ldap.erb

# -*- text -*-
#
#  $Id$

#
#  Lightweight Directory Access Protocol (LDAP)
#
ldap <%= @name %> {
	#  Note that this needs to match the name(s) in the LDAP server
	#  certificate, if you're using ldaps.  See OpenLDAP documentation
	#  for the behavioral semantics of specifying more than one host.
	#
	#  Depending on the libldap in use, server may be specified as an LDAP
	#  URI.  In the case of OpenLDAP this allows additional the following
	#  additional schemes:
	#
	#    - ldaps:// (LDAP over SSL)
	#    - ldapi:// (LDAP over Unix socket)
	#    - ldapc:// (Connectionless LDAP)
	#
<% @serverconcatarray.each do |srv| -%>	server = '<%= srv %>'
<% end -%>

	#  Port to connect on, defaults to 389, will be ignored for LDAP URIs.
	port = <%= @port %>

	#  Administrator account for searching and possibly modifying.
	#  If using SASL + KRB5 these should be commented out.
<%- if @identity -%>
	identity = '<%= @identity %>'
<%- end -%>
<%- if @password -%>
	password = <%= @password %>
<%- end -%>

	#  Unless overridden in another section, the dn from which all
	#  searches will start from.
	base_dn = '<%= @basedn %>'

	#
	#  SASL parameters to use for admin binds
	#
	#  When we're prompted by the SASL library, the config items in the SASL
	#  section (in addition to the identity password config items above)
	#  determine the responses given.
	#
	#  If any directive is commented out, a NULL response will be
	#  provided to cyrus-sasl.
	#
	#  Unfortunately the only way to control Keberos here is through
	#  environmental variables, as cyrus-sasl provides no API to
	#  set the kerberos (libkrb5) config directly.
	#
	#  Full documentation for MIT krb5 can be found here:
	#
	#	http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
	#
	#  At a minimum you probably want to set KRB5_CLIENT_KTNAME.
	#
	sasl {
		# SASL mechanism
#		mech = 'PLAIN'
<%- if @sasl.has_key?('mech') -%>
		mech = '<%= @sasl['mech'] %>'
<%- end -%>

		# SASL authorisation identity to proxy.
#		proxy = 'autz_id'
<%- if @sasl.has_key?('proxy') -%>
		proxy = '<%= @sasl['proxy'] %>'
<%- end -%>

		# SASL realm. Used for kerberos.
#		realm = 'example.org'
<%- if @sasl.has_key?('realm') -%>
		realm = '<%= @sasl['realm'] %>'
<%- end -%>
	}

	#
	#  Generic valuepair attribute
	#

	#  If set, this will attribute will be retrieved in addition to any
	#  mapped attributes.
	#
	#  Values should be in the format:
	#  	<fr attr> <op> <value>
	#
	#  Where:
	#  	<fr attr>:	Is the attribute you wish to create,
	# 			with any valid list and request qualifiers.
	#  	<op>: 		Is any assignment operator (=, :=, +=, -=).
	#  	<value>:	Is the value to parse into the new attribute.
	# 			If the value is wrapped in double quotes it
	#			will be xlat expanded.
#	valuepair_attribute = 'radiusAttribute'
<%- if @valuepair_attribute -%>
	valuepair_attribute = <%= @valuepair_attribute %>
<%- end -%>

	#
	#  Mapping of LDAP directory attributes to RADIUS dictionary attributes.
	#

	#  WARNING: Although this format is almost identical to the unlang
	#  update section format, it does *NOT* mean that you can use other
	#  unlang constructs in module configuration files.
	#
	#  Configuration items are in the format:
	# 	<fr attr> <op> <ldap attr>
	#
	#  Where:
	#  	<fr attr>:	Is the destination RADIUS attribute
	# 			with any valid list and request qualifiers.
	#  	<op>: 		Is any assignment attribute (=, :=, +=, -=).
	#  	<ldap attr>:	Is the attribute associated with user or
	#			profile objects in the LDAP directory.
	# 			If the attribute name is wrapped in double
	# 			quotes it will be xlat expanded.
	#
	#  Request and list qualifiers may be placed after the 'update'
	#  section name to set default destination requests/lists
	#  for <fr attr>s with no list qualifiers.
	#
	#  Note: LDAP attribute names should be single quoted unless you want
	#  the name to be derived from an xlat expansion, or an attribute ref.
	#
<%- if @update -%>
	update {
		<%= @update.join("\n		") %>
	}
<%- else -%>
	update {
		control:Password-With-Header	+= 'userPassword'
#		control:NT-Password		:= 'ntPassword'
#		reply:Reply-Message		:= 'radiusReplyMessage'
#		reply:Tunnel-Type		:= 'radiusTunnelType'
#		reply:Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
#		reply:Tunnel-Private-Group-ID	:= 'radiusTunnelPrivategroupId'

		#  Where only a list is specified as the RADIUS attribute,
		#  the value of the LDAP attribute is parsed as a valuepair
		#  in the same format as the 'valuepair_attribute' (above).
		control:			+= 'radiusControlAttribute'
		request:			+= 'radiusRequestAttribute'
		reply:				+= 'radiusReplyAttribute'
	}
<%- end -%>

	#  Set to yes if you have eDirectory and want to use the universal
	#  password mechanism.
#	edir = no
<%- if @edir -%>
	edir = <%= @edir %>
<%- end -%>

	#  Set to yes if you want to bind as the user after retrieving the
	#  Cleartext-Password. This will consume the login grace, and
	#  verify user authorization.
#	edir_autz = no
<%- if @edir_autz -%>
	edir_autz = <%= @edir_autz %>
<%- end -%>

	#  Note: set_auth_type was removed in v3.x.x
	#  Equivalent functionality can be achieved by adding the following
	#  stanza to the authorize {} section of your virtual server.
	#
	#    ldap
	#    if ((ok || updated) && User-Password) {
	#        update {
	#            control:Auth-Type := ldap
	#        }
	#    }

	#
	#  User object identification.
	#
	user {
		#  Where to start searching in the tree for users
    base_dn = "<%= @user_base_dn %>"

		#  Filter for user objects, should be specific enough
		#  to identify a single user object.
    filter = "<%= @user_filter %>"

		#  SASL parameters to use for user binds
		#
		#  When we're prompted by the SASL library, these control
		#  the responses given.
		#
		#  Any of the config items below may be an attribute ref
		#  or and expansion.  This allows different SASL mechs,
		#  proxy IDs and realms to be used for different users.
		#
		sasl {
			# SASL mechanism
#			mech = 'PLAIN'
      <%- if @user_sasl.has_key?('mech') -%>
			mech = '<%= @user_sasl['mech'] %>'
      <%- end -%>

			# SASL authorisation identity to proxy.
#			proxy = &User-Name
      <%- if @user_sasl.has_key?('proxy') -%>
			proxy = '<%= @user_sasl['proxy'] %>'
      <%- end -%>

			# SASL realm. Used for kerberos.
#			realm = 'example.org'
      <%- if @user_sasl.has_key?('realm') -%>
			realm = '<%= @user_sasl['realm'] %>'
      <%- end -%>
		}

		#  Search scope, may be 'base', 'one', sub' or 'children'
#		scope = 'sub'
<%- if @user_scope -%>
		scope = '<%= @user_scope %>'
<%- end -%>

		#  Server side result sorting
		#
		#  A list of space delimited attributes to order the result set by.
		#
		#  If the filter matches multiple objects only the first
		#  result will be processed.
		#
		#  If the attribute name is prefixed with a hyphen '-' the
		#  sorting order will be reversed for that attribute.
		#
		#  If sort_by is set, and the server does not support sorting
		#  the search will fail.
		#
		#  If a search returns multiple user objects and sort_by is not
		#  set, the search will fail.
#		sort_by = '-uid'
<%- if @user_sort_by -%>
		sort_by = '<%= @user_sort_by %>'
<%- end -%>

		#  If this is undefined, anyone is authorised.
		#  If it is defined, the contents of this attribute
		#  determine whether or not the user is authorised
#		access_attribute = 'dialupAccess'
<%- if @user_access_attribute -%>
		access_attribute = '<%= @user_access_attribute %>'
<%- end -%>

		#  Control whether the presence of 'access_attribute'
		#  allows access, or denys access.
		#
		#  If 'yes', and the access_attribute is present, or
		#  'no' and the access_attribute is absent then access
		#  will be allowed.
		#
		#  If 'yes', and the access_attribute is absent, or
		#  'no' and the access_attribute is present, then
		#  access will not be allowed.
		#
		#  If the value of the retrieved access_attribute is
		#  'false', it will negate the result.
		#
		#  e.g.
		#    access_positive = yes
		#    access_attribute = userAccessAllowed
		#
		#  With an LDAP object containing:
		#    userAccessAllowed: false
		#
		#  Will result in the user being locked out.
#		access_positive = yes
<%- if @user_access_positive -%>
		access_positive = <%= @user_access_positive %>
<%- end -%>
	}

	#
	#  User membership checking.
	#
	group {
		#  Where to start searching in the tree for groups
		base_dn = "<%= @group_base_dn %>"

		#  Filter for group objects, should match all available
		#  group objects a user might be a member of.
		filter = "<%= @group_filter %>"

		# Search scope, may be 'base', 'one', sub' or 'children'
#		scope = 'sub'
<%- if @group_scope -%>
		scope = '<%= @group_scope %>'
<%- end -%>

		#  Attribute that uniquely identifies a group.
		#  Is used when converting group DNs to group
		#  names.
#		name_attribute = cn
<%- if @group_name_attribute -%>
		name_attribute = <%= @group_name_attribute %>
<%- end -%>

		#  Filter to find group objects a user is a member of.
		#  That is, group objects with attributes that
		#  identify members (the inverse of membership_attribute).
#		membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
<%- if @group_membership_filter -%>
		membership_filter = "<%= @group_membership_filter %>"
<%- end -%>

		#  The attribute in user objects which contain the names
		#  or DNs of groups a user is a member of.
		#
		#  Unless a conversion between group name and group DN is
		#  needed, there's no requirement for the group objects
		#  referenced to actually exist.
		membership_attribute = '<%= @group_membership_attribute %>'

		#  If cacheable_name or cacheable_dn are enabled,
		#  all group information for the user will be
		#  retrieved from the directory and written to LDAP-Group
		#  attributes appropriate for the instance of rlm_ldap.
		#
		#  For group comparisons these attributes will be checked
		#  instead of querying the LDAP directory directly.
		#
		#  This feature is intended to be used with rlm_cache.
		#
		#  If you wish to use this feature, you should enable
		#  the type that matches the format of your check items
		#  i.e. if your groups are specified as DNs then enable
		#  cacheable_dn else enable cacheable_name.
#		cacheable_name = 'no'
<%- if @group_cacheable_name -%>
		cacheable_name = '<%= @group_cacheable_name %>'
<%- end -%>
#		cacheable_dn = 'no'
<%- if @group_cacheable_dn -%>
		cacheable_dn = '<%= @group_cacheable_dn %>'
<%- end -%>

		#  Override the normal cache attribute (<inst>-LDAP-Group or
		#  LDAP-Group if using the default instance) and create a
		#  custom attribute.  This can help if multiple module instances
		#  are used in fail-over.
#		cache_attribute = 'LDAP-Cached-Membership'
<%- if @group_cache_attribute -%>
		cache_attribute = '<%= @group_cache_attribute %>'
<%- end -%>

		#  Override the normal group comparison attribute name
		#  (<inst>-LDAP-Group or LDAP-Group if using the default instance) .
#		group_attribute = "${.:instance}-${.:name}-Group"
<%- if @group_attribute -%>
		group_attribute = '<%= @group_attribute %>'
<%- end -%>
	}

	#
	#  User profiles. RADIUS profile objects contain sets of attributes
	#  to insert into the request. These attributes are mapped using
	#  the same mapping scheme applied to user objects (the update section above).
	#
	profile {
		#  Filter for RADIUS profile objects
#		filter = '(objectclass=radiusprofile)'
<%- if @profile_filter -%>
		filter = '<%= @profile_filter %>'
<%- end -%>

		#  The default profile.  This may be a DN or an attribute
		#  reference.
		#  To get old v2.2.x style behaviour, or to use the
		#  &User-Profile attribute to specify the default profile,
		#  set this to &control:User-Profile.
#		default = 'cn=radprofile,dc=example,dc=org'
<%- if @profile_default -%>
		default = '<%= @profile_default %>'
<%- end -%>

		#  The LDAP attribute containing profile DNs to apply
		#  in addition to the default profile above.  These are
		#  retrieved from the user object, at the same time as the
		#  attributes from the update section, are are applied
		#  if authorization is successful.
#		attribute = 'radiusProfileDn'
<%- if @profile_default -%>
		attribute = '<%= @profile_attribute %>'
<%- end -%>
	}

	#
	#  Bulk load clients from the directory
	#
	client {
		#   Where to start searching in the tree for clients
		base_dn = "<%= @client_base_dn %>"

		#
		#  Filter to match client objects
		#
		filter = '<%= @client_filter %>'

		# Search scope, may be 'base', 'one', 'sub' or 'children'
#		scope = 'sub'
<%- if @client_scope -%>
		scope = '<%= @client_scope %>'
<%- end -%>

		#
		#  Sets default values (not obtained from LDAP) for new client entries
		#
		template {
#			login				= 'test'
#			password			= 'test'
#			proto	 			= tcp
#			require_message_authenticator	= yes

			# Uncomment to add a home_server with the same
			# attributes as the client.
#			coa_server {
#				response_window = 2.0
#			}
		}

		#
		#  Client attribute mappings are in the format:
		#      <client attribute> = <ldap attribute>
		#
		#  The following attributes are required:
		#    * ipaddr | ipv4addr | ipv6addr - Client IP Address.
		#    * secret - RADIUS shared secret.
		#
		#  All other attributes usually supported in a client
		#  definition are also supported here.
		#
		#  Schemas are available in doc/schemas/ldap for openldap and eDirectory
		#
		attribute {
			ipaddr				= 'radiusClientIdentifier'
			secret				= 'radiusClientSecret'
#			shortname			= 'radiusClientShortname'
#			nas_type			= 'radiusClientType'
#			virtual_server			= 'radiusClientVirtualServer'
#			require_message_authenticator	= 'radiusClientRequireMa'
		}
	}

	#  Load clients on startup
#	read_clients = no
<%- if @read_clients -%>
	read_clients = <%= @read_clients %>
<%- end -%>

	#
	#  Modify user object on receiving Accounting-Request
	#

	#  Useful for recording things like the last time the user logged
	#  in, or the Acct-Session-ID for CoA/DM.
	#
	#  LDAP modification items are in the format:
	# 	<ldap attr> <op> <value>
	#
	#  Where:
	#  	<ldap attr>:	The LDAP attribute to add modify or delete.
	#  	<op>: 		One of the assignment operators:
	#			(:=, +=, -=, ++).
	#			Note: '=' is *not* supported.
	#  	<value>:	The value to add modify or delete.
	#
	#  WARNING: If using the ':=' operator with a multi-valued LDAP
	#  attribute, all instances of the attribute will be removed and
	#  replaced with a single attribute.
	accounting {
		reference = "%{tolower:type.%{Acct-Status-Type}}"

		type {
			start {
				update {
					description := "Online at %S"
				}
			}

			interim-update {
				update {
					description := "Last seen at %S"
				}
			}

			stop {
				update {
					description := "Offline at %S"
				}
			}
		}
	}

	#
	#  Post-Auth can modify LDAP objects too
	#
	post-auth {
		update {
			description := "Authenticated at %S"
		}
	}

	#
	#  LDAP connection-specific options.
	#
	#  These options set timeouts, keep-alives, etc. for the connections.
	#
	options {
		#  Control under which situations aliases are followed.
		#  May be one of 'never', 'searching', 'finding' or 'always'
		#  default: libldap's default which is usually 'never'.
		#
		#  LDAP_OPT_DEREF is set to this value.
#		dereference = 'always'
<%- if @dereference -%>
		dereference = '<%= @dereference %>'
<%- end -%>

		#
		#  The following two configuration items control whether the
		#  server follows references returned by LDAP directory.
		#  They are  mostly for Active Directory compatibility.
		#  If you set these to 'no', then searches will likely return
		#  'operations error', instead of a useful result.
		#
		chase_referrals = <%= @chase_referrals %>
		rebind = <%= @rebind %>

		#
		#  On rebind, use the credentials from the rebind url instead
		#  of admin credentials used during the initial bind.
		#  Default 'no'
		#
		use_referral_credentials = <%= @use_referral_credentials %>

		#
		#  If 'yes', then include draft-wahl-ldap-session tracking
		#  controls.
		#
		#  These encode the NAS-IP-Address/NAS-IPv6-Address,
		#  User-Name, Acct-Session-ID, Acct-Multi-Session-ID
		#  as session tracking controls, in applicable LDAP operations.
		#  Default 'no'.
		#
#		session_tracking = yes
<%- if @session_tracking -%>
		session_tracking = <%= @session_tracking %>
<%- end -%>

		#  Seconds to wait for LDAP query to finish. default: 20
		res_timeout = <%= @timeout %>

		#  Seconds LDAP server has to process the query (server-side
		#  time limit). default: 20
		#
		#  LDAP_OPT_TIMELIMIT is set to this value.
		srv_timelimit = <%= @timelimit %>

		#  LDAP_OPT_X_KEEPALIVE_IDLE
		idle = <%= @idle %>

		#  LDAP_OPT_X_KEEPALIVE_PROBES
		probes = <%= @probes %>

		#  LDAP_OPT_X_KEEPALIVE_INTERVAL
		interval = <%= @interval %>

		#  ldap_debug: debug flag for LDAP SDK
		#  (see OpenLDAP documentation).  Set this to enable
		#  huge amounts of LDAP debugging on the screen.
		#  You should only use this if you are an LDAP expert.
		#
		#	default: 0x0000 (no debugging messages)
		#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
		ldap_debug = <%= @ldap_debug %>
	}

	#
	#  This subsection configures the tls related items
	#  that control how FreeRADIUS connects to an LDAP
	#  server.  It contains all of the 'tls_*' configuration
	#  entries used in older versions of FreeRADIUS.  Those
	#  configuration entries can still be used, but we recommend
	#  using these.
	#
	tls {
		# Set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		#
		# The StartTLS operation is supposed to be
		# used with normal ldap connections instead of
		# using ldaps (port 636) connections
		start_tls = <%= @starttls %>

<% if @cafile -%>
		ca_file = <%= @cafile %>
<% end -%>
#               ca_path = ${certdir}
<% if @certfile -%>
		certificate_file = <%= @certfile %>
<% end -%>
<% if @keyfile -%>
		private_key_file = <%= @keyfile %>
<% end -%>
#		random_file = /dev/urandom
<%- if @random_file -%>
		random_file = <%= @random_file %>
<%- end -%>

		#  Certificate Verification requirements.  Can be:
		#    'never' (do not even bother trying)
		#    'allow' (try, but don't fail if the certificate
		#		cannot be verified)
		#    'demand' (fail if the certificate does not verify)
		#    'hard'  (similar to 'demand' but fails if TLS
		#             cannot negotiate)
 		#
		#  The default is libldap's default, which varies based
		#  on the contents of ldap.conf.
		require_cert    = '<%= @requirecert %>'
	}

	#  As of version 3.0, the 'pool' section has replaced the
	#  following configuration items:
	#
	#  ldap_connections_number

	#  The connection pool is new for 3.0, and will be used in many
	#  modules, for all kinds of connection-related activity.
	#
	#  When the server is not threaded, the connection pool
	#  limits are ignored, and only one connection is used.
	pool {
		#  Connections to create during module instantiation.
		#  If the server cannot create specified number of
		#  connections during instantiation it will exit.
		#  Set to 0 to allow the server to start without the
		#  directory being available.
		start = <%= @start %>

		#  Minimum number of connections to keep open
		min = <%= @min %>

		#  Maximum number of connections
		#
		#  If these connections are all in use and a new one
		#  is requested, the request will NOT get a connection.
		#
		#  Setting 'max' to LESS than the number of threads means
		#  that some threads may starve, and you will see errors
		#  like 'No connections available and at max connection limit'
		#
		#  Setting 'max' to MORE than the number of threads means
		#  that there are more connections than necessary.
		max = <%= @max %>

		#  Spare connections to be left idle
		#
		#  NOTE: Idle connections WILL be closed if "idle_timeout"
		#  is set.  This should be less than or equal to "max" above.
		spare = <%= @spare %>

		#  Number of uses before the connection is closed
		#
		#  0 means "infinite"
		uses = <%= @uses %>

		#  The number of seconds to wait after the server tries
		#  to open a connection, and fails.  During this time,
		#  no new connections will be opened.
		retry_delay = <%= @retry_delay %>

		#  The lifetime (in seconds) of the connection
		lifetime = <%= @lifetime %>

		#  Idle timeout (in seconds).  A connection which is
		#  unused for this length of time will be closed.
		idle_timeout = <%= @idle_timeout %>

		#  Connection timeout (in seconds).  The maximum amount of
		#  time to wait for a new connection to be established.
		#  Sets LDAP_OPT_NETWORK_TIMEOUT in libldap.
		connect_timeout = <%= @connect_timeout %>

		#  NOTE: All configuration settings are enforced.  If a
		#  connection is closed because of 'idle_timeout',
		#  'uses', or 'lifetime', then the total number of
		#  connections MAY fall below 'min'.  When that
		#  happens, it will open a new connection.  It will
		#  also log a WARNING message.
		#
		#  The solution is to either lower the 'min' connections,
		#  or increase lifetime/idle_timeout.
	}
}