Understanding dynamic radiusClients in openldap

Dave Macias davama at gmail.com
Tue Feb 22 19:29:28 UTC 2022


Arran,

I tried your map as so:

if ("%{ldap:ldap:///ou=radius,dc=datacom,dc=net?cn?sub?(&(objectClass=radiusClient)(cn=%{Packet-Src-IPv6-Address}))}")
{
        map ldap
        "%{ldap:///ou=radius,dc=datacom,dc=net?cn?sub?(&(objectClass=radiusClient)(cn=%{Packet-Src-IPv6-Address}))}"
        {
                &control:FreeRADIUS-Client-IPv6-Address = cn
                &control:FreeRADIUS-Client-Shortname = radiusClientShortname
                &control:FreeRADIUS-Client-Secret = radiusClientSecret
        }
}

but radiusd -X errors out:

including configuration file /etc/raddb/sites-enabled/dynamic-clients
/etc/raddb/sites-enabled/dynamic-clients[107]: Expecting section start brace '{' after "map ldap"
Errors reading or parsing /etc/raddb/radiusd.conf

Using:

[root at openldap1-lab ~]# rpm -qa | grep -i freer
freeradius-rest-3.0.20-11.module+el8.5.0+730+ecaca518.x86_64
freeradius-3.0.20-11.module+el8.5.0+730+ecaca518.x86_64
freeradius-utils-3.0.20-11.module+el8.5.0+730+ecaca518.x86_64
freeradius-doc-3.0.20-11.module+el8.5.0+730+ecaca518.x86_64
freeradius-ldap-3.0.20-11.module+el8.5.0+730+ecaca518.x86_64
python3-freeradius-3.0.20-11.module+el8.5.0+730+ecaca518.x86_64

I put the previous block which I had posted and radiusd -X runs fine.

Am I doing something wrong?

Thank you!

On Tue, Feb 22, 2022 at 2:17 PM Dave Macias <davama at gmail.com> wrote:

>> If it's there it'll be something like:
>>
>> map ldap "%{ldap:///ou=radius,dc=datacom,dc=net?cn?sub?(&(objectClass=radiusClient)(cn=%{Packet-Src-IPv6-Address}))}" {
>>         &control:FreeRADIUS-Client-IPv6-Address = cn
>>         &control:FreeRADIUS-Client-Shortname = radiusClientShortname
>>         &control:FreeRADIUS-Client-Secret = radiusClientSecret
>> }
>>
>> That picks out the fields from a single search result.
>>
>
> that is soo cool!
> let me give that a shot! thank you!!
>
> @Michael Ströder <michael at stroeder.com>
>
> Without map, these are the logs:
> Feb 22 14:12:52 openldap1-lab slapd[36643]: conn=1423 op=1 SRCH base="ou=radius,dc=datacom,dc=net" scope=2 deref=0 filter="(&(objectClass=radiusClient)(cn=<redactedipv6>))"
> Feb 22 14:12:52 openldap1-lab slapd[36643]: conn=1423 op=1 SRCH attr=cn
> Feb 22 14:12:52 openldap1-lab slapd[36643]: conn=1423 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000049 etime=0.000346 nentries=1 text=
> Feb 22 14:12:52 openldap1-lab slapd[36643]: conn=1424 op=1 SRCH base="cn=<redactedipv6>,ou=clients,ou=radius,dc=datacom,dc=net" scope=0 deref=0 filter="(objectClass=*)"
> Feb 22 14:12:52 openldap1-lab slapd[36643]: conn=1424 op=1 SRCH attr=radiusClientShortname
> Feb 22 14:12:52 openldap1-lab slapd[36643]: conn=1424 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000017 etime=0.000297 nentries=1 text=
> Feb 22 14:12:52 openldap1-lab slapd[36643]: conn=1425 op=1 SRCH base="cn=<redactedipv6>,ou=clients,ou=radius,dc=datacom,dc=net" scope=0 deref=0 filter="(objectClass=*)"
> Feb 22 14:12:52 openldap1-lab slapd[36643]: conn=1425 op=1 SRCH attr=radiusClientSecret
> Feb 22 14:12:52 openldap1-lab slapd[36643]: conn=1425 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000019 etime=0.000287 nentries=1 text=
> Feb 22 14:12:52 openldap1-lab slapd[36643]: conn=1426 op=1 SRCH base="dc=datacom,dc=net" scope=2 deref=0 filter="(uid=myusername)"
> Feb 22 14:12:52 openldap1-lab slapd[36643]: conn=1426 op=1 SRCH attr=userPassword radiusControlAttribute radiusRequestAttribute radiusReplyAttribute
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1426 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000018 etime=0.346607 nentries=1 text=
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1428 fd=20 ACCEPT from IP=[::1]:38854 (IP=[::]:389)
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1428 op=0 BIND dn="cn=authuser,dc=datacom,dc=net" method=128
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1428 op=0 BIND dn="cn=authuser,dc=datacom,dc=net" mech=SIMPLE bind_ssf=0 ssf=0
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1428 op=0 RESULT tag=97 err=0 qtime=0.000017 etime=0.011889 text=
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1422 op=2 SRCH base="ou=radius,dc=datacom,dc=net" scope=2 deref=0 filter="(&(objectClass=radiusClient)(cn=<redactedipv6>))"
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1422 op=2 SRCH attr=cn
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1422 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000013 etime=0.000800 nentries=1 text=
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1427 op=1 SRCH base="cn=<redactedipv6>,ou=clients,ou=radius,dc=datacom,dc=net" scope=0 deref=0 filter="(objectClass=*)"
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1427 op=1 SRCH attr=radiusClientShortname
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1427 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000025 etime=0.000312 nentries=1 text=
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1423 op=2 SRCH base="cn=<redactedipv6>,ou=clients,ou=radius,dc=datacom,dc=net" scope=0 deref=0 filter="(objectClass=*)"
> Feb 22 14:12:53 openldap1-lab slapd[36643]: conn=1423 op=2 SRCH attr=radiusClientSecret
>
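Editor's added example, not taken from any post in this thread: the same dynamic-clients map with the `map ldap ... {` header on a single line, which is the shape the FreeRADIUS 3.0 unlang documentation gives for `map <module> <query> {`. It assumes three things the thread does not confirm: that 3.0.20's config parser wants the module name, the query string and the opening brace on one line; that rlm_ldap's map takes a plain `ldap:///` URL rather than a `%{ldap:...}` expansion; and that rlm_ldap requests from the directory the attributes named on the right-hand sides of the map, so the attribute list inside the URL does not need to name them. Whether the line splitting in the posted block is what the parser rejected is not settled by the posts above.

```unlang
# Added example (not from the thread). Assumptions, none confirmed by the
# posts above: "map <module> <query> {" sits on one line in 3.0.20; rlm_ldap's
# map takes a plain LDAP URL; the attributes fetched are those on the
# right-hand sides below, so the URL's "?cn?" list is left as the thread had it.
if ("%{ldap:ldap:///ou=radius,dc=datacom,dc=net?cn?sub?(&(objectClass=radiusClient)(cn=%{Packet-Src-IPv6-Address}))}") {
        map ldap "ldap:///ou=radius,dc=datacom,dc=net?cn?sub?(&(objectClass=radiusClient)(cn=%{Packet-Src-IPv6-Address}))" {
                &control:FreeRADIUS-Client-IPv6-Address = cn
                &control:FreeRADIUS-Client-Shortname    = radiusClientShortname
                &control:FreeRADIUS-Client-Secret       = radiusClientSecret
        }
}
```

Two practical points. The surrounding `if` runs its own search before the map does, so a new client still costs two LDAP operations; that is fewer than the three per-attribute searches (cn, radiusClientShortname, radiusClientSecret) visible in the quoted slapd log, but the check is only worth keeping if the map's behaviour on zero entries does not already give you what you want. And because radiusClientSecret carries the RADIUS shared secret, the slapd ACL should allow read access to that attribute only for the identity FreeRADIUS binds with, not for ordinary directory users.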
