Differences
This page shows the differences between two versions of the page.
prebuilt_systems:ucs:radius_macadressenkontrolle_fuer_wlan_ueber_ldapauth_mit_fortinet_accesspoints [2021/07/31 00:09] – created, loma | prebuilt_systems:ucs:radius_macadressenkontrolle_fuer_wlan_ueber_ldapauth_mit_fortinet_accesspoints [2022/07/25 21:09] – loma
Line 1: | Line 1:
- | ====== Radius Macadressenkontrolle für WLAN über LDAPauth mit Fortinet Accesspoints ====== | + | ====== Radius Macadressenkontrolle für WLAN über LDAPauth |
+ | Du möchtest dich gerne für unsere Hilfe erkenntlich zeigen 8-o. Gerne. Wir bedanken uns bei dir für deine Spende! LOL \\ | ||
+ | [[https:// | ||
+ | \\ | ||
+ | Hauseigenes Apt-Repo: [[https:// | ||
+ | \\ | ||
+ | GITLAB Enterprise: [[https:// | ||
+ | \\ | ||
+ | \\ | ||
+ | In diesem HowTo beschreibe ich wie man zusätzlich zur WLAN WPA2/3 Enterprise Auth. mit UCS (Univention) LDAP auch eine Macadressenkontrolle mit Radius umsetzen kann. Als Accesspoints verwenden wir hier FortiAP' | ||
+ | __Folgende OS Versionen wurden eingesetzt: | ||
+ | 4.4-8 errata1019 \\ | ||
+ | 5.0-2 errata366 (Upgradeanleitung beachten)\\ | ||
+ | FortiOS v7.0.1 \\ | ||
+ | ForitAP v7.0.1 \\ | ||
+ | |||
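Review bot: Typo in the version list: "ForitAP v7.0.1" should read "FortiAP v7.0.1", matching "FortiOS v7.0.1" on the line above and the "Fortinet Accesspoints" of the page name. The sentence "Als Accesspoints verwenden wir hier FortiAP'" also ends mid-word, so the AP model this was tested with is not stated; please complete it, since the vap settings below are model/firmware specific.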
+ | ===== Konfiguration ===== | ||
+ | Voraussetzung ist hier das man sich bereits erfolgreich am WLAN mit WPA2/3 Enterprise anmelden kann, wenn man in einer ausgewählten LDAP-Gruppe des UCS-System Mitglied ist. | ||
+ | |||
+ | ==== WLAN Fortinet ==== | ||
+ | Um nun die MAC-Kontrolle für eine SSID zu aktivieren, geht man folgender Maßen for: | ||
+ | < | ||
+ | config wireless-controller vap | ||
+ | edit " | ||
+ | set ssid " | ||
+ | | ||
+ | | ||
+ | set security wpa2-only-enterprise | ||
+ | set pmf enable | ||
+ | | ||
+ | | ||
+ | set auth usergroup | ||
+ | set local-bridging enable | ||
+ | set usergroup " | ||
+ | set schedule " | ||
+ | set vlanid 44 | ||
+ | next | ||
+ | end | ||
+ | </ | ||
+ | Essentiell sind die Zeilen mit dem " | ||
+ | |||
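Review bot: The "config wireless-controller vap" block cannot be applied as shown: the values after "edit "", "set ssid "", "set usergroup "" and "set schedule "" are cut off after the opening quote, and four of the "set" lines between "set ssid" and "set auth usergroup" are empty. The sentence after the block ("Essentiell sind die Zeilen mit dem "...") points at exactly those missing lines as the ones that enable the MAC check, so restore them; as rendered, a reader only sees the WPA2-Enterprise/PMF part, which the "Konfiguration" section says must already be working before this step.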
+ | ==== Konfiguration Univention UCS ==== | ||
+ | Hierfür sind einige Dinge zu beachten. Zum einen muß die Funktion für die Macadressenkontrolle aktiviert werden: | ||
+ | usr set radius/ | ||
+ | Weiters muss ein Filter im LDAP Modul von Radius verändert werden. Vorher legen wir noch kurz ein Backup der Dateien an: | ||
+ | < | ||
+ | cp / | ||
+ | cp / | ||
+ | </ | ||
+ | Nun die Änderungen durchführen: | ||
+ | < | ||
+ | nano / | ||
+ | |||
+ | @!@ | ||
+ | auth_type = configRegistry.get(' | ||
+ | if auth_type and ' | ||
+ | #else: | ||
+ | # | ||
+ | #print ' | ||
+ | @!@ | ||
+ | filter = " | ||
+ | </ | ||
+ | Nun noch die Änderungen in die Konfiguration übernehmen und den Radius neu starten. | ||
+ | Danach den Radius neu starten: | ||
+ | ucr commit / | ||
+ | Die Änderungen müssen natürlich auf allen Radiusservern im Netzwerk durchgeführt werden. | ||
+ | |||
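Review bot: "usr set radius/..." is a typo for "ucr set radius/..."; the commit step further down correctly uses "ucr commit /...". Two more gaps in this region: the backup "cp" commands and the "nano /" path stop after the first slash, so the reader cannot see which template file is edited or where the backup copy goes, and the text says "den Radius neu starten" twice while the only command shown is "ucr commit /" with no restart at all; add the restart command (the "service freeradius" form used in the debug section) directly after the commit, since the sentence "Die Änderungen müssen natürlich auf allen Radiusservern im Netzwerk durchgeführt werden" implies this sequence is repeated per server.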
+ | Zu guter letzt ist es noch wichtig für die Konten den Gerätetyp " | ||
+ | |||
+ | Danach muss man unter " | ||
+ | 24-EF-BA-96-D2-03 -> <color # | ||
+ | 24: | ||
+ | 24: | ||
+ | |||
+ | Und schon ist die Macadressenkontrolle aktiv. | ||
+ | |||
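Review bot: The MAC-address format guidance is unreadable as rendered: the device type to pick for the accounts ("den Gerätetyp "...") and the menu path ("Danach muss man unter "...") are cut off, and after "24-EF-BA-96-D2-03 -> <color #" the colour markup swallows the rest of the line, so the two alternative "24:" spellings that follow do not show which notation UCS accepts (colon separators, upper or lower case hex). Since the whole check hinges on this value matching what the client sends, spell out the accepted form in plain text rather than only through colour.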
+ | === Upgrade UCS5 === | ||
+ | Das File ''/ | ||
+ | |||
+ | |||
+ | === Clientfalle === | ||
+ | Ändert man das Device/ | ||
+ | |||
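Review bot: Both sub-sections stop where the important detail would be: "Das File ''/" does not name the file the "Upgrade UCS5" note refers to, and "Ändert man das Device/" ends before saying what happens to the client when the device entry is changed ("Clientfalle"). Given that the "Files für UCS5 Upgrade" section below carries both an edited and an original copy of the template, name the path here so readers know which of the two applies after an upgrade.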
+ | ==== Radius Debug ==== | ||
+ | |||
+ | Wichtig ist hier zu erwähnen das dies je nach Router/WLAN das man verwendet etwas anders sein kann. Um zu erfahren welches Passwort der Client nun wirklich mitsendet. Stoppt man Radius und startet ihn im Debugmode neu: | ||
+ | < | ||
+ | service freeradius stop | ||
+ | freeradius -X | ||
+ | </ | ||
+ | Nun lässt man einen Client per WLAN verbinden. Sämtliche Anfragen und Logs sieht man nun live in dieser Ausgabe, auch welches Passwort vom Client mit gesendet wird. | ||
+ | |||
+ | UCS 4.4 kommt mit einer verbesserten Fehlersuche. Mit dem Kommandozeilentool '' | ||
+ | Die RADIUS-App protokolliert die Ereignisse und schreibt sie in die Logdatei ''/ | ||
+ | |||
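Review bot: The debug procedure stops the service ("service freeradius stop", "freeradius -X") but never brings it back; add the matching start after the session, because "-X" keeps the daemon in the foreground and the WLAN login is unavailable until it runs as a service again. The text also says twice that the output shows the password the client sends; that deserves a handling remark, since this debug output contains cleartext credentials and should not be pasted into tickets, mails or the wiki. Lastly, the tool name after "Mit dem Kommandozeilentool" and the log path after "Logdatei ''/" are both cut off.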
+ | ==== Files für UCS5 Upgrade ==== | ||
+ | |||
+ | <file python ldap> | ||
+ | @%@UCRWARNING=# | ||
+ | # -*- text -*- | ||
+ | # | ||
+ | # $Id: 4b7e4585c029b8617aa7b9169a42bf50a5ec4938 $ | ||
+ | |||
+ | # | ||
+ | # Lightweight Directory Access Protocol (LDAP) | ||
+ | # | ||
+ | ldap { | ||
+ | # Note that this needs to match the name(s) in the LDAP server | ||
+ | # certificate, | ||
+ | # for the behavioral semantics of specifying more than one host. | ||
+ | # | ||
+ | # Depending on the libldap in use, server may be an LDAP URI. | ||
+ | # In the case of OpenLDAP this allows additional the following | ||
+ | # additional schemes: | ||
+ | # - ldaps:// (LDAP over SSL) | ||
+ | # - ldapi:// (LDAP over Unix socket) | ||
+ | # - ldapc:// (Connectionless LDAP) | ||
+ | server = " | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Port to connect on, defaults to 389, will be ignored for LDAP URIs. | ||
+ | # port = 389 | ||
+ | @!@ | ||
+ | print(' | ||
+ | @!@ | ||
+ | |||
+ | # Administrator account for searching and possibly modifying. | ||
+ | # If using SASL + KRB5 these should be commented out. | ||
+ | # | ||
+ | identity = " | ||
+ | # | ||
+ | @!@ | ||
+ | with open('/ | ||
+ | print(" | ||
+ | @!@ | ||
+ | |||
+ | # Unless overridden in another section, the dn from which all | ||
+ | # searches will start from. | ||
+ | # | ||
+ | base_dn = " | ||
+ | |||
+ | # | ||
+ | # SASL parameters to use for admin binds | ||
+ | # | ||
+ | # When we're prompted by the SASL library, these control | ||
+ | # the responses given, as well as the identity and password | ||
+ | # directives above. | ||
+ | # | ||
+ | # If any directive is commented out, a NULL response will be | ||
+ | # provided to cyrus-sasl. | ||
+ | # | ||
+ | # Unfortunately the only way to control Keberos here is through | ||
+ | # environmental variables, as cyrus-sasl provides no API to | ||
+ | # set the krb5 config directly. | ||
+ | # | ||
+ | # Full documentation for MIT krb5 can be found here: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # At a minimum you probably want to set KRB5_CLIENT_KTNAME. | ||
+ | # | ||
+ | sasl { | ||
+ | # SASL mechanism | ||
+ | # mech = ' | ||
+ | |||
+ | # SASL authorisation identity to proxy. | ||
+ | # proxy = ' | ||
+ | |||
+ | # SASL realm. Used for kerberos. | ||
+ | # realm = ' | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Generic valuepair attribute | ||
+ | # | ||
+ | |||
+ | # If set, this will attribute will be retrieved in addition to any | ||
+ | # mapped attributes. | ||
+ | # | ||
+ | # Values should be in the format: | ||
+ | # < | ||
+ | # | ||
+ | # Where: | ||
+ | # < | ||
+ | # with any valid list and request qualifiers. | ||
+ | # < | ||
+ | # < | ||
+ | # If the value is wrapped in double quotes it | ||
+ | # will be xlat expanded. | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # Mapping of LDAP directory attributes to RADIUS dictionary attributes. | ||
+ | # | ||
+ | |||
+ | # WARNING: Although this format is almost identical to the unlang | ||
+ | # update section format, it does *NOT* mean that you can use other | ||
+ | # unlang constructs in module configuration files. | ||
+ | # | ||
+ | # Configuration items are in the format: | ||
+ | # < | ||
+ | # | ||
+ | # Where: | ||
+ | # < | ||
+ | # with any valid list and request qualifiers. | ||
+ | # < | ||
+ | # < | ||
+ | # | ||
+ | # If the attribute name is wrapped in double | ||
+ | # | ||
+ | # | ||
+ | # Request and list qualifiers may also be placed after the ' | ||
+ | # section name to set defaults destination requests/ | ||
+ | # for unqualified RADIUS attributes. | ||
+ | # | ||
+ | # Note: LDAP attribute names should be single quoted unless you want | ||
+ | # the name value to be derived from an xlat expansion, or an | ||
+ | # attribute ref. | ||
+ | update { | ||
+ | control: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Where only a list is specified as the RADIUS attribute, | ||
+ | # the value of the LDAP attribute is parsed as a valuepair | ||
+ | # in the same format as the ' | ||
+ | control: | ||
+ | request: | ||
+ | reply: | ||
+ | @!@ | ||
+ | auth_type = configRegistry.get(' | ||
+ | |||
+ | if auth_type and ' | ||
+ | print(' | ||
+ | print(' | ||
+ | else: | ||
+ | print(' | ||
+ | print(' | ||
+ | print(' | ||
+ | print(' | ||
+ | @!@ | ||
+ | } | ||
+ | |||
+ | # Set to yes if you have eDirectory and want to use the universal | ||
+ | # password mechanism. | ||
+ | # edir = no | ||
+ | |||
+ | # Set to yes if you want to bind as the user after retrieving the | ||
+ | # Cleartext-Password. This will consume the login grace, and | ||
+ | # verify user authorization. | ||
+ | # | ||
+ | |||
+ | # Note: set_auth_type was removed in v3.x.x | ||
+ | # Equivalent functionality can be achieved by adding the following | ||
+ | # stanza to the authorize {} section of your virtual server. | ||
+ | # | ||
+ | # ldap | ||
+ | # if ((ok || updated) && User-Password) { | ||
+ | # update { | ||
+ | # control: | ||
+ | # } | ||
+ | # } | ||
+ | |||
+ | # | ||
+ | # User object identification. | ||
+ | # | ||
+ | user { | ||
+ | # Where to start searching in the tree for users | ||
+ | base_dn = " | ||
+ | |||
+ | # Filter for user objects, should be specific enough | ||
+ | # to identify a single user object. | ||
+ | # | ||
+ | # For Active Directory, you should use | ||
+ | # " | ||
+ | # | ||
+ | # | ||
+ | @!@ | ||
+ | auth_type = configRegistry.get(' | ||
+ | |||
+ | if auth_type and ' | ||
+ | filter = ' | ||
+ | #else: | ||
+ | # | ||
+ | # | ||
+ | @!@ | ||
+ | filter = " | ||
+ | |||
+ | # SASL parameters to use for user binds | ||
+ | # | ||
+ | # When we're prompted by the SASL library, these control | ||
+ | # the responses given. | ||
+ | # | ||
+ | # Any of the config items below may be an attribute ref | ||
+ | # or and expansion, so different SASL mechs, proxy IDs | ||
+ | # and realms may be used for different users. | ||
+ | sasl { | ||
+ | # SASL mechanism | ||
+ | # mech = ' | ||
+ | |||
+ | # SASL authorisation identity to proxy. | ||
+ | # proxy = & | ||
+ | |||
+ | # SASL realm. Used for kerberos. | ||
+ | # realm = ' | ||
+ | } | ||
+ | |||
+ | # Search scope, may be ' | ||
+ | # scope = ' | ||
+ | |||
+ | # Server side result sorting | ||
+ | # | ||
+ | # A list of space delimited attributes to order the result | ||
+ | # set by, if the filter matches multiple objects. | ||
+ | # Only the first result in the set will be processed. | ||
+ | # | ||
+ | # If the attribute name is prefixed with a hyphen ' | ||
+ | # sorting order will be reversed for that attribute. | ||
+ | # | ||
+ | # If sort_by is set, and the server does not support sorting | ||
+ | # the search will fail. | ||
+ | # | ||
+ | |||
+ | # If this is undefined, anyone is authorised. | ||
+ | # If it is defined, the contents of this attribute | ||
+ | # determine whether or not the user is authorised | ||
+ | # | ||
+ | |||
+ | # Control whether the presence of ' | ||
+ | # allows access, or denys access. | ||
+ | # | ||
+ | # If ' | ||
+ | # ' | ||
+ | # will be allowed. | ||
+ | # | ||
+ | # If ' | ||
+ | # ' | ||
+ | # access will not be allowed. | ||
+ | # | ||
+ | # If the value of the access_attribute is ' | ||
+ | # will negate the result. | ||
+ | # | ||
+ | # e.g. | ||
+ | # access_positive = yes | ||
+ | # access_attribute = userAccessAllowed | ||
+ | # | ||
+ | # With an LDAP object containing: | ||
+ | # userAccessAllowed: | ||
+ | # | ||
+ | # Will result in the user being locked out. | ||
+ | # | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # User membership checking. | ||
+ | # | ||
+ | group { | ||
+ | # Where to start searching in the tree for groups | ||
+ | base_dn = " | ||
+ | |||
+ | # Filter for group objects, should match all available | ||
+ | # group objects a user might be a member of. | ||
+ | filter = ' | ||
+ | |||
+ | # Search scope, may be ' | ||
+ | # scope = ' | ||
+ | |||
+ | # Attribute that uniquely identifies a group. | ||
+ | # Is used when converting group DNs to group | ||
+ | # names. | ||
+ | # | ||
+ | |||
+ | # Filter to find group objects a user is a member of. | ||
+ | # That is, group objects with attributes that | ||
+ | # identify members (the inverse of membership_attribute). | ||
+ | # | ||
+ | |||
+ | # The attribute in user objects which contain the names | ||
+ | # or DNs of groups a user is a member of. | ||
+ | # | ||
+ | # Unless a conversion between group name and group DN is | ||
+ | # needed, there' | ||
+ | # referenced to actually exist. | ||
+ | membership_attribute = ' | ||
+ | |||
+ | # If cacheable_name or cacheable_dn are enabled, | ||
+ | # all group information for the user will be | ||
+ | # retrieved from the directory and written to LDAP-Group | ||
+ | # attributes appropriate for the instance of rlm_ldap. | ||
+ | # | ||
+ | # For group comparisons these attributes will be checked | ||
+ | # instead of querying the LDAP directory directly. | ||
+ | # | ||
+ | # This feature is intended to be used with rlm_cache. | ||
+ | # | ||
+ | # If you wish to use this feature, you should enable | ||
+ | # the type that matches the format of your check items | ||
+ | # i.e. if your groups are specified as DNs then enable | ||
+ | # cacheable_dn else enable cacheable_name. | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Override the normal cache attribute (< | ||
+ | # LDAP-Group if using the default instance) and create a | ||
+ | # custom attribute. | ||
+ | # are used in fail-over. | ||
+ | # | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # User profiles. RADIUS profile objects contain sets of attributes | ||
+ | # to insert into the request. These attributes are mapped using | ||
+ | # the same mapping scheme applied to user objects (the update section above). | ||
+ | # | ||
+ | profile { | ||
+ | # Filter for RADIUS profile objects | ||
+ | # | ||
+ | |||
+ | # The default profile. | ||
+ | # reference. | ||
+ | # To get old v2.2.x style behavior, or to use the | ||
+ | # & | ||
+ | # set this to & | ||
+ | # | ||
+ | |||
+ | # The LDAP attribute containing profile DNs to apply | ||
+ | # in addition to the default profile above. | ||
+ | # retrieved from the user object, at the same time as the | ||
+ | # attributes from the update section, are are applied | ||
+ | # if authorization is successful. | ||
+ | attribute = ' | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Bulk load clients from the directory | ||
+ | # | ||
+ | client { | ||
+ | # Where to start searching in the tree for clients | ||
+ | base_dn = " | ||
+ | |||
+ | # | ||
+ | # Filter to match client objects | ||
+ | # | ||
+ | filter = ' | ||
+ | |||
+ | # Search scope, may be ' | ||
+ | # scope = ' | ||
+ | |||
+ | # | ||
+ | # Sets default values (not obtained from LDAP) for new client entries | ||
+ | # | ||
+ | template { | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Uncomment to add a home_server with the same | ||
+ | # attributes as the client. | ||
+ | # | ||
+ | # | ||
+ | # } | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Client attribute mappings are in the format: | ||
+ | # <client attribute> | ||
+ | # | ||
+ | # The following attributes are required: | ||
+ | # * ipaddr | ipv4addr | ipv6addr - Client IP Address. | ||
+ | # * secret - RADIUS shared secret. | ||
+ | # | ||
+ | # All other attributes usually supported in a client | ||
+ | # definition are also supported here. | ||
+ | # | ||
+ | # Schemas are available in doc/ | ||
+ | # | ||
+ | attribute { | ||
+ | ipaddr | ||
+ | secret | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | } | ||
+ | } | ||
+ | |||
+ | # Load clients on startup | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # Modify user object on receiving Accounting-Request | ||
+ | # | ||
+ | |||
+ | # Useful for recording things like the last time the user logged | ||
+ | # in, or the Acct-Session-ID for CoA/DM. | ||
+ | # | ||
+ | # LDAP modification items are in the format: | ||
+ | # < | ||
+ | # | ||
+ | # Where: | ||
+ | # < | ||
+ | # < | ||
+ | # (:=, +=, -=, ++). | ||
+ | # Note: ' | ||
+ | # < | ||
+ | # | ||
+ | # WARNING: If using the ': | ||
+ | # attribute, all instances of the attribute will be removed and | ||
+ | # replaced with a single attribute. | ||
+ | accounting { | ||
+ | reference = " | ||
+ | |||
+ | type { | ||
+ | start { | ||
+ | update { | ||
+ | # | ||
+ | } | ||
+ | } | ||
+ | |||
+ | interim-update { | ||
+ | update { | ||
+ | # | ||
+ | } | ||
+ | } | ||
+ | |||
+ | stop { | ||
+ | update { | ||
+ | # | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Post-Auth can modify LDAP objects too | ||
+ | # | ||
+ | post-auth { | ||
+ | update { | ||
+ | # | ||
+ | } | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # LDAP connection-specific options. | ||
+ | # | ||
+ | # These options set timeouts, keep-alive, etc. for the connections. | ||
+ | # | ||
+ | options { | ||
+ | # Control under which situations aliases are followed. | ||
+ | # May be one of ' | ||
+ | # default: libldap' | ||
+ | # | ||
+ | # LDAP_OPT_DEREF is set to this value. | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # The following two configuration items control whether the | ||
+ | # server follows references returned by LDAP directory. | ||
+ | # They are mostly for Active Directory compatibility. | ||
+ | # If you set these to ' | ||
+ | # ' | ||
+ | # | ||
+ | chase_referrals = yes | ||
+ | rebind = yes | ||
+ | |||
+ | # Seconds to wait for LDAP query to finish. default: 20 | ||
+ | res_timeout = 10 | ||
+ | |||
+ | # Seconds LDAP server has to process the query (server-side | ||
+ | # time limit). default: 20 | ||
+ | # | ||
+ | # LDAP_OPT_TIMELIMIT is set to this value. | ||
+ | srv_timelimit = 3 | ||
+ | |||
+ | # Seconds to wait for response of the server. (network | ||
+ | # failures) default: 10 | ||
+ | # | ||
+ | # LDAP_OPT_NETWORK_TIMEOUT is set to this value. | ||
+ | net_timeout = 1 | ||
+ | |||
+ | # LDAP_OPT_X_KEEPALIVE_IDLE | ||
+ | idle = 60 | ||
+ | |||
+ | # LDAP_OPT_X_KEEPALIVE_PROBES | ||
+ | probes = 3 | ||
+ | |||
+ | # LDAP_OPT_X_KEEPALIVE_INTERVAL | ||
+ | interval = 3 | ||
+ | |||
+ | # ldap_debug: debug flag for LDAP SDK | ||
+ | # (see OpenLDAP documentation). | ||
+ | # huge amounts of LDAP debugging on the screen. | ||
+ | # You should only use this if you are an LDAP expert. | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | ldap_debug = 0x0028 | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # This subsection configures the tls related items | ||
+ | # that control how FreeRADIUS connects to an LDAP | ||
+ | # server. | ||
+ | # entries used in older versions of FreeRADIUS. | ||
+ | # configuration entries can still be used, but we recommend | ||
+ | # using these. | ||
+ | # | ||
+ | tls { | ||
+ | # Set this to ' | ||
+ | # to the LDAP database by using the StartTLS extended | ||
+ | # operation. | ||
+ | # | ||
+ | # The StartTLS operation is supposed to be | ||
+ | # used with normal ldap connections instead of | ||
+ | # using ldaps (port 636) connections | ||
+ | # | ||
+ | @!@ | ||
+ | print(' | ||
+ | @!@ | ||
+ | |||
+ | # | ||
+ | |||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Certificate Verification requirements. | ||
+ | # ' | ||
+ | # ' | ||
+ | # | ||
+ | # ' | ||
+ | # ' | ||
+ | # | ||
+ | # | ||
+ | # The default is libldap' | ||
+ | # on the contents of ldap.conf. | ||
+ | |||
+ | # | ||
+ | } | ||
+ | |||
+ | # As of version 3.0, the ' | ||
+ | # following configuration items: | ||
+ | # | ||
+ | # ldap_connections_number | ||
+ | |||
+ | # The connection pool is new for 3.0, and will be used in many | ||
+ | # modules, for all kinds of connection-related activity. | ||
+ | # | ||
+ | # When the server is not threaded, the connection pool | ||
+ | # limits are ignored, and only one connection is used. | ||
+ | pool { | ||
+ | # Connections to create during module instantiation. | ||
+ | # If the server cannot create specified number of | ||
+ | # connections during instantiation it will exit. | ||
+ | # Set to 0 to allow the server to start without the | ||
+ | # directory being available. | ||
+ | start = ${thread[pool].start_servers} | ||
+ | |||
+ | # Minimum number of connections to keep open | ||
+ | min = ${thread[pool].min_spare_servers} | ||
+ | |||
+ | # Maximum number of connections | ||
+ | # | ||
+ | # If these connections are all in use and a new one | ||
+ | # is requested, the request will NOT get a connection. | ||
+ | # | ||
+ | # Setting ' | ||
+ | # that some threads may starve, and you will see errors | ||
+ | # like 'No connections available and at max connection limit' | ||
+ | # | ||
+ | # Setting ' | ||
+ | # that there are more connections than necessary. | ||
+ | max = ${thread[pool].max_servers} | ||
+ | |||
+ | # Spare connections to be left idle | ||
+ | # | ||
+ | # NOTE: Idle connections WILL be closed if " | ||
+ | # is set. This should be less than or equal to " | ||
+ | spare = ${thread[pool].max_spare_servers} | ||
+ | |||
+ | # Number of uses before the connection is closed | ||
+ | # | ||
+ | # 0 means " | ||
+ | uses = 0 | ||
+ | |||
+ | # The number of seconds to wait after the server tries | ||
+ | # to open a connection, and fails. | ||
+ | # no new connections will be opened. | ||
+ | retry_delay = 30 | ||
+ | |||
+ | # The lifetime (in seconds) of the connection | ||
+ | lifetime = 0 | ||
+ | |||
+ | # Idle timeout (in seconds). | ||
+ | # unused for this length of time will be closed. | ||
+ | idle_timeout = 60 | ||
+ | |||
+ | # NOTE: All configuration settings are enforced. | ||
+ | # connection is closed because of ' | ||
+ | # ' | ||
+ | # connections MAY fall below ' | ||
+ | # happens, it will open a new connection. | ||
+ | # also log a WARNING message. | ||
+ | # | ||
+ | # The solution is to either lower the ' | ||
+ | # or increase lifetime/ | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | |||
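Review bot: In the "ldap" template the user-filter logic now looks like dead code: inside the "@!@" block, "filter = '" is still assigned under "if auth_type and '", but the "else:" branch and the "print('" that emitted the result in the original ("ldap_orig_UCS5" below) are commented out or gone, and a literal "filter = "" line follows the block. The rendered file therefore always contains the literal filter regardless of the UCR "auth_type" value, so either drop the leftover Python assignment or keep the conditional and print its result. In "profile { }" the original's commented "#" line became "attribute = '", a behaviour change the HowTo does not mention. Also, every quoted value in the file (server, identity, base_dn, filters, print arguments) is cut off after the opening quote, so neither template can be copied from this page as-is.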
+ | <file python ldap_orig_UCS5> | ||
+ | @%@UCRWARNING=# | ||
+ | # -*- text -*- | ||
+ | # | ||
+ | # $Id: 4b7e4585c029b8617aa7b9169a42bf50a5ec4938 $ | ||
+ | |||
+ | # | ||
+ | # Lightweight Directory Access Protocol (LDAP) | ||
+ | # | ||
+ | ldap { | ||
+ | # Note that this needs to match the name(s) in the LDAP server | ||
+ | # certificate, | ||
+ | # for the behavioral semantics of specifying more than one host. | ||
+ | # | ||
+ | # Depending on the libldap in use, server may be an LDAP URI. | ||
+ | # In the case of OpenLDAP this allows additional the following | ||
+ | # additional schemes: | ||
+ | # - ldaps:// (LDAP over SSL) | ||
+ | # - ldapi:// (LDAP over Unix socket) | ||
+ | # - ldapc:// (Connectionless LDAP) | ||
+ | server = " | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Port to connect on, defaults to 389, will be ignored for LDAP URIs. | ||
+ | # port = 389 | ||
+ | @!@ | ||
+ | print(' | ||
+ | @!@ | ||
+ | |||
+ | # Administrator account for searching and possibly modifying. | ||
+ | # If using SASL + KRB5 these should be commented out. | ||
+ | # | ||
+ | identity = " | ||
+ | # | ||
+ | @!@ | ||
+ | with open('/ | ||
+ | print(" | ||
+ | @!@ | ||
+ | |||
+ | # Unless overridden in another section, the dn from which all | ||
+ | # searches will start from. | ||
+ | # | ||
+ | base_dn = " | ||
+ | |||
+ | # | ||
+ | # SASL parameters to use for admin binds | ||
+ | # | ||
+ | # When we're prompted by the SASL library, these control | ||
+ | # the responses given, as well as the identity and password | ||
+ | # directives above. | ||
+ | # | ||
+ | # If any directive is commented out, a NULL response will be | ||
+ | # provided to cyrus-sasl. | ||
+ | # | ||
+ | # Unfortunately the only way to control Keberos here is through | ||
+ | # environmental variables, as cyrus-sasl provides no API to | ||
+ | # set the krb5 config directly. | ||
+ | # | ||
+ | # Full documentation for MIT krb5 can be found here: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # At a minimum you probably want to set KRB5_CLIENT_KTNAME. | ||
+ | # | ||
+ | sasl { | ||
+ | # SASL mechanism | ||
+ | # mech = ' | ||
+ | |||
+ | # SASL authorisation identity to proxy. | ||
+ | # proxy = ' | ||
+ | |||
+ | # SASL realm. Used for kerberos. | ||
+ | # realm = ' | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Generic valuepair attribute | ||
+ | # | ||
+ | |||
+ | # If set, this will attribute will be retrieved in addition to any | ||
+ | # mapped attributes. | ||
+ | # | ||
+ | # Values should be in the format: | ||
+ | # < | ||
+ | # | ||
+ | # Where: | ||
+ | # < | ||
+ | # with any valid list and request qualifiers. | ||
+ | # < | ||
+ | # < | ||
+ | # If the value is wrapped in double quotes it | ||
+ | # will be xlat expanded. | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # Mapping of LDAP directory attributes to RADIUS dictionary attributes. | ||
+ | # | ||
+ | |||
+ | # WARNING: Although this format is almost identical to the unlang | ||
+ | # update section format, it does *NOT* mean that you can use other | ||
+ | # unlang constructs in module configuration files. | ||
+ | # | ||
+ | # Configuration items are in the format: | ||
+ | # < | ||
+ | # | ||
+ | # Where: | ||
+ | # < | ||
+ | # with any valid list and request qualifiers. | ||
+ | # < | ||
+ | # < | ||
+ | # | ||
+ | # If the attribute name is wrapped in double | ||
+ | # | ||
+ | # | ||
+ | # Request and list qualifiers may also be placed after the ' | ||
+ | # section name to set defaults destination requests/ | ||
+ | # for unqualified RADIUS attributes. | ||
+ | # | ||
+ | # Note: LDAP attribute names should be single quoted unless you want | ||
+ | # the name value to be derived from an xlat expansion, or an | ||
+ | # attribute ref. | ||
+ | update { | ||
+ | control: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Where only a list is specified as the RADIUS attribute, | ||
+ | # the value of the LDAP attribute is parsed as a valuepair | ||
+ | # in the same format as the ' | ||
+ | control: | ||
+ | request: | ||
+ | reply: | ||
+ | @!@ | ||
+ | auth_type = configRegistry.get(' | ||
+ | |||
+ | if auth_type and ' | ||
+ | print(' | ||
+ | print(' | ||
+ | else: | ||
+ | print(' | ||
+ | print(' | ||
+ | print(' | ||
+ | print(' | ||
+ | @!@ | ||
+ | } | ||
+ | |||
+ | # Set to yes if you have eDirectory and want to use the universal | ||
+ | # password mechanism. | ||
+ | # edir = no | ||
+ | |||
+ | # Set to yes if you want to bind as the user after retrieving the | ||
+ | # Cleartext-Password. This will consume the login grace, and | ||
+ | # verify user authorization. | ||
+ | # | ||
+ | |||
+ | # Note: set_auth_type was removed in v3.x.x | ||
+ | # Equivalent functionality can be achieved by adding the following | ||
+ | # stanza to the authorize {} section of your virtual server. | ||
+ | # | ||
+ | # ldap | ||
+ | # if ((ok || updated) && User-Password) { | ||
+ | # update { | ||
+ | # control: | ||
+ | # } | ||
+ | # } | ||
+ | |||
+ | # | ||
+ | # User object identification. | ||
+ | # | ||
+ | user { | ||
+ | # Where to start searching in the tree for users | ||
+ | base_dn = " | ||
+ | |||
+ | # Filter for user objects, should be specific enough | ||
+ | # to identify a single user object. | ||
+ | # | ||
+ | # For Active Directory, you should use | ||
+ | # " | ||
+ | # | ||
+ | # | ||
+ | @!@ | ||
+ | auth_type = configRegistry.get(' | ||
+ | |||
+ | if auth_type and ' | ||
+ | filter = ' | ||
+ | else: | ||
+ | filter = ' | ||
+ | print(' | ||
+ | @!@ | ||
+ | |||
+ | # SASL parameters to use for user binds | ||
+ | # | ||
+ | # When we're prompted by the SASL library, these control | ||
+ | # the responses given. | ||
+ | # | ||
+ | # Any of the config items below may be an attribute ref | ||
+ | # or and expansion, so different SASL mechs, proxy IDs | ||
+ | # and realms may be used for different users. | ||
+ | sasl { | ||
+ | # SASL mechanism | ||
+ | # mech = ' | ||
+ | |||
+ | # SASL authorisation identity to proxy. | ||
+ | # proxy = & | ||
+ | |||
+ | # SASL realm. Used for kerberos. | ||
+ | # realm = ' | ||
+ | } | ||
+ | |||
+ | # Search scope, may be ' | ||
+ | # scope = ' | ||
+ | |||
+ | # Server side result sorting | ||
+ | # | ||
+ | # A list of space delimited attributes to order the result | ||
+ | # set by, if the filter matches multiple objects. | ||
+ | # Only the first result in the set will be processed. | ||
+ | # | ||
+ | # If the attribute name is prefixed with a hyphen ' | ||
+ | # sorting order will be reversed for that attribute. | ||
+ | # | ||
+ | # If sort_by is set, and the server does not support sorting | ||
+ | # the search will fail. | ||
+ | # | ||
+ | |||
+ | # If this is undefined, anyone is authorised. | ||
+ | # If it is defined, the contents of this attribute | ||
+ | # determine whether or not the user is authorised | ||
+ | # | ||
+ | |||
+ | # Control whether the presence of ' | ||
+ | # allows access, or denys access. | ||
+ | # | ||
+ | # If ' | ||
+ | # ' | ||
+ | # will be allowed. | ||
+ | # | ||
+ | # If ' | ||
+ | # ' | ||
+ | # access will not be allowed. | ||
+ | # | ||
+ | # If the value of the access_attribute is ' | ||
+ | # will negate the result. | ||
+ | # | ||
+ | # e.g. | ||
+ | # access_positive = yes | ||
+ | # access_attribute = userAccessAllowed | ||
+ | # | ||
+ | # With an LDAP object containing: | ||
+ | # userAccessAllowed: | ||
+ | # | ||
+ | # Will result in the user being locked out. | ||
+ | # | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # User membership checking. | ||
+ | # | ||
+ | group { | ||
+ | # Where to start searching in the tree for groups | ||
+ | base_dn = " | ||
+ | |||
+ | # Filter for group objects, should match all available | ||
+ | # group objects a user might be a member of. | ||
+ | filter = ' | ||
+ | |||
+ | # Search scope, may be ' | ||
+ | # scope = ' | ||
+ | |||
+ | # Attribute that uniquely identifies a group. | ||
+ | # Is used when converting group DNs to group | ||
+ | # names. | ||
+ | # | ||
+ | |||
+ | # Filter to find group objects a user is a member of. | ||
+ | # That is, group objects with attributes that | ||
+ | # identify members (the inverse of membership_attribute). | ||
+ | # | ||
+ | |||
+ | # The attribute in user objects which contain the names | ||
+ | # or DNs of groups a user is a member of. | ||
+ | # | ||
+ | # Unless a conversion between group name and group DN is | ||
+ | # needed, there' | ||
+ | # referenced to actually exist. | ||
+ | membership_attribute = ' | ||
+ | |||
+ | # If cacheable_name or cacheable_dn are enabled, | ||
+ | # all group information for the user will be | ||
+ | # retrieved from the directory and written to LDAP-Group | ||
+ | # attributes appropriate for the instance of rlm_ldap. | ||
+ | # | ||
+ | # For group comparisons these attributes will be checked | ||
+ | # instead of querying the LDAP directory directly. | ||
+ | # | ||
+ | # This feature is intended to be used with rlm_cache. | ||
+ | # | ||
+ | # If you wish to use this feature, you should enable | ||
+ | # the type that matches the format of your check items | ||
+ | # i.e. if your groups are specified as DNs then enable | ||
+ | # cacheable_dn else enable cacheable_name. | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Override the normal cache attribute (< | ||
+ | # LDAP-Group if using the default instance) and create a | ||
+ | # custom attribute. | ||
+ | # are used in fail-over. | ||
+ | # | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # User profiles. RADIUS profile objects contain sets of attributes | ||
+ | # to insert into the request. These attributes are mapped using | ||
+ | # the same mapping scheme applied to user objects (the update section above). | ||
+ | # | ||
+ | profile { | ||
+ | # Filter for RADIUS profile objects | ||
+ | # | ||
+ | |||
+ | # The default profile. | ||
+ | # reference. | ||
+ | # To get old v2.2.x style behavior, or to use the | ||
+ | # & | ||
+ | # set this to & | ||
+ | # | ||
+ | |||
+ | # The LDAP attribute containing profile DNs to apply | ||
+ | # in addition to the default profile above. | ||
+ | # retrieved from the user object, at the same time as the | ||
+ | # attributes from the update section, are are applied | ||
+ | # if authorization is successful. | ||
+ | # | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Bulk load clients from the directory | ||
+ | # | ||
+ | client { | ||
+ | # Where to start searching in the tree for clients | ||
+ | base_dn = " | ||
+ | |||
+ | # | ||
+ | # Filter to match client objects | ||
+ | # | ||
+ | filter = ' | ||
+ | |||
+ | # Search scope, may be ' | ||
+ | # scope = ' | ||
+ | |||
+ | # | ||
+ | # Sets default values (not obtained from LDAP) for new client entries | ||
+ | # | ||
+ | template { | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Uncomment to add a home_server with the same | ||
+ | # attributes as the client. | ||
+ | # | ||
+ | # | ||
+ | # } | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Client attribute mappings are in the format: | ||
+ | # <client attribute> | ||
+ | # | ||
+ | # The following attributes are required: | ||
+ | # * ipaddr | ipv4addr | ipv6addr - Client IP Address. | ||
+ | # * secret - RADIUS shared secret. | ||
+ | # | ||
+ | # All other attributes usually supported in a client | ||
+ | # definition are also supported here. | ||
+ | # | ||
+ | # Schemas are available in doc/ | ||
+ | # | ||
+ | attribute { | ||
+ | ipaddr | ||
+ | secret | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | } | ||
+ | } | ||
+ | |||
+ | # Load clients on startup | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # Modify user object on receiving Accounting-Request | ||
+ | # | ||
+ | |||
+ | # Useful for recording things like the last time the user logged | ||
+ | # in, or the Acct-Session-ID for CoA/DM. | ||
+ | # | ||
+ | # LDAP modification items are in the format: | ||
+ | # < | ||
+ | # | ||
+ | # Where: | ||
+ | # < | ||
+ | # < | ||
+ | # (:=, +=, -=, ++). | ||
+ | # Note: ' | ||
+ | # < | ||
+ | # | ||
+ | # WARNING: If using the ': | ||
+ | # attribute, all instances of the attribute will be removed and | ||
+ | # replaced with a single attribute. | ||
+ | accounting { | ||
+ | reference = " | ||
+ | |||
+ | type { | ||
+ | start { | ||
+ | update { | ||
+ | # | ||
+ | } | ||
+ | } | ||
+ | |||
+ | interim-update { | ||
+ | update { | ||
+ | # | ||
+ | } | ||
+ | } | ||
+ | |||
+ | stop { | ||
+ | update { | ||
+ | # | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # Post-Auth can modify LDAP objects too | ||
+ | # | ||
+ | post-auth { | ||
+ | update { | ||
+ | # | ||
+ | } | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # LDAP connection-specific options. | ||
+ | # | ||
+ | # These options set timeouts, keep-alive, etc. for the connections. | ||
+ | # | ||
+ | options { | ||
+ | # Control under which situations aliases are followed. | ||
+ | # May be one of ' | ||
+ | # default: libldap' | ||
+ | # | ||
+ | # LDAP_OPT_DEREF is set to this value. | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # The following two configuration items control whether the | ||
+ | # server follows references returned by LDAP directory. | ||
+ | # They are mostly for Active Directory compatibility. | ||
+ | # If you set these to ' | ||
+ | # ' | ||
+ | # | ||
+ | chase_referrals = yes | ||
+ | rebind = yes | ||
+ | |||
+ | # Seconds to wait for LDAP query to finish. default: 20 | ||
+ | res_timeout = 10 | ||
+ | |||
+ | # Seconds LDAP server has to process the query (server-side | ||
+ | # time limit). default: 20 | ||
+ | # | ||
+ | # LDAP_OPT_TIMELIMIT is set to this value. | ||
+ | srv_timelimit = 3 | ||
+ | |||
+ | # Seconds to wait for response of the server. (network | ||
+ | # failures) default: 10 | ||
+ | # | ||
+ | # LDAP_OPT_NETWORK_TIMEOUT is set to this value. | ||
+ | net_timeout = 1 | ||
+ | |||
+ | # LDAP_OPT_X_KEEPALIVE_IDLE | ||
+ | idle = 60 | ||
+ | |||
+ | # LDAP_OPT_X_KEEPALIVE_PROBES | ||
+ | probes = 3 | ||
+ | |||
+ | # LDAP_OPT_X_KEEPALIVE_INTERVAL | ||
+ | interval = 3 | ||
+ | |||
+ | # ldap_debug: debug flag for LDAP SDK | ||
+ | # (see OpenLDAP documentation). | ||
+ | # huge amounts of LDAP debugging on the screen. | ||
+ | # You should only use this if you are an LDAP expert. | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | ldap_debug = 0x0028 | ||
+ | } | ||
+ | |||
+ | # | ||
+ | # This subsection configures the tls related items | ||
+ | # that control how FreeRADIUS connects to an LDAP | ||
+ | # server. | ||
+ | # entries used in older versions of FreeRADIUS. | ||
+ | # configuration entries can still be used, but we recommend | ||
+ | # using these. | ||
+ | # | ||
+ | tls { | ||
+ | # Set this to ' | ||
+ | # to the LDAP database by using the StartTLS extended | ||
+ | # operation. | ||
+ | # | ||
+ | # The StartTLS operation is supposed to be | ||
+ | # used with normal ldap connections instead of | ||
+ | # using ldaps (port 636) connections | ||
+ | # | ||
+ | @!@ | ||
+ | print(' | ||
+ | @!@ | ||
+ | |||
+ | # | ||
+ | |||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Certificate Verification requirements. | ||
+ | # ' | ||
+ | # ' | ||
+ | # | ||
+ | # ' | ||
+ | # ' | ||
+ | # | ||
+ | # | ||
+ | # The default is libldap' | ||
+ | # on the contents of ldap.conf. | ||
+ | |||
+ | # | ||
+ | } | ||
+ | |||
+ | # As of version 3.0, the ' | ||
+ | # following configuration items: | ||
+ | # | ||
+ | # ldap_connections_number | ||
+ | |||
+ | # The connection pool is new for 3.0, and will be used in many | ||
+ | # modules, for all kinds of connection-related activity. | ||
+ | # | ||
+ | # When the server is not threaded, the connection pool | ||
+ | # limits are ignored, and only one connection is used. | ||
+ | pool { | ||
+ | # Connections to create during module instantiation. | ||
+ | # If the server cannot create specified number of | ||
+ | # connections during instantiation it will exit. | ||
+ | # Set to 0 to allow the server to start without the | ||
+ | # directory being available. | ||
+ | start = ${thread[pool].start_servers} | ||
+ | |||
+ | # Minimum number of connections to keep open | ||
+ | min = ${thread[pool].min_spare_servers} | ||
+ | |||
+ | # Maximum number of connections | ||
+ | # | ||
+ | # If these connections are all in use and a new one | ||
+ | # is requested, the request will NOT get a connection. | ||
+ | # | ||
+ | # Setting ' | ||
+ | # that some threads may starve, and you will see errors | ||
+ | # like 'No connections available and at max connection limit' | ||
+ | # | ||
+ | # Setting ' | ||
+ | # that there are more connections than necessary. | ||
+ | max = ${thread[pool].max_servers} | ||
+ | |||
+ | # Spare connections to be left idle | ||
+ | # | ||
+ | # NOTE: Idle connections WILL be closed if " | ||
+ | # is set. This should be less than or equal to " | ||
+ | spare = ${thread[pool].max_spare_servers} | ||
+ | |||
+ | # Number of uses before the connection is closed | ||
+ | # | ||
+ | # 0 means " | ||
+ | uses = 0 | ||
+ | |||
+ | # The number of seconds to wait after the server tries | ||
+ | # to open a connection, and fails. | ||
+ | # no new connections will be opened. | ||
+ | retry_delay = 30 | ||
+ | |||
+ | # The lifetime (in seconds) of the connection | ||
+ | lifetime = 0 | ||
+ | |||
+ | # Idle timeout (in seconds). | ||
+ | # unused for this length of time will be closed. | ||
+ | idle_timeout = 60 | ||
+ | |||
+ | # NOTE: All configuration settings are enforced. | ||
+ | # connection is closed because of ' | ||
+ | # ' | ||
+ | # connections MAY fall below ' | ||
+ | # happens, it will open a new connection. | ||
+ | # also log a WARNING message. | ||
+ | # | ||
+ | # The solution is to either lower the ' | ||
+ | # or increase lifetime/ | ||
+ | } | ||
+ | } | ||
+ | </ |
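Review bot: in the `options` block, `net_timeout = 1` cuts the documented default of 10 seconds to one second, and `res_timeout = 10` / `srv_timelimit = 3` are likewise tighter than the stated defaults, yet nothing in the comments explains why; for a WLAN MAC/LDAP check a one-second network timeout turns any brief latency to the UCS directory into an Access-Reject for the client, so either document the reason or keep the defaults. Combined with `start = ${thread[pool].start_servers}` in the `pool` block this also matters at boot: the comment directly above it states that the server exits if it cannot create that many connections during instantiation, so a directory that is slow to answer within `net_timeout` prevents radiusd from starting at all; if RADIUS must come up independently of the directory, the same comment suggests `start = 0`. Separately, `chase_referrals = yes` together with `rebind = yes` is described in the comment as being mostly for Active Directory compatibility; with `rebind = yes` the module re-binds with its configured credentials to whatever server a referral names, so on a UCS/OpenLDAP backend that returns no referrals it is safer to set both to `no` unless referral chasing is actually needed.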