Understanding dynamic radiusClients in openldap

Michael Ströder michael at stroeder.com
Wed Feb 9 11:01:09 UTC 2022


On 2/9/22 00:23, Arran Cudbard-Bell wrote:
> Is there a reason you need a CN other than convention?  radiusClientIdentifier looks like an appropriate attribute to use in the DN.

Object class 'ipHost' requires 'cn'. So the best solution would be a 
custom object class.

But I did explain that because I did not want to flood this mailing list 
with LDAP schema discussion too much.

Ciao, Michael.

>> On Feb 4, 2022, at 1:13 PM, Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>
>> On 2/4/22 18:13, Dave Macias wrote:
>>> Update:
>>> added ldif client as so:
>>> dn: cn=xxx:xx:x:x:x:xxff:fe57:cd00,ou=clients,ou=radius,dc=datacom,dc=net
>>> objectClass: top
>>> objectClass: radiusClient
>>> objectClass: ipHost
>>> cn: xxx:xx:x:x:x:xxff:fe57:cd00
>>> ipHostNumber: xxx:xx:x:x:x:xxff:fe57:cd00
>>> radiusClientShortname: location1
>>> radiusClientIdentifier: my-nas-name
>>> radiusClientSecret: mysecret
>>> Not a fan of the repeated IP but just testing for now.
>>
>> You can use OpenLDAP's slapo-constraint with set-based constraints to ensure consistency across attributes to avoid errors when maintaining the entries.
>>
>> This example ensures that cn and ipHostNumber contain the same values (not tested and probably sub-optimal line-wrapping):
>>
>> overlay constraint
>>
>> constraint_attribute cn,ipHostNumber
>>   set "this/cn & this/ipHostNumber" restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
>>
>> Probably you want to constrain these attrs to single value even though they are declared as multi-valued in the schema:
>>
>> constraint_attribute cn count 1 restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
>>
>> constraint_attribute ipHostNumber count 1 restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
>>
>> See also slapo-constraint(5):
>>
>> https://www.openldap.org/software/man.cgi?query=slapo-constraint
>>
>> These OpenLDAP details are probably considered off-topic here. You're welcome to ask for more on openldap-technical mailing list.
>>
>> Ciao, Michael.
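
Added example, not part of the original thread and not code from the OpenLDAP or FreeRADIUS projects: an offline lint that applies the same two rules as the quoted constraints (exactly one value each for cn and ipHostNumber, and at least one value shared between them) to LDIF before it is loaded. The sample entries, the dc=example,dc=net suffix, the 2001:db8:: addresses and the case-insensitive comparison are assumptions; base64 ("attr::") values are not decoded.

```python
import re

# Constructed sample LDIF; attributes not relevant to the check are omitted.
SAMPLE_LDIF = """\
dn: cn=2001:db8::1,ou=clients,ou=radius,dc=example,dc=net
objectClass: radiusClient
cn: 2001:db8::1
ipHostNumber: 2001:DB8::1

dn: cn=2001:db8::2,ou=clients,ou=radius,dc=example,dc=net
objectClass: radiusClient
cn: 2001:db8::2
ipHostNumber: 2001:db8::20

dn: cn=2001:db8::3,ou=clients,ou=radius,dc=example,dc=net
objectClass: radiusClient
cn: 2001:db8::3
cn: nas3
ipHostNumber: 2001:db8::3
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) for each blank-line separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        block = re.sub(r"\n ", "", block)  # unfold LDIF continuation lines
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        yield attrs.get("dn", ["?"])[0], attrs

def lint(text):
    """Return (dn, message) findings for radiusClient entries only."""
    findings = []
    for dn, attrs in parse_ldif(text):
        if "radiusclient" not in [v.lower() for v in attrs.get("objectclass", [])]:
            continue
        cn = {v.lower() for v in attrs.get("cn", [])}
        ip = {v.lower() for v in attrs.get("iphostnumber", [])}
        for name, values in (("cn", cn), ("ipHostNumber", ip)):
            if len(values) != 1:
                findings.append((dn, f"{name} must have exactly one value"))
        if not cn & ip:  # same idea as the set expression: intersection non-empty
            findings.append((dn, "cn and ipHostNumber share no value"))
    return findings
```

Calling lint(SAMPLE_LDIF) reports the second entry for the mismatch and the third for the extra cn value; the first passes because the comparison ignores case.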

