__FORCETOC__
=== RADIUS > Settings > LDAP ===
This setting lets users be validated against a Lightweight Directory Access Protocol (LDAP) server. OpenLDAP, Microsoft Active Directory Domain Services (AD DS) and Microsoft Active Directory Lightweight Directory Services (AD LDS) are supported.<br>
As with Pass-Through Authentication, imRAD decrypts the password in the user's Access-Request and then checks it against an LDAP server. If the Access-Request uses an EAP method from which the User-Password attribute cannot be recovered, imRAD cannot obtain a correct result.

{{note|There is no limit on the number of LDAP servers, but the more servers you register, the longer user validation may take.}}

==== Edit LDAP Server ====
You can add a new entry by clicking the "Add" button at the bottom right below the LDAP list. To change or delete an entry, click the [[File:popup.png]] icon in front of it.

{| class="wikitable"
! Item !! Required !! Description
|-
| style='width:250px' | Server1 || Yes || Enter the address (e.g. a.b.c.d) or URI (e.g. ldap://myldap.test.org) of an LDAP server. If the LDAP server supports LDAP over SSL, enter the address with the ldaps:// prefix (e.g. ldaps://a.b.c.d). The other prefixes are described in the "LDAP URI" section.
|-
| Server2 || No || If there is another instance of the LDAP server, enter the second server's address or URI.
|-
| Port || Yes || The port of the LDAP server (e.g. 389).
|-
| Identity of administrator account<br>Password of administrator account || No || Some LDAP servers require an administrator (bind) account before a search can be performed.
|-
| Base Distinguished Name (dn) || Yes || The DN from which all searches start.
|-
| Server Type || Yes || Choose one of the server types listed in the "Filter Attribute Name" section.
|-
| User filter attribute name<br>Group filter attribute name || Yes || These values are set automatically according to the selected server type. If you select the server type "Others", you must confirm the User filter attribute name and the Group filter attribute name yourself.
|}

===== Advanced =====
<pre>
# Control under which situations aliases are followed.
# May be one of 'never', 'searching', 'finding' or 'always'
# default: libldap's default which is usually 'never'.
#
# LDAP_OPT_DEREF is set to this value.
# dereference = 'always'
#
# The following two configuration items control whether the
# server follows references returned by LDAP directory.
# They are mostly for Active Directory compatibility.
# If you set these to 'no', then searches will likely return
# 'operations error', instead of a useful result.
#
chase_referrals = yes
rebind = yes

# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page).
# Note - uncomment when using GSS-API sasl mechanism along with TLS
# encryption against Active-Directory LDAP servers (this disables
# sealing and signing at the GSS level as required by AD).
#sasl_secprops = 'noanonymous,noplain,maxssf=0'

# Seconds to wait for LDAP query to finish. default: 20
res_timeout = 10

# Seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
srv_timelimit = 3

# Seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1

# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60

# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3

# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3

# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example: (LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
ldap_debug = 0x0028
</pre>

===== LDAP URI =====
ldap:// (LDAP)<br>
ldaps:// (LDAP over SSL)<br>
ldapi:// (LDAP over Unix socket)<br>
ldapc:// (Connectionless LDAP)<br>

===== Filter Attribute Name =====
{| class="wikitable"
! LDAP Server type !! User filter !! Group filter
|-
| OpenLDAP || uid || posixGroup
|-
| Active Directory Domain Services (DS) || sAMAccountName || group
|-
| Active Directory Lightweight Directory Services (LDS) || name || group
|-
| Others || User defined || User defined
|}

===== LDAP Try =====
After adding a server, you can test the connection and search for a user by clicking the "connect" button in the list.

{| class="wikitable"
! Message !! Description
|-
| ldap_bind(): Unable to bind to server: Can't contact LDAP server || The server address or URI is incorrect.
|-
| ldap_bind(): Unable to bind to server: Invalid credentials || The test account or the administrator account is incorrect.
|-
| success || The bind and search succeeded.
|}

All registered servers are also tested periodically by the imRAD system, and the status icon in the list is updated within a few seconds.