# -*- text -*-
#
#  $Id$

# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication.
#
#  See raddb/sites-available/default for reference to the
#  ldap module in the authorize and authenticate sections.
#
#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#
#  This means that LDAP servers don't understand EAP.  If you
#  force "Auth-Type = LDAP", and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.
#
#  The solution is to use the default configuration, which does
#  work.
#
#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
#  really can't emphasize this enough.
#
ldap {
	#
	#  Note that this needs to match the name in the LDAP
	#  server certificate, if you're using ldaps.
	#
	#  identity / password are the DN and credential this module
	#  binds with to search for the user.  Both are left empty here,
	#  which means an anonymous bind; if the directory does not
	#  permit anonymous search, fill them in (presumably the
	#  ALCASAR setup script does so - confirm).
	#
	#  The user's own credential is checked with a separate bind as
	#  the DN found by "filter".  NOTE(review): rlm_ldap is expected
	#  to escape LDAP filter metacharacters in expanded %{...}
	#  values, so a crafted User-Name should not be able to alter
	#  the filter; confirm for the installed FreeRADIUS version.
server = ""
identity = ""
password = 
basedn = "dc=example,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = ""

	#  How many connections to keep open to the LDAP server.
	#  This saves time over opening a new LDAP socket for
	#  every authentication request.
	ldap_connections_number = 5

	# seconds to wait for LDAP query to finish. default: 20
	timeout = 4

	#  seconds LDAP server has to process the query (server-side
	#  time limit). default: 20
	#
	#  LDAP_OPT_TIMELIMIT is set to this value.
	timelimit = 3

	#
	#  seconds to wait for response of the server. (network
	#   failures) default: 10
	#
	#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
	#
	#  The three timeouts above are deliberately short (4/3/1 s
	#  vs. defaults 20/20/10) so an unreachable directory fails
	#  the request quickly instead of tying up RADIUS threads.
	net_timeout = 1

	#
	#  This subsection configures the tls related items
	#  that control how FreeRADIUS connects to an LDAP
	#  server.  It contains all of the "tls_*" configuration
	#  entries used in older versions of FreeRADIUS.  Those
	#  configuration entries can still be used, but we recommend
	#  using these.
	#
	#  With start_tls = no and a plain ldap:// server URL, both the
	#  search bind and the per-user bind (which carries the user's
	#  clear-text password) cross the network unencrypted.  Either
	#  set start_tls = yes or use an ldaps:// server, and in both
	#  cases set cacertfile and require_cert = "demand" below so the
	#  server certificate is actually verified (the default
	#  "allow" does not fail on an unverifiable certificate).
	#
	tls {
		# Set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		#
		# The StartTLS operation is supposed to be
		# used with normal ldap connections instead of
		# using ldaps (port 689) connections
		start_tls = no

		# cacertfile	= /path/to/cacert.pem
		# cacertdir		= /path/to/ca/dir/
		# certfile		= /path/to/radius.crt
		# keyfile		= /path/to/radius.key
		# randfile		= /path/to/rnd

		#  Certificate Verification requirements.  Can be:
		#    "never" (don't even bother trying)
		#    "allow" (try, but don't fail if the certificate
		#		can't be verified)
		#    "demand" (fail if the certificate doesn't verify.)
		#
		#	The default is "allow"
		#
		#  Only "demand" protects against a spoofed directory
		#  server; "allow" and "never" accept any certificate.
		# require_cert	= "demand"
	}

	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
	# profile_attribute = "radiusProfileDn"
	# access_attr = "dialupAccess"

	# Mapping of RADIUS dictionary attributes to LDAP
	# directory attributes.
	dictionary_mapping = ${confdir}/ldap.attrmap

	#  Set password_attribute = nspmPassword to get the
	#  user's password from a Novell eDirectory
	#  backend. This will work ONLY IF FreeRADIUS has been
	#  built with the --with-edir configure option.
	#
	#  See also the following links:
	#
	#  http://www.novell.com/coolsolutions/appnote/16745.html
	#  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
	#
	#  Novell may require TLS encrypted sessions before returning
	#  the user's password.
	#
	# password_attribute = userPassword

	#  Un-comment the following to disable Novell
	#  eDirectory account policy check and intruder
	#  detection. This will work *only if* FreeRADIUS is
	#  configured to build with --with-edir option.
	#
	#  "no" here means the directory's own lockout / intruder
	#  detection is not consulted by this module; it only has an
	#  effect on an eDirectory backend with an --with-edir build.
	#
	edir_account_policy_check = no

	#
	#  Group membership checking.  Disabled by default.
	#
	# groupname_attribute = cn
	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	# groupmembership_attribute = radiusGroupName

	# compare_check_items = yes
	# do_xlat = yes
	# access_attr_used_for_allow = yes

	#
	#  By default, if the packet contains a User-Password,
	#  and no other module is configured to handle the
	#  authentication, the LDAP module sets itself to do
	#  LDAP bind for authentication.
	#
	#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
	#
	#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). 
	#
	#  You can disable this behavior by setting the following
	#  configuration entry to "no".
	#
	#  allowed values: {no, yes}
	# set_auth_type = yes
	# set_auth_type = no

	#  ldap_debug: debug flag for LDAP SDK
	#  (see OpenLDAP documentation).  Set this to enable
	#  huge amounts of LDAP debugging on the screen.
	#  You should only use this if you are an LDAP expert.
	#
	#  The SDK trace may include bind DNs and other request
	#  contents, so do not leave it enabled on a production
	#  server.
	#
	#	default: 0x0000 (no debugging messages)
	#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
	#ldap_debug = 0x0028 
}