| 1 | # -*- text -*- |
| 2 | # |
| 3 | # $Id: af3f155ff51f4ebe7bfaffcb55a23238f128e843 $ |
| 4 | |
| 5 | # |
| 6 | # Lightweight Directory Access Protocol (LDAP) |
| 7 | # |
| 8 | ldap { |
| 9 | # Note that this needs to match the name(s) in the LDAP server |
| 10 | # certificate, if you're using ldaps. See OpenLDAP documentation |
| 11 | # for the behavioral semantics of specifying more than one host. |
| 12 | server = "ldap.rrdns.example.org ldap.rrdns.example.org ldap.example.org" |
| 13 | |
| 14 | # Port to connect on, defaults to 389. Setting this to 636 will enable |
| 15 | # LDAPS if start_tls (see below) cannot be used. |
| 16 | # port = 389 |
| 17 | |
| 18 | # Account used to bind for searching and, where the accounting/post-auth update sections below are used, for modifying objects. The password is stored here in cleartext, so restrict read access to this file. |
| 19 | # identity = "cn=admin,dc=example,dc=org" |
| 20 | # password = mypass |
| 21 | |
| 22 | # Unless overridden in another section, the DN from which all |
| 23 | # searches start. |
| 24 | # base_dn = "dc=example,dc=org" |
| 25 | |
| 26 | # |
| 27 | # Generic valuepair attribute |
| 28 | # |
| 29 | |
| 30 | # If set, this attribute will be retrieved in addition to any |
| 31 | # mapped attributes. |
| 32 | # |
| 33 | # Values should be in the format: |
| 34 | # <radius attr> <op> <value> |
| 35 | # |
| 36 | # Where: |
| 37 | # <radius attr>: Is the attribute you wish to create |
| 38 | # with any valid list and request qualifiers. |
| 39 | # <op>: Is any assignment attribute (=, :=, +=, -=). |
| 40 | # <value>: Is the value to parse into the new valuepair. |
| 41 | # If the attribute name is wrapped in double |
| 42 | # quotes it will be xlat expanded. |
| 43 | # valuepair_attribute = "radiusAttribute" |
| 44 | |
| 45 | # |
| 46 | # Mapping of LDAP directory attributes to RADIUS dictionary attributes. |
| 47 | # |
| 48 | |
| 49 | # WARNING: Although this format is almost identical to the unlang |
| 50 | # update section format, it does *NOT* mean that you can use other |
| 51 | # unlang constructs in module configuration files. |
| 52 | # |
| 53 | # Configuration items are in the format: |
| 54 | # <radius attr> <op> <ldap attr> |
| 55 | # |
| 56 | # Where: |
| 57 | # <radius attr>: Is the destination RADIUS attribute |
| 58 | # with any valid list and request qualifiers. |
| 59 | # <op>: Is any assignment attribute (=, :=, +=, -=). |
| 60 | # <ldap attr>: Is the attribute associated with user or |
| 61 | # profile objects in the LDAP directory. |
| 62 | # If the attribute name is wrapped in double |
| 63 | # quotes it will be xlat expanded. |
| 64 | # |
| 65 | # Request and list qualifiers may also be placed after the 'update' |
| 66 | # section name to set the default destination request/list |
| 67 | # for unqualified RADIUS attributes. |
| 68 | # |
| 69 | # Note: LDAP attribute names should be single quoted unless you want |
| 70 | # the name value to be derived from an xlat expansion, or an |
| 71 | # attribute ref. |
| 72 | update { |
| 73 | control:Password-With-Header += 'userPassword' |
| 74 | # control:NT-Password := 'ntPassword' |
| 75 | # reply:Reply-Message := 'radiusReplyMessage' |
| 76 | # reply:Tunnel-Type := 'radiusTunnelType' |
| 77 | # reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' |
| 78 | # reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId' |
| 79 | |
| 80 | # These are provided for backwards compatibility. |
| 81 | # Where only a list is specified as the RADIUS attribute, |
| 82 | # the value of the LDAP attribute is parsed as a valuepair |
| 83 | # in the same format as the 'valuepair_attribute' (above). |
| 84 | # control: += 'radiusCheckAttributes' |
| 85 | # reply: += 'radiusReplyAttributes' |
| 86 | } |
| 87 | |
| 88 | # Set to yes if you have eDirectory and want to use the universal |
| 89 | # password mechanism. |
| 90 | # edir = no |
| 91 | |
| 92 | # Set to yes if you want to bind as the user after retrieving the |
| 93 | # Cleartext-Password. This will consume the login grace, and |
| 94 | # verify user authorization. |
| 95 | # edir_autz = no |
| 96 | |
| 97 | # Note: set_auth_type was removed in v3.x.x |
| 98 | # Equivalent functionality can be achieved by adding the following |
| 99 | # stanza to the authorize {} section of your virtual server. |
| 100 | # |
| 101 | # ldap |
| 102 | # if ((ok || updated) && User-Password) { |
| 103 | # update { |
| 104 | # control:Auth-Type := ldap |
| 105 | # } |
| 106 | # } |
| 107 | |
| 108 | # |
| 109 | # User object identification. |
| 110 | # |
| 111 | user { |
| 112 | # Where to start searching in the tree for users |
| 113 | base_dn = "${..base_dn}" |
| 114 | |
| 115 | # Filter for user objects, should be specific enough |
| 116 | # to identify a single user object. |
| 117 | filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" |
| 118 | |
| 119 | # Search scope, may be 'base', 'one', 'sub' or 'children' |
| 120 | # scope = 'sub' |
| 121 | |
| 122 | # If this is undefined, anyone is authorised. |
| 123 | # If it is defined, the contents of this attribute |
| 124 | # determine whether or not the user is authorised |
| 125 | # access_attribute = "dialupAccess" |
| 126 | |
| 127 | # Control whether the presence of "access_attribute" |
| 128 | # allows access, or denies access. |
| 129 | # |
| 130 | # If "yes", and the access_attribute is present, or |
| 131 | # "no" and the access_attribute is absent then access |
| 132 | # will be allowed. |
| 133 | # |
| 134 | # If "yes", and the access_attribute is absent, or |
| 135 | # "no" and the access_attribute is present, then |
| 136 | # access will not be allowed. |
| 137 | # |
| 138 | # If the value of the access_attribute is "false", it |
| 139 | # will negate the result. |
| 140 | # |
| 141 | # e.g. |
| 142 | # access_positive = yes |
| 143 | # access_attribute = userAccessAllowed |
| 144 | # |
| 145 | # userAccessAllowed = false |
| 146 | # |
| 147 | # Will result in the user being locked out. |
| 148 | # access_positive = yes |
| 149 | } |
| 150 | |
| 151 | # |
| 152 | # User membership checking. |
| 153 | # |
| 154 | group { |
| 155 | # Where to start searching in the tree for groups |
| 156 | base_dn = "${..base_dn}" |
| 157 | |
| 158 | # Filter for group objects, should match all available |
| 159 | # group objects a user might be a member of. |
| 160 | filter = "(objectClass=posixGroup)" |
| 161 | |
| 162 | # Search scope, may be 'base', 'one', 'sub' or 'children' |
| 163 | # scope = 'sub' |
| 164 | |
| 165 | # Attribute that uniquely identifies a group. |
| 166 | # Is used when converting group DNs to group |
| 167 | # names. |
| 168 | # name_attribute = cn |
| 169 | |
| 170 | # Filter to find group objects a user is a member of. |
| 171 | # That is, group objects with attributes that |
| 172 | # identify members (the inverse of membership_attribute). |
| 173 | # membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" |
| 174 | |
| 175 | # The attribute in user objects which contains the names |
| 176 | # or DNs of groups a user is a member of. |
| 177 | # |
| 178 | # Unless a conversion between group name and group DN is |
| 179 | # needed, there's no requirement for the group objects |
| 180 | # referenced to actually exist. |
| 181 | membership_attribute = "memberOf" |
| 182 | |
| 183 | # If cacheable_name or cacheable_dn is enabled, |
| 184 | # all group information for the user will be |
| 185 | # retrieved from the directory and written to LDAP-Group |
| 186 | # attributes appropriate for the instance of rlm_ldap. |
| 187 | # |
| 188 | # For group comparisons these attributes will be checked |
| 189 | # instead of querying the LDAP directory directly. |
| 190 | # |
| 191 | # This feature is intended to be used with rlm_cache. |
| 192 | # |
| 193 | # If you wish to use this feature, you should enable |
| 194 | # the type that matches the format of your check items |
| 195 | # i.e. if your groups are specified as DNs then enable |
| 196 | # cacheable_dn else enable cacheable_name. |
| 197 | # cacheable_name = "no" |
| 198 | # cacheable_dn = "no" |
| 199 | |
| 200 | # Override the normal cache attribute (<inst>-LDAP-Group) |
| 201 | # and create a custom attribute. This can help if multiple |
| 202 | # module instances are used in fail-over. |
| 203 | # cache_attribute = "LDAP-Cached-Membership" |
| 204 | } |
| 205 | |
| 206 | # |
| 207 | # User profiles. RADIUS profile objects contain sets of attributes |
| 208 | # to insert into the request. These attributes are mapped using |
| 209 | # the same mapping scheme applied to user objects. |
| 210 | # |
| 211 | profile { |
| 212 | # Filter for RADIUS profile objects |
| 213 | # filter = "(objectclass=radiusprofile)" |
| 214 | |
| 215 | # The default profile applied to all users. |
| 216 | # default = "cn=radprofile,dc=example,dc=org" |
| 217 | |
| 218 | # The list of profiles which are applied (after the default) |
| 219 | # to all users. |
| 220 | # The "User-Profile" attribute in the control list |
| 221 | # will override this setting at run-time. |
| 222 | # attribute = "radiusProfileDn" |
| 223 | } |
| 224 | |
| 225 | # |
| 226 | # Bulk load clients from the directory |
| 227 | # |
| 228 | client { |
| 229 | # Where to start searching in the tree for clients |
| 230 | base_dn = "${..base_dn}" |
| 231 | |
| 232 | # |
| 233 | # Filter to match client objects |
| 234 | # |
| 235 | filter = '(objectClass=frClient)' |
| 236 | |
| 237 | # Search scope, may be 'base', 'one', 'sub' or 'children' |
| 238 | # scope = 'sub' |
| 239 | |
| 240 | # |
| 241 | # Client attribute mappings are in the format: |
| 242 | # <client attribute> = <ldap attribute> |
| 243 | # |
| 244 | # Arbitrary attributes (accessible by %{client:<attr>}) are not yet supported. |
| 245 | # |
| 246 | # The following attributes are required: |
| 247 | # * identifier - IPv4 address, or IPv4 address with prefix, or hostname. |
| 248 | # * secret - RADIUS shared secret. |
| 249 | # |
| 250 | # The following attributes are optional: |
| 251 | # * shortname - Friendly name associated with the client |
| 252 | # * nas_type - NAS Type |
| 253 | # * virtual_server - Virtual server to associate the client with |
| 254 | # * require_message_authenticator - Whether we require the Message-Authenticator |
| 255 | # attribute to be present in requests from the client. |
| 256 | # |
| 257 | # Schemas are available in doc/schemas/ldap for openldap and eDirectory |
| 258 | # |
| 259 | attribute { |
| 260 | identifier = 'radiusClientIdentifier' |
| 261 | secret = 'radiusClientSecret' |
| 262 | # shortname = 'radiusClientShortname' |
| 263 | # nas_type = 'radiusClientType' |
| 264 | # virtual_server = 'radiusClientVirtualServer' |
| 265 | # require_message_authenticator = 'radiusClientRequireMa' |
| 266 | } |
| 267 | } |
| 268 | |
| 269 | # Load clients on startup |
| 270 | # read_clients = no |
| 271 | |
| 272 | # |
| 273 | # Modify user object on receiving Accounting-Request |
| 274 | # |
| 275 | |
| 276 | # Useful for recording things like the last time the user logged |
| 277 | # in, or the Acct-Session-ID for CoA/DM. |
| 278 | # |
| 279 | # LDAP modification items are in the format: |
| 280 | # <ldap attr> <op> <value> |
| 281 | # |
| 282 | # Where: |
| 283 | # <ldap attr>: The LDAP attribute to add, modify or delete. |
| 284 | # <op>: One of the assignment operators: |
| 285 | # (:=, +=, -=, ++). |
| 286 | # Note: '=' is *not* supported. |
| 287 | # <value>: The value to add, modify or delete. |
| 288 | # |
| 289 | # WARNING: If using the ':=' operator with a multi-valued LDAP |
| 290 | # attribute, all existing values of the attribute will be removed |
| 291 | # and replaced with the single value given. |
| 292 | accounting { |
| 293 | reference = "%{tolower:type.%{Acct-Status-Type}}" |
| 294 | |
| 295 | type { |
| 296 | start { |
| 297 | update { |
| 298 | description := "Online at %S" |
| 299 | } |
| 300 | } |
| 301 | |
| 302 | interim-update { |
| 303 | update { |
| 304 | description := "Last seen at %S" |
| 305 | } |
| 306 | } |
| 307 | |
| 308 | stop { |
| 309 | update { |
| 310 | description := "Offline at %S" |
| 311 | } |
| 312 | } |
| 313 | } |
| 314 | } |
| 315 | |
| 316 | # |
| 317 | # Post-Auth can modify LDAP objects too |
| 318 | # |
| 319 | post-auth { |
| 320 | update { |
| 321 | description := "Authenticated at %S" |
| 322 | } |
| 323 | } |
| 324 | |
| 325 | # |
| 326 | # LDAP connection-specific options. |
| 327 | # |
| 328 | # These options set timeouts, keep-alives, etc. for the connections. |
| 329 | # |
| 330 | options { |
| 331 | # |
| 332 | # The following two configuration items are for Active Directory |
| 333 | # compatibility. If you set these to "no", then searches |
| 334 | # will likely return "operations error", instead of a |
| 335 | # useful result. |
| 336 | # |
| 337 | chase_referrals = yes |
| 338 | rebind = yes |
| 339 | |
| 340 | # Seconds to wait for LDAP query to finish. default: 20 |
| 341 | timeout = 10 |
| 342 | |
| 343 | # Seconds LDAP server has to process the query (server-side |
| 344 | # time limit). default: 20 |
| 345 | # |
| 346 | # LDAP_OPT_TIMELIMIT is set to this value. |
| 347 | timelimit = 3 |
| 348 | |
| 349 | # Seconds to wait for a response from the server (network |
| 350 | # failures). default: 10 |
| 351 | # |
| 352 | # LDAP_OPT_NETWORK_TIMEOUT is set to this value. |
| 353 | net_timeout = 1 |
| 354 | |
| 355 | # LDAP_OPT_X_KEEPALIVE_IDLE |
| 356 | idle = 60 |
| 357 | |
| 358 | # LDAP_OPT_X_KEEPALIVE_PROBES |
| 359 | probes = 3 |
| 360 | |
| 361 | # LDAP_OPT_X_KEEPALIVE_INTERVAL |
| 362 | interval = 3 |
| 363 | |
| 364 | # ldap_debug: debug flag for LDAP SDK |
| 365 | # (see OpenLDAP documentation). Set this to enable |
| 366 | # huge amounts of LDAP debugging on the screen. |
| 367 | # You should only use this if you are an LDAP expert; note that |
| 368 | # filter debugging can print the expanded search filters, which above include the user name. |
| 369 | # default: 0x0000 (no debugging messages) |
| 370 | # Example: (LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS), i.e. 0x0028 as set below |
| 371 | ldap_debug = 0x0028 |
| 372 | } |
| 373 | |
| 374 | # |
| 375 | # This subsection configures the tls related items |
| 376 | # that control how FreeRADIUS connects to an LDAP |
| 377 | # server. It contains all of the "tls_*" configuration |
| 378 | # entries used in older versions of FreeRADIUS. Those |
| 379 | # configuration entries can still be used, but we recommend |
| 380 | # using these. |
| 381 | # |
| 382 | tls { |
| 383 | # Set this to 'yes' to use TLS encrypted connections |
| 384 | # to the LDAP database by using the StartTLS extended |
| 385 | # operation. |
| 386 | # |
| 387 | # The StartTLS operation is supposed to be |
| 388 | # used with normal ldap connections instead of |
| 389 | # using ldaps (port 636) connections |
| 390 | # start_tls = yes |
| 391 | |
| 392 | # ca_file = ${certdir}/cacert.pem |
| 393 | |
| 394 | # ca_path = ${certdir} |
| 395 | # certificate_file = /path/to/radius.crt |
| 396 | # private_key_file = /path/to/radius.key |
| 397 | # random_file = ${certdir}/random |
| 398 | |
| 399 | # Certificate verification requirements. Can be: |
| 400 | # "never" (don't even bother trying) |
| 401 | # "allow" (try, but accept the connection even if the |
| 402 | # certificate can't be verified) |
| 403 | # "demand" (fail if the certificate doesn't verify.) |
| 404 | # |
| 405 | # The default is "allow", so a server presenting an unverifiable certificate is still accepted; set "demand" (with ca_file/ca_path above) to enforce verification. |
| 406 | # require_cert = "demand" |
| 407 | } |
| 408 | |
| 409 | |
| 410 | # As of version 3.0, the "pool" section has replaced the |
| 411 | # following configuration items: |
| 412 | # |
| 413 | # ldap_connections_number |
| 414 | |
| 415 | # The connection pool is new for 3.0, and will be used in many |
| 416 | # modules, for all kinds of connection-related activity. |
| 417 | # |
| 418 | # When the server is not threaded, the connection pool |
| 419 | # limits are ignored, and only one connection is used. |
| 420 | pool { |
| 421 | # Number of connections to start |
| 422 | start = 5 |
| 423 | |
| 424 | # Minimum number of connections to keep open |
| 425 | min = 4 |
| 426 | |
| 427 | # Maximum number of connections |
| 428 | # |
| 429 | # If these connections are all in use and a new one |
| 430 | # is requested, the request will NOT get a connection. |
| 431 | # |
| 432 | # Setting 'max' to LESS than the number of threads means |
| 433 | # that some threads may starve, and you will see errors |
| 434 | # like "No connections available and at max connection limit" |
| 435 | # |
| 436 | # Setting 'max' to MORE than the number of threads means |
| 437 | # that there are more connections than necessary. |
| 438 | max = ${thread[pool].max_servers} |
| 439 | |
| 440 | # Spare connections to be left idle |
| 441 | # |
| 442 | # NOTE: Idle connections WILL be closed if "idle_timeout" |
| 443 | # is set. |
| 444 | spare = 3 |
| 445 | |
| 446 | # Number of uses before the connection is closed |
| 447 | # |
| 448 | # 0 means "infinite" |
| 449 | uses = 0 |
| 450 | |
| 451 | # The lifetime (in seconds) of the connection |
| 452 | lifetime = 0 |
| 453 | |
| 454 | # Idle timeout (in seconds). A connection which is |
| 455 | # unused for this length of time will be closed. |
| 456 | idle_timeout = 60 |
| 457 | |
| 458 | # NOTE: All configuration settings are enforced. If a |
| 459 | # connection is closed because of "idle_timeout", |
| 460 | # "uses", or "lifetime", then the total number of |
| 461 | # connections MAY fall below "min". When that |
| 462 | # happens, it will open a new connection. It will |
| 463 | # also log a WARNING message. |
| 464 | # |
| 465 | # The solution is to either lower the "min" connections, |
| 466 | # or increase lifetime/idle_timeout. |
| 467 | } |
| 468 | } |