3 This module depends on OpenLDAP v2.x SDK libraries.
4 For details on obtaining source of OpenLDAP look at <http://www.openldap.org>.
5 OpenLDAP SDK in turn depends on OpenSSL crypto libraries and (optionaly) on
10 Add following subsection to the modules{} section of radiusd.conf to control
18 # server: space separated list of host[:port]
19 # default: settings for your system, as set in etc/openldap/ldap.conf
23 # net_timeout: # of seconds to wait for response of the server
29 # timeout: # seconds to wait for LDAP query to finish
34 # timelimit: # of seconds server has to process the query
35 # (server-side time limit)
40 # ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
41 # default: 0x0000 (no debugging messages)
42 # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
45 # identity: DN under which LDAP searches are done
46 # password: pasword which authenticate this DN
47 # default: anonymous bind, no password required
48 # NOTE: searches are done now over unencrypted connection!
50 # identity = "cn=admin,o=My Org,c=UA"
53 # ldap_cache_timeout: The timeout for the ldap cache in secs
54 # If it is set to zero then ldap caching will be disabled
57 ldap_cache_timeout = 120
59 # ldap_cache_size: The maximum ldap cache size. If it is set to zero
60 # then the ldap cache size will be unlimited
65 # ldap_connections_number: The number of ldap connections that the module
66 # will keep open to use in requests. Usually it will not need to be larger
67 # than 5-10 connections
70 ldap_connections_number = 5
72 # basedn = <Base of LDAP searches>
74 basedn = "o=My Org,c=UA"
76 # filter: LDAP search filter, to locate user object using name
77 # supplied by client during Radius authentication
82 # default_profile: DN of a LDAP object, which contains default RADIUS
84 # default: NULL - use only user specific attributes or attributes,
85 # supplied by other modules.
87 default_profile = "cn=RadProfile,o=My Org,c=UA"
89 # profile_attribute: user object attribute, which contains DN of
90 # radiusProfile object for this user.
91 # default: NULL - use only user specific attributes or attributes,
92 # supplied by other modules.
94 # profile_attribute = "radiusProfileDn"
96 # access_group: membership in this group controls radius access for user
98 # (means all users located in the LDAP tree under specified "basedn")
100 access_group = "cn=RemoteUsers,o=My Org,c=UA"
102 # access_attr: if attribute is specified, module checks for its existance
103 # in user object. If it exists and is set to TRUE, user is allowed to get
105 # default: NULL - don't check for the attribute
106 access_attr = "dialupAccess"
108 # password_header: If the user password is available we add it to the check items
109 # (to assist in CHAP ie) striping any headers first.
112 # password_header = "{clear}"
114 # password_attribute: Define the attribute which contains the user password.
115 # default: NULL - don't add password
117 # password_attribute = "userPassword"
119 # groupname_attribute: The attribute used for searching for a group in the ldap server.
120 # default: cn - Search filter is "(cn=%GroupName)"
122 # groupname_attribute = "cn"
124 # groupmembership_filter: The filter to search for group membership of a particular user
125 # after we have found the DN for the group.
126 # default: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
128 # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
134 As LDAP is case insensitive, you should probably also set "lower_user = yes"
135 and "lower_time = before" in main section of radiusd.conf, to get limits on
136 simultaneous logins working correctly. Otherwise, users will be able get large
137 number of sessions, capitalizing parts of their login names.
140 On user rejection rlm_ldap will return the following module messages:
142 "rlm_ldap: User not found"
143 "rlm_ldap: Access Attribute denies access"
144 "rlm_ldap: User is not an access group member"
145 "rlm_ldap: Bind as user failed"
147 These messages will be visible in radius.log as aditional information in
148 "Login incorrect" and "Invalid user" log messages.
150 DIRECTORY COMPATIBILITY NOTE:
151 If you use LDAP only for authorization and authentication (e.g. you can not
152 afford schema extention), I propose to set all necessary attributes in
153 raddb/users file with following authorize section of radiusd.conf :