP wildcard operator.

If your subnets are a fixed size but not on octet boundaries, I can add an xlat function to zero out the host bits:

update control {
	Tmp-Ip-Address-0 := "%{ipprefix:%{Packet-Src-IP-Address}/<cidr>}"
}

If they're a limited range of sizes then the solution above could work, just add additional prefixes to the filter for your standard subnet sizes.

If they're arbitrary sizes then this solution won't work well.

For actually retrieving the data you could use (yet another) instance of rlm_ldap with a different configuration, or ldap xlat and pull each client attribute from the directory one at a time.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
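
Added example, not part of the original message and not FreeRADIUS code: a Python sketch of the lookup described above, zeroing the host bits of the packet source address for each standard subnet size and building one LDAP filter with a cn term per size. The cn=<prefix> naming follows the quoted question; the prefix-length list, the function names and the longest-prefix tie-break are assumptions of the example.

```python
import ipaddress

# Hypothetical site list of the subnet sizes in use (an assumption for this example).
STANDARD_PREFIX_LENGTHS = (24, 26, 28)

def zero_host_bits(src_ip, prefix_len):
    """Network that src_ip falls in at prefix_len, with the host bits cleared."""
    # strict=False makes ip_network mask off the host bits instead of rejecting them.
    return ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in an LDAP filter value."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def candidate_prefixes(src_ip, prefix_lengths=STANDARD_PREFIX_LENGTHS):
    """Prefixes to look up for src_ip, longest (most specific) first."""
    addr = ipaddress.ip_address(src_ip)  # ValueError for anything that is not an address
    lengths = sorted(set(prefix_lengths), reverse=True)
    if not lengths or lengths[-1] < 0 or lengths[0] > addr.max_prefixlen:
        raise ValueError("prefix lengths must be within the address size")
    return [str(zero_host_bits(addr, n)) for n in lengths]

def build_client_filter(src_ip, prefix_lengths=STANDARD_PREFIX_LENGTHS):
    """One LDAP filter with a cn term per standard subnet size."""
    terms = [f"(cn={escape_filter_value(p)})"
             for p in candidate_prefixes(src_ip, prefix_lengths)]
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"

def pick_most_specific(src_ip, returned_cns):
    """Of the entries the directory returned, keep the longest prefix holding src_ip.

    Longest-prefix selection is this example's assumption; the thread does not say
    how overlapping entries are resolved.
    """
    addr = ipaddress.ip_address(src_ip)
    nets = [ipaddress.ip_network(cn) for cn in returned_cns]
    hits = [n for n in nets if n.version == addr.version and addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None

if __name__ == "__main__":
    src = "10.0.1.77"  # constructed sample source address
    print(build_client_filter(src))
    print(pick_most_specific(src, ["10.0.1.0/24", "10.0.1.64/26"]))
```

With arbitrary subnet sizes the filter would need a term for every possible prefix length, which is why the approach only suits a short list of standard sizes.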
