0,0 → 1,161 |
# -*- text -*- |
# |
# $Id$ |
|
# Lightweight Directory Access Protocol (LDAP) |
# |
# This module definition allows you to use LDAP for |
# authorization and authentication. |
# |
# See raddb/sites-available/default for reference to the |
# ldap module in the authorize and authenticate sections. |
# |
# However, LDAP can be used for authentication ONLY when the |
# Access-Request packet contains a clear-text User-Password |
# attribute. LDAP authentication will NOT work for any other |
# authentication method. |
# |
# This means that LDAP servers don't understand EAP. If you |
# force "Auth-Type = LDAP", and then send the server a |
# request containing EAP authentication, then authentication |
# WILL NOT WORK. |
# |
# The solution is to use the default configuration, which does |
# work. |
# |
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We |
# really can't emphasize this enough. |
# |
ldap { |
# |
# Note that this needs to match the name in the LDAP |
# server certificate, if you're using ldaps. |
server = "" |
identity = "" |
password = |
basedn = "dc=example,dc=com" |
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" |
base_filter = "" |
|
# How many connections to keep open to the LDAP server. |
# This saves time over opening a new LDAP socket for |
# every authentication request. |
ldap_connections_number = 5 |
|
# seconds to wait for LDAP query to finish. default: 20 |
timeout = 4 |
|
# seconds LDAP server has to process the query (server-side |
# time limit). default: 20 |
# |
# LDAP_OPT_TIMELIMIT is set to this value. |
timelimit = 3 |
|
# |
# seconds to wait for response of the server. (network |
# failures) default: 10 |
# |
# LDAP_OPT_NETWORK_TIMEOUT is set to this value. |
net_timeout = 1 |
|
# |
# This subsection configures the tls related items |
# that control how FreeRADIUS connects to an LDAP |
# server. It contains all of the "tls_*" configuration |
# entries used in older versions of FreeRADIUS. Those |
# configuration entries can still be used, but we recommend |
# using these. |
# |
tls { |
# Set this to 'yes' to use TLS encrypted connections |
# to the LDAP database by using the StartTLS extended |
# operation. |
# |
# The StartTLS operation is supposed to be |
# used with normal ldap connections instead of |
# using ldaps (port 689) connections |
start_tls = no |
|
# cacertfile = /path/to/cacert.pem |
# cacertdir = /path/to/ca/dir/ |
# certfile = /path/to/radius.crt |
# keyfile = /path/to/radius.key |
# randfile = /path/to/rnd |
|
# Certificate Verification requirements. Can be: |
# "never" (don't even bother trying) |
# "allow" (try, but don't fail if the cerificate |
# can't be verified) |
# "demand" (fail if the certificate doesn't verify.) |
# |
# The default is "allow" |
# require_cert = "demand" |
} |
|
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" |
# profile_attribute = "radiusProfileDn" |
# access_attr = "dialupAccess" |
|
# Mapping of RADIUS dictionary attributes to LDAP |
# directory attributes. |
dictionary_mapping = ${confdir}/ldap.attrmap |
|
# Set password_attribute = nspmPassword to get the |
# user's password from a Novell eDirectory |
# backend. This will work ONLY IF FreeRADIUS has been |
# built with the --with-edir configure option. |
# |
# See also the following links: |
# |
# http://www.novell.com/coolsolutions/appnote/16745.html |
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html |
# |
# Novell may require TLS encrypted sessions before returning |
# the user's password. |
# |
# password_attribute = userPassword |
|
# Un-comment the following to disable Novell |
# eDirectory account policy check and intruder |
# detection. This will work *only if* FreeRADIUS is |
# configured to build with --with-edir option. |
# |
edir_account_policy_check = no |
|
# |
# Group membership checking. Disabled by default. |
# |
# groupname_attribute = cn |
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" |
# groupmembership_attribute = radiusGroupName |
|
# compare_check_items = yes |
# do_xlat = yes |
# access_attr_used_for_allow = yes |
|
# |
# By default, if the packet contains a User-Password, |
# and no other module is configured to handle the |
# authentication, the LDAP module sets itself to do |
# LDAP bind for authentication. |
# |
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION. |
# |
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). |
# |
# You can disable this behavior by setting the following |
# configuration entry to "no". |
# |
# allowed values: {no, yes} |
# set_auth_type = yes |
# set_auth_type = no |
|
# ldap_debug: debug flag for LDAP SDK |
# (see OpenLDAP documentation). Set this to enable |
# huge amounts of LDAP debugging on the screen. |
# You should only use this if you are an LDAP expert. |
# |
# default: 0x0000 (no debugging messages) |
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) |
#ldap_debug = 0x0028 |
} |
Property changes: |
Added: svn:keywords |
+Id Author Date |
\ No newline at end of property |