X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=doc%2Frlm_ldap;h=5a2e61ea22d3031add2f283047999e77052d6114;hb=HEAD;hp=5c870a357b709eaa851d9ed0dca9ef4de384c011;hpb=904f40a1e6b25808e9a6b7cea73d4f3c27d2eb80;p=freeradius.git diff --git a/doc/rlm_ldap b/doc/rlm_ldap index 5c870a3..5a2e61e 100644 --- a/doc/rlm_ldap +++ b/doc/rlm_ldap @@ -1,14 +1,19 @@ -1. INSTALATION +1. INSTALLATION This module depends on OpenLDAP v2.x SDK libraries. For details on obtaining source of OpenLDAP look at . OpenLDAP SDK in turn depends on OpenSSL crypto libraries and (optionaly) on Cyrus-SASL libraries. +See also: http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html + +It's not up to date, though. For example, you do NOT have to edit +the "dictionary" file. + 2. LDAP ATTRIBUTES The mapping between radius and ldap attributes is in raddb/ldap.attrmap. You should edit the file and add any new mapping which you need. The schema files -is located in doc/RADIUS-LDAPv3.schema. Before adding any radius attributes +is located in doc/examples/openldap.schema. Before adding any radius attributes the ldap server schema should be updated. All ldap entries containing radius attributes should contain at least "objectclass: radiusprofile" @@ -244,11 +249,6 @@ the rlm_ldap module: } } -NOTE: As LDAP is case insensitive, you should probably also set "lower_user = -yes" and "lower_time = before" in main section of radiusd.conf, to get limits -on simultaneous logins working correctly. Otherwise, users will be able get -large number of sessions, capitalizing parts of their login names. - MODULE MESSAGES: On user rejection rlm_ldap will return the following module messages: @@ -304,34 +304,72 @@ DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject -Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is -registered and can be used. It is of the form -Ldap-Group. In other words if -in radiusd.conf we configure an ldap module instance like: +Also if you are using multiple ldap module instances a per instance +Ldap-Group attribute is registered and can be used. It is of the form +-Ldap-Group. In other words if in radiusd.conf we +configure an ldap module instance like: ldap myname { [...] } -we can then use the myname-Ldap-Group attribute to match user groups. Make sure though that the -ldap module is instantiated *before* the files module so that it will have time to register -the corresponding attribute. One solution would be to add the ldap module in the instantiate{} -block in radiusd.conf +we can then use the myname-Ldap-Group attribute to match user +groups. Make sure though that the ldap module is instantiated *before* +the files module so that it will have time to register the +corresponding attribute. One solution would be to add the ldap module +in the instantiate{} block in radiusd.conf USERDN Attribute: -When rlm_ldap has found the DN corresponding to the username provided in the access-request -(all this happens in the authorize section) it will add an Ldap-UserDN attribute in the check -items list containing that DN. The attribute will be searched for in the authenticate section -and if present will be used for authentication (ldap bind with the user DN/password). Otherwise -a search will be performed to find the user dn. If the administrator wishes to use rlm_ldap only -for authentication or does not wish to populate the identity,password configuration attributes -he can set this attribute by other means and avoid the ldap search completely. For instance it can -be set through the users file in the authorize section: +When rlm_ldap has found the DN corresponding to the username provided +in the access-request (all this happens in the authorize section) it +will add an Ldap-UserDN attribute in the request items list containing +that DN. The attribute will be searched for in the authenticate +section and if present will be used for authentication (ldap bind with +the user DN/password). Otherwise a search will be performed to find +the user dn. If the administrator wishes to use rlm_ldap only for +authentication or does not wish to populate the identity,password +configuration attributes he can set this attribute by other means and +avoid the ldap search completely. For instance it can be set through +the hints file in the authorize section: DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com` +The "users" file won't work, because it can't add items to the request. + DIRECTORY COMPATIBILITY NOTE: If you use LDAP only for authorization and -authentication (e.g. you can not afford schema extention), I propose to set +authentication (e.g. you can not afford schema extension), we suggest you set all necessary attributes in raddb/users file with following authorize section of radiusd.conf : authorize { ldap { notfound = return } files } + +LDAP and Active Directory +------------------------- + +Active directory does not return anything in the userPassword +attribute, unlike other LDAP servers. As a result, you cannot use +Active Directory to perform CHAP, MS-CHAP, or EAP-MD5 authentication. +You can only use PAP, and then only if you list "ldap" in the +"authenticate" section. + +To do MS-CHAP against an Active Directory domain, see the comments in +radiusd.conf, about "ntlm_auth". You will need to install Samba. + + +If you see "Operations error" returned from an LDAp query, you may +need to set dsHeuristics to 0000002 in Active Directory. This allows +searches to function similar to how they did in Active Directory +2k2. You can update dsHeuristics by launching ldp.exe, going to +'connection' and create a new connection. Then goto bind and bind to +your ldap server. Next select the 'Browse' menu and choose +'modify'. The DN *might* look like this: + +CN=Directory Service,CN=Windows +NT,CN=Services,CN=Configuration,DC=mycompany,DC=com + +Attribute is: dsHeuristics +Value is: 0000002 + +Set the operation to replace and you should be set. This should solve +the 'Operations error' error that happens when attempting to search +without specifying an OU.