Understanding dynamic radiusClients in openldap
Michael Ströder
michael at stroeder.com
Fri Feb 4 18:13:58 UTC 2022
On 2/4/22 18:13, Dave Macias wrote:
> Update:
>
> added ldif client as so:
>
> dn: cn=xxx:xx:x:x:x:xxff:fe57:cd00,ou=clients,ou=radius,dc=datacom,dc=net
> objectClass: top
> objectClass: radiusClient
> objectClass: ipHost
> cn: xxx:xx:x:x:x:xxff:fe57:cd00
> ipHostNumber: xxx:xx:x:x:x:xxff:fe57:cd00
> radiusClientShortname: location1
> radiusClientIdentifier: my-nas-name
> radiusClientSecret: mysecret
>
> Not a fan of the repeated IP but just testing for now.
You can use OpenLDAP's slapo-constraint with set-based constraints to
ensure consistency across attributes to avoid errors when maintaining
the entries.
This example ensures that cn and ipHostNumber contain the same values
(not tested and probably sub-optimal line-wrapping):
overlay constraint
constraint_attribute cn,ipHostNumber
    set "this/cn & this/ipHostNumber"
    restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
Probably you want to constrain these attrs to single value even though
they are declared as multi-valued in the schema:
constraint_attribute cn count 1
    restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
constraint_attribute ipHostNumber count 1
    restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
See also slapo-constraint(5):
https://www.openldap.org/software/man.cgi?query=slapo-constraint
These OpenLDAP details are probably considered off-topic here. You're
welcome to ask for more on the openldap-technical mailing list.
Ciao, Michael.
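The two rules proposed above (cn and ipHostNumber carrying the same value, and each limited to one value) can also be checked offline before an LDIF file is loaded. The script below is an added example, not code from the post or from the OpenLDAP or FreeRADIUS projects: it contains a minimal LDIF reader and a checker that mirrors the stated goal of the set and count constraints. The sample LDIF, the dc=example,dc=net suffix, the 2001:db8:: addresses and the REPLACE-WITH-SECRET placeholder are all constructed for the example.

```python
"""Offline consistency check for radiusClient LDIF entries.

Added example (not from the mailing-list post or the OpenLDAP project):
it mirrors the two slapo-constraint rules suggested in the reply
(cn and ipHostNumber must agree; each limited to one value) so an
LDIF file can be checked before it is loaded into the directory.
"""
import base64
from collections import defaultdict

# Constructed sample LDIF: one consistent entry, one with both defects.
SAMPLE_LDIF = """\
dn: cn=2001:db8::57ff:fe57:cd00,ou=clients,ou=radius,dc=example,dc=net
objectClass: top
objectClass: radiusClient
objectClass: ipHost
cn: 2001:db8::57ff:fe57:cd00
ipHostNumber: 2001:db8::57ff:fe57:cd00
radiusClientShortname: location1
radiusClientIdentifier: my-nas-name
radiusClientSecret: REPLACE-WITH-SECRET

dn: cn=2001:db8::1,ou=clients,ou=radius,dc=example,dc=net
objectClass: top
objectClass: radiusClient
objectClass: ipHost
cn: 2001:db8::1
ipHostNumber: 2001:db8::2
ipHostNumber: 2001:db8::3
radiusClientShortname: location2
radiusClientSecret: REPLACE-WITH-SECRET
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr: [values]}).

    Handles folded lines (leading space), skips comments, and decodes
    base64 values ('::'). Sufficient for hand-written client LDIF.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries = []
    dn, attrs = None, defaultdict(list)
    for line in lines + [""]:             # sentinel closes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries


def check_radius_client(attrs):
    """Return the list of constraint violations for one entry.

    Rule 1 (set constraint): cn and ipHostNumber hold the same values.
    Rule 2 (count constraint): cn and ipHostNumber each have one value.
    Entries without objectClass radiusClient are out of scope, as with
    the restrict= filter in the reply.
    """
    problems = []
    if "radiusClient" not in attrs.get("objectClass", []):
        return problems
    cn = attrs.get("cn", [])
    ip = attrs.get("ipHostNumber", [])
    if set(cn) != set(ip):
        problems.append("cn/ipHostNumber mismatch: %r vs %r" % (cn, ip))
    for attr, values in (("cn", cn), ("ipHostNumber", ip)):
        if len(values) != 1:
            problems.append("%s must have exactly 1 value, has %d"
                            % (attr, len(values)))
    return problems


def check_ldif(text):
    """Map each DN to its list of violations (empty list = passes)."""
    return {dn: check_radius_client(attrs) for dn, attrs in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, "OK" if not problems else problems)
```

Run it against a real export (for example the output of ldapsearch -LLL) instead of SAMPLE_LDIF to find entries that would be rejected once the overlay is enabled; unlike the overlay, which only blocks new writes, this catches entries that already exist.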