5 # Lightweight Directory Access Protocol (LDAP)
9 # Note that this needs to match the name in the LDAP
10 # server certificate (subject or subjectAltName) whenever TLS is in
10 # use, i.e. ldaps or start_tls: certificate verification (see
10 # require_cert below) compares this name against the certificate.
11 server = "ldap.example.org"
13 # Port to connect on, defaults to 389. Setting this to
14 # 636 will enable LDAPS if start_tls (see below) is not
18 # Read-only account used for the initial bind and for the searches
18 # below. Use a dedicated, least-privilege directory account with read
18 # access to the user and group entries only, not an administrator;
18 # the example DN is illustrative.
19 # identity = "cn=admin,dc=example,dc=org"
23 # basedn = "ou=people,dc=example,dc=org"
24 # User-Name is client-supplied and must be treated as untrusted.
24 # The module escapes the expanded value before it is placed in the
24 # filter (confirm this for the version in use); keep the filter to a
24 # simple attribute match like the one below.
24 # filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
26 # Mapping of RADIUS dictionary attributes to LDAP
27 # directory attributes.
28 # dictionary_mapping = ${confdir}/ldap.attrmap
30 # Profile related attributes.
33 # Control whether or not "access_attr" is used to
34 # determine authorization. If set to "yes", then
35 # "access_attr" existing means "allow access".
36 # "access_attr" not existing means "deny access"
38 # If set to "no", then
39 # "access_attr" existing means "deny access".
40 # "access_attr" not existing means "allow access"
41 # positive_access_attr = yes
43 # If access_attr is left undefined, every user found by the search
44 # above is authorized by this module. If it is defined, the presence
45 # (or absence) of this attribute on the user's entry, interpreted
45 # according to positive_access_attr above, decides authorization.
46 # access_attr = "dialupAccess"
48 # Base filter for the following profiles.
49 # base_filter = "(objectclass=radiusprofile)"
51 # The default profile applied to all users.
52 # default_profile = "cn=radprofile,dc=example,dc=org"
54 # The list of profiles which are applied (after the default)
56 # The "User-Profile" attribute in the control list
57 # will over-ride this setting at run-time.
58 # profile_attribute = "radiusProfileDn"
62 # Group membership checking. Disabled by default.
64 # When doing checks for LDAP-Group == "foo"
70 # Filter to get the list of groups that a user belongs to.
71 # membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
73 # If the filter returns nothing
74 membership_attribute = radiusGroupName
77 # LDAP connection-specific options.
79 # These options set timeouts, keepalives, etc. for the connections.
83 # The following two configuration items are for Active Directory
84 # compatibility. If you see the helpful "operations error"
85 # being returned to the LDAP module, uncomment the next
88 # Chasing referrals makes the module follow redirects to whichever
88 # server the directory names, so enable it only when every server a
88 # referral can point to is trusted. If rebinding on the referred-to
88 # server is also enabled, the bind account's credentials are sent to
88 # that server as well.
88 # chase_referrals = yes
91 # seconds to wait for LDAP query to finish. default: 20
94 # seconds LDAP server has to process the query (server-side
95 # time limit). default: 20
97 # LDAP_OPT_TIMELIMIT is set to this value.
101 # seconds to wait for response of the server. (network
102 # failures) default: 10
104 # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
107 # LDAP_OPT_X_KEEPALIVE_IDLE
110 # LDAP_OPT_X_KEEPALIVE_PROBES
113 # LDAP_OPT_X_KEEPALIVE_INTERVAL
116 # ldap_debug: debug flag for LDAP SDK
117 # (see OpenLDAP documentation). Set this to enable
118 # huge amounts of LDAP debugging on the screen.
119 # You should only use this if you are an LDAP expert, and only while
119 # diagnosing a problem: the output can include bind DNs, search
119 # filters containing user names and other directory data, so do not
119 # leave it enabled in production.
121 # default: 0x0000 (no debugging messages)
122 # Example: (LDAP_DEBUG_FILTER + LDAP_DEBUG_CONNS)
127 # This subsection configures the tls related items
128 # that control how FreeRADIUS connects to an LDAP
129 # server. It contains all of the "tls_*" configuration
130 # entries used in older versions of FreeRADIUS. Those
131 # configuration entries can still be used, but we recommend
135 # Set this to 'yes' to use TLS encrypted connections
136 # to the LDAP database by using the StartTLS extended
139 # The StartTLS operation is supposed to be
140 # used with normal ldap connections (port 389) instead of
141 # using ldaps (port 636) connections. Whichever is used, set
141 # require_cert = "demand" below so the server certificate is
141 # actually verified; otherwise the bind credentials are sent to an
141 # unauthenticated peer.
144 # CA certificate(s) used to verify the LDAP server's certificate;
144 # this is what require_cert = "demand" checks against.
144 # cacertfile = ${certdir}/cacert.pem
146 # cacertdir = ${certdir}
147 # Client certificate and private key, for TLS client authentication
147 # if the LDAP server requires it. The key file must be readable only
147 # by the user the daemon runs as.
147 # certfile = /path/to/radius.crt
148 # keyfile = /path/to/radius.key
149 # randfile = ${certdir}/random
151 # Certificate Verification requirements. Can be:
152 # "never" (don't even bother trying)
153 # "allow" (try, but don't fail if the certificate
155 # "demand" (fail if the certificate doesn't verify.)
157 # The default is "allow". Note that "never" and "allow" both accept
157 # an unverified server, which leaves the connection open to a
157 # man-in-the-middle; use "demand" in production.
158 # require_cert = "demand"
162 # As of version 3.0, the "pool" section has replaced the
163 # following configuration items:
165 # ldap_connections_number
167 # The connection pool is new for 3.0, and will be used in many
168 # modules, for all kinds of connection-related activity.
171 # Number of connections to start
174 # Minimum number of connections to keep open
177 # Maximum number of connections
179 # If these connections are all in use and a new one
180 # is requested, the request will NOT get a connection.
183 # Spare connections to be left idle
185 # NOTE: Idle connections WILL be closed if "idle_timeout"
189 # Number of uses before the connection is closed
194 # The lifetime (in seconds) of the connection
197 # idle timeout (in seconds). A connection which is
198 # unused for this length of time will be closed.
201 # NOTE: All configuration settings are enforced. If a
202 # connection is closed because of "idle_timeout",
203 # "uses", or "lifetime", then the total number of
204 # connections MAY fall below "min". When that
205 # happens, it will open a new connection. It will
206 # also log a WARNING message.
208 # The solution is to either lower the "min" connections,
209 # or increase lifetime/idle_timeout.