# -*- text -*-
#########################################################################
#
#	The file contains a sample virtual server which uses Google
#	Secure LDAP for authentication
#
#	This file is designed to be used as an inner tunnel virtual
#	server for EAP-TTLS-PAP authentication.
#
#	Use this virtual server in conjunction with the sample Google
#	Secure LDAP module configuration, which is in
#	mods-available/ldap_google.
#
#	Due to the poor performance of Google Secure LDAP, this
#	configuration also caches information around accepts, rejects,
#	and LDAP qeuries.  See mods-available/cache_auth for the
#	configuration of the various "cache" modules used here.
#
#	The TTL on these caches should be tuned to match site policies
#	- e.g. how long should a user be re-authenticated from a cache
#	without performing an LDAP bind.
#
#	Typically the caches are beneficial when performing
#	authentication for 802.1x wifi where repeated authentications
#	occur as users roam.  We also recommend enabling the "cache"
#	subsection of mods-available/eap.  Both kinds of caching can
#	be done at the same time, and both kinds of caching will help
#	improve system performance and stability.
#
#	$Id: 3be530f0787841628c655031465d2a0e3300629c $
#
#########################################################################

server google-ldap {

#
#  This is only for testing, and not needed in general operation.
#
listen {
	ipaddr = 127.0.0.1
	port = 18123
	type = auth
}

authorize {
	#
	#  Perform sanity checks on the supplied user name
	#
	filter_username

	#
	#  Perform sanity checks comparing inner and outer user name
	#
	filter_inner_identity

	#
	#  Split up user names in the form user@domain
	#
	split_username_nai

	#
	#  Check the authentication cache to see if this user
	#  recently sucessfully authenticated
	#
	update control {
		&Cache-Status-Only := 'yes'
	}
	cache_auth_accept

	#
	#  If there's a cached User-Name / User-Password which matches
	#  what the user sent here, then the user has been
	#  authenticated.  We can then avoid interacting with Google's
	#  LDAP server, which significantly improves the performance
	#  of user authentication.
	#
	if (ok) {
		update {
			&control:Auth-Type := Accept
		}
		return
	}

	#
	#  Check the reject cache to see if this user was
	#  recently rejected
	#
	update control {
		&Cache-Status-Only := 'yes'
	}
	cache_auth_reject

	#
	#  If there's a cached User-Name / User-Password which matches
	#  what the user sent here, then the user has been rejected.
	#  As with authentication above, we don't need to check
	#  Google's LDAP server, and can improve performance.
	#
	#  Note that in may cases rejected users will try over and
	#  over again.  This increased load can significantly affect
	#  performance, and can even prevent other users from
	#  authenticating!  The solution is to just tell the bad users
	#  to "go away" as quickly as possible, while using minimal
	#  resources.
	#
	if (ok) {
		update {
			&Module-Failure-Message := "Rejected by cache entry"
		}
		reject
	}

	#
	#  If group membership checks are required, then ensure that
	#  the relevant "cacheable_" option is set against the ldap
	#  instance, and call the ldap module here.
	#
	#  If group membership is irrelevant, do not call ldap here
	#  to improve performance
	#
	# ldap_google

	#
	#  As Google LDAP does not return user passwords,
	#  authentication is only possible by LDAP "bind as user".  So
	#  only PAP and TTLS+PAP will work.
	#
	#  If the request contains a password, then force LDAP "bind
	#  as user".
	#
	if (&User-Password && !control:Auth-Type)  {
		update {
			&control:Auth-Type := ldap
		}

		#
		#  Look up a user's DN in the cache.
		#
		#  The standard ldap auth mechanism is 3 steps
		#    - bind as admin user
		#    - lookup the user's DN
		#    - bind as the user
		#
		#  Caching the DN removes the first two steps
		#  during the lifetime of the cache entry.
		#
		#  If the ldap module is called above, then this cache
		#  call can be commented out; the DN will have been
		#  retrieved above by the "ldap_google" module.
		#
		update control {
			&Cache-Read-Only := "yes"
		}
		cache_ldap_user_dn

	}
}

authenticate {
	#
	#  Use an LDAP "bind as user" to authenticate.  Google will
	#  check the users' password, and will return success / fail.
	#
	Auth-Type LDAP {
		ldap_google
	}

}

#
#  Google LDAP has no specific session section configuration
#
session {

}

#
#  In post-auth the various caches get updated.
#
#  Add in any additional policy required to set reply attributes
#
post-auth {
	#
	#  Cache the user's DN.  See the authorize section for
	#  how and why this would be used
	#
	cache_ldap_user_dn

	#
	#  If a user was authenticated by ldap, add the users name /
	#  password to the cache of successful authentications.
	#
	#  Otherwise the user was authenticated via the
	#  cache_auth_accept call above, in the "authorize" section.
	#
	if (&control:Auth-Type == ldap) {
		cache_auth_accept
	}

	Post-Auth-Type REJECT {
		attr_filter.access_reject

		#
		#  Record rejects in a cache, as a protection against
		#  repeated attempts from mis-configured clients.
		#
		if (&control:Auth-Type == ldap) {
			cache_auth_reject
		}

		#
		#  Clear the DN cache entry if it exists.
		#  If the DN cache is in use, retaining an incorrect
		#  DN entry could cause issues if the user's DN
		#  has changed.
		#
		update control {
			&Cache-TTL := 0
		}
		cache_ldap_user_dn

	}
}

}
