Add ldap caching. Make rlm_ldap thread safe. Fix a memory leak in ldap_xlat.

[freeradius.git] / doc / rlm_ldap

1.   INSTALATION

This module depends on OpenLDAP v2.x SDK libraries.
For details on obtaining source of OpenLDAP look at <http://www.openldap.org>.
OpenLDAP SDK in turn depends on OpenSSL crypto libraries and (optionaly) on 
Cyrus-SASL libraries.

2. CONFIGURATION

Add following subsection to the modules{} section of radiusd.conf to control
the rlm_ldap module:

  modules {
        ...
        
        ldap {

#       server: space separated list of host[:port]
#       default: settings for your system, as set in etc/openldap/ldap.conf
#
                server   = localhost

#       net_timeout: # of seconds to wait for response of the server 
#                       (network failures)
#       default: 10
#
                net_timeout = 1

#       timeout: # seconds to wait for LDAP query to finish
#       default: 20
#
                timeout = 2

#       timelimit: # of seconds server has to process the query 
#                       (server-side time limit)
#       default: 20
#
                timelimit = 5

#       ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
#       default: 0x0000 (no debugging messages)
#       Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
                ldap_debug = 0x0028 

#       identity: DN under which LDAP searches are done
#       password: pasword which authenticate this DN
#       default: anonymous bind, no password required
#       NOTE: searches are done now over unencrypted connection!
#
#       identity = "cn=admin,o=My Org,c=UA"
#       password = mypass

#       ldap_cache_timeout: The timeout for the ldap cache in secs
#       If it is set to zero then ldap caching will be disabled
#       default: 120

        ldap_cache_timeout = 120

#       ldap_cache_size: The maximum ldap cache size. If it is set to zero
#       then the ldap cache size will be unlimited
#       default: 0

        ldap_cache_size = 0

#       ldap_connections_number: The number of ldap connections that the module
#       will keep open to use in requests. Usually it will not need to be larger
#       than 5-10 connections
#       default: 5

        ldap_connections_number = 5

#       basedn = <Base of LDAP searches>
#
                basedn   = "o=My Org,c=UA"

#       filter: LDAP search filter, to locate user object using name
#       supplied by client during Radius authentication
#       
#       default: 
#               filter   = "(uid=%u)"

#       default_profile: DN of a LDAP object, which contains default RADIUS 
#       attributes. 
#       default: NULL - use only user specific attributes or attributes, 
#       supplied by other modules.
#               
        default_profile = "cn=RadProfile,o=My Org,c=UA"

#       profile_attribute: user object attribute, which contains DN of 
#       radiusProfile object for this user.
#       default: NULL - use only user specific attributes or attributes,
#       supplied by other modules.
#
#       profile_attribute = "radiusProfileDn"

#       access_group: membership in this group controls radius access for user
#       default: NULL 
#       (means all users located in the LDAP tree under specified "basedn")
#       
                access_group = "cn=RemoteUsers,o=My Org,c=UA"

#       access_attr: if attribute is specified, module checks for its existance
#       in user object. If it exists and is set to TRUE, user is allowed to get
#       remote access.
#       default: NULL - don't check for the attribute
                access_attr = "dialupAccess"

#       password_header: If the user password is available we add it to the check items
#       (to assist in CHAP ie) striping any headers first.
#       default: NULL
#
#       password_header = "{clear}"

#       password_attribute: Define the attribute which contains the user password.
#       default: NULL - don't add password
#
#       password_attribute = "userPassword"

#       groupname_attribute: The attribute used for searching for a group in the ldap server.
#       default: cn - Search filter is "(cn=%GroupName)"
#
#       groupname_attribute = "cn"

#       groupmembership_filter: The filter to search for group membership of a particular user
#       after we have found the DN for the group.
#       default: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
#
#       groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"      

        }
}

NOTE:
As LDAP is case insensitive, you should probably also set "lower_user = yes" 
and "lower_time = before" in main section of radiusd.conf, to get limits on 
simultaneous logins working correctly. Otherwise, users will be able get large 
number of sessions, capitalizing parts of their login names.

MODULE MESSAGES:
On user rejection rlm_ldap will return the following module messages:

"rlm_ldap: User not found"
"rlm_ldap: Access Attribute denies access"
"rlm_ldap: User is not an access group member"
"rlm_ldap: Bind as user failed"

These messages will be visible in radius.log as aditional information in
"Login incorrect" and "Invalid user" log messages.

DIRECTORY COMPATIBILITY NOTE:
If you use LDAP only for authorization and authentication (e.g. you can not
 afford schema extention), I propose to set all necessary attributes in 
raddb/users file with following authorize section of radiusd.conf :

authorize { 
        ldap {
                notfound = return
        } 
        files  
}