summaryrefslogtreecommitdiffstats
path: root/raddb/mods-available/ldap
diff options
context:
space:
mode:
Diffstat (limited to 'raddb/mods-available/ldap')
-rw-r--r--raddb/mods-available/ldap712
1 files changed, 712 insertions, 0 deletions
diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap
new file mode 100644
index 0000000..997d41e
--- /dev/null
+++ b/raddb/mods-available/ldap
@@ -0,0 +1,712 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# Lightweight Directory Access Protocol (LDAP)
+#
+ldap {
+ # Note that this needs to match the name(s) in the LDAP server
+ # certificate, if you're using ldaps. See OpenLDAP documentation
+ # for the behavioral semantics of specifying more than one host.
+ #
+ # Depending on the libldap in use, server may be an LDAP URI.
+ # In the case of OpenLDAP this allows additional the following
+ # additional schemes:
+ # - ldaps:// (LDAP over SSL)
+ # - ldapi:// (LDAP over Unix socket)
+ # - ldapc:// (Connectionless LDAP)
+ server = 'localhost'
+# server = 'ldap.rrdns.example.org'
+# server = 'ldap.rrdns.example.org'
+
+ # Port to connect on, defaults to 389, will be ignored for LDAP URIs.
+# port = 389
+
+ # Administrator account for searching and possibly modifying.
+ # If using SASL + KRB5 these should be commented out.
+# identity = 'cn=admin,dc=example,dc=org'
+# password = mypass
+
+ # Unless overridden in another section, the dn from which all
+ # searches will start from.
+ base_dn = 'dc=example,dc=org'
+
+ #
+ # You can run the 'ldapsearch' command line tool using the
+ # parameters from this module's configuration.
+ #
+ # ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}'
+ #
+ # That will give you the LDAP information for 'user'.
+ #
+ # Group membership can be queried by using the above "ldapsearch" string,
+ # and adding "memberof" qualifiers. For ActiveDirectory, use:
+ #
+ # ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
+ #
+ # Where 'user' is the user as above, and 'group' is the group you are querying for.
+ #
+
+ #
+ # SASL parameters to use for admin binds
+ #
+ # When we're prompted by the SASL library, these control
+ # the responses given, as well as the identity and password
+ # directives above.
+ #
+ # If any directive is commented out, a NULL response will be
+ # provided to cyrus-sasl.
+ #
+ # Unfortunately the only way to control Keberos here is through
+ # environmental variables, as cyrus-sasl provides no API to
+ # set the krb5 config directly.
+ #
+ # Full documentation for MIT krb5 can be found here:
+ #
+ # http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
+ #
+ # At a minimum you probably want to set KRB5_CLIENT_KTNAME.
+ #
+ sasl {
+ # SASL mechanism
+# mech = 'PLAIN'
+
+ # SASL authorisation identity to proxy.
+# proxy = 'autz_id'
+
+ # SASL realm. Used for kerberos.
+# realm = 'example.org'
+ }
+
+ #
+ # Generic valuepair attribute
+ #
+
+ # If set, this will attribute will be retrieved in addition to any
+ # mapped attributes.
+ #
+ # Values should be in the format:
+ # <radius attr> <op> <value>
+ #
+ # Where:
+ # <radius attr>: Is the attribute you wish to create
+ # with any valid list and request qualifiers.
+ # <op>: Is any assignment operator (=, :=, +=).
+ # <value>: Is the value to parse into the new valuepair.
+ # If the value is wrapped in double quotes it
+ # will be xlat expanded.
+# valuepair_attribute = 'radiusAttribute'
+
+ #
+ # Mapping of LDAP directory attributes to RADIUS dictionary attributes.
+ #
+
+ # WARNING: Although this format is almost identical to the unlang
+ # update section format, it does *NOT* mean that you can use other
+ # unlang constructs in module configuration files.
+ #
+ # Configuration items are in the format:
+ # <radius attr> <op> <ldap attr>
+ #
+ # Where:
+ # <radius attr>: Is the destination RADIUS attribute
+ # with any valid list and request qualifiers.
+ # <op>: Is any assignment attribute (=, :=, +=, -=).
+ # <ldap attr>: Is the attribute associated with user or
+ # profile objects in the LDAP directory.
+ # If the attribute name is wrapped in double
+ # quotes it will be xlat expanded.
+ #
+ # Request and list qualifiers may also be placed after the 'update'
+ # section name to set defaults destination requests/lists
+ # for unqualified RADIUS attributes.
+ #
+ # Note: LDAP attribute names should be single quoted unless you want
+ # the name value to be derived from an xlat expansion, or an
+ # attribute ref.
+ update {
+ control:Password-With-Header += 'userPassword'
+# control:NT-Password := 'ntPassword'
+# reply:Reply-Message := 'radiusReplyMessage'
+# reply:Tunnel-Type := 'radiusTunnelType'
+# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
+# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
+
+ # Where only a list is specified as the RADIUS attribute,
+ # the value of the LDAP attribute is parsed as a valuepair
+ # in the same format as the 'valuepair_attribute' (above).
+ control: += 'radiusControlAttribute'
+ request: += 'radiusRequestAttribute'
+ reply: += 'radiusReplyAttribute'
+ }
+
+ # Set to yes if you have eDirectory and want to use the universal
+ # password mechanism.
+# edir = no
+
+ # Set to yes if you want to bind as the user after retrieving the
+ # Cleartext-Password. This will consume the login grace, and
+ # verify user authorization.
+# edir_autz = no
+
+ # LDAP "bind as user" configuration to check PAP passwords.
+ #
+ # Active Directory needs "bind as user", which can be done by
+ # adding the following "if" statement to the authorize {} section
+ # of the virtual server, after the "ldap" module. For
+ # example:
+ #
+ # ...
+ # ldap
+ # if ((ok || updated) && User-Password && !control:Auth-Type) {
+ # update {
+ # control:Auth-Type := ldap
+ # }
+ # }
+ # ...
+ #
+ # You will also need to uncomment the "Auth-Type LDAP" block in the
+ # "authenticate" section.
+ #
+ # This configuration is required because AD will not return the users
+ # "known good" password to FreeRADIUS. Instead, FreeRADIUS has to run
+ # "Auth-Type LDAP" in order to do an LDAP "bind as user", which will hand
+ # the user name / password to AD for verification.
+ #
+
+ #
+ # Name of the attribute that contains the user DN.
+ # The default name is LDAP-UserDn.
+ #
+ # If you have multiple LDAP instances, you should
+ # change this configuration item to:
+ #
+ # ${.:instance}-LDAP-UserDn
+ #
+ # That change allows the modules to set their own
+ # User DN, and to not conflict with each other.
+ #
+ user_dn = "LDAP-UserDn"
+
+ #
+ # User object identification.
+ #
+ user {
+ # Where to start searching in the tree for users
+ base_dn = "${..base_dn}"
+
+ # Filter for user objects, should be specific enough
+ # to identify a single user object.
+ #
+ # For Active Directory, you should use
+ # "samaccountname=" instead of "uid="
+ #
+ filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
+
+ # For Active Directory nested group, you should comment out the previous 'filter = ...'
+ # and use the below. Where 'group' is the group you are querying for.
+ #
+ # NOTE: The string '1.2.840.113556.1.4.1941' specifies LDAP_MATCHING_RULE_IN_CHAIN.
+ # This applies only to DN attributes. This is an extended match operator that walks
+ # the chain of ancestry in objects all the way to the root until it finds a match.
+ # This reveals group nesting. It is available only on domain controllers with
+ # Windows Server 2003 SP2 or Windows Server 2008 (or above).
+ #
+ # See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
+ #
+# filter = "(&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
+
+ # SASL parameters to use for user binds
+ #
+ # When we're prompted by the SASL library, these control
+ # the responses given.
+ #
+ # Any of the config items below may be an attribute ref
+ # or and expansion, so different SASL mechs, proxy IDs
+ # and realms may be used for different users.
+ sasl {
+ # SASL mechanism
+# mech = 'PLAIN'
+
+ # SASL authorisation identity to proxy.
+# proxy = &User-Name
+
+ # SASL realm. Used for kerberos.
+# realm = 'example.org'
+ }
+
+ # Search scope, may be 'base', 'one', sub' or 'children'
+# scope = 'sub'
+
+ # Server side result sorting
+ #
+ # A list of space delimited attributes to order the result
+ # set by, if the filter matches multiple objects.
+ # Only the first result in the set will be processed.
+ #
+ # If the attribute name is prefixed with a hyphen '-' the
+ # sorting order will be reversed for that attribute.
+ #
+ # If sort_by is set, and the server does not support sorting
+ # the search will fail.
+# sort_by = '-uid'
+
+ # If this is undefined, anyone is authorised.
+ # If it is defined, the contents of this attribute
+ # determine whether or not the user is authorised
+# access_attribute = 'dialupAccess'
+
+ # Control whether the presence of 'access_attribute'
+ # allows access, or denys access.
+ #
+ # If 'yes', and the access_attribute is present, or
+ # 'no' and the access_attribute is absent then access
+ # will be allowed.
+ #
+ # If 'yes', and the access_attribute is absent, or
+ # 'no' and the access_attribute is present, then
+ # access will not be allowed.
+ #
+ # If the value of the access_attribute is 'false', it
+ # will negate the result.
+ #
+ # e.g.
+ # access_positive = yes
+ # access_attribute = userAccessAllowed
+ #
+ # With an LDAP object containing:
+ # userAccessAllowed: false
+ #
+ # Will result in the user being locked out.
+# access_positive = yes
+ }
+
+ #
+ # User membership checking.
+ #
+ group {
+ # Where to start searching in the tree for groups
+ base_dn = "${..base_dn}"
+
+ # Filter for group objects, should match all available
+ # group objects a user might be a member of.
+ #
+ # If using Active Directory you are likely to need "group"
+ # instead of "posixGroup".
+ filter = '(objectClass=posixGroup)'
+
+ # Search scope, may be 'base', 'one', sub' or 'children'
+# scope = 'sub'
+
+ # Attribute that uniquely identifies a group.
+ # Is used when converting group DNs to group
+ # names.
+# name_attribute = cn
+
+ # Filter to find all group objects a user is a member of.
+ # That is, group objects with attributes that
+ # identify members (the inverse of membership_attribute).
+ #
+ # Note that this configuration references the "user_dn"
+ # configuration defined above.
+ #
+# membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
+
+ # The attribute, in user objects, which contain the names
+ # or DNs of groups a user is a member of.
+ #
+ # Unless a conversion between group name and group DN is
+ # needed, there's no requirement for the group objects
+ # referenced to actually exist.
+ #
+ # If the LDAP server does not support the "memberOf"
+ # attribute (or equivalent), then you will need to use the
+ # membership_filter option above instead. If you can't see
+ # the memberOf attribute then it is also possible that the
+ # LDAP bind user does not have the correct permissions to
+ # view it.
+ membership_attribute = 'memberOf'
+
+ # If cacheable_name or cacheable_dn are enabled,
+ # all group information for the user will be
+ # retrieved from the directory and written to LDAP-Group
+ # attributes appropriate for the instance of rlm_ldap.
+ #
+ # For group comparisons these attributes will be checked
+ # instead of querying the LDAP directory directly.
+ #
+ # This feature is intended to be used with rlm_cache.
+ #
+ # If you wish to use this feature, you should enable
+ # the type that matches the format of your check items
+ # i.e. if your groups are specified as DNs then enable
+ # cacheable_dn else enable cacheable_name.
+# cacheable_name = 'no'
+# cacheable_dn = 'no'
+
+ # Override the normal cache attribute (<inst>-LDAP-Group or
+ # LDAP-Group if using the default instance) and create a
+ # custom attribute. This can help if multiple module instances
+ # are used in fail-over.
+# cache_attribute = 'LDAP-Cached-Membership'
+
+ # If the group being checked is specified as a name, but
+ # the user's groups are referenced by DN, and one of those
+ # group DNs is invalid, the whole group check is treated as
+ # invalid, and a negative result will be returned.
+ # When set to 'yes', this option ignores invalid DN
+ # references.
+# allow_dangling_group_ref = 'no'
+ }
+
+ #
+ # User profiles. RADIUS profile objects contain sets of attributes
+ # to insert into the request. These attributes are mapped using
+ # the same mapping scheme applied to user objects (the update section above).
+ #
+ profile {
+ # Filter for RADIUS profile objects
+# filter = '(objectclass=radiusprofile)'
+
+ # The default profile. This may be a DN or an attribute
+ # reference.
+ # To get old v2.2.x style behaviour, or to use the
+ # &User-Profile attribute to specify the default profile,
+ # set this to &control:User-Profile.
+# default = 'cn=radprofile,dc=example,dc=org'
+
+ # The LDAP attribute containing profile DNs to apply
+ # in addition to the default profile above. These are
+ # retrieved from the user object, at the same time as the
+ # attributes from the update section, are are applied
+ # if authorization is successful.
+# attribute = 'radiusProfileDn'
+ }
+
+ #
+ # Bulk load clients from the directory
+ #
+ client {
+ # Where to start searching in the tree for clients
+ base_dn = "${..base_dn}"
+
+ #
+ # Filter to match client objects
+ #
+ filter = '(objectClass=radiusClient)'
+
+ # Search scope, may be 'base', 'one', 'sub' or 'children'
+# scope = 'sub'
+
+ #
+ # Sets default values (not obtained from LDAP) for new client entries
+ #
+ template {
+# login = 'test'
+# password = 'test'
+# proto = tcp
+# require_message_authenticator = yes
+
+ # Uncomment to add a home_server with the same
+ # attributes as the client.
+# coa_server {
+# response_window = 2.0
+# }
+ }
+
+ #
+ # Client attribute mappings are in the format:
+ # <client attribute> = <ldap attribute>
+ #
+ # The following attributes are required:
+ # * ipaddr | ipv4addr | ipv6addr - Client IP Address.
+ # * secret - RADIUS shared secret.
+ #
+ # All other attributes usually supported in a client
+ # definition are also supported here.
+ #
+ # Schemas are available in doc/schemas/ldap for openldap and eDirectory
+ #
+ attribute {
+ ipaddr = 'radiusClientIdentifier'
+ secret = 'radiusClientSecret'
+# shortname = 'radiusClientShortname'
+# nas_type = 'radiusClientType'
+# virtual_server = 'radiusClientVirtualServer'
+# require_message_authenticator = 'radiusClientRequireMa'
+ }
+ }
+
+ # Load clients on startup
+# read_clients = no
+
+ #
+ # Modify user object on receiving Accounting-Request
+ #
+
+ # Useful for recording things like the last time the user logged
+ # in, or the Acct-Session-ID for CoA/DM.
+ #
+ # LDAP modification items are in the format:
+ # <ldap attr> <op> <value>
+ #
+ # Where:
+ # <ldap attr>: The LDAP attribute to add modify or delete.
+ # <op>: One of the assignment operators:
+ # (:=, +=, -=, ++).
+ # Note: '=' is *not* supported.
+ # <value>: The value to add modify or delete.
+ #
+ # WARNING: If using the ':=' operator with a multi-valued LDAP
+ # attribute, all instances of the attribute will be removed and
+ # replaced with a single attribute.
+ accounting {
+ reference = "%{tolower:type.%{Acct-Status-Type}}"
+
+ type {
+ start {
+ update {
+ description := "Online at %S"
+ }
+ }
+
+ interim-update {
+ update {
+ description := "Last seen at %S"
+ }
+ }
+
+ stop {
+ update {
+ description := "Offline at %S"
+ }
+ }
+ }
+ }
+
+ #
+ # Post-Auth can modify LDAP objects too
+ #
+ post-auth {
+ update {
+ description := "Authenticated at %S"
+ }
+ }
+
+ #
+ # LDAP connection-specific options.
+ #
+ # These options set timeouts, keep-alives, etc. for the connections.
+ #
+ options {
+ # Control under which situations aliases are followed.
+ # May be one of 'never', 'searching', 'finding' or 'always'
+ # default: libldap's default which is usually 'never'.
+ #
+ # LDAP_OPT_DEREF is set to this value.
+# dereference = 'always'
+
+ #
+ # The following two configuration items control whether the
+ # server follows references returned by LDAP directory.
+ # They are mostly for Active Directory compatibility.
+ # If you set these to 'no', then searches will likely return
+ # 'operations error', instead of a useful result.
+ #
+ # 'rebind' causes any connections being established to follow
+ # referrals to be bound using the admin credentials defined
+ # for this module. If it is set to 'no' libldap will bind
+ # to those connections anonymously.
+ #
+ chase_referrals = yes
+ rebind = yes
+
+ # SASL Security Properties (see SASL_SECPROPS in ldap.conf man page).
+ # Note - uncomment when using GSS-API sasl mechanism along with TLS
+ # encryption against Active-Directory LDAP servers (this disables
+ # sealing and signing at the GSS level as required by AD).
+ #sasl_secprops = 'noanonymous,noplain,maxssf=0'
+
+ # Seconds to wait for LDAP query to finish. default: 20
+ res_timeout = 10
+
+ # Seconds LDAP server has to process the query (server-side
+ # time limit). default: 20
+ #
+ # LDAP_OPT_TIMELIMIT is set to this value.
+ srv_timelimit = 3
+
+ # Seconds to wait for response of the server. (network
+ # failures) default: 10
+ #
+ # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
+ net_timeout = 1
+
+ # LDAP_OPT_X_KEEPALIVE_IDLE
+ idle = 60
+
+ # LDAP_OPT_X_KEEPALIVE_PROBES
+ probes = 3
+
+ # LDAP_OPT_X_KEEPALIVE_INTERVAL
+ interval = 3
+
+ # ldap_debug: debug flag for LDAP SDK
+ # (see OpenLDAP documentation). Set this to enable
+ # huge amounts of LDAP debugging on the screen.
+ # You should only use this if you are an LDAP expert.
+ #
+ # default: 0x0000 (no debugging messages)
+ # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
+ ldap_debug = 0x0028
+ }
+
+ #
+ # This subsection configures the tls related items
+ # that control how FreeRADIUS connects to an LDAP
+ # server. It contains all of the 'tls_*' configuration
+ # entries used in older versions of FreeRADIUS. Those
+ # configuration entries can still be used, but we recommend
+ # using these.
+ #
+ # Note that some distributions use NSS for libldap instead
+ # of OpenSSL.
+ #
+ # If you see something like this in the debug output:
+ #
+ # TLSMC: MozNSS compatibility interception begins.
+ #
+ # Then there is a problem.
+ #
+ # THIS LDAP INSTALLATION WILL NOT WORK WITH FREERADIUS.
+ #
+ # You MUST install fixed LDAP libraries which use OpenSSL.
+ #
+ # For more details, see:
+ #
+ # http://packages.networkradius.com
+ #
+ tls {
+ # Set this to 'yes' to use TLS encrypted connections
+ # to the LDAP database by using the StartTLS extended
+ # operation.
+ #
+ # The StartTLS operation is supposed to be
+ # used with normal ldap connections instead of
+ # using ldaps (port 636) connections
+# start_tls = yes
+
+# ca_file = ${certdir}/cacert.pem
+
+# ca_path = ${certdir}
+# certificate_file = /path/to/radius.crt
+# private_key_file = /path/to/radius.key
+# random_file = /dev/urandom
+
+ # Certificate Verification requirements. Can be:
+ # 'never' (do not even bother trying)
+ # 'allow' (try, but don't fail if the certificate
+ # cannot be verified)
+ # 'demand' (fail if the certificate does not verify)
+ # 'hard' (similar to 'demand' but fails if TLS
+ # cannot negotiate)
+ #
+ # The default is libldap's default, which varies based
+ # on the contents of ldap.conf.
+
+# require_cert = 'demand'
+
+ #
+ # Check the CRL, as with the EAP module.
+ #
+ # The default is "no".
+ #
+# check_crl = yes
+
+ #
+ # Minimum TLS version to accept. We STRONGLY recommend
+ # setting this to "1.2"
+ #
+# tls_min_version = "1.2"
+
+ # Set this option to specify the allowed
+ # TLS cipher suites. The format is listed
+ # in "man 1 ciphers".
+ #
+ cipher_list = "DEFAULT"
+ }
+
+ # As of v3, the 'pool' section has replaced the
+ # following v2 configuration items:
+ #
+ # ldap_connections_number
+
+ #
+ # The connection pool is used to pool outgoing connections.
+ #
+ # When the server is not threaded, the connection pool
+ # limits are ignored, and only one connection is used.
+ pool {
+ # Connections to create during module instantiation.
+ # If the server cannot create specified number of
+ # connections during instantiation it will exit.
+ # Set to 0 to allow the server to start without the
+ # directory being available.
+ start = ${thread[pool].start_servers}
+
+ # Minimum number of connections to keep open
+ min = ${thread[pool].min_spare_servers}
+
+ # Maximum number of connections
+ #
+ # If these connections are all in use and a new one
+ # is requested, the request will NOT get a connection.
+ #
+ # Setting 'max' to LESS than the number of threads means
+ # that some threads may starve, and you will see errors
+ # like 'No connections available and at max connection limit'
+ #
+ # Setting 'max' to MORE than the number of threads means
+ # that there are more connections than necessary.
+ max = ${thread[pool].max_servers}
+
+ # Spare connections to be left idle
+ #
+ # NOTE: Idle connections WILL be closed if "idle_timeout"
+ # is set. This should be less than or equal to "max" above.
+ spare = ${thread[pool].max_spare_servers}
+
+ # Number of uses before the connection is closed
+ #
+ # 0 means "infinite"
+ uses = 0
+
+ # The number of seconds to wait after the server tries
+ # to open a connection, and fails. During this time,
+ # no new connections will be opened.
+ retry_delay = 30
+
+ # The lifetime (in seconds) of the connection
+ lifetime = 0
+
+ # Idle timeout (in seconds). A connection which is
+ # unused for this length of time will be closed.
+ idle_timeout = 60
+
+ # NOTE: All configuration settings are enforced. If a
+ # connection is closed because of 'idle_timeout',
+ # 'uses', or 'lifetime', then the total number of
+ # connections MAY fall below 'min'. When that
+ # happens, it will open a new connection. It will
+ # also log a WARNING message.
+ #
+ # The solution is to either lower the 'min' connections,
+ # or increase lifetime/idle_timeout.
+
+ # Maximum number of times an operation can be retried
+ # if it returns an error which indicates the connection
+ # needs to be restarted. This includes timeouts.
+ max_retries = 5
+ }
+}