[RADIATOR] ClientListLDAP and mixed configuration.
hvn at open.com.au
Wed Oct 4 12:00:02 UTC 2017
On 3.10.2017 9.57, Johan Wassberg wrote:
> From the documentation about ClientListLDAP :
> You can have some client details in your Radiator configuration file and
> some in <ClientListLDAP> although this can be confusing to future
Hmm, probably should be 'clients' instead of 'client details'.
I'd say the confusion may arise from loading clients from SQL, LDAP
and/or the configuration file and then trying to figure out where they
come from and, for example, if the same clients come from multiple
sources, what the client settings are then. See below for more. In
short: no merging happens. Identically named clients replace the
> We are trying to clean up our configuration by moving the secrets to
> LDAP and it works for most clients just fine. But some parts of the
> configuration require "Identifiers" on specific clients, e.g:
> <Client r1.example.com>
> Identifier se-root
You can pull Identifier from LDAP too. See ClientAttrDef and
Maybe this solves the problem?
> So I did as the documentation stated, mixed the configuration by adding
> the secret to LDAP and the lines above in the configuration file. And I
> think it works but I'm a bit scared by the error messages that can now
> be found in the log:
> Tue Oct 3 08:12:35 2017: ERR: No Secret or TACACSPLUSKey defined
> for Client r1.example.com in '/local/radiator/conf/radius.cfg'
> The following questions come to mind:
> 1. Is the error message a real error?
It comes from the example clause above where, after the clause has been
fully read, client activation notices that there's no secret. So it's a
real error since the client configuration did not have a secret.
> 2. If I have a secret configured in both LDAP and the config file,
> which secret will be used?
>  https://www.open.com.au/radiator/ref/ClientListLDAP.html
The client from the last source configured in the configuration file is
the one that is used. Information about previously loaded clients is not
merged; any existing client will be completely replaced.
If you have, for example,
You will get a warning when the statically configured client is loaded.
The warning is about the missing secret.
If r1.example.com is also loaded from LDAP, it will replace
r1.example.com that was just loaded from the configuration file. Note:
if name resolution yields a different result for r1.example.com for the
statically configured and the LDAP loaded client, then you can have
entries from both sources.
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
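Editor's note, added after the message above and not part of Heikki's reply or of the Radiator documentation: the two configuration fragments below illustrate the load order and replacement behaviour discussed in the thread. The first reproduces the mixed setup from the question (static clause with Identifier but no Secret, followed by ClientListLDAP); the second moves Identifier into LDAP as well so the static clause can be dropped. The Host, AuthDN, AuthPassword and BaseDN values are placeholders, and the LDAP attribute names on the left of each ClientAttrDef (radiusClientName, radiusClientSecret, radiusClientIdentifier) are assumptions for whatever schema you use; the right-hand side names the Client parameter they map to.

```text
# Added example, not from the original post. Radiator reads the file top to
# bottom; a client loaded later under the same name completely replaces an
# earlier one. Nothing is merged.

# ---- Fragment 1: the mixed setup from the question -----------------------
# Activating this clause logs
#   ERR: No Secret or TACACSPLUSKey defined for Client r1.example.com ...
# because the clause itself carries no Secret.
<Client r1.example.com>
    Identifier se-root
</Client>

# If LDAP also returns r1.example.com, that entry replaces the clause above
# in full, so the static Identifier is lost unless LDAP supplies one too.
# Caveat from the thread: if the static name and the LDAP name resolve to
# different addresses, both clients stay active.
<ClientListLDAP>
    Host            ldap.example.com          # placeholder
    AuthDN          cn=radiator,ou=services,dc=example,dc=com
    AuthPassword    change-me                 # placeholder
    BaseDN          ou=radiusclients,dc=example,dc=com
    # ldap-attribute,Client-parameter (attribute names are assumptions)
    ClientAttrDef   radiusClientName,Name
    ClientAttrDef   radiusClientSecret,Secret
</ClientListLDAP>

# ---- Fragment 2: single source, Identifier pulled from LDAP --------------
# Map an LDAP attribute to the Identifier parameter and drop the static
# <Client> clause. r1.example.com then comes from one place only and no
# load-time error is logged.
<ClientListLDAP>
    Host            ldap.example.com
    AuthDN          cn=radiator,ou=services,dc=example,dc=com
    AuthPassword    change-me
    BaseDN          ou=radiusclients,dc=example,dc=com
    ClientAttrDef   radiusClientName,Name
    ClientAttrDef   radiusClientSecret,Secret
    ClientAttrDef   radiusClientIdentifier,Identifier   # attribute name assumed
</ClientListLDAP>
```

Use one fragment or the other, not both in the same file. After switching to the second form, restart Radiator and confirm that the "No Secret or TACACSPLUSKey defined" line for r1.example.com no longer appears in the log, and that requests from that NAS are still matched by the Identifier-based parts of the configuration.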