5 # Lightweight Directory Access Protocol (LDAP)
7 # This module definition allows you to use LDAP for
8 # authorization and authentication.
10 # See raddb/sites-available/default for reference to the
11 # ldap module in the authorize and authenticate sections.
13 # However, LDAP can be used for authentication ONLY when the
14 # Access-Request packet contains a clear-text User-Password
15 # attribute. LDAP authentication will NOT work for any other
16 # authentication method.
18 # This means that LDAP servers don't understand EAP. If you
19 # force "Auth-Type = LDAP", and then send the server a
20 # request containing EAP authentication, then authentication
23 # The solution is to use the default configuration, which does
26 # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
27 # really can't emphasize this enough.
31 # Note that this needs to match the name in the LDAP
32 # server certificate if you're using ldaps or StartTLS.
33 server = "ldap.your.domain"
34 #identity = "cn=admin,o=My Org,c=UA"
36 basedn = "o=My Org,c=UA"
37 filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
38 #base_filter = "(objectclass=radiusprofile)"
40 # How many connections to keep open to the LDAP server.
41 # This saves time over opening a new LDAP socket for
42 # every authentication request.
43 ldap_connections_number = 5
45 # seconds to wait for LDAP query to finish. default: 20
48 # seconds LDAP server has to process the query (server-side
49 # time limit). default: 20
51 # LDAP_OPT_TIMELIMIT is set to this value.
55 # seconds to wait for response of the server. (network
56 # failures) default: 10
58 # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
62 # This subsection configures the TLS-related items
63 # that control how FreeRADIUS connects to an LDAP
64 # server. It contains all of the "tls_*" configuration
65 # entries used in older versions of FreeRADIUS. Those
66 # configuration entries can still be used, but we recommend
70 # Set this to 'yes' to use TLS encrypted connections
71 # to the LDAP database by using the StartTLS extended
74 # The StartTLS operation is supposed to be
75 # used with normal ldap connections instead of
76 # using ldaps (port 689) connections
79 # cacertfile = /path/to/cacert.pem
80 # cacertdir = /path/to/ca/dir/
81 # certfile = /path/to/radius.crt
82 # keyfile = /path/to/radius.key
83 # randfile = /path/to/rnd
85 # Certificate Verification requirements. Can be:
86 # "never" (don't even bother trying)
87 # "allow" (try, but don't fail if the certificate
89 # "demand" (fail if the certificate doesn't verify.)
91 # The default is "allow", which means a certificate that fails verification does not abort the TLS session, so the LDAP server's identity is not actually checked; use "demand" wherever server authentication matters.
92 # require_cert = "demand"
95 # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
96 # profile_attribute = "radiusProfileDn"
97 # access_attr = "dialupAccess"
99 # Mapping of RADIUS dictionary attributes to LDAP
100 # directory attributes.
101 dictionary_mapping = ${confdir}/ldap.attrmap
103 # Set password_attribute = nspmPassword to get the
104 # user's password from a Novell eDirectory
105 # backend. This will work ONLY IF FreeRADIUS has been
106 # built with the --with-edir configure option.
108 # See also the following links:
110 # http://www.novell.com/coolsolutions/appnote/16745.html
111 # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
113 # Novell may require TLS encrypted sessions before returning
114 # the user's password.
116 # password_attribute = userPassword
118 # Un-comment the following to disable Novell
119 # eDirectory account policy check and intruder
120 # detection. This will work *only if* FreeRADIUS is
121 # configured to build with --with-edir option.
123 edir_account_policy_check = no
126 # Group membership checking. Disabled by default.
128 # groupname_attribute = cn
129 # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
130 # groupmembership_attribute = radiusGroupName
132 # compare_check_items = yes
134 # access_attr_used_for_allow = yes
137 # The following two configuration items are for Active Directory
138 # compatibility. If you see the helpful "operations error"
139 # being returned to the LDAP module, uncomment the next
142 # chase_referrals = yes
146 # By default, if the packet contains a User-Password,
147 # and no other module is configured to handle the
148 # authentication, the LDAP module sets itself to do
149 # LDAP bind for authentication.
151 # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
153 # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
155 # You can disable this behavior by setting the following
156 # configuration entry to "no".
158 # allowed values: {no, yes}
159 # set_auth_type = yes
161 # ldap_debug: debug flag for LDAP SDK
162 # (see OpenLDAP documentation). Set this to enable
163 # huge amounts of LDAP debugging on the screen.
164 # You should only use this if you are an LDAP expert.
166 # default: 0x0000 (no debugging messages)
167 # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
170 # As of version 2.2.0, the "auto_header" and
171 # "password_header" configuration items have been removed.
172 # Since they were deprecated long ago, this change should not