3 This module depends on OpenLDAP v2.x SDK libraries. For details on obtaining
4 source of OpenLDAP look at <http://www.openldap.org>. OpenLDAP SDK in turn
5 depends on OpenSSL crypto libraries and (optionaly) on Cyrus-SASL libraries.
9 The mapping between radius and ldap attributes is in raddb/ldap.attrmap. You
10 should edit the file and add any new mapping which you need. The schema files
11 is located in doc/RADIUS-LDAPv3.schema. Before adding any radius attributes
12 the ldap server schema should be updated. All ldap entries containing radius
13 attributes should contain at least "objectclass: radiusprofile"
15 radiusCheckItem and radiusReplyItem are special. They allow the administrator
16 to add any check or reply item respectively without adding it in the ldap
17 schema. The format should be <ldap-attribute>: <radius-attribute> <operator>
20 ie radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
24 Add following subsection to the modules{} section of radiusd.conf to control
31 # server: LDAP server hostname/ip address
33 # Optionaly could contain space separated list of host[:port], but
34 # redundancy/resiliency is better acheived configuring multiple rlm_ldap
35 # module instances and invocing them in redundand/failover
36 # configuration in authorize/authenticate sections
38 # You can also pass an ldap url like ldap://localhost
39 # That way you can also specify alternative ldap schemas like
40 # ldaps:// or ldapi://
41 # The port directive will be ignored in that case
43 # default: settings for your system, as set in etc/openldap/ldap.conf
47 # port: LDAP server port
49 # If LDAP server port is set to 636 (ldaps), SSL connection is enforced.
50 # This feature is useful for LDAP servers which support SSL, but don't
51 # do TLS negotiation (like Novell eDirectory).
57 # net_timeout: # of seconds to wait for response of the server (network
58 # failures) default: 10
62 # timeout: # seconds to wait for LDAP query to finish default: 20
66 # timelimit: # of seconds server has to process the query (server-side
67 # time limit) default: 20
71 # ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
72 # default: 0x0000 (no debugging messages)
73 # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
76 # identity: DN under which LDAP searches are done password: pasword
77 # which authenticate this DN default: anonymous bind, no password
78 # required NOTE: searches are done now over unencrypted connection!
80 # identity = "cn=admin,o=My Org,c=UA" password = mypass
83 # ldap_connections_number: The number of ldap connections that the
84 # module will keep open to use in requests. Usually it will not need to
85 # be larger than 5-10 connections default: 5
87 ldap_connections_number = 5
89 # basedn = <Base of LDAP searches>
91 basedn = "o=My Org,c=UA"
93 # filter: LDAP search filter, to locate user object using name supplied
94 # by client during Radius authentication
96 # default: filter = "(uid=%u)"
98 # base_filter: The LDAP search filter used for base scope searches, like
99 # when searching for the default or regular profiles
101 # deafault: base_filter = "(objectclass=radiusprofile)"
105 # start_tls: When set to "yes" the StartTLS extended operation is used to
106 # start TLS transport encryption.
109 # tls_cacertfile: A PEM-encoded file that contains the CA Certificates that
111 tls_cacertfile = /path/to/cacert.pem
113 # tls_cacertdir: Path the a directory of CA Certificates that you trust, the
114 # directory must be in "hash format" (see openssl verify)
115 tls_cacertdir = /path/to/ca/dir/
117 # tls_certfile: The PEM Encoded certificate file that we should present to
119 tls_certfile = /path/to/radius.crt
121 # tls_keyfile: The PEM Encoded private key that we should use to encrypt the
123 tls_keyfile = /path/to/radius.key
125 # tls_randfile: A file containing random data to seed the OpenSSL PRNG. Not
126 # needed if your OpenSSL is already properly random.
127 tls_randfile = /path/to/rnd
129 # tls_require_cert: Certificate Verification requirements. Can be "never"
130 # (don't even bother trying), "allow" (try, but don't fail if the cerificate
131 # can't be verified), or "demand" (fail if the certificate doesn't verify.)
132 # The default is "allow"
133 tls_require_cert = "allow"
135 # default_profile: DN of a LDAP object, which contains default RADIUS
136 # attributes. default: NULL - use only user specific attributes or
137 # attributes, supplied by other modules.
139 default_profile = "cn=RadProfile,o=My Org,c=UA"
141 # profile_attribute: user object attribute, which contains DN of
142 # radiusProfile object for this user. default: NULL - use only user
143 # specific attributes or attributes, supplied by other modules.
145 # profile_attribute = "radiusProfileDn"
147 # access_attr_used_for_allow: Define if the access attribute (described
148 # below) will be used to allow access (meaning if it exists then user
149 # remote access will be allowed) or to deny access. default: yes - used
152 # access_attr: if attribute is specified, module checks for its
153 # existance in user object. If access_attr_used_for_allow is set to
154 # yes: If it exists the user is allowed to get remote access. If it
155 # exists and is set to FALSE the user is denied remote access. If it
156 # does not exist user is denied remote access by default if
157 # access_attr_used_for_allow is set to no: If it exists the user is
158 # denied remote access. If it does not exist user is allowed remote
161 # default: NULL - don't check for the attribute
163 access_attr = "dialupAccess"
165 # password_header: If the user password is available we add it to the
166 # check items (to assist in CHAP ie) striping any headers first.
167 # NOTE: The password_header directive is NOT case insensitive
170 # password_header = "{clear}"
172 # password_attribute: Define the attribute which contains the user
175 # default: NULL - don't add password
177 # password_attribute = "userPassword"
179 # groupname_attribute: The attribute containing group name in the LDAP
180 # server. It is used to search group by name.
182 # default: cn - Search filter is "(cn=%GroupName)"
184 # groupname_attribute = "cn"
186 # compare_check_items: Specifies if the module will do a comparison on
187 # the check items extracted from the ldap with the corresponding items
188 # present in the incoming request.
190 # default: no - don't do any comparisons
192 # compare_check_items = yes
194 # do_xlat: Specifies if the module will do an xlat on the radius attributes
195 # extracted from the ldap database. Also the attribute operators will be
196 # honored. If the directive is set to 'no' then we will fall back to the
197 # pairadd() function which will just add the attributes at the end of the
198 # corresponding attribute list (check or reply items). This can be used to
199 # fall back to 0.8.1 behaviour without changing the ldap data or to gain a
200 # little performance if the ldap data is rather simple (no special operators)
202 # default: yes - do an xlat and honor operators
207 # groupmembership_filter: The filter to search for group membership of a
208 # particular user after we have found the DN for the group.
210 # default: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
212 # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
215 # groupmembership_attribute: The attribute in the user entry that states
216 # the group the user belongs to. The attribute can either contain the
217 # group name or the group DN. If it contains the group DN
218 # groupmembership_attribute will also be used to find the group's name.
219 # The attribute will be used after a search based on the
220 # groupname_attribute and groupmembership_filter has failed. default:
221 # NULL - don't search for a group based on attributes in the user entry.
223 # groupmembership_attribute = "radiusGroupName"
227 NOTE: As LDAP is case insensitive, you should probably also set "lower_user =
228 yes" and "lower_time = before" in main section of radiusd.conf, to get limits
229 on simultaneous logins working correctly. Otherwise, users will be able get
230 large number of sessions, capitalizing parts of their login names.
232 MODULE MESSAGES: On user rejection rlm_ldap will return the following module
235 "rlm_ldap: User not found" "rlm_ldap: Access Attribute denies access"
236 "rlm_ldap: Bind as user failed"
238 These messages will be visible in radius.log as aditional information in
239 "Login incorrect" and "Invalid user" log messages.
241 LDAP XLAT: The ldap module now supports LDAP URLs in xlat strings. That is you
242 can now add LDAP URLs in the configuration options and hopefully shortly also
243 in the users file. The strings will be of the following form:
245 %{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}
247 The requested attributes list MUST contain only ONE attribute. In case this
248 attribute is multi valued which value is returned is considered UNDEFINED.
249 Also, adding the host:port information SHOULD be avoided unless there are more
250 than one ldap module instances in which case the host,port information can be
251 used to distinguish which module will actually return the information (the
252 xlat function will return NULL if the host,port information does not
253 correspond to the configured attributes). If there are more than one
254 instances the module instance name can be used instead of the string 'ldap'
255 before the ldap url to decide which instance will return the information.
256 That is the xlat string will be of the form:
258 %{$instance_name:ldap:///dc=comapny,dc=com?uid?sub?uid=%u}
260 i.e.: ${ldap_company1:ldap:///dc=company1,dc=com?uid?sub?uid=%u}
263 USER PROFILE ATTRIBUTE: The module can use the User-Profile attribute. If it
264 is set, it will assume that it contains the DN of a profile entry containing
265 radius attributes. This entry will _replace_ the default profile directive.
266 That way we can use different profiles based on checks on the radius
267 attributes contained in the Access-Request packets. For example (users file):
269 DEFAULT Service-Type == Outbound-User, User-Profile := "uid=outbound-dialup,dc=company,dc=com"
272 GROUP SUPPORT: The module supports searching for ldap groups by use of the
273 Ldap-Group attribute. As long as the module has been instanciated it can be
274 used to do group membership checks through other modules. For example in the
277 DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
278 Reply-Message = "Sorry, you are not allowed to have dialup access"
280 DNs are also accepted as Ldap-Group values, i.e.:
282 DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject
283 Reply-Message = "Sorry, you are not allowed to have dialup access"
287 When rlm_ldap has found the DN corresponding to the username provided in the access-request
288 (all this happens in the authorize section) it will add an Ldap-UserDN attribute in the check
289 items list containing that DN. The attribute will be searched for in the authenticate section
290 and if present will be used for authentication (ldap bind with the user DN/password). Otherwise
291 a search will be performed to find the user dn. If the administrator wishes to use rlm_ldap only
292 for authentication or does not wish to populate the identity,password configuration attributes
293 he can set this attribute by other means and avoid the ldap search completely. For instance it can
294 be set through the users file in the authorize section:
296 DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`
299 DIRECTORY COMPATIBILITY NOTE: If you use LDAP only for authorization and
300 authentication (e.g. you can not afford schema extention), I propose to set
301 all necessary attributes in raddb/users file with following authorize section
304 authorize { ldap { notfound = return } files }