[RADIATOR] ClientListLDAP and mixed configuration.

Johan Wassberg jocar at su.se
Thu Oct 5 08:31:50 UTC 2017



> On 4 Oct 2017, at 14:00, Heikki Vatiainen <hvn at open.com.au> wrote:
> 
> On 3.10.2017 9.57, Johan Wassberg wrote:
> 
>> From the documentation about ClientListLDAP [0]:
>> ```
>> [...]
>> You can have some client details in your Radiator configuration file and
>> some in <ClientListLDAP> although this can be confusing to future
>> administrators.
>> [...]
>> ```
> 
> Hmm, probably should be 'clients' instead of 'client details'.
> 
> I'd say the confusion may arise from loading clients from SQL, LDAP and/or configuration file and then trying to figure out where they come from and, for example, if the same clients exist in multiple sources, what the client settings are then. See below for more. In short: no merging happens. Identically named clients replace the existing clients.
> 
>> We are trying to clean up our configuration by moving the secrets to
>> LDAP and it works for most clients just fine. But some parts of the
>> configuration require "Identifiers" on specific clients, e.g:
>> ```
>> <Client r1.example.com>
>>     Identifier se-root
>> </Client>
>> ```
> 
> You can pull Identifier from LDAP too. See ClientAttrDef and
>   ClientAttrDef oscRadiusIdentifier,Identifier
> 
> Maybe this solves the problem?

Probably yes. Just need to modify our LDAP schema first…

> 
>> So I did as the documentation stated, mixed the configuration by adding
>> the secret to LDAP and the lines above in the configuration file. And I
>> think it works but I'm a bit scared by the error messages that can now
>> be found in the log:
>> ```
>> Tue Oct  3 08:12:35 2017: ERR: No Secret or TACACSPLUSKey defined
>> for Client r1.example.com in '/local/radiator/conf/radius.cfg'
>> ```
>> The following questions come to mind:
>> 1. Is the error message a real error?
> 
> It comes from the example clause above where, after the clause has been fully read, client activation notices that there's no secret. So it's a real error since the client configuration did not have a secret.
> 
>> 2. If I have a secret configured in both LDAP and the config file,
>>    which secret will be used?
>> [0] https://www.open.com.au/radiator/ref/ClientListLDAP.html
> 
> The client from the last source configured in the configuration file is the one that is used. Information about previously loaded clients is not merged but any existing client will be completely replaced.
> 
> If you have, for example,
> 
> <Client r1.example.com>
>    Identifier se-root
> </Client>
> 
> <ClientListLDAP>
>  ...
> </ClientListLDAP>
> 
> You will get a warning when the statically configured client is loaded. The warning is about the missing secret.
> 
> If r1.example.com is also loaded from LDAP, it will replace r1.example.com that was just loaded from the configuration file. Note: if name resolution yields different results for r1.example.com for the statically configured and the LDAP loaded client, then you can have entries from both sources.
> 

Cool.
Thanks for the clarification!

--
jocar
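A small Python model of the replacement semantics Heikki describes above, added here as an illustration and not Radiator's own code: sources are processed in config-file order, a client with an already-known resolved name replaces the earlier entry whole, and a client left without a secret is reported at activation. The client dicts, source labels, resolver functions and the secret value are constructed; the model also covers the name-resolution caveat at the end of his reply.

```python
# Added example (not Radiator's code): model of client loading from several
# sources. Later sources replace earlier entries with the same resolved key;
# entries are never merged; a client without Secret/TACACSPLUSKey is logged.

def load_clients(sources, resolve):
    """sources: ordered [(source_label, [client dicts])] as listed in radius.cfg.
    resolve: callable(name, source_label) -> key, standing in for name
    resolution (a real server keys the client table on the resolved address)."""
    table = {}   # resolved key -> client entry
    log = []     # constructed log lines shaped like the one quoted in the thread
    for source, clients in sources:
        for client in clients:
            key = resolve(client["name"], source)
            entry = dict(client, source=source)          # a copy, never merged
            if key in table:
                log.append(f"INFO: Client {client['name']} from {source} "
                           f"replaces the one loaded from {table[key]['source']}")
            if not (entry.get("Secret") or entry.get("TACACSPLUSKey")):
                log.append(f"ERR: No Secret or TACACSPLUSKey defined for "
                           f"Client {client['name']} in '{source}'")
            table[key] = entry
    return table, log

# Constructed inputs mirroring the thread: the static clause carries only the
# Identifier, the LDAP entry carries only the shared secret.
STATIC = [{"name": "r1.example.com", "Identifier": "se-root"}]
LDAP = [{"name": "r1.example.com", "Secret": "constructed-secret"}]
SOURCES = [("/local/radiator/conf/radius.cfg", STATIC), ("ClientListLDAP", LDAP)]

def same_resolution(name, source):
    return "192.0.2.10"            # both loads resolve r1.example.com alike

def split_resolution(name, source):
    # Models the caveat: name resolution answered differently for the two loads.
    return "192.0.2.10" if source == "ClientListLDAP" else "192.0.2.11"

def demo():
    replaced_table, log = load_clients(SOURCES, same_resolution)
    split_table, _ = load_clients(SOURCES, split_resolution)
    return replaced_table, split_table, log

if __name__ == "__main__":
    replaced, split, log = demo()
    print("\n".join(log))
    print(replaced)   # one client, from LDAP; the static Identifier is gone
    print(split)      # two clients, the static one still without a secret
```

The first table shows why the Identifier has to come from LDAP as well (via ClientAttrDef) once the LDAP entry replaces the static clause; the second shows the duplicate-entry situation the name-resolution caveat warns about.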

