This module depends on OpenLDAP v2.x SDK libraries.
For details on obtaining the source of OpenLDAP, look at <http://www.openldap.org>.
The OpenLDAP SDK in turn depends on OpenSSL crypto libraries and (optionally) on
Add the following subsection to the modules{} section of radiusd.conf to control
# server: space separated list of host[:port]
# default: settings for your system, as set in etc/openldap/ldap.conf
# net_timeout: # of seconds to wait for response of the server
# timeout: # seconds to wait for LDAP query to finish
# timelimit: # of seconds server has to process the query
# (server-side time limit)
# ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
# default: 0x0000 (no debugging messages)
# Example: (LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
# identity: DN under which LDAP searches are done
# password: password which authenticates this DN
# default: anonymous bind, no password required
# NOTE: searches are currently done over an unencrypted connection!
# identity = "cn=admin,o=My Org,c=UA"
# ldap_cache_timeout: The timeout for the ldap cache in secs
# If it is set to zero then ldap caching will be disabled
ldap_cache_timeout = 120
# ldap_cache_size: The maximum ldap cache size. If it is set to zero
# then the ldap cache size will be unlimited
# ldap_connections_number: The number of ldap connections that the module
# will keep open to use in requests. Usually it will not need to be larger
# than 5-10 connections
ldap_connections_number = 5
# basedn = <Base of LDAP searches>
basedn = "o=My Org,c=UA"
# filter: LDAP search filter, to locate user object using name
# supplied by client during Radius authentication
# default_profile: DN of an LDAP object which contains default RADIUS
# default: NULL - use only user specific attributes or attributes
# supplied by other modules.
default_profile = "cn=RadProfile,o=My Org,c=UA"
# profile_attribute: user object attribute which contains the DN of the
# radiusProfile object for this user.
# default: NULL - use only user specific attributes or attributes
# supplied by other modules.
# profile_attribute = "radiusProfileDn"
# access_group: membership in this group controls radius access for the user
# (means all users located in the LDAP tree under the specified "basedn")
access_group = "cn=RemoteUsers,o=My Org,c=UA"
# access_attr: if the attribute is specified, the module checks for its existence
# in the user object. If it exists and is set to TRUE, the user is allowed to get
# default: NULL - don't check for the attribute
access_attr = "dialupAccess"
# password_header: If the user password is available we add it to the check items
# (e.g. to assist with CHAP), stripping any headers first.
# password_header = "{clear}"
# password_attribute: Define the attribute which contains the user password.
# default: NULL - don't add password
# password_attribute = "userPassword"
# groupname_attribute: The attribute used for searching for a group in the ldap server.
# default: cn - Search filter is "(cn=%GroupName)"
# groupname_attribute = "cn"
# groupmembership_filter: The filter to search for group membership of a particular user
# after we have found the DN for the group.
# default: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
As LDAP is case insensitive, you should probably also set "lower_user = yes"
and "lower_time = before" in the main section of radiusd.conf, to get limits on
simultaneous logins working correctly. Otherwise, users will be able to get a
large number of sessions by capitalizing parts of their login names.
On user rejection rlm_ldap will return the following module messages:
"rlm_ldap: User not found"
"rlm_ldap: Access Attribute denies access"
"rlm_ldap: User is not an access group member"
"rlm_ldap: Bind as user failed"
These messages will be visible in radius.log as additional information in
"Login incorrect" and "Invalid user" log messages.
The ldap module now supports LDAP URLs in xlat strings. That is, you can now
add LDAP URLs in the configuration options and hopefully shortly also in the
users file. The strings will be of the following form:
%{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}
The requested attributes list MUST contain only ONE attribute. In case this attribute
is multi-valued, which value is returned is considered UNDEFINED.
Also, adding the host:port information SHOULD be avoided unless there is more than one
ldap module instance, in which case the host,port information can be used to distinguish
which module will actually return the information (the xlat function will return NULL if
the host,port information does not correspond to the configured attributes).
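To make the xlat rules above concrete, here is an added example (not rlm_ldap's own code) that parses an LDAP URL of the form shown, substitutes %u, and returns None in the two cases the text describes: more than one requested attribute, and a host:port that belongs to a different module instance. It additionally escapes the client-supplied username per RFC 4515 before substitution, so that a name containing filter metacharacters cannot change the shape of the search filter; the instance_host/instance_port parameters are assumptions standing in for the module's configured server setting.

```python
import re

# Added illustration of the README's LDAP URL xlat rules; not rlm_ldap's own code.

def escape_filter_value(value):
    """Escape a client-supplied value (the %u substitution) per RFC 4515 so it
    cannot alter the structure of the search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def parse_ldap_url(url):
    """Split ldap://[host[:port]]/dn?attrs?scope?filter into its components."""
    m = re.match(r"^ldap://([^/]*)/(.*)$", url)
    if not m:
        raise ValueError("not an ldap:// URL: %r" % url)
    hostport, rest = m.groups()
    dn, attrs, scope, flt = (rest.split("?") + [""] * 4)[:4]
    host, _, port = hostport.partition(":")
    return {
        "host": host or None,
        "port": int(port) if port else None,
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": flt,
    }

def ldap_xlat(template, username, instance_host=None, instance_port=None):
    """Expand the URL inside a %{ldap:...} template for one module instance.
    Returns the parsed query, or None where the README says the xlat yields
    NULL (host:port of another instance); a request for more than one
    attribute is treated as an error here as well."""
    url = template.replace("%u", escape_filter_value(username))
    query = parse_ldap_url(url)
    if len(query["attrs"]) != 1:
        return None
    if query["host"] is not None and query["host"] != instance_host:
        return None
    if query["port"] is not None and query["port"] != instance_port:
        return None
    return query
```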
USER PROFILE ATTRIBUTE:
The module can use the User-Profile attribute. If it is set, it will assume that it contains
the DN of a profile entry containing radius attributes. This entry will _replace_ the default
profile directive. That way we can use different profiles based on checks on the radius attributes
contained in the Access-Request packets. For example (users file):
DEFAULT Service-Type == Outbound-User, User-Profile := "uid=outbound-dialup,dc=company,dc=com"
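The following added example (not rlm_ldap's own code) walks through the authorization decision the sample configuration above implies: locate the user under basedn, apply access_attr, then access_group, and finally decide which profile entries supply attributes, with User-Profile from the users file replacing default_profile as just described. The in-memory DIRECTORY and its entries are constructed for the example, the denial strings are the module messages listed earlier, and the ordering of profile entries and the treatment of a missing access attribute are assumptions.

```python
# Constructed in-memory directory standing in for the LDAP server; an added
# illustration of the README's authorization rules, not rlm_ldap's own code.
DIRECTORY = {
    "uid=alice,o=My Org,c=UA": {"uid": ["alice"], "dialupAccess": ["TRUE"],
                                "radiusProfileDn": ["cn=SalesProfile,o=My Org,c=UA"]},
    "uid=bob,o=My Org,c=UA":   {"uid": ["bob"], "dialupAccess": ["FALSE"]},
    "uid=carol,o=My Org,c=UA": {"uid": ["carol"], "dialupAccess": ["TRUE"]},
    "uid=dan,o=My Org,c=UA":   {"uid": ["dan"], "dialupAccess": ["TRUE"]},
    "cn=RemoteUsers,o=My Org,c=UA": {"objectClass": ["GroupOfNames"],
        "member": ["uid=alice,o=My Org,c=UA", "uid=dan,o=My Org,c=UA"]},
}

# Values taken from the README's sample radiusd.conf section.
CONFIG = {
    "basedn": "o=My Org,c=UA",
    "access_attr": "dialupAccess",
    "access_group": "cn=RemoteUsers,o=My Org,c=UA",
    "default_profile": "cn=RadProfile,o=My Org,c=UA",
    "profile_attribute": "radiusProfileDn",
}

def find_user(username):
    """Locate the user entry under basedn by uid (stand-in for the search filter)."""
    for dn, entry in DIRECTORY.items():
        if dn.endswith(CONFIG["basedn"]) and username in entry.get("uid", []):
            return dn, entry
    return None, None

def is_group_member(user_dn, group_dn):
    """Mirror the default groupmembership_filter: GroupOfNames/member or
    GroupOfUniqueNames/uniqueMember."""
    group = DIRECTORY.get(group_dn, {})
    classes = {c.lower() for c in group.get("objectClass", [])}
    return (("groupofnames" in classes and user_dn in group.get("member", [])) or
            ("groupofuniquenames" in classes and user_dn in group.get("uniqueMember", [])))

def authorize(username, user_profile=None):
    """Return (accepted, module message) on rejection, or (accepted, ordered
    list of profile DNs whose attributes are applied) on success."""
    dn, entry = find_user(username.lower())      # lower_user = yes, as the README advises
    if dn is None:
        return False, "rlm_ldap: User not found"
    attr = CONFIG["access_attr"]
    # Assumption: a missing access attribute is treated like a non-TRUE value.
    if attr and entry.get(attr, [""])[0].upper() != "TRUE":
        return False, "rlm_ldap: Access Attribute denies access"
    if CONFIG["access_group"] and not is_group_member(dn, CONFIG["access_group"]):
        return False, "rlm_ldap: User is not an access group member"
    # User-Profile replaces default_profile; the user's own profile_attribute
    # entry is applied after it (ordering is an assumption of this example).
    return True, [user_profile or CONFIG["default_profile"]] + entry.get(CONFIG["profile_attribute"], [])
```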
DIRECTORY COMPATIBILITY NOTE:
If you use LDAP only for authorization and authentication (e.g. you cannot
afford a schema extension), I propose setting all necessary attributes in the
raddb/users file with the following authorize section of radiusd.conf: