Advertisement
Guest User

ldap

a guest
Aug 9th, 2019
2,029
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Lightweight Directory Access Protocol (LDAP)
  2. #
  3. ldap {
  4. # Note that this needs to match the name(s) in the LDAP server
  5. # certificate, if you're using ldaps. See OpenLDAP documentation
  6. # for the behavioral semantics of specifying more than one host.
  7. #
  8. # Depending on the libldap in use, server may be an LDAP URI.
  9. # In the case of OpenLDAP this allows additional the following
  10. # additional schemes:
  11. # - ldaps:// (LDAP over SSL)
  12. # - ldapi:// (LDAP over Unix socket)
  13. # - ldapc:// (Connectionless LDAP)
  14. server = 'ldaps://10.44.1.1'
  15. # Port to connect on, defaults to 389, will be ignored for LDAP URIs.
  16. port = 636
  17.  
  18. # Administrator account for searching and possibly modifying.
  19. # If using SASL + KRB5 these should be commented out.
  20. identity = 'ldapservice@AD.TESTSERVER.LOCAL'
  21. password = 'ldapservicepassword_here'
  22.  
  23. # Unless overridden in another section, the dn from which all
  24. # searches will start from.
  25. base_dn = 'dc=AD,dc=TESTSERVER,dc=LOCAL'
  26.  
  27. #
  28. # SASL parameters to use for admin binds
  29. #
  30. # When we're prompted by the SASL library, these control
  31. # the responses given, as well as the identity and password
  32. # directives above.
  33. #
  34. # If any directive is commented out, a NULL response will be
  35. # provided to cyrus-sasl.
  36. #
  37. # Unfortunately the only way to control Keberos here is through
  38. # environmental variables, as cyrus-sasl provides no API to
  39. # set the krb5 config directly.
  40. #
  41. # Full documentation for MIT krb5 can be found here:
  42. #
  43. # http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
  44. #
  45. # At a minimum you probably want to set KRB5_CLIENT_KTNAME.
  46. #
  47. sasl {
  48. # SASL mechanism
  49. # mech = 'PLAIN'
  50.  
  51. # SASL authorisation identity to proxy.
  52. # proxy = 'autz_id'
  53.  
  54. # SASL realm. Used for kerberos.
  55. # realm = 'example.org'
  56. }
  57.  
  58. #
  59. # Generic valuepair attribute
  60. #
  61.  
  62. # If set, this will attribute will be retrieved in addition to any
  63. # mapped attributes.
  64. #
  65. # Values should be in the format:
  66. # <radius attr> <op> <value>
  67. #
  68. # Where:
  69. # <radius attr>: Is the attribute you wish to create
  70. # with any valid list and request qualifiers.
  71. # <op>: Is any assignment operator (=, :=, +=, -=).
  72. # <value>: Is the value to parse into the new valuepair.
  73. # If the value is wrapped in double quotes it
  74. # will be xlat expanded.
  75. # valuepair_attribute = 'radiusAttribute'
  76.  
  77. #
  78. # Mapping of LDAP directory attributes to RADIUS dictionary attributes.
  79. #
  80.  
  81. # WARNING: Although this format is almost identical to the unlang
  82. # update section format, it does *NOT* mean that you can use other
  83. # unlang constructs in module configuration files.
  84. #
  85. # Configuration items are in the format:
  86. # <radius attr> <op> <ldap attr>
  87. #
  88. # Where:
  89. # <radius attr>: Is the destination RADIUS attribute
  90. # with any valid list and request qualifiers.
  91. # <op>: Is any assignment attribute (=, :=, +=, -=).
  92. # <ldap attr>: Is the attribute associated with user or
  93. # profile objects in the LDAP directory.
  94. # If the attribute name is wrapped in double
  95. # quotes it will be xlat expanded.
  96. #
  97. # Request and list qualifiers may also be placed after the 'update'
  98. # section name to set defaults destination requests/lists
  99. # for unqualified RADIUS attributes.
  100. #
  101. # Note: LDAP attribute names should be single quoted unless you want
  102. # the name value to be derived from an xlat expansion, or an
  103. # attribute ref.
  104. update {
  105. control:Password-With-Header += 'userPassword'
  106. # control:NT-Password := 'ntPassword'
  107. # reply:Reply-Message := 'radiusReplyMessage'
  108. # reply:Tunnel-Type := 'radiusTunnelType'
  109. # reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
  110. # reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
  111.  
  112. # Where only a list is specified as the RADIUS attribute,
  113. # the value of the LDAP attribute is parsed as a valuepair
  114. # in the same format as the 'valuepair_attribute' (above).
  115. control: += 'radiusControlAttribute'
  116. request: += 'radiusRequestAttribute'
  117. reply: += 'radiusReplyAttribute'
  118. }
  119.  
  120. # Set to yes if you have eDirectory and want to use the universal
  121. # password mechanism.
  122. # edir = no
  123.  
  124. # Set to yes if you want to bind as the user after retrieving the
  125. # Cleartext-Password. This will consume the login grace, and
  126. # verify user authorization.
  127. # edir_autz = no
  128.  
  129. # Note: set_auth_type was removed in v3.x.x
  130. # Equivalent functionality can be achieved by adding the following
  131. # stanza to the authorize {} section of your virtual server.
  132. #
  133. # ldap
  134. # if ((ok || updated) && User-Password) {
  135. # update {
  136. # control:Auth-Type := ldap
  137. # }
  138. # }
  139.  
  140. #
  141. # User object identification.
  142. #
  143. user {
  144. # Where to start searching in the tree for users
  145. base_dn = "${..base_dn}"
  146.  
  147. # Filter for user objects, should be specific enough
  148. # to identify a single user object.
  149. #
  150. # For Active Directory, you should use
  151. # "samaccountname=" instead of "uid="
  152. #
  153. filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
  154.  
  155. # SASL parameters to use for user binds
  156. #
  157. # When we're prompted by the SASL library, these control
  158. # the responses given.
  159. #
  160. # Any of the config items below may be an attribute ref
  161. # or and expansion, so different SASL mechs, proxy IDs
  162. # and realms may be used for different users.
  163. sasl {
  164. # SASL mechanism
  165. # mech = 'PLAIN'
  166.  
  167. # SASL authorisation identity to proxy.
  168. # proxy = &User-Name
  169.  
  170. # SASL realm. Used for kerberos.
  171. # realm = 'example.org'
  172. }
  173.  
  174. # Search scope, may be 'base', 'one', sub' or 'children'
  175. # scope = 'sub'
  176.  
  177. # Server side result sorting
  178. #
  179. # A list of space delimited attributes to order the result
  180. # set by, if the filter matches multiple objects.
  181. # Only the first result in the set will be processed.
  182. #
  183. # If the attribute name is prefixed with a hyphen '-' the
  184. # sorting order will be reversed for that attribute.
  185. #
  186. # If sort_by is set, and the server does not support sorting
  187. # the search will fail.
  188. # sort_by = '-uid'
  189.  
  190. # If this is undefined, anyone is authorised.
  191. # If it is defined, the contents of this attribute
  192. # determine whether or not the user is authorised
  193. # access_attribute = 'dialupAccess'
  194.  
  195. # Control whether the presence of 'access_attribute'
  196. # allows access, or denys access.
  197. #
  198. # If 'yes', and the access_attribute is present, or
  199. # 'no' and the access_attribute is absent then access
  200. # will be allowed.
  201. #
  202. # If 'yes', and the access_attribute is absent, or
  203. # 'no' and the access_attribute is present, then
  204. # access will not be allowed.
  205. #
  206. # If the value of the access_attribute is 'false', it
  207. # will negate the result.
  208. #
  209. # e.g.
  210. # access_positive = yes
  211. # access_attribute = userAccessAllowed
  212. #
  213. # With an LDAP object containing:
  214. # userAccessAllowed: false
  215. #
  216. # Will result in the user being locked out.
  217. # access_positive = yes
  218. }
  219.  
  220. #
  221. # User membership checking.
  222. #
  223. group {
  224. # Where to start searching in the tree for groups
  225. base_dn = "${..base_dn}"
  226.  
  227. # Filter for group objects, should match all available
  228. # group objects a user might be a member of.
  229. filter = '(objectClass=posixGroup)'
  230.  
  231. # Search scope, may be 'base', 'one', sub' or 'children'
  232. # scope = 'sub'
  233.  
  234. # Attribute that uniquely identifies a group.
  235. # Is used when converting group DNs to group
  236. # names.
  237. # name_attribute = cn
  238.  
  239. # Filter to find group objects a user is a member of.
  240. # That is, group objects with attributes that
  241. # identify members (the inverse of membership_attribute).
  242. # membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
  243.  
  244. # The attribute in user objects which contain the names
  245. # or DNs of groups a user is a member of.
  246. #
  247. # Unless a conversion between group name and group DN is
  248. # needed, there's no requirement for the group objects
  249. # referenced to actually exist.
  250. membership_attribute = 'memberOf'
  251.  
  252. # If cacheable_name or cacheable_dn are enabled,
  253. # all group information for the user will be
  254. # retrieved from the directory and written to LDAP-Group
  255. # attributes appropriate for the instance of rlm_ldap.
  256. #
  257. # For group comparisons these attributes will be checked
  258. # instead of querying the LDAP directory directly.
  259. #
  260. # This feature is intended to be used with rlm_cache.
  261. #
  262. # If you wish to use this feature, you should enable
  263. # the type that matches the format of your check items
  264. # i.e. if your groups are specified as DNs then enable
  265. # cacheable_dn else enable cacheable_name.
  266. # cacheable_name = 'no'
  267. # cacheable_dn = 'no'
  268.  
  269. # Override the normal cache attribute (<inst>-LDAP-Group or
  270. # LDAP-Group if using the default instance) and create a
  271. # custom attribute. This can help if multiple module instances
  272. # are used in fail-over.
  273. # cache_attribute = 'LDAP-Cached-Membership'
  274. }
  275.  
  276. #
  277. # User profiles. RADIUS profile objects contain sets of attributes
  278. # to insert into the request. These attributes are mapped using
  279. # the same mapping scheme applied to user objects (the update section above).
  280. #
  281. profile {
  282. # Filter for RADIUS profile objects
  283. # filter = '(objectclass=radiusprofile)'
  284.  
  285. # The default profile. This may be a DN or an attribute
  286. # reference.
  287. # To get old v2.2.x style behaviour, or to use the
  288. # &User-Profile attribute to specify the default profile,
  289. # set this to &control:User-Profile.
  290. # default = 'cn=radprofile,dc=example,dc=org'
  291.  
  292. # The LDAP attribute containing profile DNs to apply
  293. # in addition to the default profile above. These are
  294. # retrieved from the user object, at the same time as the
  295. # attributes from the update section, are are applied
  296. # if authorization is successful.
  297. # attribute = 'radiusProfileDn'
  298. }
  299.  
  300. #
  301. # Bulk load clients from the directory
  302. #
  303. client {
  304. # Where to start searching in the tree for clients
  305. base_dn = "${..base_dn}"
  306.  
  307. #
  308. # Filter to match client objects
  309. #
  310. filter = '(objectClass=radiusClient)'
  311.  
  312. # Search scope, may be 'base', 'one', 'sub' or 'children'
  313. # scope = 'sub'
  314.  
  315. #
  316. # Sets default values (not obtained from LDAP) for new client entries
  317. #
  318. template {
  319. # login = 'test'
  320. # password = 'test'
  321. # proto = tcp
  322. # require_message_authenticator = yes
  323.  
  324. # Uncomment to add a home_server with the same
  325. # attributes as the client.
  326. # coa_server {
  327. # response_window = 2.0
  328. # }
  329. }
  330.  
  331. #
  332. # Client attribute mappings are in the format:
  333. # <client attribute> = <ldap attribute>
  334. #
  335. # The following attributes are required:
  336. # * ipaddr | ipv4addr | ipv6addr - Client IP Address.
  337. # * secret - RADIUS shared secret.
  338. #
  339. # All other attributes usually supported in a client
  340. # definition are also supported here.
  341. #
  342. # Schemas are available in doc/schemas/ldap for openldap and eDirectory
  343. #
  344. attribute {
  345. ipaddr = 'radiusClientIdentifier'
  346. secret = 'radiusClientSecret'
  347. # shortname = 'radiusClientShortname'
  348. # nas_type = 'radiusClientType'
  349. # virtual_server = 'radiusClientVirtualServer'
  350. # require_message_authenticator = 'radiusClientRequireMa'
  351. }
  352. }
  353.  
  354. # Load clients on startup
  355. # read_clients = no
  356.  
  357. #
  358. # Modify user object on receiving Accounting-Request
  359. #
  360.  
  361. # Useful for recording things like the last time the user logged
  362. # in, or the Acct-Session-ID for CoA/DM.
  363. #
  364. # LDAP modification items are in the format:
  365. # <ldap attr> <op> <value>
  366. #
  367. # Where:
  368. # <ldap attr>: The LDAP attribute to add modify or delete.
  369. # <op>: One of the assignment operators:
  370. # (:=, +=, -=, ++).
  371. # Note: '=' is *not* supported.
  372. # <value>: The value to add modify or delete.
  373. #
  374. # WARNING: If using the ':=' operator with a multi-valued LDAP
  375. # attribute, all instances of the attribute will be removed and
  376. # replaced with a single attribute.
  377. accounting {
  378. reference = "%{tolower:type.%{Acct-Status-Type}}"
  379.  
  380. type {
  381. start {
  382. update {
  383. description := "Online at %S"
  384. }
  385. }
  386.  
  387. interim-update {
  388. update {
  389. description := "Last seen at %S"
  390. }
  391. }
  392.  
  393. stop {
  394. update {
  395. description := "Offline at %S"
  396. }
  397. }
  398. }
  399. }
  400.  
  401. #
  402. # Post-Auth can modify LDAP objects too
  403. #
  404. post-auth {
  405. update {
  406. description := "Authenticated at %S"
  407. }
  408. }
  409.  
  410. #
  411. # LDAP connection-specific options.
  412. #
  413. # These options set timeouts, keep-alives, etc. for the connections.
  414. #
  415. options {
  416. # Control under which situations aliases are followed.
  417. # May be one of 'never', 'searching', 'finding' or 'always'
  418. # default: libldap's default which is usually 'never'.
  419. #
  420. # LDAP_OPT_DEREF is set to this value.
  421. # dereference = 'always'
  422.  
  423. #
  424. # The following two configuration items control whether the
  425. # server follows references returned by LDAP directory.
  426. # They are mostly for Active Directory compatibility.
  427. # If you set these to 'no', then searches will likely return
  428. # 'operations error', instead of a useful result.
  429. #
  430. chase_referrals = no
  431. rebind = yes
  432.  
  433. # Seconds to wait for LDAP query to finish. default: 20
  434. res_timeout = 10
  435.  
  436. # Seconds LDAP server has to process the query (server-side
  437. # time limit). default: 20
  438. #
  439. # LDAP_OPT_TIMELIMIT is set to this value.
  440. srv_timelimit = 3
  441.  
  442. # Seconds to wait for response of the server. (network
  443. # failures) default: 10
  444. #
  445. # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
  446. net_timeout = 1
  447.  
  448. # LDAP_OPT_X_KEEPALIVE_IDLE
  449. idle = 60
  450.  
  451. # LDAP_OPT_X_KEEPALIVE_PROBES
  452. probes = 3
  453.  
  454. # LDAP_OPT_X_KEEPALIVE_INTERVAL
  455. interval = 3
  456.  
  457. # ldap_debug: debug flag for LDAP SDK
  458. # (see OpenLDAP documentation). Set this to enable
  459. # huge amounts of LDAP debugging on the screen.
  460. # You should only use this if you are an LDAP expert.
  461. #
  462. # default: 0x0000 (no debugging messages)
  463. # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
  464. ldap_debug = 0x0028
  465. }
  466.  
  467. #
  468. # This subsection configures the tls related items
  469. # that control how FreeRADIUS connects to an LDAP
  470. # server. It contains all of the 'tls_*' configuration
  471. # entries used in older versions of FreeRADIUS. Those
  472. # configuration entries can still be used, but we recommend
  473. # using these.
  474. #
  475. tls {
  476. # Set this to 'yes' to use TLS encrypted connections
  477. # to the LDAP database by using the StartTLS extended
  478. # operation.
  479. #
  480. # The StartTLS operation is supposed to be
  481. # used with normal ldap connections instead of
  482. # using ldaps (port 636) connections
  483. # start_tls = yes
  484.  
  485. # ca_file = ${certdir}/cacert.pem
  486.  
  487. # ca_path = ${certdir}
  488. # certificate_file = /path/to/radius.crt
  489. # private_key_file = /path/to/radius.key
  490. # random_file = /dev/urandom
  491.  
  492. # Certificate Verification requirements. Can be:
  493. # 'never' (do not even bother trying)
  494. # 'allow' (try, but don't fail if the certificate
  495. # cannot be verified)
  496. # 'demand' (fail if the certificate does not verify)
  497. # 'hard' (similar to 'demand' but fails if TLS
  498. # cannot negotiate)
  499. #
  500. # The default is libldap's default, which varies based
  501. # on the contents of ldap.conf.
  502.  
  503. # require_cert = 'demand'
  504. }
  505.  
  506. # As of version 3.0, the 'pool' section has replaced the
  507. # following configuration items:
  508. #
  509. # ldap_connections_number
  510.  
  511. # The connection pool is new for 3.0, and will be used in many
  512. # modules, for all kinds of connection-related activity.
  513. #
  514. # When the server is not threaded, the connection pool
  515. # limits are ignored, and only one connection is used.
  516. pool {
  517. # Connections to create during module instantiation.
  518. # If the server cannot create specified number of
  519. # connections during instantiation it will exit.
  520. # Set to 0 to allow the server to start without the
  521. # directory being available.
  522. start = ${thread[pool].start_servers}
  523.  
  524. # Minimum number of connections to keep open
  525. min = ${thread[pool].min_spare_servers}
  526.  
  527. # Maximum number of connections
  528. #
  529. # If these connections are all in use and a new one
  530. # is requested, the request will NOT get a connection.
  531. #
  532. # Setting 'max' to LESS than the number of threads means
  533. # that some threads may starve, and you will see errors
  534. # like 'No connections available and at max connection limit'
  535. #
  536. # Setting 'max' to MORE than the number of threads means
  537. # that there are more connections than necessary.
  538. max = ${thread[pool].max_servers}
  539.  
  540. # Spare connections to be left idle
  541. #
  542. # NOTE: Idle connections WILL be closed if "idle_timeout"
  543. # is set. This should be less than or equal to "max" above.
  544. spare = ${thread[pool].max_spare_servers}
  545.  
  546. # Number of uses before the connection is closed
  547. #
  548. # 0 means "infinite"
  549. uses = 0
  550.  
  551. # The number of seconds to wait after the server tries
  552. # to open a connection, and fails. During this time,
  553. # no new connections will be opened.
  554. retry_delay = 30
  555.  
  556. # The lifetime (in seconds) of the connection
  557. lifetime = 0
  558.  
  559. # Idle timeout (in seconds). A connection which is
  560. # unused for this length of time will be closed.
  561. idle_timeout = 60
  562.  
  563. # NOTE: All configuration settings are enforced. If a
  564. # connection is closed because of 'idle_timeout',
  565. # 'uses', or 'lifetime', then the total number of
  566. # connections MAY fall below 'min'. When that
  567. # happens, it will open a new connection. It will
  568. # also log a WARNING message.
  569. #
  570. # The solution is to either lower the 'min' connections,
  571. # or increase lifetime/idle_timeout.
  572. }
  573. }
Advertisement
RAW Paste Data Copied
Advertisement