Understanding dynamic radiusClients in openldap

Dave Macias davama at gmail.com
Wed Feb 9 00:30:08 UTC 2022


Hmm, that's an interesting idea…

Was using cn because that's what I saw in the dynamic clients config… doesn't have to be cn.

Will give it a try and report.

Thank you for the tip!
On Feb 8, 2022, 5:23 PM -0600, Arran Cudbard-Bell <a.cudbardb at freeradius.org>, wrote:
> Is there a reason you need a CN other than convention? radiusClientIdentifier looks like an appropriate attribute to use in the DN.
>
> -Arran
>
> > On Feb 4, 2022, at 1:13 PM, Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> >
> > On 2/4/22 18:13, Dave Macias wrote:
> > > Update:
> > > added ldif client as so:
> > > dn: cn=xxx:xx:x:x:x:xxff:fe57:cd00,ou=clients,ou=radius,dc=datacom,dc=net
> > > objectClass: top
> > > objectClass: radiusClient
> > > objectClass: ipHost
> > > cn: xxx:xx:x:x:x:xxff:fe57:cd00
> > > ipHostNumber: xxx:xx:x:x:x:xxff:fe57:cd00
> > > radiusClientShortname: location1
> > > radiusClientIdentifier: my-nas-name
> > > radiusClientSecret: mysecret
> > > Not a fan of the repeated IP but just testing for now.
> >
> > You can use OpenLDAP's slapo-constraint with set-based constraints to ensure consistency across attributes to avoid errors when maintaining the entries.
> >
> > This example ensures that cn and ipHostNumber contain the same values (not tested and probably sub-optimal line-wrapping):
> >
> > overlay constraint
> >
> > constraint_attribute cn,ipHostNumber
> > set "this/cn & this/ipHostNumber" restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
> >
> > Probably you want to constrain these attrs to single value even though they are declared as multi-valued in the schema:
> >
> > constraint_attribute cn count 1 restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
> >
> > constraint_attribute ipHostNumber count 1 restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
> >
> > See also slapo-constraint(5):
> >
> > https://www.openldap.org/software/man.cgi?query=slapo-constraint
> >
> > These OpenLDAP details are probably considered off-topic here. You're welcome to ask for more on openldap-technical mailing list.
> >
> > Ciao, Michael.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
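The entry layout and the two slapo-constraint rules discussed in the thread, carried through as an added example (not code from the thread, from FreeRADIUS or from OpenLDAP). The script builds a radiusClient LDIF entry with radiusClientIdentifier as the RDN, as suggested in the reply, and lints the entry client-side the way the proposed constraints would server-side: cn and ipHostNumber single-valued and equal. It keeps cn in the entry because the ipHost object class (RFC 2307) lists cn as a required attribute, so dropping it from the DN does not remove it from the entry. The base DN, the IPv6 addresses and the client names are constructed for illustration; the RDN escaping follows RFC 4514 and the base64 rule for LDIF values follows RFC 2849.

```python
"""Build and lint a FreeRADIUS dynamic-client LDIF entry.

Added example, not code from the mailing-list thread or from the
FreeRADIUS / OpenLDAP projects. Mirrors the two slapo-constraint rules
from the thread (cn and ipHostNumber: exactly one value each, and equal)
as a pre-commit check, and uses radiusClientIdentifier as the RDN.
"""
import base64
import ipaddress

# Assumption: a stand-in for the thread's base DN.
BASE_DN = "ou=clients,ou=radius,dc=example,dc=net"

# RFC 4514 section 2.4: these characters must be escaped inside an RDN value;
# a leading '#', and a leading or trailing space, must be escaped as well.
_RDN_SPECIAL = {',', '+', '"', '\\', '<', '>', ';', '='}


def escape_rdn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _RDN_SPECIAL or (ch == ' ' and i in (0, last)) or (ch == '#' and i == 0):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_client(identifier, address, shortname, secret, rdn_attr="radiusClientIdentifier"):
    """Return (dn, entry) for a radiusClient/ipHost entry keyed on identifier."""
    # Rejects junk addresses and normalises IPv6 (e.g. 2001:DB8::0001 -> 2001:db8::1)
    ip = str(ipaddress.ip_address(address))
    entry = {
        "objectClass": ["top", "radiusClient", "ipHost"],
        "cn": [ip],                      # ipHost requires cn; kept equal to ipHostNumber
        "ipHostNumber": [ip],
        "radiusClientShortname": [shortname],
        "radiusClientIdentifier": [identifier],
        "radiusClientSecret": [secret],
    }
    dn = f"{rdn_attr}={escape_rdn_value(entry[rdn_attr][0])},{BASE_DN}"
    return dn, entry


def lint_client(entry):
    """Violations of the thread's constraints: count 1 on cn and ipHostNumber, and equal sets."""
    problems = []
    for attr in ("cn", "ipHostNumber"):
        if len(entry.get(attr, [])) != 1:
            problems.append(f"{attr} must have exactly one value (count 1)")
    if set(entry.get("cn", [])) != set(entry.get("ipHostNumber", [])):
        problems.append("cn and ipHostNumber must contain the same values")
    return problems


def _ldif_line(attr, value):
    # RFC 2849: a value that starts with space, ':' or '<', ends with space, or
    # contains non-ASCII / NUL / CR / LF must be base64-encoded with 'attr:: '.
    # This bites IPv6 addresses such as ::1 or ::ffff:..., which start with ':'.
    safe = (
        value != ""
        and value.isascii()
        and value[0] not in " :<"
        and not value.endswith(" ")
        and not any(c in value for c in "\x00\r\n")
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def to_ldif(dn, entry):
    """Serialise the entry; raises if the lint fails so a bad entry never reaches ldapadd."""
    problems = lint_client(entry)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"dn: {dn}"]
    for attr, values in entry.items():
        lines.extend(_ldif_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dn, entry = build_client("my-nas-name", "2001:db8::1", "location1", "mysecret")
    print(to_ldif(dn, entry))
```

Pipe the output into ldapadd against the directory as usual; the lint only catches what the entry itself reveals, so the server-side slapo-constraint rules remain the authoritative check once entries are edited in place.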

