1. INSTALLATION

This module depends on the OpenLDAP v2.x SDK libraries.
For details on obtaining the OpenLDAP source, see <http://www.openldap.org>.
The OpenLDAP SDK in turn depends on the OpenSSL crypto libraries and (optionally)
on the Cyrus-SASL libraries.

2. CONFIGURATION

Add the following subsection to the modules{} section of radiusd.conf to control
the rlm_ldap module:

  modules {
	...
	
	ldap {

#	server: space separated list of host[:port]
#	default: settings for your system, as set in etc/openldap/ldap.conf
#
		server   = localhost

#	net_timeout: # of seconds to wait for response of the server 
#			(network failures)
#	default: 10
#
		net_timeout = 1

#	timeout: # seconds to wait for LDAP query to finish
#	default: 20
#
		timeout = 2

#	timelimit: # of seconds server has to process the query 
#			(server-side time limit)
#	default: 20
#
		timelimit = 5

#	ldap_debug: debug flag for LDAP SDK (see OpenLDAP documentation)
#	default: 0x0000 (no debugging messages)
#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
		ldap_debug = 0x0028 

#	identity: DN under which LDAP searches are done
#	password: password which authenticates this DN
#	default: anonymous bind, no password required
#	NOTE: searches are currently done over an unencrypted connection!
#
#	identity = "cn=admin,o=My Org,c=UA"
#	password = mypass

#	basedn = <Base of LDAP searches>
#
		basedn   = "o=My Org,c=UA"

#	filter: LDAP search filter used to locate the user object by the name
#	supplied by the client during RADIUS authentication
#	
#	default: 
#		filter   = "(uid=%u)"

#	default_profile: DN of a LDAP object, which contains default RADIUS 
#	attributes. 
#	default: NULL - use only user specific attributes or attributes, 
#	supplied by other modules.
#		
		default_profile = "cn=RadProfile,o=My Org,c=UA"

#	profile_attribute: user object attribute, which contains DN of 
#	radiusProfile object for this user.
#	default: NULL - use only user specific attributes or attributes,
#	supplied by other modules.
#
#	profile_attribute = "radiusProfileDn"

#	access_group: membership in this group controls RADIUS access for the user
#	default: NULL 
#	(means all users located in the LDAP tree under specified "basedn")
#	
		access_group = "cn=RemoteUsers,o=My Org,c=UA"

#	access_attr: if this attribute is specified, the module checks for its existence
#	in the user object. If it exists and is set to TRUE, the user is allowed to get
#	remote access.
#	default: NULL - don't check for the attribute
		access_attr = "dialupAccess"

#	password_header: if the user password is available, we add it to the check items
#	(e.g. to assist with CHAP), stripping any header first.
#	default: NULL
#
#	password_header = "{clear}"

#	password_attribute: Define the attribute which contains the user password.
#	default: NULL - don't add password
#
#	password_attribute = "userPassword"

#	groupname_attribute: The attribute used for searching for a group in the ldap server.
#	default: cn - Search filter is "(cn=%GroupName)"
#
#	groupname_attribute = "cn"

#	groupmembership_filter: The filter to search for group membership of a particular user
#	after we have found the DN for the group.
#	default: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
#
#	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"	

	}
}

NOTE:
As LDAP is case insensitive, you should probably also set "lower_user = yes"
and "lower_time = before" in the main section of radiusd.conf, so that limits on
simultaneous logins work correctly. Otherwise, users will be able to obtain a large
number of sessions by capitalizing parts of their login names.

MODULE MESSAGES:
On user rejection rlm_ldap will return the following module messages:

"rlm_ldap: User not found"
"rlm_ldap: Access Attribute denies access"
"rlm_ldap: User is not an access group member"
"rlm_ldap: Bind as user failed"

These messages will be visible in radius.log as additional information in the
"Login incorrect" and "Invalid user" log messages.
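To show how the ldap {} settings above combine into an authorization decision and which of the module messages results, here is an added Python model; it is not part of this README or of the FreeRADIUS rlm_ldap code. It assumes an in-memory directory of constructed entries, reads access_attr as "must exist and be TRUE", and applies RFC 4515 escaping to the values substituted for %u and %{Ldap-UserDn}.

```python
import re
def escape_filter_value(value):
    # RFC 4515 escaping: a client-supplied User-Name can then only ever match
    # a uid literally equal to it, never change the shape of "(uid=%u)"
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)
def expand(template, values):
    # replaces %u and %{Name} placeholders in a radiusd.conf filter string
    template = template.replace("%u", "%{User-Name}")
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: escape_filter_value(values[m.group(1)]), template)
def matches(entry, flt):
    # minimal evaluator for (attr=value), (&...) and (|...) filter forms
    if flt[1] in "&|":
        parts, depth, start = [], 0, 2
        for i, c in enumerate(flt[2:-1], 2):
            depth += (c == "(") - (c == ")")
            if depth == 0:
                parts.append(flt[start:i + 1])
                start = i + 1
        return (all if flt[1] == "&" else any)(matches(entry, p) for p in parts)
    attr, _, value = flt[1:-1].partition("=")
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]
def authorize(directory, cfg, username):
    # returns None when the user is accepted, else the rlm_ldap reject message
    user_filter = expand(cfg["filter"], {"User-Name": username})
    found = [dn for dn, e in directory.items()
             if dn.endswith(cfg["basedn"]) and matches(e, user_filter)]
    if not found:
        return "rlm_ldap: User not found"
    user_dn = found[0]
    # access_attr must exist and be TRUE (this example's reading of the README)
    if directory[user_dn].get(cfg["access_attr"].lower()) != ["TRUE"]:
        return "rlm_ldap: Access Attribute denies access"
    member_filter = expand(cfg["groupmembership_filter"], {"Ldap-UserDn": user_dn})
    if not matches(directory.get(cfg["access_group"], {}), member_filter):
        return "rlm_ldap: User is not an access group member"
    return None

CONFIG = {  # values taken from the ldap {} section above
    "basedn": "o=My Org,c=UA", "filter": "(uid=%u)", "access_attr": "dialupAccess",
    "access_group": "cn=RemoteUsers,o=My Org,c=UA",
    "groupmembership_filter": "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                              "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"}
DIRECTORY = {  # constructed sample entries: lower-cased attribute names, list values
    "uid=alice,o=My Org,c=UA": {"uid": ["alice"], "dialupaccess": ["TRUE"]},
    "uid=bob,o=My Org,c=UA": {"uid": ["bob"], "dialupaccess": ["TRUE"]},
    "uid=carol,o=My Org,c=UA": {"uid": ["carol"], "dialupaccess": ["FALSE"]},
    "cn=RemoteUsers,o=My Org,c=UA": {"objectclass": ["groupOfNames"],
                                     "member": ["uid=alice,o=My Org,c=UA"]}}
```

alice is accepted, bob fails the group check, carol fails the access attribute check, and an unknown or wildcard User-Name gives "User not found".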

DIRECTORY COMPATIBILITY NOTE:
If you use LDAP only for authorization and authentication (e.g. you cannot
afford a schema extension), I propose setting all necessary attributes in the
raddb/users file, with the following authorize section in radiusd.conf:

authorize { 
	ldap {
		notfound = return
	} 
	files  
}
