1 |
root |
1 |
# -*- text -*-
|
|
|
2 |
#
|
|
|
3 |
# $Id$
|
|
|
4 |
|
|
|
5 |
# Lightweight Directory Access Protocol (LDAP)
|
|
|
6 |
#
|
|
|
7 |
# This module definition allows you to use LDAP for
|
|
|
8 |
# authorization and authentication.
|
|
|
9 |
#
|
|
|
10 |
# See raddb/sites-available/default for reference to the
|
|
|
11 |
# ldap module in the authorize and authenticate sections.
|
|
|
12 |
#
|
|
|
13 |
# However, LDAP can be used for authentication ONLY when the
|
|
|
14 |
# Access-Request packet contains a clear-text User-Password
|
|
|
15 |
# attribute. LDAP authentication will NOT work for any other
|
|
|
16 |
# authentication method.
|
|
|
17 |
#
|
|
|
18 |
# This means that LDAP servers don't understand EAP. If you
|
|
|
19 |
# force "Auth-Type = LDAP", and then send the server a
|
|
|
20 |
# request containing EAP authentication, then authentication
|
|
|
21 |
# WILL NOT WORK.
|
|
|
22 |
#
|
|
|
23 |
# The solution is to use the default configuration, which does
|
|
|
24 |
# work.
|
|
|
25 |
#
|
|
|
26 |
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
|
|
|
27 |
# really can't emphasize this enough.
|
|
|
28 |
#
|
|
|
29 |
ldap {
|
|
|
30 |
#
|
|
|
31 |
# Note that this needs to match the name in the LDAP
|
|
|
32 |
# server certificate, if you're using ldaps.
|
|
|
33 |
server = ""
|
|
|
34 |
identity = ""
|
|
|
35 |
password =
|
|
|
36 |
basedn = "dc=example,dc=com"
|
|
|
37 |
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
|
|
|
38 |
base_filter = ""
|
|
|
39 |
|
|
|
40 |
# How many connections to keep open to the LDAP server.
|
|
|
41 |
# This saves time over opening a new LDAP socket for
|
|
|
42 |
# every authentication request.
|
|
|
43 |
ldap_connections_number = 5
|
|
|
44 |
|
|
|
45 |
# seconds to wait for LDAP query to finish. default: 20
|
|
|
46 |
timeout = 4
|
|
|
47 |
|
|
|
48 |
# seconds LDAP server has to process the query (server-side
|
|
|
49 |
# time limit). default: 20
|
|
|
50 |
#
|
|
|
51 |
# LDAP_OPT_TIMELIMIT is set to this value.
|
|
|
52 |
timelimit = 3
|
|
|
53 |
|
|
|
54 |
#
|
|
|
55 |
# seconds to wait for response of the server. (network
|
|
|
56 |
# failures) default: 10
|
|
|
57 |
#
|
|
|
58 |
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
|
|
|
59 |
net_timeout = 1
|
|
|
60 |
|
|
|
61 |
#
|
|
|
62 |
# This subsection configures the tls related items
|
|
|
63 |
# that control how FreeRADIUS connects to an LDAP
|
|
|
64 |
# server. It contains all of the "tls_*" configuration
|
|
|
65 |
# entries used in older versions of FreeRADIUS. Those
|
|
|
66 |
# configuration entries can still be used, but we recommend
|
|
|
67 |
# using these.
|
|
|
68 |
#
|
|
|
69 |
tls {
|
|
|
70 |
# Set this to 'yes' to use TLS encrypted connections
|
|
|
71 |
# to the LDAP database by using the StartTLS extended
|
|
|
72 |
# operation.
|
|
|
73 |
#
|
|
|
74 |
# The StartTLS operation is supposed to be
|
|
|
75 |
# used with normal ldap connections instead of
|
|
|
76 |
# using ldaps (port 689) connections
|
|
|
77 |
start_tls = no
|
|
|
78 |
|
|
|
79 |
# cacertfile = /path/to/cacert.pem
|
|
|
80 |
# cacertdir = /path/to/ca/dir/
|
|
|
81 |
# certfile = /path/to/radius.crt
|
|
|
82 |
# keyfile = /path/to/radius.key
|
|
|
83 |
# randfile = /path/to/rnd
|
|
|
84 |
|
|
|
85 |
# Certificate Verification requirements. Can be:
|
|
|
86 |
# "never" (don't even bother trying)
|
|
|
87 |
# "allow" (try, but don't fail if the cerificate
|
|
|
88 |
# can't be verified)
|
|
|
89 |
# "demand" (fail if the certificate doesn't verify.)
|
|
|
90 |
#
|
|
|
91 |
# The default is "allow"
|
|
|
92 |
# require_cert = "demand"
|
|
|
93 |
}
|
|
|
94 |
|
|
|
95 |
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
|
|
|
96 |
# profile_attribute = "radiusProfileDn"
|
|
|
97 |
# access_attr = "dialupAccess"
|
|
|
98 |
|
|
|
99 |
# Mapping of RADIUS dictionary attributes to LDAP
|
|
|
100 |
# directory attributes.
|
|
|
101 |
dictionary_mapping = ${confdir}/ldap.attrmap
|
|
|
102 |
|
|
|
103 |
# Set password_attribute = nspmPassword to get the
|
|
|
104 |
# user's password from a Novell eDirectory
|
|
|
105 |
# backend. This will work ONLY IF FreeRADIUS has been
|
|
|
106 |
# built with the --with-edir configure option.
|
|
|
107 |
#
|
|
|
108 |
# See also the following links:
|
|
|
109 |
#
|
|
|
110 |
# http://www.novell.com/coolsolutions/appnote/16745.html
|
|
|
111 |
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
|
|
|
112 |
#
|
|
|
113 |
# Novell may require TLS encrypted sessions before returning
|
|
|
114 |
# the user's password.
|
|
|
115 |
#
|
|
|
116 |
# password_attribute = userPassword
|
|
|
117 |
|
|
|
118 |
# Un-comment the following to disable Novell
|
|
|
119 |
# eDirectory account policy check and intruder
|
|
|
120 |
# detection. This will work *only if* FreeRADIUS is
|
|
|
121 |
# configured to build with --with-edir option.
|
|
|
122 |
#
|
|
|
123 |
edir_account_policy_check = no
|
|
|
124 |
|
|
|
125 |
#
|
|
|
126 |
# Group membership checking. Disabled by default.
|
|
|
127 |
#
|
|
|
128 |
# groupname_attribute = cn
|
|
|
129 |
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
|
|
|
130 |
# groupmembership_attribute = radiusGroupName
|
|
|
131 |
|
|
|
132 |
# compare_check_items = yes
|
|
|
133 |
# do_xlat = yes
|
|
|
134 |
# access_attr_used_for_allow = yes
|
|
|
135 |
|
|
|
136 |
#
|
|
|
137 |
# By default, if the packet contains a User-Password,
|
|
|
138 |
# and no other module is configured to handle the
|
|
|
139 |
# authentication, the LDAP module sets itself to do
|
|
|
140 |
# LDAP bind for authentication.
|
|
|
141 |
#
|
|
|
142 |
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
|
|
|
143 |
#
|
|
|
144 |
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
|
|
|
145 |
#
|
|
|
146 |
# You can disable this behavior by setting the following
|
|
|
147 |
# configuration entry to "no".
|
|
|
148 |
#
|
|
|
149 |
# allowed values: {no, yes}
|
|
|
150 |
# set_auth_type = yes
|
|
|
151 |
# set_auth_type = no
|
|
|
152 |
|
|
|
153 |
# ldap_debug: debug flag for LDAP SDK
|
|
|
154 |
# (see OpenLDAP documentation). Set this to enable
|
|
|
155 |
# huge amounts of LDAP debugging on the screen.
|
|
|
156 |
# You should only use this if you are an LDAP expert.
|
|
|
157 |
#
|
|
|
158 |
# default: 0x0000 (no debugging messages)
|
|
|
159 |
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
|
|
|
160 |
#ldap_debug = 0x0028
|
|
|
161 |
}
|