crans_bcfg2/Python/etc/freeradius/modules/ldap

# -*- coding: utf-8 -*-

include("secrets")
include("ldap")

print """
# -*- text -*-
# ceci est le fichier /etc/freeradius/modules/ldap
#
#  $Id: ldap,v 1.1 2008/05/30 09:18:45 aland Exp $

# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication.
#
#  See raddb/sites-available/default for reference to the
#  ldap module in the authorize and authenticate sections.
#
#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#
#  This means that LDAP servers don't understand EAP.  If you
#  force "Auth-Type = LDAP", and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.
#
#  The solution is to use the default configuration, which does
#  work.
#
#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
#  really can't emphasize this enough.
#
ldap {
	#
	#  Note that this needs to match the name in the LDAP
	#  server certificate, if you're using ldaps.
	server = "%(server)s"
	identity = "cn=readonly,dc=crans,dc=org"
	password = %(password)s
	basedn = "ou=data,dc=crans,dc=org"
	# Note: pour pouvoir filter par macAddress=MAC fournie, il faut remplacer les - par des :
	# (la casse n'est pas importante pour ldap)
	# Si toutefois, la variable est vide, on laisse passer (a priori, lorsque ttls, la connexion
	# interne n'est pas issue de la borne mais du tunnel, donc cela ne passe pas, par défaut, 
	# donc tout est accepté, cependant, avec copy_request_to_tunnel = yes dans eap.conf, on s'en sort)
	# Ceci est fait dans le fichier hints par le matching d'une expression régulière, extrait:
	#DEFAULT  Calling-Station-Id =~ "^(..)-(..)-(..)-(..)-(..)-(..)$"
	#Calling-Station-Id := `%%{1}:%%{2}:%%{3}:%%{4}:%%{5}:%%{6}`
	# On auth fdésormais par login=mac OU hostname (sans le .wifi.crans.org)
	filter = "macAddress=%%{Calling-Station-Id:-*}"
	base_filter = "(objectclass=machineWifi)"

	#  How many connections to keep open to the LDAP server.
	#  This saves time over opening a new LDAP socket for
	#  every authentication request.
	ldap_connections_number = 5

	# seconds to wait for LDAP query to finish. default: 20
	timeout = 4

	#  seconds LDAP server has to process the query (server-side
	#  time limit). default: 20
	#
	#  LDAP_OPT_TIMELIMIT is set to this value.
	timelimit = 3

	#
	#  seconds to wait for response of the server. (network
	#   failures) default: 10
	#
	#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
	net_timeout = 1

	#
	#  This subsection configures the tls related items
	#  that control how FreeRADIUS connects to an LDAP
	#  server.  It contains all of the "tls_*" configuration
	#  entries used in older versions of FreeRADIUS.  Those
	#  configuration entries can still be used, but we recommend
	#  using these.
	#
	tls {
		# Set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		#
		# The StartTLS operation is supposed to be
		# used with normal ldap connections instead of
		# using ldaps (port 689) connections
		start_tls = no

		# cacertfile	= /path/to/cacert.pem
		# cacertdir		= /path/to/ca/dir/
		# certfile		= /path/to/radius.crt
		# keyfile		= /path/to/radius.key
		# randfile		= /path/to/rnd

		#  Certificate Verification requirements.  Can be:
		#    "never" (don't even bother trying)
		#    "allow" (try, but don't fail if the cerificate
		#		can't be verified)
		#    "demand" (fail if the certificate doesn't verify.)
		#
		#	The default is "allow"
		# require_cert	= "demand"
	}

	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
	# profile_attribute = "radiusProfileDn"
	# access_attr = "dialupAccess"

	# Mapping of RADIUS dictionary attributes to LDAP
	# directory attributes.
	dictionary_mapping = ${confdir}/ldap.attrmap

	#  Set password_attribute = nspmPassword to get the
	#  user's password from a Novell eDirectory
	#  backend. This will work ONLY IF FreeRADIUS has been
	#  built with the --with-edir configure option.
	#
	#  See also the following links:
	#
	#  http://www.novell.com/coolsolutions/appnote/16745.html
	#  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
	#
	#  Novell may require TLS encrypted sessions before returning
	#  the user's password.
	#
	# password_attribute = userPassword

	#  Un-comment the following to disable Novell
	#  eDirectory account policy check and intruder
	#  detection. This will work *only if* FreeRADIUS is
	#  configured to build with --with-edir option.
	#
	edir_account_policy_check = no

	#
	#  Group membership checking.  Disabled by default.
	#
	# groupname_attribute = cn
	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%%{Ldap-UserDn})))"
	# groupmembership_attribute = radiusGroupName

	# compare_check_items = yes
	do_xlat = yes
	# access_attr_used_for_allow = yes

	#
	#  By default, if the packet contains a User-Password,
	#  and no other module is configured to handle the
	#  authentication, the LDAP module sets itself to do
	#  LDAP bind for authentication.
	#
	#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
	#
	#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). 
	#
	#  You can disable this behavior by setting the following
	#  configuration entry to "no".
	#
	#  allowed values: {no, yes}
	# set_auth_type = yes

	#  ldap_debug: debug flag for LDAP SDK
	#  (see OpenLDAP documentation).  Set this to enable
	#  huge amounts of LDAP debugging on the screen.
	#  You should only use this if you are an LDAP expert.
	#
	#	default: 0x0000 (no debugging messages)
	#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
	#ldap_debug = 0x0028 
}""" % {'password': secrets.ldap_readonly_password, 'server': ldap_host}