Understanding dynamic radiusClients in openldap

Dave Macias davama at gmail.com
Tue Feb 22 18:23:52 UTC 2022


Just to update:

Arran,

I was able to use just radiusClientIdentifier, but with this LDAP object we
lose the hostname, since radiusClientShortname is set to the location.

dn: radiusClientIdentifier=2xx:xx:xx,ou=clients,ou=radius,dc=datacom,dc=net
objectClass: radiusClient
radiusClientComment: USA-location
radiusClientShortname: hostnameofclient
radiusClientSecret: blabla
radiusClientIdentifier: 2xx:xx:xx

Yes, I tried radiusClientComment, but there is no FreeRADIUS-Client-Comment
that I can use to pass to the Python module.

# Does a radiusClient entry exist whose cn equals the packet's source IPv6 address?
if ("%{ldap:ldap:///ou=radius,dc=datacom,dc=net?cn?sub?(&(objectClass=radiusClient)(cn=%{Packet-Src-IPv6-Address}))}") {
    update control {
        # Address the dynamic client definition is being created for
        &FreeRADIUS-Client-IPv6-Address = "%{Packet-Src-IPv6-Address}"
        # Read the entry by DN (base scope) to fetch the remaining client attributes
        &FreeRADIUS-Client-Shortname = "%{ldap:ldap:///cn=%{Packet-Src-IPv6-Address},ou=clients,ou=radius,dc=datacom,dc=net?radiusClientShortname?}"
        &FreeRADIUS-Client-Secret = "%{ldap:ldap:///cn=%{Packet-Src-IPv6-Address},ou=clients,ou=radius,dc=datacom,dc=net?radiusClientSecret?}"
    }
}

So having it with cn is more useful to us, since we can get the data and
pass it to the Python module.

Hope this made sense.

Thank you for the awesome support!




On Wed, Feb 9, 2022 at 6:01 AM Michael Ströder via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> On 2/9/22 00:23, Arran Cudbard-Bell wrote:
> > Is there a reason you need a CN other than convention?
> radiusClientIdentifier looks like an appropriate attribute to use in the DN.
>
> Object class 'ipHost' requires 'cn'. So the best solution would be a
> custom object class.
>
> But I did explain that because I did not want to flood this mailing list
> with LDAP schema discussion too much.
>
> Ciao, Michael.
>
> >> On Feb 4, 2022, at 1:13 PM, Michael Ströder via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> >>
> >> On 2/4/22 18:13, Dave Macias wrote:
> >>> Update:
> >>> added ldif client as so:
> >>> dn: cn=xxx:xx:x:x:x:xxff:fe57:cd00,ou=clients,ou=radius,dc=datacom,dc=net
> >>> objectClass: top
> >>> objectClass: radiusClient
> >>> objectClass: ipHost
> >>> cn: xxx:xx:x:x:x:xxff:fe57:cd00
> >>> ipHostNumber: xxx:xx:x:x:x:xxff:fe57:cd00
> >>> radiusClientShortname: location1
> >>> radiusClientIdentifier: my-nas-name
> >>> radiusClientSecret: mysecret
> >>> Not a fan of the repeated IP but just testing for now.
> >>
> >> You can use OpenLDAP's slapo-constraint with set-based constraints to
> ensure consistency across attributes to avoid errors when maintaining the
> entries.
> >>
> >> This example ensures that cn and ipHostNumber contain the same values
> (not tested and probably sub-optimal line-wrapping):
> >>
> >> overlay constraint
> >>
> >> constraint_attribute cn,ipHostNumber set "this/cn & this/ipHostNumber" restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
> >>
> >> Probably you want to constrain these attrs to single value even though
> they are declared as multi-valued in the schema:
> >>
> >> constraint_attribute cn count 1 restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
> >>
> >> constraint_attribute ipHostNumber count 1 restrict="ldap:///dc=datacom,dc=net??sub?(objectClass=radiusClient)"
> >>
> >> See also slapo-constraint(5):
> >>
> >> https://www.openldap.org/software/man.cgi?query=slapo-constraint
> >>
> >> These OpenLDAP details are probably considered off-topic here. You're
> welcome to ask for more on openldap-technical mailing list.
> >>
> >> Ciao, Michael.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
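The lookup the thread's unlang snippet performs (match the packet's source IPv6 address against a radiusClient entry's cn, then read radiusClientShortname and radiusClientSecret from it) can be worked through offline. The block below is an added example written for this page; it is not FreeRADIUS, OpenLDAP or any poster's code. It runs against a constructed in-memory LDIF snippet modelled on the entries in the thread, with made-up addresses, names and secrets, and it shows two things the unlang filter leaves implicit: the cn stored in the directory has to be textually comparable to the form FreeRADIUS renders Packet-Src-IPv6-Address in (RFC 5952 compressed, lowercase), and a value interpolated into an LDAP filter should be escaped per RFC 4515 so a malformed value cannot change the filter's meaning. The single-value check mirrors the `count 1` slapo-constraint suggested above.

```python
"""Resolve a RADIUS client's source IPv6 address to shortname/secret from LDIF.

Added example, not project code. Directory content is a constructed
in-memory LDIF string; no live LDAP server is contacted.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample entries, modelled on the LDIF posted in the thread.
# The second entry deliberately uses uppercase hex and leading zeros to show
# why canonicalising the address before comparison matters.
SAMPLE_LDIF = """\
dn: cn=2001:db8::1,ou=clients,ou=radius,dc=datacom,dc=net
objectClass: top
objectClass: radiusClient
objectClass: ipHost
cn: 2001:db8::1
ipHostNumber: 2001:db8::1
radiusClientShortname: location1
radiusClientIdentifier: nas-a
radiusClientSecret: secret-a

dn: cn=2001:0DB8:0000:0000:0000:0000:0000:00FF,ou=clients,ou=radius,dc=datacom,dc=net
objectClass: top
objectClass: radiusClient
objectClass: ipHost
cn: 2001:0DB8:0000:0000:0000:0000:0000:00FF
ipHostNumber: 2001:0DB8:0000:0000:0000:0000:0000:00FF
radiusClientShortname: location2
radiusClientIdentifier: nas-b
radiusClientSecret: secret-b
"""


@dataclass
class RadiusClient:
    shortname: str
    secret: str
    identifier: str


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines.

    Multi-valued attributes are kept as lists. Base64 (::) values and
    continuation lines are not handled; the sample above needs neither.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def canonical_ipv6(text: str) -> Optional[str]:
    """RFC 5952 compressed form, or None if text is not an IPv6 address."""
    try:
        return ipaddress.IPv6Address(text).compressed
    except ValueError:
        return None


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def build_filter(src_addr: str) -> str:
    """The filter from the unlang snippet, with the interpolated value escaped."""
    return "(&(objectClass=radiusClient)(cn=%s))" % escape_filter_value(src_addr)


def lookup_client(entries: List[Dict[str, List[str]]], src_addr: str) -> Optional[RadiusClient]:
    """Emulate the dynamic-client lookup: radiusClient whose cn is this source address."""
    wanted = canonical_ipv6(src_addr)
    if wanted is None:
        return None
    for e in entries:
        if "radiusClient" not in e.get("objectClass", []):
            continue
        # Same intent as 'constraint_attribute cn count 1': refuse ambiguous entries.
        if len(e.get("cn", [])) != 1 or len(e.get("radiusClientSecret", [])) != 1:
            continue
        if canonical_ipv6(e["cn"][0]) == wanted:
            return RadiusClient(
                shortname=e["radiusClientShortname"][0],
                secret=e["radiusClientSecret"][0],
                identifier=e.get("radiusClientIdentifier", [""])[0],
            )
    return None


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for addr in ("2001:db8::1", "2001:db8::ff", "2001:db8::2"):
        print(addr, build_filter(addr), lookup_client(directory, addr))
```

Note the difference from the live filter: an LDAP equality match on cn is case-insensitive but does not normalise IPv6 text, so `cn=2001:db8::ff` would not find the second entry in a real directory. Entries therefore need to be written in the compressed form FreeRADIUS renders, which is exactly the kind of consistency the slapo-constraint rules quoted above are meant to enforce.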


More information about the Freeradius-Users mailing list