The mapping between radius and ldap attributes is in raddb/ldap.attrmap. You
should edit the file and add any new mapping which you need. The schema files
-is located in doc/RADIUS-LDAPv3.schema. Before adding any radius attributes
+is located in doc/examples/openldap.schema. Before adding any radius attributes
the ldap server schema should be updated. All ldap entries containing radius
attributes should contain at least "objectclass: radiusprofile"
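Review bot: the sentence touched here still reads "The schema files is located in doc/examples/openldap.schema", which mixes a plural subject with a singular verb now that one file is named. Suggest "The schema file is located in doc/examples/openldap.schema". Since the new file name is OpenLDAP-specific, it would also help to say what administrators of other directory servers should load instead.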
} }
-NOTE: As LDAP is case insensitive, you should probably also set "lower_user =
-yes" and "lower_time = before" in main section of radiusd.conf, to get limits
-on simultaneous logins working correctly. Otherwise, users will be able get
-large number of sessions, capitalizing parts of their login names.
-
MODULE MESSAGES: On user rejection rlm_ldap will return the following module
messages:
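Review bot: deleting the NOTE removes the document's only warning that, because LDAP is case insensitive, users can get around simultaneous-login limits by capitalizing parts of their login names. If "lower_user = yes" and "lower_time = before" are no longer the recommended settings, replace the note with the current way to normalize the user name before sessions are counted, rather than dropping the caveat altogether.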
USERDN Attribute:
When rlm_ldap has found the DN corresponding to the username provided
in the access-request (all this happens in the authorize section) it
-will add an Ldap-UserDN attribute in the check items list containing
+will add an Ldap-UserDN attribute in the request items list containing
that DN. The attribute will be searched for in the authenticate
section and if present will be used for authentication (ldap bind with
the user DN/password). Otherwise a search will be performed to find
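Review bot: after "check items list" becomes "request items list", the next sentence ("The attribute will be searched for in the authenticate section") still does not say which list the authenticate step reads. Suggest stating there that it looks in the request items, so an administrator who sets Ldap-UserDN by other means knows where the attribute has to be placed for the bind to use it.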
authentication or does not wish to populate the identity,password
configuration attributes he can set this attribute by other means and
avoid the ldap search completely. For instance it can be set through
-the users file in the authorize section:
+the hints file in the authorize section:
DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`
+The "users" file won't work, because it can't add items to the request.
+
DIRECTORY COMPATIBILITY NOTE: If you use LDAP only for authorization and
-authentication (e.g. you can not afford schema extention), I propose to set
+authentication (e.g. you can not afford schema extension), we suggest you set
all necessary attributes in raddb/users file with following authorize section
of radiusd.conf :
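Review bot: the sentence added after the DEFAULT example says the "users" file can't add items to the request, yet the DIRECTORY COMPATIBILITY NOTE directly below it still tells the reader to "set all necessary attributes in raddb/users file" without saying which list those attributes go into. Suggest naming the list in that paragraph so the two statements do not read as contradictory. A blank line between the DEFAULT example and "The "users" file won't work" would also keep the new sentence from being read as part of the example.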