{
    #  Text::Template fragment: collect the LDAP bind settings that the
    #  ldap stanza below interpolates later as $pw and $base.  They are
    #  kept as package globals (no "my") on purpose: a lexical would be
    #  out of scope by the time the later fragments are evaluated.
    use esmith::util;

    #  This fragment emits no text of its own.
    $OUT = q{};

    #  Bind password for the "cn=root,<base>" identity and the base DN
    #  for $DomainName, both supplied by esmith::util.
    #
    #  NOTE(review): $pw is written unquoted into "password = ..." below,
    #  so it is assumed to contain no whitespace, '#' or quote characters
    #  -- confirm against esmith::util::LdapPassword().
    #  NOTE(review): timeout/timelimit/net_timeout are given both at the
    #  top of the stanza (4/3/3) and again under options (10/3/1);
    #  confirm which set the installed FreeRADIUS version honours.
    $pw   = esmith::util::LdapPassword();
    $base = esmith::util::ldapBase($DomainName);

}	ldap \{
		server = "localhost"
		identity = "cn=root,{ $base }"
		password = { $pw }
		base_dn = "{ $base }"
		filter = "(&(objectClass=posixAccount)(uid=%\{Stripped-User-Name:-%\{User-Name\}\}))"
		ldap_connections_number = 5
		timeout = 4
		timelimit = 3
		net_timeout = 3
		tls \{
			start_tls = no
		\}
		groupname_attribute = cn
		groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%\{Stripped-User-Name:-%\{User-Name\}\}))"

        update \{
                control:Password-With-Header    += 'userPassword'

        \}
        user \{
                #  Where to start searching in the tree for users
                base_dn = "$\{..base_dn\}"

                #  Filter for user objects, should be specific enough
                #  to identify a single user object.
                filter = "(uid=%\{%\{Stripped-User-Name\}:-%\{User-Name\}\})"
        \}
        group \{
                #  Where to start searching in the tree for groups
#                base_dn = "$\{..base_dn\}"

                #  Filter for group objects, should match all available
                #  group objects a user might be a member of.
#                filter = "(objectClass=posixGroup)"
#                membership_attribute = "memberOf"
        \}

        profile \{
                #  Filter for RADIUS profile objects
#               filter = "(objectclass=radiusprofile)"

                #  The default profile applied to all users.
#               default = "cn=radprofile,dc=example,dc=org"

                #  The list of profiles which are applied (after the default)
                #  to all users.
                #  The "User-Profile" attribute in the control list
                #  will override this setting at run-time.
#               attribute = "radiusProfileDn"
        \}


        client \{
                #   Where to start searching in the tree for clients
#                base_dn = "$\{..base_dn\}"

                #
                #  Filter to match client objects
                #
#                filter = '(objectClass=frClient)'

                # Search scope, may be 'base', 'one', 'sub' or 'children'
#               scope = 'sub'

                #
                #  Client attribute mappings are in the format:
                #      <client attribute> = <ldap attribute>
                #
                #  Arbitrary attributes (accessible by %\{client:<attr>\}) are not yet supported.
                #
                #  The following attributes are required:
                #    * identifier - IPv4 address, or IPv4 address with prefix, or hostname.
                #    * secret - RADIUS shared secret.
                #
                #  The following attributes are optional:
                #    * shortname - Friendly name associated with the client
                #    * nas_type - NAS Type
                #    * virtual_server - Virtual server to associate the client with
                #    * require_message_authenticator - Whether we require the Message-Authenticator
                #      attribute to be present in requests from the client.
                #
                #  Schemas are available in doc/schemas/ldap for openldap and eDirectory
                #
                attribute \{
#                        identifier                      = 'radiusClientIdentifier'
#                        secret                          = 'radiusClientSecret'
#                       shortname                       = 'radiusClientShortname'
#                       nas_type                        = 'radiusClientType'
#                       virtual_server                  = 'radiusClientVirtualServer'
#                       require_message_authenticator   = 'radiusClientRequireMa'
                \}
        \}



        #  Useful for recording things like the last time the user logged
        #  in, or the Acct-Session-ID for CoA/DM.
        #
        #  LDAP modification items are in the format:
        #       <ldap attr> <op> <value>
        #
        #  Where:
        #       <ldap attr>:    The LDAP attribute to add, modify or delete.
        #       <op>:           One of the assignment operators:
        #                       (:=, +=, -=, ++).
        #                       Note: '=' is *not* supported.
        #       <value>:        The value to add, modify or delete.
        #
        #  WARNING: If using the ':=' operator with a multi-valued LDAP
        #  attribute, all instances of the attribute will be removed and
        #  replaced with a single attribute.
        accounting \{
                reference = "%\{tolower:type.%\{Acct-Status-Type\}\}"

                type \{
                        start \{
                                update \{
                                        description := "Online at %S"
                               \}
                        \}

                        interim-update \{
                                update \{
                                        description := "Last seen at %S"
                                \}
                        \}

                        stop \{
                                update \{
                                        description := "Offline at %S"
                                \}
                        \}
                \}
        \}




        #
        #  Post-Auth can modify LDAP objects too
        #
        post-auth \{
                update \{
                        description := "Authenticated at %S"
                \}
        \}





        #  LDAP connection-specific options.
        #
        #  These options set timeouts, keep-alives, etc. for the connections.
        #
        options \{
                #  Control under which situations aliases are followed.
                #  May be one of 'never', 'searching', 'finding' or 'always'
                #  default: libldap's default which is usually 'never'.
                #
                #  LDAP_OPT_DEREF is set to this value.
#               dereference = 'always'

                #
                #  The following two configuration items control whether the
                #  server follows references returned by LDAP directory.
                #  They are mostly for Active Directory compatibility.
                #  If you set these to "no", then searches will likely return
                #  "operations error", instead of a useful result.
                #
                chase_referrals = yes
                rebind = yes

                #  Seconds to wait for LDAP query to finish. default: 20
                timeout = 10

                #  Seconds LDAP server has to process the query (server-side
                #  time limit). default: 20
                #
                #  LDAP_OPT_TIMELIMIT is set to this value.
                timelimit = 3

                #  Seconds to wait for response of the server. (network
                #  failures) default: 10
                #
                #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
                net_timeout = 1

                #  LDAP_OPT_X_KEEPALIVE_IDLE
                idle = 60

                #  LDAP_OPT_X_KEEPALIVE_PROBES
                probes = 3

                #  LDAP_OPT_X_KEEPALIVE_INTERVAL
                interval = 3

                #  ldap_debug: debug flag for LDAP SDK
                #  (see OpenLDAP documentation).  Set this to enable
                #  huge amounts of LDAP debugging on the screen.
                #  You should only use this if you are an LDAP expert.
                #
                #       default: 0x0000 (no debugging messages)
                #       Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
                ldap_debug = 0x0028
        \}


        #  The connection pool is new for 3.0, and will be used in many
        #  modules, for all kinds of connection-related activity.
        #
        #  When the server is not threaded, the connection pool
        #  limits are ignored, and only one connection is used.
        pool \{
                #  Number of connections to start
                start = 5

                #  Minimum number of connections to keep open
                min = 4

                #  Maximum number of connections
                #
                #  If these connections are all in use and a new one
                #  is requested, the request will NOT get a connection.
                #
                #  Setting 'max' to LESS than the number of threads means
                #  that some threads may starve, and you will see errors
                #  like "No connections available and at max connection limit"
                #
                #  Setting 'max' to MORE than the number of threads means
                #  that there are more connections than necessary.
                max = $\{thread[pool].max_servers\}

                #  Spare connections to be left idle
                #
                #  NOTE: Idle connections WILL be closed if "idle_timeout"
                #  is set.
                spare = 3

                #  Number of uses before the connection is closed
                #
                #  0 means "infinite"
                uses = 0

                #  The lifetime (in seconds) of the connection
                lifetime = 0

                #  Idle timeout (in seconds).  A connection which is
                #  unused for this length of time will be closed.
                idle_timeout = 60

                #  NOTE: All configuration settings are enforced.  If a
                #  connection is closed because of "idle_timeout",
                #  "uses", or "lifetime", then the total number of
                #  connections MAY fall below "min".  When that
                #  happens, it will open a new connection.  It will
                #  also log a WARNING message.
                #
                #  The solution is to either lower the "min" connections,
                #  or increase lifetime/idle_timeout.
        \}




















	\}
