This module depends on the OpenLDAP v2.0 SDK libraries.
For details on obtaining the OpenLDAP source, see <http://www.openldap.org>.
The OpenLDAP SDK in turn depends on the OpenSSL crypto libraries and (optionally) on

Add the following subsection to the modules{} section of radiusd.conf to control
# server: space separated list of host[:port]
# default: settings for your system, as set in etc/openldap/ldap.conf

# net_timeout: # of seconds to wait for response of the server

# timeout: # seconds to wait for LDAP query to finish

# ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)

# identity: DN under which LDAP searches are done
# password: password which authenticates this DN
# default: anonymous bind, no password required
# NOTE: searches are currently done over an unencrypted connection!

# identity = "cn=admin,o=My Org,c=UA"

# basedn = <Base of LDAP searches>

basedn = "o=My Org,c=UA"

# filter: LDAP search filter, to locate user object using name
# supplied by client during Radius authentication

# access_group: membership in this group controls radius access for user
# (means all users located in the LDAP tree under specified "basedn")

access_group = "cn=RemoteUsers,o=My Org,c=UA"

# access_attr: if attribute is specified, module checks for its existence
# in user object. If it exists and is set to TRUE, user is allowed to get
# default: NULL - don't check for the attribute
access_attr = "dialupAccess"

As LDAP is case insensitive, you should probably also set "lower_user = yes"
and "lower_time = before" in the main section of radiusd.conf, to get limits on
simultaneous logins working correctly. Otherwise, users will be able to get a
large number of sessions by capitalizing parts of their login names.
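
The mismatch described above, as an added example (not part of the original README or of FreeRADIUS): a small Python model in which the directory lookup ignores case while the session table compares names exactly, run with and without lowercasing the name before any check. The user jsmith, the one-session limit and all function names are constructed for illustration; case_variants is a check an operator could run over active session names.

```python
# Constructed sample data: one LDAP user object limited to a single session,
# and four login attempts made from that one account.
DIRECTORY = {"jsmith": {"simultaneous_use": 1}}
ATTEMPTS = ["jsmith", "JSmith", "jSMITH", "jsmith"]


def ldap_lookup(user_name):
    """LDAP matches the name case-insensitively, so every variant finds the object."""
    return DIRECTORY.get(user_name.lower())


def normalize(user_name, lower_user):
    """Model of lower_user = yes with lower_time = before: fold before any check."""
    return user_name.lower() if lower_user else user_name


def try_login(sessions, user_name, lower_user):
    """Record a session and return True if the login is within the user's limit."""
    name = normalize(user_name, lower_user)
    entry = ldap_lookup(name)
    if entry is None:
        return False
    # Unlike the LDAP search, the session table is compared character for character.
    active = sum(1 for s in sessions if s == name)
    if active >= entry["simultaneous_use"]:
        return False
    sessions.append(name)
    return True


def replay(attempts, lower_user):
    """Run a list of login attempts against an empty session table."""
    sessions = []
    results = [try_login(sessions, a, lower_user) for a in attempts]
    return results, sessions


def case_variants(sessions):
    """Detection: session names that collide once lowercased."""
    groups = {}
    for name in sessions:
        groups.setdefault(name.lower(), set()).add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for flag in (False, True):
        results, sessions = replay(ATTEMPTS, flag)
        print("lower_user =", flag, results, case_variants(sessions))
```
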

As attempts to standardize LDAP attributes for RADIUS have failed (or stalled),
currently I propose to set all necessary attributes in the users file with the
following authorize section of radiusd.conf: