source: n4d-freeradius/trunk/fuentes/install/usr/share/n4d/templates/n4d-freeradius/modules/ldap @ 5606

Last change on this file since 5606 was 5606, checked in by hectorgh, 23 months ago

adding groupname filters

File size: 5.7 KB
Line 
1# -*- text -*-
2#
3#  $Id$
4
5# Lightweight Directory Access Protocol (LDAP)
6#
7#  This module definition allows you to use LDAP for
8#  authorization and authentication.
9#
10#  See raddb/sites-available/default for reference to the
11#  ldap module in the authorize and authenticate sections.
12#
13#  However, LDAP can be used for authentication ONLY when the
14#  Access-Request packet contains a clear-text User-Password
15#  attribute.  LDAP authentication will NOT work for any other
16#  authentication method.
17#
18#  This means that LDAP servers don't understand EAP.  If you
19#  force "Auth-Type = LDAP", and then send the server a
20#  request containing EAP authentication, then authentication
21#  WILL NOT WORK.
22#
23#  The solution is to use the default configuration, which does
24#  work.
25#
26#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
27#  really can't emphasize this enough.
28#       
29ldap {
30        #
31        #  Note that this needs to match the name in the LDAP
32        #  server certificate, if you're using ldaps.
33        server = "%%SERVER%%"
34        identity = "%%LDAP_USER%%"
35        password = %%LDAP_PASSWORD%%
36        basedn = "%%LDAP_BASE_DN%%"
37        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
38        #base_filter = "(objectclass=radiusprofile)"
39
40        #  How many connections to keep open to the LDAP server.
41        #  This saves time over opening a new LDAP socket for
42        #  every authentication request.
43        ldap_connections_number = 5
44
45        # seconds to wait for LDAP query to finish. default: 20
46        timeout = 4
47
48        #  seconds LDAP server has to process the query (server-side
49        #  time limit). default: 20
50        #
51        #  LDAP_OPT_TIMELIMIT is set to this value.
52        timelimit = 3
53
54        #
55        #  seconds to wait for response of the server. (network
56        #   failures) default: 10
57        #
58        #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
59        net_timeout = 1
60
61        #
62        #  This subsection configures the tls related items
63        #  that control how FreeRADIUS connects to an LDAP
64        #  server.  It contains all of the "tls_*" configuration
65        #  entries used in older versions of FreeRADIUS.  Those
66        #  configuration entries can still be used, but we recommend
67        #  using these.
68        #
69        tls {
70                # Set this to 'yes' to use TLS encrypted connections
71                # to the LDAP database by using the StartTLS extended
72                # operation.
73                #                       
74                # The StartTLS operation is supposed to be
75                # used with normal ldap connections instead of
76                # using ldaps (port 689) connections
77                start_tls = yes
78
79                # cacertfile    = /path/to/cacert.pem
80                # cacertdir             = /path/to/ca/dir/
81                # certfile              = /path/to/radius.crt
82                # keyfile               = /path/to/radius.key
83                # randfile              = /path/to/rnd
84
85                #  Certificate Verification requirements.  Can be:
86                #    "never" (don't even bother trying)
87                #    "allow" (try, but don't fail if the cerificate
88                #               can't be verified)
89                #    "demand" (fail if the certificate doesn't verify.)
90                #
91                #       The default is "allow"
92                # require_cert  = "demand"
93        }
94
95        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
96        # profile_attribute = "radiusProfileDn"
97        # access_attr = "dialupAccess"
98
99        # Mapping of RADIUS dictionary attributes to LDAP
100        # directory attributes.
101        dictionary_mapping = ${confdir}/ldap.attrmap
102
103        #  Set password_attribute = nspmPassword to get the
104        #  user's password from a Novell eDirectory
105        #  backend. This will work ONLY IF FreeRADIUS has been
106        #  built with the --with-edir configure option.
107        #
108        #  See also the following links:
109        #
110        #  http://www.novell.com/coolsolutions/appnote/16745.html
111        #  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
112        #
113        #  Novell may require TLS encrypted sessions before returning
114        #  the user's password.
115        #
116        # password_attribute = userPassword
117
118        #  Un-comment the following to disable Novell
119        #  eDirectory account policy check and intruder
120        #  detection. This will work *only if* FreeRADIUS is
121        #  configured to build with --with-edir option.
122        #
123        edir_account_policy_check = no
124
125        #
126        #  Group membership checking.  Disabled by default.
127        #
128        # groupname_attribute = cn
129        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
130        # groupmembership_attribute = radiusGroupName
131
132        groupname_attribute = cn
133        groupmembership_filter = "(memberUid=%{Usern-Name})"
134        groupmembership_attribute = memberUid
135
136        # compare_check_items = yes
137        # do_xlat = yes
138        # access_attr_used_for_allow = yes
139
140        #
141        #  The following two configuration items are for Active Directory
142        #  compatibility.  If you see the helpful "operations error"
143        #  being returned to the LDAP module, uncomment the next
144        #  two lines.
145        #
146        # chase_referrals = yes
147        # rebind = yes
148
149        #
150        #  By default, if the packet contains a User-Password,
151        #  and no other module is configured to handle the
152        #  authentication, the LDAP module sets itself to do
153        #  LDAP bind for authentication.
154        #
155        #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
156        #
157        #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
158        #
159        #  You can disable this behavior by setting the following
160        #  configuration entry to "no".
161        #
162        #  allowed values: {no, yes}
163        # set_auth_type = yes
164
165        #  ldap_debug: debug flag for LDAP SDK
166        #  (see OpenLDAP documentation).  Set this to enable
167        #  huge amounts of LDAP debugging on the screen.
168        #  You should only use this if you are an LDAP expert.
169        #
170        #       default: 0x0000 (no debugging messages)
171        #       Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
172        #ldap_debug = 0x0028
173
174        #
175        #  Keepalive configuration.  This MAY NOT be supported by your
176        #  LDAP library.  If these configuration entries appear in the
177        #  output of "radiusd -X", then they are supported.  Otherwise,
178        #  they are unsupported, and changing them will do nothing.
179        #
180        keepalive {
181                # LDAP_OPT_X_KEEPALIVE_IDLE
182                idle = 60
183
184                # LDAP_OPT_X_KEEPALIVE_PROBES
185                probes = 3
186
187                # LDAP_OPT_X_KEEPALIVE_INTERVAL
188                interval = 3
189        }
190}
Note: See TracBrowser for help on using the repository browser.