Diffstat (limited to 'raddb/mods-available/ldap_google')
-rw-r--r-- | raddb/mods-available/ldap_google | 262 |
1 files changed, 262 insertions, 0 deletions
diff --git a/raddb/mods-available/ldap_google b/raddb/mods-available/ldap_google
new file mode 100644
index 0000000..03c98d3
--- /dev/null
+++ b/raddb/mods-available/ldap_google
@@ -0,0 +1,262 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# This file contains an instance of the ldap module which has been
+# configured for the G Suite / Google Workspace Secure LDAP server.
+# There are a few steps which still need to be taken, but they are
+# documented clearly below.
+#
+# In order to use the Google LDAP server, a client must first be
+# created. See Google's documentation for doing this:
+#
+# https://support.google.com/a/answer/9048434?hl=en&ref_topic=9173976
+#
+# Google LDAP requires that any system connecting to it use a client
+# certificate. However, FreeRADIUS also requires a username and
+# password in the "ldap" module configuration. Therere before
+# downloading the client certificate from Google, you should choose
+# the option to generate access credentials in order to obtain a
+# username and password. That username and password should be used
+# below.
+#
+# Ensure the Goolge client configuration which is used for FreeRADIUS
+# has sufficient permissions to read user information, and, if group
+# membership is part of the FreeRADIUS policy, ensure that the client
+# can read group information. This configuration is done on Google's
+# systems. Please see the Google documentation for more information.
+#
+# NOTE: The Google LDAP database does NOT return user passwords in
+# the search results!
+#
+# Therefore, if Google LDAP is being used for authentication, it will
+# ONLY work when using "LDAP bind as user". The authentication
+# method used there MUST also provide the user password in plain
+# text. This limits the use of Google LDAP to PAP, and TTLS+PAP.
+# Anything else simply will not work, and nothing you do will ever
+# make it work.
+#
+# The Google LDAP service has been observed to have poor
+# performance compared to a dedicated / local LDAP server like
+# OpenLDAP. In order to improve performance, we simply bypass it
+# completely by caching things associated with accept and reject.
+# See mods-available/cache_auth for the cache configuration, and
+# sites-available/google-ldap-auth for a sample virtual server which
+# uses this module, and the cache.
+#
+# In addition, if you are using Google LDAP service as part of WiFi
+# authentication (remember, only TTLS+PAP will work!), then we also
+# recommend enabling the "cache" configuration in mods-available/eap.
+# That cache is a separate one from mods-available/cache_auth, and
+# both caches can be used at the same time.
+#
+#
+# The comments in this file are specific to using the Google Secure
+# LDAP service. For more general LDAP module configuration, see the
+# mods-available/ldap.
+#
+ldap ldap_google {
+ # The standard Google LDAP server URL
+ server = 'ldaps://ldap.google.com:636/'
+
+ # Google LDAP client username and password as generated during
+ # client creation.
+# identity = 'myuser'
+# password = 'mypass'
+
+ # Base dn for your organisation.
+ base_dn = 'dc=example,dc=org'
+
+ #
+ # The default Google LDAP schema can be seen here
+ #
+ # https://support.google.com/a/answer/9188164
+ #
+ # Custom attributes can be added to user profiles, and those
+ # custom attributes can then be accessed in the LDAP
+ # directory:
+ #
+ # https://support.google.com/a/answer/6208725
+ #
+ # You can run the 'ldapsearch' command line tool using the
+ # parameters from this module's configuration.
+ #
+ # LDAPTLS_REQCERT=ALLOW \
+ # LDAPTLS_CERT="<Google certificate file>" \
+ # LDAPTLS_KEY="<Google key file>" \
+ # ldapsearch -H ${server} -b '${base_dn}' '(uid=user)'
+ #
+ # That command will return the LDAP information for 'user'.
+ #
+ # Group membership can be queried by using the above "ldapsearch" string,
+ # and adding "memberof" qualifiers.
+ #
+
+# valuepair_attribute = 'radiusAttribute'
+
+ update {
+# reply:Reply-Message := 'radiusReplyMessage'
+# reply:Tunnel-Type := 'radiusTunnelType'
+# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
+# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
+
+ control: += 'radiusControlAttribute'
+ request: += 'radiusRequestAttribute'
+ reply: += 'radiusReplyAttribute'
+ }
+
+ #
+ # In order to use LDAP "bind as user" authentication, you
+ # should add following "if" statement to the authorize {}
+ # section of the virtual server, after the "ldap" module.
+ # For example:
+ #
+ # ...
+ # ldap_google
+ # if ((ok || updated) && User-Password && !control:Auth-Type) {
+ # update {
+ # &control:Auth-Type := ldap
+ # }
+ # }
+ # ...
+ #
+ # You will also need to uncomment the "Auth-Type LDAP" block in the
+ # "authenticate" section.
+ #
+ # Note that these configuration steps have already been done
+ # in the sample virtual server, in
+ # sites-available/google-ldap-auth.
+ #
+
+ #
+ # If you change this, you will also need to update the
+ # "cache_ldap_user_dn" module in mods-available/cache_auth.
+ #
+ user_dn = "LDAP-UserDn"
+
+ #
+ # User object identification.
+ #
+ user {
+ # The typical Google LDAP configuration has users under "ou=Users..."
+ base_dn = "ou=Users,${..base_dn}"
+
+ filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
+
+ scope = 'sub'
+
+# sort_by = '-uid'
+
+# access_attribute = 'dialupAccess'
+
+# access_positive = yes
+ }
+
+ #
+ # User membership checking.
+ #
+ group {
+ # The typical Google LDAP configuration has groups under "ou=Groups..."
+ base_dn = "ou=Groups,${..base_dn}"
+
+ filter = '(objectClass=posixGroup)'
+
+ scope = 'sub'
+
+ name_attribute = cn
+
+ #
+ # Google Secure LDAP supports the "memberOf"
+ # attribute, which is more efficient than using this
+ # filter.
+ #
+ # You should also check the permissions of the client
+ # in Google's systems to ensure that it is allowed to
+ # read group information.
+ #
+# membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
+
+ membership_attribute = 'memberOf'
+
+ #
+ # If the "memberOf" attribute is used for retrieving group membership,
+ # then you should also use "cacheable_dn", in orser to cache the group details.
+ # "memberOf" is a list of fully quallified group DNs which the user belongs to,
+ # so using the DN for the cache avoids further lookups to retrieve group names.
+ #
+# cacheable_name = 'no'
+# cacheable_dn = 'no'
+
+# cache_attribute = 'LDAP-Cached-Membership'
+
+# allow_dangling_group_ref = 'no'
+ }
+
+ options {
+# dereference = 'always'
+
+ # Google Secure LDAP does not appear to do referrals, so we might as well
+ # turn this off.
+ chase_referrals = no
+# rebind = yes
+
+ # Some reasonable defaults for use with Google Secure LDAP
+ #
+ # See mods-available/ldap for a complete description
+ # of what these configuration options mean.
+ #
+ res_timeout = 10
+ srv_timelimit = 3
+ net_timeout = 3
+ idle = 60
+ probes = 3
+ interval = 3
+
+ ldap_debug = 0x0000
+ }
+
+ tls {
+
+ #
+ # The certificate and key which were downloaded from the Google
+ # client tools are configured here.
+ #
+ # By default ${certdir} is raddb/certs/. You can
+ # please these files anywhere you want. The only
+ # requirement is that they are readable by
+ # FreeRADIUS, and NOT readable by anyone else on the
+ # system!
+ #
+# certificate_file = ${certdir}/google/certificate.crt
+# private_key_file = ${certdir}/google/key.key
+# random_file = /dev/urandom
+
+ #
+ # Google Secure LDAP uses a self signed certificate
+ # so this configuration needs to be set to 'allow'
+ #
+ require_cert = 'allow'
+
+ #
+ # We recommend not using TLS 1.0 or 1.1.
+ #
+# tls_min_version = "1.2"
+ }
+
+ #
+ # See mods-available/ldap for documentation on the "pool"
+ # section and its configuration items.
+ #
+ pool {
+ start = ${thread[pool].start_servers}
+ min = ${thread[pool].min_spare_servers}
+ max = ${thread[pool].max_servers}
+ spare = ${thread[pool].max_spare_servers}
+
+ uses = 0
+ retry_delay = 30
+ lifetime = 0
+ idle_timeout = 60
+ }
+} |
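Review bot: `require_cert = 'allow'` in the new `tls {}` section disables verification of the server certificate presented by ldap.google.com, so the user password that the "bind as user" flow described in the header sends over this connection is protected only against passive observation, not against an interposed LDAP server; the "self signed" justification in the comment above it does not require turning verification off. The service certificate (or whatever issues it) can instead be shipped next to the client certificate and trusted explicitly, e.g. `ca_file = ${certdir}/google/<google-ldap-ca.pem>` together with `require_cert = 'demand'`, which assumes the certificate presented by the service is stable enough to pin and should be confirmed against Google's current documentation before the default is changed. In the same section the commented-out `# tls_min_version = "1.2"` contradicts the comment immediately above it recommending against TLS 1.0/1.1, so enabling it by default would make that recommendation effective. Several header comments also carry typos that every deployment will copy ("Therere", "Goolge", "orser", "quallified", and "please these files" for "place these files").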