On 31/8/2013 12:03 AM, Arran Cudbard-Bell wrote:

> 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)?
>
> Yes.

I am having a hard time trying to adapt the example at http://wiki.freeradius.org/guide/dhcp-for-static-ip-allocation to work from LDAP.

We are starting from a point where we have an (LDAP) DIT branch ou=hosts,dc=example,dc=com, where hosts are stored (also used for MAC-Auth), using entries of the form:

dn: cn=host1.tech,ou=hosts,dc=example,dc=com
cn: host1.tech
objectClass: device
objectClass: ieee802Device
objectClass: top
objectClass: radiusprofile
objectClass: simpleSecurityObject
description: Main Workstation at Tech Dpt
ou: tech
l: Sierra Nevada
userPassword: test123
owner: cn=TechAdmins,ou=Groups,dc=example,dc=com
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
radiusNASIpAddress: 10.10.10.125
radiusTunnelPrivateGroupId: 1
macAddress: 00:24:8b:3a:d1:db
radiusTerminationAction: 33
radiusHint: 50004
radiusFramedIPAddress: 10.10.10.63
radiusArapSecurity: 10.10.10.1
radiusArapZoneAccess: 255.255.255.128

We are attempting to assign to the host (using DHCP) whose MAC address is stored in the macAddress attribute:

- the IP Address defined at radiusFramedIPAddress
- the gateway defined at radiusArapSecurity
- the mask defined at radiusArapZoneAccess

Can we use LDAP calls (as when doing auth), in modules/ldap, like:

ldap ldap_dhcp {
        server = "localhost"
        identity = "uid=auth,ou=AdminAccounts,dc=example,dc=com"
        password = "mysecret"
        basedn = "ou=hosts,dc=example,dc=com"
        filter = "(macAddress=%{DHCP-Client-Hardware-Address})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 2
        timeout = 4
        timelimit = 3
        net_timeout = 1
}


...having added in ldap.attr the following (using currently unused FreeRADIUS schema attributes):

replyItem       DHCP-Subnet-Mask              radiusArapZoneAccess
replyItem       DHCP-Router-Address           radiusArapSecurity
replyItem       DHCP-Your-IP-Address          radiusFramedIPAddress


and then modify the example as follows:

    server dhcp {
        listen {
            type = dhcp
            ipaddr = 127.0.0.1
            port = 67
            interface = eth0
            broadcast = no
        }

        dhcp DHCP-Discover {
            ldap_dhcp
            update reply {
                DHCP-Message-Type = DHCP-Offer
            }
            update reply {
                # ':=' replaces any existing instance, so the second
                # server has to be added with '+=' to keep both.
                DHCP-Domain-Name-Server := 10.10.10.90
                DHCP-Domain-Name-Server += 10.10.10.91
            }
            ok
        }

        dhcp DHCP-Request {
            update reply {
                DHCP-Message-Type = DHCP-Ack
            }
            ldap_dhcp
            update reply {
                DHCP-Domain-Name-Server := 10.10.10.90
                DHCP-Domain-Name-Server += 10.10.10.91
            }
            ok
        }

        dhcp {
            reject
        }
    }

...??

Is it correct as above? Do I have to call ldap_dhcp separately in each section (i.e. twice)?

Please clarify!

Regards,
Nick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
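Added example, not from the thread or from FreeRADIUS itself: a small Python simulation of what the configuration in the post is asking rlm_ldap and the DHCP virtual server to do. It parses the replyItem lines from the attrmap, looks up a host entry by macAddress the way the `(macAddress=%{DHCP-Client-Hardware-Address})` filter would, copies the mapped LDAP attributes into a reply list, and applies unlang's `:=` and `+=` operators to the two DHCP-Domain-Name-Server lines so the difference between them is visible. The host entry and the operator semantics (`:=` replaces every instance, `+=` appends, `=` adds only when absent) are modelled here as assumptions; the real server does the equivalent inside rlm_ldap and the `update reply` blocks.

```python
"""Simulate rlm_ldap replyItem mapping and unlang update operators.

Added example; not FreeRADIUS code. The directory is a constructed copy
of the LDIF entry from the post, reduced to the attributes that matter.
"""

# Constructed host entry (attribute -> list of values), copied from the post.
HOST_ENTRY = {
    "cn": ["host1.tech"],
    "macAddress": ["00:24:8b:3a:d1:db"],
    "radiusFramedIPAddress": ["10.10.10.63"],
    "radiusArapSecurity": ["10.10.10.1"],
    "radiusArapZoneAccess": ["255.255.255.128"],
}

# The three replyItem lines from the post, in ldap.attrmap syntax.
ATTRMAP = """
replyItem       DHCP-Subnet-Mask              radiusArapZoneAccess
replyItem       DHCP-Router-Address           radiusArapSecurity
replyItem       DHCP-Your-IP-Address          radiusFramedIPAddress
"""


def parse_attrmap(text):
    """Return (kind, dhcp_attr, ldap_attr) triples; skip blanks and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed attrmap line: {line!r}")
        rows.append(tuple(parts))
    return rows


def find_host(directory, mac):
    """Emulate the (macAddress=...) filter. The macAddress attribute uses a
    case-insensitive match, so normalise both sides before comparing."""
    mac = mac.lower()
    for entry in directory:
        if any(v.lower() == mac for v in entry.get("macAddress", [])):
            return entry
    return None


def update_reply(reply, op, attr, value):
    """Assumed unlang semantics for one line inside 'update reply { ... }'."""
    if op == ":=":
        reply[attr] = [value]              # replace every existing instance
    elif op == "+=":
        reply.setdefault(attr, []).append(value)   # always add another instance
    elif op == "=":
        reply.setdefault(attr, [value])    # add only if the attribute is absent
    else:
        raise ValueError(f"unsupported operator {op!r}")
    return reply


def build_reply(directory, attrmap_text, client_mac, message_type):
    """Return the reply list for one DHCP packet, or None when no host matches
    (the virtual server in the post would then fall through to 'reject')."""
    entry = find_host(directory, client_mac)
    if entry is None:
        return None
    reply = {"DHCP-Message-Type": [message_type]}
    for kind, dhcp_attr, ldap_attr in parse_attrmap(attrmap_text):
        if kind != "replyItem" or ldap_attr not in entry:
            continue
        for value in entry[ldap_attr]:
            update_reply(reply, "+=", dhcp_attr, value)
    return reply


def dns_servers(ops):
    """Apply the two DHCP-Domain-Name-Server lines from the post with the given
    operators and return the values that would actually be sent."""
    reply = {}
    for op, addr in zip(ops, ["10.10.10.90", "10.10.10.91"]):
        update_reply(reply, op, "DHCP-Domain-Name-Server", addr)
    return reply.get("DHCP-Domain-Name-Server", [])


if __name__ == "__main__":
    print(build_reply([HOST_ENTRY], ATTRMAP, "00:24:8B:3A:D1:DB", "DHCP-Offer"))
    print("two ':=' lines send:", dns_servers([":=", ":="]))
    print("':=' then '+=' send:", dns_servers([":=", "+="]))
```

Running it shows the offer carrying DHCP-Your-IP-Address, DHCP-Router-Address and DHCP-Subnet-Mask from the matched entry, an unknown MAC producing no reply, and the two `:=` lines leaving only 10.10.10.91 in the reply while `:=` followed by `+=` keeps both servers.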
