3.15. <ClientListLDAP>

This optional clause allows you to specify your RADIUS and TACACS+ clients in an LDAP database in addition to, or instead of, your Radiator configuration file. When Radiator starts up or receives a SIGHUP signal, it queries the LDAP database with the SearchFilter. The results of that query are used to add details of the RADIUS Clients that Radiator responds to. One Client clause is created for each matching LDAP record found. <ClientListLDAP> fetches the LDAP attributes specified by the ClientAttrDef parameters, and uses them to set the parameters in each Client clause. You can have some client details in your Radiator configuration file and some in <ClientListLDAP>, although this can be confusing to future administrators.
This clause supports all the common LDAP configuration parameters. For more information about the LDAP configuration parameters, see Section 3.9. LDAP configuration.
Tip
There is a sample LDAP schema compatible with the default behaviour of <ClientListLDAP> in goodies/radiator-ldap.schema in your Radiator distribution. There are some example LDAP records for this schema in goodies/radiator-ldap.ldif.
Tip
There is an example configuration file showing how to configure <ClientListLDAP> in goodies/ldapradius.cfg in your Radiator distribution.

3.15.1. BaseDN

This is the base DN, where searches are made. It is used in the same way as in the other LDAP modules. For more information, see Section 3.9.1. BaseDN.
Special formatting characters are permitted.
This BaseDN use example is specifically for <ClientListLDAP>:
# Start looking here
BaseDN ou=RadiusClients, o=University of Michigan, c=US

3.15.2. SearchFilter

This parameter specifies the LDAP search filter that is used to find the LDAP records that contain Client data. The default value is (objectclass=oscRadiusClient), which is compatible with the example schema provided in goodies/radiator-ldap.schema in your Radiator distribution. Special characters are supported.
This example finds oscRadiusClient LDAP objects, but only the ones for a specific location. It shows how you can use LDAP boolean expressions to select records from the LDAP database:
SearchFilter (&(objectclass=oscRadiusClient)(location=my_pop_1))

3.15.3. ClientAttrDef

This optional parameter specifies the name of an LDAP attribute to fetch, and the name of the Client parameter that it will be used for in the Client clause. The format is:
ClientAttrDef ldapattrname,clientparamname
where ldapattrname is the name of the LDAP attribute to fetch, and clientparamname is the name of the Client clause parameter. For more information, see Section 3.14. <Client xxxxxx>. There can be (and usually are) multiple ClientAttrDef parameters. If the specified ldapattrname is not present in a record, the matching clientparamname is not set and assumes its default value according to the normal behaviour of the Client clause.
If no ClientAttrDef lines are defined, the clause defaults to the equivalent of the following, which is compatible with the example schema provided in goodies/radiator-ldap.schema. Note that not all of these attributes are required in your LDAP database. The only ones that must be provided are those for Name and Secret.
ClientAttrDef oscRadiusClientName,Name
ClientAttrDef oscRadiusSecret,Secret
ClientAttrDef oscRadiusInoreAcctSignature,IgnoreAcctSignature
ClientAttrDef oscRadiusDupInterval,DupInterval
ClientAttrDef oscRadiusNasType,NasType
ClientAttrDef oscRadiusSNMPCommunity,SNMPCommunity
ClientAttrDef oscRadiusLivingstonOffs,LivingstonOffs
ClientAttrDef oscRadiusLivingstonHole,LivingstonHole
ClientAttrDef oscRadiusFramedGroupBaseAddress,FramedGroupBaseAddress 
ClientAttrDef oscRadiusFramedGroupMaxPortsPerClassC,FramedGroupMaxPortsPerClassC
ClientAttrDef oscRadiusFramedGroupPortOffset,FramedGroupPortOffset
ClientAttrDef oscRadiusRewriteUsername,RewriteUsername
ClientAttrDef oscRadiusUseOldAscendPasswords,UseOldAscendPasswords
ClientAttrDef oscRadiusStatusServerShowClientDetails,StatusServerShowClientDetails
ClientAttrDef oscRadiusPreHandlerHook,PreHandlerHook
ClientAttrDef oscRadiusPacketTrace,PacketTrace
ClientAttrDef oscRadiusIdenticalClients,IdenticalClients
ClientAttrDef oscRadiusNoIgnoreDuplicates,NoIgnoreDuplicates
ClientAttrDef oscRadiusDefaultReply,DefaultReply
ClientAttrDef oscRadiusFramedGroup,FramedGroup
ClientAttrDef oscRadiusStripFromReply,StripFromReply
ClientAttrDef oscRadiusAllowInReply,AllowInReply
ClientAttrDef oscRadiusAddToReply,AddToReply
ClientAttrDef oscRadiusAddToReplyIfNotExist,AddToReplyIfNotExist
ClientAttrDef oscRadiusDynamicReply,DynamicReply
ClientAttrDef oscRadiusStripfromRequest,StripfromRequest
ClientAttrDef oscRadiusAddToRequest,AddToRequest
ClientAttrDef oscRadiusAddToRequestIfNotExist,AddToRequestIfNotExist
ClientAttrDef oscRadiusDefaultRealm,DefaultRealm
ClientAttrDef oscRadiusIdentifier,Identifier
ClientAttrDef oscTacacsPlusKey,TACACSPLUSKey

3.15.4. RefreshPeriod

If this optional parameter is set to non-zero, it specifies the period in seconds after which ClientListLDAP refreshes the client list by rereading the database. If it is set to 0, ClientListLDAP reads the client list from the database only at startup and on SIGHUP. Defaults to 0. The % formats are permitted.
# Reread the client list every hour
RefreshPeriod 3600

3.15.5. FarmWorkerSpacing

If this optional parameter is set to non-zero, it specifies the time in seconds used to space out the refreshes done by server farm workers. Defaults to not set, which causes all farm workers to refresh the client list at the same moment. This parameter has an effect only when both RefreshPeriod and the global FarmSize parameter are configured.
# Reread the client list every hour, use 30 second offset between each worker
RefreshPeriod 3600
FarmWorkerSpacing 30

3.15.6. PostSearchHook

This optional parameter allows you to define a Perl function that is called after the LDAP search results have been received, and after Radiator has processed the attributes it is interested in. Hook authors can use LDAP library routines to extract other attributes and process them in any way.
PostSearchHook is called once for each LDAP result and allows the client's parameters to be changed before the client is instantiated.
PostSearchHook has the following arguments:
  • Handle to the current ClientListLDAP object
  • Reference to the client Name. To change the name, assign the new value through this reference
  • Reference to a hash with client configuration parameter values collected from the entry.
  • Search result entry
Here is an example of PostSearchHook:
# Do not add clients that have 'test' in their name
PostSearchHook sub {my $name = $_[1]; $$name = '' if $$name =~ 'test';}
Tip
You can change the client Name as shown in the above example. If you set the name to an empty string, Radiator skips this client.
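The following is an added example of a fuller PostSearchHook; it is not from the Radiator manual or the goodies directory. It uses all four hook arguments: it refuses to instantiate a client whose Secret is missing or shorter than a locally chosen 16-character minimum (an assumed policy, not a Radiator requirement), and it reads the location attribute from the SearchFilter example above, which has no ClientAttrDef mapping, to fill Identifier when the entry did not set one. The hook is assumed to be kept in its own file and loaded with Radiator's file: form, for example PostSearchHook file:"%D/clientlist-hook.pl".

```perl
# clientlist-hook.pl (added example, not part of the Radiator distribution)
# Arguments, in the order documented for PostSearchHook:
#   $_[0] handle to the current ClientListLDAP object
#   $_[1] reference to the client Name
#   $_[2] reference to the hash of Client parameters collected so far
#   $_[3] the Net::LDAP::Entry search result
sub {
    my ($clientlist, $name_ref, $params, $entry) = @_;

    # Minimum shared-secret length enforced here. Assumed local policy.
    my $min_secret_len = 16;

    # Refuse to create a Client that has no usable shared secret.
    # Setting the name to '' makes Radiator skip this entry.
    my $secret = $params->{Secret};
    if (!defined $secret || length($secret) < $min_secret_len) {
        &main::log($main::LOG_WARNING,
            "ClientListLDAP: skipping client '$$name_ref' ("
            . $entry->dn
            . "): Secret missing or shorter than $min_secret_len characters");
        $$name_ref = '';
        return;
    }

    # Read an attribute with no ClientAttrDef mapping and use it to fill
    # Identifier only when the entry did not provide one directly.
    my $location = $entry->get_value('location');
    if (defined $location && !defined $params->{Identifier}) {
        $params->{Identifier} = "$$name_ref-$location";
        &main::log($main::LOG_DEBUG,
            "ClientListLDAP: Identifier for '$$name_ref' set to "
            . "'$params->{Identifier}' from location attribute");
    }
}
```

Skipped entries are reported at LOG_WARNING level, so a client that silently disappears from the list after a reread can be traced back to its LDAP record.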