rlm_ldap

Synopsis

The ldap module implements support for querying LDAP servers via the Lightweight Directory Access Protocol (LDAP).

Processing Sections

authorize

When listed in the authorize section, the ldap module looks up the user, caches group memberships, and applies a set of user profiles.

Return codes: noop The module did nothing.
: fail The module failed to expand a query, or connect to the LDAP server.
: userlock The users' account is locked.
: reject The users' account is rejected.
: notfound The users' account was no found.
: ok The users' account was found, and the profile has been updated,

authenticate

When listed in the authenticate section, the ldap module performs User-Password authentication, by binding to the LDAP server as the user.

Return codes: noop The module did nothing.
: fail The module failed to expand a query, or connect to the LDAP server.
: userlock The users' account is locked.
: notfound The users' account was no found.
: reject The user failed authentication.
: ok The user succeeded in authenticating.

accounting

When listed in the accounting section, the ldap module updates the users information in LDAP, using the information from the accounting section below.

Return codes: noop The module did nothing.
: fail The module was unable to connect to the LDAP server.
: invalid The modification used an invalid LDAP query.
: ok The modification succeeded.

post-auth

When listed in the post-auth section, the ldap module updates users information in LDAP, using the information from the post-auth section below.

Return codes: See accounting, above.

Expansions

This module registers only one expansion.

ldap

Syntax: %{ldap: …}
Contents: The contents of the expansion should an LDAP query string. The output of the expansion is the string returned from the LDAP query.

Directives

basedn

Syntax: basedn = string
Default: dc=example,dc=org
Description: Unless overridden in user or group, the dn from which all searches start.

identity

Syntax: identity = string
Default: cn=admin,dc=example,dc=org
Description: Read-only administrator account for initial binding and searching.

password

Syntax: password = string
Default: mypass
Description: FIXME

port

Syntax: port = integer
Default: 389
Description: Port on which to connect. Setting this value to 636 will enable LDAPS if start_tls is not available for use.

server

Syntax: server = hostname
Default: ldap.example.org
Description: If ldaps is used, then server needs to match the name on the LDAP server certificate.

edir

Syntax: edir = boolean
Default: no
Description: Set to yes if you have eDirectory and want to use the universal password mechanism.

edir_autz

Syntax: edir_autz = boolean
Default: no
Description: Set to yes if you want to bind as the user after retrieving the Cleartext-Password. This will consume the login grace and verify user authorization.

valuepair_attr

Syntax: valuepair_attr = string
Default: radiusValuePair
Description: Generic valuepair attribute. If set, this attribute will be retrieved in addition to any mapped attributes. Values should be in the following format: <radius attr> <op> <value>

Where:

Is the attribute you wish to create with any valid list and request qualifiers.

<op>

Is any assignment attribute (= := += -=).

<value>

Is the value to parse into the new valuepair. If the attribute name is wrapped in double quotes it will be xlat expanded.

read_clients

Syntax: read_clients = boolean
Default: no
Description: Set to yes if you wish to bulk load clients definitions from the LDAP directory when the server starts.

update

Synopsis

Warning

Although this format is almost identical to the unlang update section format, it does NOT mean that you can use other unlang constructs in module configuration files.

Configuration items are in the format: <radius attr> <op> <ldap attr>

Where:

radius attr

Is the destination RADIUS attribute with any valid list and request qualifiers.

Is any assignment attribute (= := =` `-=+).

ldap attr

Is the attribute associated with user or profile objects in the LDAP directory. If the attribute name is wrapped in double quotes it will be xlat expanded.

Request and list qualifiers may also be placed after the update section name to set defaults destination requests/lists for unqualified RADIUS attributes.

Note	`LDAP` attribute names should be single quoted unless you want the name value to be derived from an `xlat` expansion, or an attribute ref.

Example update block

update {
	control:NT-Password		:= 'ntPassword'
	reply:Reply-Message		:= 'radiusReplyMessage'
	reply:Tunnel-Type		:= 'radiusTunnelType'
	reply:Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
	reply:Tunnel-Private-Group-ID	:= 'radiusTunnelPrivategroupId'
}

User

Synopsis

User object identification.

Directives

access_attribute

Syntax: access_attribute = string
Default: dialupAccess
Description: If this is undefined, anyone is authorized. If it is defined, the contents of this attribute determine whether or not the user is authorized.

filter

Syntax: filter = string
Default: (uid=%\{%{Stripped-User-Name}:-%{User-Name}})
Description: Filter for user objects, should be specific enough to identify a single user object.

positive_access

Syntax: positive_access = boolean
Default: yes
Description: Control whether or not access_attribute is used to determine authorization. If set to yes, then access_attribute existing means allow access. access_attribute not existing means deny access. If set to no, then access_attribute existing means deny access. access_attribute not existing means allow access.

Group

Synopsis

User membership checking.

Directives

cacheable_dn

Syntax: cacheable_dn = boolean
Default: no
Description: If cacheable_name or cacheable_dn are enabled, all group information for the user will be retrieved from the directory and written to LDAP-Group attributes appropriate for the instance of rlm_ldap. For group comparisons these attributes will be checked instead of querying the LDAP directory directly. This feature is intended to be used with rlm_cache. If this feature is used, then the type that matches the format of the check items should be enabled, i.e., if your groups are specified as DNs, then enable cacheable_dn; otherwise, enable cacheable_name.

cacheable_name

Syntax: cacheable_name = boolean
Default: no
Description: If cacheable_name or cacheable_dn are enabled, all group information for the user will be retrieved from the directory and written to LDAP-Group attributes appropriate for the instance of rlm_ldap. For group comparisons these attributes will be checked instead of querying the LDAP directory directly. This feature is intended to be used with rlm_cache. If this feature is used, then the type that matches the format of the check items should be enabled, i.e., if your groups are specified as DNs, then enable cacheable_dn; otherwise, enable cacheable_name.

filter

Syntax: filter = string
Default: (objectClass=posixGroup)
Description: Filter for group objects; should match all available group objects for which a user might be a member.

membership_filter

Syntax: membership_filter = string
Default: (|(member=%\{control:Ldap-UserDn})(memberUid=%\{%{Stripped-User-Name}:-%{User-Name}}))
Description: Filter to find group objects of which a user is a member. The group objects that are found using this method are those that contain attributes that identify members (the inverse of membership_attribute). .name_attribute

membership_attribute

Syntax: membership_attribute = string
Default: memberOf
Description: The attribute in user objects that contains the names or DNs of groups for which the user is a member. Unless a conversion between group name and group DN is needed, there’s no requirement for the group objects referenced to actually exist.

name_attribute

Syntax: name_attribute = string

Default cn

Description: Attribute that uniquely identifies a group; this attribute is used when converting group DNs to group names.

Profile

Synopsis

User profiles. RADIUS profile objects contain sets of attributes to insert into the request. These attributes are mapped using the same mapping scheme as that applied to user objects.

Directives

default_profile

Syntax: default_profile = string
Default: cn=radprofile,dc=example,dc=org
Description: The default profile applied to all users.

filter

Syntax: filter = string
Default: (objectclass=radiusprofile)
Description: Filter for RAIDUS profile objects. This value should match all available group objects of which a user might be a member.

profile_attribute

Syntax: profile_attribute = string
Default: radiusProfileDn
Description: The list of profiles that are applied (after the default) to all users. The User-Profile attribute in the control list will over-ride this setting at run-time.

Client

Synopsis

Client definitions. Clients can be represented by objects in the LDAP directory. The client section specifies how to locate clients objects in the LDAP directory, and the attribute sub-section maps LDAP attributes to client attributes.

Directives

base_dn

Syntax: base_dn = string
Default: __
Description: Where to start searching in the tree for clients.

filter

Syntax: filter = string
Default: (objectClass=frClient)
Description: Filter to match client objects

scope

Syntax: scope = string
Default: sub
Description: Search scope, may be 'base', 'one', 'sub' or 'children'.

Accounting

Synopsis

Modifies user object on receiving Accounting-Request. Useful for recording things like the last time the user logged in, or the Acct-Session-ID for CoA/DM. LDAP modification items are in the format: <ldap attr> <op> <value>

Where:

The LDAP attribute to add modify or delete.

<op>

One of the assignment operators: ( FIXME := `= -= `+). Note: '=' is not supported.

<value>

The value to add modify or delete.

Warning

If using the ':=' operator with a multivalued LDAP attribute, all instances of the attribute will be removed and replaced with a single attribute.

accounting {
    reference = "%\{tolower:type.%\{Acct-Status-Type}}"

        type {
            start {
                update {
                    description := "Online at %S"
                }
            }

            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }

            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }

Post-Auth can modify LDAP objects too.

For eDir users this is performed after the post-auth login checks:

post-auth {
    update {
        description := "Authenticated at %S"
    }
}

LDAP connection-specific options.

These options set timeouts, keepalives, etc. for the connections.

Directives

chase_referrals

Syntax: chase_referrals = boolean
Default: yes
Description: chase_referrals and rebind are used to ensure (FIXME) Active Directory compatibility. If you set these to no, then searches will likely return operations error instead of a useful result.

idle

Syntax: idle = integer

Default 60

Description: LDAP_OPT_X_KEEPALIVE_IDLE

interval

Syntax: interval = integer
Default: 3
Description: LDAP_OPT_X_KEEPALIVE_INTERVAL

ldap_debug

Syntax: ldap_debug = string
Default: 0x0028
Description: Debug flag for LDAP SDK (see OpenLDAP documentation). Set this to enable huge amounts of LDAP debugging on the screen. You should only use this if you are an LDAP expert. default: 0x0000 (no debugging messages) Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)

net_timeout

Syntax: net_timeout = integer
Default: 1
Description: Seconds to wait for response of the server (network failures). Default: 10 (FIXME - line below states =1) LDAP_OPT_NETWORK_TIMEOUT is set to this value.

probes

Syntax: probes = integer
Default: 3
Description: LDAP_OPT_X_KEEPALIVE_PROBES

rebind

Syntax: rebind = boolean
Default: yes
Description: chase_referrals and rebind are used to ensure (FIXME) Active Directory compatibility. If you set these to no, then searches will likely return operations error instead of a useful result.

timelimit

Syntax: timelimit = integer
Default: 3
Description: Seconds LDAP server has to process the query (server-side time limit). Default: 3
: LDAP_OPT_TIMELIMIT is set to this value.

timeout

Syntax: timeout = integer
Default: 10
Description: Seconds to wait for LDAP query to finish. Default: 20 (FIXME - line below indicated default was 10!!!)

start_tls

Syntax: start_tls = boolean
Default: yes
Description: Set this to yes to use TLS encrypted connections to the LDAP database by using the StartTLS extended operation. The StartTLS operation is supposed to be used with normal ldap connections instead of using ldaps (port 636) connections.

pool

Syntax: pool { … }
Description: A sub-section that manages connections to the database. See the pool documentation for more information.

tls

Syntax: tls { … }
Description: A sub-section that manages TLS related parameters. See the tls documentation for more information.