This module depends on OpenLDAP v2.x SDK libraries. For details on obtaining
the source of OpenLDAP look at <http://www.openldap.org>. The OpenLDAP SDK in turn
depends on OpenSSL crypto libraries and (optionally) on Cyrus-SASL libraries.
The mapping between radius and ldap attributes is in raddb/ldap.attrmap. You
should edit the file and add any new mapping which you need. The schema file
is located in doc/RADIUS-LDAPv3.schema. Before adding any radius attributes
the ldap server schema should be updated. All ldap entries containing radius
attributes should contain at least "objectclass: radiusprofile"
radiusCheckItem and radiusReplyItem are special. They allow the administrator
to add any check or reply item respectively without adding it in the ldap
schema. The format should be <ldap-attribute>: <radius-attribute> <operator>

e.g. radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
Add the following subsection to the modules{} section of radiusd.conf to control

# server: LDAP server hostname/ip address
# Optionally could contain a space separated list of host[:port], but
# redundancy/resiliency is better achieved by configuring multiple rlm_ldap
# module instances and invoking them in a redundant/failover
# configuration in the authorize/authenticate sections
# You can also pass an ldap url like ldap://localhost
# That way you can also specify alternative ldap schemes like
# ldaps:// or ldapi://
# The port directive will be ignored in that case
# default: settings for your system, as set in etc/openldap/ldap.conf

# port: LDAP server port
# If LDAP server port is set to 636 (ldaps), SSL connection is enforced.
# This feature is useful for LDAP servers which support SSL, but don't
# do TLS negotiation (like Novell eDirectory).

# net_timeout: # of seconds to wait for response of the server (network
# failures)
# default: 10

# timeout: # of seconds to wait for LDAP query to finish
# default: 20

# timelimit: # of seconds server has to process the query (server-side
# time limit)
# default: 20

# ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
# default: 0x0000 (no debugging messages)
# Example: (LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
# identity: DN under which LDAP searches are done
# password: password which authenticates this DN
# default: anonymous bind, no password required
# NOTE: searches are done now over an unencrypted connection!
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
# ldap_connections_number: The number of ldap connections that the
# module will keep open to use in requests. Usually it will not need to
# be larger than 5-10 connections
# default: 5
ldap_connections_number = 5

# basedn = <Base of LDAP searches>
basedn = "o=My Org,c=UA"

# filter: LDAP search filter, to locate the user object using the name supplied
# by the client during Radius authentication
# default: filter = "(uid=%u)"

# base_filter: The LDAP search filter used for base scope searches, like
# when searching for the default or regular profiles
# default: base_filter = "(objectclass=radiusprofile)"

# default_profile: DN of an LDAP object, which contains default RADIUS
# attributes.
# default: NULL - use only user specific attributes or
# attributes supplied by other modules.
default_profile = "cn=RadProfile,o=My Org,c=UA"

# profile_attribute: user object attribute, which contains the DN of the
# radiusProfile object for this user.
# default: NULL - use only user specific attributes or attributes
# supplied by other modules.
# profile_attribute = "radiusProfileDn"
# access_attr_used_for_allow: Define if the access attribute (described
# below) will be used to allow access (meaning if it exists then user
# remote access will be allowed) or to deny access.
# default: yes - used

# access_attr: if the attribute is specified, the module checks for its
# existence in the user object.
# If access_attr_used_for_allow is set to yes: If it exists the user is
# allowed to get remote access. If it exists and is set to FALSE the user
# is denied remote access. If it does not exist the user is denied remote
# access by default.
# If access_attr_used_for_allow is set to no: If it exists the user is
# denied remote access. If it does not exist the user is allowed remote
# default: NULL - don't check for the attribute
access_attr = "dialupAccess"
# password_header: If the user password is available we add it to the
# check items (e.g. to assist in CHAP), stripping any headers first.
# NOTE: The password_header directive is NOT case insensitive
# password_header = "{clear}"

# password_attribute: Define the attribute which contains the user
# default: NULL - don't add password
# password_attribute = "userPassword"
# groupname_attribute: The attribute containing group name in the LDAP
# server. It is used to search group by name.
# default: cn - Search filter is "(cn=%GroupName)"
# groupname_attribute = "cn"

# compare_check_items: Specifies if the module will do a comparison on
# the check items extracted from the ldap with the corresponding items
# present in the incoming request.
# default: no - don't do any comparisons
# compare_check_items = yes

# do_xlat: Specifies if the module will do an xlat on the radius attributes
# extracted from the ldap database. Also the attribute operators will be
# honored. If the directive is set to 'no' then we will fall back to the
# pairadd() function which will just add the attributes at the end of the
# corresponding attribute list (check or reply items). This can be used to
# fall back to 0.8.1 behaviour without changing the ldap data or to gain a
# little performance if the ldap data is rather simple (no special operators)
# default: yes - do an xlat and honor operators

# groupmembership_filter: The filter to search for group membership of a
# particular user after we have found the DN for the group.
# default: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

# groupmembership_attribute: The attribute in the user entry that states
# the group the user belongs to. The attribute can either contain the
# group name or the group DN. If it contains the group DN
# groupmembership_attribute will also be used to find the group's name.
# The attribute will be used after a search based on the
# groupname_attribute and groupmembership_filter has failed.
# default: NULL - don't search for a group based on attributes in the user entry.
# groupmembership_attribute = "radiusGroupName"
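The access_attr / access_attr_used_for_allow rules in the comments above are easy to misread, so here is the decision table written out as a function. This is an added example, not rlm_ldap's own code: the user entry is a constructed dict of attribute values, and comparing the attribute value against "FALSE" case-insensitively is an assumption of this example, not something the comments state.

```python
# Added example (not rlm_ldap code): the access_attr decision table from the
# configuration comments, as a function over a constructed user entry.

def _lookup(entry, attr):
    """Return the values of `attr` in `entry`, matching the attribute name
    case-insensitively (LDAP attribute types are case-insensitive)."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return list(values)
    return []

def access_decision(entry, access_attr, used_for_allow=True):
    """True if the user may get remote access, False if denied.

    entry          -- constructed dict: attribute name -> list of str values
    access_attr    -- the configured access_attr, or None for "don't check"
    used_for_allow -- the configured access_attr_used_for_allow (yes/no)
    """
    if access_attr is None:
        return True                  # default: NULL - don't check for the attribute
    values = _lookup(entry, access_attr)
    exists = len(values) > 0
    if used_for_allow:
        if not exists:
            return False             # absent -> denied by default
        # present but set to FALSE -> denied (assumption: case-insensitive compare)
        if any(v.strip().upper() == "FALSE" for v in values):
            return False
        return True                  # present -> allowed
    # access_attr_used_for_allow = no: presence denies, absence allows
    return not exists

def decision_table(access_attr="dialupAccess"):
    """Run every combination the comments describe over constructed entries
    and return {(used_for_allow, case): decision} for inspection."""
    cases = {
        "present": {"uid": ["alice"], access_attr: ["TRUE"]},
        "present-FALSE": {"uid": ["bob"], access_attr: ["FALSE"]},
        "absent": {"uid": ["carol"]},
    }
    return {(flag, name): access_decision(entry, access_attr, flag)
            for flag in (True, False) for name, entry in cases.items()}

if __name__ == "__main__":
    for (flag, case), allowed in sorted(decision_table().items(), reverse=True):
        print("access_attr_used_for_allow=%-3s %-14s -> %s"
              % ("yes" if flag else "no", case, "allow" if allowed else "deny"))
```

Note that with access_attr_used_for_allow = yes a user whose entry lacks the attribute is denied, so adding the attribute to every account (or leaving access_attr unset) is required before enabling it, or all logins fail.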
NOTE: As LDAP is case insensitive, you should probably also set "lower_user =
yes" and "lower_time = before" in the main section of radiusd.conf, to get limits
on simultaneous logins working correctly. Otherwise, users will be able to get a
large number of sessions by capitalizing parts of their login names.
MODULE MESSAGES: On user rejection rlm_ldap will return the following module

"rlm_ldap: User not found"
"rlm_ldap: Access Attribute denies access"
"rlm_ldap: Bind as user failed"

These messages will be visible in radius.log as additional information in
"Login incorrect" and "Invalid user" log messages.
LDAP XLAT: The ldap module now supports LDAP URLs in xlat strings. That is, you
can now add LDAP URLs in the configuration options and hopefully shortly also
in the users file. The strings will be of the following form:

%{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}

The requested attributes list MUST contain only ONE attribute. In case this
attribute is multi-valued, which value is returned is considered UNDEFINED.
Also, adding the host:port information SHOULD be avoided unless there is more
than one ldap module instance, in which case the host:port information can be
used to distinguish which module will actually return the information (the
xlat function will return NULL if the host:port information does not
correspond to the configured attributes). If there is more than one
instance, the module instance name can be used instead of the string 'ldap'
before the ldap url to decide which instance will return the information.
That is, the xlat string will be of the form:

%{$instance_name:ldap:///dc=company,dc=com?uid?sub?uid=%u}

i.e.: %{ldap_company1:ldap:///dc=company1,dc=com?uid?sub?uid=%u}
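To make the rules above concrete, here is a small parser for these xlat strings. It is an added example, not rlm_ldap's own code: it splits the LDAP URL into its RFC 4516 parts, refuses a request for more than one attribute, and returns None (the text's NULL) when a host:port is given that does not belong to the selected instance. The instance table is a constructed stand-in for the configured module instances, and the `%u` placeholder in the filter is returned unexpanded.

```python
# Added example, not rlm_ldap's own code: parsing the "%{instance:ldap-url}"
# xlat strings and enforcing the rules the text gives for them (exactly one
# requested attribute; host:port, if present, must match the selected module
# instance, otherwise the xlat yields NULL).

class XlatError(ValueError):
    """Raised for xlat strings the module would refuse to expand."""

def parse_ldap_url(url):
    """Split an RFC 4516 URL  scheme://host:port/dn?attrs?scope?filter?exts
    into a dict. No percent-decoding is done, because '%' is also the
    xlat placeholder character (e.g. uid=%u)."""
    scheme, sep, rest = url.partition('://')
    if not sep or scheme not in ('ldap', 'ldaps', 'ldapi'):
        raise XlatError('not an LDAP URL: %r' % url)
    hostport, _, path = rest.partition('/')
    host, port = hostport, None
    if hostport.startswith('['):                 # IPv6 literal, e.g. [::1]:389
        host, _, tail = hostport.partition(']')
        host, port = host[1:], tail[1:] or None
    elif ':' in hostport:
        host, _, port = hostport.rpartition(':')
    parts = path.split('?', 4) + [''] * 5        # pad missing components
    dn, attrs, scope, filt, exts = parts[:5]
    scope = scope or 'base'                      # RFC 4516 defaults
    if scope not in ('base', 'one', 'sub'):
        raise XlatError('bad scope %r' % scope)
    return {'scheme': scheme, 'host': host or None,
            'port': int(port) if port else None, 'dn': dn,
            'attrs': [a for a in attrs.split(',') if a],
            'scope': scope, 'filter': filt or '(objectClass=*)',
            'extensions': exts}

def resolve_ldap_xlat(xlat, instances):
    """Pick the module instance for an xlat string and validate its URL.

    instances: constructed dict  instance_name -> {'server': host, 'port': n}
    Returns (instance_name, parsed_url), or None where the text says the
    xlat returns NULL (host:port given but not this instance's).
    """
    if not (xlat.startswith('%{') and xlat.endswith('}')):
        raise XlatError('not an xlat string: %r' % xlat)
    name, _, url = xlat[2:-1].partition(':')
    if name not in instances:
        raise XlatError('no ldap module instance named %r' % name)
    parsed = parse_ldap_url(url)
    if len(parsed['attrs']) != 1:
        raise XlatError('exactly one attribute must be requested, got %r'
                        % parsed['attrs'])
    inst = instances[name]
    if parsed['host'] is not None:
        port = parsed['port'] or (636 if parsed['scheme'] == 'ldaps' else 389)
        if (parsed['host'], port) != (inst['server'], inst['port']):
            return None
    return name, parsed

# Constructed stand-in for two configured rlm_ldap instances.
SAMPLE_INSTANCES = {
    'ldap': {'server': 'ldap.company.com', 'port': 389},
    'ldap_company1': {'server': 'ldap1.company.com', 'port': 389},
}

if __name__ == '__main__':
    print(resolve_ldap_xlat('%{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}',
                            SAMPLE_INSTANCES))
```

Leaving the host:port out of the URL, as the text recommends, keeps the xlat independent of the server address configured in the instance and avoids the silent NULL result when the two drift apart.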
USER PROFILE ATTRIBUTE: The module can use the User-Profile attribute. If it
is set, it will assume that it contains the DN of a profile entry containing
radius attributes. This entry will _replace_ the default profile directive.
That way we can use different profiles based on checks on the radius
attributes contained in the Access-Request packets. For example (users file):

DEFAULT Service-Type == Outbound-User, User-Profile := "uid=outbound-dialup,dc=company,dc=com"
GROUP SUPPORT: The module supports searching for ldap groups by use of the
Ldap-Group attribute. As long as the module has been instantiated it can be
used to do group membership checks through other modules. For example in the

DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
	Reply-Message = "Sorry, you are not allowed to have dialup access"

DNs are also accepted as Ldap-Group values, i.e.:

DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject
	Reply-Message = "Sorry, you are not allowed to have dialup access"
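The following added example (not rlm_ldap's own code) shows how the filter templates from the module configuration, "filter", groupname_attribute and groupmembership_filter, become concrete searches for the user lookup and for an Ldap-Group check like the ones above. The value substituted for %u comes from the client's User-Name and the Ldap-Group value comes from the users file, so both are escaped per RFC 4515 before substitution; without that, a name containing "*", "(" or ")" would change the shape of the filter. The DN-versus-name heuristic, the in-memory group lookup and the empty expansion of unknown placeholders are assumptions of this example.

```python
# Added example, not rlm_ldap's own code: turning the configured filter
# templates into concrete search filters for the user lookup and for an
# Ldap-Group check, with RFC 4515 escaping of substituted values.
import re

DEFAULT_USER_FILTER = '(uid=%u)'
DEFAULT_GROUPMEMBERSHIP_FILTER = (
    '(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))'
    '(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))'
)

def ldap_filter_escape(value):
    """RFC 4515: escape \\ * ( ) and NUL in an assertion value as \\XX."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)

def expand_filter(template, values):
    """Expand %u and %{Attr-Name} placeholders with escaped values.
    %u is taken as User-Name; unknown names expand to '' (an assumption)."""
    def repl(match):
        name = match.group(1) or 'User-Name'
        return ldap_filter_escape(values.get(name, ''))
    return re.sub(r'%\{([^}]+)\}|%u', repl, template)

def looks_like_dn(value):
    """Heuristic used by this example: 'attr=value' at the start means a DN."""
    return re.match(r'^[A-Za-z][\w.-]*=', value.strip()) is not None

def group_membership_search(group_value, user_dn, basedn, search_group_dn,
                            groupname_attribute='cn',
                            groupmembership_filter=DEFAULT_GROUPMEMBERSHIP_FILTER):
    """Return the (base, scope, filter) search that decides membership, or
    None when the group cannot be found.

    search_group_dn(base, scope, filter) is the caller's directory search
    returning the matching group DN or None (constructed stand-in below).
    """
    if looks_like_dn(group_value):
        group_dn = group_value           # DN given directly as Ldap-Group value
    else:
        # Step 1: find the group entry by name under basedn.
        name_filter = '(%s=%s)' % (groupname_attribute,
                                   ldap_filter_escape(group_value))
        group_dn = search_group_dn(basedn, 'sub', name_filter)
        if group_dn is None:
            return None
    # Step 2: base-scope search of the group entry for the user's DN.
    return (group_dn, 'base',
            expand_filter(groupmembership_filter, {'Ldap-UserDn': user_dn}))

# Constructed in-memory stand-in for the name -> DN lookup of step 1.
SAMPLE_GROUPS = {'(cn=disabled)': 'cn=disabled,dc=company,dc=com'}

def sample_search(base, scope, filt):
    return SAMPLE_GROUPS.get(filt)

if __name__ == '__main__':
    print(expand_filter(DEFAULT_USER_FILTER, {'User-Name': 'bob*)(uid=*'}))
    print(group_membership_search('disabled', 'uid=bob,dc=company,dc=com',
                                  'dc=company,dc=com', sample_search))
```

The user filter is the one place where an unauthenticated client controls part of a directory query, which is why the escaping step sits in front of every substitution rather than only in the group path.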
DIRECTORY COMPATIBILITY NOTE: If you use LDAP only for authorization and
authentication (e.g. you can not afford schema extension), I propose to set
all necessary attributes in the raddb/users file with the following authorize section

authorize {
	ldap {
		notfound = return
	}
	files
}