Subversion Repositories ALCASAR

Rev

Details | Last modification | View Log

Rev Author Line No. Line
1 root 1 
# -*- text -*-
2 
#
3 
#  $Id: ldap 56 2010-04-05 13:04:16Z franck $
4 
 
5 
# Lightweight Directory Access Protocol (LDAP)
6 
#
7 
#  This module definition allows you to use LDAP for
8 
#  authorization and authentication.
9 
#
10 
#  See raddb/sites-available/default for reference to the
11 
#  ldap module in the authorize and authenticate sections.
12 
#
13 
#  However, LDAP can be used for authentication ONLY when the
14 
#  Access-Request packet contains a clear-text User-Password
15 
#  attribute.  LDAP authentication will NOT work for any other
16 
#  authentication method.
17 
#
18 
#  This means that LDAP servers don't understand EAP.  If you
19 
#  force "Auth-Type = LDAP", and then send the server a
20 
#  request containing EAP authentication, then authentication
21 
#  WILL NOT WORK.
22 
#
23 
#  The solution is to use the default configuration, which does
24 
#  work.
25 
#
26 
#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
27 
#  really can't emphasize this enough.
28 
#
29 
ldap {
30 
	#
31 
	#  Note that this needs to match the name in the LDAP
32 
	#  server certificate, if you're using ldaps.
33 
server = ""
34 
identity = ""
35 
password =
36 
basedn = "dc=example,dc=com"
37 
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
38 
base_filter = ""
39 
 
40 
	#  How many connections to keep open to the LDAP server.
41 
	#  This saves time over opening a new LDAP socket for
42 
	#  every authentication request.
43 
	ldap_connections_number = 5
44 
 
45 
	# seconds to wait for LDAP query to finish. default: 20
46 
	timeout = 4
47 
 
48 
	#  seconds LDAP server has to process the query (server-side
49 
	#  time limit). default: 20
50 
	#
51 
	#  LDAP_OPT_TIMELIMIT is set to this value.
52 
	timelimit = 3
53 
 
54 
	#
55 
	#  seconds to wait for response of the server. (network
56 
	#   failures) default: 10
57 
	#
58 
	#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
59 
	net_timeout = 1
60 
 
61 
	#
62 
	#  This subsection configures the tls related items
63 
	#  that control how FreeRADIUS connects to an LDAP
64 
	#  server.  It contains all of the "tls_*" configuration
65 
	#  entries used in older versions of FreeRADIUS.  Those
66 
	#  configuration entries can still be used, but we recommend
67 
	#  using these.
68 
	#
69 
	tls {
70 
		# Set this to 'yes' to use TLS encrypted connections
71 
		# to the LDAP database by using the StartTLS extended
72 
		# operation.
73 
		#
74 
		# The StartTLS operation is supposed to be
75 
		# used with normal ldap connections instead of
76 
		# using ldaps (port 689) connections
77 
		start_tls = no
78 
 
79 
		# cacertfile	= /path/to/cacert.pem
80 
		# cacertdir		= /path/to/ca/dir/
81 
		# certfile		= /path/to/radius.crt
82 
		# keyfile		= /path/to/radius.key
83 
		# randfile		= /path/to/rnd
84 
 
85 
		#  Certificate Verification requirements.  Can be:
86 
		#    "never" (don't even bother trying)
87 
		#    "allow" (try, but don't fail if the cerificate
88 
		#		can't be verified)
89 
		#    "demand" (fail if the certificate doesn't verify.)
90 
		#
91 
		#	The default is "allow"
92 
		# require_cert	= "demand"
93 
	}
94 
 
95 
	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
96 
	# profile_attribute = "radiusProfileDn"
97 
	# access_attr = "dialupAccess"
98 
 
99 
	# Mapping of RADIUS dictionary attributes to LDAP
100 
	# directory attributes.
101 
	dictionary_mapping = ${confdir}/ldap.attrmap
102 
 
103 
	#  Set password_attribute = nspmPassword to get the
104 
	#  user's password from a Novell eDirectory
105 
	#  backend. This will work ONLY IF FreeRADIUS has been
106 
	#  built with the --with-edir configure option.
107 
	#
108 
	#  See also the following links:
109 
	#
110 
	#  http://www.novell.com/coolsolutions/appnote/16745.html
111 
	#  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
112 
	#
113 
	#  Novell may require TLS encrypted sessions before returning
114 
	#  the user's password.
115 
	#
116 
	# password_attribute = userPassword
117 
 
118 
	#  Un-comment the following to disable Novell
119 
	#  eDirectory account policy check and intruder
120 
	#  detection. This will work *only if* FreeRADIUS is
121 
	#  configured to build with --with-edir option.
122 
	#
123 
	edir_account_policy_check = no
124 
 
125 
	#
126 
	#  Group membership checking.  Disabled by default.
127 
	#
128 
	# groupname_attribute = cn
129 
	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
130 
	# groupmembership_attribute = radiusGroupName
131 
 
132 
	# compare_check_items = yes
133 
	# do_xlat = yes
134 
	# access_attr_used_for_allow = yes
135 
 
136 
	#
137 
	#  By default, if the packet contains a User-Password,
138 
	#  and no other module is configured to handle the
139 
	#  authentication, the LDAP module sets itself to do
140 
	#  LDAP bind for authentication.
141 
	#
142 
	#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
143 
	#
144 
	#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
145 
	#
146 
	#  You can disable this behavior by setting the following
147 
	#  configuration entry to "no".
148 
	#
149 
	#  allowed values: {no, yes}
150 
	# set_auth_type = yes
151 
	# set_auth_type = no
152 
 
153 
	#  ldap_debug: debug flag for LDAP SDK
154 
	#  (see OpenLDAP documentation).  Set this to enable
155 
	#  huge amounts of LDAP debugging on the screen.
156 
	#  You should only use this if you are an LDAP expert.
157 
	#
158 
	#	default: 0x0000 (no debugging messages)
159 
	#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
160 
	#ldap_debug = 0x0028
161 
}