| 0,0 → 1,161 |
|---|
| # -*- text -*- |
| # |
| # $Id$ |
| |
| # Lightweight Directory Access Protocol (LDAP) |
| # |
| # This module definition allows you to use LDAP for |
| # authorization and authentication. |
| # |
| # See raddb/sites-available/default for reference to the |
| # ldap module in the authorize and authenticate sections. |
| # |
| # However, LDAP can be used for authentication ONLY when the |
| # Access-Request packet contains a clear-text User-Password |
| # attribute. LDAP authentication will NOT work for any other |
| # authentication method. |
| # |
| # This means that LDAP servers don't understand EAP. If you |
| # force "Auth-Type = LDAP", and then send the server a |
| # request containing EAP authentication, then authentication |
| # WILL NOT WORK. |
| # |
| # The solution is to use the default configuration, which does |
| # work. |
| # |
| # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We |
| # really can't emphasize this enough. |
| # |
| ldap { |
| # |
| # Note that this needs to match the name in the LDAP |
| # server certificate, if you're using ldaps. |
| server = "" |
| identity = "" |
| password = |
| basedn = "dc=example,dc=com" |
| filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" |
| base_filter = "" |
| |
| # How many connections to keep open to the LDAP server. |
| # This saves time over opening a new LDAP socket for |
| # every authentication request. |
| ldap_connections_number = 5 |
| |
| # seconds to wait for LDAP query to finish. default: 20 |
| timeout = 4 |
| |
| # seconds LDAP server has to process the query (server-side |
| # time limit). default: 20 |
| # |
| # LDAP_OPT_TIMELIMIT is set to this value. |
| timelimit = 3 |
| |
| # |
| # seconds to wait for response of the server. (network |
| # failures) default: 10 |
| # |
| # LDAP_OPT_NETWORK_TIMEOUT is set to this value. |
| net_timeout = 1 |
| |
| # |
| # This subsection configures the tls related items |
| # that control how FreeRADIUS connects to an LDAP |
| # server. It contains all of the "tls_*" configuration |
| # entries used in older versions of FreeRADIUS. Those |
| # configuration entries can still be used, but we recommend |
| # using these. |
| # |
| tls { |
| # Set this to 'yes' to use TLS encrypted connections |
| # to the LDAP database by using the StartTLS extended |
| # operation. |
| # |
| # The StartTLS operation is supposed to be |
| # used with normal ldap connections instead of |
| # using ldaps (port 689) connections |
| start_tls = no |
| |
| # cacertfile = /path/to/cacert.pem |
| # cacertdir = /path/to/ca/dir/ |
| # certfile = /path/to/radius.crt |
| # keyfile = /path/to/radius.key |
| # randfile = /path/to/rnd |
| |
| # Certificate Verification requirements. Can be: |
| # "never" (don't even bother trying) |
| # "allow" (try, but don't fail if the cerificate |
| # can't be verified) |
| # "demand" (fail if the certificate doesn't verify.) |
| # |
| # The default is "allow" |
| # require_cert = "demand" |
| } |
| |
| # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" |
| # profile_attribute = "radiusProfileDn" |
| # access_attr = "dialupAccess" |
| |
| # Mapping of RADIUS dictionary attributes to LDAP |
| # directory attributes. |
| dictionary_mapping = ${confdir}/ldap.attrmap |
| |
| # Set password_attribute = nspmPassword to get the |
| # user's password from a Novell eDirectory |
| # backend. This will work ONLY IF FreeRADIUS has been |
| # built with the --with-edir configure option. |
| # |
| # See also the following links: |
| # |
| # http://www.novell.com/coolsolutions/appnote/16745.html |
| # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html |
| # |
| # Novell may require TLS encrypted sessions before returning |
| # the user's password. |
| # |
| # password_attribute = userPassword |
| |
| # Un-comment the following to disable Novell |
| # eDirectory account policy check and intruder |
| # detection. This will work *only if* FreeRADIUS is |
| # configured to build with --with-edir option. |
| # |
| edir_account_policy_check = no |
| |
| # |
| # Group membership checking. Disabled by default. |
| # |
| # groupname_attribute = cn |
| # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" |
| # groupmembership_attribute = radiusGroupName |
| |
| # compare_check_items = yes |
| # do_xlat = yes |
| # access_attr_used_for_allow = yes |
| |
| # |
| # By default, if the packet contains a User-Password, |
| # and no other module is configured to handle the |
| # authentication, the LDAP module sets itself to do |
| # LDAP bind for authentication. |
| # |
| # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. |
| # |
| # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). |
| # |
| # You can disable this behavior by setting the following |
| # configuration entry to "no". |
| # |
| # allowed values: {no, yes} |
| # set_auth_type = yes |
| # set_auth_type = no |
| |
| # ldap_debug: debug flag for LDAP SDK |
| # (see OpenLDAP documentation). Set this to enable |
| # huge amounts of LDAP debugging on the screen. |
| # You should only use this if you are an LDAP expert. |
| # |
| # default: 0x0000 (no debugging messages) |
| # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) |
| #ldap_debug = 0x0028 |
| } |