On 3.10.2017 9.57, Johan Wassberg wrote:
From the documentation about ClientListLDAP [0]:
```
[...]
You can have some client details in your Radiator configuration file and
some in <ClientListLDAP> although this can be confusing to future
administrators.
[...]
```
Hmm, probably should be 'clients' instead of 'client details'.
I'd say the confusion may arise from loading clients from SQL, LDAP
and/or configuration file and then trying to figure out from where they
come from and, for example, if there are same clients from multiple
sources, what are the client settings then. See below for more. In
short: no merging happens. Identically named clients replace the
existing clients.
We are trying to clean up our configuration by moving the secrets to
LDAP and it works for most clients just fine. But some parts of the
configuration require "Identifiers" on specific clients, e.g.:
```
<Client r1.example.com>
Identifier se-root
</Client>
```
You can pull Identifier from LDAP too. See ClientAttrDef and
ClientAttrDef oscRadiusIdentifier,Identifier
Maybe this solves the problem?
So I did as the documentation stated, mixed the configuration by adding
the secret to LDAP and the lines above in the configuration file. And I
think it works but I'm a bit scared by the error messages that now can
be found in the log:
```
Tue Oct 3 08:12:35 2017: ERR: No Secret or TACACSPLUSKey defined
for Client r1.example.com in '/local/radiator/conf/radius.cfg'
```
The following questions come to mind:
1. Is the error message a real error?
It comes from the example clause above where, after the clause has been
fully read, client activation notices that there's no secret. So it's a
real error since the client configuration did not have a secret.
2. If I have a secret configured in both LDAP and the config file,
which secret will be used?
[0] https://www.open.com.au/radiator/ref/ClientListLDAP.html
The client from the last source configured in the configuration file is
the one that is used. Information about previously loaded clients is not
merged; any existing client is completely replaced.
If you have, for example,
```
<Client r1.example.com>
Identifier se-root
</Client>
<ClientListLDAP>
...
</ClientListLDAP>
```
You will get a warning when the statically configured client is loaded.
The warning is about the missing secret.
If r1.example.com is also loaded from LDAP, it will replace the
r1.example.com that was just loaded from the configuration file. Note:
if name resolution yields different results for r1.example.com for the
statically configured and the LDAP-loaded client, then you can have
entries from both sources.
Thanks,
Heikki
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
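The replace-not-merge behaviour and the name-resolution caveat above are easy to get wrong when auditing a mixed static/LDAP client setup. The following script is an added example, not Radiator code: it models the loading order the reply describes (clauses processed in configuration-file order, a later client whose name resolves to the same address replacing the earlier one outright) and reports which source won each address and which static clients were activated without a Secret or TACACSPLUSKey, the condition behind the "No Secret or TACACSPLUSKey defined" error. It also models mapping Identifier from LDAP via ClientAttrDef. The LDAP entries, the DNS table, the config text and the LDAP attribute names are all constructed for the example; the real Radiator schema and resolution rules may differ.

```python
"""Audit which source wins for each Radiator client (added example,
not Radiator's own code). Models the thread's loading semantics:
clauses are processed in configuration order, a later client that
resolves to the same address replaces the earlier one (no merging),
and a static client with neither Secret nor TACACSPLUSKey is flagged.
All inputs are constructed stand-ins so the script runs offline."""
import re

# Constructed stand-in for an LDAP directory. The attribute names are
# assumptions chosen to match the ClientAttrDef lines in CONFIG below.
LDAP_DIR = [
    {"oscRadiusClientName": "r1.example.com",
     "oscRadiusSecret": "ldap-secret-1",
     "oscRadiusIdentifier": "se-root"},
    {"oscRadiusClientName": "r2.example.com",
     "oscRadiusSecret": "ldap-secret-2"},
]

# Constructed stand-in for DNS (hostname -> address).
DNS = {"r1.example.com": "192.0.2.1",
       "r2.example.com": "192.0.2.2",
       "r3.example.com": "192.0.2.3"}

# Constructed config mixing static <Client> clauses with ClientListLDAP.
CONFIG = """
<Client r1.example.com>
    Identifier se-root
</Client>
<Client r3.example.com>
    Secret static-secret-3
</Client>
<ClientListLDAP>
    ClientAttrDef oscRadiusSecret,Secret
    ClientAttrDef oscRadiusIdentifier,Identifier
</ClientListLDAP>
"""

# Longer keyword first so <ClientListLDAP> is not read as <Client ListLDAP>.
CLAUSE_RE = re.compile(r"<(ClientListLDAP|Client)\s*([^>\s]*)\s*>(.*?)</\1>", re.S)


def parse_lines(body):
    """Yield (keyword, value) pairs from the lines of a clause body."""
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            yield key, value.strip()


def resolve(name, dns):
    """Address the client table is keyed by. If the two sources resolve
    a name differently, each address keeps its own entry (the caveat
    in the thread); an IP literal is used as-is."""
    return dns.get(name, name)


def load_clients(config, ldap_dir, dns):
    """Build the client table in configuration order with replace
    semantics. Returns (table, warnings): table maps address ->
    {'name', 'source', 'params'}; warnings lists static clients that
    were activated with neither Secret nor TACACSPLUSKey."""
    table, warnings = {}, []
    for kind, name, body in CLAUSE_RE.findall(config):
        if kind == "Client":
            params = dict(parse_lines(body))
            if "Secret" not in params and "TACACSPLUSKey" not in params:
                warnings.append(name)
            table[resolve(name, dns)] = {"name": name, "source": "static", "params": params}
        else:
            # ClientAttrDef <ldap-attr>,<Client parameter> maps attributes to parameters.
            attrmap = {}
            for key, value in parse_lines(body):
                if key == "ClientAttrDef":
                    attr, _, param = value.partition(",")
                    attrmap[attr.strip()] = param.strip()
            for entry in ldap_dir:
                name = entry["oscRadiusClientName"]
                params = {attrmap[a]: v for a, v in entry.items() if a in attrmap}
                # Same resolved address: the LDAP client replaces the static
                # one outright; nothing from the earlier entry survives.
                table[resolve(name, dns)] = {"name": name, "source": "ldap", "params": params}
    return table, warnings


def report(table, warnings):
    """Human-readable audit lines: load-time warnings, then the final table."""
    lines = [f"warning: no Secret or TACACSPLUSKey for static client {n}" for n in warnings]
    for addr, client in sorted(table.items()):
        secret = "set" if "Secret" in client["params"] else "MISSING"
        lines.append(f"{addr:<12} {client['name']:<16} source={client['source']:<6} "
                     f"secret={secret} identifier={client['params'].get('Identifier', '-')}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(*load_clients(CONFIG, LDAP_DIR, DNS))))
```

Running it shows the load-time warning for the static r1.example.com clause, then a final table in which r1.example.com comes from LDAP with both its secret and Identifier, r3.example.com stays static, and nothing is merged. Replacing the static clause name with an IP literal that differs from what the LDAP name resolves to yields two separate entries, which is the name-resolution caveat from the reply.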