forked from infra/ansible
198 lines
6.0 KiB
Plaintext
198 lines
6.0 KiB
Plaintext
# -*- text -*-
|
|
#
|
|
# $Id: d13892634e4a8458c942ce170f59f98521dce500 $
|
|
|
|
# Lightweight Directory Access Protocol (LDAP)
|
|
#
|
|
# This module definition allows you to use LDAP for
|
|
# authorization and authentication.
|
|
#
|
|
# See raddb/sites-available/default for reference to the
|
|
# ldap module in the authorize and authenticate sections.
|
|
#
|
|
# However, LDAP can be used for authentication ONLY when the
|
|
# Access-Request packet contains a clear-text User-Password
|
|
# attribute. LDAP authentication will NOT work for any other
|
|
# authentication method.
|
|
#
|
|
# This means that LDAP servers don't understand EAP. If you
|
|
# force "Auth-Type = LDAP", and then send the server a
|
|
# request containing EAP authentication, then authentication
|
|
# WILL NOT WORK.
|
|
#
|
|
# The solution is to use the default configuration, which does
|
|
# work.
|
|
#
|
|
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
|
|
# really can't emphasize this enough.
|
|
#
|
|
ldap {
|
|
#
|
|
# Note that this needs to match the name in the LDAP
|
|
# server certificate, if you're using ldaps.
|
|
server = "127.0.0.1"
|
|
identity = "cn=Services,ou=roles,dc=binary-kitchen,dc=de"
|
|
password = svcpwd
|
|
basedn = "dc=binary-kitchen,dc=de"
|
|
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
|
|
#base_filter = "(objectclass=radiusprofile)"
|
|
|
|
# How many connections to keep open to the LDAP server.
|
|
# This saves time over opening a new LDAP socket for
|
|
# every authentication request.
|
|
ldap_connections_number = 5
|
|
|
|
# How many times the connection can be used before
|
|
# being re-established. This is useful for things
|
|
# like load balancers, which may exhibit sticky
|
|
# behaviour without it. (0) is unlimited.
|
|
max_uses = 0
|
|
|
|
# Port to connect on, defaults to 389. Setting this to
|
|
# 636 will enable LDAPS if start_tls (see below) is not
|
|
# able to be used.
|
|
#port = 389
|
|
|
|
# seconds to wait for LDAP query to finish. default: 20
|
|
timeout = 4
|
|
|
|
# seconds LDAP server has to process the query (server-side
|
|
# time limit). default: 20
|
|
#
|
|
# LDAP_OPT_TIMELIMIT is set to this value.
|
|
timelimit = 3
|
|
|
|
#
|
|
# seconds to wait for response of the server. (network
|
|
# failures) default: 10
|
|
#
|
|
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
|
|
net_timeout = 1
|
|
|
|
#
|
|
# This subsection configures the tls related items
|
|
# that control how FreeRADIUS connects to an LDAP
|
|
# server. It contains all of the "tls_*" configuration
|
|
# entries used in older versions of FreeRADIUS. Those
|
|
# configuration entries can still be used, but we recommend
|
|
# using these.
|
|
#
|
|
tls {
|
|
# Set this to 'yes' to use TLS encrypted connections
|
|
# to the LDAP database by using the StartTLS extended
|
|
# operation.
|
|
#
|
|
# The StartTLS operation is supposed to be
|
|
# used with normal ldap connections instead of
|
|
# using ldaps (port 636) connections
|
|
start_tls = no
|
|
|
|
# cacertfile = /path/to/cacert.pem
|
|
# cacertdir = /path/to/ca/dir/
|
|
# certfile = /path/to/radius.crt
|
|
# keyfile = /path/to/radius.key
|
|
# randfile = /path/to/rnd
|
|
|
|
# Certificate Verification requirements. Can be:
|
|
# "never" (don't even bother trying)
|
|
# "allow" (try, but don't fail if the cerificate
|
|
# can't be verified)
|
|
# "demand" (fail if the certificate doesn't verify.)
|
|
#
|
|
# The default is "allow"
|
|
# require_cert = "demand"
|
|
}
|
|
|
|
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
|
|
# profile_attribute = "radiusProfileDn"
|
|
# access_attr = "dialupAccess"
|
|
|
|
# Mapping of RADIUS dictionary attributes to LDAP
|
|
# directory attributes.
|
|
dictionary_mapping = ${confdir}/ldap.attrmap
|
|
|
|
# Set password_attribute = nspmPassword to get the
|
|
# user's password from a Novell eDirectory
|
|
# backend. This will work ONLY IF FreeRADIUS has been
|
|
# built with the --with-edir configure option.
|
|
#
|
|
# See also the following links:
|
|
#
|
|
# http://www.novell.com/coolsolutions/appnote/16745.html
|
|
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
|
|
#
|
|
# Novell may require TLS encrypted sessions before returning
|
|
# the user's password.
|
|
#
|
|
# password_attribute = userPassword
|
|
|
|
# Un-comment the following to disable Novell
|
|
# eDirectory account policy check and intruder
|
|
# detection. This will work *only if* FreeRADIUS is
|
|
# configured to build with --with-edir option.
|
|
#
|
|
edir_account_policy_check = no
|
|
|
|
#
|
|
# Group membership checking. Disabled by default.
|
|
#
|
|
# groupname_attribute = cn
|
|
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
|
|
# groupmembership_attribute = radiusGroupName
|
|
|
|
# compare_check_items = yes
|
|
# do_xlat = yes
|
|
# access_attr_used_for_allow = yes
|
|
|
|
#
|
|
# The following two configuration items are for Active Directory
|
|
# compatibility. If you see the helpful "operations error"
|
|
# being returned to the LDAP module, uncomment the next
|
|
# two lines.
|
|
#
|
|
# chase_referrals = yes
|
|
# rebind = yes
|
|
|
|
#
|
|
# By default, if the packet contains a User-Password,
|
|
# and no other module is configured to handle the
|
|
# authentication, the LDAP module sets itself to do
|
|
# LDAP bind for authentication.
|
|
#
|
|
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
|
|
#
|
|
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
|
|
#
|
|
# You can disable this behavior by setting the following
|
|
# configuration entry to "no".
|
|
#
|
|
# allowed values: {no, yes}
|
|
# set_auth_type = yes
|
|
|
|
# ldap_debug: debug flag for LDAP SDK
|
|
# (see OpenLDAP documentation). Set this to enable
|
|
# huge amounts of LDAP debugging on the screen.
|
|
# You should only use this if you are an LDAP expert.
|
|
#
|
|
# default: 0x0000 (no debugging messages)
|
|
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
|
|
#ldap_debug = 0x0028
|
|
|
|
#
|
|
# Keepalive configuration. This MAY NOT be supported by your
|
|
# LDAP library. If these configuration entries appear in the
|
|
# output of "radiusd -X", then they are supported. Otherwise,
|
|
# they are unsupported, and changing them will do nothing.
|
|
#
|
|
keepalive {
|
|
# LDAP_OPT_X_KEEPALIVE_IDLE
|
|
idle = 60
|
|
|
|
# LDAP_OPT_X_KEEPALIVE_PROBES
|
|
probes = 3
|
|
|
|
# LDAP_OPT_X_KEEPALIVE_INTERVAL
|
|
interval = 3
|
|
}
|
|
}
|