3 This module depends on OpenLDAP v2.x SDK libraries. For details on obtaining
4 source of OpenLDAP look at <http://www.openldap.org>. OpenLDAP SDK in turn
5 depends on OpenSSL crypto libraries and (optionaly) on Cyrus-SASL libraries.
9 The mapping between radius and ldap attributes is in raddb/ldap.attrmap. You
10 should edit the file and add any new mapping which you need. The schema files
11 is located in doc/RADIUS-LDAPv3.schema. Before adding any radius attributes
12 the ldap server schema should be updated. All ldap entries containing radius
13 attributes should contain at least "objectclass: radiusprofile"
15 radiusCheckItem and radiusReplyItem are special. They allow the administrator
16 to add any check or reply item respectively without adding it in the ldap
17 schema. The format should be <ldap-attribute>: <radius-attribute> <operator>
20 ie radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
24 Add following subsection to the modules{} section of radiusd.conf to control
31 # server: LDAP server hostname/ip address
33 # Optionaly could contain space separated list of host[:port], but
34 # redundancy/resiliency is better acheived configuring multiple rlm_ldap
35 # module instances and invocing them in redundand/failover
36 # configuration in authorize/authenticate sections
38 # You can also pass an ldap url like ldap://localhost
39 # That way you can also specify alternative ldap schemas like
40 # ldaps:// or ldapi://
41 # The port directive will be ignored in that case
43 # default: settings for your system, as set in etc/openldap/ldap.conf
47 # port: LDAP server port
49 # If LDAP server port is set to 636 (ldaps), SSL connection is enforced.
50 # This feature is useful for LDAP servers which support SSL, but don't
51 # do TLS negotiation (like Novell eDirectory).
57 # net_timeout: # of seconds to wait for response of the server (network
58 # failures) default: 10
62 # timeout: # seconds to wait for LDAP query to finish default: 20
66 # timelimit: # of seconds server has to process the query (server-side
67 # time limit) default: 20
71 # ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
72 # default: 0x0000 (no debugging messages)
73 # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
76 # identity: DN under which LDAP searches are done password: pasword
77 # which authenticate this DN default: anonymous bind, no password
78 # required NOTE: searches are done now over unencrypted connection!
80 # identity = "cn=admin,o=My Org,c=UA" password = mypass
83 # ldap_connections_number: The number of ldap connections that the
84 # module will keep open to use in requests. Usually it will not need to
85 # be larger than 5-10 connections default: 5
87 ldap_connections_number = 5
89 # basedn = <Base of LDAP searches>
91 basedn = "o=My Org,c=UA"
93 # filter: LDAP search filter, to locate user object using name supplied
94 # by client during Radius authentication
96 # default: filter = "(uid=%u)"
98 # base_filter: The LDAP search filter used for base scope searches, like
99 # when searching for the default or regular profiles
101 # deafault: base_filter = "(objectclass=radiusprofile)"
105 # start_tls: When set to "yes" the StartTLS extended operation is used to
106 # start TLS transport encryption.
109 # tls_mode: When set to "yes" OR the server port is 636 we try to connect with TLS
110 # Start TLS should be prefered, tls_mode is provided only for ldap servers
111 # like Active Directory which do not support it.
116 # tls_cacertfile: A PEM-encoded file that contains the CA Certificates that
118 tls_cacertfile = /path/to/cacert.pem
120 # tls_cacertdir: Path the a directory of CA Certificates that you trust, the
121 # directory must be in "hash format" (see openssl verify)
122 tls_cacertdir = /path/to/ca/dir/
124 # tls_certfile: The PEM Encoded certificate file that we should present to
126 tls_certfile = /path/to/radius.crt
128 # tls_keyfile: The PEM Encoded private key that we should use to encrypt the
130 tls_keyfile = /path/to/radius.key
132 # tls_randfile: A file containing random data to seed the OpenSSL PRNG. Not
133 # needed if your OpenSSL is already properly random.
134 tls_randfile = /path/to/rnd
136 # tls_require_cert: Certificate Verification requirements. Can be "never"
137 # (don't even bother trying), "allow" (try, but don't fail if the cerificate
138 # can't be verified), or "demand" (fail if the certificate doesn't verify.)
139 # The default is "allow"
140 tls_require_cert = "allow"
142 # default_profile: DN of a LDAP object, which contains default RADIUS
143 # attributes. default: NULL - use only user specific attributes or
144 # attributes, supplied by other modules.
146 default_profile = "cn=RadProfile,o=My Org,c=UA"
148 # profile_attribute: user object attribute, which contains DN of
149 # radiusProfile object for this user. default: NULL - use only user
150 # specific attributes or attributes, supplied by other modules.
152 # profile_attribute = "radiusProfileDn"
154 # access_attr_used_for_allow: Define if the access attribute (described
155 # below) will be used to allow access (meaning if it exists then user
156 # remote access will be allowed) or to deny access. default: yes - used
159 # access_attr: if attribute is specified, module checks for its
160 # existance in user object. If access_attr_used_for_allow is set to
161 # yes: If it exists the user is allowed to get remote access. If it
162 # exists and is set to FALSE the user is denied remote access. If it
163 # does not exist user is denied remote access by default if
164 # access_attr_used_for_allow is set to no: If it exists the user is
165 # denied remote access. If it does not exist user is allowed remote
168 # default: NULL - don't check for the attribute
170 access_attr = "dialupAccess"
172 # password_header: If the user password is available we add it to the
173 # check items (to assist in CHAP ie) striping any headers first.
174 # NOTE: The password_header directive is NOT case insensitive
177 # password_header = "{clear}"
179 # password_attribute: Define the attribute which contains the user
181 # While integrating FreeRADIUS with Novell eDirectory, set
182 # 'password_attribute = nspmpassword' in order to use the universal
183 # password of the eDirectory users for RADIUS authentication. This will
184 # work only if FreeRADIUS is configured to build with --with-edir option.
186 # default: NULL - don't add password
188 # password_attribute = "userPassword"
190 # edir_account_policy_check: Specifies if the module has to enforce
191 # Novell eDirectory account policy check and intruder detection for
192 # RADIUS users. This will work only if FreeRADIUS is configured to build
193 # with --with-edir option.
195 # default: yes - eDirectory account policy check enabled
197 # edir_account_policy_check = no
199 # groupname_attribute: The attribute containing group name in the LDAP
200 # server. It is used to search group by name.
202 # default: cn - Search filter is "(cn=%GroupName)"
204 # groupname_attribute = "cn"
206 # compare_check_items: Specifies if the module will do a comparison on
207 # the check items extracted from the ldap with the corresponding items
208 # present in the incoming request.
210 # default: no - don't do any comparisons
212 # compare_check_items = yes
214 # do_xlat: Specifies if the module will do an xlat on the radius attributes
215 # extracted from the ldap database. Also the attribute operators will be
216 # honored. If the directive is set to 'no' then we will fall back to the
217 # pairadd() function which will just add the attributes at the end of the
218 # corresponding attribute list (check or reply items). This can be used to
219 # fall back to 0.8.1 behaviour without changing the ldap data or to gain a
220 # little performance if the ldap data is rather simple (no special operators)
222 # default: yes - do an xlat and honor operators
227 # groupmembership_filter: The filter to search for group membership of a
228 # particular user after we have found the DN for the group.
230 # default: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
232 # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
235 # groupmembership_attribute: The attribute in the user entry that states
236 # the group the user belongs to. The attribute can either contain the
237 # group name or the group DN. If it contains the group DN
238 # groupmembership_attribute will also be used to find the group's name.
239 # The attribute will be used after a search based on the
240 # groupname_attribute and groupmembership_filter has failed. default:
241 # NULL - don't search for a group based on attributes in the user entry.
243 # groupmembership_attribute = "radiusGroupName"
247 NOTE: As LDAP is case insensitive, you should probably also set "lower_user =
248 yes" and "lower_time = before" in main section of radiusd.conf, to get limits
249 on simultaneous logins working correctly. Otherwise, users will be able get
250 large number of sessions, capitalizing parts of their login names.
252 MODULE MESSAGES: On user rejection rlm_ldap will return the following module
255 "rlm_ldap: User not found" "rlm_ldap: Access Attribute denies access"
256 "rlm_ldap: Bind as user failed"
258 These messages will be visible in radius.log as aditional information in
259 "Login incorrect" and "Invalid user" log messages.
261 LDAP XLAT: The ldap module now supports LDAP URLs in xlat strings. That is you
262 can now add LDAP URLs in the configuration options and hopefully shortly also
263 in the users file. The strings will be of the following form:
265 %{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}
267 The requested attributes list MUST contain only ONE attribute. In case this
268 attribute is multi valued which value is returned is considered UNDEFINED.
269 Also, adding the host:port information SHOULD be avoided unless there are more
270 than one ldap module instances in which case the host,port information can be
271 used to distinguish which module will actually return the information (the
272 xlat function will return NULL if the host,port information does not
273 correspond to the configured attributes). If there are more than one
274 instances the module instance name can be used instead of the string 'ldap'
275 before the ldap url to decide which instance will return the information.
276 That is the xlat string will be of the form:
278 %{$instance_name:ldap:///dc=comapny,dc=com?uid?sub?uid=%u}
280 i.e.: ${ldap_company1:ldap:///dc=company1,dc=com?uid?sub?uid=%u}
283 USER PROFILE ATTRIBUTE: The module can use the User-Profile attribute. If it
284 is set, it will assume that it contains the DN of a profile entry containing
285 radius attributes. This entry will _replace_ the default profile directive.
286 That way we can use different profiles based on checks on the radius
287 attributes contained in the Access-Request packets. For example (users file):
289 DEFAULT Service-Type == Outbound-User, User-Profile := "uid=outbound-dialup,dc=company,dc=com"
292 GROUP SUPPORT: The module supports searching for ldap groups by use of the
293 Ldap-Group attribute. As long as the module has been instanciated it can be
294 used to do group membership checks through other modules. For example in the
297 DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
298 Reply-Message = "Sorry, you are not allowed to have dialup access"
300 DNs are also accepted as Ldap-Group values, i.e.:
302 DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject
303 Reply-Message = "Sorry, you are not allowed to have dialup access"
307 Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is
308 registered and can be used. It is of the form <instance_name>-Ldap-Group. In other words if
309 in radiusd.conf we configure an ldap module instance like:
311 ldap myname { [...] }
313 we can then use the myname-Ldap-Group attribute to match user groups. Make sure though that the
314 ldap module is instantiated *before* the files module so that it will have time to register
315 the corresponding attribute. One solution would be to add the ldap module in the instantiate{}
316 block in radiusd.conf
320 When rlm_ldap has found the DN corresponding to the username provided in the access-request
321 (all this happens in the authorize section) it will add an Ldap-UserDN attribute in the check
322 items list containing that DN. The attribute will be searched for in the authenticate section
323 and if present will be used for authentication (ldap bind with the user DN/password). Otherwise
324 a search will be performed to find the user dn. If the administrator wishes to use rlm_ldap only
325 for authentication or does not wish to populate the identity,password configuration attributes
326 he can set this attribute by other means and avoid the ldap search completely. For instance it can
327 be set through the users file in the authorize section:
329 DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`
332 DIRECTORY COMPATIBILITY NOTE: If you use LDAP only for authorization and
333 authentication (e.g. you can not afford schema extention), I propose to set
334 all necessary attributes in raddb/users file with following authorize section
337 authorize { ldap { notfound = return } files }