PEAP MSCHAPv2 - Novell eDir
O'Connell Catriona
cczcso at nottingham.ac.uk
Wed Jul 26 15:25:10 CEST 2006
Hi Josh,
LDAP section appended:
ldap {
server = "ldapsvr.nottingham.ac.uk"
port = 636
identity = "cn=RADIUSadmin,o=university"
password = x
basedn = "o=university"
filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with
normal
# ldap connections instead of using ldaps (port 689)
connections
# start_tls = yes
tls_cacertfile =
/etc/raddb/certs/UONLDAP-CA-SelfSignedCert.b64
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My
Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
#
# NOTICE: The password_header directive is NOT case
insensitive
#
# password_header = "{clear}"
#
# Set:
# password_attribute = nspmPassword
#
# to get the user's password from a Novell eDirectory
# backend. This will work *only if* freeRADIUS is
# configured to build with --with-edir option.
#
#
# The server can usually figure this out on its own,
and pull
# the correct User-Password or NT-Password from the
database.
#
# Note that NT-Passwords MUST be stored as a 32-digit
hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
password_attribute = nspmPassword
#
# Un-comment the following to disable Novell eDirectory
account
# policy check and intruder detection. This will work
*only if*
# FreeRADIUS is configured to build with --with-edir
option.
#
# edir_account_policy_check=no
#
# groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(membe
r=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap
-UserDn}
)))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# You can disable this behavior by setting the
following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
}
> Hi Catriona,
>
> If this is for the JRS, you can also get support (from me or Alan
> Buxey, who is also on this list!) from service at ukerna.ac.uk.
>
> Anyway, could you please post the ldap { } section in radiusd.conf?
> (please obfuscate any passwords, etc).
>
> josh.
>
This message has been checked for viruses but the contents of an attachment
may still contain software viruses, which could damage your computer system:
you are advised to perform your own checks. Email communications with the
University of Nottingham may be monitored as permitted by UK legislation.
More information about the Freeradius-Users
mailing list