5 # Lightweight Directory Access Protocol (LDAP)
7 # This module definition allows you to use LDAP for
8 # authorization and authentication.
10 # See raddb/sites-available/default for reference to the
11 # ldap module in the authorize and authenticate sections.
13 # However, LDAP can be used for authentication ONLY when the
14 # Access-Request packet contains a clear-text User-Password
15 # attribute. LDAP authentication will NOT work for any other
16 # authentication method.
18 # This is because LDAP servers don't understand EAP. If you
19 # force "Auth-Type = LDAP", and then send the server a
20 # request containing EAP authentication, then authentication
23 # The solution is to use the default configuration, which does
26 # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
27 # really can't emphasize this enough.
31 # Note that this needs to match the name in the LDAP
32 # server certificate, if you're using ldaps.
33 server = "ldap.your.domain"
34 #identity = "cn=admin,o=My Org,c=UA"
36 basedn = "o=My Org,c=UA"
37 filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
38 #base_filter = "(objectclass=radiusprofile)"
40 # How many connections to keep open to the LDAP server.
41 # This saves time over opening a new LDAP socket for
42 # every authentication request.
43 ldap_connections_number = 5
45 # seconds to wait for LDAP query to finish. default: 20
48 # seconds LDAP server has to process the query (server-side
49 # time limit). default: 20
51 # LDAP_OPT_TIMELIMIT is set to this value.
55 # seconds to wait for a response from the server (catches
56 # network failures). default: 10
58 # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
62 # This subsection configures the TLS-related items
63 # that control how FreeRADIUS connects to an LDAP
64 # server. It contains all of the "tls_*" configuration
65 # entries used in older versions of FreeRADIUS. Those
66 # configuration entries can still be used, but we recommend
70 # Set this to 'yes' to use TLS encrypted connections
71 # to the LDAP database by using the StartTLS extended
74 # The StartTLS operation is supposed to be
75 # used with normal ldap connections instead of
76 # using ldaps (port 689) connections
79 # cacertfile = /path/to/cacert.pem
80 # cacertdir = /path/to/ca/dir/
81 # certfile = /path/to/radius.crt
82 # keyfile = /path/to/radius.key
83 # randfile = /path/to/rnd
85 # Certificate Verification requirements. Can be:
86 # "never" (don't even bother trying)
87 # "allow" (try, but don't fail if the certificate
89 # "demand" (fail if the certificate doesn't verify.)
91 # The default is "allow", which means a certificate that fails to verify is still accepted; only "demand" rejects the connection when the certificate doesn't verify.
92 # require_cert = "demand"
95 # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
96 # profile_attribute = "radiusProfileDn"
97 # access_attr = "dialupAccess"
99 # Mapping of RADIUS dictionary attributes to LDAP
100 # directory attributes.
101 dictionary_mapping = ${confdir}/ldap.attrmap
103 # As of version 2.2.0, the "password_attribute" configuration item
104 # is deprecated, and SHOULD NOT be used.
105 # The default behavior now is to map the LDAP "userPassword" field
106 # to a FreeRADIUS "password" field. The PAP module will take care
107 # of decoding headers (e.g. {crypt}, etc.), and doing any base-64
110 # It is only used for obtaining a password from a Novell eDirectory
111 # backend. It will work ONLY IF FreeRADIUS has been
112 # built with the --with-edir configure option.
114 # See also the following links:
116 # http://www.novell.com/coolsolutions/appnote/16745.html
117 # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
119 # Novell may require TLS encrypted sessions before returning
120 # the user's password.
122 # password_attribute = nspmPassword
124 # Un-comment the following to disable Novell
125 # eDirectory account policy check and intruder
126 # detection. This will work *only if* FreeRADIUS has
127 # been built with the --with-edir configure option.
129 edir_account_policy_check = no
132 # Group membership checking. Disabled by default.
134 # groupname_attribute = cn
135 # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
136 # groupmembership_attribute = radiusGroupName
138 # compare_check_items = yes
140 # access_attr_used_for_allow = yes
143 # The following two configuration items are for Active Directory
144 # compatibility. If you see the helpful "operations error"
145 # being returned to the LDAP module, uncomment the next
148 # chase_referrals = yes
152 # By default, if the packet contains a User-Password,
153 # and no other module is configured to handle the
154 # authentication, the LDAP module sets itself to do
155 # LDAP bind for authentication.
157 # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
159 # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
161 # You can disable this behavior by setting the following
162 # configuration entry to "no".
164 # allowed values: {no, yes}
165 # set_auth_type = yes
167 # ldap_debug: debug flag for LDAP SDK
168 # (see OpenLDAP documentation). Set this to enable
169 # huge amounts of LDAP debugging on the screen.
170 # You should only use this if you are an LDAP expert.
172 # default: 0x0000 (no debugging messages)
173 # Example: (LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
176 # As of version 2.2.0, the "auto_header" and
177 # "password_header" configuration items have been removed.
178 # Since they were deprecated long ago, this change should not
182 # Keepalive configuration. This MAY NOT be supported by your
183 # LDAP library. If these configuration entries appear in the
184 # output of "radiusd -X", then they are supported. Otherwise,
185 # they are unsupported, and changing them will do nothing.
188 # LDAP_OPT_X_KEEPALIVE_IDLE
191 # LDAP_OPT_X_KEEPALIVE_PROBES
194 # LDAP_OPT_X_KEEPALIVE_INTERVAL