# -*- text -*- # # $Id: d13892634e4a8458c942ce170f59f98521dce500 $ # Lightweight Directory Access Protocol (LDAP) # # This module definition allows you to use LDAP for # authorization and authentication. # # See raddb/sites-available/default for reference to the # ldap module in the authorize and authenticate sections. # # However, LDAP can be used for authentication ONLY when the # Access-Request packet contains a clear-text User-Password # attribute. LDAP authentication will NOT work for any other # authentication method. # # This means that LDAP servers don't understand EAP. If you # force "Auth-Type = LDAP", and then send the server a # request containing EAP authentication, then authentication # WILL NOT WORK. # # The solution is to use the default configuration, which does # work. # # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough. # ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "127.0.0.1" identity = "cn=Services,ou=roles,dc=binary-kitchen,dc=de" password = svcpwd basedn = "dc=binary-kitchen,dc=de" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)" # How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5 # How many times the connection can be used before # being re-established. This is useful for things # like load balancers, which may exhibit sticky # behaviour without it. (0) is unlimited. max_uses = 0 # Port to connect on, defaults to 389. Setting this to # 636 will enable LDAPS if start_tls (see below) is not # able to be used. #port = 389 # seconds to wait for LDAP query to finish. default: 20 timeout = 4 # seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3 # # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 # # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 636) connections start_tls = no # cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd # Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" # require_cert = "demand" } # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess" # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${confdir}/ldap.attrmap # Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # # See also the following links: # # http://www.novell.com/coolsolutions/appnote/16745.html # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html # # Novell may require TLS encrypted sessions before returning # the user's password. # # password_attribute = userPassword # Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # edir_account_policy_check = no # # Group membership checking. Disabled by default. # # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes # # The following two configuration items are for Active Directory # compatibility. If you see the helpful "operations error" # being returned to the LDAP module, uncomment the next # two lines. # # chase_referrals = yes # rebind = yes # # By default, if the packet contains a User-Password, # and no other module is configured to handle the # authentication, the LDAP module sets itself to do # LDAP bind for authentication. # # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. # # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). # # You can disable this behavior by setting the following # configuration entry to "no". # # allowed values: {no, yes} # set_auth_type = yes # ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) #ldap_debug = 0x0028 # # Keepalive configuration. This MAY NOT be supported by your # LDAP library. If these configuration entries appear in the # output of "radiusd -X", then they are supported. Otherwise, # they are unsupported, and changing them will do nothing. # keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60 # LDAP_OPT_X_KEEPALIVE_PROBES probes = 3 # LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } }