-1. INSTALATION
+1. INSTALLATION
This module depends on OpenLDAP v2.x SDK libraries. For details on obtaining
source of OpenLDAP look at <http://www.openldap.org>. OpenLDAP SDK in turn
depends on OpenSSL crypto libraries and (optionaly) on Cyrus-SASL libraries.
+See also: http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html
+
+It's not up to date, though. For example, you do NOT have to edit
+the "dictionary" file.
+
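Review bot: the added "See also" line tells the reader the HOWTO is out of date but not which part to follow instead; say that the attribute mapping now lives in raddb/ldap.attrmap (section 2) rather than only that the "dictionary" file need not be edited. The unchanged sentence two lines above still has "optionaly" for "optionally", and the new bare URL could use the same angle-bracket form as the openldap.org link above it.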
2. LDAP ATTRIBUTES
The mapping between radius and ldap attributes is in raddb/ldap.attrmap. You
should edit the file and add any new mapping which you need. The schema files
-is located in doc/RADIUS-LDAPv3.schema. Before adding any radius attributes
+is located in doc/examples/openldap.schema. Before adding any radius attributes
the ldap server schema should be updated. All ldap entries containing radius
attributes should contain at least "objectclass: radiusprofile"
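Review bot: the path is corrected to doc/examples/openldap.schema, but the sentence around it still reads "The schema files is located"; make it "The schema file is located in doc/examples/openldap.schema". The closing sentence also lacks a full stop after "objectclass: radiusprofile".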
#
# deafault: base_filter = "(objectclass=radiusprofile)"
+ filter = "(uid=%u)"
+
+# start_tls: When set to "yes" the StartTLS extended operation is used to
+# start TLS transport encryption.
+ start_tls = no
+
+# tls_mode: When set to "yes" OR the server port is 636 we try to connect with TLS
+# Start TLS should be prefered, tls_mode is provided only for ldap servers
+# like Active Directory which do not support it.
+# default: no
+
+ tls_mode = no
+
+# tls_cacertfile: A PEM-encoded file that contains the CA Certificates that
+# you trust
+ tls_cacertfile = /path/to/cacert.pem
+
+# tls_cacertdir: Path the a directory of CA Certificates that you trust, the
+# directory must be in "hash format" (see openssl verify)
+ tls_cacertdir = /path/to/ca/dir/
+
+# tls_certfile: The PEM Encoded certificate file that we should present to
+# clients connecting
+ tls_certfile = /path/to/radius.crt
+
+# tls_keyfile: The PEM Encoded private key that we should use to encrypt the
+# session
+ tls_keyfile = /path/to/radius.key
+
+# tls_randfile: A file containing random data to seed the OpenSSL PRNG. Not
+# needed if your OpenSSL is already properly random.
+ tls_randfile = /path/to/rnd
+
+# tls_require_cert: Certificate Verification requirements. Can be "never"
+# (don't even bother trying), "allow" (try, but don't fail if the cerificate
+# can't be verified), or "demand" (fail if the certificate doesn't verify.)
+# The default is "allow"
+ tls_require_cert = "allow"
+
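Review bot: the tls_require_cert block documents "allow" as the default and describes it as "try, but don't fail if the certificate can't be verified", which means that neither start_tls nor tls_mode verifies the LDAP server's identity unless the administrator changes it, so a TLS session will be accepted with any certificate. State plainly that "demand" together with tls_cacertfile or tls_cacertdir is the setting for a production server that carries user passwords, and that "allow" only protects against passive observation. The tls_certfile and tls_keyfile comments also describe the wrong side of the connection: rlm_ldap is the LDAP client, so the certificate is presented to the LDAP server (client certificate authentication) rather than "to clients connecting", and the private key is not used "to encrypt the session" but to prove possession of that certificate. The start_tls option should carry a "default: no" line like tls_mode does, the filter example "(uid=%u)" should say whether %u is escaped for LDAP filter metacharacters before being substituted, and the comments have "prefered", "cerificate" and "Path the a directory" typos.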
# default_profile: DN of a LDAP object, which contains default RADIUS
# attributes. default: NULL - use only user specific attributes or
# attributes, supplied by other modules.
# password_attribute: Define the attribute which contains the user
# password.
+# While integrating FreeRADIUS with Novell eDirectory, set
+# 'password_attribute = nspmpassword' in order to use the universal
+# password of the eDirectory users for RADIUS authentication. This will
+# work only if FreeRADIUS is configured to build with --with-edir option.
#
# default: NULL - don't add password
#
# password_attribute = "userPassword"
+# edir_account_policy_check: Specifies if the module has to enforce
+# Novell eDirectory account policy check and intruder detection for
+# RADIUS users. This will work only if FreeRADIUS is configured to build
+# with --with-edir option.
+#
+# default: yes - eDirectory account policy check enabled
+#
+# edir_account_policy_check = no
+
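Review bot: the password_attribute and edir_account_policy_check comments both repeat "This will work only if FreeRADIUS is configured to build with --with-edir option"; say it once, as "built with the --with-edir option". The edir_account_policy_check example line shows "no" directly under a stated default of "yes"; label it as an example of disabling the check and, since disabling it turns off intruder detection for RADIUS users, say when that is appropriate rather than leaving it as a bare commented line. For password_attribute, mention that reading the password attribute requires the bind identity used by the module to have read access to it, and that the default "NULL - don't add password" is the preferable setting when the module only authenticates by binding as the user.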
# groupname_attribute: The attribute containing group name in the LDAP
# server. It is used to search group by name.
#
# default: no - don't do any comparisons
#
# compare_check_items = yes
+
+# do_xlat: Specifies if the module will do an xlat on the radius attributes
+# extracted from the ldap database. Also the attribute operators will be
+# honored. If the directive is set to 'no' then we will fall back to the
+# pairadd() function which will just add the attributes at the end of the
+# corresponding attribute list (check or reply items). This can be used to
+# fall back to 0.8.1 behaviour without changing the ldap data or to gain a
+# little performance if the ldap data is rather simple (no special operators)
+#
+# default: yes - do an xlat and honor operators
+#
+# do_xlat = yes
# groupmembership_filter: The filter to search for group membership of a
} }
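Review bot: the do_xlat comment should state plainly that with do_xlat = yes the values fetched from the directory are treated as templates: %{...} expansions are performed and the operator in the value is honoured, so the radius attributes in LDAP are trusted configuration, and write access to them in the directory amounts to write access to the check and reply items. "fall back to 0.8.1 behaviour" names a version without saying what that behaviour was; the pairadd() description already says it (plain append, no operators), so phrase it as "the pre-xlat behaviour of 0.8.1 (plain pairadd)". The stray "} }" on the trailing context line looks like leftover from an example block above it and should be checked against the full file.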
-NOTE: As LDAP is case insensitive, you should probably also set "lower_user =
-yes" and "lower_time = before" in main section of radiusd.conf, to get limits
-on simultaneous logins working correctly. Otherwise, users will be able get
-large number of sessions, capitalizing parts of their login names.
-
MODULE MESSAGES: On user rejection rlm_ldap will return the following module
messages:
Reply-Message = "Sorry, you are not allowed to have dialup access"
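Review bot: deleting the NOTE about lower_user and lower_time removes the only explanation of why limits on simultaneous logins could be bypassed by varying the case of the login name, given that LDAP lookups are case-insensitive. If those options have been removed or the module now normalises case itself, say where that happens; otherwise keep the note, because the simultaneous-login limit still depends on it.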
+
+Also if you are using multiple ldap module instances a per instance
+Ldap-Group attribute is registered and can be used. It is of the form
+<instance_name>-Ldap-Group. In other words if in radiusd.conf we
+configure an ldap module instance like:
+
+ldap myname { [...] }
+
+we can then use the myname-Ldap-Group attribute to match user
+groups. Make sure though that the ldap module is instantiated *before*
+the files module so that it will have time to register the
+corresponding attribute. One solution would be to add the ldap module
+in the instantiate{} block in radiusd.conf
+
+
+USERDN Attribute:
+When rlm_ldap has found the DN corresponding to the username provided
+in the access-request (all this happens in the authorize section) it
+will add an Ldap-UserDN attribute in the request items list containing
+that DN. The attribute will be searched for in the authenticate
+section and if present will be used for authentication (ldap bind with
+the user DN/password). Otherwise a search will be performed to find
+the user dn. If the administrator wishes to use rlm_ldap only for
+authentication or does not wish to populate the identity,password
+configuration attributes he can set this attribute by other means and
+avoid the ldap search completely. For instance it can be set through
+the hints file in the authorize section:
+
+DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`
+
+The "users" file won't work, because it can't add items to the request.
+
+
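Review bot: the hints example for Ldap-UserDN wraps the DN in backquotes; in the users/hints file syntax a backquoted value is treated differently from a double-quoted one, so confirm that the parser expands %{User-Name} here rather than treating the value as something to execute, or change the example to double quotes, the usual form for a string that needs xlat expansion. The section should also say that whatever sets Ldap-UserDN in the request decides which DN the module binds as, so it must only be set from trusted configuration (hints, as shown) and never copied from an attribute the client supplied. In the Ldap-Group paragraph, the instantiate{} suggestion is phrased as "One solution would be"; if it is the supported way to guarantee the module is instantiated before the files module, state it as the instruction, and "<instance_name>-Ldap-Group" would be clearer shown with the concrete "myname-Ldap-Group" first.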
DIRECTORY COMPATIBILITY NOTE: If you use LDAP only for authorization and
-authentication (e.g. you can not afford schema extention), I propose to set
+authentication (e.g. you can not afford schema extension), we suggest you set
all necessary attributes in raddb/users file with following authorize section
of radiusd.conf :
authorize { ldap { notfound = return } files }
+
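Review bot: the reworded sentence still does not say what "only for authorization and authentication" excludes; from the suggested configuration it means "when the RADIUS attributes themselves are not stored in LDAP", so say that. "e.g. you can not afford schema extension" should read "e.g. because you cannot extend the schema", and the example "authorize { ldap { notfound = return } files }" deserves one line explaining that "notfound = return" stops the authorize section for users absent from the directory before the files module is consulted, which is the point of that ordering.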
+LDAP and Active Directory
+-------------------------
+
+Active directory does not return anything in the userPassword
+attribute, unlike other LDAP servers. As a result, you cannot use
+Active Directory to perform CHAP, MS-CHAP, or EAP-MD5 authentication.
+You can only use PAP, and then only if you list "ldap" in the
+"authenticate" section.
+
+To do MS-CHAP against an Active Directory domain, see the comments in
+radiusd.conf, about "ntlm_auth". You will need to install Samba.
+
+
+If you see "Operations error" returned from an LDAp query, you may
+need to set dsHeuristics to 0000002 in Active Directory. This allows
+searches to function similar to how they did in Active Directory
+2k2. You can update dsHeuristics by launching ldp.exe, going to
+'connection' and create a new connection. Then goto bind and bind to
+your ldap server. Next select the 'Browse' menu and choose
+'modify'. The DN *might* look like this:
+
+CN=Directory Service,CN=Windows
+NT,CN=Services,CN=Configuration,DC=mycompany,DC=com
+
+Attribute is: dsHeuristics
+Value is: 0000002
+
+Set the operation to replace and you should be set. This should solve
+the 'Operations error' error that happens when attempting to search
+without specifying an OU.
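Review bot: the dsHeuristics instructions ask the administrator to change a forest-wide directory setting without saying what it does. The value 0000002 sets the seventh character of dsHeuristics to 2, the flag that permits anonymous LDAP operations beyond the rootDSE (the Windows 2000 behaviour the text alludes to with "2k2", which should read "Windows 2000"); "Operations error" is typically returned for an unauthenticated search, so this change is far broader than the problem it fixes. Recommend the narrower fix first: configure identity/password so rlm_ldap binds as a dedicated read-only account and set basedn to include the OU, and present the dsHeuristics change as a last resort with its effect stated. Also "LDAp" should be "LDAP", "goto bind" should be "go to Bind", and the DN should be kept on one line so it can be copied verbatim.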