-
-
Save dwinurhadia/217bf5e1bb5784e62acf2fa01c439068 to your computer and use it in GitHub Desktop.
Ldap Config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# -*- text -*- | |
# | |
# $Id: 1f0ee0383834684c7314a89be40003933023c401 $ | |
# | |
# Lightweight Directory Access Protocol (LDAP) | |
# | |
ldap { | |
# Note that this needs to match the name(s) in the LDAP server | |
# certificate, if you're using ldaps. See OpenLDAP documentation | |
# for the behavioral semantics of specifying more than one host. | |
server = "<isikan alamat ip server>" | |
# Port to connect on, defaults to 389. Setting this to 636 will enable | |
# LDAPS if start_tls (see below) is not able to be used. | |
port = 389 | |
# Administrator account for searching and possibly modifying. | |
identity = "uid=<isikan username testing>,ou=people,o=Universitas Gadjah Mada,dc=ugm,dc=ac,dc=id" | |
password = "<isikan password username testing>" | |
# Unless overridden in another section, the dn from which all | |
# searches will start from. | |
# base_dn = "dc=example,dc=org" | |
base_dn = "ou=people,o=Universitas Gadjah Mada,dc=ugm,dc=ac,dc=id" | |
# | |
# Generic valuepair attribute | |
# | |
# If set, this will attribute will be retrieved in addition to any | |
# mapped attributes. | |
# | |
# Values should be in the format: | |
# <radius attr> <op> <value> | |
# | |
# Where: | |
# <radius attr>: Is the attribute you wish to create | |
# with any valid list and request qualifiers. | |
# <op>: Is any assignment attribute (=, :=, +=, -=). | |
# <value>: Is the value to parse into the new valuepair. | |
# If the attribute name is wrapped in double | |
# quotes it will be xlat expanded. | |
# valuepair_attribute = "radiusAttribute" | |
# | |
# Mapping of LDAP directory attributes to RADIUS dictionary attributes. | |
# | |
# WARNING: Although this format is almost identical to the unlang | |
# update section format, it does *NOT* mean that you can use other | |
# unlang constructs in module configuration files. | |
# | |
# Configuration items are in the format: | |
# <radius attr> <op> <ldap attr> | |
# | |
# Where: | |
# <radius attr>: Is the destination RADIUS attribute | |
# with any valid list and request qualifiers. | |
# <op>: Is any assignment attribute (=, :=, +=, -=). | |
# <ldap attr>: Is the attribute associated with user or | |
# profile objects in the LDAP directory. | |
# If the attribute name is wrapped in double | |
# quotes it will be xlat expanded. | |
# | |
# Request and list qualifiers may also be placed after the 'update' | |
# section name to set defaults destination requests/lists | |
# for unqualified RADIUS attributes. | |
# | |
# Note: LDAP attribute names should be single quoted unless you want | |
# the name value to be derived from an xlat expansion, or an | |
# attribute ref. | |
update { | |
control:Password-With-Header += 'userPassword' | |
control:User-Password := 'userPassword' | |
# control:NT-Password := 'ntPassword' | |
# reply:Reply-Message := 'radiusReplyMessage' | |
# reply:Tunnel-Type := 'radiusTunnelType' | |
# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' | |
# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId' | |
# These are provided for backwards compatibility. | |
# Where only a list is specified as the RADIUS attribute, | |
# the value of the LDAP attribute is parsed as a valuepair | |
# in the same format as the 'valuepair_attribute' (above). | |
# control: += 'radiusCheckAttributes' | |
# reply: += 'radiusReplyAttributes' | |
} | |
# Set to yes if you have eDirectory and want to use the universal | |
# password mechanism. | |
# edir = no | |
# Set to yes if you want to bind as the user after retrieving the | |
# Cleartext-Password. This will consume the login grace, and | |
# verify user authorization. | |
# edir_autz = no | |
# Note: set_auth_type was removed in v3.x.x | |
# Equivalent functionality can be achieved by adding the following | |
# stanza to the authorize {} section of your virtual server. | |
# | |
# ldap | |
# if ((ok || updated) && User-Password) { | |
# update { | |
# control:Auth-Type := ldap | |
# } | |
# } | |
# | |
# User object identification. | |
# | |
user { | |
# Where to start searching in the tree for users | |
base_dn = "${..base_dn}" | |
# Filter for user objects, should be specific enough | |
# to identify a single user object. | |
#ifilter = "(uid=%{%{Stripped-User-Name}:-%{User-Name:-None}})" | |
#filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" | |
filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(!(employeeType=Alumni))(!(employeeType=Instansi)))" | |
#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})(!(employeeType=Alumni))(!(employeeType=Instansi))" | |
#filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(!(employeeType=Alumni))(!(employeeType=Instansi)))" | |
#filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" | |
# Search scope, may be 'base', 'one', sub' or 'children' | |
scope = 'sub' | |
# If this is undefined, anyone is authorised. | |
# If it is defined, the contents of this attribute | |
# determine whether or not the user is authorised | |
# access_attribute = "dialupAccess" | |
# Control whether the presence of "access_attribute" | |
# allows access, or denys access. | |
# | |
# If "yes", and the access_attribute is present, or | |
# "no" and the access_attribute is absent then access | |
# will be allowed. | |
# | |
# If "yes", and the access_attribute is absent, or | |
# "no" and the access_attribute is present, then | |
# access will not be allowed. | |
# | |
# If the value of the access_attribute is "false", it | |
# will negate the result. | |
# | |
# e.g. | |
# access_positive = yes | |
# access_attribute = userAccessAllowed | |
# | |
# userAccessAllowed = false | |
# | |
# Will result in the user being locked out. | |
# access_positive = yes | |
} | |
# | |
# User membership checking. | |
# | |
group { | |
# Where to start searching in the tree for groups | |
base_dn = "${..base_dn}" | |
# Filter for group objects, should match all available | |
# group objects a user might be a member of. | |
filter = "(objectClass=posixGroup)" | |
# Search scope, may be 'base', 'one', sub' or 'children' | |
# scope = 'sub' | |
# Attribute that uniquely identifies a group. | |
# Is used when converting group DNs to group | |
# names. | |
# name_attribute = cn | |
# Filter to find group objects a user is a member of. | |
# That is, group objects with attributes that | |
# identify members (the inverse of membership_attribute). | |
# membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" | |
# The attribute in user objects which contain the names | |
# or DNs of groups a user is a member of. | |
# | |
# Unless a conversion between group name and group DN is | |
# needed, there's no requirement for the group objects | |
# referenced to actually exist. | |
membership_attribute = "memberOf" | |
# If cacheable_name or cacheable_dn are enabled, | |
# all group information for the user will be | |
# retrieved from the directory and written to LDAP-Group | |
# attributes appropriate for the instance of rlm_ldap. | |
# | |
# For group comparisons these attributes will be checked | |
# instead of querying the LDAP directory directly. | |
# | |
# This feature is intended to be used with rlm_cache. | |
# | |
# If you wish to use this feature, you should enable | |
# the type that matches the format of your check items | |
# i.e. if your groups are specified as DNs then enable | |
# cacheable_dn else enable cacheable_name. | |
# cacheable_name = "no" | |
# cacheable_dn = "no" | |
# Override the normal cache attribute (<inst>-LDAP-Group) | |
# and create a custom attribute. This can help if multiple | |
# module instances are used in fail-over. | |
# cache_attribute = "LDAP-Cached-Membership" | |
} | |
# | |
# User profiles. RADIUS profile objects contain sets of attributes | |
# to insert into the request. These attributes are mapped using | |
# the same mapping scheme applied to user objects. | |
# | |
profile { | |
# Filter for RADIUS profile objects | |
# filter = "(objectclass=radiusprofile)" | |
# The default profile applied to all users. | |
# default = "cn=radprofile,dc=example,dc=org" | |
# The list of profiles which are applied (after the default) | |
# to all users. | |
# The "User-Profile" attribute in the control list | |
# will override this setting at run-time. | |
# attribute = "radiusProfileDn" | |
} | |
# | |
# Bulk load clients from the directory | |
# | |
client { | |
# Where to start searching in the tree for clients | |
base_dn = "${..base_dn}" | |
# | |
# Filter to match client objects | |
# | |
# Tambahan (Dicomment) | |
#filter = '(objectClass=frClient)' | |
# Search scope, may be 'base', 'one', 'sub' or 'children' | |
# scope = 'sub' | |
# | |
# Client attribute mappings are in the format: | |
# <client attribute> = <ldap attribute> | |
# | |
# Arbitrary attributes (accessible by %{client:<attr>}) are not yet supported. | |
# | |
# The following attributes are required: | |
# * identifier - IPv4 address, or IPv4 address with prefix, or hostname. | |
# * secret - RADIUS shared secret. | |
# | |
# The following attributes are optional: | |
# * shortname - Friendly name associated with the client | |
# * nas_type - NAS Type | |
# * virtual_server - Virtual server to associate the client with | |
# * require_message_authenticator - Whether we require the Message-Authenticator | |
# attribute to be present in requests from the client. | |
# | |
# Schemas are available in doc/schemas/ldap for openldap and eDirectory | |
# | |
attribute { | |
identifier = 'radiusClientIdentifier' | |
secret = 'radiusClientSecret' | |
# shortname = 'radiusClientShortname' | |
# nas_type = 'radiusClientType' | |
# virtual_server = 'radiusClientVirtualServer' | |
# require_message_authenticator = 'radiusClientRequireMa' | |
} | |
} | |
# Load clients on startup | |
# read_clients = no | |
# | |
# Modify user object on receiving Accounting-Request | |
# | |
# Useful for recording things like the last time the user logged | |
# in, or the Acct-Session-ID for CoA/DM. | |
# | |
# LDAP modification items are in the format: | |
# <ldap attr> <op> <value> | |
# | |
# Where: | |
# <ldap attr>: The LDAP attribute to add modify or delete. | |
# <op>: One of the assignment operators: | |
# (:=, +=, -=, ++). | |
# Note: '=' is *not* supported. | |
# <value>: The value to add modify or delete. | |
# | |
# WARNING: If using the ':=' operator with a multi-valued LDAP | |
# attribute, all instances of the attribute will be removed and | |
# replaced with a single attribute. | |
accounting { | |
reference = "%{tolower:type.%{Acct-Status-Type}}" | |
type { | |
start { | |
update { | |
description := "Online at %S" | |
} | |
} | |
interim-update { | |
update { | |
description := "Last seen at %S" | |
} | |
} | |
stop { | |
update { | |
description := "Offline at %S" | |
} | |
} | |
} | |
} | |
# | |
# Post-Auth can modify LDAP objects too | |
# | |
post-auth { | |
update { | |
description := "Authenticated at %S" | |
} | |
} | |
# | |
# LDAP connection-specific options. | |
# | |
# These options set timeouts, keep-alives, etc. for the connections. | |
# | |
options { | |
# Control under which situations aliases are followed. | |
# May be one of 'never', 'searching', 'finding' or 'always' | |
# default: libldap's default which is usually 'never'. | |
# | |
# LDAP_OPT_DEREF is set to this value. | |
# dereference = 'always' | |
# | |
# The following two configuration items control whether the | |
# server follows references returned by LDAP directory. | |
# They are mostly for Active Directory compatibility. | |
# If you set these to "no", then searches will likely return | |
# "operations error", instead of a useful result. | |
# | |
chase_referrals = yes | |
rebind = yes | |
# Seconds to wait for LDAP query to finish. default: 20 | |
timeout = 20 | |
# Seconds LDAP server has to process the query (server-side | |
# time limit). default: 20 | |
# | |
# LDAP_OPT_TIMELIMIT is set to this value. | |
timelimit = 20 | |
# Seconds to wait for response of the server. (network | |
# failures) default: 10 | |
# | |
# LDAP_OPT_NETWORK_TIMEOUT is set to this value. | |
net_timeout = 1 | |
# LDAP_OPT_X_KEEPALIVE_IDLE | |
idle = 30 | |
# LDAP_OPT_X_KEEPALIVE_PROBES | |
probes = 3 | |
# LDAP_OPT_X_KEEPALIVE_INTERVAL | |
interval = 3 | |
# ldap_debug: debug flag for LDAP SDK | |
# (see OpenLDAP documentation). Set this to enable | |
# huge amounts of LDAP debugging on the screen. | |
# You should only use this if you are an LDAP expert. | |
# | |
# default: 0x0000 (no debugging messages) | |
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) | |
ldap_debug = 0x0028 | |
} | |
# | |
# This subsection configures the tls related items | |
# that control how FreeRADIUS connects to an LDAP | |
# server. It contains all of the "tls_*" configuration | |
# entries used in older versions of FreeRADIUS. Those | |
# configuration entries can still be used, but we recommend | |
# using these. | |
# | |
tls { | |
# Set this to 'yes' to use TLS encrypted connections | |
# to the LDAP database by using the StartTLS extended | |
# operation. | |
# | |
# The StartTLS operation is supposed to be | |
# used with normal ldap connections instead of | |
# using ldaps (port 636) connections | |
# start_tls = yes | |
# start_tls = yes | |
# ca_file = ${certdir}/cacert.pem | |
# ca_path = ${certdir} | |
# certificate_file = /path/to/radius.crt | |
# private_key_file = /path/to/radius.key | |
# random_file = ${certdir}/random | |
# Certificate Verification requirements. Can be: | |
# "never" (don't even bother trying) | |
# "allow" (try, but don't fail if the certificate | |
# can't be verified) | |
# "demand" (fail if the certificate doesn't verify.) | |
# | |
# The default is "allow" | |
# require_cert = "demand" | |
# require_cert = "never" | |
} | |
# As of version 3.0, the "pool" section has replaced the | |
# following configuration items: | |
# | |
# ldap_connections_number | |
# The connection pool is new for 3.0, and will be used in many | |
# modules, for all kinds of connection-related activity. | |
# | |
# When the server is not threaded, the connection pool | |
# limits are ignored, and only one connection is used. | |
pool { | |
# Number of connections to start | |
start = 10 | |
# Minimum number of connections to keep open | |
min = 1 | |
# Maximum number of connections | |
# | |
# If these connections are all in use and a new one | |
# is requested, the request will NOT get a connection. | |
# | |
# Setting 'max' to LESS than the number of threads means | |
# that some threads may starve, and you will see errors | |
# like "No connections available and at max connection limit" | |
# | |
# Setting 'max' to MORE than the number of threads means | |
# that there are more connections than necessary. | |
max = ${thread[pool].max_servers} | |
# Spare connections to be left idle | |
# | |
# NOTE: Idle connections WILL be closed if "idle_timeout" | |
# is set. | |
spare = 30 | |
# Number of uses before the connection is closed | |
# | |
# 0 means "infinite" | |
uses = 0 | |
# The lifetime (in seconds) of the connection | |
lifetime = 0 | |
# Idle timeout (in seconds). A connection which is | |
# unused for this length of time will be closed. | |
idle_timeout = 360 | |
# NOTE: All configuration settings are enforced. If a | |
# connection is closed because of "idle_timeout", | |
# "uses", or "lifetime", then the total number of | |
# connections MAY fall below "min". When that | |
# happens, it will open a new connection. It will | |
# also log a WARNING message. | |
# | |
# The solution is to either lower the "min" connections, | |
# or increase lifetime/idle_timeout. | |
} | |
#dictionary_mapping = "${confdir}/ldap.attrmap" | |
#dictionary_mapping = /etc/raddb/ldap.attrmap | |
#password_attribute = 'userPassword' | |
#edir_account_policy_check = no | |
#authtype = ldap | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment