Bug #13404 » ldap.conf

Ettore Caprella, 08/11/2022 04:51 AM

 
/usr/local/etc/raddb/mods-enabled/ldap
#
#  Primary rlm_ldap instance.  It locates the RADIUS user in the directory
#  (user {}), resolves group membership (group {}), pulls profile entries
#  (profile {}) and copies directory attributes into the request via the
#  update {} map.  The accounting {} and post-auth {} sections write a
#  timestamp back into the user's own entry.
#
ldap {
	# Directory host.  NOTE(review): the value carries no URI scheme and
	# tls { start_tls = no } is set below.  In FreeRADIUS 3.x the documented
	# way to get LDAPS is server = "ldaps://host"; as written this may be a
	# cleartext ldap:// attempt on port 636 rather than an encrypted session.
	# Confirm on the wire (or in the debug log) which one actually happens.
	server = "192.168.1.25"
	port = "636"
	# DN radiusd binds as for every search.  It needs read access to each
	# directory attribute named in update {} below (including userPassword)
	# and, because of the accounting/post-auth write-backs, write access to
	# the user's "description" attribute.
	identity = "uid=CD12345,OU=Caselle Di Servizio,O=basedn"
	# Bind password (appears redacted in this attachment).
	password = 'xxxxxxx'
	# Search base; user {} and group {} reuse it through ${..base_dn}.
	base_dn = "o=basedn"

	user {
		base_dn = "${..base_dn}"
		# Match the entry by uid, preferring the realm-stripped name and
		# falling back to the raw User-Name.  rlm_ldap escapes values it
		# expands inside a filter, so the user-supplied name is not a
		# filter-injection point here — presumably; verify for the installed
		# version before relying on it.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
		# access_attr is not set: no per-user "dialupAccess"-style gate is
		# enforced by this module, any entry matching the filter is accepted
		# for lookup.
		### access_attr = "dialupAccess" ###
	}
	group {
		base_dn = "${..base_dn}"
		# Only posixGroup objects count as groups.
		filter = '(objectClass=posixGroup)'
		# Membership lookup options are left at the module defaults; the
		# commented lines record what would normally be tuned here.
		### name_attribute = cn ###
		### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###
		### membership_attribute = radiusGroupName ###
		### compare_check_items = yes ###
		### do_xlat = yes ###
		### access_attr_used_for_allow = yes ###
	}
	profile {
		# Entries of objectclass radiusprofile may supply attributes.
		# No default_profile is configured, so nothing is applied unless
		# a profile is found through the module's default profile attribute.
		filter = "(objectclass=radiusprofile)"
		### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
		### profile_attribute = "radiusProfileDn" ###
	}

	# TLS parameters.  With start_tls = no this block only takes effect if
	# the connection itself is LDAPS (see the note on server/port above).
	tls {
		start_tls = no
		# Trust anchors for the directory's certificate (file form and
		# hashed-directory form of the same certs directory).
		ca_file = /usr/local/etc/raddb/certs/ca_ldap1_cert.pem
		ca_path = /usr/local/etc/raddb/certs/
		# Client certificate and key presented to the directory (mutual TLS).
		# Keep the key readable only by the account radiusd runs as.
		certificate_file = /usr/local/etc/raddb/certs/radius_ldap1_cert.crt
		private_key_file = /usr/local/etc/raddb/certs/radius_ldap1_cert.key
		random_file = /dev/urandom
		# "allow" requests the server certificate but lets the session
		# proceed when it is missing or fails to verify against ca_file /
		# ca_path, so the trust anchors above are not actually enforced and
		# an impersonating directory would be accepted.  "demand" is the
		# value that makes an untrusted or bad server certificate fatal.
		require_cert = "allow"
	}


#	valuepair_attribute = 'radiusAttribute'
	# Directory attribute -> RADIUS attribute map.  A line only fires when
	# the entry actually carries the directory attribute, so the repeated
	# ":=" targets (LM-Password / NT-Password) effectively pick whichever of
	# the listed attributes exists — presumably the later line wins if
	# several do; verify against the rlm_ldap docs for the installed version.
	update {
		control:Auth-Type		:= 'radiusAuthType'
		control:Simultaneous-Use	:= 'radiusSimultaneousUse'
		control:Called-Station-Id	:= 'radiusCalledStationId'
		control:Calling-Station-Id	:= 'radiusCallingStationId'
		control:LM-Password		:= 'lmPassword'
		control:NT-Password		:= 'ntPassword'
		control:LM-Password		:= 'sambaLmPassword'
		control:NT-Password		:= 'sambaNtPassword'
		control:NT-Password		:= 'ipaNTHash'
		control:LM-Password		:= 'dBCSPwd'
		# Copies the stored userPassword value(s) (hash or cleartext) into
		# the request, presumably for pap to verify; this is the line that
		# requires the bind identity to be able to read userPassword.
		control:Password-With-Header	+= 'userPassword'
		control:SMB-Account-CTRL-TEXT	:= 'acctFlags'
		control:Expiration		:= 'radiusExpiration'
		control:NAS-IP-Address		:= 'radiusNASIpAddress'
		reply:Service-Type		:= 'radiusServiceType'
		reply:Framed-Protocol		:= 'radiusFramedProtocol'
		reply:Framed-IP-Address		:= 'radiusFramedIPAddress'
		reply:Framed-IP-Netmask		:= 'radiusFramedIPNetmask'
		reply:Framed-Route		:= 'radiusFramedRoute'
		reply:Framed-Routing		:= 'radiusFramedRouting'
		reply:Filter-Id			:= 'radiusFilterId'
		reply:Framed-MTU		:= 'radiusFramedMTU'
		reply:Framed-Compression	:= 'radiusFramedCompression'
		reply:Login-IP-Host		:= 'radiusLoginIPHost'
		reply:Login-Service		:= 'radiusLoginService'
		reply:Login-TCP-Port		:= 'radiusLoginTCPPort'
		reply:Callback-Number		:= 'radiusCallbackNumber'
		reply:Callback-Id		:= 'radiusCallbackId'
		reply:Framed-IPX-Network	:= 'radiusFramedIPXNetwork'
		reply:Class			:= 'radiusClass'
		reply:Session-Timeout		:= 'radiusSessionTimeout'
		reply:Idle-Timeout		:= 'radiusIdleTimeout'
		reply:Termination-Action	:= 'radiusTerminationAction'
		reply:Login-LAT-Service		:= 'radiusLoginLATService'
		reply:Login-LAT-Node		:= 'radiusLoginLATNode'
		reply:Login-LAT-Group		:= 'radiusLoginLATGroup'
		reply:Framed-AppleTalk-Link	:= 'radiusFramedAppleTalkLink'
		reply:Framed-AppleTalk-Network	:= 'radiusFramedAppleTalkNetwork'
		reply:Framed-AppleTalk-Zone	:= 'radiusFramedAppleTalkZone'
		reply:Port-Limit		:= 'radiusPortLimit'
		reply:Login-LAT-Port		:= 'radiusLoginLATPort'
		reply:Reply-Message		:= 'radiusReplyMessage'
		reply:Tunnel-Type		:= 'radiusTunnelType'
		reply:Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
		reply:Tunnel-Private-Group-Id	:= 'radiusTunnelPrivateGroupId'
		# Free-form lists: each directory value is parsed by rlm_ldap as an
		# "Attribute op value" pair and added to the named list, so whoever
		# can edit these attributes can inject arbitrary check/reply items.
		control:			+= 'radiusControlAttribute'
		request:			+= 'radiusRequestAttribute'
		reply:				+= 'radiusReplyAttribute'
	}

	# Novell eDirectory account-policy checking is off.
	edir_account_policy_check = no

	options {
		# TCP keepalive: first probe after 60 s idle, 3 probes 3 s apart.
		idle = 60
		probes = 3
		interval = 3
### MS Active Directory Compatibility is disabled ###
		# ldap_debug = 0x0028
		# Per-query wait (res_timeout), server-side search limit
		# (srv_timelimit) and connect timeout (net_timeout), in seconds.
		res_timeout = 4
		srv_timelimit = 3
		net_timeout = 1
	}

	pool {
		# start = 0: no connections are opened at startup; the pool then
		# stays between min and max (both 5) and keeps up to spare idle
		# connections, the spare count being borrowed from the thread pool.
		start = 0
		min = 5
		max = 5
		spare = ${thread[pool].max_spare_servers}
		# 0 = a connection may be reused without limit (uses) and has no
		# maximum age (lifetime); idle connections are closed after 60 s.
		uses = 0
		retry_delay = 30
		lifetime = 0
		idle_timeout = 60
	}
	# Write-backs: each Acct-Status-Type (start / interim-update / stop) and
	# every successful authentication overwrite the user's LDAP "description"
	# with a timestamp (%S).  These are directory modifies performed as the
	# bind identity, so they need write permission on that attribute and turn
	# every accounting packet into an LDAP write.
	accounting {
		# Selects the type.<status> subsection below, lower-cased.
		reference = "%{tolower:type.%{Acct-Status-Type}}"
		type {
			start {
				update {
					description := "Online at %S"
				}
			}
			interim-update {
				update {
					description := "Last seen at %S"
				}
			}
			stop {
				update {
					description := "Offline at %S"
				}
			}
		}
	}
	post-auth {
		update {
			description := "Authenticated at %S"
		}
	}
}

    
#
#  Second rlm_ldap instance, "ldap2".  Every site-specific value here is the
#  stock example (ldap.example.com, o=My Company Ltd,c=US, cn=admin with an
#  empty password), so this looks like a leftover from the shipped module
#  file rather than a real directory — presumably; confirm nothing in the
#  virtual servers references ldap2.  Being in mods-enabled it is still
#  loaded and instantiated at startup like any other module file.  Note that
#  it has no tls {} section and uses port 389, so any connection it makes is
#  cleartext, and binding as cn=admin with an empty password is an
#  unauthenticated bind on servers that permit it.  If unused, remove it.
#
ldap ldap2 {
	# Example host; no URI scheme, plain LDAP on 389.
	server = "ldap.example.com"
	port = "389"
	# Bind DN.  NOTE(review): an empty password with a non-empty DN is the
	# "unauthenticated bind" case; whether the directory accepts or rejects
	# it depends on the server, and it never proves the identity.
	identity = "cn=admin,o=My Company Ltd,c=US"
	password = ''
	# Search base; user {} and group {} reuse it through ${..base_dn}.
	base_dn = "o=My Company Ltd,c=US"

	user {
		base_dn = "${..base_dn}"
		# Match by uid, preferring the realm-stripped name.  rlm_ldap
		# escapes values expanded inside a filter — presumably; verify for
		# the installed version.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
		# No access_attr: no per-user access gate is applied by this module.
		### access_attr = "dialupAccess" ###
	}
	group {
		base_dn = "${..base_dn}"
		# Only posixGroup objects count as groups; membership options are
		# left at module defaults.
		filter = '(objectClass=posixGroup)'
		### name_attribute = cn ###
		### membership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###
		### membership_attribute = radiusGroupName ###
		### compare_check_items = yes ###
		### do_xlat = yes ###
		### access_attr_used_for_allow = yes ###
	}
	profile {
		# radiusprofile entries may supply attributes; no default_profile.
		filter = "(objectclass=radiusprofile)"
		### default_profile = "cn=radprofile,ou=dialup,o=My Company Ltd,c=US" ###
		### profile_attribute = "radiusProfileDn" ###
	}


#	valuepair_attribute = 'radiusAttribute'
	# Directory attribute -> RADIUS attribute map, identical to the first
	# instance.  A line only fires when the entry carries the directory
	# attribute, so the repeated ":=" targets pick whichever of the listed
	# attributes exists — presumably the later line wins; verify against the
	# rlm_ldap docs for the installed version.
	update {
		control:Auth-Type		:= 'radiusAuthType'
		control:Simultaneous-Use	:= 'radiusSimultaneousUse'
		control:Called-Station-Id	:= 'radiusCalledStationId'
		control:Calling-Station-Id	:= 'radiusCallingStationId'
		control:LM-Password		:= 'lmPassword'
		control:NT-Password		:= 'ntPassword'
		control:LM-Password		:= 'sambaLmPassword'
		control:NT-Password		:= 'sambaNtPassword'
		control:NT-Password		:= 'ipaNTHash'
		control:LM-Password		:= 'dBCSPwd'
		# Pulls the stored userPassword into the request; the bind identity
		# must be able to read it, which an unauthenticated bind rarely can.
		control:Password-With-Header	+= 'userPassword'
		control:SMB-Account-CTRL-TEXT	:= 'acctFlags'
		control:Expiration		:= 'radiusExpiration'
		control:NAS-IP-Address		:= 'radiusNASIpAddress'
		reply:Service-Type		:= 'radiusServiceType'
		reply:Framed-Protocol		:= 'radiusFramedProtocol'
		reply:Framed-IP-Address		:= 'radiusFramedIPAddress'
		reply:Framed-IP-Netmask		:= 'radiusFramedIPNetmask'
		reply:Framed-Route		:= 'radiusFramedRoute'
		reply:Framed-Routing		:= 'radiusFramedRouting'
		reply:Filter-Id			:= 'radiusFilterId'
		reply:Framed-MTU		:= 'radiusFramedMTU'
		reply:Framed-Compression	:= 'radiusFramedCompression'
		reply:Login-IP-Host		:= 'radiusLoginIPHost'
		reply:Login-Service		:= 'radiusLoginService'
		reply:Login-TCP-Port		:= 'radiusLoginTCPPort'
		reply:Callback-Number		:= 'radiusCallbackNumber'
		reply:Callback-Id		:= 'radiusCallbackId'
		reply:Framed-IPX-Network	:= 'radiusFramedIPXNetwork'
		reply:Class			:= 'radiusClass'
		reply:Session-Timeout		:= 'radiusSessionTimeout'
		reply:Idle-Timeout		:= 'radiusIdleTimeout'
		reply:Termination-Action	:= 'radiusTerminationAction'
		reply:Login-LAT-Service		:= 'radiusLoginLATService'
		reply:Login-LAT-Node		:= 'radiusLoginLATNode'
		reply:Login-LAT-Group		:= 'radiusLoginLATGroup'
		reply:Framed-AppleTalk-Link	:= 'radiusFramedAppleTalkLink'
		reply:Framed-AppleTalk-Network	:= 'radiusFramedAppleTalkNetwork'
		reply:Framed-AppleTalk-Zone	:= 'radiusFramedAppleTalkZone'
		reply:Port-Limit		:= 'radiusPortLimit'
		reply:Login-LAT-Port		:= 'radiusLoginLATPort'
		reply:Reply-Message		:= 'radiusReplyMessage'
		reply:Tunnel-Type		:= 'radiusTunnelType'
		reply:Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
		reply:Tunnel-Private-Group-Id	:= 'radiusTunnelPrivateGroupId'
		# Free-form lists: each directory value is parsed as an
		# "Attribute op value" pair and added to the named list.
		control:			+= 'radiusControlAttribute'
		request:			+= 'radiusRequestAttribute'
		reply:				+= 'radiusReplyAttribute'
	}

	# Novell eDirectory account-policy checking is off.
	edir_account_policy_check = no

	options {
		# TCP keepalive: first probe after 60 s idle, 3 probes 3 s apart.
		idle = 60
		probes = 3
		interval = 3
### MS Active Directory Compatibility is disabled ###
		# ldap_debug = 0x0028
		# Per-query wait, server-side search limit and connect timeout (s).
		res_timeout = 4
		srv_timelimit = 3
		net_timeout = 1
	}
	pool {
		# start = 0: nothing is opened at startup; the pool then stays
		# between min and max (both 5) with the spare count borrowed from
		# the thread pool.  uses = 0 / lifetime = 0 mean no reuse limit and
		# no maximum connection age.
		start = 0
		min = 5
		max = 5
		spare = ${thread[pool].max_spare_servers}
		uses = 0
		retry_delay = 30
		lifetime = 0
		idle_timeout = 60
	}
	# Write-backs: each Acct-Status-Type and every successful auth overwrite
	# the user's LDAP "description" with a timestamp (%S).  These are
	# directory modifies performed as the bind identity, so they need write
	# permission on that attribute.
	accounting {
		# Selects the type.<status> subsection below, lower-cased.
		reference = "%{tolower:type.%{Acct-Status-Type}}"
		type {
			start {
				update {
					description := "Online at %S"
				}
			}
			interim-update {
				update {
					description := "Last seen at %S"
				}
			}
			stop {
				update {
					description := "Offline at %S"
				}
			}
		}
	}
	post-auth {
		update {
			description := "Authenticated at %S"
		}
	}
}