(새 문서: __FORCETOC__ === RADIUS > 설정 > LDAP 인증 === 외부에 존재하는 LDAP(Lightweight Directory Access Protocol) 서버를 통해 인증을 처리 할 경우 그 서버를 정...) |
|||
| (11 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
__FORCETOC__ | __FORCETOC__ | ||
| − | === RADIUS > | + | === RADIUS > Settings > LDAP === |
| + | This setting enables users can be validated from a Lightweight Directory Access Protocol(LDAP) server. | ||
| + | We support the OpenLDAP, Microsoft Active Directory Domain service(AD DS), and Microsoft Active Directory Lightweight directory service(AD LDS).<br> | ||
| + | Similarly to the Pass-Through Authentication, the imRAD decrypts the password in the ACCESS-REQUEST from a user, and then refers to an LDAP server. If an ACCESS-REQUEST is encrypted to an EAP method of which can not decrypt the User-Password attribute, the imRAD RADIUS can not get the correct result. | ||
| − | + | {{note|Note that there is no limitation of the LDAP servers but the more LDAP servers, the more time it may take to validate users.}} | |
| − | |||
| − | |||
| − | ==== LDAP | + | |
| − | LDAP | + | ==== Edit LDAP Server ==== |
| + | You can add a new entity by click "Add" button at the right bottom below the LDAP list. If you want to change or delete a entity, click the [[File:popup.png]] icon in front of each entity. | ||
| + | |||
| + | {| class="wikitable" | ||
| + | ! Item !! Required !! Description | ||
| + | |- | ||
| + | | style='width:250px' | Server1 || Yes || Input the address(e.g, a.b.c.d) or URI(e.g. ldap://myldap.test.org) of a LDAP Server. If the LDAP server supports LDAP over SSL, input the address with a prefix(i.e. ldaps://a.b.c.d). More prefixes are described in the "LDAP URI" section. | ||
| + | |- | ||
| + | | Server2 || No || If there is another instance of the LDAP server, input the second server address or URL. | ||
| + | |- | ||
| + | | Port || Yes || It is the port of LDAP server(i.e. 389). | ||
| + | |- | ||
| + | | Identity of administrator account<br>Password of administrator account || No || Some LDAP server requires an administrator account before searching. | ||
| + | |- | ||
| + | | Base Distinguished Name(dn)|| Yes || The dn from which all searches will start from. | ||
| + | |- | ||
| + | | Server Type || Yes || Choose one of them. | ||
| + | |- | ||
| + | | User filter attribute name<br> Group filter attribute name || Yes || These values are set automatically according to a selected server type. If you select the server type as "others", you must confirm the User filter attribute name and the Group filter attribute name. | ||
| + | |- | ||
| + | |} | ||
| + | ===== Advanced ===== | ||
| + | # Control under which situations aliases are followed. | ||
| + | # May be one of 'never', 'searching', 'finding' or 'always' | ||
| + | # default: libldap's default which is usually 'never'. | ||
| + | # | ||
| + | # LDAP_OPT_DEREF is set to this value. | ||
| + | # dereference = 'always' | ||
| + | |||
| + | # | ||
| + | # The following two configuration items control whether the | ||
| + | # server follows references returned by LDAP directory. | ||
| + | # They are mostly for Active Directory compatibility. | ||
| + | # If you set these to 'no', then searches will likely return | ||
| + | # 'operations error', instead of a useful result. | ||
| + | # | ||
| + | chase_referrals = yes | ||
| + | rebind = yes | ||
| + | |||
| + | # SASL Security Properties (see SASL_SECPROPS in ldap.conf man page). | ||
| + | # Note - uncomment when using GSS-API sasl mechanism along with TLS | ||
| + | # encryption against Active-Directory LDAP servers (this disables | ||
| + | # sealing and signing at the GSS level as required by AD). | ||
| + | #sasl_secprops = 'noanonymous,noplain,maxssf=0' | ||
| + | |||
| + | # Seconds to wait for LDAP query to finish. default: 20 | ||
| + | res_timeout = 10 | ||
| + | |||
| + | # Seconds LDAP server has to process the query (server-side | ||
| + | # time limit). default: 20 | ||
| + | # | ||
| + | # LDAP_OPT_TIMELIMIT is set to this value. | ||
| + | srv_timelimit = 3 | ||
| + | |||
| + | # Seconds to wait for response of the server. (network | ||
| + | # failures) default: 10 | ||
| + | # | ||
| + | # LDAP_OPT_NETWORK_TIMEOUT is set to this value. | ||
| + | net_timeout = 1 | ||
| + | |||
| + | # LDAP_OPT_X_KEEPALIVE_IDLE | ||
| + | idle = 60 | ||
| + | |||
| + | # LDAP_OPT_X_KEEPALIVE_PROBES | ||
| + | probes = 3 | ||
| + | |||
| + | # LDAP_OPT_X_KEEPALIVE_INTERVAL | ||
| + | interval = 3 | ||
| + | |||
| + | # ldap_debug: debug flag for LDAP SDK | ||
| + | # (see OpenLDAP documentation). Set this to enable | ||
| + | # huge amounts of LDAP debugging on the screen. | ||
| + | # You should only use this if you are an LDAP expert. | ||
| + | # | ||
| + | # default: 0x0000 (no debugging messages) | ||
| + | # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) | ||
| + | ldap_debug = 0x0028 | ||
| + | |||
| + | ===== LDAP URI ===== | ||
| + | ldap:// (LDAP)<br> | ||
| + | ldaps:// (LDAP over SSL)<br> | ||
| + | ldapi:// (LDAP over Unix socket)<br> | ||
| + | ldapc:// (Connectionless LDAP)<br> | ||
| + | |||
| + | ===== Filter Attribute Name ===== | ||
| + | {| class="wikitable" | ||
| + | ! LDAP Server type !! User filter !! Group filter | ||
| + | |- | ||
| + | | OpenLDAP || uid || posixGroup | ||
| + | |- | ||
| + | | Active Directory Domain Services(DS) || sAMAccountName || group | ||
| + | |- | ||
| + | | Active Directory Lightweight Directory Services(LDS) || name|| group | ||
| + | |- | ||
| + | | Others || User defined || User defined | ||
| + | |- | ||
| + | |} | ||
| + | |||
| + | ===== LDAP Try ===== | ||
| + | You can test an LDAP server connection and search for a user after adding a server by click the "connect" button on a list. | ||
| + | |||
| + | {| class="wikitable" | ||
| + | ! 메시지 !! 설명 | ||
| + | |- | ||
| + | | ldap_bind(): Unable to bind to server: Can't contact LDAP server || A server address or URI is incorrect. | ||
| + | |- | ||
| + | | ldap_bind(): Unable to bind to server: Invalid credentials || A test account or an administrator account is incorrect. | ||
| + | |- | ||
| + | | success || success | ||
| + | |} | ||
| + | |||
| + | Also, All registered servers are periodically testing in the imRAD system and the status icon on the list will be changed in a few seconds. | ||
Latest revision as of 14:32, 14 May 2021
RADIUS > Settings > LDAP
This setting enables users can be validated from a Lightweight Directory Access Protocol(LDAP) server.
We support the OpenLDAP, Microsoft Active Directory Domain service(AD DS), and Microsoft Active Directory Lightweight directory service(AD LDS).
Similarly to the Pass-Through Authentication, the imRAD decrypts the password in the ACCESS-REQUEST from a user, and then refers to an LDAP server. If an ACCESS-REQUEST is encrypted to an EAP method of which can not decrypt the User-Password attribute, the imRAD RADIUS can not get the correct result.
Note that there is no limitation of the LDAP servers but the more LDAP servers, the more time it may take to validate users.
Edit LDAP Server
You can add a new entity by click "Add" button at the right bottom below the LDAP list. If you want to change or delete a entity, click the 
icon in front of each entity.
| Item | Required | Description |
|---|---|---|
| Server1 | Yes | Input the address(e.g, a.b.c.d) or URI(e.g. ldap://myldap.test.org) of a LDAP Server. If the LDAP server supports LDAP over SSL, input the address with a prefix(i.e. ldaps://a.b.c.d). More prefixes are described in the "LDAP URI" section. |
| Server2 | No | If there is another instance of the LDAP server, input the second server address or URL. |
| Port | Yes | It is the port of LDAP server(i.e. 389). |
| Identity of administrator account Password of administrator account |
No | Some LDAP server requires an administrator account before searching. |
| Base Distinguished Name(dn) | Yes | The dn from which all searches will start from. |
| Server Type | Yes | Choose one of them. |
| User filter attribute name Group filter attribute name |
Yes | These values are set automatically according to a selected server type. If you select the server type as "others", you must confirm the User filter attribute name and the Group filter attribute name. |
Advanced
# Control under which situations aliases are followed. # May be one of 'never', 'searching', 'finding' or 'always' # default: libldap's default which is usually 'never'. # # LDAP_OPT_DEREF is set to this value.
- dereference = 'always'
# # The following two configuration items control whether the # server follows references returned by LDAP directory. # They are mostly for Active Directory compatibility. # If you set these to 'no', then searches will likely return # 'operations error', instead of a useful result. # chase_referrals = yes rebind = yes
# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page). # Note - uncomment when using GSS-API sasl mechanism along with TLS # encryption against Active-Directory LDAP servers (this disables # sealing and signing at the GSS level as required by AD). #sasl_secprops = 'noanonymous,noplain,maxssf=0'
# Seconds to wait for LDAP query to finish. default: 20 res_timeout = 10
# Seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. srv_timelimit = 3
# Seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1
# LDAP_OPT_X_KEEPALIVE_IDLE idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3
# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) ldap_debug = 0x0028
LDAP URI
ldap:// (LDAP)
ldaps:// (LDAP over SSL)
ldapi:// (LDAP over Unix socket)
ldapc:// (Connectionless LDAP)
Filter Attribute Name
| LDAP Server type | User filter | Group filter |
|---|---|---|
| OpenLDAP | uid | posixGroup |
| Active Directory Domain Services(DS) | sAMAccountName | group |
| Active Directory Lightweight Directory Services(LDS) | name | group |
| Others | User defined | User defined |
LDAP Try
You can test an LDAP server connection and search for a user after adding a server by click the "connect" button on a list.
| 메시지 | 설명 |
|---|---|
| ldap_bind(): Unable to bind to server: Can't contact LDAP server | A server address or URI is incorrect. |
| ldap_bind(): Unable to bind to server: Invalid credentials | A test account or an administrator account is incorrect. |
| success | success |
Also, All registered servers are periodically testing in the imRAD system and the status icon on the list will be changed in a few seconds.