Understanding dynamic radiusClients in openldap
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Feb 8 23:23:09 UTC 2022
Is there a reason you need a CN other than convention? radiusClientIdentifier looks like an appropriate attribute to use in the DN.
-Arran
> On Feb 4, 2022, at 1:13 PM, Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> On 2/4/22 18:13, Dave Macias wrote:
>> Update:
>> added ldif client as so:
>> dn: cn=xxx:xx:x:x:x:xxff:fe57:cd00,ou=clients,ou=radius,dc=datacom,dc=net
>> objectClass: top
>> objectClass: radiusClient
>> objectClass: ipHost
>> cn: xxx:xx:x:x:x:xxff:fe57:cd00
>> ipHostNumber: xxx:xx:x:x:x:xxff:fe57:cd00
>> radiusClientShortname: location1
>> radiusClientIdentifier: my-nas-name
>> radiusClientSecret: mysecret
>> Not a fan of the repeated IP but just testing for now.
>
> You can use OpenLDAP's slapo-constraint with set-based constraints to ensure consistency across attributes to avoid errors when maintaining the entries.
>
> This example ensures that cn and ipHostNumber contain the same values (not tested and probably sub-optimal line-wrapping):
>
> overlay constraint
>
> constraint_attribute cn,ipHostNumber set "this/cn & this/ipHostNumber" restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
>
> Probably you want to constrain these attrs to single value even though they are declared as multi-valued in the schema:
>
> constraint_attribute cn count 1 restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
>
> constraint_attribute ipHostNumber count 1 restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
>
> See also slapo-constraint(5):
>
> https://www.openldap.org/software/man.cgi?query=slapo-constraint
>
> These OpenLDAP details are probably considered off-topic here. You're welcome to ask for more on the openldap-technical mailing list.
>
> Ciao, Michael.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
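
An offline check of exported entries against the same rules as the constraint configuration quoted above: at most one cn and one ipHostNumber per radiusClient entry, and at least one value shared between the two. This is an added example, not part of the thread and not FreeRADIUS or OpenLDAP code; the function names, the dc=example,dc=net sample entries and the plain case-insensitive string comparison (no IPv6 normalization) are assumptions, and the base DN of the restrict URI is not checked.

```python
import base64
# Constructed sample LDIF (not from the thread); 2001:db8::/32 is the documentation range.
SAMPLE_LDIF = """\
dn: cn=2001:db8::10,ou=clients,ou=radius,dc=example,dc=net
objectClass: radiusClient
cn: 2001:db8::10
ipHostNumber: 2001:db8::10

dn: cn=2001:db8::20,ou=clients,ou=radius,
 dc=example,dc=net
objectClass: radiusClient
cn: 2001:db8::20
ipHostNumber: 2001:db8::21

dn: cn=2001:db8::30,ou=clients,ou=radius,dc=example,dc=net
objectClass: radiusClient
cn: 2001:db8::30
ipHostNumber: 2001:db8::30
ipHostNumber: 2001:db8::31

dn: cn=printer,ou=hosts,dc=example,dc=net
objectClass: ipHost
ipHostNumber: 2001:db8::99
"""

def parse_ldif(text):
    """Yield {attr_lowercase: [values]} per entry; handles folding, comments, base64."""
    for block in text.replace("\n ", "").strip().split("\n\n"):   # unfold, then split entries
        entry = {}
        for line in (ln for ln in block.split("\n") if ln and not ln.startswith("#")):
            attr, _, value = line.partition(":")
            if value.startswith(":"):                # attr:: <base64 value>
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        yield entry

def audit(text):
    """Return {dn: [problems]} for radiusClient entries the constraints would reject."""
    findings = {}
    for e in parse_ldif(text):
        if "radiusclient" not in [v.lower() for v in e.get("objectclass", [])]:
            continue                  # same filter as restrict=...(objectClass=radiusClient)
        cn, ip = e.get("cn", []), e.get("iphostnumber", [])
        problems = [f"{name} has {len(vals)} values (count 1)"
                    for name, vals in (("cn", cn), ("ipHostNumber", ip)) if len(vals) > 1]
        if not {v.lower() for v in cn} & {v.lower() for v in ip}:
            problems.append("cn and ipHostNumber share no value")
        if problems:
            findings[e.get("dn", ["?"])[0]] = problems
    return findings
```

`audit()` takes LDIF text, for example the output of `slapcat` or `ldapsearch -LLL`, and returns only the entries that need fixing.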