fixed_ldap

1. # -*- text -*-
2. #
3. # $Id: 18f600589b67177679b9521feb65b7fbb0200ac2 $
4.  
5. # Microsoft CHAP authentication
6. #
7. # This module supports MS-CHAP and MS-CHAPv2 authentication.
8. # It also enforces the SMB-Account-Ctrl attribute.
9. #
10. mschap {
11. #
12. # If you are using /etc/smbpasswd, see the 'passwd'
13. # module for an example of how to use /etc/smbpasswd
14.  
15. # if use_mppe is not set to no mschap will
16. # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
17. # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
18. #
19. # use_mppe = no
20.  
21. # if mppe is enabled require_encryption makes
22. # encryption moderate
23. #
24. # require_encryption = yes
25.  
26. # require_strong always requires 128 bit key
27. # encryption
28. #
29. # require_strong = yes
30.  
31. # The module can perform authentication itself, OR
32. # use a Windows Domain Controller. This configuration
33. # directive tells the module to call the ntlm_auth
34. # program, which will do the authentication, and return
35. # the NT-Key. Note that you MUST have "winbindd" and
36. # "nmbd" running on the local machine for ntlm_auth
37. # to work. See the ntlm_auth program documentation
38. # for details.
39. #
40. # If ntlm_auth is configured below, then the mschap
41. # module will call ntlm_auth for every MS-CHAP
42. # authentication request. If there is a cleartext
43. # or NT hashed password available, you can set
44. # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
45. # and the mschap module will do the authentication itself,
46. # without calling ntlm_auth.
47. #
48. # Be VERY careful when editing the following line!
49. #
50. # You can also try setting the user name as:
51. #
52. # ... --username=%{mschap:User-Name} ...
53. #
54. # In that case, the mschap module will look at the User-Name
55. # attribute, and do prefix/suffix checks in order to obtain
56. # the "best" user name for the request.
57. #
58. #ntlm_auth = "/usr/bin/systemd-run -q -M nsdc -t /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
59. ntlm_auth = "nsdc-run -e /ntlm_auth_nsdc %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap:Challenge}:-00} %{%{mschap:NT-Response}:-00}"
60. # The default is to wait 10 seconds for ntlm_auth to
61. # complete. This is a long time, and if it's taking that
62. # long then you likely have other problems in your domain.
63. # The length of time can be decreased with the following
64. # option, which can save clients waiting if your ntlm_auth
65. # usually finishes quicker. Range 1 to 10 seconds.
66. #
67. # ntlm_auth_timeout = 10
68.  
69. # An alternative to using ntlm_auth is to connect to the
70. # winbind daemon directly for authentication. This option
71. # is likely to be faster and may be useful on busy systems,
72. # but is less well tested.
73. #
74. # Using this option requires libwbclient from Samba 4.2.1
75. # or later to be installed. Make sure that ntlm_auth above is
76. # commented out.
77. #
78. # winbind_username = "%{mschap:User-Name}"
79. # winbind_domain = "%{mschap:NT-Domain}"
80.  
81. # When using single sign-on with a winbind connection and the
82. # client uses a different casing for the username than the
83. # casing is according to the backend, reauth may fail because
84. # of some Windows internals. This switch tries to find the
85. # user in the correct casing in the backend, and retry
86. # authentication with that username.
87. #
88. # winbind_retry_with_normalised_username = no
89.  
90. #
91. # Information for the winbind connection pool. The configuration
92. # items below are the same for all modules which use the new
93. # connection pool.
94. #
95. pool {
96. # Connections to create during module instantiation.
97. # If the server cannot create specified number of
98. # connections during instantiation it will exit.
99. # Set to 0 to allow the server to start without the
100. # winbind daemon being available.
101. start = ${thread[pool].start_servers}
102.  
103. # Minimum number of connections to keep open
104. min = ${thread[pool].min_spare_servers}
105.  
106. # Maximum number of connections
107. #
108. # If these connections are all in use and a new one
109. # is requested, the request will NOT get a connection.
110. #
111. # Setting 'max' to LESS than the number of threads means
112. # that some threads may starve, and you will see errors
113. # like 'No connections available and at max connection limit'
114. #
115. # Setting 'max' to MORE than the number of threads means
116. # that there are more connections than necessary.
117. max = ${thread[pool].max_servers}
118.  
119. # Spare connections to be left idle
120. #
121. # NOTE: Idle connections WILL be closed if "idle_timeout"
122. # is set. This should be less than or equal to "max" above.
123. spare = ${thread[pool].max_spare_servers}
124.  
125. # Number of uses before the connection is closed
126. #
127. # 0 means "infinite"
128. uses = 0
129.  
130. # The number of seconds to wait after the server tries
131. # to open a connection, and fails. During this time,
132. # no new connections will be opened.
133. retry_delay = 30
134.  
135. # The lifetime (in seconds) of the connection
136. #
137. # NOTE: A setting of 0 means infinite (no limit).
138. lifetime = 86400
139.  
140. # The pool is checked for free connections every
141. # "cleanup_interval". If there are free connections,
142. # then one of them is closed.
143. cleanup_interval = 300
144.  
145. # The idle timeout (in seconds). A connection which is
146. # unused for this length of time will be closed.
147. #
148. # NOTE: A setting of 0 means infinite (no timeout).
149. idle_timeout = 600
150.  
151. # NOTE: All configuration settings are enforced. If a
152. # connection is closed because of "idle_timeout",
153. # "uses", or "lifetime", then the total number of
154. # connections MAY fall below "min". When that
155. # happens, it will open a new connection. It will
156. # also log a WARNING message.
157. #
158. # The solution is to either lower the "min" connections,
159. # or increase lifetime/idle_timeout.
160. }
161.  
162. passchange {
163. # This support MS-CHAPv2 (not v1) password change
164. # requests. See doc/mschap.rst for more IMPORTANT
165. # information.
166. #
167. # Samba/ntlm_auth - if you are using ntlm_auth to
168. # validate passwords, you will need to use ntlm_auth
169. # to change passwords. Uncomment the three lines
170. # below, and change the path to ntlm_auth.
171. #
172. # ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
173. # ntlm_auth_username = "username: %{mschap:User-Name}"
174. # ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
175.  
176. # To implement a local password change, you need to
177. # supply a string which is then expanded, so that the
178. # password can be placed somewhere. e.g. passed to a
179. # script (exec), or written to SQL (UPDATE/INSERT).
180. # We give both examples here, but only one will be
181. # used.
182. #
183. # local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
184. #
185. # local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
186. }
187.  
188. # For Apple Server, when running on the same machine as
189. # Open Directory. It has no effect on other systems.
190. #
191. # use_open_directory = yes
192.  
193. # On failure, set (or not) the MS-CHAP error code saying
194. # "retries allowed".
195. # allow_retry = yes
196.  
197. # An optional retry message.
198. # retry_msg = "Re-enter (or reset) the password"
199. }