Translating ldapsearch arguments to LDAP configuration items

Purpose ldapsearch argument ldap { … } config item

Purpose	ldapsearch argument	`ldap { … }` config item
Limit number of search results	`-z`	Not supported.
Use basic authentication	`-x`	Set by default.
LDAP Host URI	`-H <uri>`	`server = '<uri>'` `port = (389\|<custom port>)`
Base DN	`-b <dn>`	`base_dn = '<dn>'`
Bind DN	`-D <dn>`	`identity = '<dn>'`
Bind Password	`-w <password>`	`password = '<password>'`
Enable LDAPS	`-H ldaps://<uri>`	`server = 'ldaps://<uri>'` `port = (636\|<custom port>)`
Enable StartTLS	`-ZZ`	`tls { start_tls = yes }`
Specify RootCA and intermediaries	`LDAPTLS_CACERT=<ca_cert_and_intermediaries.pem>`	`tls { ca_file = '<ca_cert_and_intermediaries.pem>' }`
Require cert validation to succeed	`LDAPTLS_REQCERT=hard`	`tls { require_cert = 'demand' }`

Limit number of search results

-z

Not supported.

Use basic authentication

-x

Set by default.

LDAP Host URI

-H <uri>

server = '<uri>'
port = (389|<custom port>)

Base DN

-b <dn>

base_dn = '<dn>'

Bind DN

-D <dn>

identity = '<dn>'

Bind Password

-w <password>

password = '<password>'

Enable LDAPS

-H ldaps://<uri>

server = 'ldaps://<uri>'
port = (636|<custom port>)

Enable StartTLS

-ZZ

tls { start_tls = yes }

Specify RootCA and intermediaries

LDAPTLS_CACERT=<ca_cert_and_intermediaries.pem>

tls { ca_file = '<ca_cert_and_intermediaries.pem>' }

Require cert validation to succeed

LDAPTLS_REQCERT=hard

tls { require_cert = 'demand' }

Users

Purpose ldap { user { … } } config item

Purpose	`ldap { user { … } }` config item
Specify where to search for users	`base_dn = '<user_base_dn>'`
Specify how to find a user	```filter = "(&(<user_filter>)(<user_uid_attribute>=%{&Stripped-User-Name
	&User-Name)"```
Retrieve a "known good" password	`&control.Password.With-Header = <user_password_attribute>`
Allow accounts to be explicitly disabled	`access_attribute = '<user_access_disabled_attribute>'` `access_positive = 'no'`
Require accounts to be explicitly enabled	`access_attribute = '<user_access_enabled_attribute>'` `access_positive = 'yes'`

Specify where to search for users

base_dn = '<user_base_dn>'

Specify how to find a user

```filter = "(&(<user_filter>)(<user_uid_attribute>=%{&Stripped-User-Name

&User-Name)"```

Retrieve a "known good" password

&control.Password.With-Header = <user_password_attribute>

Allow accounts to be explicitly disabled

access_attribute = '<user_access_disabled_attribute>'
access_positive = 'no'

Require accounts to be explicitly enabled

access_attribute = '<user_access_enabled_attribute>'
access_positive = 'yes'

Groups - Common

Purpose ldap { group { … } } config item

Purpose	`ldap { group { … } }` config item
Specify where to search for group	`base_dn = '<group_base_dn>'`
Specify which objects are groups	`filter = '<group_object_class_filter>'`
Specify which attribute in a group object identifies the group	`name_attribute = '<group_name_attribute>'`

Specify where to search for group

base_dn = '<group_base_dn>'

Specify which objects are groups

filter = '<group_object_class_filter>'

Specify which attribute in a group object identifies the group

name_attribute = '<group_name_attribute>'

Groups - variant 1

User objects reference groups using DNs.

Purpose ldap { group { … } } config item

Purpose	`ldap { group { … } }` config item
Specify how to find group objects by DN, when referenced by a user object.	`membership_attribute = '<group_membership_attribute>'`

Specify how to find group objects by DN, when referenced by a user object.

membership_attribute = '<group_membership_attribute>'

Groups - variant 2

User objects reference groups using group names.

Purpose ldap { group { … } } config item

Purpose	`ldap { group { … } }` config item
Specify how to find group objects by name, when referenced by a user object.	`membership_attribute = '<group_membership_attribute>'`

Specify how to find group objects by name, when referenced by a user object.

membership_attribute = '<group_membership_attribute>'

Groups - variant 3

Group objects reference users using DNs.

Purpose ldap { group { … } } config item

Purpose	`ldap { group { … } }` config item
Specify how to find group objects referencing a user by DN.	`membership_filter = "(<group_membership_dn_attribute>=%{control.Ldap-UserDn})"`

Specify how to find group objects referencing a user by DN.

membership_filter = "(<group_membership_dn_attribute>=%{control.Ldap-UserDn})"

Groups - variant 4

Group objects reference users using user names.

Purpose ldap { group { … } } config item

Purpose	`ldap { group { … } }` config item
Specify how to find group objects referencing a user by name.	```membership_filter = "(<group_membership_uid_attribute>=%{&Stripped-User-Name
	&User-Name)"```

Specify how to find group objects referencing a user by name.

```membership_filter = "(<group_membership_uid_attribute>=%{&Stripped-User-Name

&User-Name)"```

Mixing and matching group membership schemes

Although rare, it is possible to have all four group membership scheme variants in a single directory. FreeRADIUS supports this configuration.

For variant 1 and variant 2 FreeRADIUS will automatically determine if the user object attribute contained a DN or group name.

For variant 3 and variant 4 it’s possible to construct a filter which matches both on user DN and user name e.g.

membership_filter = "(|(<group_membership_filter_by_uid>=%{control.Ldap-UserDn})(<group_membership_filter_by_name>=%{&Stripped-User-Name || &User-Name))"