EditDiscussionPage history

Difference between revisions of "LDAP"

 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
__FORCETOC__
 
__FORCETOC__
=== RADIUS > 설정 > LDAP 인증 ===
+
=== RADIUS > Settings > LDAP ===
 +
This setting enables users can be validated from a Lightweight Directory Access Protocol(LDAP) server.
 +
We support the OpenLDAP, Microsoft Active Directory Domain service(AD DS), and Microsoft Active Directory Lightweight directory service(AD LDS).<br>
 +
Similarly to the Pass-Through Authentication, the imRAD decrypts the password in the ACCESS-REQUEST from a user, and then refers to an LDAP server. If an ACCESS-REQUEST is encrypted to an EAP method of which can not decrypt the User-Password attribute, the imRAD RADIUS can not get the correct result.
  
외부에 존재하는 LDAP(Lightweight Directory Access Protocol) 서버를 통해 인증을 처리 할 경우 그 서버를 정의 할 수 있습니다.<br>
+
{{note|Note that there is no limitation of the LDAP servers but the more LDAP servers, the more time it may take to validate users.}}
[[RADIUS 개요]]에서 언급한 바와 같이 OpenLDAP과 Microsoft Active Directory(AD)에 연결해 사용자를 인증 할 수 있습니다.<br>
+
 
등록 할 수 있는 개수는 제한이 없으나 imRAD에 수신된 User-Name/User-Password가 모든 LDAP을 거쳐 확인 되는 과정이 반복되므로 너무 많은 LDAP 서버를 등록하면 성능 하락의 원인이 될 수 있습니다.
+
 
 +
==== Edit LDAP Server ====
 +
You can add a new entity by click "Add" button at the right bottom below the LDAP list. If you want to change or delete a entity, click the [[File:popup.png]] icon in front of each entity.
  
==== LDAP 서버 추가 ====
 
LDAP 목록 하단의 "추가" 버튼을 클릭하여 등록 할 수 있으며 아래 포를 확인 하시고 자세한 정보는 LDAP 또는 AD 서버 담당자에 문의 하세요.
 
 
{| class="wikitable"
 
{| class="wikitable"
! 이름 !! 필수 !! 설명
+
! Item !! Required !! Description
 
|-
 
|-
| Primary instance 주소 || || LDAP 서버의 IP 주소를 입력하세요.<br>LDAP over SSL일 경우 ldaps://a.b.c.d와 같은 형식으로 입력하세요. <br>추가 prefix는 아래 LDAP URI를 참고하세요.
+
| style='width:250px' | Server1 || Yes || Input the address(e.g, a.b.c.d) or URI(e.g. ldap://myldap.test.org) of a LDAP Server. If the LDAP server supports LDAP over SSL, input the address with a prefix(i.e. ldaps://a.b.c.d). More prefixes are described in the "LDAP URI" section.
 
|-
 
|-
| Secondary instance 주소 || 아니오 || LDAP 서버의 Secondary instance IP 주소를 입력하세요.<br>LDAP over SSL일 경우 ldaps://a.b.c.d와 같은 형식으로 입력하세요. <br>추가 prefix는 아래 LDAP URI를 참고하세요.
+
| Server2  || No || If there is another instance of the LDAP server, input the second server address or URL.
 
|-
 
|-
| LDAP Server 포트 || || LDAP 서버 포트(기본 포트 389)를 입력하세요.
+
| Port || Yes || It is the port of LDAP server(i.e. 389).
 
|-
 
|-
| Identity of administrator account<br>Password of administrator account  || 아니오 || 일부 LDAP 서버는 User-Name을 조회 할 때 Administrator account를 요구 하므로<br>그 Administrator account의 ID와 Password를 입력하세요.
+
| Identity of administrator account<br>Password of administrator account  || No || Some LDAP server requires an administrator account before searching.
 
|-
 
|-
| Base distinguished name(dn)|| || User-Name 조회시 시작이되는 기본 DN을 입력하세요.
+
| Base Distinguished Name(dn)|| Yes || The dn from which all searches will start from.
 
|-
 
|-
| LDAP server type || || 지정된 LDAP 형식 중 하나를 선택하세요.
+
| Server Type || Yes || Choose one of them.
 
|-
 
|-
| User filter attribute name<br> Group filter attribute name || || 아래 filter attribute name을 참고하세요.
+
| User filter attribute name<br> Group filter attribute name || Yes || These values are set automatically according to a selected server type. If you select the server type as "others", you must confirm the User filter attribute name and the Group filter attribute name.
 
|-
 
|-
 
|}
 
|}
 +
===== Advanced =====
 +
#  Control under which situations aliases are followed.
 +
#  May be one of 'never', 'searching', 'finding' or 'always'
 +
#  default: libldap's default which is usually 'never'.
 +
#
 +
#  LDAP_OPT_DEREF is set to this value.
 +
# dereference = 'always'
 +
 +
#
 +
#  The following two configuration items control whether the
 +
#  server follows references returned by LDAP directory.
 +
#  They are  mostly for Active Directory compatibility.
 +
#  If you set these to 'no', then searches will likely return
 +
#  'operations error', instead of a useful result.
 +
#
 +
chase_referrals = yes
 +
rebind = yes
 +
 +
# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page).
 +
# Note - uncomment when using GSS-API sasl mechanism along with TLS
 +
# encryption against Active-Directory LDAP servers (this disables
 +
# sealing and signing at the GSS level as required by AD).
 +
#sasl_secprops = 'noanonymous,noplain,maxssf=0'
 +
 +
#  Seconds to wait for LDAP query to finish. default: 20
 +
res_timeout = 10
 +
 +
#  Seconds LDAP server has to process the query (server-side
 +
#  time limit). default: 20
 +
#
 +
#  LDAP_OPT_TIMELIMIT is set to this value.
 +
srv_timelimit = 3
 +
 +
#  Seconds to wait for response of the server. (network
 +
#  failures) default: 10
 +
#
 +
#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
 +
net_timeout = 1
 +
 +
#  LDAP_OPT_X_KEEPALIVE_IDLE
 +
idle = 60
 +
 +
#  LDAP_OPT_X_KEEPALIVE_PROBES
 +
probes = 3
 +
 +
#  LDAP_OPT_X_KEEPALIVE_INTERVAL
 +
interval = 3
 +
 +
#  ldap_debug: debug flag for LDAP SDK
 +
#  (see OpenLDAP documentation).  Set this to enable
 +
#  huge amounts of LDAP debugging on the screen.
 +
#  You should only use this if you are an LDAP expert.
 +
#
 +
# default: 0x0000 (no debugging messages)
 +
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
 +
ldap_debug = 0x0028
  
 
===== LDAP URI =====
 
===== LDAP URI =====
Line 33: Line 92:
 
ldapc:// (Connectionless LDAP)<br>
 
ldapc:// (Connectionless LDAP)<br>
  
===== filter attribute name =====
+
===== Filter Attribute Name =====
 
{| class="wikitable"
 
{| class="wikitable"
 
! LDAP Server type !! User filter !! Group filter
 
! LDAP Server type !! User filter !! Group filter
Line 47: Line 106:
 
|}
 
|}
  
===== LDAP 연결 시험 =====
+
===== LDAP Try =====
생성된 LDAP은 수 분후에 자동으로 그 연결이 올바른지가 확이되나 즉시 User-Name과 User-Password를 시험 하려면 LDAP 목록 우측의 연결 시험 항목의 "연결" 버튼을 클릭하면 "연결 시험" 인터페이스를 열 수 있습니다.<br>
+
You can test an LDAP server connection and search for a user after adding a server by click the "connect" button on a list.
이 인터페이스에 아이디와 비밀번호를 입력하여 연결 시험을 진행 할 수 있습니다.
 
  
잘 알려진 오류는 다음과 같습니다.
 
 
{| class="wikitable"
 
{| class="wikitable"
 
! 메시지 !! 설명
 
! 메시지 !! 설명
 
|-
 
|-
| ldap_bind(): Unable to bind to server: Can't contact LDAP server || 서버에 연결 수 없는 경우 표시됩니다.
+
| ldap_bind(): Unable to bind to server: Can't contact LDAP server || A server address or URI is incorrect.
 
|-
 
|-
| ldap_bind(): Unable to bind to server: Invalid credentials || 입력한 사용자 아이디/비밀번호나 저장된 administrator account가 <br>다를 경우 발생합니다.
+
| ldap_bind(): Unable to bind to server: Invalid credentials || A test account or an administrator account is incorrect.
 
|-
 
|-
| success || 성공
+
| success || success
 
|}
 
|}
 +
 +
Also, All registered servers are periodically testing in the imRAD system and the status icon on the list will be changed in a few seconds.

Latest revision as of 14:32, 14 May 2021

RADIUS > Settings > LDAP

This setting enables users can be validated from a Lightweight Directory Access Protocol(LDAP) server. We support the OpenLDAP, Microsoft Active Directory Domain service(AD DS), and Microsoft Active Directory Lightweight directory service(AD LDS).
Similarly to the Pass-Through Authentication, the imRAD decrypts the password in the ACCESS-REQUEST from a user, and then refers to an LDAP server. If an ACCESS-REQUEST is encrypted to an EAP method of which can not decrypt the User-Password attribute, the imRAD RADIUS can not get the correct result.

Note that there is no limitation of the LDAP servers but the more LDAP servers, the more time it may take to validate users.


Edit LDAP Server

You can add a new entity by click "Add" button at the right bottom below the LDAP list. If you want to change or delete a entity, click the Popup.png icon in front of each entity.

Item Required Description
Server1 Yes Input the address(e.g, a.b.c.d) or URI(e.g. ldap://myldap.test.org) of a LDAP Server. If the LDAP server supports LDAP over SSL, input the address with a prefix(i.e. ldaps://a.b.c.d). More prefixes are described in the "LDAP URI" section.
Server2 No If there is another instance of the LDAP server, input the second server address or URL.
Port Yes It is the port of LDAP server(i.e. 389).
Identity of administrator account
Password of administrator account		 No Some LDAP server requires an administrator account before searching.
Base Distinguished Name(dn) Yes The dn from which all searches will start from.
Server Type Yes Choose one of them.
User filter attribute name
Group filter attribute name		 Yes These values are set automatically according to a selected server type. If you select the server type as "others", you must confirm the User filter attribute name and the Group filter attribute name.
Advanced

# Control under which situations aliases are followed. # May be one of 'never', 'searching', 'finding' or 'always' # default: libldap's default which is usually 'never'. # # LDAP_OPT_DEREF is set to this value.

  1. dereference = 'always'

# # The following two configuration items control whether the # server follows references returned by LDAP directory. # They are mostly for Active Directory compatibility. # If you set these to 'no', then searches will likely return # 'operations error', instead of a useful result. # chase_referrals = yes rebind = yes

# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page). # Note - uncomment when using GSS-API sasl mechanism along with TLS # encryption against Active-Directory LDAP servers (this disables # sealing and signing at the GSS level as required by AD). #sasl_secprops = 'noanonymous,noplain,maxssf=0'

# Seconds to wait for LDAP query to finish. default: 20 res_timeout = 10

# Seconds LDAP server has to process the query (server-side # time limit). default: 20 # # LDAP_OPT_TIMELIMIT is set to this value. srv_timelimit = 3

# Seconds to wait for response of the server. (network # failures) default: 10 # # LDAP_OPT_NETWORK_TIMEOUT is set to this value. net_timeout = 1

# LDAP_OPT_X_KEEPALIVE_IDLE idle = 60

# LDAP_OPT_X_KEEPALIVE_PROBES probes = 3

# LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3

# ldap_debug: debug flag for LDAP SDK # (see OpenLDAP documentation). Set this to enable # huge amounts of LDAP debugging on the screen. # You should only use this if you are an LDAP expert. # # default: 0x0000 (no debugging messages) # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) ldap_debug = 0x0028

LDAP URI

ldap:// (LDAP)
ldaps:// (LDAP over SSL)
ldapi:// (LDAP over Unix socket)
ldapc:// (Connectionless LDAP)

Filter Attribute Name
LDAP Server type User filter Group filter
OpenLDAP uid posixGroup
Active Directory Domain Services(DS) sAMAccountName group
Active Directory Lightweight Directory Services(LDS) name group
Others User defined User defined
LDAP Try

You can test an LDAP server connection and search for a user after adding a server by click the "connect" button on a list.

메시지 설명
ldap_bind(): Unable to bind to server: Can't contact LDAP server A server address or URI is incorrect.
ldap_bind(): Unable to bind to server: Invalid credentials A test account or an administrator account is incorrect.
success success

Also, All registered servers are periodically testing in the imRAD system and the status icon on the list will be changed in a few seconds.