configuration.adoc

Basic configuration for rlm_ldap

The ldap module configuration file, mods-available/ldap, describes the configuration parameters accepted by the module and what they do. This document explains how to validate those parameters with ldapsearch and how to test the LDAP module once it is configured.

Before configuring the LDAP module, the LDAP parameters should first be validated via the ldapsearch command-line tool.

(The ldapsearch pre-test steps are included here from howto:partial$pre_test.adoc.)

Editing mods-available/ldap

As with all FreeRADIUS configuration files, please change as little as possible in the default configuration. The defaults are usually close to correct. All that is necessary is to make minor changes, telling FreeRADIUS where it should look for data, and to test them.

If the ldapsearch tests above pass, then the LDAP module configuration can be copied directly from the command-line options to that tool:

ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}' '${filter}' '*'

Where we have the following configuration parameters:

${identity}

The information going into the identity configuration item of the LDAP module.

This identity should be a read-only, non-administrator account. It only needs permission to read the user entries that the filter returns (and, if the server is configured for it, to bind as them); it should not be able to modify the directory.

${password}

The information going into the password configuration item of the LDAP module.

Note that -w places the password on the command line, where it is visible in the shell history and in the process list. When testing by hand, -W prompts for the password instead.

${server}

The information going into the server configuration item of the LDAP module.

This information could also be taken from the URI in the -H command-line option. We generally recommend using the URI form instead of a bare hostname.

${base_dn}

The information going into the base_dn configuration item of the LDAP module.

This is usually something like dc=example,dc=com

${filter}

The information going into the filter configuration item of the LDAP module.

The filter configuration item is located inside of the user { …​ } section of the module configuration. The module expands attribute references in the filter for each request, so when the same filter is used with ldapsearch, the reference must be replaced with a literal test username.
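The following is an added example, not part of the FreeRADIUS documentation or source: a small POSIX shell script that takes one set of LDAP parameters and prints both the ldapsearch pre-test command and the matching ldap { … } fragment for mods-available/ldap, so that the values tested on the command line are exactly the values written into the module. It departs from the command above in two ways: it uses -H with a URI rather than -h, and reads the bind password from a file with -y rather than passing it with -w. The directory names (ldap.example.com, cn=freeradius,ou=services,dc=example,dc=com) and the filter (uid=%{User-Name}) are hypothetical, and the fragment layout follows the structure of the v3 ldap module; check it against your own mods-available/ldap before use.

```shell
#!/bin/sh
# Added example, not part of the FreeRADIUS documentation or source.
# Derives the ldapsearch pre-test command and the matching
# mods-available/ldap fragment from one set of LDAP parameters.
# All directory names below are hypothetical; the fragment layout
# follows the v3 ldap module (ldap { ... user { ... } }).

# Replace the %{User-Name} reference in a module filter with a literal
# test username, so the filter can be handed to ldapsearch, which does
# not understand FreeRADIUS attribute expansion.
expand_filter() {
    # $1 = filter as written in the module config, $2 = test username
    printf '%s\n' "$1" | sed "s/%{User-Name}/$2/g"
}

# Print the ldapsearch pre-test command. -H takes the URI form of the
# server; -y reads the bind password from a file instead of putting it
# on the command line (with -w it shows up in ps and shell history).
# The search starts at base_dn with the expanded filter, which is what
# the module itself does for a user lookup.
ldapsearch_cmd() {
    # $1 server URI, $2 identity DN, $3 password file, $4 base_dn,
    # $5 module filter, $6 test username
    printf "ldapsearch -H '%s' -D '%s' -y '%s' -b '%s' '%s' '*'\n" \
        "$1" "$2" "$3" "$4" "$(expand_filter "$5" "$6")"
}

# Print the ldap { ... } fragment using the same values.
render_ldap_module() {
    # $1 server URI, $2 identity DN, $3 password, $4 base_dn, $5 filter
    cat <<EOF
ldap {
    server = '$1'
    identity = '$2'
    password = '$3'
    base_dn = '$4'
    user {
        base_dn = "\${..base_dn}"
        filter = "$5"
    }
}
EOF
}

# Constructed example values; replace with your own.
SERVER='ldap://ldap.example.com'
IDENTITY='cn=freeradius,ou=services,dc=example,dc=com'
PASSFILE="$HOME/.ldap-bind-pw"
BASE_DN='dc=example,dc=com'
FILTER='(uid=%{User-Name})'

# 1. The command to run by hand first (test user "alice").
ldapsearch_cmd "$SERVER" "$IDENTITY" "$PASSFILE" "$BASE_DN" "$FILTER" alice
echo
# 2. Once that returns the expected entry, the fragment to place in
#    mods-available/ldap. The password placeholder is the contents of
#    PASSFILE; it is not read here so that this script prints nothing secret.
render_ldap_module "$SERVER" "$IDENTITY" 'bind-password-from-PASSFILE' "$BASE_DN" "$FILTER"
```

Run the printed ldapsearch command first; only when it returns the expected user entry should the fragment be merged into mods-available/ldap, one item at a time, so that a failure can be attributed to a single parameter.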

We do not recommend immediately configuring TLS. The best approach is to test one piece in isolation before proceeding to the next. Once the plain-text configuration works, TLS should be enabled, because without it the bind credentials and any user data returned by the directory cross the network in clear text.

Enabling mods-available/ldap

The ldap module is enabled by creating a symbolic link in the mods-enabled/ directory that points to the mods-available/ldap file.

cd raddb/mods-enabled && ln -s ../mods-available/ldap

It is also possible to copy the mods-available/ldap default configuration file to mods-enabled/ldap and then edit that copy. This leaves the original mods-available/ldap configuration file in place for future reference. The choice of method is up to the local administrator; whichever is used, the file in mods-enabled/ is the one the server reads.

Testing the Server

(The post-configuration testing steps are included here from howto:partial$post_test.adoc.)