
ldap

# Lightweight Directory Access Protocol (LDAP)
#
# rlm_ldap module instance. Connection, bind and search settings live
# at this level; subsections below cover SASL, attribute mapping, user,
# group, profile, client, accounting, post-auth, options, tls and pool.
#
ldap {
	# Note that this needs to match the name(s) in the LDAP server
	# certificate, if you're using ldaps. See OpenLDAP documentation
	# for the behavioral semantics of specifying more than one host.
	#
	# Depending on the libldap in use, server may be an LDAP URI.
	# In the case of OpenLDAP this allows the following
	# additional schemes:
	# - ldaps:// (LDAP over SSL)
	# - ldapi:// (LDAP over Unix socket)
	# - ldapc:// (Connectionless LDAP)
	#
	# NOTE(review): the URI host is an IP literal, so the directory's
	# certificate must carry 10.44.1.1 as an iPAddress subjectAltName
	# for the name check to succeed; otherwise the connection only
	# works if certificate checking is relaxed (see require_cert in
	# the tls subsection).
	server = 'ldaps://10.44.1.1'
	# Port to connect on, defaults to 389, will be ignored for LDAP URIs.
	# (The ldaps:// URI above already implies the port.)
	port = 636

	# Administrator account for searching and possibly modifying.
	# If using SASL + KRB5 these should be commented out.
	#
	# NOTE(review): this is a cleartext credential in the module
	# config; keep the file readable only by the radiusd user, and
	# grant the account only the directory rights this file needs
	# (read on the user/group subtrees, plus write on 'description'
	# if the accounting and post-auth update sections are kept).
	identity = 'ldapservice@AD.TESTSERVER.LOCAL'
	password = 'ldapservicepassword_here'

	# Unless overridden in another section, the dn from which all
	# searches will start.
	base_dn = 'dc=AD,dc=TESTSERVER,dc=LOCAL'

	#
	# SASL parameters to use for admin binds
	#
	# When we're prompted by the SASL library, these control
	# the responses given, as well as the identity and password
	# directives above.
	#
	# If any directive is commented out, a NULL response will be
	# provided to cyrus-sasl.
	#
	# Unfortunately the only way to control Kerberos here is through
	# environment variables, as cyrus-sasl provides no API to
	# set the krb5 config directly.
	#
	# Full documentation for MIT krb5 can be found here:
	#
	# http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
	#
	# At a minimum you probably want to set KRB5_CLIENT_KTNAME.
	#
	# NOTE(review): everything below is commented out, so admin binds
	# are simple binds using the identity/password above. A keytab-based
	# GSSAPI bind (mech = 'GSSAPI' with KRB5_CLIENT_KTNAME set) would
	# avoid keeping a cleartext password in this file.
	sasl {
		# SASL mechanism
		# mech = 'PLAIN'

		# SASL authorisation identity to proxy.
		# proxy = 'autz_id'

		# SASL realm. Used for kerberos.
		# realm = 'example.org'
	}

	#
	# Generic valuepair attribute
	#

	# If set, this attribute will be retrieved in addition to any
	# mapped attributes.
	#
	# Values should be in the format:
	# <radius attr> <op> <value>
	#
	# Where:
	# <radius attr>: Is the attribute you wish to create
	#   with any valid list and request qualifiers.
	# <op>: Is any assignment operator (=, :=, +=, -=).
	# <value>: Is the value to parse into the new valuepair.
	#   If the value is wrapped in double quotes it
	#   will be xlat expanded.
	# valuepair_attribute = 'radiusAttribute'

	#
	# Mapping of LDAP directory attributes to RADIUS dictionary attributes.
	#

	# WARNING: Although this format is almost identical to the unlang
	# update section format, it does *NOT* mean that you can use other
	# unlang constructs in module configuration files.
	#
	# Configuration items are in the format:
	# <radius attr> <op> <ldap attr>
	#
	# Where:
	# <radius attr>: Is the destination RADIUS attribute
	#   with any valid list and request qualifiers.
	# <op>: Is any assignment operator (=, :=, +=, -=).
	# <ldap attr>: Is the attribute associated with user or
	#   profile objects in the LDAP directory.
	#   If the attribute name is wrapped in double
	#   quotes it will be xlat expanded.
	#
	# Request and list qualifiers may also be placed after the 'update'
	# section name to set default destination requests/lists
	# for unqualified RADIUS attributes.
	#
	# Note: LDAP attribute names should be single quoted unless you want
	# the name value to be derived from an xlat expansion, or an
	# attribute ref.
	update {
		# NOTE(review): the user filter below selects by sAMAccountName,
		# which points at Active Directory. AD does not return
		# userPassword to LDAP clients, so this mapping will typically
		# yield nothing there and authentication has to be an LDAP bind
		# as the user (the Auth-Type := ldap stanza described further
		# down). Confirm against the directory actually in use.
		control:Password-With-Header += 'userPassword'
		# control:NT-Password := 'ntPassword'
		# reply:Reply-Message := 'radiusReplyMessage'
		# reply:Tunnel-Type := 'radiusTunnelType'
		# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
		# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'

		# Where only a list is specified as the RADIUS attribute,
		# the value of the LDAP attribute is parsed as a valuepair
		# in the same format as the 'valuepair_attribute' (above).
		control: += 'radiusControlAttribute'
		request: += 'radiusRequestAttribute'
		reply: += 'radiusReplyAttribute'
	}

	# Set to yes if you have eDirectory and want to use the universal
	# password mechanism.
	# edir = no

	# Set to yes if you want to bind as the user after retrieving the
	# Cleartext-Password. This will consume the login grace, and
	# verify user authorization.
	# edir_autz = no

	# Note: set_auth_type was removed in v3.x.x
	# Equivalent functionality can be achieved by adding the following
	# stanza to the authorize {} section of your virtual server.
	#
	#	ldap
	#	if ((ok || updated) && User-Password) {
	#		update {
	#			control:Auth-Type := ldap
	#		}
	#	}

	#
	# User object identification.
	#
	user {
		# Where to start searching in the tree for users
		base_dn = "${..base_dn}"

		# Filter for user objects, should be specific enough
		# to identify a single user object.
		#
		# For Active Directory, you should use
		# "samaccountname=" instead of "uid="
		#
		# NOTE(review): rlm_ldap applies LDAP filter escaping to the
		# xlat expansions inside 'filter', so filter metacharacters in
		# the supplied User-Name do not alter the query; the filter
		# text itself must still be well-formed.
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

		# SASL parameters to use for user binds
		#
		# When we're prompted by the SASL library, these control
		# the responses given.
		#
		# Any of the config items below may be an attribute ref
		# or an expansion, so different SASL mechs, proxy IDs
		# and realms may be used for different users.
		sasl {
			# SASL mechanism
			# mech = 'PLAIN'

			# SASL authorisation identity to proxy.
			# proxy = &User-Name

			# SASL realm. Used for kerberos.
			# realm = 'example.org'
		}

		# Search scope, may be 'base', 'one', 'sub' or 'children'
		# scope = 'sub'

		# Server side result sorting
		#
		# A list of space delimited attributes to order the result
		# set by, if the filter matches multiple objects.
		# Only the first result in the set will be processed.
		#
		# If the attribute name is prefixed with a hyphen '-' the
		# sorting order will be reversed for that attribute.
		#
		# If sort_by is set, and the server does not support sorting
		# the search will fail.
		# sort_by = '-uid'

		# If this is undefined, anyone is authorised.
		# If it is defined, the contents of this attribute
		# determine whether or not the user is authorised
		#
		# NOTE(review): it is undefined here, so every object matched by
		# the filter above is authorised at this stage, including
		# disabled accounts; if that matters, tighten the filter or set
		# access_attribute.
		# access_attribute = 'dialupAccess'

		# Control whether the presence of 'access_attribute'
		# allows access, or denies access.
		#
		# If 'yes', and the access_attribute is present, or
		# 'no' and the access_attribute is absent then access
		# will be allowed.
		#
		# If 'yes', and the access_attribute is absent, or
		# 'no' and the access_attribute is present, then
		# access will not be allowed.
		#
		# If the value of the access_attribute is 'false', it
		# will negate the result.
		#
		# e.g.
		#   access_positive = yes
		#   access_attribute = userAccessAllowed
		#
		# With an LDAP object containing:
		#   userAccessAllowed: false
		#
		# Will result in the user being locked out.
		# access_positive = yes
	}

	#
	# User membership checking.
	#
	group {
		# Where to start searching in the tree for groups
		base_dn = "${..base_dn}"

		# Filter for group objects, should match all available
		# group objects a user might be a member of.
		#
		# NOTE(review): if the directory is Active Directory (as the
		# sAMAccountName user filter suggests), group objects normally
		# carry objectClass=group rather than posixGroup, so group
		# name <-> DN resolution would find nothing; verify against
		# the schema in use.
		filter = '(objectClass=posixGroup)'

		# Search scope, may be 'base', 'one', 'sub' or 'children'
		# scope = 'sub'

		# Attribute that uniquely identifies a group.
		# Is used when converting group DNs to group
		# names.
		# name_attribute = cn

		# Filter to find group objects a user is a member of.
		# That is, group objects with attributes that
		# identify members (the inverse of membership_attribute).
		# membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

		# The attribute in user objects which contains the names
		# or DNs of groups a user is a member of.
		#
		# Unless a conversion between group name and group DN is
		# needed, there's no requirement for the group objects
		# referenced to actually exist.
		membership_attribute = 'memberOf'

		# If cacheable_name or cacheable_dn are enabled,
		# all group information for the user will be
		# retrieved from the directory and written to LDAP-Group
		# attributes appropriate for the instance of rlm_ldap.
		#
		# For group comparisons these attributes will be checked
		# instead of querying the LDAP directory directly.
		#
		# This feature is intended to be used with rlm_cache.
		#
		# If you wish to use this feature, you should enable
		# the type that matches the format of your check items
		# i.e. if your groups are specified as DNs then enable
		# cacheable_dn else enable cacheable_name.
		# cacheable_name = 'no'
		# cacheable_dn = 'no'

		# Override the normal cache attribute (<inst>-LDAP-Group or
		# LDAP-Group if using the default instance) and create a
		# custom attribute. This can help if multiple module instances
		# are used in fail-over.
		# cache_attribute = 'LDAP-Cached-Membership'
	}

	#
	# User profiles. RADIUS profile objects contain sets of attributes
	# to insert into the request. These attributes are mapped using
	# the same mapping scheme applied to user objects (the update section above).
	#
	profile {
		# Filter for RADIUS profile objects
		# filter = '(objectclass=radiusprofile)'

		# The default profile. This may be a DN or an attribute
		# reference.
		# To get old v2.2.x style behaviour, or to use the
		# &User-Profile attribute to specify the default profile,
		# set this to &control:User-Profile.
		# default = 'cn=radprofile,dc=example,dc=org'

		# The LDAP attribute containing profile DNs to apply
		# in addition to the default profile above. These are
		# retrieved from the user object, at the same time as the
		# attributes from the update section, and are applied
		# if authorization is successful.
		# attribute = 'radiusProfileDn'
	}

	#
	# Bulk load clients from the directory
	#
	client {
		# Where to start searching in the tree for clients
		base_dn = "${..base_dn}"

		#
		# Filter to match client objects
		#
		filter = '(objectClass=radiusClient)'

		# Search scope, may be 'base', 'one', 'sub' or 'children'
		# scope = 'sub'

		#
		# Sets default values (not obtained from LDAP) for new client entries
		#
		template {
			# login = 'test'
			# password = 'test'
			# proto = tcp
			# require_message_authenticator = yes

			# Uncomment to add a home_server with the same
			# attributes as the client.
			# coa_server {
			#	response_window = 2.0
			# }
		}

		#
		# Client attribute mappings are in the format:
		# <client attribute> = <ldap attribute>
		#
		# The following attributes are required:
		# * ipaddr | ipv4addr | ipv6addr - Client IP Address.
		# * secret - RADIUS shared secret.
		#
		# All other attributes usually supported in a client
		# definition are also supported here.
		#
		# Schemas are available in doc/schemas/ldap for openldap and eDirectory
		#
		# NOTE(review): this mapping is only consulted when read_clients
		# (below) is set to yes. If it is enabled, RADIUS shared secrets
		# are read from 'radiusClientSecret', so that attribute should be
		# readable by the bind identity above and by as few other
		# principals as possible.
		attribute {
			ipaddr = 'radiusClientIdentifier'
			secret = 'radiusClientSecret'
			# shortname = 'radiusClientShortname'
			# nas_type = 'radiusClientType'
			# virtual_server = 'radiusClientVirtualServer'
			# require_message_authenticator = 'radiusClientRequireMa'
		}
	}

	# Load clients on startup
	# read_clients = no

	#
	# Modify user object on receiving Accounting-Request
	#

	# Useful for recording things like the last time the user logged
	# in, or the Acct-Session-ID for CoA/DM.
	#
	# LDAP modification items are in the format:
	# <ldap attr> <op> <value>
	#
	# Where:
	# <ldap attr>: The LDAP attribute to add, modify or delete.
	# <op>: One of the assignment operators:
	#   (:=, +=, -=, ++).
	#   Note: '=' is *not* supported.
	# <value>: The value to add, modify or delete.
	#
	# WARNING: If using the ':=' operator with a multi-valued LDAP
	# attribute, all instances of the attribute will be removed and
	# replaced with a single attribute.
	#
	# NOTE(review): these updates write the user's 'description'
	# attribute, so the bind identity at the top of this file cannot
	# be read-only, and any existing description value is replaced.
	# The section to run is picked by Acct-Status-Type; a type with no
	# matching subsection below simply has nothing to apply.
	accounting {
		reference = "%{tolower:type.%{Acct-Status-Type}}"

		type {
			start {
				update {
					description := "Online at %S"
				}
			}

			interim-update {
				update {
					description := "Last seen at %S"
				}
			}

			stop {
				update {
					description := "Offline at %S"
				}
			}
		}
	}

	#
	# Post-Auth can modify LDAP objects too
	#
	# NOTE(review): like the accounting section, this overwrites the
	# user's 'description' attribute on every successful
	# authentication and therefore needs write access for the bind
	# identity configured above.
	post-auth {
		update {
			description := "Authenticated at %S"
		}
	}

	#
	# LDAP connection-specific options.
	#
	# These options set timeouts, keep-alives, etc. for the connections.
	#
	options {
		# Control under which situations aliases are followed.
		# May be one of 'never', 'searching', 'finding' or 'always'
		# default: libldap's default which is usually 'never'.
		#
		# LDAP_OPT_DEREF is set to this value.
		# dereference = 'always'

		#
		# The following two configuration items control whether the
		# server follows referrals returned by the LDAP directory.
		# They are mostly for Active Directory compatibility.
		# If you set these to 'no', then searches will likely return
		# 'operations error', instead of a useful result.
		#
		# NOTE(review): 'rebind' only takes effect while referrals are
		# being chased, so with chase_referrals = no it is inert. With
		# an Active Directory base_dn at the domain root, confirm that
		# the searches used here do not return referrals, or the
		# 'operations error' described above is likely.
		chase_referrals = no
		rebind = yes

		# Seconds to wait for LDAP query to finish. default: 20
		res_timeout = 10

		# Seconds LDAP server has to process the query (server-side
		# time limit). default: 20
		#
		# LDAP_OPT_TIMELIMIT is set to this value.
		srv_timelimit = 3

		# Seconds to wait for response of the server. (network
		# failures) default: 10
		#
		# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
		#
		# NOTE(review): 1 second is well below the documented default
		# and, for an ldaps:// connection, presumably also bounds the
		# TLS handshake; a slow directory will show up as connection
		# failures rather than slow responses. Confirm this is intended.
		net_timeout = 1

		# LDAP_OPT_X_KEEPALIVE_IDLE
		idle = 60

		# LDAP_OPT_X_KEEPALIVE_PROBES
		probes = 3

		# LDAP_OPT_X_KEEPALIVE_INTERVAL
		interval = 3

		# ldap_debug: debug flag for LDAP SDK
		# (see OpenLDAP documentation). Set this to enable
		# huge amounts of LDAP debugging on the screen.
		# You should only use this if you are an LDAP expert.
		#
		# default: 0x0000 (no debugging messages)
		# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
		#
		# NOTE(review): this is left enabled at the example value, so
		# libldap writes every search filter (which embeds the
		# User-Name) and every connection event to the server output.
		# Set it back to 0x0000 once troubleshooting is finished so
		# those details do not end up in routine logs.
		ldap_debug = 0x0028
	}

	#
	# This subsection configures the tls related items
	# that control how FreeRADIUS connects to an LDAP
	# server. It contains all of the 'tls_*' configuration
	# entries used in older versions of FreeRADIUS. Those
	# configuration entries can still be used, but we recommend
	# using these.
	#
	tls {
		# Set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		#
		# The StartTLS operation is supposed to be
		# used with normal ldap connections instead of
		# using ldaps (port 636) connections
		#
		# (Left off here, which is consistent with the ldaps:// URI
		# configured in 'server'.)
		# start_tls = yes

		# NOTE(review): with ca_file and ca_path commented out, the
		# trust anchors used to verify the directory's certificate come
		# from libldap's system ldap.conf rather than from this file.
		# Point ca_file at the CA that issued the directory certificate
		# so verification does not depend on host-wide defaults.
		# ca_file = ${certdir}/cacert.pem

		# ca_path = ${certdir}
		# certificate_file = /path/to/radius.crt
		# private_key_file = /path/to/radius.key
		# random_file = /dev/urandom

		# Certificate Verification requirements. Can be:
		# 'never' (do not even bother trying)
		# 'allow' (try, but don't fail if the certificate
		#   cannot be verified)
		# 'demand' (fail if the certificate does not verify)
		# 'hard' (similar to 'demand' but fails if TLS
		#   cannot negotiate)
		#
		# The default is libldap's default, which varies based
		# on the contents of ldap.conf.
		#
		# NOTE(review): because this is commented out, whether the
		# server certificate is checked at all depends on the host's
		# ldap.conf; a 'never' or 'allow' there silently accepts any
		# certificate on the ldaps:// connection. Uncomment and keep
		# 'demand' so the policy is explicit, and make sure the
		# certificate matches the IP literal used in 'server'.
		# require_cert = 'demand'
	}

	# As of version 3.0, the 'pool' section has replaced the
	# following configuration items:
	#
	# ldap_connections_number

	# The connection pool is new for 3.0, and will be used in many
	# modules, for all kinds of connection-related activity.
	#
	# When the server is not threaded, the connection pool
	# limits are ignored, and only one connection is used.
	#
	# Sizes below are tied to the thread pool settings (${thread[pool].*})
	# so the LDAP pool tracks the number of worker threads.
	pool {
		# Connections to create during module instantiation.
		# If the server cannot create specified number of
		# connections during instantiation it will exit.
		# Set to 0 to allow the server to start without the
		# directory being available.
		start = ${thread[pool].start_servers}

		# Minimum number of connections to keep open
		min = ${thread[pool].min_spare_servers}

		# Maximum number of connections
		#
		# If these connections are all in use and a new one
		# is requested, the request will NOT get a connection.
		#
		# Setting 'max' to LESS than the number of threads means
		# that some threads may starve, and you will see errors
		# like 'No connections available and at max connection limit'
		#
		# Setting 'max' to MORE than the number of threads means
		# that there are more connections than necessary.
		max = ${thread[pool].max_servers}

		# Spare connections to be left idle
		#
		# NOTE: Idle connections WILL be closed if "idle_timeout"
		# is set. This should be less than or equal to "max" above.
		spare = ${thread[pool].max_spare_servers}

		# Number of uses before the connection is closed
		#
		# 0 means "infinite"
		uses = 0

		# The number of seconds to wait after the server tries
		# to open a connection, and fails. During this time,
		# no new connections will be opened.
		retry_delay = 30

		# The lifetime (in seconds) of the connection
		#
		# 0 means "infinite"; with 'uses' also 0, connections are
		# recycled only by 'idle_timeout' below.
		lifetime = 0

		# Idle timeout (in seconds). A connection which is
		# unused for this length of time will be closed.
		idle_timeout = 60

		# NOTE: All configuration settings are enforced. If a
		# connection is closed because of 'idle_timeout',
		# 'uses', or 'lifetime', then the total number of
		# connections MAY fall below 'min'. When that
		# happens, it will open a new connection. It will
		# also log a WARNING message.
		#
		# The solution is to either lower the 'min' connections,
		# or increase lifetime/idle_timeout.
	}
}