# -*- text -*-
#
#  $Id: af3f155ff51f4ebe7bfaffcb55a23238f128e843 $

#
#  Lightweight Directory Access Protocol (LDAP)
#
ldap {
	#  Hosts to connect to, space separated and tried in order.  When
	#  ldaps is in use, the name(s) given here must match the LDAP
	#  server certificate.  See the OpenLDAP documentation for the
	#  semantics of listing more than one host.
	#
	#  NOTE(review): ldap.rrdns.example.org is listed twice; the
	#  duplicate only causes that host to be tried a second time.
	#  Confirm this is intended before deploying.
	server = "ldap.rrdns.example.org ldap.rrdns.example.org ldap.example.org"

	#  TCP port, default 389.  Setting 636 enables LDAPS for cases
	#  where start_tls (see the tls subsection) cannot be used.
#	port = 389

	#  Account used for searching and, where configured, modifying
	#  the directory.  When these are unset the bind is presumably
	#  anonymous - confirm against the directory's ACLs.
	#
	#  The password is stored in clear text here, so restrict read
	#  access to this file and do not commit a real value.
#	identity = "cn=admin,dc=example,dc=org"
#	password = mypass

	#  Starting point for all searches, unless a subsection below
	#  overrides it.
#	base_dn = "dc=example,dc=org"

	#
	#  Generic valuepair attribute
	#
	#  When set, this attribute is retrieved in addition to any mapped
	#  attributes.  Each value is in the format:
	#
	#    <radius attr> <op> <value>
	#
	#  where:
	#    <radius attr>  the attribute to create, with any valid list
	#                   and request qualifiers.
	#    <op>           an assignment operator (=, :=, +=, -=).
	#    <value>        the value parsed into the new valuepair.  A
	#                   value wrapped in double quotes is xlat expanded.
#	valuepair_attribute = "radiusAttribute"

	#
	#  Mapping of LDAP directory attributes to RADIUS dictionary
	#  attributes.
	#
	#  WARNING: although this looks almost identical to an unlang
	#  'update' section, other unlang constructs are *NOT* available
	#  in module configuration files.
	#
	#  Items are in the format:
	#
	#    <radius attr> <op> <ldap attr>
	#
	#  where:
	#    <radius attr>  the destination RADIUS attribute, with any
	#                   valid list and request qualifiers.
	#    <op>           an assignment operator (=, :=, +=, -=).
	#    <ldap attr>    the attribute on user or profile objects in
	#                   the LDAP directory.  A name wrapped in double
	#                   quotes is xlat expanded.
	#
	#  Request and list qualifiers may also follow the 'update'
	#  keyword to set the default destination request/list for
	#  unqualified RADIUS attributes.
	#
	#  Single-quote LDAP attribute names unless the name should come
	#  from an xlat expansion or an attribute reference.
	#
	#  Only the password mapping is active.  Every attribute mapped
	#  here is read from the directory, so keep the list to what the
	#  server actually needs.
	update {
		control:Password-With-Header	+= 'userPassword'
#		control:NT-Password		:= 'ntPassword'
#		reply:Reply-Message		:= 'radiusReplyMessage'
#		reply:Tunnel-Type		:= 'radiusTunnelType'
#		reply:Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
#		reply:Tunnel-Private-Group-ID	:= 'radiusTunnelPrivategroupId'

		#  Backwards-compatible forms.  When only a list is given as
		#  the RADIUS attribute, the LDAP attribute's value is parsed
		#  as a valuepair in the same format as 'valuepair_attribute'.
#		control:			+= 'radiusCheckAttributes'
#		reply:				+= 'radiusReplyAttributes'
	}

	#  Set to yes when using eDirectory with the universal password
	#  mechanism.
#	edir = no

	#  Set to yes to bind as the user after retrieving the
	#  Cleartext-Password.  This consumes the login grace and verifies
	#  user authorization.
#	edir_autz = no

	#  set_auth_type was removed in v3.x.x.  The equivalent is this
	#  stanza in the authorize {} section of the virtual server:
	#
	#    ldap
	#    if ((ok || updated) && User-Password) {
	#        update {
	#            control:Auth-Type := ldap
	#        }
	#    }

	#
	#  User object identification.
	#
	user {
		#  Where the search for user objects starts.
		base_dn = "${..base_dn}"

		#  Filter for user objects; it should be specific enough to
		#  match exactly one object.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

		#  Search scope: 'base', 'one', 'sub' or 'children'.
#		scope = 'sub'

		#  When unset, every user is authorised.  When set, the
		#  contents of this attribute decide whether the user is
		#  authorised.
#		access_attribute = "dialupAccess"

		#  Whether the presence of access_attribute allows or denies
		#  access.
		#
		#  Access is allowed when "yes" and the attribute is present,
		#  or "no" and it is absent; it is refused when "yes" and the
		#  attribute is absent, or "no" and it is present.  A value
		#  of "false" in the attribute negates the result, so
		#
		#    access_positive = yes
		#    access_attribute = userAccessAllowed
		#    userAccessAllowed = false
		#
		#  locks the user out.
#		access_positive = yes
	}

	#
	#  User membership checking.
	#
	group {
		#  Where the search for group objects starts.
		base_dn = "${..base_dn}"

		#  Filter for group objects; it should match every group a
		#  user might be a member of.
		filter = "(objectClass=posixGroup)"

		#  Search scope: 'base', 'one', 'sub' or 'children'.
#		scope = 'sub'

		#  Attribute that uniquely identifies a group; used when
		#  converting group DNs to group names.
#		name_attribute = cn

		#  Filter locating the group objects a user belongs to, i.e.
		#  groups whose attributes identify their members (the
		#  inverse of membership_attribute).
#		membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

		#  Attribute on user objects holding the names or DNs of the
		#  groups the user belongs to.  Unless a name/DN conversion
		#  is needed, the referenced group objects need not exist.
		membership_attribute = "memberOf"

		#  With cacheable_name or cacheable_dn enabled, all group
		#  information for the user is fetched from the directory and
		#  written to the LDAP-Group attributes for this instance of
		#  rlm_ldap; group comparisons then check those attributes
		#  instead of querying the directory.  Intended for use with
		#  rlm_cache.
		#
		#  Enable the type matching the format of your check items:
		#  cacheable_dn for DNs, cacheable_name otherwise.
#		cacheable_name = "no"
#		cacheable_dn = "no"

		#  Replace the normal cache attribute (<inst>-LDAP-Group)
		#  with a custom one.  Helps when several module instances
		#  are used in fail-over.
#		cache_attribute = "LDAP-Cached-Membership"
	}

	#
	#  User profiles.  RADIUS profile objects hold sets of attributes
	#  to insert into the request; they are mapped with the same
	#  scheme as user objects.
	#
	profile {
		#  Filter for RADIUS profile objects.
#		filter = "(objectclass=radiusprofile)"

		#  Default profile applied to every user.
#		default = "cn=radprofile,dc=example,dc=org"

		#  Attribute listing the profiles applied (after the default)
		#  to every user.  A "User-Profile" attribute in the control
		#  list overrides this at run time.
#		attribute = "radiusProfileDn"
	}

	#
	#  Bulk load clients from the directory.
	#
	client {
		#  Where the search for client objects starts.
		base_dn = "${..base_dn}"

		#  Filter matching client objects.
		filter = '(objectClass=frClient)'

		#  Search scope: 'base', 'one', 'sub' or 'children'.
#		scope = 'sub'

		#  Client attribute mappings are in the format:
		#
		#    <client attribute> = <ldap attribute>
		#
		#  Arbitrary attributes (accessible via %{client:<attr>}) are
		#  not yet supported.
		#
		#  Required:
		#    * identifier - IPv4 address, IPv4 address with prefix,
		#                   or hostname.
		#    * secret     - RADIUS shared secret.
		#
		#  Optional:
		#    * shortname       - friendly name for the client
		#    * nas_type        - NAS type
		#    * virtual_server  - virtual server for the client
		#    * require_message_authenticator - whether requests from
		#      the client must carry Message-Authenticator.
		#
		#  Schemas for OpenLDAP and eDirectory are in doc/schemas/ldap.
		#
		#  The shared secret is read from the directory, so the ACLs
		#  on radiusClientSecret matter as much as those on this file.
		attribute {
			identifier = 'radiusClientIdentifier'
			secret = 'radiusClientSecret'
#			shortname = 'radiusClientShortname'
#			nas_type = 'radiusClientType'
#			virtual_server = 'radiusClientVirtualServer'
#			require_message_authenticator = 'radiusClientRequireMa'
		}
	}

	#  Load clients at startup.
#	read_clients = no

	#
	#  Modify the user object when an Accounting-Request arrives.
	#
	#  Useful for recording the last login time or the Acct-Session-ID
	#  for CoA/DM.
	#
	#  LDAP modification items are in the format:
	#
	#    <ldap attr> <op> <value>
	#
	#  where:
	#    <ldap attr>  the LDAP attribute to add, modify or delete.
	#    <op>         one of the assignment operators (:=, +=, -=, ++).
	#                 Note: '=' is *not* supported.
	#    <value>      the value to add, modify or delete.
	#
	#  WARNING: ':=' on a multi-valued LDAP attribute removes every
	#  instance of the attribute and replaces them with a single one.
	accounting {
		reference = "%{tolower:type.%{Acct-Status-Type}}"

		type {
			start {
				update {
					description := "Online at %S"
				}
			}

			interim-update {
				update {
					description := "Last seen at %S"
				}
			}

			stop {
				update {
					description := "Offline at %S"
				}
			}
		}
	}

	#
	#  Post-Auth can modify LDAP objects as well.
	#
	post-auth {
		update {
			description := "Authenticated at %S"
		}
	}

	#
	#  Connection-specific options: timeouts, keep-alives, etc.
	#
	options {
		#  Both items below are needed for Active Directory
		#  compatibility; with "no", searches are likely to return
		#  "operations error" instead of a result.
		chase_referrals = yes
		rebind = yes

		#  Seconds to wait for an LDAP query to finish (default 20).
		timeout = 10

		#  Server-side time limit in seconds (default 20).  Sets
		#  LDAP_OPT_TIMELIMIT.
		timelimit = 3

		#  Seconds to wait for the server to respond, i.e. network
		#  failures (default 10).  Sets LDAP_OPT_NETWORK_TIMEOUT.
		net_timeout = 1

		#  LDAP_OPT_X_KEEPALIVE_IDLE
		idle = 60

		#  LDAP_OPT_X_KEEPALIVE_PROBES
		probes = 3

		#  LDAP_OPT_X_KEEPALIVE_INTERVAL
		interval = 3

		#  Debug flags for the LDAP SDK (see the OpenLDAP
		#  documentation).  Produces large amounts of LDAP debugging
		#  on the screen; intended for LDAP experts only.
		#
		#  Default 0x0000 (no debugging).  The value below is
		#  LDAP_DEBUG_FILTER + LDAP_DEBUG_CONNS.
		#
		#  NOTE(review): this is active, not commented out.  The
		#  filter flag appears to print expanded search filters,
		#  which contain user names; confirm it is wanted outside
		#  of troubleshooting.
		ldap_debug = 0x0028
	}

	#
	#  TLS settings for the connection from FreeRADIUS to the LDAP
	#  server.  These replace the "tls_*" items of older FreeRADIUS
	#  versions; those still work, but this subsection is preferred.
	#
	#  Everything here is commented out, so the connection is plain
	#  LDAP and, per the require_cert note below, certificate failures
	#  would not be fatal even with TLS on.  Enable start_tls (or port
	#  636) together with ca_file and require_cert = "demand" before
	#  sending the bind credentials or the password attributes mapped
	#  above across an untrusted network.
	#
	tls {
		#  Set to 'yes' to encrypt the connection with the StartTLS
		#  extended operation.  StartTLS is meant for normal ldap
		#  connections rather than ldaps (port 636).
#		start_tls = yes

#		ca_file = ${certdir}/cacert.pem

#		ca_path = ${certdir}
#		certificate_file = /path/to/radius.crt
#		private_key_file = /path/to/radius.key
#		random_file = ${certdir}/random

		#  Certificate verification requirement:
		#    "never"   don't even try
		#    "allow"   try, but don't fail if verification fails
		#    "demand"  fail unless the certificate verifies
		#
		#  The default is "allow".
#		require_cert = "demand"
	}

	#  Since 3.0 the "pool" section replaces the following items:
	#
	#    ldap_connections_number
	#
	#  The connection pool is new in 3.0 and is used by many modules
	#  for all connection-related work.  When the server is not
	#  threaded, the pool limits are ignored and one connection is
	#  used.
	pool {
		#  Connections opened at startup.
		start = 5

		#  Minimum number of connections kept open.
		min = 4

		#  Maximum number of connections.  If all are busy when a new
		#  one is requested, the request does NOT get a connection.
		#
		#  Fewer than the number of threads means some threads may
		#  starve, with errors like "No connections available and at
		#  max connection limit"; more than the number of threads
		#  means unnecessary connections.
		max = ${thread[pool].max_servers}

		#  Spare connections left idle.  Idle connections WILL be
		#  closed when "idle_timeout" is set.
		spare = 3

		#  Uses before a connection is closed; 0 means "infinite".
		uses = 0

		#  Lifetime of a connection in seconds.
		lifetime = 0

		#  Idle timeout in seconds; a connection unused for this long
		#  is closed.
		idle_timeout = 60

		#  All settings are enforced: when a connection is closed by
		#  "idle_timeout", "uses" or "lifetime", the total MAY fall
		#  below "min".  The pool then opens a new connection and
		#  logs a WARNING.  Either lower "min" or raise
		#  lifetime/idle_timeout to avoid that.
	}
}