+
+
+
+
= LDAP (Lightweight Directory Access Protocol) Module
The `ldap` module allows LDAP directory entries to be retrieved, modified,
[source, unlang]
----
ldap
-if ((ok || updated) && &User-Password) {
- &control.Auth-Type := ::ldap
+if ((ok || updated) && User-Password) {
+ control.Auth-Type := ::ldap
}
----
====
default:: The default profile. This may be a DN or an attribute reference.
-NOTE: To get old v2.2.x style behaviour, or to use the `&User-Profile` attribute
-to specify the default profile, set this to `&control.User-Profile`.
+NOTE: To get old v2.2.x style behaviour, or to use the `User-Profile` attribute
+to specify the default profile, set this to `control.User-Profile`.
+check_attribute:: The LDAP attribute containing conditions which
+will be evaluated to determine whether a profile should be applied.
+
+
+
+fallthrough_attribute:: The LDAP attribute containing a condition
+which will be evaluated to determine whether more profiles should
+be applied after this one.
+
+
+
+fallthrough_def:: If the attribute referenced in fallthrough_attribute
+is not in the reply, what should be the default behaviour
+
+
+
### Modify user object on receiving Accounting-Request
Useful for recording things like the last time the user logged
[source,unlang]
----
-&my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
-&reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string}}"
+my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
+reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string}}"
----
.Output
[source,unlang]
----
-&my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
+my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
----
### %ldap.uri.unescape(...)
[source,unlang]
----
-&my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"
-&reply.Reply-Message := "The LDAP url is %ldap.uri.unescape(%{my-string})"
+my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"
+reply.Reply-Message := "The LDAP url is %ldap.uri.unescape(%{my-string})"
----
.Output
}
# valuepair_attribute = 'radiusAttribute'
update {
- &control.Password.With-Header += 'userPassword'
-# &control.Password.NT := 'ntPassword'
-# &reply.Reply-Message := 'radiusReplyMessage'
-# &reply.Tunnel-Type := 'radiusTunnelType'
-# &reply.Tunnel-Medium-Type := 'radiusTunnelMediumType'
-# &reply.Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
- &control += 'radiusControlAttribute'
- &request += 'radiusRequestAttribute'
- &reply += 'radiusReplyAttribute'
+ control.Password.With-Header += 'userPassword'
+# control.Password.NT := 'ntPassword'
+# reply.Reply-Message := 'radiusReplyMessage'
+# reply.Tunnel-Type := 'radiusTunnelType'
+# reply.Tunnel-Medium-Type := 'radiusTunnelMediumType'
+# reply.Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
+ control += 'radiusControlAttribute'
+ request += 'radiusRequestAttribute'
+ reply += 'radiusReplyAttribute'
}
# edir = no
# edir_autz = no
user {
base_dn = "${..base_dn}"
- filter = "(uid=%{&Stripped-User-Name || &User-Name})"
-# filter = "(&(objectClass=user)(sAMAccountName=%{&Stripped-User-Name || &User-Name})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
+ filter = "(uid=%{&Stripped-User-Name || User-Name})"
+# filter = "(&(objectClass=user)(sAMAccountName=%{Stripped-User-Name || User-Name})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
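Review bot: The live `filter` on the new side is only half converted: `%{&Stripped-User-Name || User-Name}` drops the `&` from `User-Name` but keeps it on `Stripped-User-Name`, so one expansion now mixes the old and new reference syntax. The commented Active Directory variant directly below was converted fully, so the active line should match it: `filter = "(uid=%{Stripped-User-Name || User-Name})"`. The same half-converted line is carried into the second `filter =` hunk (L162). If the parser still accepts the `&` prefix this is cosmetic, but if the commit is retiring that form this is the one uncommented setting that still depends on it.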
sasl {
# mech = 'PLAIN'
-# authname = &User-Name
-# proxy = &User-Name
+# authname = User-Name
+# proxy = User-Name
# realm = 'example.org'
}
-# password_attribute = &User-Password
+# password_attribute = User-Password
# scope = 'sub'
# sort_by = '-uid'
# access_attribute = 'dialupAccess'
filter = '(objectClass=posixGroup)'
# scope = 'sub'
# name_attribute = cn
-# membership_filter = "(|(member=%{control.Ldap-UserDn})(memberUid=%{&Stripped-User-Name || &User-Name}))"
+# membership_filter = "(|(member=%{control.Ldap-UserDn})(memberUid=%{Stripped-User-Name || User-Name}))"
membership_attribute = 'memberOf'
# cacheable_name = 'no'
# cacheable_dn = 'no'
# attribute = 'radiusProfileDn'
# attribute_suspend = 'radiusProfileDn'
# sort_by = 'radiusProfilePriority'
+# check_attribute = 'radiusProfileCondition'
+# fallthrough_attribute = 'radiusProfileFallthrough'
+# fallthrough_default = yes
}
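Review bot: The new sample `# fallthrough_default = yes` does not agree with the option name documented in the AsciiDoc part of this commit, which lists it as `fallthrough_def::` (L33); one of the two is a typo, and a reader who copies the documented name into this file would presumably get an unknown-option error at config parse time. Whichever name the module actually registers should be used in both places. It would also help to give the three new commented samples the same one-line explanation the surrounding `attribute`/`sort_by` samples have elsewhere in this file, e.g. `# Attribute holding a condition that decides whether this profile is applied` above `check_attribute`.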
accounting {
start {
# update { ... }::
#
update {
- &control.Password.With-Header += 'userPassword'
-# &control.Password.NT := 'ntPassword'
-# &reply.Reply-Message := 'radiusReplyMessage'
-# &reply.Tunnel-Type := 'radiusTunnelType'
-# &reply.Tunnel-Medium-Type := 'radiusTunnelMediumType'
-# &reply.Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
+ control.Password.With-Header += 'userPassword'
+# control.Password.NT := 'ntPassword'
+# reply.Reply-Message := 'radiusReplyMessage'
+# reply.Tunnel-Type := 'radiusTunnelType'
+# reply.Tunnel-Medium-Type := 'radiusTunnelMediumType'
+# reply.Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
# NOTE: Where only a list is specified as the RADIUS attribute,
# the value of the LDAP attribute is parsed as a valuepair
# in the same format as the 'valuepair_attribute' (above).
- &control += 'radiusControlAttribute'
- &request += 'radiusRequestAttribute'
- &reply += 'radiusReplyAttribute'
+ control += 'radiusControlAttribute'
+ request += 'radiusRequestAttribute'
+ reply += 'radiusReplyAttribute'
}
#
# [source, unlang]
# ----
# ldap
- # if ((ok || updated) && &User-Password) {
- # &control.Auth-Type := ::ldap
+ # if ((ok || updated) && User-Password) {
+ # control.Auth-Type := ::ldap
# }
# ----
# ====
# filter:: Filter for user objects, should be specific enough
# to identify a single user object.
#
- filter = "(uid=%{&Stripped-User-Name || &User-Name})"
+ filter = "(uid=%{&Stripped-User-Name || User-Name})"
# For Active Directory nested group, you should comment out the previous 'filter = ...'
# and use the below. Where 'group' is the group you are querying for.
#
# See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
#
-# filter = "(&(objectClass=user)(sAMAccountName=%{&Stripped-User-Name || &User-Name})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
+# filter = "(&(objectClass=user)(sAMAccountName=%{Stripped-User-Name || User-Name})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
#
# sasl { ... }:: SASL parameters to use for user binds
# authname:: SASL authentication name. Mechanism specific value
# to use when prompted for the client authentication name.
#
-# authname = &User-Name
+# authname = User-Name
#
# proxy:: SASL authorisation identity to proxy.
#
-# proxy = &User-Name
+# proxy = User-Name
#
# realm:: SASL realm. Used for kerberos.
# Service, CN=Windows NT, CN=Services, CN=Configuration` object. Modify the
# `msDS-Other-Settings` attribute, and add a new entry for `DenyUnauthenticatedBind=1`.
#
-# password_attribute = &User-Password
+# password_attribute = User-Password
#
# scope:: Search scope, may be `base`, `one`, `sub' or `children`.
# That is, group objects with attributes that identify
# members (the inverse of `membership_attribute`).
#
-# membership_filter = "(|(member=%{control.Ldap-UserDn})(memberUid=%{&Stripped-User-Name || &User-Name}))"
+# membership_filter = "(|(member=%{control.Ldap-UserDn})(memberUid=%{Stripped-User-Name || User-Name}))"
#
# membership_attribute:: The attribute, in user objects, which contain
#
# default:: The default profile. This may be a DN or an attribute reference.
#
- # NOTE: To get old v2.2.x style behaviour, or to use the `&User-Profile` attribute
- # to specify the default profile, set this to `&control.User-Profile`.
+ # NOTE: To get old v2.2.x style behaviour, or to use the `User-Profile` attribute
+ # to specify the default profile, set this to `control.User-Profile`.
#
# default = 'cn=radprofile,dc=example,dc=org'
#
# [source,unlang]
# ----
-# &my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
-# &reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string}}"
+# my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
+# reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string}}"
# ----
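Review bot: The rewritten example line `# reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string}}"` carries over a malformed expansion: `%{my-string}` is closed by `}}` and the `%ldap.uri.escape(` call is never closed with `)`, so the snippet will most likely fail to parse if pasted. Since the commit already touches this line, it should read `# reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string})"`, matching the `%ldap.uri.unescape(%{my-string})` example in the later hunk (L231). The same typo is reproduced in the AsciiDoc copy of this example (L45).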
#
# .Output
#
# [source,unlang]
# ----
-# &my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
+# my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
# ----
#
# ### %ldap.uri.unescape(...)
#
# [source,unlang]
# ----
-# &my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"
-# &reply.Reply-Message := "The LDAP url is %ldap.uri.unescape(%{my-string})"
+# my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"
+# reply.Reply-Message := "The LDAP url is %ldap.uri.unescape(%{my-string})"
# ----
#
# .Output