6 # Lightweight Directory Access Protocol (LDAP)
10 # Note that this needs to match the name in the LDAP
11 # server certificate, if you're using ldaps.
12 server = "ldap.example.org"
14 # Port to connect on, defaults to 389. Setting this to
15 # 636 will enable LDAPS if start_tls (see below) is not
19 # Read-only administrator account for initial binding and searching
20 # identity = "cn=admin,dc=example,dc=org"
24 # basedn = "ou=people,dc=example,dc=org"
25 # filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
28 # Mapping of RADIUS dictionary attributes to LDAP directory attributes.
30 # WARNING: Although this format is almost identical to the unlang
31 # update section format, it does *NOT* mean that you can use other
32 # unlang constructs in module configuration files.
34 # Configuration items are in the format:
35 # <radius attr> <op> <ldap attr>
38 # <radius attr>: The destination RADIUS attribute
39 # with any valid list and request qualifiers.
40 # <op>: Is any assignment attribute (=, :=, +=, -=).
41 # <ldap attr>: The attribute associated with user or
42 # profile objects in the LDAP
43 # directory. If the attribute name is wrapped in
44 # double quotes it will be xlat expanded.
46 # Request and list qualifiers may also be placed after the section
47 # name to set defaults for unqualified RADIUS attributes.
49 # Note: LDAP attribute names should be single quoted unless you want
50 # the name value to be derived from an xlat expansion, or an
54 # control:NT-Password := 'ntPassword'
55 # Reply-Message := 'radiusReplyMessage'
56 # Tunnel-Type := 'radiusTunnelType'
57 # Tunnel-Medium-Type := 'radiusTunnelMediumType'
58 # Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
61 # Set to "no" to disable the 'no "known good" password' warning,
62 # if you're not using LDAP to retrieve password values.
63 # expect_password = yes
65 # Set to yes if you have eDirectory and want to use the universal
69 # Set to yes if you want to bind as the user after retrieving the
70 # Cleartext-Password. This will consume the login grace, and
71 # verify user authorization.
75 # Profile-related attributes.
78 # Control whether or not "access_attr" is used to
79 # determine authorization. If set to "yes", then
80 # "access_attr" existing means "allow access".
81 # "access_attr" not existing means "deny access"
83 # If set to "no", then
84 # "access_attr" existing means "deny access".
85 # "access_attr" not existing means "allow access"
86 # positive_access_attr = yes
88 # If this is undefined, anyone is authorized.
89 # If it is defined, the contents of this attribute
90 # determine whether or not the user is authorized
91 # access_attr = "dialupAccess"
93 # Base filter for the following profiles.
94 # base_filter = "(objectclass=radiusprofile)"
96 # The default profile applied to all users.
97 # default_profile = "cn=radprofile,dc=example,dc=org"
99 # The list of profiles which are applied (after the default)
101 # The "User-Profile" attribute in the control list
102 # will override this setting at run-time.
103 # profile_attribute = "radiusProfileDn"
107 # Group membership checking. Disabled by default.
109 # When doing checks for LDAP-Group = "foo"
113 # name_attribute = cn
115 # Filter to get the list of groups that a user belongs to.
116 # membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
118 # If the filter returns nothing
119 membership_attribute = radiusGroupName
123 # Modify user object on receiving Accounting-Request
125 # Useful for recording things like the last time the user logged
126 # in, or the Acct-Session-ID for CoA/DM.
128 # LDAP modification items are in the format:
129 # <ldap attr> <op> <value>
132 # <ldap attr>: The LDAP attribute to add, modify or delete.
133 # <op>: One of the assignment operators:
135 # Note: '=' is *not* supported.
136 # <value>: The value to add, modify or delete.
138 # WARNING: If using the ':=' operator with a multivalued LDAP
139 # attribute, all instances of the attribute will be removed and
140 # replaced with a single attribute.
143 reference = "%{tolower:type.%{Acct-Status-Type}}"
148 description := "Online at %S"
154 description := "Last seen at %S"
160 description := "Offline at %S"
167 # Post-Auth can modify LDAP objects too
169 # For eDir users this is performed *after* the post-auth login checks
173 description := "Authenticated at %S"
177 # LDAP connection-specific options.
179 # These options set timeouts, keepalives, etc. for the connections.
183 # The following two configuration items are for Active Directory
184 # compatibility. If you set these to "no", then searches
185 # will likely return "operations error", instead of a
188 chase_referrals = yes
191 # seconds to wait for LDAP query to finish. default: 20
194 # seconds LDAP server has to process the query (server-side
195 # time limit). default: 20
197 # LDAP_OPT_TIMELIMIT is set to this value.
201 # seconds to wait for response of the server. (network
202 # failures) default: 10
204 # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
207 # LDAP_OPT_X_KEEPALIVE_IDLE
210 # LDAP_OPT_X_KEEPALIVE_PROBES
213 # LDAP_OPT_X_KEEPALIVE_INTERVAL
216 # ldap_debug: debug flag for LDAP SDK
217 # (see OpenLDAP documentation). Set this to enable
218 # huge amounts of LDAP debugging on the screen.
219 # You should only use this if you are an LDAP expert.
221 # default: 0x0000 (no debugging messages)
222 # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
227 # This subsection configures the tls related items
228 # that control how FreeRADIUS connects to an LDAP
229 # server. It contains all of the "tls_*" configuration
230 # entries used in older versions of FreeRADIUS. Those
231 # configuration entries can still be used, but we recommend
235 # Set this to 'yes' to use TLS encrypted connections
236 # to the LDAP database by using the StartTLS extended
239 # The StartTLS operation is supposed to be
240 # used with normal ldap connections instead of
241 # using ldaps (port 636) connections
244 # cacertfile = ${certdir}/cacert.pem
246 # cacertdir = ${certdir}
247 # certfile = /path/to/radius.crt
248 # keyfile = /path/to/radius.key
249 # randfile = ${certdir}/random
251 # Certificate Verification requirements. Can be:
252 # "never" (don't even bother trying)
253 # "allow" (try, but don't fail if the certificate
255 # "demand" (fail if the certificate doesn't verify.)
257 # The default is "allow", so a certificate that fails verification does not abort the connection.
258 # require_cert = "demand"
262 # As of version 3.0, the "pool" section has replaced the
263 # following configuration items:
265 # ldap_connections_number
267 # The connection pool is new for 3.0, and will be used in many
268 # modules, for all kinds of connection-related activity.
271 # Number of connections to start
274 # Minimum number of connections to keep open
277 # Maximum number of connections
279 # If these connections are all in use and a new one
280 # is requested, the request will NOT get a connection.
283 # Spare connections to be left idle
285 # NOTE: Idle connections WILL be closed if "idle_timeout"
289 # Number of uses before the connection is closed
294 # The lifetime (in seconds) of the connection
297 # idle timeout (in seconds). A connection which is
298 # unused for this length of time will be closed.
301 # NOTE: All configuration settings are enforced. If a
302 # connection is closed because of "idle_timeout",
303 # "uses", or "lifetime", then the total number of
304 # connections MAY fall below "min". When that
305 # happens, it will open a new connection. It will
306 # also log a WARNING message.
308 # The solution is to either lower the "min" connections,
309 # or increase lifetime/idle_timeout.