3 This module depends on OpenLDAP v2.x SDK libraries.
4 For details on obtaining source of OpenLDAP look at <http://www.openldap.org>.
5 OpenLDAP SDK in turn depends on OpenSSL crypto libraries and (optionaly) on
10 Add following subsection to the modules{} section of radiusd.conf to control
18 # server: space separated list of host[:port]
19 # default: settings for your system, as set in etc/openldap/ldap.conf
23 # net_timeout: # of seconds to wait for response of the server
29 # timeout: # seconds to wait for LDAP query to finish
34 # timelimit: # of seconds server has to process the query
35 # (server-side time limit)
40 # ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
41 # default: 0x0000 (no debugging messages)
42 # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
45 # identity: DN under which LDAP searches are done
46 # password: pasword which authenticate this DN
47 # default: anonymous bind, no password required
48 # NOTE: searches are done now over unencrypted connection!
50 # identity = "cn=admin,o=My Org,c=UA"
53 # ldap_cache_timeout: The timeout for the ldap cache in secs
54 # If it is set to zero then ldap caching will be disabled
55 # default: 0 (disabled)
57 ldap_cache_timeout = 0
59 # ldap_cache_size: The maximum ldap cache size. If it is set to zero
60 # then the ldap cache size will be unlimited
65 # ldap_connections_number: The number of ldap connections that the module
66 # will keep open to use in requests. Usually it will not need to be larger
67 # than 5-10 connections
70 ldap_connections_number = 5
72 # basedn = <Base of LDAP searches>
74 basedn = "o=My Org,c=UA"
76 # filter: LDAP search filter, to locate user object using name
77 # supplied by client during Radius authentication
82 # default_profile: DN of a LDAP object, which contains default RADIUS
84 # default: NULL - use only user specific attributes or attributes,
85 # supplied by other modules.
87 default_profile = "cn=RadProfile,o=My Org,c=UA"
89 # profile_attribute: user object attribute, which contains DN of
90 # radiusProfile object for this user.
91 # default: NULL - use only user specific attributes or attributes,
92 # supplied by other modules.
94 # profile_attribute = "radiusProfileDn"
96 # access_group: membership in this group controls radius access for user
98 # (The default NULL means all users located in the LDAP tree under specified "basedn")
100 access_group = "cn=RemoteUsers,o=My Org,c=UA"
102 # access_attr: if attribute is specified, module checks for its existance
103 # in user object. If it exists the user is allowed to get remote access.
104 # If it exists and is set to FALSE the user is denied remote access.
105 # default: NULL - don't check for the attribute
106 access_attr = "dialupAccess"
108 # password_header: If the user password is available we add it to the check items
109 # (to assist in CHAP ie) striping any headers first.
112 # password_header = "{clear}"
114 # password_attribute: Define the attribute which contains the user password.
115 # default: NULL - don't add password
117 # password_attribute = "userPassword"
119 # groupname_attribute: The attribute used for searching for a group in the ldap server.
120 # default: cn - Search filter is "(cn=%GroupName)"
122 # groupname_attribute = "cn"
124 # compare_check_items: Specifies if the module will do a comparison on the check items extracted
125 # from the ldap with the corresponding items present in the incoming request.
126 # default: no - don't do any comparisons
128 # compare_check_items = yes
131 # groupmembership_filter: The filter to search for group membership of a particular user
132 # after we have found the DN for the group.
133 # default: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
135 # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
141 As LDAP is case insensitive, you should probably also set "lower_user = yes"
142 and "lower_time = before" in main section of radiusd.conf, to get limits on
143 simultaneous logins working correctly. Otherwise, users will be able get large
144 number of sessions, capitalizing parts of their login names.
147 On user rejection rlm_ldap will return the following module messages:
149 "rlm_ldap: User not found"
150 "rlm_ldap: Access Attribute denies access"
151 "rlm_ldap: User is not an access group member"
152 "rlm_ldap: Bind as user failed"
154 These messages will be visible in radius.log as aditional information in
155 "Login incorrect" and "Invalid user" log messages.
158 The ldap module now supports LDAP URLs in xlat strings. That is you can now
159 add LDAP URLs in the configuration options and hopefully shortly also in the
160 users file. The strings will be of the following form:
162 %{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}
164 The requested attributes list MUST contain only ONE attribute. In case this attribute
165 is multi valued which value is returned is considered UNDEFINED.
166 Also, adding the host:port information SHOULD be avoided unless there are more than one
167 ldap module instances in which case the host,port information can be used to distinguish
168 which module will actually return the information (the xlat function will return NULL if
169 the host,port information does not correspond to the configured attributes).
171 USER PROFILE ATTRIBUTE:
172 The module can use the User-Profile attribute. If it is set, it will assume that it contains
173 the DN of a profile entry containing radius attributes. This entry will _replace_ the default
174 profile directive. That way we can use different profiles based on checks on the radius attributes
175 contained in the Access-Request packets. For example (users file):
177 DEFAULT Service-Type == Outbound-User, User-Profile := "uid=outbound-dialup,dc=company,dc=com"
181 The module supports searching for ldap groups by use of the Ldap-Group attribute. As long as the module
182 has been instanciated it can be used to do group membership checks through other modules. For example in
185 DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
186 Reply-Message = "Sorry, you are not allowed to have dialup access"
188 DIRECTORY COMPATIBILITY NOTE:
189 If you use LDAP only for authorization and authentication (e.g. you can not
190 afford schema extention), I propose to set all necessary attributes in
191 raddb/users file with following authorize section of radiusd.conf :