6 # Lightweight Directory Access Protocol (LDAP)
9 # Note that this needs to match the name(s) in the LDAP server
10 # certificate if you're using ldaps or start_tls with certificate verification ('require_cert = demand' below): the hostname configured here is what the server certificate is checked against. See OpenLDAP documentation
11 # for the behavioral semantics of specifying more than one host.
13 # Depending on the libldap in use, server may be an LDAP URI.
14 # In the case of OpenLDAP this additionally allows the following
16 # - ldaps:// (LDAP over TLS/SSL, port 636 by default)
17 # - ldapi:// (LDAP over Unix socket)
18 # - ldapc:// (Connectionless LDAP over UDP; it cannot be wrapped in TLS or StartTLS, so do not use it for binds that carry credentials)
20 # server = 'ldap.rrdns.example.org'
21 # server = 'ldap.rrdns.example.org'
23 # Port to connect on, defaults to 389, will be ignored for LDAP URIs.
26 # Administrator account for searching and possibly modifying. Use a dedicated bind account granted only the read rights the lookups below need (plus write rights to the attributes modified by the accounting and post-auth sections, if you use them) rather than the directory's root/admin DN.
27 # identity = 'cn=admin,dc=example,dc=org'
30 # Unless overridden in another section, the dn from which all
31 # searches will start from.
32 base_dn = 'dc=example,dc=org'
34 # SASL mechanism to use for administrative binds.
35 # Uncomment for certificate auth or peercred auth (ldapi:// only).
36 # sasl_mech = 'EXTERNAL'
39 # Generic valuepair attribute
42 # If set, this attribute will be retrieved in addition to any
45 # Values should be in the format:
46 # <radius attr> <op> <value>
49 # <radius attr>: Is the attribute you wish to create
50 # with any valid list and request qualifiers.
51 # <op>: Is any assignment operator (=, :=, +=, -=).
52 # <value>: Is the value to parse into the new valuepair.
53 # If the value is wrapped in double quotes it
54 # will be xlat expanded.
55 # valuepair_attribute = 'radiusAttribute'
58 # Mapping of LDAP directory attributes to RADIUS dictionary attributes. Mapping a password attribute (for example 'userPassword' below) copies credential material from the directory into the request, and requires the bind identity to be able to read that attribute; restrict that read permission in the directory to the RADIUS bind account.
61 # WARNING: Although this format is almost identical to the unlang
62 # update section format, it does *NOT* mean that you can use other
63 # unlang constructs in module configuration files.
65 # Configuration items are in the format:
66 # <radius attr> <op> <ldap attr>
69 # <radius attr>: Is the destination RADIUS attribute
70 # with any valid list and request qualifiers.
71 # <op>: Is any assignment operator (=, :=, +=, -=).
72 # <ldap attr>: Is the attribute associated with user or
73 # profile objects in the LDAP directory.
74 # If the attribute name is wrapped in double
75 # quotes it will be xlat expanded.
77 # Request and list qualifiers may also be placed after the 'update'
78 # section name to set the default destination request/list
79 # for unqualified RADIUS attributes.
81 # Note: LDAP attribute names should be single quoted unless you want
82 # the name value to be derived from an xlat expansion, or an
85 control:Password-With-Header += 'userPassword'
86 # control:NT-Password := 'ntPassword'
87 # reply:Reply-Message := 'radiusReplyMessage'
88 # reply:Tunnel-Type := 'radiusTunnelType'
89 # reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
90 # reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
92 # Where only a list is specified as the RADIUS attribute,
93 # the value of the LDAP attribute is parsed as a valuepair
94 # in the same format as the 'valuepair_attribute' (above).
95 control: += 'radiusControlAttribute'
96 request: += 'radiusRequestAttribute'
97 reply: += 'radiusReplyAttribute'
100 # Set to yes if you have eDirectory and want to use the universal
101 # password mechanism.
104 # Set to yes if you want to bind as the user after retrieving the
105 # Cleartext-Password. This will consume the login grace, and
106 # verify user authorization. The bind sends the user's password to the LDAP server, so only enable this over ldaps://, start_tls or ldapi:// connections.
109 # Note: set_auth_type was removed in v3.x.x
110 # Equivalent functionality can be achieved by adding the following
111 # stanza to the authorize {} section of your virtual server.
114 # if ((ok || updated) && User-Password) {
116 # control:Auth-Type := ldap
121 # User object identification.
124 # Where to start searching in the tree for users
125 base_dn = '${..base_dn}'
127 # Filter for user objects, should be specific enough
128 # to identify a single user object. The expanded User-Name comes from the RADIUS client, so keep the filter to a single attribute equality match like the one below rather than a wildcard search, and confirm for your rlm_ldap version that xlat expansions inside filters are LDAP-escaped.
129 filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
131 # SASL mechanism to use for user binds. Note that 'PLAIN' carries the user's password in the clear within the bind exchange, so only use it on a TLS-protected (ldaps/start_tls) or ldapi:// connection.
132 # sasl_mech = 'PLAIN'
134 # Search scope, may be 'base', 'one', 'sub' or 'children'
137 # Server side result sorting
139 # A list of space delimited attributes to order the result
140 # set by, if the filter matches multiple objects.
141 # Only the first result in the set will be processed.
143 # If the attribute name is prefixed with a hyphen '-' the
144 # sorting order will be reversed for that attribute.
146 # If sort_by is set, and the server does not support sorting
147 # the search will fail.
150 # If this is undefined, no per-user access check is made: every user matched by the filter is authorised.
151 # If it is defined, the contents of this attribute
152 # determine whether or not the user is authorised.
153 # access_attribute = 'dialupAccess'
155 # Control whether the presence of 'access_attribute'
156 # allows access, or denies access.
158 # If 'yes', and the access_attribute is present, or
159 # 'no' and the access_attribute is absent then access
162 # If 'yes', and the access_attribute is absent, or
163 # 'no' and the access_attribute is present, then
164 # access will not be allowed.
166 # If the value of the access_attribute is 'false', it
167 # will negate the result.
170 # access_positive = yes
171 # access_attribute = userAccessAllowed
173 # With an LDAP object containing:
174 # userAccessAllowed: false
176 # Will result in the user being locked out.
177 # access_positive = yes
181 # User membership checking.
184 # Where to start searching in the tree for groups
185 base_dn = '${..base_dn}'
187 # Filter for group objects, should match all available
188 # group objects a user might be a member of.
189 filter = '(objectClass=posixGroup)'
191 # Search scope, may be 'base', 'one', 'sub' or 'children'
194 # Attribute that uniquely identifies a group.
195 # Is used when converting group DNs to group
197 # name_attribute = cn
199 # Filter to find group objects a user is a member of.
200 # That is, group objects with attributes that
201 # identify members (the inverse of membership_attribute).
202 # membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
204 # The attribute in user objects which contains the names
205 # or DNs of groups a user is a member of.
207 # Unless a conversion between group name and group DN is
208 # needed, there's no requirement for the group objects
209 # referenced to actually exist.
210 membership_attribute = 'memberOf'
212 # If cacheable_name or cacheable_dn are enabled,
213 # all group information for the user will be
214 # retrieved from the directory and written to LDAP-Group
215 # attributes appropriate for the instance of rlm_ldap.
217 # For group comparisons these attributes will be checked
218 # instead of querying the LDAP directory directly.
220 # This feature is intended to be used with rlm_cache.
222 # If you wish to use this feature, you should enable
223 # the type that matches the format of your check items
224 # i.e. if your groups are specified as DNs then enable
225 # cacheable_dn else enable cacheable_name.
226 # cacheable_name = 'no'
227 # cacheable_dn = 'no'
229 # Override the normal cache attribute (<inst>-LDAP-Group or
230 # LDAP-Group if using the default instance) and create a
231 # custom attribute. This can help if multiple module instances
232 # are used in fail-over.
233 # cache_attribute = 'LDAP-Cached-Membership'
237 # User profiles. RADIUS profile objects contain sets of attributes
238 # to insert into the request. These attributes are mapped using
239 # the same mapping scheme applied to user objects.
242 # Filter for RADIUS profile objects
243 # filter = '(objectclass=radiusprofile)'
245 # The default profile applied to all users.
246 # default = 'cn=radprofile,dc=example,dc=org'
248 # The list of profiles which are applied (after the default)
250 # The 'User-Profile' attribute in the control list
251 # will override this setting at run-time.
252 # attribute = 'radiusProfileDn'
256 # Bulk load clients from the directory
259 # Where to start searching in the tree for clients
260 base_dn = '${..base_dn}'
263 # Filter to match client objects
265 filter = '(objectClass=radiusClient)'
267 # Search scope, may be 'base', 'one', 'sub' or 'children'
271 # Sets default values (not obtained from LDAP) for new client entries. Setting require_message_authenticator = yes here requires every directory-loaded client to include a Message-Authenticator attribute in its requests, unless overridden per client via the 'require_message_authenticator' mapping below.
277 # require_message_authenticator = yes
279 # Uncomment to add a home_server with the same
280 # attributes as the client.
282 # response_window = 2.0
287 # Client attribute mappings are in the format:
288 # <client attribute> = <ldap attribute>
290 # The following attributes are required:
291 # * ipaddr | ipv4addr | ipv6addr - Client IP Address.
292 # * secret - RADIUS shared secret. The bind identity reads this attribute for every loaded client, so restrict read access to it in the directory to that account.
294 # All other attributes usually supported in a client
295 # definition are also supported here.
297 # Schemas are available in doc/schemas/ldap for openldap and eDirectory
300 ipaddr = 'radiusClientIdentifier'
301 secret = 'radiusClientSecret'
302 # shortname = 'radiusClientShortname'
303 # nas_type = 'radiusClientType'
304 # virtual_server = 'radiusClientVirtualServer'
305 # require_message_authenticator = 'radiusClientRequireMa'
309 # Load clients on startup
313 # Modify user object on receiving Accounting-Request
316 # Useful for recording things like the last time the user logged
317 # in, or the Acct-Session-ID for CoA/DM.
319 # LDAP modification items are in the format:
320 # <ldap attr> <op> <value>
323 # <ldap attr>: The LDAP attribute to add, modify or delete.
324 # <op>: One of the assignment operators:
326 # Note: '=' is *not* supported.
327 # <value>: The value to add, modify or delete.
329 # WARNING: If using the ':=' operator with a multi-valued LDAP
330 # attribute, all instances of the attribute will be removed and
331 # replaced with a single attribute.
333 reference = "%{tolower:type.%{Acct-Status-Type}}"
338 description := "Online at %S"
344 description := "Last seen at %S"
350 description := "Offline at %S"
357 # Post-Auth can modify LDAP objects too
361 description := "Authenticated at %S"
366 # LDAP connection-specific options.
368 # These options set timeouts, keep-alives, etc. for the connections.
371 # Control under which situations aliases are followed.
372 # May be one of 'never', 'searching', 'finding' or 'always'
373 # default: libldap's default which is usually 'never'.
375 # LDAP_OPT_DEREF is set to this value.
376 # dereference = 'always'
379 # The following two configuration items control whether the
380 # server follows referrals returned by the LDAP directory.
381 # They are mostly for Active Directory compatibility. A referral redirects the query to whichever host the directory names and the module connects to that host on your behalf, so chase referrals only against a directory you trust and with certificate verification ('require_cert') enabled.
382 # If you set these to 'no', then searches will likely return
383 # 'operations error', instead of a useful result.
385 chase_referrals = yes
388 # Seconds to wait for LDAP query to finish. default: 20
391 # Seconds LDAP server has to process the query (server-side
392 # time limit). default: 20
394 # LDAP_OPT_TIMELIMIT is set to this value.
397 # Seconds to wait for response of the server. (network
398 # failures) default: 10
400 # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
403 # LDAP_OPT_X_KEEPALIVE_IDLE
406 # LDAP_OPT_X_KEEPALIVE_PROBES
409 # LDAP_OPT_X_KEEPALIVE_INTERVAL
412 # ldap_debug: debug flag for LDAP SDK
413 # (see OpenLDAP documentation). Set this to enable
414 # huge amounts of LDAP debugging on the screen. The output may include directory data and connection details, so do not leave it enabled in production.
415 # You should only use this if you are an LDAP expert.
417 # default: 0x0000 (no debugging messages)
418 # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
423 # This subsection configures the tls related items
424 # that control how FreeRADIUS connects to an LDAP
425 # server. It contains all of the 'tls_*' configuration
426 # entries used in older versions of FreeRADIUS. Those
427 # configuration entries can still be used, but we recommend
431 # Set this to 'yes' to use TLS encrypted connections
432 # to the LDAP database by using the StartTLS extended
435 # The StartTLS operation upgrades a plain ldap:// (port 389)
436 # connection to TLS after it is established; do not enable it for
437 # ldaps:// (port 636) connections, which are already TLS from the start.
440 # ca_file = ${certdir}/cacert.pem
442 # ca_path = ${certdir}
443 # certificate_file = /path/to/radius.crt
444 # private_key_file = /path/to/radius.key
445 # random_file = /dev/urandom
447 # Certificate Verification requirements. Can be:
448 # 'never' (don't even bother trying)
449 # 'allow' (try, but don't fail if the certificate
451 # 'demand' (fail if the certificate doesn't verify).
453 # The default is 'allow', which still proceeds when the server certificate cannot be verified. For ldaps:// or start_tls in production set 'demand' and configure ca_file/ca_path; otherwise there is no assurance that the connection reached the intended server.
454 # require_cert = 'demand'
458 # As of version 3.0, the 'pool' section has replaced the
459 # following configuration items:
461 # ldap_connections_number
463 # The connection pool is new for 3.0, and will be used in many
464 # modules, for all kinds of connection-related activity.
466 # When the server is not threaded, the connection pool
467 # limits are ignored, and only one connection is used.
469 # Connections to create during module instantiation.
470 # If the server cannot create the specified number of
471 # connections during instantiation it will exit.
472 # Set to 0 to allow the server to start without the
473 # directory being available.
474 start = ${thread[pool].start_servers}
476 # Minimum number of connections to keep open
477 min = ${thread[pool].min_spare_servers}
479 # Maximum number of connections
481 # If these connections are all in use and a new one
482 # is requested, the request will NOT get a connection.
484 # Setting 'max' to LESS than the number of threads means
485 # that some threads may starve, and you will see errors
486 # like 'No connections available and at max connection limit'
488 # Setting 'max' to MORE than the number of threads means
489 # that there are more connections than necessary.
490 max = ${thread[pool].max_servers}
492 # Spare connections to be left idle
494 # NOTE: Idle connections WILL be closed if "idle_timeout"
495 # is set. This should be less than or equal to "max" above.
496 spare = ${thread[pool].max_spare_servers}
498 # Number of uses before the connection is closed
503 # The number of seconds to wait after the server tries
504 # to open a connection, and fails. During this time,
505 # no new connections will be opened.
508 # The lifetime (in seconds) of the connection
511 # Idle timeout (in seconds). A connection which is
512 # unused for this length of time will be closed.
515 # NOTE: All configuration settings are enforced. If a
516 # connection is closed because of 'idle_timeout',
517 # 'uses', or 'lifetime', then the total number of
518 # connections MAY fall below 'min'. When that
519 # happens, it will open a new connection. It will
520 # also log a WARNING message.
522 # The solution is to either lower the 'min' connections,
523 # or increase lifetime/idle_timeout.