# -*- text -*-
#
# $Id: 44b38ce953bccfdff9516584d0da95a54146b517 $

#
# FreeRADIUS rlm_ldap module configuration:
# Lightweight Directory Access Protocol (LDAP)
#
  8. ldap {
  9. #
  10. # Note that this needs to match the name in the LDAP
  11. # server certificate, if you're using ldaps.
  12. #
  13. # The ldap client libraries can do fail-over from one
  14. # server to another. Enable this by specifying
  15. # multiple host names, separated by commas.
  16. #
  17. # e.g. server = "ldap1.example.org,ldap2.example.org"
  18. #
  19. # Otherwise, it will use just one server.
  20. server = "auth1.companyname.local"
  21.  
  22. # Port to connect on, defaults to 389. Setting this to
  23. # 636 will enable LDAPS if start_tls (see below) is not
  24. # able to be used.
  25. # port = 389
  26.  
  27. # Administrator account for searching and possibly modifying.
  28. # identity = "cn=admin,dc=example,dc=org"
  29. # password = mypass
  30.  
  31. # Unless overridden in another section, the dn from which all
  32. # searches will start from.
  33. # base_dn = "dc=example,dc=org"
  34. base_dn = "dc=companyname,dc=local"
  35.  
  36. #
  37. # Mapping of LDAP directory attributes to RADIUS dictionary attributes.
  38. #
  39. # WARNING: Although this format is almost identical to the unlang
  40. # update section format, it does *NOT* mean that you can use other
  41. # unlang constructs in module configuration files.
  42. #
  43. # Configuration items are in the format:
  44. # <radius attr> <op> <ldap attr>
  45. #
  46. # Where:
  47. # <radius attr>: Is the destination RADIUS attribute
  48. # with any valid list and request qualifiers.
  49. # <op>: Is any assignment attribute (=, :=, +=, -=).
  50. # <ldap attr>: Is the attribute associated with user or
  51. # profile objects in the LDAP directory.
  52. # If the attribute name is wrapped in double
  53. # quotes it will be xlat expanded.
  54. #
  55. # Request and list qualifiers may also be placed after the 'update'
  56. # section name to set defaults destination requests/lists
  57. # for unqualified RADIUS attributes.
  58. #
  59. # Note: LDAP attribute names should be single quoted unless you want
  60. # the name value to be derived from an xlat expansion, or an
  61. # attribute ref.
  62. #
  63. update {
  64. control:Password-With-Header += 'userPassword'
  65. # control:NT-Password := 'ntPassword'
  66. # reply:Reply-Message := 'radiusReplyMessage'
  67. # reply:Tunnel-Type := 'radiusTunnelType'
  68. # reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
  69. # reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
  70. }
  71.  
  72. #
  73. # Generic valuepair attribute
  74. # If set, this will attribute will be retrieved in addition to any
  75. # mapped attributes.
  76. #
  77. # Values should be in the format:
  78. # <radius attr> <op> <value>
  79. #
  80. # Where:
  81. # <radius attr>: Is the attribute you wish to create
  82. # with any valid list and request qualifiers.
  83. # <op>: Is any assignment attribute (=, :=, +=, -=).
  84. # <value>: Is the value to parse into the new valuepair.
  85. # If the attribute name is wrapped in double
  86. # quotes it will be xlat expanded.
  87. #
  88. # valuepair_attribute = "radiusAttribute"
  89.  
  90. # Set to yes if you have eDirectory and want to use the universal
  91. # password mechanism.
  92. # edir = no
  93.  
  94. # Set to yes if you want to bind as the user after retrieving the
  95. # Cleartext-Password. This will consume the login grace, and
  96. # verify user authorization.
  97. # edir_autz = no
  98.  
  99. #
  100. # User object identification.
  101. #
  102. user {
  103. # Where to start searching in the tree for users
  104. base_dn = "${..base_dn}"
  105.  
  106. # Filter for user objects, should be specific enough
  107. # to identify a single user object.
  108. filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
  109.  
  110. # Search scope, may be 'base', 'one', sub' or 'children'
  111. # scope = 'sub'
  112.  
  113. # If this is undefined, anyone is authorised.
  114. # If it is defined, the contents of this attribute
  115. # determine whether or not the user is authorised
  116. # access_attribute = "dialupAccess"
  117.  
  118. # Control whether the presence of "access_attribute"
  119. # allows access, or denys access.
  120. #
  121. # If "yes", and the access_attribute is present, or
  122. # "no" and the access_attribute is absent then access
  123. # will be allowed.
  124. #
  125. # If "yes", and the access_attribute is absent, or
  126. # "no" and the access_attribute is present, then
  127. # access will not be allowed.
  128. #
  129. # If the value of the access_attribute is "false", it
  130. # will negate the result.
  131. #
  132. # e.g.
  133. # access_positive = yes
  134. # access_attribute = userAccessAllowed
  135. #
  136. # userAccessAllowed = false
  137. #
  138. # Will result in the user being locked out.
  139. # access_positive = yes
  140. }
  141.  
  142. #
  143. # User membership checking.
  144. #
  145. group {
  146. # Where to start searching in the tree for groups
  147. base_dn = "${..base_dn}"
  148.  
  149. # Filter for group objects, should match all available
  150. # group objects a user might be a member of.
  151. filter = "(objectClass=posixGroup)"
  152.  
  153. # Search scope, may be 'base', 'one', sub' or 'children'
  154. # scope = 'sub'
  155.  
  156. # Attribute that uniquely identifies a group.
  157. # Is used when converting group DNs to group
  158. # names.
  159. # name_attribute = cn
  160.  
  161. # Filter to find group objects a user is a member of.
  162. # That is, group objects with attributes that
  163. # identify members (the inverse of membership_attribute).
  164. # membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
  165.  
  166. # The attribute in user objects which contain the names
  167. # or DNs of groups a user is a member of.
  168. #
  169. # Unless a conversion between group name and group DN is
  170. # needed, there's no requirement for the group objects
  171. # referenced to actually exist.
  172. membership_attribute = "memberOf"
  173.  
  174. # If cacheable_name or cacheable_dn are enabled,
  175. # all group information for the user will be
  176. # retrieved from the directory and written to LDAP-Group
  177. # attributes appropriate for the instance of rlm_ldap.
  178. #
  179. # For group comparisons these attributes will be checked
  180. # instead of querying the LDAP directory directly.
  181. #
  182. # This feature is intended to be used with rlm_cache.
  183. #
  184. # If you with to use this feature, you should enable
  185. # the type that matches the format of your check items
  186. # i.e. if your groups are specified as DNs then enable
  187. # cacheable_dn else enable cacheable_name.
  188. # cacheable_name = "no"
  189. # cacheable_dn = "no"
  190. }
  191.  
  192. #
  193. # User profiles. RADIUS profile objects contain sets of attributes
  194. # to insert into the request. These attributes are mapped using
  195. # the same mapping scheme applied to user objects.
  196. #
  197. profile {
  198. # Filter for RADIUS profile objects
  199. # filter = "(objectclass=radiusprofile)"
  200.  
  201. # The default profile applied to all users.
  202. # default = "cn=radprofile,dc=example,dc=org"
  203.  
  204. # The list of profiles which are applied (after the default)
  205. # to all users.
  206. # The "User-Profile" attribute in the control list
  207. # will override this setting at run-time.
  208. # attribute = "radiusProfileDn"
  209. }
  210.  
  211. #
  212. # Bulk load clients from the directory
  213. #
  214. client {
  215. # Where to start searching in the tree for clients
  216. base_dn = "${..base_dn}"
  217.  
  218. #
  219. # Filter to match client objects
  220. #
  221. filter = '(objectClass=frClient)'
  222.  
  223. # Search scope, may be 'base', 'one', 'sub' or 'children'
  224. # scope = 'sub'
  225.  
  226. #
  227. # Client attribute mappings are in the format:
  228. # <client attribute> = <ldap attribute>
  229. #
  230. # Arbitrary attributes (accessible by %{client:<attr>}) are not yet supported.
  231. #
  232. # The following attributes are required:
  233. # * identifier - IPv4 address, or IPv4 address with prefix, or hostname)
  234. # * secret - RADIUS shared secret
  235. #
  236. # The following attributes are optional:
  237. # * shortname - Friendly name associated with the client
  238. # * nas_type - NAS Type
  239. # * virtual_server - Virtual server to associate the client with
  240. # * require_message_authenticator - Whether we require the Message-Authenticator
  241. # attribute to be present in requests from the client.
  242. #
  243. # Schemas are available in doc/schemas/ldap for openldap and eDirectory
  244. #
  245. attribute {
  246. identifier = 'radiusClientIdentifier'
  247. secret = 'radiusClientSecret'
  248. # shortname = 'radiusClientShortname'
  249. # nas_type = 'radiusClientType'
  250. # virtual_server = 'radiusClientVirtualServer'
  251. # require_message_authenticator = 'radiusClientRequireMa'
  252. }
  253. }
  254.  
  255. #
  256. # Load clients on startup
  257. #
  258. # read_clients = no
  259.  
  260. #
  261. # Modify user object on receiving Accounting-Request
  262. #
  263. # Useful for recording things like the last time the user logged
  264. # in, or the Acct-Session-ID for CoA/DM.
  265. #
  266. # LDAP modification items are in the format:
  267. # <ldap attr> <op> <value>
  268. #
  269. # Where:
  270. # <ldap attr>: The LDAP attribute to add modify or delete.
  271. # <op>: One of the assignment operators:
  272. # (:=, +=, -=, ++).
  273. # Note: '=' is *not* supported.
  274. # <value>: The value to add modify or delete.
  275. #
  276. # WARNING: If using the ':=' operator with a multi-valued LDAP
  277. # attribute, all instances of the attribute will be removed and
  278. # replaced with a single attribute.
  279. #
  280. accounting {
  281. reference = "%{tolower:type.%{Acct-Status-Type}}"
  282.  
  283. type {
  284. start {
  285. update {
  286. description := "Online at %S"
  287. }
  288. }
  289.  
  290. interim-update {
  291. update {
  292. description := "Last seen at %S"
  293. }
  294. }
  295.  
  296. stop {
  297. update {
  298. description := "Offline at %S"
  299. }
  300. }
  301. }
  302. }
  303.  
  304. #
  305. # Post-Auth can modify LDAP objects too
  306. #
  307. post-auth {
  308. update {
  309. description := "Authenticated at %S"
  310. }
  311. }
  312.  
  313. # LDAP connection-specific options.
  314. #
  315. # These options set timeouts, keep-alives, etc. for the connections.
  316. #
  317. options {
  318. #
  319. # The following two configuration items are for Active Directory
  320. # compatibility. If you set these to "no", then searches
  321. # will likely return "operations error", instead of a
  322. # useful result.
  323. #
  324. chase_referrals = yes
  325. rebind = yes
  326.  
  327. # seconds to wait for LDAP query to finish. default: 20
  328. timeout = 10
  329.  
  330. # seconds LDAP server has to process the query (server-side
  331. # time limit). default: 20
  332. #
  333. # LDAP_OPT_TIMELIMIT is set to this value.
  334. timelimit = 3
  335.  
  336. #
  337. # seconds to wait for response of the server. (network
  338. # failures) default: 10
  339. #
  340. # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
  341. net_timeout = 1
  342.  
  343. # LDAP_OPT_X_KEEPALIVE_IDLE
  344. idle = 60
  345.  
  346. # LDAP_OPT_X_KEEPALIVE_PROBES
  347. probes = 3
  348.  
  349. # LDAP_OPT_X_KEEPALIVE_INTERVAL
  350. interval = 3
  351.  
  352. # ldap_debug: debug flag for LDAP SDK
  353. # (see OpenLDAP documentation). Set this to enable
  354. # huge amounts of LDAP debugging on the screen.
  355. # You should only use this if you are an LDAP expert.
  356. #
  357. # default: 0x0000 (no debugging messages)
  358. # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
  359. ldap_debug = 0x0028
  360. }
  361.  
  362. #
  363. # This subsection configures the tls related items
  364. # that control how FreeRADIUS connects to an LDAP
  365. # server. It contains all of the "tls_*" configuration
  366. # entries used in older versions of FreeRADIUS. Those
  367. # configuration entries can still be used, but we recommend
  368. # using these.
  369. #
  370. tls {
  371. # Set this to 'yes' to use TLS encrypted connections
  372. # to the LDAP database by using the StartTLS extended
  373. # operation.
  374. #
  375. # The StartTLS operation is supposed to be
  376. # used with normal ldap connections instead of
  377. # using ldaps (port 636) connections
  378. # start_tls = yes
  379.  
  380. # ca_file = ${certdir}/cacert.pem
  381.  
  382. # ca_path = ${certdir}
  383. # certificate_file = /path/to/radius.crt
  384. # private_key_file = /path/to/radius.key
  385. # random_file = ${certdir}/random
  386.  
  387. # Certificate Verification requirements. Can be:
  388. # "never" (don't even bother trying)
  389. # "allow" (try, but don't fail if the certificate
  390. # can't be verified)
  391. # "demand" (fail if the certificate doesn't verify.)
  392. #
  393. # The default is "allow"
  394. # require_cert = "demand"
  395. }
  396.  
  397.  
  398. # As of version 3.0, the "pool" section has replaced the
  399. # following configuration items:
  400. #
  401. # ldap_connections_number
  402.  
  403. # The connection pool is new for 3.0, and will be used in many
  404. # modules, for all kinds of connection-related activity.
  405. #
  406. pool {
  407. # Number of connections to start
  408. start = 5
  409.  
  410. # Minimum number of connections to keep open
  411. min = 2
  412.  
  413. # Maximum number of connections
  414. #
  415. # If these connections are all in use and a new one
  416. # is requested, the request will NOT get a connection.
  417. max = 10
  418.  
  419. # Spare connections to be left idle
  420. #
  421. # NOTE: Idle connections WILL be closed if "idle_timeout"
  422. # is set.
  423. spare = 3
  424.  
  425. # Number of uses before the connection is closed
  426. #
  427. # 0 means "infinite"
  428. uses = 0
  429.  
  430. # The lifetime (in seconds) of the connection
  431. lifetime = 0
  432.  
  433. # idle timeout (in seconds). A connection which is
  434. # unused for this length of time will be closed.
  435. idle_timeout = 60
  436.  
  437. # NOTE: All configuration settings are enforced. If a
  438. # connection is closed because of "idle_timeout",
  439. # "uses", or "lifetime", then the total number of
  440. # connections MAY fall below "min". When that
  441. # happens, it will open a new connection. It will
  442. # also log a WARNING message.
  443. #
  444. # The solution is to either lower the "min" connections,
  445. # or increase lifetime/idle_timeout.
  446. }
  447.  
  448. }