/usr/local/etc/raddb/mods-enabled/ldap
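# rlm_ldap instance "ldap": user lookup, group/profile lookup and attribute
# mapping against the directory at 192.168.1.25 over LDAPS (636).
#
# Security notes for this instance:
#   * The bind identity's password is stored in clear text in this file.
#     Keep the file readable only by the radiusd user (e.g. root:radius 0640)
#     and out of version control.
#   * The update {} section copies password material (userPassword, NT/LM
#     hashes) from the directory into the request, and the accounting {} and
#     post-auth {} sections WRITE to the user entry, so the service account
#     needs read rights on the former and write rights on "description".
#     Grant exactly those and nothing more.
ldap {
	server = "192.168.1.25"
	port = "636"
	# NOTE(review): whether a bare host plus port 636 is treated as LDAPS
	# (implicit TLS) or as plain LDAP on port 636 depends on the rlm_ldap
	# version. Spelling it as server = "ldaps://192.168.1.25" removes the
	# ambiguity; confirm with "radiusd -X" that the connection is TLS.
	identity = "uid=CD12345,OU=Caselle Di Servizio,O=basedn"
	password = 'xxxxxxx'
	base_dn = "o=basedn"

	user {
		base_dn = "${..base_dn}"
		# rlm_ldap (3.x) runs xlat-expanded values through its LDAP filter
		# escape function, so User-Name is not a filter-injection vector
		# here -- verify on the installed version if in doubt.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
		# access_attr is disabled: no per-user "may use RADIUS" attribute is
		# checked, so any entry under o=basedn that matches the uid filter is
		# authorised by this module unless policy elsewhere restricts it.
		# Enable it if the directory holds more accounts than should be able
		# to log in through RADIUS.
		### access_attr = "dialupAccess" ###
	}
	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=posixGroup)'
		### name_attribute = cn ###
		# With both membership_filter and membership_attribute disabled the
		# module has no way to resolve group membership, so Ldap-Group
		# comparisons cannot be relied on with this instance. Presumably
		# group checks are not used here -- confirm before writing policy
		# that depends on them.
		### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###
		### membership_attribute = radiusGroupName ###
		### compare_check_items = yes ###
		### do_xlat = yes ###
		### access_attr_used_for_allow = yes ###
	}
	profile {
		filter = "(objectclass=radiusprofile)"
		### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
		### profile_attribute = "radiusProfileDn" ###
	}

	tls {
		# Implicit TLS on 636; StartTLS upgrade is not used.
		start_tls = no
		ca_file = /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
		ca_path = /usr/local/etc/raddb/certs/
		# Client certificate presented to the directory (mutual TLS).
		certificate_file = /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
		private_key_file = /usr/local/etc/raddb/certs/radius_ldap1_cert.key
		random_file = /dev/urandom
		# Was "allow", which requests the server certificate but carries on
		# if it is missing or fails validation -- anyone able to interpose on
		# the path to 192.168.1.25 could then read the bind password and the
		# password material pulled by update {}. "demand" makes the
		# connection fail unless the certificate validates against ca_file /
		# ca_path. The certificate must also match the name the connection
		# uses: with an IP address as "server" it needs an IP SAN for
		# 192.168.1.25, otherwise use the directory's hostname instead.
		require_cert = "demand"
	}

	# valuepair_attribute = 'radiusAttribute'
	# Attribute map: control:* become check items, reply:* reply items.
	# The LM/NT/userPassword lines pull password hashes (and, for
	# userPassword, possibly clear text) into the request so that PAP /
	# MS-CHAP can be verified locally. If this deployment authenticates by
	# LDAP bind instead (Auth-Type LDAP), those lines can be dropped and the
	# service account's read right on the attributes revoked. LM hashes in
	# particular are trivially crackable; prefer NT/userPassword only.
	update {
		control:Auth-Type := 'radiusAuthType'
		control:Simultaneous-Use := 'radiusSimultaneousUse'
		control:Called-Station-Id := 'radiusCalledStationId'
		control:Calling-Station-Id := 'radiusCallingStationId'
		control:LM-Password := 'lmPassword'
		control:NT-Password := 'ntPassword'
		control:LM-Password := 'sambaLmPassword'
		control:NT-Password := 'sambaNtPassword'
		control:NT-Password := 'ipaNTHash'
		control:LM-Password := 'dBCSPwd'
		control:Password-With-Header += 'userPassword'
		control:SMB-Account-CTRL-TEXT := 'acctFlags'
		control:Expiration := 'radiusExpiration'
		control:NAS-IP-Address := 'radiusNASIpAddress'
		reply:Service-Type := 'radiusServiceType'
		reply:Framed-Protocol := 'radiusFramedProtocol'
		reply:Framed-IP-Address := 'radiusFramedIPAddress'
		reply:Framed-IP-Netmask := 'radiusFramedIPNetmask'
		reply:Framed-Route := 'radiusFramedRoute'
		reply:Framed-Routing := 'radiusFramedRouting'
		reply:Filter-Id := 'radiusFilterId'
		reply:Framed-MTU := 'radiusFramedMTU'
		reply:Framed-Compression := 'radiusFramedCompression'
		reply:Login-IP-Host := 'radiusLoginIPHost'
		reply:Login-Service := 'radiusLoginService'
		reply:Login-TCP-Port := 'radiusLoginTCPPort'
		reply:Callback-Number := 'radiusCallbackNumber'
		reply:Callback-Id := 'radiusCallbackId'
		reply:Framed-IPX-Network := 'radiusFramedIPXNetwork'
		reply:Class := 'radiusClass'
		reply:Session-Timeout := 'radiusSessionTimeout'
		reply:Idle-Timeout := 'radiusIdleTimeout'
		reply:Termination-Action := 'radiusTerminationAction'
		reply:Login-LAT-Service := 'radiusLoginLATService'
		reply:Login-LAT-Node := 'radiusLoginLATNode'
		reply:Login-LAT-Group := 'radiusLoginLATGroup'
		reply:Framed-AppleTalk-Link := 'radiusFramedAppleTalkLink'
		reply:Framed-AppleTalk-Network := 'radiusFramedAppleTalkNetwork'
		reply:Framed-AppleTalk-Zone := 'radiusFramedAppleTalkZone'
		reply:Port-Limit := 'radiusPortLimit'
		reply:Login-LAT-Port := 'radiusLoginLATPort'
		reply:Reply-Message := 'radiusReplyMessage'
		reply:Tunnel-Type := 'radiusTunnelType'
		reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
		reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId'
		# Generic "attribute = value" strings from the directory; anyone able
		# to write these attributes on a user entry controls that user's
		# check/reply items, so keep them out of self-service ACLs.
		control: += 'radiusControlAttribute'
		request: += 'radiusRequestAttribute'
		reply: += 'radiusReplyAttribute'
	}

	edir_account_policy_check = no

	options {
		# TCP keepalive on the directory connection.
		idle = 60
		probes = 3
		interval = 3
		### MS Active Directory Compatibility is disabled ###
		# ldap_debug = 0x0028
		res_timeout = 4
		srv_timelimit = 3
		net_timeout = 1
	}

	pool {
		# start = 0: no connection is opened at startup, so a wrong bind
		# password or a certificate that fails validation is only noticed
		# on the first request, not at "radiusd -C"/startup.
		start = 0
		min = 5
		max = 5
		spare = ${thread[pool].max_spare_servers}
		uses = 0
		retry_delay = 30
		lifetime = 0
		idle_timeout = 60
	}
	# Writes a free-text status to the user's "description" attribute on
	# every accounting packet (requires write access for the bind account).
	accounting {
		reference = "%{tolower:type.%{Acct-Status-Type}}"
		type {
			start {
				update {
					description := "Online at %S"
				}
			}
			interim-update {
				update {
					description := "Last seen at %S"
				}
			}
			stop {
				update {
					description := "Offline at %S"
				}
			}
		}
	}
	# Same write on every successful authentication.
	post-auth {
		update {
			description := "Authenticated at %S"
		}
	}
}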
# NOTE(review): second rlm_ldap instance "ldap2". Its server, identity and
# base_dn are the stock example values shipped with FreeRADIUS and there is
# no tls {} section, so as written it would bind as cn=admin with an EMPTY
# password over cleartext LDAP on 389 and then pull userPassword / NT / LM
# hashes across that connection. Presumably this is a leftover template
# rather than a live backend -- confirm whether any virtual server calls
# "ldap2"; if none does, delete the instance. If it is used: set a real
# password (most directories either reject an empty password or treat the
# bind as anonymous, not as admin), use ldaps:// or start_tls = yes with
# require_cert = "demand", and grant the bind account exactly the read /
# write rights the sections below need.
ldap ldap2 {
server = "ldap.example.com"
# Plain LDAP port and no tls {} block: credentials and password material
# would travel unencrypted.
port = "389"
identity = "cn=admin,o=My Company Ltd,c=US"
# Empty bind password -- see the note above.
password = ''
base_dn = "o=My Company Ltd,c=US"

user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
# access_attr disabled: any entry matching the uid filter is authorised.
### access_attr = "dialupAccess" ###
}
group {
base_dn = "${..base_dn}"
filter = '(objectClass=posixGroup)'
### name_attribute = cn ###
# Both membership settings disabled: Ldap-Group comparisons cannot resolve.
### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###
### membership_attribute = radiusGroupName ###
### compare_check_items = yes ###
### do_xlat = yes ###
### access_attr_used_for_allow = yes ###
}
profile {
filter = "(objectclass=radiusprofile)"
### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
### profile_attribute = "radiusProfileDn" ###
}


# valuepair_attribute = 'radiusAttribute'
# Attribute map: the LM/NT/userPassword lines read password hashes (and
# possibly clear-text userPassword) from the directory; over the plaintext
# connection configured above they would be exposed on the wire.
update {
control:Auth-Type := 'radiusAuthType'
control:Simultaneous-Use := 'radiusSimultaneousUse'
control:Called-Station-Id := 'radiusCalledStationId'
control:Calling-Station-Id := 'radiusCallingStationId'
control:LM-Password := 'lmPassword'
control:NT-Password := 'ntPassword'
control:LM-Password := 'sambaLmPassword'
control:NT-Password := 'sambaNtPassword'
control:NT-Password := 'ipaNTHash'
control:LM-Password := 'dBCSPwd'
control:Password-With-Header += 'userPassword'
control:SMB-Account-CTRL-TEXT := 'acctFlags'
control:Expiration := 'radiusExpiration'
control:NAS-IP-Address := 'radiusNASIpAddress'
reply:Service-Type := 'radiusServiceType'
reply:Framed-Protocol := 'radiusFramedProtocol'
reply:Framed-IP-Address := 'radiusFramedIPAddress'
reply:Framed-IP-Netmask := 'radiusFramedIPNetmask'
reply:Framed-Route := 'radiusFramedRoute'
reply:Framed-Routing := 'radiusFramedRouting'
reply:Filter-Id := 'radiusFilterId'
reply:Framed-MTU := 'radiusFramedMTU'
reply:Framed-Compression := 'radiusFramedCompression'
reply:Login-IP-Host := 'radiusLoginIPHost'
reply:Login-Service := 'radiusLoginService'
reply:Login-TCP-Port := 'radiusLoginTCPPort'
reply:Callback-Number := 'radiusCallbackNumber'
reply:Callback-Id := 'radiusCallbackId'
reply:Framed-IPX-Network := 'radiusFramedIPXNetwork'
reply:Class := 'radiusClass'
reply:Session-Timeout := 'radiusSessionTimeout'
reply:Idle-Timeout := 'radiusIdleTimeout'
reply:Termination-Action := 'radiusTerminationAction'
reply:Login-LAT-Service := 'radiusLoginLATService'
reply:Login-LAT-Node := 'radiusLoginLATNode'
reply:Login-LAT-Group := 'radiusLoginLATGroup'
reply:Framed-AppleTalk-Link := 'radiusFramedAppleTalkLink'
reply:Framed-AppleTalk-Network := 'radiusFramedAppleTalkNetwork'
reply:Framed-AppleTalk-Zone := 'radiusFramedAppleTalkZone'
reply:Port-Limit := 'radiusPortLimit'
reply:Login-LAT-Port := 'radiusLoginLATPort'
reply:Reply-Message := 'radiusReplyMessage'
reply:Tunnel-Type := 'radiusTunnelType'
reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId'
# Generic "attribute = value" strings; whoever can write these on a user
# entry controls that user's check/reply items.
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}

edir_account_policy_check = no

options {
idle = 60
probes = 3
interval = 3
### MS Active Directory Compatibility is disabled ###
# ldap_debug = 0x0028
res_timeout = 4
srv_timelimit = 3
net_timeout = 1
}
pool {
# start = 0: nothing connects at startup, so an unused or misconfigured
# instance goes unnoticed until a request is routed to it.
start = 0
min = 5
max = 5
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
# Writes to the user entry's "description" on every accounting packet and
# every successful authentication (needs write access for the bind account).
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
post-auth {
update {
description := "Authenticated at %S"
}
}
}