Templating sections :-)

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri May 13 15:52:55 CEST 2016


> On May 13, 2016, at 9:12 AM, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On May 13, 2016, at 9:06 AM, Stefan Paetow <Stefan.Paetow at jisc.ac.uk> wrote:
>> A quick question for you guys... I'm trying to help out a site with redundant load balancing and went back into my archive to dig up Jonathan's thread the other day about this. In it Arran mentioned templating... can you expand on that? How do we set up templates?
> 
>  raddb/templates.conf
> 
>  It has loads of documentation.
> 
>  Alan DeKok.
> 

Example which shows everything together:

template {
#
#  Module instance configuration for pulling subscriber and client
#  info from LDAP. Connection pool sharing is used for the rest of the
#  instances, so the options below will apply everywhere.
#
example_ldap_subscriber {
	base_dn = 'dc=example,dc=co,dc=foo'

	identity = 'uid=radius,ou=users,ou=system,dc=example,dc=co,dc=foo'
	password = 'foo'

	#
	#  Generic attribute. If any of these appear in the object
	#  they should be in the format:
	#  	<list>:<attr> <op> <value>
	#
	#  e.g.
	#  	reply:Reply-Message := "Hello %{User-Name}"
	#
	valuepair_attribute = 'radiusAttribute'

	update {
		&request:Example-Service-Precedence		:= 'servicePrecedence'
		&request:Example-Service-Profile-DN		:= 'serviceProfileDN'
		&request:Example-Subscriber-ID			:= 'subscriberID'

		&control:Cleartext-Password			:= 'userPassword'
		&control:Example-Service-Status			:= 'serviceStatus'
		&control:Example-Port-Binding			:= 'portBinding'
		&control:Example-Port-Binding-ID		:= 'portBindingIdentifier'
		&control:Example-Port-Binding-Modified-Str	:= 'portBindingModifiedStr'

		#
		#  Static IP address attributes
		#
		&reply:Framed-IP-Address			:= 'radiusFramedIPAddress'
		&reply:Framed-IP-Netmask			:= 'radiusFramedIPNetmask'
		&reply:Framed-Route				:= 'radiusFramedRoute'

		#
		#  Other common, statically mapped, attributes
		#
		&reply:Session-Timeout				:= 'radiusSessionTimeout'
		&control:Simultaneous-Use			:= 'radiusSimultaneousUse'
	}

	#
	#  We don't need to search for the subscriber here, we can form
	#  the complete DN from attributes in, or derived from the request.
	#
	user {
		#  Where to start searching in the tree for users
		base_dn = "cn=%{Stripped-User-Name}+serviceAccessMedia=%{Example-Service-Access-Media},cn=%{Stripped-User-Domain},ou=realms,${..base_dn}"

		#  Search scope, may be 'base', 'one', 'sub' or 'children'
		scope = 'base'
	}

	#
	#  LDAP connection-specific options.
	#
	#  These options set timeouts, keep-alives, etc. for the connections.
	#
	options {
		#  Control under which situations aliases are followed.
		#  May be one of 'never', 'searching', 'finding' or 'always'
		#  default: libldap's default which is usually 'never'.
		#
		#  LDAP_OPT_DEREF is set to this value.
		dereference = 'always'

		#
		#  The following two configuration items control whether the
		#  server follows references returned by LDAP directory.
		#  They are mostly for Active Directory compatibility.
		#  If you set these to 'no', then searches will likely return
		#  'operations error', instead of a useful result.
		#
		chase_referrals = no
		rebind = no

		#  Default timeout.
		timeout = 1

		#  Seconds LDAP server has to process the query (server-side
		#  time limit).
		#
		#  This should normally be subsecond, if it's > 100ms something
		#  is very wrong on the LDAP server.
		timelimit = 1

		#  Seconds to wait for response of the server. (network
		#  failures). This is the socket level timeout.
		net_timeout = 1

		#  LDAP_OPT_X_KEEPALIVE_IDLE
		idle = 60

		#  LDAP_OPT_X_KEEPALIVE_PROBES
		probes = 3

		#  LDAP_OPT_X_KEEPALIVE_INTERVAL
		interval = 3

		#  ldap_debug: debug flag for LDAP SDK
		#  (see OpenLDAP documentation).  Set this to enable
		#  huge amounts of LDAP debugging on the screen.
		#  You should only use this if you are an LDAP expert.
		#
		#	default: 0x0000 (no debugging messages)
		#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
		ldap_debug = 0x0028
	}

	tls {
		start_tls = yes
		ca_file = "${certdir}/cert_chain.pem"
		require_cert = 'demand'
	}
}
}

ldap example_ldap_subscriber_slave_0 {
	server = ldap_slave_0.example.net.foo

	$template example_ldap_subscriber
	pool {
		$template example_connection_pool
	}
}

ldap example_ldap_subscriber_slave_1 {
	server = ldap_slave_1.example.net.foo

	$template example_ldap_subscriber
	pool {
		$template example_connection_pool
	}
}

ldap example_ldap_subscriber_slave_2 {
	server = ldap_slave_2.example.net.foo

	$template example_ldap_subscriber
	pool {
		$template example_connection_pool
	}
}

instantiate {
	redundant ldap_subscriber {
		example_ldap_subscriber_slave_0
		example_ldap_subscriber_slave_1
		example_ldap_subscriber_slave_2
	}
}

%{ldap_subscriber:ldap://}
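Added example (not part of Arran's post, and not the contents of raddb/templates.conf): a definition for the connection pool template that the three ldap instances above pull in with `$template example_connection_pool`, followed by a fourth instance that uses both templates but overrides single values. The pool sizes, the `ldap_slave_3` hostname and the overridden timeouts are assumptions chosen for illustration; the only thing taken from the server's behaviour is the precedence rule that an item set directly in the module section wins over the same item in its template, and the template is consulted only for items the section does not define.

```conf
#
#  Added example: a pool template of the kind the ldap instances above
#  reference with "$template example_connection_pool". The numbers are
#  assumptions for a three-server redundant set, not project defaults.
#  Put this inside the one top-level "template { ... }" section that
#  already holds example_ldap_subscriber rather than adding a second
#  template section.
#
template {
	example_connection_pool {
		#  Connections opened when the module instance is created
		start = 5

		#  Never let the pool shrink below this many connections
		min = 5

		#  Ceiling per instance. Three instances share one directory
		#  tree, so size this against the LDAP server's connection limit,
		#  not against a single instance.
		max = 10

		#  Idle connections kept ready for bursts
		spare = 3

		#  Seconds to wait before retrying a server whose connection
		#  attempt failed, so a dead slave is not hammered on every
		#  request while the redundant section fails over.
		retry_delay = 30

		#  Retire connections after this many seconds so that they are
		#  re-established periodically (e.g. after a failover, or after
		#  the directory's TLS certificate is rotated).
		lifetime = 3600

		#  Close connections that have been unused for this long
		idle_timeout = 300
	}
}

#
#  A fourth (assumed) slave on a slow link. Items written directly in the
#  section take precedence over the template, and the template is used
#  only for items the section does not define, so this instance keeps
#  the DN layout, attribute map and TLS settings of example_ldap_subscriber
#  but gets a longer socket timeout and a larger pool.
#
ldap example_ldap_subscriber_slave_3 {
	server = ldap_slave_3.example.net.foo

	$template example_ldap_subscriber

	options {
		#  Overrides net_timeout = 1 from the template (assumed value)
		net_timeout = 3
	}

	pool {
		$template example_connection_pool

		#  Overrides max = 10 from the pool template (assumed value)
		max = 20
	}
}
```

After adding the instance to the `redundant ldap_subscriber { ... }` list in `instantiate`, run `radiusd -XC` to parse the configuration without starting the server; a template name that does not exist under `template { }` is reported there rather than at the first request.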

