Skip to content
GitLab
Menu
Projects
Groups
Snippets
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in
Toggle navigation
Menu
Open sidebar
Projets publics
puppet-freeradius
Commits
ae66f489
Commit
ae66f489
authored
Feb 01, 2016
by
Jonathan Gazeley
Browse files
Remove FR2 support from ldap module
parent
c3e3983f
Changes
3
Hide whitespace changes
Inline
Side-by-side
manifests/ldap.pp
View file @
ae66f489
...
...
@@ -25,7 +25,6 @@ define freeradius::ldap (
$fr_service
=
$::freeradius::params::fr_service
$fr_modulepath
=
$::freeradius::params::fr_modulepath
$fr_group
=
$::freeradius::params::fr_group
$fr_version
=
$::freeradius::params::fr_version
# Validate our inputs
# Hostnames
...
...
@@ -70,7 +69,7 @@ define freeradius::ldap (
mode
=>
'0640'
,
owner
=>
'root'
,
group
=>
$fr_group
,
content
=>
template
(
"freeradius/ldap.
fr
${fr_version}
.
erb"
),
content
=>
template
(
"freeradius/ldap.erb"
),
require
=>
[
Package
[
$fr_package
],
Group
[
$fr_group
]],
notify
=>
Service
[
$fr_service
],
}
...
...
templates/ldap.
fr3.
erb
→
templates/ldap.erb
View file @
ae66f489
File moved
templates/ldap.fr2.erb
deleted
100644 → 0
View file @
c3e3983f
# -*- text -*-
#
# $Id$
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
# See raddb/sites-available/default for reference to the
# ldap module in the authorize and authenticate sections.
#
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force "Auth-Type = LDAP", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
#
ldap
<%=
@name
%>
{
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
<%
@serverarray
.
each
do
|
srv
|
-%>
server = "
<%=
srv
%>
"
<%
end
-%>
identity = "
<%=
@identity
%>
"
password =
<%=
@password
%>
basedn = "
<%=
@basedn
%>
"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number =
<%=
@max
%>
# How many times the connection can be used before
# being re-established. This is useful for things
# like load balancers, which may exhibit sticky
# behaviour without it. (0) is unlimited.
max_uses =
<%=
@uses
%>
# Port to connect on, defaults to 389. Setting this to
# 636 will enable LDAPS if start_tls (see below) is not
# able to be used.
port =
<%=
@port
%>
# seconds to wait for LDAP query to finish. default: 20
timeout =
<%=
@timeout
%>
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
start_tls =
<%=
@starttls
%>
<%
if
@cafile
-%>
cacertfile =
<%=
@cafile
%><%
end
%>
# cacertdir = /path/to/ca/dir/
<%
if
@certfile
-%>
certfile =
<%=
@certfile
%><%
end
%>
<%
if
@keyfile
-%>
keyfile =
<%=
@keyfile
%><%
end
%>
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
require_cert = "
<%=
@requirecert
%>
"
}
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# http://www.novell.com/coolsolutions/appnote/16745.html
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
# groupname_attribute = cn
# groupmembership_filter = "(|(
&
(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(
&
(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# The following two configuration items are for Active Directory
# compatibility. If you see the helpful "operations error"
# being returned to the LDAP module, uncomment the next
# two lines.
#
chase_referrals = yes
rebind = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028
#
# Keepalive configuration. This MAY NOT be supported by your
# LDAP library. If these configuration entries appear in the
# output of "radiusd -X", then they are supported. Otherwise,
# they are unsupported, and changing them will do nothing.
#
keepalive {
# LDAP_OPT_X_KEEPALIVE_IDLE
idle =
<%=
@idle
%>
# LDAP_OPT_X_KEEPALIVE_PROBES
probes =
<%=
@probes
%>
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval =
<%=
@interval
%>
}
}
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment