# -*- text -*- # # $Id$ # # Lightweight Directory Access Protocol (LDAP) # ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "ldap.example.org" # Port to connect on, defaults to 389. Setting this to # 636 will enable LDAPS if start_tls (see below) is not # able to be used. # port = 389 # Read-only administrator account for initial binding and searching # identity = "cn=admin,dc=example,dc=org" # password = mypass # basedn = "ou=people,dc=example,dc=org" # filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" # # Mapping of RADIUS dictionary attributes to LDAP directory attributes. # # WARNING: Although this format is almost identical to the unlang # update section format, it does *NOT* mean that you can use other # unlang constructs in module configuration files. # # Configuration items are in the format: # # # Where: # : The destination RADIUS attribute # with any valid list and request qualifiers. # : Is any assignment attribute (=, :=, +=, -=). # : The attribute in the associated with user or # profile objects in the LDAP. # directory. If the attribute name is wrapped in # double quotes it will be xlat expanded. # # Request and list qualifiers may also be placed after the section # name to set defaults for unqualified RADIUS attributes. # # Note: LDAP attribute names should be single quoted unless you want # the name value to be derived from an xlat expansion, or an # attribute ref. # update reply { # control:NT-Password := 'ntPassword' # Reply-Message := 'radiusReplyMessage' # Tunnel-Type := 'radiusTunnelType' # Tunnel-Medium-Type := 'radiusTunnelMediumType' # Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId' } # Set to "no" to disable the 'no "known good" password' warning, # if you're not using LDAP to retrieve password values. # expect_password = yes # Set to yes if you have eDirectory and want to use the universal # password mechanism. # edir = no # Set to yes if you want to bind as the user after retrieving the # Cleartext-Password. This will consume the login grace, and # verify user authorization. # edir_autz = no # # Profile related attributes. # profiles { # Control whether or not "access_attr" is used to # determine authorization. If set to "yes", then # "access_attr" existing means "allow access". # "access_attr" not existing means "deny access" # # If set to "no", then # "access_attr" existing means "deny access". # "access_attr" not existing means "allow access" # positive_access_attr = yes # If this is undefined, anyone is authorized. # If it is defined, the contents of this attribute # determine whether or not the user is authorized # access_attr = "dialupAccess" # Base filter for the following profiles. # base_filter = "(objectclass=radiusprofile)" # The default profile applied to all users. # default_profile = "cn=radprofile,dc=example,dc=org" # The list of profiles which are applied (after the default) # to all users. # The "User-Profile" attribute in the control list # will over-ride this setting at run-time. # profile_attribute = "radiusProfileDn" } # # Group membership checking. Disabled by default. # # When doing checks for LDAP-Group = foo" # group { # Check for "cn=foo" # name_attribute = cn # Filter to get the list of groups that a user belongs to. # membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" # If the filter returns nothing membership_attribute = radiusGroupName } # # Modify user object on receiving Accounting-Request # # Useful for recording things like the last time the user logged # in, or the Acct-Session-ID for CoA/DM. # # LDAP modification items are in the format: # # # Where: # : The LDAP attribute to add modify or delete. # : One of the assignment operators: # (:=, +=, -=, ++). # Note: '=' is *not* supported. # : The value to add modify or delete. # # WARNING: If using the ':=' operator with a multivalued LDAP # attribute, all instances of the attribute will be removed and # replaced with a single attribute. # accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } # # Post-Auth can modify LDAP objects too # # For eDir users this is performed *after* the post-auth login checks # post-auth { update { description := "Authenticated at %S" } } # LDAP connection-specific options. # # These options set timeouts, keepalives, etc. for the connections. # options { # # The following two configuration items are for Active Directory # compatibility. If you set these to "no", then searches # will likely return "operations error", instead of a # useful resuly. # chase_referrals = yes rebind = yes # seconds to wait for LDAP query to finish. default: 20 timeout = 10 # seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. timelimit = 3 # # seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1 # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60 # LDAP_OPT_X_KEEPALIVE_PROBES probes = 3 # LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 # ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) ldap_debug = 0x0028 } # # This subsection configures the tls related items # that control how FreeRADIUS connects to an LDAP # server. It contains all of the "tls_*" configuration # entries used in older versions of FreeRADIUS. Those # configuration entries can still be used, but we recommend # using these. # tls { # Set this to 'yes' to use TLS encrypted connections # to the LDAP database by using the StartTLS extended # operation. # # The StartTLS operation is supposed to be # used with normal ldap connections instead of # using ldaps (port 636) connections # start_tls = yes # cacertfile = ${certdir}/cacert.pem # cacertdir = ${certdir} # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = ${certdir}/random # Certificate Verification requirements. Can be: # "never" (don't even bother trying) # "allow" (try, but don't fail if the cerificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # # The default is "allow" # require_cert = "demand" } # As of version 3.0, the "pool" section has replaced the # following configuration items: # # ldap_connections_number # The connection pool is new for 3.0, and will be used in many # modules, for all kinds of connection-related activity. # pool { # Number of connections to start start = 5 # Minimum number of connections to keep open min = 4 # Maximum number of connections # # If these connections are all in use and a new one # is requested, the request will NOT get a connection. max = 10 # Spare connections to be left idle # # NOTE: Idle connections WILL be closed if "idle_timeout" # is set. spare = 3 # Number of uses before the connection is closed # # 0 means "infinite" uses = 0 # The lifetime (in seconds) of the connection lifetime = 0 # idle timeout (in seconds). A connection which is # unused for this length of time will be closed. idle_timeout = 60 # NOTE: All configuration settings are enforced. If a # connection is closed because of "idle_timeout", # "uses", or "lifetime", then the total number of # connections MAY fall below "min". When that # happens, it will open a new connection. It will # also log a WARNING message. # # The solution is to either lower the "min" connections, # or increase lifetime/idle_timeout. } }