[RADIATOR] ClientListLDAP and mixed configuration.

Heikki Vatiainen hvn at open.com.au
Wed Oct 4 12:00:02 UTC 2017


On 3.10.2017 9.57, Johan Wassberg wrote:

>  From the documentation about ClientListLDAP [0]:
> 
> ```
> [...]
> You can have some client details in your Radiator configuration file and
> some in <ClientListLDAP> although this can be confusing to future
> administrators.
> [...]
> ```

Hmm, probably should be 'clients' instead of 'client details'.

I'd say the confusion may arise from loading clients from SQL, LDAP 
and/or the configuration file and then trying to figure out where they 
come from and, for example, if the same clients exist in multiple 
sources, what the client settings are then. See below for more. In 
short: no merging happens. Identically named clients replace the 
existing clients.

> We are trying to clean up our configuration by moving the secrets to
> LDAP and it works for most clients just fine. But the some parts of the
> configurations requires "Identifiers" on specific clients, e.g:
> 
> ```
> <Client r1.example.com>
>      Identifier se-root
> </Client>
> ```

You can pull Identifier from LDAP too. See ClientAttrDef, for example:
    ClientAttrDef oscRadiusIdentifier,Identifier

Maybe this solves the problem?

> So I did as the documentation stated, mixed the configuration by adding
> the secret to LDAP and the lines above in the configuration file. And I
> think it works but I'm a bit scared by the error messages that now can
> be found in the log:
> 
> ```
> Tue Oct  3 08:12:35 2017: ERR: No Secret or TACACSPLUSKey defined
> for Client r1.example.com in '/local/radiator/conf/radius.cfg'
> ```
> 
> The following questions come to mind:
> 
> 1. Is the error message a real error?

It comes from the example clause above where, after the clause has been 
fully read, client activation notices that there's no secret. So it's a 
real error since the client configuration did not have a secret.

> 2. If I have a secret configured in both LDAP and the config file,
>     which secret will be used?
> 
> [0] https://www.open.com.au/radiator/ref/ClientListLDAP.html

The client from the last source configured in the configuration file is 
the one that is used. Information about previously loaded clients is not 
merged; any existing client will be completely replaced.

If you have, for example,

<Client r1.example.com>
     Identifier se-root
</Client>

<ClientListLDAP>
   ...
</ClientListLDAP>

You will get a warning when the statically configured client is loaded. 
The warning is about the missing secret.

If r1.example.com is also loaded from LDAP, it will replace 
r1.example.com that was just loaded from the configuration file. Note: 
if name resolution yields different results for r1.example.com for the 
statically configured and the LDAP loaded client, then you can have 
entries from both sources.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
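The following is an added model of the loading behaviour Heikki describes above (sources processed in configuration-file order, no merging, later client replaces earlier one with the same resolved key, missing Secret reported as an error). It is illustration code written for this thread, not Radiator's own implementation; the sample configuration, the LDAP entries, the stub resolver, and the LDAP attribute names oscRadiusClientName and oscRadiusSecret (only oscRadiusIdentifier appears in the thread) are assumptions. It is useful as an audit of a mixed configuration: it lists which static clients lack a secret and which entries are silently overridden by the LDAP list.

```python
"""Model of Radiator-style client loading precedence (added illustration,
not Radiator's code).

Assumptions: client sources are processed in the order their clauses appear
in the configuration file; a client whose name resolves to an already-loaded
key completely replaces the earlier one (no attribute merging); a client with
neither Secret nor TACACSPLUSKey yields an ERR event. Name resolution is a
stub that takes the source into account so that the "different resolution
per source keeps both entries" case can be shown.
"""
import re

# Constructed sample configuration: a static <Client> with only an
# Identifier, a fully static client, then the LDAP client list.
SAMPLE_CONFIG = """
<Client r1.example.com>
    Identifier se-root
</Client>

<Client r2.example.com>
    Secret static-secret-2
</Client>

<ClientListLDAP>
    ClientAttrDef oscRadiusIdentifier,Identifier
</ClientListLDAP>
"""

# Constructed stand-in for what the LDAP search returns. The attribute names
# oscRadiusClientName / oscRadiusSecret are assumed schema names.
SAMPLE_LDAP_ENTRIES = [
    {"oscRadiusClientName": "r1.example.com",
     "oscRadiusSecret": "ldap-secret-1",
     "oscRadiusIdentifier": "se-root"},
    {"oscRadiusClientName": "r3.example.com",
     "oscRadiusSecret": "ldap-secret-3"},
]

# Constructed stub DNS table; a real server would resolve names at load time.
SAMPLE_DNS = {"r1.example.com": "192.0.2.1",
              "r2.example.com": "192.0.2.2",
              "r3.example.com": "192.0.2.3"}


def sample_resolve(name, source):
    """Stub resolver giving the same answer for every source."""
    return SAMPLE_DNS.get(name, name)


# Matches <Client name>...</Client> and <ClientListLDAP>...</ClientListLDAP>
# in file order; the backreference makes the closing tag match the opening.
CLAUSE_RE = re.compile(
    r"<(Client(?:ListLDAP)?)(?:\s+([^\s>]+))?>(.*?)</\1>", re.S)


def parse_params(body):
    """Turn 'Key value' lines of a clause body into a dict."""
    params = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            params[key] = value.strip()
    return params


def ldap_clients(entries, attr_defs):
    """Map raw LDAP entries to client dicts via ClientAttrDef-style pairs."""
    mapping = {"oscRadiusClientName": "Name", "oscRadiusSecret": "Secret"}
    mapping.update(attr_defs)
    return [{mapping[a]: v for a, v in e.items() if a in mapping}
            for e in entries]


def load_clients(config_text, entries, resolve):
    """Return (effective clients keyed by resolved address, event log)."""
    effective, events = {}, []
    for m in CLAUSE_RE.finditer(config_text):
        clause, name, body = m.group(1), m.group(2), m.group(3)
        if clause == "Client":
            batch, source = [dict(parse_params(body), Name=name)], "config"
        else:
            # Each 'ClientAttrDef ldapAttr,ClientAttr' line adds one mapping.
            attr_defs = dict(line.split()[1].split(",", 1)
                             for line in body.splitlines()
                             if line.split()[:1] == ["ClientAttrDef"])
            batch, source = ldap_clients(entries, attr_defs), "ldap"
        for client in batch:
            if "Secret" not in client and "TACACSPLUSKey" not in client:
                events.append(("ERR", "No Secret or TACACSPLUSKey defined for "
                               f"Client {client['Name']} ({source})"))
            key = resolve(client["Name"], source)
            if key in effective:  # later source wins, nothing is merged
                events.append(("INFO", f"Client {client['Name']} from {source} "
                               f"replaces the {effective[key]['_source']} entry"))
            effective[key] = dict(client, _source=source)
    return effective, events


if __name__ == "__main__":
    clients, log = load_clients(SAMPLE_CONFIG, SAMPLE_LDAP_ENTRIES, sample_resolve)
    for level, msg in log:
        print(f"{level}: {msg}")
    for key, c in clients.items():
        print(key, c["Name"], c["_source"], "Identifier=" + c.get("Identifier", "-"))
```

Run as-is it reports the ERR for the static r1.example.com clause and then notes that the LDAP entry replaced it, which is exactly the sequence described in the reply; passing a resolver that returns a different key per source shows the case from the note, where both the static and the LDAP entry remain.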
