rlm_ldap

Synopsis

The ldap module implements support for querying LDAP servers via the Lightweight Directory Access Protocol (LDAP).

Processing Sections

authorize

When listed in the authorize section, the ldap module looks up the user, caches group memberships, and applies a set of user profiles.

Return codes

noop The module did nothing.

fail The module failed to expand a query, or could not connect to the LDAP server.

userlock The user's account is locked.

reject The user's account was found, but access was refused.

notfound The user's account was not found.

ok The user's account was found, and the mapped attributes and profiles have been applied to the request.

authenticate

When listed in the authenticate section, the ldap module performs User-Password authentication by binding to the LDAP server as the user, using the user's DN (located during authorize, or by a fresh search). A bind needs the cleartext password, so this only works for methods that deliver one (PAP, and EAP methods that tunnel PAP); CHAP and MS-CHAP must instead be handled by mapping a password attribute into the control list in the update section, so that the server can verify the response itself.

Return codes

noop The module did nothing.

fail The module failed to expand a query, or could not connect to the LDAP server.

userlock The user's account is locked.

notfound The user's account was not found.

reject The user failed authentication.

ok The user authenticated successfully.

accounting

When listed in the accounting section, the ldap module modifies the user's object in LDAP, using the modification items from the accounting section described below.

Return codes

noop The module did nothing.

fail The module was unable to connect to the LDAP server.

invalid The modification used an invalid LDAP query.

ok The modification succeeded.

post-auth

When listed in the post-auth section, the ldap module modifies the user's object in LDAP, using the modification items from the post-auth section described below.

Return codes

See accounting, above.

Expansions

This module registers only one expansion.

ldap
Syntax

%{ldap: …}

Contents

The argument of the expansion should be an LDAP URL (RFC 4516) of the form ldap:///<base dn>?<attribute>?<scope>?<filter>. The output of the expansion is the value of the requested attribute from the entry returned by that search; if the search returns more than one entry, the first one is used. Nested expansions inside the argument (for example %{User-Name}) have LDAP filter metacharacters escaped before the URL is parsed, so a user-supplied value cannot change the shape of the filter.

Directives

basedn
Syntax

basedn = string

Default

dc=example,dc=org

Description

Unless overridden in the user, group or client sub-sections, the DN from which all searches start.

identity
Syntax

identity = string

Default

cn=admin,dc=example,dc=org

Description

Read-only administrator account used for the initial bind and for searching. It needs read access to the user, group and profile objects and attributes the module uses (including any password attribute mapped in update) and should be granted nothing more.

password
Syntax

password = string

Default

mypass

Description

Password for the identity account. It is stored in clear in this configuration file, so restrict the file's permissions to the user the server runs as. If identity and password are both left empty, the module binds anonymously.

port
Syntax

port = integer

Default

389

Description

Port on which to connect. Setting this value to 636 selects LDAPS (TLS from the first byte) where StartTLS cannot be used. Do not combine port 636 with start_tls = yes: StartTLS is only defined on a plain LDAP connection.

server
Syntax

server = hostname

Default

ldap.example.org

Description

Hostname of the LDAP server. If LDAPS or StartTLS is used, the name must match a name in the server's certificate, or certificate verification fails. Depending on the libldap in use, this may also be an LDAP URI (ldap://, ldaps://, or ldapi:// for a Unix socket).

edir
Syntax

edir = boolean

Default

no

Description

Set to yes if you have eDirectory and want to use the universal password mechanism.

edir_autz
Syntax

edir_autz = boolean

Default

no

Description

Set to yes to bind as the user after retrieving the Cleartext-Password from eDirectory. This consumes one of the user's grace logins and lets eDirectory apply its own login checks, so the user's authorization is verified by the directory as well as by this module.

valuepair_attr
Syntax

valuepair_attr = string

Default

radiusValuePair

Description

Generic valuepair attribute. If set, this attribute will be retrieved in addition to any mapped attributes. Values should be in the following format: <radius attr> <op> <value>

Where:

<radius attr>

Is the attribute you wish to create with any valid list and request qualifiers.

<op>

Is any assignment operator (=, :=, +=, -=).

<value>

Is the value to parse into the new valuepair. If the value is wrapped in double quotes it will be xlat expanded at run time; single-quoted and bare values are used literally.

read_clients
Syntax

read_clients = boolean

Default

no

Description

Set to yes if you wish to bulk load clients definitions from the LDAP directory when the server starts.

update

Synopsis

Warning
Although this format is almost identical to the unlang update section format, it does NOT mean that you can use other unlang constructs in module configuration files.

Configuration items are in the format: <radius attr> <op> <ldap attr>

Where:

radius attr

Is the destination RADIUS attribute with any valid list and request qualifiers.

op

Is any assignment operator (=, :=, +=, -=).

ldap attr

Is the attribute associated with user or profile objects in the LDAP directory. If the attribute name is wrapped in double quotes it will be xlat expanded.

Request and list qualifiers may also be placed after the update section name to set defaults destination requests/lists for unqualified RADIUS attributes.

Note
LDAP attribute names should be single quoted unless you want the name value to be derived from an xlat expansion, or an attribute ref.
Example update block
update {
	control:NT-Password		:= 'ntPassword'
	reply:Reply-Message		:= 'radiusReplyMessage'
	reply:Tunnel-Type		:= 'radiusTunnelType'
	reply:Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
	reply:Tunnel-Private-Group-ID	:= 'radiusTunnelPrivategroupId'
}
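A parser for the item grammar, as an added example that is not the server's own parser: it handles the "<radius attr> <op> <value>" form shared by the valuepair_attr values and the update lines above, including the request qualifiers (outer., parent.), the list qualifiers, and the quoting rule that only double-quoted right-hand sides are xlat expanded, and then applies the items with unlang's assignment semantics. The sample lines are constructed; the set of recognised list names is the common unlang set and is an assumption of this example.

```python
# Added example (not rlm_ldap or FreeRADIUS code): parse and apply the
# "<radius attr> <op> <value>" items used by valuepair_attr and by update.
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed set of list qualifiers; extend to match your unlang dialect.
LISTS = {"request", "reply", "control", "session-state", "proxy-request", "proxy-reply"}

_ITEM = re.compile(r"""
    ^\s*
    (?:(?P<req>outer|parent)\.)?         # optional request qualifier
    (?:(?P<list>[a-z-]+):)?              # optional list qualifier
    (?P<attr>[A-Za-z0-9][A-Za-z0-9-]*)   # attribute name
    \s*(?P<op>:=|\+=|-=|=)\s*            # assignment operators only ('==' is rejected)
    (?P<rhs>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^\s'"]+)
    \s*$
""", re.VERBOSE)


@dataclass(frozen=True)
class Item:
    request: str | None   # "outer"/"parent", or None for the current request
    dest: str             # destination list
    attr: str
    op: str
    value: str            # right-hand side with quotes removed
    xlat: bool            # True if double quoted: expanded at run time


def parse_item(text: str, default_list: str = "request") -> Item:
    """Parse one item; default_list is the list used for unqualified attributes."""
    m = _ITEM.match(text)
    if not m:
        raise ValueError(f"cannot parse item {text!r}")
    dest = m.group("list") or default_list
    if dest not in LISTS:
        raise ValueError(f"unknown list {dest!r} in {text!r}")
    rhs = m.group("rhs")
    xlat = rhs.startswith('"')
    if rhs[0] in "'\"":
        rhs = re.sub(r"\\(.)", r"\1", rhs[1:-1])   # drop quotes, unescape \x
    return Item(m.group("req"), dest, m.group("attr"), m.group("op"), rhs, xlat)


def parse_block(text: str, default_list: str = "request") -> list[Item]:
    """Parse the body of an update block: one item per line, '#' comment lines."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            items.append(parse_item(line, default_list))
    return items


def apply_item(lists: dict[str, list[tuple[str, str]]], item: Item) -> None:
    """Apply one item to {list_name: [(attr, value), ...]} with unlang semantics:
    '=' adds only if the attribute is absent, ':=' replaces every instance,
    '+=' appends, '-=' removes instances with that exact value."""
    pairs = lists.setdefault(item.dest, [])
    present = [p for p in pairs if p[0] == item.attr]
    if item.op == "=":
        if not present:
            pairs.append((item.attr, item.value))
    elif item.op == ":=":
        pairs[:] = [p for p in pairs if p[0] != item.attr] + [(item.attr, item.value)]
    elif item.op == "+=":
        pairs.append((item.attr, item.value))
    elif item.op == "-=":
        pairs[:] = [p for p in pairs if p != (item.attr, item.value)]


# Constructed samples: the page's update block, and values of the kind stored
# in a radiusValuePair attribute.
UPDATE_BLOCK = """
    control:NT-Password            := 'ntPassword'
    reply:Reply-Message            := 'radiusReplyMessage'
    reply:Tunnel-Type              := 'radiusTunnelType'
"""
VALUEPAIRS = [
    "reply:Framed-IP-Address := 192.0.2.10",
    'reply:Reply-Message += "Welcome %{User-Name}"',
    "control:Simultaneous-Use = 1",
]

if __name__ == "__main__":
    for item in parse_block(UPDATE_BLOCK) + [parse_item(v) for v in VALUEPAIRS]:
        print(item)
```

Because a double-quoted value is expanded with the request's own attributes, a directory user who can write their own radiusValuePair attribute can inject expansions; keep write access to that attribute restricted to administrators.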

User

Synopsis

User object identification.

Directives

access_attribute
Syntax

access_attribute = string

Default

dialupAccess

Description

If this is undefined, anyone is authorized. If it is defined, the contents of this attribute determine whether or not the user is authorized.

filter
Syntax

filter = string

Default

(uid=%{%{Stripped-User-Name}:-%{User-Name}})

Description

Filter for user objects; it should be specific enough to identify a single user object. The expanded user name has LDAP filter metacharacters escaped before the search is sent, so a User-Name such as "*" does not become a wildcard.
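Filter escaping in practice, as an added example that is not part of rlm_ldap or the FreeRADIUS documentation: this Python reproduces the RFC 4515 escaping that is applied when values are expanded into the user filter above, shows against a constructed directory what an unescaped User-Name of "*" would do, and assembles the RFC 4516 URL that the %{ldap:...} expansion described earlier consumes. The directory entries, the user names and the tiny single-assertion filter evaluator are constructed for the example.

```python
# Added example (not rlm_ldap code): RFC 4515 filter escaping, an RFC 4516 LDAP
# URL for the ldap xlat, and a toy evaluator showing why escaping matters.
from __future__ import annotations

import re
from urllib.parse import quote

# RFC 4515 section 3: these characters must be written as \XX inside an
# assertion value.  Scripts that build filters themselves must do the same.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(user_name: str, stripped_user_name: str | None = None) -> str:
    """The default user filter (uid=%{%{Stripped-User-Name}:-%{User-Name}}):
    prefer Stripped-User-Name, fall back to User-Name, escape whichever is used."""
    return f"(uid={filter_escape(stripped_user_name or user_name)})"


def naive_filter(user_name: str) -> str:
    """The same filter built without escaping; shown only for contrast."""
    return f"(uid={user_name})"


def ldap_url(base_dn: str, attrs: list[str], scope: str, filt: str, host: str = "") -> str:
    """Assemble ldap://host/dn?attrs?scope?filter (RFC 4516).  '?' separates the
    fields, so it and other reserved characters are percent-encoded."""
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r}")
    safe = "=,()*\\:"
    return (f"ldap://{host}/{quote(base_dn, safe=safe)}?{','.join(attrs)}"
            f"?{scope}?{quote(filt, safe=safe)}")


# Minimal evaluator for one equality assertion: an unescaped '*' is a
# wildcard, '\2a' is a literal asterisk.
_SIMPLE = re.compile(r"^\((\w+)=(.*)\)$", re.DOTALL)
_TOKEN = re.compile(r"\\([0-9a-fA-F]{2})|(\*)|([^\\*]+)")


def _assertion_to_regex(raw: str) -> re.Pattern[str]:
    parts = []
    for esc, star, literal in _TOKEN.findall(raw):
        if esc:
            parts.append(re.escape(chr(int(esc, 16))))
        elif star:
            parts.append(".*")
        else:
            parts.append(re.escape(literal))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def search(directory: dict[str, dict[str, list[str]]], filt: str) -> list[str]:
    """Return the DNs of entries matching (attr=value); directory is {dn: {attr: [values]}}."""
    m = _SIMPLE.match(filt)
    if not m:
        raise ValueError(f"unsupported filter {filt!r}")
    attr, pattern = m.group(1), _assertion_to_regex(m.group(2))
    return [dn for dn, entry in directory.items()
            if any(pattern.match(v) for v in entry.get(attr, []))]


# Constructed directory contents.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {"uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=org": {"uid": ["bob"]},
    "uid=svc-nas,ou=service,dc=example,dc=org": {"uid": ["svc-nas"]},
}

if __name__ == "__main__":
    print(ldap_url("dc=example,dc=org", ["cn"], "sub", user_filter("alice")))
    print("unescaped '*' matches:", search(DIRECTORY, naive_filter("*")))
    print("escaped   '*' matches:", search(DIRECTORY, user_filter("*")))
```

The unescaped form of "*" matches every user object, which is exactly the "single user object" requirement failing; the escaped form matches nothing, which is the correct outcome for a name that does not exist.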

positive_access
Syntax

positive_access = boolean

Default

yes

Description

Control whether or not access_attribute is used to determine authorization. If set to yes, then access_attribute existing means allow access. access_attribute not existing means deny access. If set to no, then access_attribute existing means deny access. access_attribute not existing means allow access.

Group

Synopsis

User membership checking.

Directives

cacheable_dn
Syntax

cacheable_dn = boolean

Default

no

Description

If cacheable_name or cacheable_dn are enabled, all group information for the user will be retrieved from the directory and written to LDAP-Group attributes appropriate for the instance of rlm_ldap. For group comparisons these attributes will be checked instead of querying the LDAP directory directly. This feature is intended to be used with rlm_cache. If this feature is used, then the type that matches the format of the check items should be enabled, i.e., if your groups are specified as DNs, then enable cacheable_dn; otherwise, enable cacheable_name.

cacheable_name
Syntax

cacheable_name = boolean

Default

no

Description

If cacheable_name or cacheable_dn are enabled, all group information for the user will be retrieved from the directory and written to LDAP-Group attributes appropriate for the instance of rlm_ldap. For group comparisons these attributes will be checked instead of querying the LDAP directory directly. This feature is intended to be used with rlm_cache. If this feature is used, then the type that matches the format of the check items should be enabled, i.e., if your groups are specified as DNs, then enable cacheable_dn; otherwise, enable cacheable_name.

filter
Syntax

filter = string

Default

(objectClass=posixGroup)

Description

Filter for group objects; should match all available group objects for which a user might be a member.

membership_filter
Syntax

membership_filter = string

Default

(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))

Description

Filter to find group objects of which a user is a member. The group objects that are found using this method are those that contain attributes identifying their members (the inverse of membership_attribute).

membership_attribute
Syntax

membership_attribute = string

Default

memberOf

Description

The attribute in user objects that contains the names or DNs of groups for which the user is a member. Unless a conversion between group name and group DN is needed, there’s no requirement for the group objects referenced to actually exist.

name_attribute
Syntax

name_attribute = string

Default

cn

Description

Attribute that uniquely identifies a group; this attribute is used when converting group DNs to group names.
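The two lookup directions and the cacheable_dn / cacheable_name choice, as an added example that is not rlm_ldap code: it finds a user's groups by the reverse method (membership_filter over objects matching the group filter) and by the forward method (membership_attribute on the user object), converts group DNs to names through name_attribute, and shows which representation a cached LDAP-Group check can be satisfied from. The in-memory directory is constructed; the attribute names are the defaults listed above, and the handling of a DN that cannot be converted to a name is this example's own policy.

```python
# Added example (not rlm_ldap code): group resolution by membership_filter,
# by membership_attribute, and what cacheable_dn / cacheable_name would cache.
from __future__ import annotations

ALICE = "uid=alice,ou=people,dc=example,dc=org"

# Constructed directory: {dn: {attribute: [values]}}.  cn=legacy is referenced
# from memberOf but has no object of its own.
DIRECTORY = {
    ALICE: {"uid": ["alice"],
            "memberOf": ["cn=vpn,ou=groups,dc=example,dc=org",
                         "cn=legacy,ou=groups,dc=example,dc=org"]},
    "cn=vpn,ou=groups,dc=example,dc=org":
        {"objectClass": ["posixGroup"], "cn": ["vpn"], "member": [ALICE]},
    "cn=wifi,ou=groups,dc=example,dc=org":
        {"objectClass": ["posixGroup"], "cn": ["wifi"], "memberUid": ["alice"]},
    "cn=staff,ou=groups,dc=example,dc=org":   # not a posixGroup: outside the group filter
        {"objectClass": ["groupOfNames"], "cn": ["staff"], "member": [ALICE]},
}


def groups_by_membership_filter(directory, user_dn, uid, group_class="posixGroup"):
    """Reverse lookup: objects matching (objectClass=posixGroup) AND
    (|(member=<user dn>)(memberUid=<uid>))."""
    return [dn for dn, e in directory.items()
            if group_class in e.get("objectClass", [])
            and (user_dn in e.get("member", []) or uid in e.get("memberUid", []))]


def groups_by_membership_attribute(directory, user_dn, attribute="memberOf"):
    """Forward lookup: the group references stored on the user object itself."""
    return list(directory[user_dn].get(attribute, []))


def group_dn_to_name(directory, group_dn, name_attribute="cn"):
    """DN -> name via name_attribute; None when no such group object exists."""
    entry = directory.get(group_dn)
    if entry is None or not entry.get(name_attribute):
        return None
    return entry[name_attribute][0]


def resolve_groups(directory, user_dn, uid, *, cacheable_dn, cacheable_name):
    """Values an LDAP-Group cache would hold for the user.  DNs that cannot be
    converted to names are reported under 'unresolved' (this example's policy)."""
    dns = []
    for dn in (groups_by_membership_filter(directory, user_dn, uid)
               + groups_by_membership_attribute(directory, user_dn)):
        if dn not in dns:
            dns.append(dn)
    cached = {"dn": [], "name": [], "unresolved": []}
    if cacheable_dn:
        cached["dn"] = list(dns)
    if cacheable_name:
        for dn in dns:
            name = group_dn_to_name(directory, dn)
            (cached["name"].append(name) if name is not None
             else cached["unresolved"].append(dn))
    return cached


def ldap_group_check(cached, wanted):
    """Emulate LDAP-Group == <value> against cached values only: a DN check
    item needs cacheable_dn, a plain name needs cacheable_name."""
    return wanted in (cached["dn"] if "=" in wanted else cached["name"])


if __name__ == "__main__":
    print(resolve_groups(DIRECTORY, ALICE, "alice", cacheable_dn=True, cacheable_name=True))
```

Note that the forward lookup reports cn=legacy even though no such group object exists, which is the behaviour described for membership_attribute, while the name conversion for it fails; check items written as names therefore need the referenced groups to exist, check items written as DNs do not.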

Profile

Synopsis

User profiles. RADIUS profile objects contain sets of attributes to insert into the request. These attributes are mapped using the same mapping scheme as that applied to user objects.

Directives

default_profile
Syntax

default_profile = string

Default

cn=radprofile,dc=example,dc=org

Description

The default profile applied to all users.

filter
Syntax

filter = string

Default

(objectclass=radiusprofile)

Description

Filter for RADIUS profile objects. This value should match all available profile objects that might be applied to a user.

profile_attribute
Syntax

profile_attribute = string

Default

radiusProfileDn

Description

The attribute in user objects whose values are the DNs of the profiles applied (after the default profile) to that user. The User-Profile attribute in the control list will override this setting at run time.

Client

Synopsis

Client definitions. Clients can be represented by objects in the LDAP directory. The client section specifies how to locate client objects in the LDAP directory, and its attribute sub-section maps LDAP attributes to client attributes.

Directives

base_dn
Syntax

base_dn = string

Default

__

Description

Where to start searching in the tree for clients.

filter
Syntax

filter = string

Default

(objectClass=frClient)

Description

Filter to match client objects.

scope
Syntax

scope = string

Default

sub

Description

Search scope, may be 'base', 'one', 'sub' or 'children'.

Accounting

Synopsis

Modifies user object on receiving Accounting-Request. Useful for recording things like the last time the user logged in, or the Acct-Session-ID for CoA/DM. LDAP modification items are in the format: <ldap attr> <op> <value>

Where:

<ldap attr>

The LDAP attribute to add, modify or delete.

<op>

One of the assignment operators (:=, +=, -=, ++). Note: '=' is not supported, as it has no LDAP modification equivalent; ++ increments an integer-valued attribute in place (the LDAP increment modification, RFC 4525).

<value>

The value to add, modify or delete.

Warning
If using the ':=' operator with a multivalued LDAP attribute, all instances of the attribute will be removed and replaced with a single attribute.
accounting {
    reference = "%{tolower:type.%{Acct-Status-Type}}"

    type {
        start {
            update {
                description := "Online at %S"
            }
        }

        interim-update {
            update {
                description := "Last seen at %S"
            }
        }

        stop {
            update {
                description := "Offline at %S"
            }
        }
    }
}

Post-Auth can modify LDAP objects too.

For eDir users this is performed after the post-auth login checks:

post-auth {
    update {
        description := "Authenticated at %S"
    }
}
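What the accounting and post-auth update items become on the wire, as an added example that is not rlm_ldap code: to_ldif() renders a set of items as an LDIF "changetype: modify" record (which can be dry-run with ldapmodify -n against a test directory), and apply_modify() applies the same items to an in-memory copy of the entry with the semantics an LDAP server uses, including the behaviour the warning above describes, where := discards every existing value of a multi-valued attribute. The entry contents and timestamps are constructed, values are taken as already expanded (so %S has already been replaced), and radiusLoginCount is an invented attribute name standing in for any integer attribute in your schema.

```python
# Added example (not rlm_ldap code): render rlm_ldap modification items as
# LDIF, and simulate how a server applies them.
from __future__ import annotations

import base64
from typing import Iterable, Tuple

# rlm_ldap operator -> LDAP modify operation.  '=' has no LDAP equivalent.
OPS = {":=": "replace", "+=": "add", "-=": "delete", "++": "increment"}

Mod = Tuple[str, str, str]   # (ldap attr, op, value)


def _ldif_value(attr: str, value: str) -> str:
    """LDIF (RFC 2849) requires base64 for values that are not SAFE-STRINGs."""
    unsafe = value and (value[0] in " :<" or not value.isascii()
                        or "\n" in value or "\r" in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def to_ldif(dn: str, mods: Iterable[Mod]) -> str:
    """One 'changetype: modify' record, one operation per '-' separated block."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, op, value in mods:
        if op not in OPS:
            raise ValueError(f"operator {op!r} is not supported for LDAP modifications")
        lines += [f"{OPS[op]}: {attr}", _ldif_value(attr, value), "-"]
    return "\n".join(lines) + "\n"


def apply_modify(entry: dict[str, list[str]], mods: Iterable[Mod]) -> dict[str, list[str]]:
    """Apply mods to a copy of entry the way a server would (RFC 4511 modify,
    RFC 4525 increment).  Failures carry the server's result code name."""
    entry = {k: list(v) for k, v in entry.items()}
    for attr, op, value in mods:
        values = entry.get(attr, [])
        if op == ":=":
            entry[attr] = [value]                 # every existing value is discarded
        elif op == "+=":
            if value in values:
                raise ValueError(f"attributeOrValueExists: {attr}={value}")
            entry[attr] = values + [value]
        elif op == "-=":
            if value not in values:
                raise ValueError(f"noSuchAttribute: {attr}={value}")
            entry[attr] = [v for v in values if v != value]
            if not entry[attr]:
                del entry[attr]
        elif op == "++":
            if len(values) != 1:
                raise ValueError(f"increment needs exactly one value in {attr}")
            entry[attr] = [str(int(values[0]) + int(value))]
        else:
            raise ValueError(f"operator {op!r} is not supported for LDAP modifications")
    return entry


# Constructed user entry and the items an Accounting-Start would apply.
USER = {"description": ["created 2019", "migrated from NIS"], "radiusLoginCount": ["3"]}
START = [("description", ":=", "Online at 2024-05-01 10:00:00"),
         ("radiusLoginCount", "++", "1")]

if __name__ == "__main__":
    print(to_ldif("uid=alice,ou=people,dc=example,dc=org", START))
    print(apply_modify(USER, START))
```

Running the start items shows both original description values gone, which is why an attribute that is shared with other applications should be updated with += / -= pairs, or a dedicated attribute should be used, rather than :=.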

LDAP connection-specific options.

These options set timeouts, keepalives, etc. for the connections.

Directives

chase_referrals
Syntax

chase_referrals = boolean

Default

yes

Description

chase_referrals and rebind are used to ensure Active Directory compatibility. If you set these to no, then searches against Active Directory will likely return "operations error" instead of a useful result.

idle
Syntax

idle = integer

Default

60

Description

Sets LDAP_OPT_X_KEEPALIVE_IDLE: the number of seconds a connection may sit idle before the first TCP keepalive probe is sent.

interval
Syntax

interval = integer

Default

3

Description

Sets LDAP_OPT_X_KEEPALIVE_INTERVAL: the number of seconds between successive TCP keepalive probes.

ldap_debug
Syntax

ldap_debug = string

Default

0x0028

Description

Debug flag for the LDAP SDK (see the OpenLDAP documentation for the LDAP_DEBUG_* values). Setting it produces very large amounts of library-level output on the console, including bind DNs and search filters (and so user names); use it only when debugging an LDAP problem. Left unset, the module uses 0x0000 (no debugging messages). The value shown above, 0x0028, is LDAP_DEBUG_FILTER (0x0020) + LDAP_DEBUG_CONNS (0x0008).

net_timeout
Syntax

net_timeout = integer

Default

1

Description

Seconds to wait for the server to respond at the network level (connection set-up and I/O); LDAP_OPT_NETWORK_TIMEOUT is set to this value. The module's compiled-in default is 10 seconds; the shipped configuration sets 1.

probes
Syntax

probes = integer

Default

3

Description

Sets LDAP_OPT_X_KEEPALIVE_PROBES: the number of unanswered keepalive probes after which the connection is treated as dead and closed, so that the pool opens a fresh one.

rebind
Syntax

rebind = boolean

Default

yes

Description

chase_referrals and rebind are used to ensure Active Directory compatibility. If you set these to no, then searches against Active Directory will likely return "operations error" instead of a useful result. With rebind enabled the module authenticates to the server a referral points at using the same identity and password, so those credentials are sent to whichever server the directory names; keep this enabled only for directories you control, and use TLS.

timelimit
Syntax

timelimit = integer

Default

3

Description

Seconds the LDAP server has to process the query (server-side time limit).

LDAP_OPT_TIMELIMIT is set to this value.

timeout
Syntax

timeout = integer

Default

10

Description

Seconds to wait for an LDAP query to finish (client-side result timeout). The module's compiled-in default is 20 seconds; the shipped configuration sets 10.

start_tls
Syntax

start_tls = boolean

Default

yes

Description

Set this to yes to protect the connection with TLS via the StartTLS extended operation, which upgrades a normal LDAP connection (usually port 389) in place. StartTLS is the alternative to LDAPS (port 636) connections; enable one or the other, not both. With either method, configure the tls sub-section so that the server certificate is verified, otherwise the administrative credentials and user passwords sent in binds are exposed to anyone able to impersonate the server.

pool
Syntax

pool { … }

Description

A sub-section that manages connections to the database. See the pool documentation for more information.

tls
Syntax

tls { … }

Description

A sub-section that manages TLS related parameters. See the tls documentation for more information.