3
3
This module depends on OpenLDAP v2.x SDK libraries. For details on obtaining
4
4
source of OpenLDAP look at <http://www.openldap.org>. OpenLDAP SDK in turn
5
5
depends on OpenSSL crypto libraries and (optionaly) on Cyrus-SASL libraries.
7
See also: http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html
9
It's not up to date, though. For example, you do NOT have to edit
10
the "dictionary" file.
9
14
The mapping between radius and ldap attributes is in raddb/ldap.attrmap. You
179
184
# password_attribute: Define the attribute which contains the user
186
# While integrating FreeRADIUS with Novell eDirectory, set
187
# 'password_attribute = nspmpassword' in order to use the universal
188
# password of the eDirectory users for RADIUS authentication. This will
189
# work only if FreeRADIUS is configured to build with --with-edir option.
182
191
# default: NULL - don't add password
184
193
# password_attribute = "userPassword"
195
# edir_account_policy_check: Specifies if the module has to enforce
196
# Novell eDirectory account policy check and intruder detection for
197
# RADIUS users. This will work only if FreeRADIUS is configured to build
198
# with --with-edir option.
200
# default: yes - eDirectory account policy check enabled
202
# edir_account_policy_check = no
186
204
# groupname_attribute: The attribute containing group name in the LDAP
187
205
# server. It is used to search group by name.
294
Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is
295
registered and can be used. It is of the form <instance_name>-Ldap-Group. In other words if
296
in radiusd.conf we configure an ldap module instance like:
312
Also if you are using multiple ldap module instances a per instance
313
Ldap-Group attribute is registered and can be used. It is of the form
314
<instance_name>-Ldap-Group. In other words if in radiusd.conf we
315
configure an ldap module instance like:
298
317
ldap myname { [...] }
300
we can then use the myname-Ldap-Group attribute to match user groups. Make sure though that the
301
ldap module is instantiated *before* the files module so that it will have time to register
302
the corresponding attribute. One solution would be to add the ldap module in the instantiate{}
303
block in radiusd.conf
319
we can then use the myname-Ldap-Group attribute to match user
320
groups. Make sure though that the ldap module is instantiated *before*
321
the files module so that it will have time to register the
322
corresponding attribute. One solution would be to add the ldap module
323
in the instantiate{} block in radiusd.conf
306
326
USERDN Attribute:
307
When rlm_ldap has found the DN corresponding to the username provided in the access-request
308
(all this happens in the authorize section) it will add an Ldap-UserDN attribute in the check
309
items list containing that DN. The attribute will be searched for in the authenticate section
310
and if present will be used for authentication (ldap bind with the user DN/password). Otherwise
311
a search will be performed to find the user dn. If the administrator wishes to use rlm_ldap only
312
for authentication or does not wish to populate the identity,password configuration attributes
313
he can set this attribute by other means and avoid the ldap search completely. For instance it can
314
be set through the users file in the authorize section:
327
When rlm_ldap has found the DN corresponding to the username provided
328
in the access-request (all this happens in the authorize section) it
329
will add an Ldap-UserDN attribute in the request items list containing
330
that DN. The attribute will be searched for in the authenticate
331
section and if present will be used for authentication (ldap bind with
332
the user DN/password). Otherwise a search will be performed to find
333
the user dn. If the administrator wishes to use rlm_ldap only for
334
authentication or does not wish to populate the identity,password
335
configuration attributes he can set this attribute by other means and
336
avoid the ldap search completely. For instance it can be set through
337
the hints file in the authorize section:
316
339
DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`
341
The "users" file won't work, because it can't add items to the request.
319
344
DIRECTORY COMPATIBILITY NOTE: If you use LDAP only for authorization and
320
345
authentication (e.g. you can not afford schema extention), I propose to set
322
347
of radiusd.conf :
324
349
authorize { ldap { notfound = return } files }
351
LDAP and Active Directory
352
-------------------------
354
Active directory does not return anything in the userPassword
355
attribute, unlike other LDAP servers. As a result, you cannot use
356
Active Directory to perform CHAP, MS-CHAP, or EAP-MD5 authentication.
357
You can only use PAP, and then only if you list "ldap" in the
358
"authenticate" section.
360
To do MS-CHAP against an Active Directory domain, see the comments in
361
radiusd.conf, about "ntlm_auth". You will need to install Samba.
364
If you see "Operations error" returned from an LDAp query, you may
365
need to set dsHeuristics to 0000002 in Active Directory. This allows
366
searches to function similar to how they did in Active Directory
367
2k2. You can update dsHeuristics by launching ldp.exe, going to
368
'connection' and create a new connection. Then goto bind and bind to
369
your ldap server. Next select the 'Browse' menu and choose
370
'modify'. The DN *might* look like this:
372
CN=Directory Service,CN=Windows
373
NT,CN=Services,CN=Configuration,DC=mycompany,DC=com
375
Attribute is: dsHeuristics
378
Set the operation to replace and you should be set. This should solve
379
the 'Operations error' error that happens when attempting to search
380
without specifying an OU.