aboutsummaryrefslogtreecommitdiffstats
path: root/roles/freeradius/templates/etc/raddb/mods-available/ldap.j2
blob: 85aede1f93556064515f39736e99b8455ea344c1 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

ldap {
{% for server in freeradius_ldap_servers %}
  server = '{{ server }}'
{% endfor %}

  base_dn = '{{ freeipa_user_basedn }}'

  sasl {
    mech = 'GSSAPI'
    realm = '{{ freeipa_realm }}'
  }

  update {
    control:Password-With-Header  += 'userPassword'
    control:      += 'radiusControlAttribute'
    request:      += 'radiusRequestAttribute'
    reply:        += 'radiusReplyAttribute'
  }

  user_dn = "LDAP-UserDn"

  user {
    base_dn = "${..base_dn}"
{% raw %}
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
{% endraw %}
  }

  group {
    base_dn = '{{ freeipa_group_basedn }}'
    filter = '(objectClass=ipagroup)'
    name_attribute = cn
{% raw %}
    membership_filter = "(member=%{control:${..user_dn}})"
{% endraw %}
    membership_attribute = 'memberOf'
    cacheable_name = 'yes'
    cacheable_dn = 'yes'
    allow_dangling_group_ref = 'yes'
  }

  profile { }

  client {
    base_dn = "${..base_dn}"
    filter = '(objectClass=radiusClient)'

    template { }

    attribute {
      ipaddr        = 'radiusClientIdentifier'
      secret        = 'radiusClientSecret'
    }
  }

  read_clients = no

  accounting {
    reference = "%{tolower:type.%{Acct-Status-Type}}"

    type {
      start {
        update {
          description := "Online at %S"
        }
      }

      interim-update {
        update {
          description := "Last seen at %S"
        }
      }

      stop {
        update {
          description := "Offline at %S"
        }
      }
    }
  }

  post-auth {
    update {
      description := "Authenticated at %S"
    }
  }

  options {
    chase_referrals = yes
    rebind = yes
    res_timeout = 10
    srv_timelimit = 3
    net_timeout = 1
    idle = 60
    probes = 3
    interval = 3
    ldap_debug = 0x0000
  }

  tls { }

  pool {
    start = ${thread[pool].start_servers}
    min = ${thread[pool].min_spare_servers}
    max = ${thread[pool].max_servers}

    spare = ${thread[pool].max_spare_servers}
    uses = 0
    retry_delay = 30
    lifetime = 0
    idle_timeout = 60
  }
}
generated by cgit (git 2.34.1) at 2024-09-19 11:58:53 -0400