ldap module configuration file.
The ldap module configuration file describes the configuration parameters accepted by the module, and what they do. This document explains how to perform testing with the LDAP module.
Before configuring the LDAP module, the LDAP parameters should first be
validated via the ldapsearch
command-line tool.
howto:partial$pre_test.adoc
As with all FreeRADIUS configuration files, please change at little as possible in the default configuration. The defaults are usually close to being correct. All that is necessary is to make minor changes, and test them. FreeRADIUS should look for data.
If the ldapsearch
tests above pass,
then the LDAP module configuration can be copied directly from the
command-line options to that tool:
ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}' '${filter}' '*'
Where we have the following configuration paramters:
${identity}
-
The information going into the
identity
configuration item of the LDAP module.This identity should be a read-only, non-administrator account.
${password}
-
The information going into the
password
configuration item of the LDAP module. ${server}
-
The information going into the
server
configuration item of the LDAP module.This information could also be taken from the URI in the
-H
command-line option. We generally recommend using the URI form instead of a bare hostname. ${base_dn}
-
The information going into the
base_dn
configuration item of the LDAP module.This is ususally something like
dc=example,dc=com
${filter}
-
The information going into the
filter
configuration item of the LDAP module.The
filter
configuration item is located inside of theuser { … }
section/
We do not recommend immediately configuring TLS. The best approach is to test one piece in isolation, before proceeding on to the next piece.
The ldap
module is enabled by creating a soft link from the
mods-enabled/
directory to the mods-available/
directory.
cd raddb/mods-enabled && ln -s ../mods-available/ldap
It is also possible to copy the mods-available/ldap
default
configuration file to mods-enabled/ldap
, and then edit that file.
This process leaves the original mods-available/ldap
configuration
file in place, if there is a need to refer to it in the future. The
choice of which method to use is up to the local administrator.