diff --git a/Bundler/freeradius.xml b/Bundler/freeradius.xml
index 42d4355..d3527f5 100644
--- a/Bundler/freeradius.xml
+++ b/Bundler/freeradius.xml
@@ -1,4 +1,10 @@ + + + +
diff --git a/Metadata/groups.xml b/Metadata/groups.xml
index 3623c71..fb8c176 100644
--- a/Metadata/groups.xml
+++ b/Metadata/groups.xml
@@ -56,7 +56,7 @@ --> - +
@@ -69,7 +69,7 @@ - + - +
@@ -316,7 +316,7 @@ - +
@@ -831,8 +831,17 @@ + + + + + + + + +
diff --git a/Python/etc/freeradius/modules/ldap b/Python/etc/freeradius/modules/ldap
new file mode 100644
index 0000000..082eb58
--- /dev/null
+++ b/Python/etc/freeradius/modules/ldap
@@ -0,0 +1,180 @@
+# -*- coding: utf-8 -*-
+
+include("secrets")
+
+if has("db-replicat"):
+ server = 'localhost'
+else:
+ server = 'ldap.adm.crans.org'
+print """
+# -*- text -*-
+# ceci est le fichier /etc/freeradius/modules/ldap
+#
+# $Id: ldap,v 1.1 2008/05/30 09:18:45 aland Exp $
+
+# Lightweight Directory Access Protocol (LDAP)
+#
+# This module definition allows you to use LDAP for
+# authorization and authentication.
+#
+# See raddb/sites-available/default for reference to the
+# ldap module in the authorize and authenticate sections.
+#
+# However, LDAP can be used for authentication ONLY when the
+# Access-Request packet contains a clear-text User-Password
+# attribute. LDAP authentication will NOT work for any other
+# authentication method.
+#
+# This means that LDAP servers don't understand EAP. If you
+# force "Auth-Type = LDAP", and then send the server a
+# request containing EAP authentication, then authentication
+# WILL NOT WORK.
+#
+# The solution is to use the default configuration, which does
+# work.
+#
+# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
+# really can't emphasize this enough.
+#
+ldap {
+ #
+ # Note that this needs to match the name in the LDAP
+ # server certificate, if you're using ldaps.
+ server = "%(server)s"
+ identity = "cn=readonly,dc=crans,dc=org"
+ password = %(password)s
+ basedn = "ou=data,dc=crans,dc=org"
+ # Note: pour pouvoir filter par macAddress=MAC fournie, il faut remplacer les - par des :
+ # (la casse n'est pas importante pour ldap)
+ # Si toutefois, la variable est vide, on laisse passer (a priori, lorsque ttls, la connexion
+ # interne n'est pas issue de la borne mais du tunnel, donc cela ne passe pas, par défaut,
+ # donc tout est accepté, cependant, avec copy_request_to_tunnel = yes dans eap.conf, on s'en sort)
+ # Ceci est fait dans le fichier hints par le matching d'une expression régulière, extrait:
+ #DEFAULT Calling-Station-Id =~ "^(..)-(..)-(..)-(..)-(..)-(..)$"
+ #Calling-Station-Id := `%%{1}:%%{2}:%%{3}:%%{4}:%%{5}:%%{6}`
+ # On auth désormais par login=mac OU hostname (sans le .wifi.crans.org)
+ filter = "(&(macAddress=%%{Calling-Station-Id:-*})(|(macAddress=%%{Stripped-User-Name:-%%{User-Name}})(host=%%{Stripped-User-Name:-%%{User-Name}}.wifi.crans.org)))"
+ #filter = "(&(macAddress=%%{Stripped-User-Name:-%%{User-Name}})(objectclass=machineWifi))"
+ base_filter = "(objectclass=machineWifi)"
+
+ # How many connections to keep open to the LDAP server.
+ # This saves time over opening a new LDAP socket for
+ # every authentication request.
+ ldap_connections_number = 5
+
+ # seconds to wait for LDAP query to finish. default: 20
+ timeout = 4
+
+ # seconds LDAP server has to process the query (server-side
+ # time limit). default: 20
+ #
+ # LDAP_OPT_TIMELIMIT is set to this value.
+ timelimit = 3
+
+ #
+ # seconds to wait for response of the server. (network
+ # failures) default: 10
+ #
+ # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
+ net_timeout = 1
+
+ #
+ # This subsection configures the tls related items
+ # that control how FreeRADIUS connects to an LDAP
+ # server. It contains all of the "tls_*" configuration
+ # entries used in older versions of FreeRADIUS. Those
+ # configuration entries can still be used, but we recommend
+ # using these.
+ #
+ tls {
+ # Set this to 'yes' to use TLS encrypted connections
+ # to the LDAP database by using the StartTLS extended
+ # operation.
+ #
+ # The StartTLS operation is supposed to be
+ # used with normal ldap connections instead of
+ # using ldaps (port 689) connections
+ start_tls = no
+
+ # cacertfile = /path/to/cacert.pem
+ # cacertdir = /path/to/ca/dir/
+ # certfile = /path/to/radius.crt
+ # keyfile = /path/to/radius.key
+ # randfile = /path/to/rnd
+
+ # Certificate Verification requirements. Can be:
+ # "never" (don't even bother trying)
+ # "allow" (try, but don't fail if the cerificate
+ # can't be verified)
+ # "demand" (fail if the certificate doesn't verify.)
+ #
+ # The default is "allow"
+ # require_cert = "demand"
+ }
+
+ # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
+ # profile_attribute = "radiusProfileDn"
+ # access_attr = "dialupAccess"
+
+ # Mapping of RADIUS dictionary attributes to LDAP
+ # directory attributes.
+ dictionary_mapping = ${confdir}/ldap.attrmap
+
+ # Set password_attribute = nspmPassword to get the
+ # user's password from a Novell eDirectory
+ # backend. This will work ONLY IF FreeRADIUS has been
+ # built with the --with-edir configure option.
+ #
+ # See also the following links:
+ #
+ # http://www.novell.com/coolsolutions/appnote/16745.html
+ # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
+ #
+ # Novell may require TLS encrypted sessions before returning
+ # the user's password.
+ #
+ # password_attribute = userPassword
+
+ # Un-comment the following to disable Novell
+ # eDirectory account policy check and intruder
+ # detection. This will work *only if* FreeRADIUS is
+ # configured to build with --with-edir option.
+ #
+ edir_account_policy_check = no
+
+ #
+ # Group membership checking. Disabled by default.
+ #
+ # groupname_attribute = cn
+ # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%%{Ldap-UserDn})))"
+ # groupmembership_attribute = radiusGroupName
+
+ # compare_check_items = yes
+ do_xlat = yes
+ # access_attr_used_for_allow = yes
+
+ #
+ # By default, if the packet contains a User-Password,
+ # and no other module is configured to handle the
+ # authentication, the LDAP module sets itself to do
+ # LDAP bind for authentication.
+ #
+ # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
+ #
+ # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
+ #
+ # You can disable this behavior by setting the following
+ # configuration entry to "no".
+ #
+ # allowed values: {no, yes}
+ # set_auth_type = yes
+
+ # ldap_debug: debug flag for LDAP SDK
+ # (see OpenLDAP documentation). Set this to enable
+ # huge amounts of LDAP debugging on the screen.
+ # You should only use this if you are an LDAP expert.
+ #
+ # default: 0x0000 (no debugging messages)
+ # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
+ #ldap_debug = 0x0028
+}""" % {'password': secrets.ldap_readonly_password, 'server': server}
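Review bot: `password = %(password)s` in the generated `ldap {}` block emits the readonly bind secret unquoted, unlike the neighbouring `server`, `identity` and `basedn` values, so a secret containing whitespace, `#` or other characters the FreeRADIUS config parser treats specially yields a truncated or unparsable module file; write it as `password = "%(password)s"` (a `"` or `\` inside the secret would still need escaping before the `%` substitution). On the non-replica path the module also binds to `ldap.adm.crans.org` with `start_tls = no` and `require_cert` left commented out, so that bind password and every lookup cross the network unencrypted; if the admin network is meant to be trusted, a comment saying so next to the `server` selection would make that explicit, otherwise `start_tls = yes` with `require_cert = "demand"` and a `cacertfile` for the remote case. `include("secrets")` and `has()` come from the bundler rather than this file, so whether `secrets.ldap_readonly_password` is always defined cannot be checked from the hunk.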