# -*- text -*-
#
#  $Id$

# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication.
#
#  See raddb/sites-available/default for reference to the
#  ldap module in the authorize and authenticate sections.
#
#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#
#  This means that LDAP servers don't understand EAP.  If you
#  force "Auth-Type = LDAP", and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.
#
#  The solution is to use the default configuration, which does
#  work.
#
#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
#  really can't emphasize this enough.
#
ldap {
    #
    #  Note that this needs to match the name in the LDAP
    #  server certificate, if you're using ldaps.
    server = "@@ldap_server@@"
    port = 636
    identity = "cn=admin,@@basedn@@"
    password = @@ldap_pass@@
    basedn = "@@basedn@@"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    #base_filter = "(objectclass=radiusprofile)"

    #  How many connections to keep open to the LDAP server.
    #  This saves time over opening a new LDAP socket for
    #  every authentication request.
    ldap_connections_number = 5

    # seconds to wait for LDAP query to finish. default: 20
    timeout = 4

    #  seconds LDAP server has to process the query (server-side
    #  time limit). default: 20
    #
    #  LDAP_OPT_TIMELIMIT is set to this value.
    timelimit = 3

    #
    #  seconds to wait for response of the server. (network
    #   failures) default: 10
    #
    #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
    net_timeout = 1

    #
    #  This subsection configures the tls related items
    #  that control how FreeRADIUS connects to an LDAP
    #  server.  It contains all of the "tls_*" configuration
    #  entries used in older versions of FreeRADIUS.  Those
    #  configuration entries can still be used, but we recommend
    #  using these.
    #
    tls {
        # Set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        #
        # The StartTLS operation is supposed to be
        # used with normal ldap connections instead of
        # using ldaps (port 689) connections
        start_tls = no

        # cacertfile    = /path/to/cacert.pem
        # cacertdir     = /path/to/ca/dir/
        # certfile      = /path/to/radius.crt
        # keyfile       = /path/to/radius.key
        # randfile      = /path/to/rnd

        #  Certificate Verification requirements.  Can be:
        #    "never" (don't even bother trying)
        #    "allow" (try, but don't fail if the cerificate
        #       can't be verified)
        #    "demand" (fail if the certificate doesn't verify.)
        #
        #   The default is "allow"
        #require_cert    = "never"
    }

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    # access_attr = "dialupAccess"

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${confdir}/ldap.attrmap

    #  Set password_attribute = nspmPassword to get the
    #  user's password from a Novell eDirectory
    #  backend. This will work ONLY IF FreeRADIUS has been
    #  built with the --with-edir configure option.
    #
    #  See also the following links:
    #
    #  http://www.novell.com/coolsolutions/appnote/16745.html
    #  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
    #
    #  Novell may require TLS encrypted sessions before returning
    #  the user's password.
    #
    # password_attribute = userPassword

    #  Un-comment the following to disable Novell
    #  eDirectory account policy check and intruder
    #  detection. This will work *only if* FreeRADIUS is
    #  configured to build with --with-edir option.
    #
    edir_account_policy_check = no

    #
    #  Group membership checking.  Disabled by default.
    #
    groupname_attribute = cn
    groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
    # groupmembership_attribute = radiusGroupName

    # compare_check_items = yes
    # do_xlat = yes
    # access_attr_used_for_allow = yes

    #
    #  The following two configuration items are for Active Directory
    #  compatibility.  If you see the helpful "operations error"
    #  being returned to the LDAP module, uncomment the next
    #  two lines.
    #
    # chase_referrals = yes
    # rebind = yes

    #
    #  By default, if the packet contains a User-Password,
    #  and no other module is configured to handle the
    #  authentication, the LDAP module sets itself to do
    #  LDAP bind for authentication.
    #
    #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
    #
    #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
    #
    #  You can disable this behavior by setting the following
    #  configuration entry to "no".
    #
    #  allowed values: {no, yes}
    # set_auth_type = yes

    #  ldap_debug: debug flag for LDAP SDK
    #  (see OpenLDAP documentation).  Set this to enable
    #  huge amounts of LDAP debugging on the screen.
    #  You should only use this if you are an LDAP expert.
    #
    #   default: 0x0000 (no debugging messages)
    #   Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
    #ldap_debug = 0x0028
}
