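--- a/unknown
+++ b/unknown
@@ -1,351 +1,355 @@
 <?php
 /*
 This class handled of ldap configuration.
 WARNING! This class can't says if the configuration is valid or not.
 */
 
 class ldapConfig
 {
 protected $_items = Array();
 protected $_tls = array();
 protected $instanceName;
 
 public function __construct($instanceName=null) {
 if ($instanceName!== null)
 $this->instanceName = $instanceName;
 // LDAP setting
 $this->_items['protocol'] = 'ldap';
 $this->_items['host'] = 'test';
 $this->_items['server'] = $this->_items['protocol'].'://'.$this->_items['host'];
 $this->_items['port'] = '389';//not use yet (689 = ldaps)
 $this->_items['identity'] = '';
 $this->_items['password'] = '';
 $this->_items['basedn'] = 'dc=example,dc=com';
 $this->_items['uid'] = 'uid';
 $this->_items['filter'] = "($this->_items['uid']=%{Stripped-User-Name:-%{User-Name}})";
 $this->_items['base_filter'] = '';
 $this->_items['ldap_connections_number'] = '5';
 $this->_items['timeout'] = '4';
 $this->_items['timelimit'] = '3';
 $this->_items['net_timeout'] = '1';
 // TLS setting related items
 $this->_tls['start_tls'] = 'no'; // if no all tls config are comments
 $this->_tls['cacertfile'] = '#';
 $this->_tls['cacertdir'] = '#';
 $this->_tls['certfile'] = '#';
 $this->_tls['keyfile'] = '#';
 $this->_tls['randfile'] = '#';
 $this->_tls['require_cert'] = '#';
 // others ldap setting (optional)
 $this->_items['default_profile'] = '#';
 $this->_items['profile_attribute'] = '#';
 $this->_items['access_attr'] = '#';
 // Mapping of RADIUS dictionary attributes to LDAP
 // directory attributes.
 $this->_items['dictionary_mapping'] = '${confdir}/ldap.attrmap';
 // for ldap like NOVEL
 $this->_items['password_attribute'] = '#';
 $this->_items['edir_account_policy_check'] = 'no';
 // Group membership checking. Disabled by default.
 $this->_items['groupname_attribute'] = '#';
 $this->_items['groupmembership_filter'] = '#';
 $this->_items['groupmembership_attribute'] = '#';
 $this->_items['compare_check_items'] = '#';
 $this->_items['do_xlat'] = '#';
 $this->_items['access_attr_used_for_allow'] = '#';
 // auth option
 $this->_items['set_auth_type'] = '#';
 // debug option
 $this->_items['ldap_debug'] = '#';
 }
 
 public function __get($attr){ // to get an $item
 if ($attr==='tls'){
 return $this->_tls;
 } elseif (array_key_exists($attr, $this->_items)){
 return $this->_items[$attr];
 } elseif (array_key_exists($attr, $this->_tls)){
 return $this->_tls[$attr];
 }
 // nothing else!
 }
 public function __set($attr, $value){// to set an $item
 if (array_key_exists($attr, $this->_items)){
 switch ($attr){
 case "protocol":
 $this->_items['protocol'] = $value;
 $this->_items['server'] = $this->_items['protocol'].'://'.$this->_items['host'];
 break;
 case "host":
 $this->_items['host'] = $value;
 $this->_items['server'] = $this->_items['protocol'].'://'.$this->_items['host'];
 break;
 case "server":
 // extract protocole & host
 $tmp = explode("://",$value,2);
 if (count($tmp) == 2){
 $this->_items['protocol'] = $tmp[0];
 $this->_items['host'] = $tmp[1];
 } else {
 $this->_items['protocol'] = 'ldap';
-$this->_items['host'] = $tmp[1];
+$this->_items['host'] = $tmp[0];
 }
 $this->_items['server'] = $this->_items['protocol'].'://'.$this->_items['host'];
 break;
 case "uid":
 $this->_items['uid'] = $value;
-$this->_items['filter'] = "($this->_items['uid']=%{Stripped-User-Name:-%{User-Name}})";
+$this->_items['filter'] = "(".$this->_items['uid']."=%{Stripped-User-Name:-%{User-Name}})";
 break;
 case "filter":
 // extract uid
 if (preg_match('`^[\(]([\sa-zA-Z0-9_-]*)=\%\{Stripped\-User\-Name:\-\%\{User-Name\}\}\)`',$value)){
 $this->_items['uid'] = preg_replace('`^[\(]([\sa-zA-Z0-9_-]*)=\%\{Stripped\-User\-Name:\-\%\{User-Name\}\}\)`','$1',$value);
 } else {
 $this->_items['uid'] = 'uid';
 }
 $this->_items['filter'] = "($this->_items['uid']=%{Stripped-User-Name:-%{User-Name}})";
 break;
 default:
 $this->_items[$attr] = $value;
 }
 } elseif (array_key_exists($attr, $this->_tls)){
 $this->_tls[$attr] = $value;
 }
 }
 public function load($confFile){
 // use here the parsing class
 require_once("configreader.php");
-
 $r = new configReader($confFile);
-
 /*
 loading only if the file containt only one ldap instance.
 If more instance are found, we use the default values instead.
 */
 if (is_object($r->ldap)){
 $this->instanceName = $r->ldap->getInstanceName();
 $items = $r->ldap->getpair();
+
-foreach ($this->_items as $key => $value){
+foreach ($items as $pair){
+$pairName = $pair->getName();
+$pairValue = $pair->getPair($pairName);
-if (array_key_exists($key, $items))
-$this->_items[$key] = $items[$key];
+if (array_key_exists($pairName , $this->_items))
+$this->$pairName = $pairValue; // we use __set() function to have all exceptions!
 }
 if (is_object($r->ldap->tls)){
 $tls = $r->ldap->tls->getpair();
+
-foreach ($this->_tls as $key => $value){
+foreach ($tls as $pair){
+$tlsPairName = $pair->getName();
+$tlsPairValue = $pair->getPair($tlsPairName);
-if (array_key_exists($key, $tls))
-$this->_tls[$key] = $tls[$key];
+if (array_key_exists($tlsPairName , $this->_tls))
+$this->$tlsPairName = $pairValue; // we use __set() function to have all exceptions!
 }
 }
 }
 }
 public function __toString() {
 return $this->save(null, true);
 }
 protected function _noComment($name, $value, $quote = false){
 if ($value !== '#'){
 if ($quote === true){
 return $name." = \"".$value."\"";
 } else {
 return $name." = ".$value;
 }
 }
 }
 public function save($savefile = null, $returnconfig = false){
 // make config file
 $config = "
 # Lightweight Directory Access Protocol (LDAP)
 #
 # This module definition allows you to use LDAP for
 # authorization and authentication.
 #
 # See raddb/sites-available/default for reference to the
 # ldap module in the authorize and authenticate sections.
 #
 # However, LDAP can be used for authentication ONLY when the
 # Access-Request packet contains a clear-text User-Password
 # attribute. LDAP authentication will NOT work for any other
 # authentication method.
 #
 # This means that LDAP servers don't understand EAP. If you
 # force \"Auth-Type = LDAP\", and then send the server a
 # request containing EAP authentication, then authentication
 # WILL NOT WORK.
 #
 # The solution is to use the default configuration, which does
 # work.
 #
 # Setting \"Auth-Type = LDAP\" is ALMOST ALWAYS WRONG. We
 # really can't emphasize this enough.
 #
 ldap ".$this->instanceName."{
 #
 # Note that this needs to match the name in the LDAP
 # server certificate, if you're using ldaps.
 server = \"".$this->_items['server']."\"
 identity = \"".$this->_items['identity']."\"
 password = ".$this->_items['password']."
 basedn = \"".$this->_items['basedn']."\"
 filter = \"".$this->_items['filter']."\"
 base_filter = \"".$this->_items['base_filter']."\"
 
 # How many connections to keep open to the LDAP server.
 # This saves time over opening a new LDAP socket for
 # every authentication request.
 ldap_connections_number = ".$this->_items['ldap_connections_number']."
 
 # seconds to wait for LDAP query to finish. default: 20
 timeout = ".$this->_items['timeout']."
 
 # seconds LDAP server has to process the query (server-side
 # time limit). default: 20
 #
 # LDAP_OPT_TIMELIMIT is set to this value.
 timelimit = ".$this->_items['timelimit']."
 
 #
 # seconds to wait for response of the server. (network
 # failures) default: 10
 #
 # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
 net_timeout = ".$this->_items['net_timeout']."
 
 #
 # This subsection configures the tls related items
 # that control how FreeRADIUS connects to an LDAP
 # server. It contains all of the \"tls_*\" configuration
 # entries used in older versions of FreeRADIUS. Those
 # configuration entries can still be used, but we recommend
 # using these.
 #
 tls {
 # Set this to 'yes' to use TLS encrypted connections
 # to the LDAP database by using the StartTLS extended
 # operation.
 #
 # The StartTLS operation is supposed to be
 # used with normal ldap connections instead of
 # using ldaps (port 689) connections
 start_tls = ".$this->_tls['start_tls']."
 
 # cacertfile = /path/to/cacert.pem
 # cacertdir = /path/to/ca/dir/
 # certfile = /path/to/radius.crt
 # keyfile = /path/to/radius.key
 # randfile = /path/to/rnd
 ".$this->_noComment("cacertfile", $this->_tls['cacertfile'])."
 ".$this->_noComment("cacertdir", $this->_tls['cacertdir'])."
 ".$this->_noComment("certfile", $this->_tls['certfile'])."
 ".$this->_noComment("keyfile", $this->_tls['keyfile'])."
 ".$this->_noComment("randfile", $this->_tls['randfile'])."
 # Certificate Verification requirements. Can be:
 # \"never\" (don't even bother trying)
 # \"allow\" (try, but don't fail if the cerificate
 # can't be verified)
 # \"demand\" (fail if the certificate doesn't verify.)
 #
 # The default is \"allow\"
 # require_cert = \"demand\"
 ".$this->_noComment("require_cert", $this->_tls['require_cert'], true)."
 }
 
 # default_profile = \"cn=radprofile,ou=dialup,o=My Org,c=UA\"
 # profile_attribute = \"radiusProfileDn\"
 # access_attr = \"dialupAccess\"
 ".$this->_noComment("default_profile", $this->_items['default_profile'], true)."
 ".$this->_noComment("profile_attribute", $this->_items['profile_attribute'], true)."
 ".$this->_noComment("access_attr", $this->_items['access_attr'], true)."
 # Mapping of RADIUS dictionary attributes to LDAP
 # directory attributes.
 dictionary_mapping = ".$this->_items['dictionary_mapping']."
 
 # Set password_attribute = nspmPassword to get the
 # user's password from a Novell eDirectory
 # backend. This will work ONLY IF FreeRADIUS has been
 # built with the --with-edir configure option.
 #
 # See also the following links:
 #
 # http://www.novell.com/coolsolutions/appnote/16745.html
 # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
 #
 # Novell may require TLS encrypted sessions before returning
 # the user's password.
 #
 # password_attribute = userPassword
 ".$this->_noComment("access_attr", $this->_items['access_attr'])."
 # Un-comment the following to disable Novell
 # eDirectory account policy check and intruder
 # detection. This will work *only if* FreeRADIUS is
 # configured to build with --with-edir option.
 #
 edir_account_policy_check = no
 ".$this->_noComment("access_attr", $this->_items['access_attr'])."
 #
 # Group membership checking. Disabled by default.
 #
 # groupname_attribute = cn
 # groupmembership_filter = \"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))\"
 # groupmembership_attribute = radiusGroupName
 ".$this->_noComment("groupname_attribute", $this->_items['groupname_attribute'])."
 ".$this->_noComment("groupmembership_filter", $this->_items['groupmembership_filter'], true)."
 ".$this->_noComment("groupmembership_attribute", $this->_items['groupmembership_attribute'])."
 # compare_check_items = yes
 # do_xlat = yes
 # access_attr_used_for_allow = yes
 ".$this->_noComment("compare_check_items", $this->_items['compare_check_items'])."
 ".$this->_noComment("do_xlat", $this->_items['do_xlat'])."
 ".$this->_noComment("access_attr_used_for_allow", $this->_items['access_attr_used_for_allow'])."
 #
 # By default, if the packet contains a User-Password,
 # and no other module is configured to handle the
 # authentication, the LDAP module sets itself to do
 # LDAP bind for authentication.
 #
 # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
 #
 # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
 #
 # You can disable this behavior by setting the following
 # configuration entry to \"no\".
 #
 # allowed values: {no, yes}
 # set_auth_type = yes
 # set_auth_type = no
 ".$this->_noComment("set_auth_type", $this->_items['set_auth_type'])."
 # ldap_debug: debug flag for LDAP SDK
 # (see OpenLDAP documentation). Set this to enable
 # huge amounts of LDAP debugging on the screen.
 # You should only use this if you are an LDAP expert.
 #
 # default: 0x0000 (no debugging messages)
 # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
 #ldap_debug = 0x0028
 ".$this->_noComment("ldap_debug", $this->_items['ldap_debug'])."
 }
 ";
 if ($savefile !== null){
 // save config file
 if (is_file($savefile)){
 // save the file
 if (!is_writable($savefile))
 return false;
 $updatedFile = fopen( $savefile, 'w' );
 fwrite( $updatedFile, $config );
 fclose( $updatedFile );
 } else {
 // create a new file
 $newFile = fopen($savefile, 'w') or die("can't create file");
 fwrite( $newFile, $config );
 fclose( $newFile );
 }
 }
 // test $returnconfig
 if (($returnconfig===true)||($returnconfig==="yes")){
 return $config;
 }else{
 return true;
 }
 }
 }
 ?>
 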
Generated by GNU Enscript 1.6.6.
|
356 |
Generated by GNU Enscript 1.6.6.
|
353 |
|
357 |
|
354 |
|
358 |
|
355 |
|
359 |
|