summaryrefslogtreecommitdiffstats
path: root/raddb/mods-available/ldap_google
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--raddb/mods-available/ldap_google262
1 files changed, 262 insertions, 0 deletions
diff --git a/raddb/mods-available/ldap_google b/raddb/mods-available/ldap_google
new file mode 100644
index 0000000..03c98d3
--- /dev/null
+++ b/raddb/mods-available/ldap_google
@@ -0,0 +1,262 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# This file contains an instance of the ldap module which has been
+# configured for the G Suite / Google Workspace Secure LDAP server.
+# There are a few steps which still need to be taken, but they are
+# documented clearly below.
+#
+# In order to use the Google LDAP server, a client must first be
+# created. See Google's documentation for doing this:
+#
+# https://support.google.com/a/answer/9048434?hl=en&ref_topic=9173976
+#
+# Google LDAP requires that any system connecting to it use a client
+# certificate. However, FreeRADIUS also requires a username and
+# password in the "ldap" module configuration. Therere before
+# downloading the client certificate from Google, you should choose
+# the option to generate access credentials in order to obtain a
+# username and password. That username and password should be used
+# below.
+#
+# Ensure the Goolge client configuration which is used for FreeRADIUS
+# has sufficient permissions to read user information, and, if group
+# membership is part of the FreeRADIUS policy, ensure that the client
+# can read group information. This configuration is done on Google's
+# systems. Please see the Google documentation for more information.
+#
+# NOTE: The Google LDAP database does NOT return user passwords in
+# the search results!
+#
+# Therefore, if Google LDAP is being used for authentication, it will
+# ONLY work when using "LDAP bind as user". The authentication
+# method used there MUST also provide the user password in plain
+# text. This limits the use of Google LDAP to PAP, and TTLS+PAP.
+# Anything else simply will not work, and nothing you do will ever
+# make it work.
+#
+# The Google LDAP service has been observed to have poor
+# performance compared to a dedicated / local LDAP server like
+# OpenLDAP. In order to improve performance, we simply bypass it
+# completely by caching things associated with accept and reject.
+# See mods-available/cache_auth for the cache configuration, and
+# sites-available/google-ldap-auth for a sample virtual server which
+# uses this module, and the cache.
+#
+# In addition, if you are using Google LDAP service as part of WiFi
+# authentication (remember, only TTLS+PAP will work!), then we also
+# recommend enabling the "cache" configuration in mods-available/eap.
+# That cache is a separate one from mods-available/cache_auth, and
+# both caches can be used at the same time.
+#
+#
+# The comments in this file are specific to using the Google Secure
+# LDAP service. For more general LDAP module configuration, see the
+# mods-available/ldap.
+#
+ldap ldap_google {
+ # The standard Google LDAP server URL
+ server = 'ldaps://ldap.google.com:636/'
+
+ # Google LDAP client username and password as generated during
+ # client creation.
+# identity = 'myuser'
+# password = 'mypass'
+
+ # Base dn for your organisation.
+ base_dn = 'dc=example,dc=org'
+
+ #
+ # The default Google LDAP schema can be seen here
+ #
+ # https://support.google.com/a/answer/9188164
+ #
+ # Custom attributes can be added to user profiles, and those
+ # custom attributes can then be accessed in the LDAP
+ # directory:
+ #
+ # https://support.google.com/a/answer/6208725
+ #
+ # You can run the 'ldapsearch' command line tool using the
+ # parameters from this module's configuration.
+ #
+ # LDAPTLS_REQCERT=ALLOW \
+ # LDAPTLS_CERT="<Google certificate file>" \
+ # LDAPTLS_KEY="<Google key file>" \
+ # ldapsearch -H ${server} -b '${base_dn}' '(uid=user)'
+ #
+ # That command will return the LDAP information for 'user'.
+ #
+ # Group membership can be queried by using the above "ldapsearch" string,
+ # and adding "memberof" qualifiers.
+ #
+
+# valuepair_attribute = 'radiusAttribute'
+
+ update {
+# reply:Reply-Message := 'radiusReplyMessage'
+# reply:Tunnel-Type := 'radiusTunnelType'
+# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
+# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
+
+ control: += 'radiusControlAttribute'
+ request: += 'radiusRequestAttribute'
+ reply: += 'radiusReplyAttribute'
+ }
+
+ #
+ # In order to use LDAP "bind as user" authentication, you
+ # should add following "if" statement to the authorize {}
+ # section of the virtual server, after the "ldap" module.
+ # For example:
+ #
+ # ...
+ # ldap_google
+ # if ((ok || updated) && User-Password && !control:Auth-Type) {
+ # update {
+ # &control:Auth-Type := ldap
+ # }
+ # }
+ # ...
+ #
+ # You will also need to uncomment the "Auth-Type LDAP" block in the
+ # "authenticate" section.
+ #
+ # Note that these configuration steps have already been done
+ # in the sample virtual server, in
+ # sites-available/google-ldap-auth.
+ #
+
+ #
+ # If you change this, you will also need to update the
+ # "cache_ldap_user_dn" module in mods-available/cache_auth.
+ #
+ user_dn = "LDAP-UserDn"
+
+ #
+ # User object identification.
+ #
+ user {
+ # The typical Google LDAP configuration has users under "ou=Users..."
+ base_dn = "ou=Users,${..base_dn}"
+
+ filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
+
+ scope = 'sub'
+
+# sort_by = '-uid'
+
+# access_attribute = 'dialupAccess'
+
+# access_positive = yes
+ }
+
+ #
+ # User membership checking.
+ #
+ group {
+ # The typical Google LDAP configuration has groups under "ou=Groups..."
+ base_dn = "ou=Groups,${..base_dn}"
+
+ filter = '(objectClass=posixGroup)'
+
+ scope = 'sub'
+
+ name_attribute = cn
+
+ #
+ # Google Secure LDAP supports the "memberOf"
+ # attribute, which is more efficient than using this
+ # filter.
+ #
+ # You should also check the permissions of the client
+ # in Google's systems to ensure that it is allowed to
+ # read group information.
+ #
+# membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
+
+ membership_attribute = 'memberOf'
+
+ #
+ # If the "memberOf" attribute is used for retrieving group membership,
+ # then you should also use "cacheable_dn", in orser to cache the group details.
+ # "memberOf" is a list of fully quallified group DNs which the user belongs to,
+ # so using the DN for the cache avoids further lookups to retrieve group names.
+ #
+# cacheable_name = 'no'
+# cacheable_dn = 'no'
+
+# cache_attribute = 'LDAP-Cached-Membership'
+
+# allow_dangling_group_ref = 'no'
+ }
+
+ options {
+# dereference = 'always'
+
+ # Google Secure LDAP does not appear to do referrals, so we might as well
+ # turn this off.
+ chase_referrals = no
+# rebind = yes
+
+ # Some reasonable defaults for use with Google Secure LDAP
+ #
+ # See mods-available/ldap for a complete description
+ # of what these configuration options mean.
+ #
+ res_timeout = 10
+ srv_timelimit = 3
+ net_timeout = 3
+ idle = 60
+ probes = 3
+ interval = 3
+
+ ldap_debug = 0x0000
+ }
+
+ tls {
+
+ #
+ # The certificate and key which were downloaded from the Google
+ # client tools are configured here.
+ #
+ # By default ${certdir} is raddb/certs/. You can
+ # please these files anywhere you want. The only
+ # requirement is that they are readable by
+ # FreeRADIUS, and NOT readable by anyone else on the
+ # system!
+ #
+# certificate_file = ${certdir}/google/certificate.crt
+# private_key_file = ${certdir}/google/key.key
+# random_file = /dev/urandom
+
+ #
+ # Google Secure LDAP uses a self signed certificate
+ # so this configuration needs to be set to 'allow'
+ #
+ require_cert = 'allow'
+
+ #
+ # We recommend not using TLS 1.0 or 1.1.
+ #
+# tls_min_version = "1.2"
+ }
+
+ #
+ # See mods-available/ldap for documentation on the "pool"
+ # section and its configuration items.
+ #
+ pool {
+ start = ${thread[pool].start_servers}
+ min = ${thread[pool].min_spare_servers}
+ max = ${thread[pool].max_servers}
+ spare = ${thread[pool].max_spare_servers}
+
+ uses = 0
+ retry_delay = 30
+ lifetime = 0
+ idle_timeout = 60
+ }
+}