> On 4 Oct 2017, at 14:00, Heikki Vatiainen <[email protected]> wrote:
>
> On 3.10.2017 9.57, Johan Wassberg wrote:
>
>> From the documentation about ClientListLDAP [0]:
>> ```
>> [...]
>> You can have some client details in your Radiator configuration file and
>> some in <ClientListLDAP> although this can be confusing to future
>> administrators.
>> [...]
>> ```
>
> Hmm, probably should be 'clients' instead of 'client details'.
>
> I'd say the confusion may arise from loading clients from SQL, LDAP and/or
> the configuration file and then trying to figure out where they come from
> and, for example, if there are the same clients in multiple sources, what
> the client settings are then. See below for more. In short: no merging happens.
> Identically named clients replace the existing clients.
>
>> We are trying to clean up our configuration by moving the secrets to
>> LDAP and it works for most clients just fine. But some parts of the
>> configuration require "Identifiers" on specific clients, e.g.:
>> ```
>> <Client r1.example.com>
>> Identifier se-root
>> </Client>
>> ```
>
> You can pull Identifier from LDAP too. See ClientAttrDef and
> ClientAttrDef oscRadiusIdentifier,Identifier
>
> Maybe this solves the problem?

Probably yes. Just need to modify our LDAP schema first…

>> So I did as the documentation stated, mixed the configuration by adding
>> the secret to LDAP and the lines above in the configuration file. And I
>> think it works but I'm a bit scared by the error messages that now can
>> be found in the log:
>> ```
>> Tue Oct 3 08:12:35 2017: ERR: No Secret or TACACSPLUSKey defined
>> for Client r1.example.com in '/local/radiator/conf/radius.cfg'
>> ```
>> The following questions come to mind:
>> 1. Is the error message a real error?
>
> It comes from the example clause above where, after the clause has been fully
> read, client activation notices that there's no secret. So it's a real error
> since the client configuration did not have a secret.
>
>> 2. If I have a secret configured in both LDAP and the config file,
>> which secret will be used?
>> [0] https://www.open.com.au/radiator/ref/ClientListLDAP.html
>
> The client from the last source configured in the configuration file is the one
> that is used. Information about previously loaded clients is not merged but
> any existing client will be completely replaced.
>
> If you have, for example,
>
> <Client r1.example.com>
> Identifier se-root
> </Client>
>
> <ClientListLDAP>
> ...
> </ClientListLDAP>
>
> You will get a warning when the statically configured client is loaded. The
> warning is about the missing secret.
>
> If r1.example.com is also loaded from LDAP, it will replace the r1.example.com
> that was just loaded from the configuration file. Note: if name resolution
> yields a different result for r1.example.com for the statically configured and
> the LDAP-loaded client, then you can have entries from both sources.

Cool. Thanks for the clarification!

-- 
jocar

_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator
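The layout the thread arrives at, written out as an added example (this is not configuration from the thread or from Radiator's own documentation). Only `ClientAttrDef oscRadiusIdentifier,Identifier` and the `<Client>`/`<ClientListLDAP>` clause names are taken from the messages above; the LDAP connection parameters (Host, AuthDN, AuthPassword, BaseDN, Filter), the attribute name `oscRadiusSecret`, the object class and the host names are assumptions and should be checked against the ClientListLDAP reference linked as [0].

```text
# Added example: static clients and LDAP-loaded clients side by side.
#
# Rule from the thread: sources are applied in the order they appear in
# this file, and a client with the same (resolved) name from a later
# source completely REPLACES the earlier one; nothing is merged. So a
# secret-less static <Client> clause is never "filled in" by LDAP, it
# only logs "No Secret or TACACSPLUSKey defined" and is then thrown away.
#
# Assumed (not from the thread): Host, AuthDN, AuthPassword, BaseDN,
# Filter, the oscRadiusClient object class and the oscRadiusSecret
# attribute name. Check them against the ClientListLDAP reference.

# A client that is deliberately kept static keeps its own Secret, so it
# loads cleanly and never triggers the missing-secret error.
<Client lab-nas.example.com>
    Secret          change-me-lab-only
    Identifier      lab
</Client>

# Every production client, including its Identifier, comes from LDAP.
# r1.example.com is NOT listed statically any more: the old
# "<Client r1.example.com> Identifier se-root </Client>" clause would
# only produce the ERR line and then be replaced by the LDAP entry.
<ClientListLDAP>
    Host            ldap.example.com
    AuthDN          cn=radiator,ou=services,dc=example,dc=com
    AuthPassword    change-me
    BaseDN          ou=radius-clients,dc=example,dc=com
    Filter          (objectClass=oscRadiusClient)

    # Map LDAP attributes onto Client parameters. The r1.example.com entry
    # carries oscRadiusSecret and oscRadiusIdentifier (value se-root), so
    # the Identifier requirement is met without a static clause.
    ClientAttrDef   oscRadiusSecret,Secret
    ClientAttrDef   oscRadiusIdentifier,Identifier
</ClientListLDAP>
```

Two checks after restarting: the log must no longer contain `No Secret or TACACSPLUSKey defined` for any client that was moved to LDAP (if it does, a static clause for that name is still present), and if a name is kept in both places on purpose, confirm that it resolves to the same address from the static clause and from the LDAP entry, otherwise both clients stay active and the one answering a given NAS depends on which address matched.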
