> 
> Is it correct as above? Do I have to call ldap_dhcp separately in each 
> section (i.e. twice)?

Hopefully someone else will chime in who's actually used it, but this is what I 
believe the order of operations should be:

* Receive DHCP-Discover
        - Call LDAP to get the IP assignment for the Mac-Address.
        - Augment the reply list with additional options
        - Cache the reply attributes you're about to send (see rlm_cache), you 
probably want to key it on the same attributes as your LDAP search
        - Set DHCP-Message-Type

* Receive DHCP-Request
        - Pull reply list out of cache
        - Compare the requested IP with the IP in the reply list; if it != the 
IP requested, trash the reply list and DHCP-Message-Type := NAK
        - If request IP == reply IP, DHCP-Message-Type := ACK

That way you only have one hit on your LDAP server, and you guarantee 
consistency across Offer and Request.

You can also do it the way you have in your example server (it has the 
advantage that it'll work behind load balancers, or multiple gateways pointing 
at different servers), but you should check the IP from LDAP is the same as the 
one requested, and NAK if appropriate.

If you do it the way I suggested I highly recommend you use V3.0.0 
(release_branch_3.0.0 or master/HEAD) instead, as the list/attribute handling 
is much better.

-Arran

Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS Development Team
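To make the two-section flow above concrete, here is an added sketch in FreeRADIUS 3.0 unlang; it is not Arran's configuration or the project's shipped default. It assumes an LDAP instance called ldap_dhcp (from the original question) that sets reply:DHCP-Your-IP-Address, a cache instance named dhcp_cache defined as in mods-available/cache, that rlm_cache honours the Cache-Read-Only control attribute, and that returning reject from a dhcp section sends no reply; attribute names come from the stock dictionary.dhcp.

```unlang
# mods-available/cache: keyed the same way as the LDAP search (client MAC)
cache dhcp_cache {
	driver = "rlm_cache_rbtree"
	key = "%{DHCP-Client-Hardware-Address}"
	ttl = 120
	update {
		# Store exactly what was offered so Request can be checked against it
		&reply:DHCP-Your-IP-Address := &reply:DHCP-Your-IP-Address
		&reply:DHCP-Subnet-Mask := &reply:DHCP-Subnet-Mask
		&reply:DHCP-IP-Address-Lease-Time := &reply:DHCP-IP-Address-Lease-Time
	}
}

# sites-available/dhcp: only the two sections that matter here
dhcp DHCP-Discover {
	ldap_dhcp                          # the single LDAP hit for this MAC
	if (!&reply:DHCP-Your-IP-Address) {
		reject                     # nothing assigned: send no reply
	}
	dhcp_cache                         # no entry yet, so this stores the reply list
	update reply {
		&DHCP-Message-Type := DHCP-Offer
	}
	ok
}

dhcp DHCP-Request {
	update control {
		&Cache-Read-Only := yes    # look up only, never create an entry here
	}
	dhcp_cache                         # a hit merges the cached reply list back in
	if (notfound) {
		ldap_dhcp                  # miss (expired, or Discover hit another server)
	}
	if (&DHCP-Requested-IP-Address != &reply:DHCP-Your-IP-Address) {
		update reply {             # client asked for something we did not offer
			&DHCP-Your-IP-Address !* ANY
			&DHCP-Subnet-Mask !* ANY
			&DHCP-IP-Address-Lease-Time !* ANY
			&DHCP-Message-Type := DHCP-NAK
		}
		ok
	}
	update reply {
		&DHCP-Message-Type := DHCP-Ack
	}
	ok
}
```

The NAK branch returns early so the ACK update below it is never reached for a mismatched address.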

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html