From: Valentin Vidic Date: Fri, 24 Apr 2009 08:02:30 +0000 (+0200) Subject: Workarounds for aai upgrade bugs. X-Git-Tag: debian/5.0.0~41 X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=commitdiff_plain;h=014ea023f6634ce3ab867bc3c3ecf720b17b8769;p=carnet-upgrade.git Workarounds for aai upgrade bugs. --- diff --git a/files/etc/freeradius/clients.conf.expect b/files/etc/freeradius/clients.conf.expect new file mode 100644 index 0000000..18a05a3 --- /dev/null +++ b/files/etc/freeradius/clients.conf.expect @@ -0,0 +1,42 @@ +# +# clients.conf - client configuration directives +# +# This file is included by default. To disable it, you will need +# to modify the CLIENTS CONFIGURATION section of "radiusd.conf". +# +####################################################################### + +client 161.53.2.202 { + secret = S3u2om1 + shortname = aaiss1 +} + +client 161.53.2.203 { + secret = S3u2om2 + shortname = aaiss2 +} + +client 161.53.2.215 { + secret = A41edu1 + shortname = aaics1 +} + +client 161.53.2.216 { + secret = A41edu2 + shortname = aaics2 +} + +client 161.53.2.217 { + secret = A41edu3 + shortname = aaics3 +} + +client 161.53.2.218 { + secret = A41edu4 + shortname = aaics4 +} + +client 127.0.0.1 { + secret = local + shortname = localhost +} diff --git a/files/etc/freeradius/clients.conf.restore b/files/etc/freeradius/clients.conf.restore new file mode 100644 index 0000000..e752e27 --- /dev/null +++ b/files/etc/freeradius/clients.conf.restore @@ -0,0 +1,111 @@ +# +# clients.conf - client configuration directives +# +####################################################################### + +####################################################################### +# +# Definition of a RADIUS client (usually a NAS). +# +# The information given here over rides anything given in the +# 'clients' file, or in the 'naslist' file. The configuration here +# contains all of the information from those two files, and allows +# for more configuration items. +# +# The "shortname" is be used for logging. The "nastype", "login" and +# "password" fields are mainly used for checkrad and are optional. +# + +# +# Defines a RADIUS client. The format is 'client [hostname|ip-address]' +# +# '127.0.0.1' is another name for 'localhost'. It is enabled by default, +# to allow testing of the server after an initial installation. If you +# are not going to be permitting RADIUS queries from localhost, we suggest +# that you delete, or comment out, this entry. +# +client 127.0.0.1 { + # + # The shared secret use to "encrypt" and "sign" packets between + # the NAS and FreeRADIUS. You MUST change this secret from the + # default, otherwise it's not a secret any more! + # + # The secret can be any string, up to 31 characters in length. + # + secret = testing123 + + # + # The short name is used as an alias for the fully qualified + # domain name, or the IP address. + # + shortname = localhost + + # + # the following three fields are optional, but may be used by + # checkrad.pl for simultaneous use checks + # + + # + # The nastype tells 'checkrad.pl' which NAS-specific method to + # use to query the NAS for simultaneous use. + # + # Permitted NAS types are: + # + # cisco + # computone + # livingston + # max40xx + # multitech + # netserver + # pathras + # patton + # portslave + # tc + # usrhiper + # other # for all other types + + # + nastype = other # localhost isn't usually a NAS... + + # + # The following two configurations are for future use. + # The 'naspasswd' file is currently used to store the NAS + # login name and password, which is used by checkrad.pl + # when querying the NAS for simultaneous use. + # +# login = !root +# password = someadminpas +} + +#client some.host.org { +# secret = testing123 +# shortname = localhost +#} + +# +# You can now specify one secret for a network of clients. +# When a client request comes in, the BEST match is chosen. +# i.e. The entry from the smallest possible network. +# +#client 192.168.0.0/24 { +# secret = testing123-1 +# shortname = private-network-1 +#} +# +#client 192.168.0.0/16 { +# secret = testing123-2 +# shortname = private-network-2 +#} + + +#client 10.10.10.10 { +# # secret and password are mapped through the "secrets" file. +# secret = testing123 +# shortname = liv1 +# # the following three fields are optional, but may be used by +# # checkrad.pl for simultaneous usage checks +# nastype = livingston +# login = !root +# password = someadminpas +#} + diff --git a/files/etc/freeradius/eap.conf.restore b/files/etc/freeradius/eap.conf.restore new file mode 100644 index 0000000..50cf5d5 --- /dev/null +++ b/files/etc/freeradius/eap.conf.restore @@ -0,0 +1,342 @@ +# -*- text -*- +# +# Whatever you do, do NOT set 'Auth-Type := EAP'. The server +# is smart enough to figure this out on its own. The most +# common side effect of setting 'Auth-Type := EAP' is that the +# users then cannot use ANY other authentication method. +# +# $Id: eap.conf,v 1.4.4.5 2007/04/20 11:58:45 aland Exp $ +# + eap { + # Invoke the default supported EAP type when + # EAP-Identity response is received. + # + # The incoming EAP messages DO NOT specify which EAP + # type they will be using, so it MUST be set here. + # + # For now, only one default EAP type may be used at a time. + # + # If the EAP-Type attribute is set by another module, + # then that EAP type takes precedence over the + # default type configured here. + # + default_eap_type = md5 + + # A list is maintained to correlate EAP-Response + # packets with EAP-Request packets. After a + # configurable length of time, entries in the list + # expire, and are deleted. + # + timer_expire = 60 + + # There are many EAP types, but the server has support + # for only a limited subset. If the server receives + # a request for an EAP type it does not support, then + # it normally rejects the request. By setting this + # configuration to "yes", you can tell the server to + # instead keep processing the request. Another module + # MUST then be configured to proxy the request to + # another RADIUS server which supports that EAP type. + # + # If another module is NOT configured to handle the + # request, then the request will still end up being + # rejected. + ignore_unknown_eap_types = no + + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given + # a User-Name attribute in an Access-Accept, it copies one + # more byte than it should. + # + # We can work around it by configurably adding an extra + # zero byte. + cisco_accounting_username_bug = no + + # Supported EAP-types + + # + # We do NOT recommend using EAP-MD5 authentication + # for wireless connections. It is insecure, and does + # not provide for dynamic WEP keys. + # + md5 { + } + + # Cisco LEAP + # + # We do not recommend using LEAP in new deployments. See: + # http://www.securiteam.com/tools/5TP012ACKE.html + # + # Cisco LEAP uses the MS-CHAP algorithm (but not + # the MS-CHAP attributes) to perform it's authentication. + # + # As a result, LEAP *requires* access to the plain-text + # User-Password, or the NT-Password attributes. + # 'System' authentication is impossible with LEAP. + # + leap { + } + + # Generic Token Card. + # + # Currently, this is only permitted inside of EAP-TTLS, + # or EAP-PEAP. The module "challenges" the user with + # text, and the response from the user is taken to be + # the User-Password. + # + # Proxying the tunneled EAP-GTC session is a bad idea, + # the users password will go over the wire in plain-text, + # for anyone to see. + # + gtc { + # The default challenge, which many clients + # ignore.. + #challenge = "Password: " + + # The plain-text response which comes back + # is put into a User-Password attribute, + # and passed to another module for + # authentication. This allows the EAP-GTC + # response to be checked against plain-text, + # or crypt'd passwords. + # + # If you say "Local" instead of "PAP", then + # the module will look for a User-Password + # configured for the request, and do the + # authentication itself. + # + auth_type = PAP + } + + ## EAP-TLS + # + # To generate ctest certificates, run the script + # + # ../scripts/certs.sh + # + # The documents on http://www.freeradius.org/doc + # are old, but may be helpful. + # + # See also: + # + # http://www.dslreports.com/forum/remark,9286052~mode=flat + # + #tls { + # private_key_password = whatever + # private_key_file = ${raddbdir}/certs/cert-srv.pem + + # If Private key & Certificate are located in + # the same file, then private_key_file & + # certificate_file must contain the same file + # name. + # certificate_file = ${raddbdir}/certs/cert-srv.pem + + # Trusted Root CA list + # CA_file = ${raddbdir}/certs/demoCA/cacert.pem + + + # + # For DH cipher suites to work, you have to + # run OpenSSL to create the DH file first: + # + # openssl dhparam -out certs/dh 1024 + # + # dh_file = ${raddbdir}/certs/dh + # random_file = ${raddbdir}/certs/random + + # + # This can never exceed the size of a RADIUS + # packet (4096 bytes), and is preferably half + # that, to accomodate other attributes in + # RADIUS packet. On most APs the MAX packet + # length is configured between 1500 - 1600 + # In these cases, fragment size should be + # 1024 or less. + # + # fragment_size = 1024 + + # include_length is a flag which is + # by default set to yes If set to + # yes, Total Length of the message is + # included in EVERY packet we send. + # If set to no, Total Length of the + # message is included ONLY in the + # First packet of a fragment series. + # + # include_length = yes + + # Check the Certificate Revocation List + # + # 1) Copy CA certificates and CRLs to same directory. + # 2) Execute 'c_rehash '. + # 'c_rehash' is OpenSSL's command. + # 3) Add 'CA_path=' + # to radiusd.conf's tls section. + # 4) uncomment the line below. + # 5) Restart radiusd + # check_crl = yes + + # + # If check_cert_issuer is set, the value will + # be checked against the DN of the issuer in + # the client certificate. If the values do not + # match, the cerficate verification will fail, + # rejecting the user. + # + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + + # + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # + # This check is done only if the previous + # "check_cert_issuer" is not set, or if + # the check succeeds. + # + # check_cert_cn = %{User-Name} + # + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + # cipher_list = "DEFAULT" + #} + + # The TTLS module implements the EAP-TTLS protocol, + # which can be described as EAP inside of Diameter, + # inside of TLS, inside of EAP, inside of RADIUS... + # + # Surprisingly, it works quite well. + # + # The TTLS module needs the TLS module to be installed + # and configured, in order to use the TLS tunnel + # inside of the EAP packet. You will still need to + # configure the TLS module, even if you do not want + # to deploy EAP-TLS in your network. Users will not + # be able to request EAP-TLS, as it requires them to + # have a client certificate. EAP-TTLS does not + # require a client certificate. + # + #ttls { + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # TTLS tunnel, we recommend using EAP-MD5. + # If the request does not contain an EAP + # conversation, then this configuration entry + # is ignored. + # default_eap_type = md5 + + # The tunneled authentication request does + # not usually contain useful attributes + # like 'Calling-Station-Id', etc. These + # attributes are outside of the tunnel, + # and normally unavailable to the tunneled + # authentication request. + # + # By setting this configuration entry to + # 'yes', any attribute which NOT in the + # tunneled authentication request, but + # which IS available outside of the tunnel, + # is copied to the tunneled request. + # + # allowed values: {no, yes} + # copy_request_to_tunnel = no + + # The reply attributes sent to the NAS are + # usually based on the name of the user + # 'outside' of the tunnel (usually + # 'anonymous'). If you want to send the + # reply attributes based on the user name + # inside of the tunnel, then set this + # configuration entry to 'yes', and the reply + # to the NAS will be taken from the reply to + # the tunneled request. + # + # allowed values: {no, yes} + # use_tunneled_reply = no + #} + + ################################################## + # + # !!!!! WARNINGS for Windows compatibility !!!!! + # + ################################################## + # + # If you see the server send an Access-Challenge, + # and the client never sends another Access-Request, + # then + # + # STOP! + # + # The server certificate has to have special OID's + # in it, or else the Microsoft clients will silently + # fail. See the "scripts/xpextensions" file for + # details, and the following page: + # + # http://support.microsoft.com/kb/814394/en-us + # + # For additional Windows XP SP2 issues, see: + # + # http://support.microsoft.com/kb/885453/en-us + # + # Note that we do not necessarily agree with their + # explanation... but the fix does appear to work. + # + ################################################## + + # + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TLS/PEAP tunnel, we + # recommend using EAP-MS-CHAPv2. + # + # The PEAP module needs the TLS module to be installed + # and configured, in order to use the TLS tunnel + # inside of the EAP packet. You will still need to + # configure the TLS module, even if you do not want + # to deploy EAP-TLS in your network. Users will not + # be able to request EAP-TLS, as it requires them to + # have a client certificate. EAP-PEAP does not + # require a client certificate. + # + # peap { + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # PEAP tunnel, we recommend using MS-CHAPv2, + # as that is the default type supported by + # Windows clients. + # default_eap_type = mschapv2 + + # the PEAP module also has these configuration + # items, which are the same as for TTLS. + # copy_request_to_tunnel = no + # use_tunneled_reply = no + + # When the tunneled session is proxied, the + # home server may not understand EAP-MSCHAP-V2. + # Set this entry to "no" to proxy the tunneled + # EAP-MSCHAP-V2 as normal MSCHAPv2. + # proxy_tunneled_request_as_eap = yes + #} + + # + # This takes no configuration. + # + # Note that it is the EAP MS-CHAPv2 sub-module, not + # the main 'mschap' module. + # + # Note also that in order for this sub-module to work, + # the main 'mschap' module MUST ALSO be configured. + # + # This module is the *Microsoft* implementation of MS-CHAPv2 + # in EAP. There is another (incompatible) implementation + # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not + # currently support. + # + mschapv2 { + } + } + diff --git a/files/etc/freeradius/eap.conf.template b/files/etc/freeradius/eap.conf.template new file mode 100644 index 0000000..1280deb --- /dev/null +++ b/files/etc/freeradius/eap.conf.template @@ -0,0 +1,335 @@ +# -*- text -*- +# +# Whatever you do, do NOT set 'Auth-Type := EAP'. The server +# is smart enough to figure this out on its own. The most +# common side effect of setting 'Auth-Type := EAP' is that the +# users then cannot use ANY other authentication method. +# +# $Id: eap.conf,v 1.4.4.4 2006/10/18 19:15:14 aland Exp $ +# + eap { + # Invoke the default supported EAP type when + # EAP-Identity response is received. + # + # The incoming EAP messages DO NOT specify which EAP + # type they will be using, so it MUST be set here. + # + # For now, only one default EAP type may be used at a time. + # + # If the EAP-Type attribute is set by another module, + # then that EAP type takes precedence over the + # default type configured here. + # + default_eap_type = ttls + + # A list is maintained to correlate EAP-Response + # packets with EAP-Request packets. After a + # configurable length of time, entries in the list + # expire, and are deleted. + # + timer_expire = 60 + + # There are many EAP types, but the server has support + # for only a limited subset. If the server receives + # a request for an EAP type it does not support, then + # it normally rejects the request. By setting this + # configuration to "yes", you can tell the server to + # instead keep processing the request. Another module + # MUST then be configured to proxy the request to + # another RADIUS server which supports that EAP type. + # + # If another module is NOT configured to handle the + # request, then the request will still end up being + # rejected. + ignore_unknown_eap_types = no + + # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given + # a User-Name attribute in an Access-Accept, it copies one + # more byte than it should. + # + # We can work around it by configurably adding an extra + # zero byte. + cisco_accounting_username_bug = no + + # Supported EAP-types + + # + # We do NOT recommend using EAP-MD5 authentication + # for wireless connections. It is insecure, and does + # not provide for dynamic WEP keys. + # + #md5 { + #} + + # Cisco LEAP + # + # We do not recommend using LEAP in new deployments. See: + # http://www.securiteam.com/tools/5TP012ACKE.html + # + # Cisco LEAP uses the MS-CHAP algorithm (but not + # the MS-CHAP attributes) to perform it's authentication. + # + # As a result, LEAP *requires* access to the plain-text + # User-Password, or the NT-Password attributes. + # 'System' authentication is impossible with LEAP. + # + #leap { + #} + + # Generic Token Card. + # + # Currently, this is only permitted inside of EAP-TTLS, + # or EAP-PEAP. The module "challenges" the user with + # text, and the response from the user is taken to be + # the User-Password. + # + # Proxying the tunneled EAP-GTC session is a bad idea, + # the users password will go over the wire in plain-text, + # for anyone to see. + # + #gtc { + # The default challenge, which many clients + # ignore.. + #challenge = "Password: " + + # The plain-text response which comes back + # is put into a User-Password attribute, + # and passed to another module for + # authentication. This allows the EAP-GTC + # response to be checked against plain-text, + # or crypt'd passwords. + # + # If you say "Local" instead of "PAP", then + # the module will look for a User-Password + # configured for the request, and do the + # authentication itself. + # + # auth_type = PAP + #} + + ## EAP-TLS + # + # To generate ctest certificates, run the script + # + # ../scripts/certs.sh + # + # The documents on http://www.freeradius.org/doc + # are old, but may be helpful. + # + # See also: + # + # http://www.dslreports.com/forum/remark,9286052~mode=flat + # + tls { + private_key_password = #PASSWORD# + private_key_file = ${raddbdir}/certs/cert-srv.pem + + # If Private key & Certificate are located in + # the same file, then private_key_file & + # certificate_file must contain the same file + # name. + certificate_file = ${raddbdir}/certs/cert-srv.pem + + # Trusted Root CA list + CA_file = ${raddbdir}/certs/root.pem + + dh_file = ${raddbdir}/certs/dh + random_file = /dev/urandom + + # + # This can never exceed the size of a RADIUS + # packet (4096 bytes), and is preferably half + # that, to accomodate other attributes in + # RADIUS packet. On most APs the MAX packet + # length is configured between 1500 - 1600 + # In these cases, fragment size should be + # 1024 or less. + # + fragment_size = 1024 + + # include_length is a flag which is + # by default set to yes If set to + # yes, Total Length of the message is + # included in EVERY packet we send. + # If set to no, Total Length of the + # message is included ONLY in the + # First packet of a fragment series. + # + include_length = yes + + # Check the Certificate Revocation List + # + # 1) Copy CA certificates and CRLs to same directory. + # 2) Execute 'c_rehash '. + # 'c_rehash' is OpenSSL's command. + # 3) Add 'CA_path=' + # to radiusd.conf's tls section. + # 4) uncomment the line below. + # 5) Restart radiusd + check_crl = yes + + # + # If check_cert_issuer is set, the value will + # be checked against the DN of the issuer in + # the client certificate. If the values do not + # match, the cerficate verification will fail, + # rejecting the user. + # + # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" + + # + # If check_cert_cn is set, the value will + # be xlat'ed and checked against the CN + # in the client certificate. If the values + # do not match, the certificate verification + # will fail rejecting the user. + # + # This check is done only if the previous + # "check_cert_issuer" is not set, or if + # the check succeeds. + # + # check_cert_cn = %{User-Name} + # + # Set this option to specify the allowed + # TLS cipher suites. The format is listed + # in "man 1 ciphers". + # cipher_list = "DEFAULT" + } + + # The TTLS module implements the EAP-TTLS protocol, + # which can be described as EAP inside of Diameter, + # inside of TLS, inside of EAP, inside of RADIUS... + # + # Surprisingly, it works quite well. + # + # The TTLS module needs the TLS module to be installed + # and configured, in order to use the TLS tunnel + # inside of the EAP packet. You will still need to + # configure the TLS module, even if you do not want + # to deploy EAP-TLS in your network. Users will not + # be able to request EAP-TLS, as it requires them to + # have a client certificate. EAP-TTLS does not + # require a client certificate. + # + ttls { + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # TTLS tunnel, we recommend using EAP-MD5. + # If the request does not contain an EAP + # conversation, then this configuration entry + # is ignored. + # default_eap_type = md5 + + # The tunneled authentication request does + # not usually contain useful attributes + # like 'Calling-Station-Id', etc. These + # attributes are outside of the tunnel, + # and normally unavailable to the tunneled + # authentication request. + # + # By setting this configuration entry to + # 'yes', any attribute which NOT in the + # tunneled authentication request, but + # which IS available outside of the tunnel, + # is copied to the tunneled request. + # + # allowed values: {no, yes} + copy_request_to_tunnel = yes + + # The reply attributes sent to the NAS are + # usually based on the name of the user + # 'outside' of the tunnel (usually + # 'anonymous'). If you want to send the + # reply attributes based on the user name + # inside of the tunnel, then set this + # configuration entry to 'yes', and the reply + # to the NAS will be taken from the reply to + # the tunneled request. + # + # allowed values: {no, yes} + use_tunneled_reply = yes + } + + ################################################## + # + # !!!!! WARNINGS for Windows compatibility !!!!! + # + ################################################## + # + # If you see the server send an Access-Challenge, + # and the client never sends another Access-Request, + # then + # + # STOP! + # + # The server certificate has to have special OID's + # in it, or else the Microsoft clients will silently + # fail. See the "scripts/xpextensions" file for + # details, and the following page: + # + # http://support.microsoft.com/kb/814394/en-us + # + # For additional Windows XP SP2 issues, see: + # + # http://support.microsoft.com/kb/885453/en-us + # + # Note that we do not necessarily agree with their + # explanation... but the fix does appear to work. + # + ################################################## + + # + # The tunneled EAP session needs a default EAP type + # which is separate from the one for the non-tunneled + # EAP module. Inside of the TLS/PEAP tunnel, we + # recommend using EAP-MS-CHAPv2. + # + # The PEAP module needs the TLS module to be installed + # and configured, in order to use the TLS tunnel + # inside of the EAP packet. You will still need to + # configure the TLS module, even if you do not want + # to deploy EAP-TLS in your network. Users will not + # be able to request EAP-TLS, as it requires them to + # have a client certificate. EAP-PEAP does not + # require a client certificate. + # + # peap { + # The tunneled EAP session needs a default + # EAP type which is separate from the one for + # the non-tunneled EAP module. Inside of the + # PEAP tunnel, we recommend using MS-CHAPv2, + # as that is the default type supported by + # Windows clients. + # default_eap_type = mschapv2 + + # the PEAP module also has these configuration + # items, which are the same as for TTLS. + # copy_request_to_tunnel = no + # use_tunneled_reply = no + + # When the tunneled session is proxied, the + # home server may not understand EAP-MSCHAP-V2. + # Set this entry to "no" to proxy the tunneled + # EAP-MSCHAP-V2 as normal MSCHAPv2. + # proxy_tunneled_request_as_eap = yes + #} + + # + # This takes no configuration. + # + # Note that it is the EAP MS-CHAPv2 sub-module, not + # the main 'mschap' module. + # + # Note also that in order for this sub-module to work, + # the main 'mschap' module MUST ALSO be configured. + # + # This module is the *Microsoft* implementation of MS-CHAPv2 + # in EAP. There is another (incompatible) implementation + # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not + # currently support. + # + #mschapv2 { + #} + } + diff --git a/files/etc/freeradius/hints.expect b/files/etc/freeradius/hints.expect new file mode 100644 index 0000000..2943d08 --- /dev/null +++ b/files/etc/freeradius/hints.expect @@ -0,0 +1,77 @@ +# hints +# +# The hints file. This file is used to match +# a request, and then add attributes to it. This +# process allows a user to login as "bob.ppp" (for example), +# and receive a PPP connection, even if the NAS doesn't +# ask for PPP. The "hints" file is used to match the +# ".ppp" portion of the username, and to add a set of +# "user requested PPP" attributes to the request. +# +# Matching can take place with the the Prefix and Suffix +# attributes, just like in the "users" file. +# These attributes operate ONLY on the username, though. +# +# Note that the attributes that are set for each +# entry are _NOT_ passed back to the terminal server. +# Instead they are added to the information that has +# been _SENT_ by the terminal server. +# +# This extra information can be used in the users file to +# match on. Usually this is done in the DEFAULT entries, +# of which there can be more than one. +# +# In addition a matching entry can transform a username +# for authentication purposes if the "Strip-User-Name" +# variable is set to Yes in an entry (default is Yes). +# +# A special non-protocol name-value pair called "Hint" +# can be set to match on in the "users" file. +# +# The following is how most ISPs want to set this up. +# +# Version: $Id: hints,v 1.4 2004/01/29 16:42:43 aland Exp $ +# + + +#DEFAULT Suffix == ".ppp", Strip-User-Name = Yes +# Hint = "PPP", +# Service-Type = Framed-User, +# Framed-Protocol = PPP +# +#DEFAULT Suffix == ".slip", Strip-User-Name = Yes +# Hint = "SLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP +# +#DEFAULT Suffix == ".cslip", Strip-User-Name = Yes +# Hint = "CSLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP, +# Framed-Compression = Van-Jacobson-TCP-IP + +###################################################################### +# +# These entries are old, and commented out by default. +# They confuse too many people when "Peter" logs in, and the +# server thinks that the user "eter" is asking for PPP. +# +#DEFAULT Prefix == "U", Strip-User-Name = No +# Hint = "UUCP" + +#DEFAULT Prefix == "P", Strip-User-Name = Yes +# Hint = "PPP", +# Service-Type = Framed-User, +# Framed-Protocol = PPP + +#DEFAULT Prefix == "S", Strip-User-Name = Yes +# Hint = "SLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP + +#DEFAULT Prefix == "C", Strip-User-Name = Yes +# Hint = "CSLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP, +# Framed-Compression = Van-Jacobson-TCP-IP + diff --git a/files/etc/freeradius/hints.restore b/files/etc/freeradius/hints.restore new file mode 100644 index 0000000..a4986e6 --- /dev/null +++ b/files/etc/freeradius/hints.restore @@ -0,0 +1,77 @@ +# hints +# +# The hints file. This file is used to match +# a request, and then add attributes to it. This +# process allows a user to login as "bob.ppp" (for example), +# and receive a PPP connection, even if the NAS doesn't +# ask for PPP. The "hints" file is used to match the +# ".ppp" portion of the username, and to add a set of +# "user requested PPP" attributes to the request. +# +# Matching can take place with the the Prefix and Suffix +# attributes, just like in the "users" file. +# These attributes operate ONLY on the username, though. +# +# Note that the attributes that are set for each +# entry are _NOT_ passed back to the terminal server. +# Instead they are added to the information that has +# been _SENT_ by the terminal server. +# +# This extra information can be used in the users file to +# match on. Usually this is done in the DEFAULT entries, +# of which there can be more than one. +# +# In addition a matching entry can transform a username +# for authentication purposes if the "Strip-User-Name" +# variable is set to Yes in an entry (default is Yes). +# +# A special non-protocol name-value pair called "Hint" +# can be set to match on in the "users" file. +# +# The following is how most ISPs want to set this up. +# +# Version: $Id: hints,v 1.4 2004/01/29 16:42:43 aland Exp $ +# + + +DEFAULT Suffix == ".ppp", Strip-User-Name = Yes + Hint = "PPP", + Service-Type = Framed-User, + Framed-Protocol = PPP + +DEFAULT Suffix == ".slip", Strip-User-Name = Yes + Hint = "SLIP", + Service-Type = Framed-User, + Framed-Protocol = SLIP + +DEFAULT Suffix == ".cslip", Strip-User-Name = Yes + Hint = "CSLIP", + Service-Type = Framed-User, + Framed-Protocol = SLIP, + Framed-Compression = Van-Jacobson-TCP-IP + +###################################################################### +# +# These entries are old, and commented out by default. +# They confuse too many people when "Peter" logs in, and the +# server thinks that the user "eter" is asking for PPP. +# +#DEFAULT Prefix == "U", Strip-User-Name = No +# Hint = "UUCP" + +#DEFAULT Prefix == "P", Strip-User-Name = Yes +# Hint = "PPP", +# Service-Type = Framed-User, +# Framed-Protocol = PPP + +#DEFAULT Prefix == "S", Strip-User-Name = Yes +# Hint = "SLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP + +#DEFAULT Prefix == "C", Strip-User-Name = Yes +# Hint = "CSLIP", +# Service-Type = Framed-User, +# Framed-Protocol = SLIP, +# Framed-Compression = Van-Jacobson-TCP-IP + diff --git a/files/etc/freeradius/ldap.attrmap.expect b/files/etc/freeradius/ldap.attrmap.expect new file mode 100644 index 0000000..6216e2e --- /dev/null +++ b/files/etc/freeradius/ldap.attrmap.expect @@ -0,0 +1,24 @@ +# +# Mapping of RADIUS dictionary attributes to LDAP directory attributes +# to be used by LDAP authentication and authorization module (rlm_ldap) +# +# Format: +# ItemType RADIUS-Attribute-Name ldapAttributeName +# +# Where: +# ItemType = checkItem or replyItem +# RADIUS-Attribute-Name = attribute name in RADIUS dictionary +# ldapAttributeName = attribute name in LDAP schema +# +# If $ is specified as RADIUS-Attribute-Name, the line specifies +# a LDAP attribute which can be used to store any RADIUS +# attribute/value-pair in LDAP directory. +# +# You should edit this file to suit it to your needs. +# + +replyItem Connect-Info hrEduPersonExpireDate +replyItem Class hrEduPersonUniqueNumber +replyItem Configuration-Token hrEduPersonPrimaryAffiliation +replyItem Callback-Number hrEduPersonUniqueID + diff --git a/files/etc/freeradius/ldap.attrmap.restore b/files/etc/freeradius/ldap.attrmap.restore new file mode 100644 index 0000000..e686556 --- /dev/null +++ b/files/etc/freeradius/ldap.attrmap.restore @@ -0,0 +1,60 @@ +# +# Mapping of RADIUS dictionary attributes to LDAP directory attributes +# to be used by LDAP authentication and authorization module (rlm_ldap) +# +# Format: +# ItemType RADIUS-Attribute-Name ldapAttributeName +# +# Where: +# ItemType = checkItem or replyItem +# RADIUS-Attribute-Name = attribute name in RADIUS dictionary +# ldapAttributeName = attribute name in LDAP schema +# +# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies +# a LDAP attribute which can be used to store any RADIUS +# attribute/value-pair in LDAP directory. +# +# You should edit this file to suit it to your needs. +# + +checkItem $GENERIC$ radiusCheckItem +replyItem $GENERIC$ radiusReplyItem + +checkItem Auth-Type radiusAuthType +checkItem Simultaneous-Use radiusSimultaneousUse +checkItem Called-Station-Id radiusCalledStationId +checkItem Calling-Station-Id radiusCallingStationId +checkItem LM-Password lmPassword +checkItem NT-Password ntPassword +checkItem SMB-Account-CTRL-TEXT acctFlags +checkItem Expiration radiusExpiration +checkItem NAS-IP-Address radiusNASIpAddress + +replyItem Service-Type radiusServiceType +replyItem Framed-Protocol radiusFramedProtocol +replyItem Framed-IP-Address radiusFramedIPAddress +replyItem Framed-IP-Netmask radiusFramedIPNetmask +replyItem Framed-Route radiusFramedRoute +replyItem Framed-Routing radiusFramedRouting +replyItem Filter-Id radiusFilterId +replyItem Framed-MTU radiusFramedMTU +replyItem Framed-Compression radiusFramedCompression +replyItem Login-IP-Host radiusLoginIPHost +replyItem Login-Service radiusLoginService +replyItem Login-TCP-Port radiusLoginTCPPort +replyItem Callback-Number radiusCallbackNumber +replyItem Callback-Id radiusCallbackId +replyItem Framed-IPX-Network radiusFramedIPXNetwork +replyItem Class radiusClass +replyItem Session-Timeout radiusSessionTimeout +replyItem Idle-Timeout radiusIdleTimeout +replyItem Termination-Action radiusTerminationAction +replyItem Login-LAT-Service radiusLoginLATService +replyItem Login-LAT-Node radiusLoginLATNode +replyItem Login-LAT-Group radiusLoginLATGroup +replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink +replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork +replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone +replyItem Port-Limit radiusPortLimit +replyItem Login-LAT-Port radiusLoginLATPort +replyItem Reply-Message radiusReplyMessage diff --git a/files/etc/freeradius/proxy.conf.restore b/files/etc/freeradius/proxy.conf.restore new file mode 100644 index 0000000..032b7a0 --- /dev/null +++ b/files/etc/freeradius/proxy.conf.restore @@ -0,0 +1,288 @@ +# +# proxy.conf - proxy radius and realm configuration directives +# +# This file is included by default. To disable it, you will need +# to modify the PROXY CONFIGURATION section of "radiusd.conf". +# +####################################################################### +# +# Proxy server configuration +# +# This entry controls the servers behaviour towards ALL other servers +# to which it sends proxy requests. +# +proxy server { + +# +# If the NAS re-sends the request to us, we can immediately re-send +# the proxy request to the end server. To do so, use 'yes' here. +# +# If this is set to 'no', then we send the retries on our own schedule, +# and ignore any duplicate NAS requests. +# +# If you want to have the server send proxy retries ONLY when the NAS +# sends it's retries to the server, then set this to 'yes', and +# set the other proxy configuration parameters to 0 (zero). +# +# Additionally, if you want 'failover' to work, the server must manage +# retries and timeouts. Therefore, if this is set to yes, then no +# failover functionality is possible. +# + synchronous = no + +# +# The time (in seconds) to wait for a response from the proxy, before +# re-sending the proxied request. +# +# If this time is set too high, then the NAS may re-send the request, +# or it may give up entirely, and reject the user. +# +# If it is set too low, then the RADIUS server which receives the proxy +# request will get kicked unnecessarily. +# + retry_delay = 5 + +# +# The number of retries to send before giving up, and sending a reject +# message to the NAS. +# + retry_count = 3 + +# +# If the home server does not respond to any of the multiple retries, +# then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'. +# +# If there are multiple entries configured for this realm, then the +# server will fail-over to the next one listed. If no more are listed, +# then no requests will be proxied to that realm. +# +# +# After a configurable 'dead_time', in seconds, FreeRADIUS will +# speculatively mark the home server active, and start sending requests +# to it again. +# +# If this dead time is set too low, then you will lose requests, +# as FreeRADIUS will quickly switch back to the home server, even if +# it isn't up again. +# +# If this dead time is set too high, then FreeRADIUS may take too long +# to switch back to the primary home server. +# +# Realistic values for this number are in the range of minutes to hours. +# (60 to 3600) +# + dead_time = 120 + +# An ldflag attribute for all realms to be included in a round-robin +# setup must be specified, and that ldflag must be the same for all +# realms of the same name. +# Currently (0 or fail_over) and (1 or round_robin) are the +# supported values for ldflag. Fail over is the default setup. +# +# DO NOT INCLUDE LOCAL AUTH/ACCT HOST REALMS IN A ROUND-ROBIN QUEUE. + + +# +# If all exact matching realms did not respond, we can try the +# DEFAULT realm, too. This is what the server normally does. +# +# This behaviour may be undesired for some cases. e.g. You are proxying +# for two different ISP's, and then act as a general dial-up for Gric. +# If one of the first two ISP's has their RADIUS server go down, you do +# NOT want to proxy those requests to GRIC. Instead, you probably want +# to just drop the requests on the floor. In that case, set this value +# to 'no'. +# +# allowed values: {yes, no} +# + default_fallback = yes + +# +# Older versions of the server would pass proxy requests through the +# 'authorize' sections twice; once when the packet was received +# from the NAS, and again after the reply was received from the home +# server. Now that we have a 'post_proxy' section, the replies from +# the home server should be sent through that, instead of through +# the 'authorize' section again. +# +# However, for backwards compatibility, this behaviour is configurable. +# The default configuration is 'no', because this option is deprecated +# and will be removed in the future. +# +# allowed values: {yes, no} +# + post_proxy_authorize = no + +} + +####################################################################### +# +# Configuration for the proxy realms. +# +# The information given here is used in conjunction with the 'realms' +# file. This format is preferred, as it is more flexible. The realms +# listed here take priority over those listed in the 'realms' file. + +# A standard realm entry. A request from "user@company.com" will be +# sent to radius.company.com as "user", unless the 'nostrip' +# configuration item is specified. If the 'nostrip' configuration +# item is specified, then the request will be proxied as +# "user@company.com" +# +#realm company.com { +# type = radius +# authhost = radius.company.com:1600 +# accthost = radius.company.com:1601 +# secret = testing123 +#} + +# A realm entry with an optional fail-over realm. A request from +# "user@isp2.com" will be sent to radius.isp2.com as "user@isp2.com", +# because the 'nostrip' directive is specified for this realm. +# +#realm isp2.com { +# type = radius +# authhost = radius.isp2.com:1645 +# accthost = radius.isp2.com:1646 +# secret = TheirKey +# nostrip +#} +# +# The fail-over realm for isp2.com +# +#realm isp2.com { +# type = radius +# authhost = radius2.isp2.com:1645 +# accthost = radius2.isp2.com:1646 +# secret = TheirKey2 +# nostrip +#} + +# +# 1st node serv.com...set up for round-robin. +# +# The load balancing 'ldflag' attribute can be used to perform +# load balancing. Allowed values are 'fail_over' and 'round_robin'. +# +# If there is no ldflag attribute, or it is set to 'fail_over', then +# the realms are treated as "fail-over". That is, the first matching +# realm is used, unless it is down, in which case the realm "fails +# over" to the second matching realm. The process continues until an +# active matching realm is found, OR the DEFAULT realm is returned. +# +# If the ldflag attribute is set to 'round_robin', then all active +# realms of the same name are put into a pool internally in the +# server, and the proxied requests are evenly divided among the +# realms in the pool. For this to work, all realms of the same name +# MUST have the same value of their 'ldflag' attributes. Mixing up +# different types of load balancing schemes for the same realm will +# cause problems. +# +# The round_robin load balancing method is a probabilistic method +# which evenly scatters the requests among the home servers. +# +# Note that you CANNOT include local auth/acct host realms in a +# round-robin queue. Having a server load balance requests to itself +# doesn't make any sense, as it only doubles the amount of work +# which is needed to be done. +# +#realm serv.com { +# type = radius +# authhost = radius.serv.com:1645 +# accthost = radius.serv.com:1646 +# secret = TheirKey +# ldflag = round_robin +# nostrip +#} + +# +# Another node for serv.com +# +#realm serv.com { +# type = radius +# authhost = radius2.serv.com:1645 +# accthost = radius2.serv.com:1646 +# secret = TheirKey2 +# ldflag = round_robin +# nostrip +#} + +# +# A third round-robin node realm for serv.com +# +#realm serv.com { +# type = radius +# authhost = radius3.serv.com:1645 +# accthost = radius3.serv.com:1646 +# secret = TheirKey2 +# ldflag = round_robin +# nostrip +#} +# +# + +# +# This is a local realm. The requests are NOT proxied, +# but instead are authenticated by the RADIUS server itself. +# +# You don't need a secret if BOTH 'authhost' and 'accthost' are +# set to LOCAL. +# +#realm bla.com { +# type = radius +# authhost = LOCAL +# accthost = LOCAL +#} + +# +# This is a sample entry for iPass. +# +#realm IPASS { +# type = radius +# authhost = ipass.server.hostname:11812 +# accthost = ipass.server.hostname:11813 +# + # The shared secret here must be the same + # value as the secret of the NetServer found in the + # /usr/ipass/raddb/clients file of your NetServer software. +# secret = mysecret +# nostrip +#} + +# +# This realm is used mainly to cancel proxying. You can have +# the "realm suffix" module configured to proxy all requests for +# a realm, and then later cancel the proxying, based on other +# configuration. +# +# For example, you want to terminate PEAP or EAP-TTLS locally, +# you can add the following to the "users" file: +# +# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL +# +realm LOCAL { + type = radius + authhost = LOCAL + accthost = LOCAL +} + +# +# This realm is for requests which don't have an explicit realm +# prefix or suffix. User names like "bob" will match this one. +# +#realm NULL { +# type = radius +# authhost = radius.company.com:1600 +# accthost = radius.company.com:1601 +# secret = testing123 +#} + +# +# This realm is for ALL OTHER requests. +# +#realm DEFAULT { +# type = radius +# authhost = radius.company.com:1600 +# accthost = radius.company.com:1601 +# secret = testing123 +#} diff --git a/files/etc/freeradius/proxy.conf.template b/files/etc/freeradius/proxy.conf.template new file mode 100644 index 0000000..b40eb4e --- /dev/null +++ b/files/etc/freeradius/proxy.conf.template @@ -0,0 +1,296 @@ +# +# proxy.conf - proxy radius and realm configuration directives +# +# This file is included by default. To disable it, you will need +# to modify the PROXY CONFIGURATION section of "radiusd.conf". +# +####################################################################### +# +# Proxy server configuration +# +# This entry controls the servers behaviour towards ALL other servers +# to which it sends proxy requests. +# +proxy server { + +# +# If the NAS re-sends the request to us, we can immediately re-send +# the proxy request to the end server. To do so, use 'yes' here. +# +# If this is set to 'no', then we send the retries on our own schedule, +# and ignore any duplicate NAS requests. +# +# If you want to have the server send proxy retries ONLY when the NAS +# sends it's retries to the server, then set this to 'yes', and +# set the other proxy configuration parameters to 0 (zero). +# +# Additionally, if you want 'failover' to work, the server must manage +# retries and timeouts. Therefore, if this is set to yes, then no +# failover functionality is possible. +# + synchronous = no + +# +# The time (in seconds) to wait for a response from the proxy, before +# re-sending the proxied request. +# +# If this time is set too high, then the NAS may re-send the request, +# or it may give up entirely, and reject the user. +# +# If it is set too low, then the RADIUS server which receives the proxy +# request will get kicked unnecessarily. +# + retry_delay = 5 + +# +# The number of retries to send before giving up, and sending a reject +# message to the NAS. +# + retry_count = 1 + +# +# If the home server does not respond to any of the multiple retries, +# then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'. +# +# If there are multiple entries configured for this realm, then the +# server will fail-over to the next one listed. If no more are listed, +# then no requests will be proxied to that realm. +# +# +# After a configurable 'dead_time', in seconds, FreeRADIUS will +# speculatively mark the home server active, and start sending requests +# to it again. +# +# If this dead time is set too low, then you will lose requests, +# as FreeRADIUS will quickly switch back to the home server, even if +# it isn't up again. +# +# If this dead time is set too high, then FreeRADIUS may take too long +# to switch back to the primary home server. +# +# Realistic values for this number are in the range of minutes to hours. +# (60 to 3600) +# + dead_time = 30 + +# An ldflag attribute for all realms to be included in a round-robin +# setup must be specified, and that ldflag must be the same for all +# realms of the same name. +# Currently (0 or fail_over) and (1 or round_robin) are the +# supported values for ldflag. Fail over is the default setup. +# +# DO NOT INCLUDE LOCAL AUTH/ACCT HOST REALMS IN A ROUND-ROBIN QUEUE. + + +# +# If all exact matching realms did not respond, we can try the +# DEFAULT realm, too. This is what the server normally does. +# +# This behaviour may be undesired for some cases. e.g. You are proxying +# for two different ISP's, and then act as a general dial-up for Gric. +# If one of the first two ISP's has their RADIUS server go down, you do +# NOT want to proxy those requests to GRIC. Instead, you probably want +# to just drop the requests on the floor. In that case, set this value +# to 'no'. +# +# allowed values: {yes, no} +# + default_fallback = yes + +# +# Older versions of the server would pass proxy requests through the +# 'authorize' sections twice; once when the packet was received +# from the NAS, and again after the reply was received from the home +# server. Now that we have a 'post_proxy' section, the replies from +# the home server should be sent through that, instead of through +# the 'authorize' section again. +# +# However, for backwards compatibility, this behaviour is configurable. +# The default configuration is 'no', because this option is deprecated +# and will be removed in the future. +# +# allowed values: {yes, no} +# + post_proxy_authorize = no + +} + +####################################################################### +# +# Configuration for the proxy realms. +# +# The information given here is used in conjunction with the 'realms' +# file. This format is preferred, as it is more flexible. The realms +# listed here take priority over those listed in the 'realms' file. + +# A standard realm entry. A request from "user@company.com" will be +# sent to radius.company.com as "user", unless the 'nostrip' +# configuration item is specified. If the 'nostrip' configuration +# item is specified, then the request will be proxied as +# "user@company.com" +# +#realm company.com { +# type = radius +# authhost = radius.company.com:1600 +# accthost = radius.company.com:1601 +# secret = testing123 +#} + +# A realm entry with an optional fail-over realm. A request from +# "user@isp2.com" will be sent to radius.isp2.com as "user@isp2.com", +# because the 'nostrip' directive is specified for this realm. +# +#realm isp2.com { +# type = radius +# authhost = radius.isp2.com:1645 +# accthost = radius.isp2.com:1646 +# secret = TheirKey +# nostrip +#} +# +# The fail-over realm for isp2.com +# +#realm isp2.com { +# type = radius +# authhost = radius2.isp2.com:1645 +# accthost = radius2.isp2.com:1646 +# secret = TheirKey2 +# nostrip +#} + +# +# 1st node serv.com...set up for round-robin. +# +# The load balancing 'ldflag' attribute can be used to perform +# load balancing. Allowed values are 'fail_over' and 'round_robin'. +# +# If there is no ldflag attribute, or it is set to 'fail_over', then +# the realms are treated as "fail-over". That is, the first matching +# realm is used, unless it is down, in which case the realm "fails +# over" to the second matching realm. The process continues until an +# active matching realm is found, OR the DEFAULT realm is returned. +# +# If the ldflag attribute is set to 'round_robin', then all active +# realms of the same name are put into a pool internally in the +# server, and the proxied requests are evenly divided among the +# realms in the pool. For this to work, all realms of the same name +# MUST have the same value of their 'ldflag' attributes. Mixing up +# different types of load balancing schemes for the same realm will +# cause problems. +# +# The round_robin load balancing method is a probabilistic method +# which evenly scatters the requests among the home servers. +# +# Note that you CANNOT include local auth/acct host realms in a +# round-robin queue. Having a server load balance requests to itself +# doesn't make any sense, as it only doubles the amount of work +# which is needed to be done. +# +#realm serv.com { +# type = radius +# authhost = radius.serv.com:1645 +# accthost = radius.serv.com:1646 +# secret = TheirKey +# ldflag = round_robin +# nostrip +#} + +# +# Another node for serv.com +# +#realm serv.com { +# type = radius +# authhost = radius2.serv.com:1645 +# accthost = radius2.serv.com:1646 +# secret = TheirKey2 +# ldflag = round_robin +# nostrip +#} + +# +# A third round-robin node realm for serv.com +# +#realm serv.com { +# type = radius +# authhost = radius3.serv.com:1645 +# accthost = radius3.serv.com:1646 +# secret = TheirKey2 +# ldflag = round_robin +# nostrip +#} +# +# + +# +# This is a local realm. The requests are NOT proxied, +# but instead are authenticated by the RADIUS server itself. +# +# You don't need a secret if BOTH 'authhost' and 'accthost' are +# set to LOCAL. +# +#realm bla.com { +# type = radius +# authhost = LOCAL +# accthost = LOCAL +#} + +# +# This is a sample entry for iPass. +# +#realm IPASS { +# type = radius +# authhost = ipass.server.hostname:11812 +# accthost = ipass.server.hostname:11813 +# + # The shared secret here must be the same + # value as the secret of the NetServer found in the + # /usr/ipass/raddb/clients file of your NetServer software. +# secret = mysecret +# nostrip +#} + +# +# This realm is used mainly to cancel proxying. You can have +# the "realm suffix" module configured to proxy all requests for +# a realm, and then later cancel the proxying, based on other +# configuration. +# +# For example, you want to terminate PEAP or EAP-TTLS locally, +# you can add the following to the "users" file: +# +# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL +# +realm LOCAL { + type = radius + authhost = LOCAL + accthost = LOCAL +} + +# +# This realm is for requests which don't have an explicit realm +# prefix or suffix. User names like "bob" will match this one. +# +realm NULL { + type = radius + authhost = LOCAL + accthost = LOCAL +} + +realm #REALM#.hr { + type = radius + authhost = LOCAL + accthost = LOCAL +} + +# +# This realm is for ALL OTHER requests. +# +#realm DEFAULT { +# type = radius +# authhost = LOCAL +# accthost = LOCAL +#} + +# Eduroam configuration +$INCLUDE ${confdir}/proxy-eduroam.conf + diff --git a/files/etc/freeradius/radiusd.conf.expect b/files/etc/freeradius/radiusd.conf.expect new file mode 100644 index 0000000..7906089 --- /dev/null +++ b/files/etc/freeradius/radiusd.conf.expect @@ -0,0 +1,2108 @@ +## +## radiusd.conf -- FreeRADIUS server configuration file. +## +## http://www.freeradius.org/ +## $Id: radiusd.conf.in,v 1.188.2.4.2.11 2006/04/20 18:40:29 aland Exp $ +## + +# The location of other config files and +# logfiles are declared in this file +# +# Also general configuration for modules can be done +# in this file, it is exported through the API to +# modules that ask for it. +# +# The configuration variables defined here are of the form ${foo} +# They are local to this file, and do not change from request to +# request. +# +# The per-request variables are of the form %{Attribute-Name}, and +# are taken from the values of the attribute in the incoming +# request. See 'doc/variables.txt' for more information. + +prefix = /usr +exec_prefix = /usr +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = /var/log/freeradius +raddbdir = /etc/freeradius +radacctdir = ${logdir}/radacct + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/freeradius + +# +# The logging messages for the server are appended to the +# tail of this file. +# +log_file = ${logdir}/radius.log + +# +# libdir: Where to find the rlm_* modules. +# +# This should be automatically set at configuration time. +# +# If the server builds and installs, but fails at execution time +# with an 'undefined symbol' error, then you can use the libdir +# directive to work around the problem. +# +# The cause is usually that a library has been installed on your +# system in a place where the dynamic linker CANNOT find it. When +# executing as root (or another user), your personal environment MAY +# be set up to allow the dynamic linker to find the library. When +# executing as a daemon, FreeRADIUS MAY NOT have the same +# personalized configuration. +# +# To work around the problem, find out which library contains that symbol, +# and add the directory containing that library to the end of 'libdir', +# with a colon separating the directory names. NO spaces are allowed. +# +# e.g. libdir = /usr/local/lib:/opt/package/lib +# +# You can also try setting the LD_LIBRARY_PATH environment variable +# in a script which starts the server. +# +# If that does not work, then you can re-configure and re-build the +# server to NOT use shared libraries, via: +# +# ./configure --disable-shared +# make +# make install +# +libdir = /usr/lib/freeradius + +# pidfile: Where to place the PID of the RADIUS server. +# +# The server may be signalled while it's running by using this +# file. +# +# This file is written when ONLY running in daemon mode. +# +# e.g.: kill -HUP `cat /var/run/freeradius/freeradius.pid` +# +pidfile = ${run_dir}/freeradius.pid + + +# user/group: The name (or #number) of the user/group to run radiusd as. +# +# If these are commented out, the server will run as the user/group +# that started it. In order to change to a different user/group, you +# MUST be root ( or have root privleges ) to start the server. +# +# We STRONGLY recommend that you run the server with as few permissions +# as possible. That is, if you're not using shadow passwords, the +# user and group items below should be set to 'nobody'. +# +# On SCO (ODT 3) use "user = nouser" and "group = nogroup". +# +# NOTE that some kernels refuse to setgid(group) when the value of +# (unsigned)group is above 60000; don't use group nobody on these systems! +# +# On systems with shadow passwords, you might have to set 'group = shadow' +# for the server to be able to read the shadow password file. If you can +# authenticate users while in debug mode, but not in daemon mode, it may be +# that the debugging mode server is running as a user that can read the +# shadow info, and the user listed below can not. +# +user = freerad +group = freerad + +# max_request_time: The maximum time (in seconds) to handle a request. +# +# Requests which take more time than this to process may be killed, and +# a REJECT message is returned. +# +# WARNING: If you notice that requests take a long time to be handled, +# then this MAY INDICATE a bug in the server, in one of the modules +# used to handle a request, OR in your local configuration. +# +# This problem is most often seen when using an SQL database. If it takes +# more than a second or two to receive an answer from the SQL database, +# then it probably means that you haven't indexed the database. See your +# SQL server documentation for more information. +# +# Useful range of values: 5 to 120 +# +max_request_time = 30 + +# delete_blocked_requests: If the request takes MORE THAN 'max_request_time' +# to be handled, then maybe the server should delete it. +# +# If you're running in threaded, or thread pool mode, this setting +# should probably be 'no'. Setting it to 'yes' when using a threaded +# server MAY cause the server to crash! +# +delete_blocked_requests = no + +# cleanup_delay: The time to wait (in seconds) before cleaning up +# a reply which was sent to the NAS. +# +# The RADIUS request is normally cached internally for a short period +# of time, after the reply is sent to the NAS. The reply packet may be +# lost in the network, and the NAS will not see it. The NAS will then +# re-send the request, and the server will respond quickly with the +# cached reply. +# +# If this value is set too low, then duplicate requests from the NAS +# MAY NOT be detected, and will instead be handled as seperate requests. +# +# If this value is set too high, then the server will cache too many +# requests, and some new requests may get blocked. (See 'max_requests'.) +# +# Useful range of values: 2 to 10 +# +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +# track of. This should be 256 multiplied by the number of clients. +# e.g. With 4 clients, this number should be 1024. +# +# If this number is too low, then when the server becomes busy, +# it will not respond to any new requests, until the 'cleanup_delay' +# time has passed, and it has removed the old requests. +# +# If this number is set too high, then the server will use a bit more +# memory for no real benefit. +# +# If you aren't sure what it should be set to, it's better to set it +# too high than too low. Setting it to 1000 per client is probably +# the highest it should be. +# +# Useful range of values: 256 to infinity +# +max_requests = 1024 + +# bind_address: Make the server listen on a particular IP address, and +# send replies out from that address. This directive is most useful +# for machines with multiple IP addresses on one interface. +# +# It can either contain "*", or an IP address, or a fully qualified +# Internet domain name. The default is "*" +# +# As of 1.0, you can also use the "listen" directive. See below for +# more information. +# +bind_address = * + +# port: Allows you to bind FreeRADIUS to a specific port. +# +# The default port that most NAS boxes use is 1645, which is historical. +# RFC 2138 defines 1812 to be the new port. Many new servers and +# NAS boxes use 1812, which can create interoperability problems. +# +# The port is defined here to be 0 so that the server will pick up +# the machine's local configuration for the radius port, as defined +# in /etc/services. +# +# If you want to use the default RADIUS port as defined on your server, +# (usually through 'grep radius /etc/services') set this to 0 (zero). +# +# A port given on the command-line via '-p' over-rides this one. +# +# As of 1.0, you can also use the "listen" directive. See below for +# more information. +# +port = 0 + +# +# By default, the server uses "bind_address" to listen to all IP's +# on a machine, or just one IP. The "port" configuration is used +# to select the authentication port used when listening on those +# addresses. +# +# If you want the server to listen on additional addresses, you can +# use the "listen" section. A sample section (commented out) is included +# below. This "listen" section duplicates the functionality of the +# "bind_address" and "port" configuration entries, but it only listens +# for authentication packets. +# +# If you comment out the "bind_address" and "port" configuration entries, +# then it becomes possible to make the server accept only accounting, +# or authentication packets. Previously, it always listened for both +# types of packets, and it was impossible to make it listen for only +# one type of packet. +# +#listen { + # IP address on which to listen. + # Allowed values are: + # dotted quad (1.2.3.4) + # hostname (radius.example.com) + # wildcard (*) +# ipaddr = * + + # Port on which to listen. + # Allowed values are: + # integer port number (1812) + # 0 means "use /etc/services for the proper port" +# port = 0 + + # Type of packets to listen for. + # Allowed values are: + # auth listen for authentication packets + # acct listen for accounting packets + # +# type = auth +#} + + +# hostname_lookups: Log the names of clients or just their IP addresses +# e.g., www.freeradius.org (on) or 206.47.27.232 (off). +# +# The default is 'off' because it would be overall better for the net +# if people had to knowingly turn this feature on, since enabling it +# means that each client request will result in AT LEAST one lookup +# request to the nameserver. Enabling hostname_lookups will also +# mean that your server may stop randomly for 30 seconds from time +# to time, if the DNS requests take too long. +# +# Turning hostname lookups off also means that the server won't block +# for 30 seconds, if it sees an IP address which has no name associated +# with it. +# +# allowed values: {no, yes} +# +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +# if you're debugging a problem with the server. +# +# allowed values: {no, yes} +# +allow_core_dumps = no + +# Regular expressions +# +# These items are set at configure time. If they're set to "yes", +# then setting them to "no" turns off regular expression support. +# +# If they're set to "no" at configure time, then setting them to "yes" +# WILL NOT WORK. It will give you an error. +# +regular_expressions = yes +extended_expressions = yes + +# Log the full User-Name attribute, as it was found in the request. +# +# allowed values: {no, yes} +# +log_stripped_names = yes + +# Log authentication requests to the log file. +# +# allowed values: {no, yes} +# +log_auth = yes + +# Log passwords with the authentication requests. +# log_auth_badpass - logs password if it's rejected +# log_auth_goodpass - logs password if it's correct +# +# allowed values: {no, yes} +# +log_auth_badpass = no +log_auth_goodpass = no + +# usercollide: Turn "username collision" code on and off. See the +# "doc/duplicate-users" file +# +# WARNING +# !!!!!!! Setting this to "yes" may result in the server behaving +# !!!!!!! strangely. The "username collision" code will ONLY work +# !!!!!!! with clear-text passwords. Even then, it may not do what +# !!!!!!! you want, or what you expect. +# !!!!!!! +# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature, +# !!!!!!! and that you find another way of acheiving the same goal. +# !!!!!!! +# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover' +# WARNING +# +usercollide = no + +# lower_user / lower_pass: +# Lower case the username/password "before" or "after" +# attempting to authenticate. +# +# If "before", the server will first modify the request and then try +# to auth the user. If "after", the server will first auth using the +# values provided by the user. If that fails it will reprocess the +# request after modifying it as you specify below. +# +# This is as close as we can get to case insensitivity. It is the +# admin's job to ensure that the username on the auth db side is +# *also* lowercase to make this work +# +# Default is 'no' (don't lowercase values) +# Valid values = "before" / "after" / "no" +# +lower_user = yes +lower_pass = no + +# nospace_user / nospace_pass: +# +# Some users like to enter spaces in their username or password +# incorrectly. To save yourself the tech support call, you can +# eliminate those spaces here: +# +# Default is 'no' (don't remove spaces) +# Valid values = "before" / "after" / "no" (explanation above) +# +nospace_user = before +nospace_pass = no + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# SECURITY CONFIGURATION +# +# There may be multiple methods of attacking on the server. This +# section holds the configuration items which minimize the impact +# of those attacks +# +security { + # + # max_attributes: The maximum number of attributes + # permitted in a RADIUS packet. Packets which have MORE + # than this number of attributes in them will be dropped. + # + # If this number is set too low, then no RADIUS packets + # will be accepted. + # + # If this number is set too high, then an attacker may be + # able to send a small number of packets which will cause + # the server to use all available memory on the machine. + # + # Setting this number to 0 means "allow any number of attributes" + max_attributes = 200 + + # + # reject_delay: When sending an Access-Reject, it can be + # delayed for a few seconds. This may help slow down a DoS + # attack. It also helps to slow down people trying to brute-force + # crack a users password. + # + # Setting this number to 0 means "send rejects immediately" + # + # If this number is set higher than 'cleanup_delay', then the + # rejects will be sent at 'cleanup_delay' time, when the request + # is deleted from the internal cache of requests. + # + # Useful ranges: 1 to 5 + reject_delay = 0 + + # + # status_server: Whether or not the server will respond + # to Status-Server requests. + # + # Normally this should be set to "no", because they're useless. + # See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives + # + # However, certain NAS boxes may require them. + # + # When sent a Status-Server message, the server responds with + # an Access-Accept packet, containing a Reply-Message attribute, + # which is a string describing how long the server has been + # running. + # + status_server = no +} + +# PROXY CONFIGURATION +# +# proxy_requests: Turns proxying of RADIUS requests on or off. +# +# The server has proxying turned on by default. If your system is NOT +# set up to proxy requests to another server, then you can turn proxying +# off here. This will save a small amount of resources on the server. +# +# If you have proxying turned off, and your configuration files say +# to proxy a request, then an error message will be logged. +# +# To disable proxying, change the "yes" to "no", and comment the +# $INCLUDE line. +# +# allowed values: {no, yes} +# +proxy_requests = yes +$INCLUDE ${confdir}/proxy.conf + + +# CLIENTS CONFIGURATION +# +# Client configuration is defined in "clients.conf". +# + +# The 'clients.conf' file contains all of the information from the old +# 'clients' and 'naslist' configuration files. We recommend that you +# do NOT use 'client's or 'naslist', although they are still +# supported. +# +# Anything listed in 'clients.conf' will take precedence over the +# information from the old-style configuration files. +# +$INCLUDE ${confdir}/clients.conf + + +# SNMP CONFIGURATION +# +# Snmp configuration is only valid if SNMP support was enabled +# at compile time. +# +# To enable SNMP querying of the server, set the value of the +# 'snmp' attribute to 'yes' +# +#snmp = no +#$INCLUDE ${confdir}/snmp.conf + + +# THREAD POOL CONFIGURATION +# +# The thread pool is a long-lived group of threads which +# take turns (round-robin) handling any incoming requests. +# +# You probably want to have a few spare threads around, +# so that high-load situations can be handled immediately. If you +# don't have any spare threads, then the request handling will +# be delayed while a new thread is created, and added to the pool. +# +# You probably don't want too many spare threads around, +# otherwise they'll be sitting there taking up resources, and +# not doing anything productive. +# +# The numbers given below should be adequate for most situations. +# +thread pool { + # Number of servers to start initially --- should be a reasonable + # ballpark figure. + start_servers = 5 + + # Limit on the total number of servers running. + # + # If this limit is ever reached, clients will be LOCKED OUT, so it + # should NOT BE SET TOO LOW. It is intended mainly as a brake to + # keep a runaway server from taking the system with it as it spirals + # down... + # + # You may find that the server is regularly reaching the + # 'max_servers' number of threads, and that increasing + # 'max_servers' doesn't seem to make much difference. + # + # If this is the case, then the problem is MOST LIKELY that + # your back-end databases are taking too long to respond, and + # are preventing the server from responding in a timely manner. + # + # The solution is NOT do keep increasing the 'max_servers' + # value, but instead to fix the underlying cause of the + # problem: slow database, or 'hostname_lookups=yes'. + # + # For more information, see 'max_request_time', above. + # + max_servers = 32 + + # Server-pool size regulation. Rather than making you guess + # how many servers you need, FreeRADIUS dynamically adapts to + # the load it sees, that is, it tries to maintain enough + # servers to handle the current load, plus a few spare + # servers to handle transient load spikes. + # + # It does this by periodically checking how many servers are + # waiting for a request. If there are fewer than + # min_spare_servers, it creates a new spare. If there are + # more than max_spare_servers, some of the spares die off. + # The default values are probably OK for most sites. + # + min_spare_servers = 3 + max_spare_servers = 10 + + # There may be memory leaks or resource allocation problems with + # the server. If so, set this value to 300 or so, so that the + # resources will be cleaned up periodically. + # + # This should only be necessary if there are serious bugs in the + # server which have not yet been fixed. + # + # '0' is a special value meaning 'infinity', or 'the servers never + # exit' + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +# +# The names and configuration of each module is located in this section. +# +# After the modules are defined here, they may be referred to by name, +# in other sections of this configuration file. +# +modules { + # + # Each module has a configuration as follows: + # + # name [ instance ] { + # config_item = value + # ... + # } + # + # The 'name' is used to load the 'rlm_name' library + # which implements the functionality of the module. + # + # The 'instance' is optional. To have two different instances + # of a module, it first must be referred to by 'name'. + # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # below for an example. + # + + # PAP module to authenticate users based on their stored password + # + # Supports multiple encryption schemes + # clear: Clear text + # crypt: Unix crypt + # md5: MD5 ecnryption + # sha1: SHA1 encryption. + # DEFAULT: crypt +# pap { +# encryption_scheme = crypt +# } + + # CHAP module + # + # To authenticate requests containing a CHAP-Password attribute. + # +# chap { +# authtype = CHAP +# } + + # Pluggable Authentication Modules + # + # For Linux, see: + # http://www.kernel.org/pub/linux/libs/pam/index.html + # + # WARNING: On many systems, the system PAM libraries have + # memory leaks! We STRONGLY SUGGEST that you do not + # use PAM for authentication, due to those memory leaks. + # +# pam { + # + # The name to use for PAM authentication. + # PAM looks in /etc/pam.d/${pam_auth_name} + # for it's configuration. See 'redhat/radiusd-pam' + # for a sample PAM configuration file. + # + # Note that any Pam-Auth attribute set in the 'authorize' + # section will over-ride this one. + # +# pam_auth = radiusd +# } + + # Unix /etc/passwd style authentication + # +# unix { + # + # Cache /etc/passwd, /etc/shadow, and /etc/group + # + # The default is to NOT cache them. + # + # For FreeBSD and NetBSD, you do NOT want to enable + # the cache, as it's password lookups are done via a + # database, so set this value to 'no'. + # + # Some systems (e.g. RedHat Linux with pam_pwbd) can + # take *seconds* to check a password, when th passwd + # file containing 1000's of entries. For those systems, + # you should set the cache value to 'yes', and set + # the locations of the 'passwd', 'shadow', and 'group' + # files, below. + # + # allowed values: {no, yes} +# cache = no + + # Reload the cache every 600 seconds (10mins). 0 to disable. +# cache_reload = 600 + + # + # Define the locations of the normal passwd, shadow, and + # group files. + # + # 'shadow' is commented out by default, because not all + # systems have shadow passwords. + # + # To force the module to use the system password functions, + # instead of reading the files, leave the following entries + # commented out. + # + # This is required for some systems, like FreeBSD, + # and Mac OSX. + # + # passwd = /etc/passwd +# shadow = /etc/shadow + # group = /etc/group + + # + # The location of the "wtmp" file. + # This should be moved to it's own module soon. + # + # The only use for 'radlast'. If you don't use + # 'radlast', then you can comment out this item. + # +# radwtmp = ${logdir}/radwtmp +# } + + # Extensible Authentication Protocol + # + # For all EAP related authentications. + # Now in another file, because it is very large. + # +$INCLUDE ${confdir}/eap.conf + + # Microsoft CHAP authentication + # + # This module supports MS-CHAP and MS-CHAPv2 authentication. + # It also enforces the SMB-Account-Ctrl attribute. + # +# mschap { + # + # As of 0.9, the mschap module does NOT support + # reading from /etc/smbpasswd. + # + # If you are using /etc/smbpasswd, see the 'passwd' + # module for an example of how to use /etc/smbpasswd + + # if use_mppe is not set to no mschap will + # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and + # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 + # + #use_mppe = no + + # if mppe is enabled require_encryption makes + # encryption moderate + # + #require_encryption = yes + + # require_strong always requires 128 bit key + # encryption + # + #require_strong = yes + + # Windows sends us a username in the form of + # DOMAIN\user, but sends the challenge response + # based on only the user portion. This hack + # corrects for that incorrect behavior. + # + #with_ntdomain_hack = no + + # The module can perform authentication itself, OR + # use a Windows Domain Controller. This configuration + # directive tells the module to call the ntlm_auth + # program, which will do the authentication, and return + # the NT-Key. Note that you MUST have "winbindd" and + # "nmbd" running on the local machine for ntlm_auth + # to work. See the ntlm_auth program documentation + # for details. + # + # Be VERY careful when editing the following line! + # + #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" +# } + + # Lightweight Directory Access Protocol (LDAP) + # + # This module definition allows you to use LDAP for + # authorization and authentication. + # + # See doc/rlm_ldap for description of configuration options + # and sample authorize{} and authenticate{} blocks + # + # However, LDAP can be used for authentication ONLY when the + # Access-Request packet contains a clear-text User-Password + # attribute. LDAP authentication will NOT work for any other + # authentication method. + # + # This means that LDAP servers don't understand EAP. If you + # force "Auth-Type = LDAP", and then send the server a + # request containing EAP authentication, then authentication + # WILL NOT WORK. + # + # The solution is to use the default configuration, which does + # work. + # + # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We + # really can't emphasize this enough. + # + ldap { + server = "debian.local" + # identity = "cn=admin,o=My Org,c=UA" + # password = mypass + port = 389 + basedn = "dc=local,dc=hr" + filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" + # base_filter = "(objectclass=radiusprofile)" + + # set this to 'yes' to use TLS encrypted connections + # to the LDAP database by using the StartTLS extended + # operation. + # The StartTLS operation is supposed to be used with normal + # ldap connections instead of using ldaps (port 689) connections + start_tls = no + + # tls_cacertfile = /path/to/cacert.pem + # tls_cacertdir = /path/to/ca/dir/ + # tls_certfile = /path/to/radius.crt + # tls_keyfile = /path/to/radius.key + # tls_randfile = /path/to/rnd + # tls_require_cert = "demand" + + # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" + # profile_attribute = "radiusProfileDn" +# access_attr = "dialupAccess" + + # Mapping of RADIUS dictionary attributes to LDAP + # directory attributes. + dictionary_mapping = ${raddbdir}/ldap.attrmap + + ldap_connections_number = 5 + + # + # NOTICE: The password_header directive is NOT case insensitive + # + # password_header = "{clear}" + # + # Set: + # password_attribute = nspmPassword + # + # to get the user's password from a Novell eDirectory + # backend. This will work *only if* freeRADIUS is + # configured to build with --with-edir option. + # + # + # The server can usually figure this out on its own, and pull + # the correct User-Password or NT-Password from the database. + # + # Note that NT-Passwords MUST be stored as a 32-digit hex + # string, and MUST start off with "0x", such as: + # + # 0x000102030405060708090a0b0c0d0e0f + # + # Without the leading "0x", NT-Passwords will not work. + # This goes for NT-Passwords stored in SQL, too. + # + password_attribute = userPassword + # + # Un-comment the following to disable Novell eDirectory account + # policy check and intruder detection. This will work *only if* + # FreeRADIUS is configured to build with --with-edir option. + # + # edir_account_policy_check=no + # + # groupname_attribute = cn + # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" + # groupmembership_attribute = radiusGroupName + timeout = 4 + timelimit = 3 + net_timeout = 1 + compare_check_items = no + # do_xlat = yes + # access_attr_used_for_allow = yes + + # + # By default, if the packet contains a User-Password, + # and no other module is configured to handle the + # authentication, the LDAP module sets itself to do + # LDAP bind for authentication. + # + # You can disable this behavior by setting the following + # configuration entry to "no". + # + # allowed values: {no, yes} + # set_auth_type = yes + } + + # passwd module allows to do authorization via any passwd-like + # file and to extract any attributes from these modules + # + # parameters are: + # filename - path to filename + # format - format for filename record. This parameters + # correlates record in the passwd file and RADIUS + # attributes. + # + # Field marked as '*' is key field. That is, the parameter + # with this name from the request is used to search for + # the record from passwd file + # Attribute marked as '=' is added to reply_itmes instead + # of default configure_itmes + # Attribute marked as '~' is added to request_items + # + # Field marked as ',' may contain a comma separated list + # of attributes. + # authtype - if record found this Auth-Type is used to authenticate + # user + # hashsize - hashtable size. If 0 or not specified records are not + # stored in memory and file is red on every request. + # allowmultiplekeys - if few records for every key are allowed + # ignorenislike - ignore NIS-related records + # delimiter - symbol to use as a field separator in passwd file, + # for format ':' symbol is always used. '\0', '\n' are + # not allowed + # + + # An example configuration for using /etc/smbpasswd. + # + #passwd etc_smbpasswd { + # filename = /etc/smbpasswd + # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" + # authtype = MS-CHAP + # hashsize = 100 + # ignorenislike = no + # allowmultiplekeys = no + #} + + # Similar configuration, for the /etc/group file. Adds a Group-Name + # attribute for every group that the user is member of. + # + #passwd etc_group { + # filename = /etc/group + # format = "=Group-Name:::*,User-Name" + # hashsize = 50 + # ignorenislike = yes + # allowmultiplekeys = yes + # delimiter = ":" + #} + + # Realm module, for proxying. + # + # You can have multiple instances of the realm module to + # support multiple realm syntaxs at the same time. The + # search order is defined by the order in the authorize and + # preacct sections. + # + # Four config options: + # format - must be 'prefix' or 'suffix' + # delimiter - must be a single character + # ignore_default - set to 'yes' or 'no' + # ignore_null - set to 'yes' or 'no' + # + # ignore_default and ignore_null can be set to 'yes' to prevent + # the module from matching against DEFAULT or NULL realms. This + # may be useful if you have have multiple instances of the + # realm module. + # + # They both default to 'no'. + # + + # 'realm/username' + # + # Using this entry, IPASS users have their realm set to "IPASS". +# realm IPASS { +# format = prefix +# delimiter = "/" +# ignore_default = no +# ignore_null = no +# } + + # 'username@realm' + # + realm suffix { + format = suffix + delimiter = "@" + ignore_default = no + ignore_null = no + } + + # 'username%realm' + # +# realm realmpercent { +# format = suffix +# delimiter = "%" +# ignore_default = no +# ignore_null = no +# } + + # + # 'domain\user' + # +# realm ntdomain { +# format = prefix +# delimiter = "\\" +# ignore_default = no +# ignore_null = no +# } + + # A simple value checking module + # + # It can be used to check if an attribute value in the request + # matches a (possibly multi valued) attribute in the check + # items This can be used for example for caller-id + # authentication. For the module to run, both the request + # attribute and the check items attribute must exist + # + # i.e. + # A user has an ldap entry with 2 radiusCallingStationId + # attributes with values "12345678" and "12345679". If we + # enable rlm_checkval, then any request which contains a + # Calling-Station-Id with one of those two values will be + # accepted. Requests with other values for + # Calling-Station-Id will be rejected. + # + # Regular expressions in the check attribute value are allowed + # as long as the operator is '=~' + # +# checkval { + # The attribute to look for in the request +# item-name = Calling-Station-Id + + # The attribute to look for in check items. Can be multi valued +# check-name = Calling-Station-Id + + # The data type. Can be + # string,integer,ipaddr,date,abinary,octets +# data-type = string + + # If set to yes and we dont find the item-name attribute in the + # request then we send back a reject + # DEFAULT is no + #notfound-reject = no +# } + + # rewrite arbitrary packets. Useful in accounting and authorization. + # + # + # The module can also use the Rewrite-Rule attribute. If it + # is set and matches the name of the module instance, then + # that module instance will be the only one which runs. + # + # Also if new_attribute is set to yes then a new attribute + # will be created containing the value replacewith and it + # will be added to searchin (packet, reply, proxy, proxy_reply or config). + # searchfor,ignore_case and max_matches will be ignored in that case. + # + # Backreferences are supported: %{0} will contain the string the whole match + # and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses + # + # If max_matches is greater than one the backreferences will correspond to the + # first match + + # + #attr_rewrite sanecallerid { + # attribute = Called-Station-Id + # may be "packet", "reply", "proxy", "proxy_reply" or "config" + # searchin = packet + # searchfor = "[+ ]" + # replacewith = "" + # ignore_case = no + # new_attribute = no + # max_matches = 10 + # ## If set to yes then the replace string will be appended to the original string + # append = no + #} + + # Preprocess the incoming RADIUS request, before handing it off + # to other modules. + # + # This module processes the 'huntgroups' and 'hints' files. + # In addition, it re-writes some weird attributes created + # by some NASes, and converts the attributes into a form which + # is a little more standard. + # + preprocess { +# huntgroups = ${confdir}/huntgroups + hints = ${confdir}/hints + + # This hack changes Ascend's wierd port numberings + # to standard 0-??? port numbers so that the "+" works + # for IP address assignments. +# with_ascend_hack = no +# ascend_channels_per_line = 23 + + # Windows NT machines often authenticate themselves as + # NT_DOMAIN\username + # + # If this is set to 'yes', then the NT_DOMAIN portion + # of the user-name is silently discarded. + # + # This configuration entry SHOULD NOT be used. + # See the "realms" module for a better way to handle + # NT domains. +# with_ntdomain_hack = no + + # Specialix Jetstream 8500 24 port access server. + # + # If the user name is 10 characters or longer, a "/" + # and the excess characters after the 10th are + # appended to the user name. + # + # If you're not running that NAS, you don't need + # this hack. +# with_specialix_jetstream_hack = no + + # Cisco (and Quintum in Cisco mode) sends it's VSA attributes + # with the attribute name *again* in the string, like: + # + # H323-Attribute = "h323-attribute=value". + # + # If this configuration item is set to 'yes', then + # the redundant data in the the attribute text is stripped + # out. The result is: + # + # H323-Attribute = "value" + # + # If you're not running a Cisco or Quintum NAS, you don't + # need this hack. +# with_cisco_vsa_hack = no + } + + # Livingston-style 'users' file + # +# files { +# usersfile = ${confdir}/users +# acctusersfile = ${confdir}/acct_users +# preproxy_usersfile = ${confdir}/preproxy_users + + # If you want to use the old Cistron 'users' file + # with FreeRADIUS, you should change the next line + # to 'compat = cistron'. You can the copy your 'users' + # file from Cistron. +# compat = no +# } + + # Write a detailed log of all accounting records received. + # + detail { + # Note that we do NOT use NAS-IP-Address here, as + # that attribute MAY BE from the originating NAS, and + # NOT from the proxy which actually sent us the + # request. The Client-IP-Address attribute is ALWAYS + # the address of the client which sent us the + # request. + # + # The following line creates a new detail file for + # every radius client (by IP address or hostname). + # In addition, a new detail file is created every + # day, so that the detail file doesn't have to go + # through a 'log rotation' + # + # If your detail files are large, you may also want + # to add a ':%H' (see doc/variables.txt) to the end + # of it, to create a new detail file every hour, e.g.: + # + # ..../detail-%Y%m%d:%H + # + # This will create a new detail file for every hour. + # + detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d + + # + # The Unix-style permissions on the 'detail' file. + # + # The detail file often contains secret or private + # information about users. So by keeping the file + # permissions restrictive, we can prevent unwanted + # people from seeing that information. + detailperm = 0600 + + # + # Certain attributes such as User-Password may be + # "sensitive", so they should not be printed in the + # detail file. This section lists the attributes + # that should be suppressed. + # + # The attributes should be listed one to a line. + # + suppress { + User-Password + } + } + + # + # Many people want to log authentication requests. + # Rather than modifying the server core to print out more + # messages, we can use a different instance of the 'detail' + # module, to log the authentication requests to a file. + # + # You will also need to un-comment the 'auth_log' line + # in the 'authorize' section, below. + # + # detail auth_log { + # detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + # detailperm = 0600 + # } + + # + # This module logs authentication reply packets sent + # to a NAS. Both Access-Accept and Access-Reject packets + # are logged. + # + # You will also need to un-comment the 'reply_log' line + # in the 'post-auth' section, below. + # + detail reply_log { + detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + detailperm = 0600 + } + + # + # This module logs packets proxied to a home server. + # + # You will also need to un-comment the 'pre_proxy_log' line + # in the 'pre-proxy' section, below. + # + detail pre_proxy_log { + detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + detailperm = 0600 + } + + # + # This module logs response packets from a home server. + # + # You will also need to un-comment the 'post_proxy_log' line + # in the 'post-proxy' section, below. + # + detail post_proxy_log { + detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + detailperm = 0600 + } + + # + # The rlm_sql_log module appends the SQL queries in a log + # file which is read later by the radsqlrelay program. + # + # This module only performs the dynamic expansion of the + # variables found in the SQL statements. No operation is + # executed on the database server. (this could be done + # later by an external program) That means the module is + # useful only with non-"SELECT" statements. + # + # See rlm_sql_log(5) manpage. + # +# sql_log { +# path = ${radacctdir}/sql-relay +# acct_table = "radacct" +# postauth_table = "radpostauth" +# +# Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +# AcctSessionTime, AcctTerminateCause) VALUES \ +# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +# '%{Framed-IP-Address}', '%S', '0', '0', '');" +# Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +# AcctSessionTime, AcctTerminateCause) VALUES \ +# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +# '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ +# '%{Acct-Terminate-Cause}');" +# Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +# AcctSessionTime, AcctTerminateCause) VALUES \ +# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +# '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');" +# +# Post-Auth = "INSERT INTO ${postauth_table} \ +# (user, pass, reply, date) VALUES \ +# ('%{User-Name}', '%{User-Password:-Chap-Password}', \ +# '%{reply:Packet-Type}', '%S');" +# } + + # + # Create a unique accounting session Id. Many NASes re-use + # or repeat values for Acct-Session-Id, causing no end of + # confusion. + # + # This module will add a (probably) unique session id + # to an accounting packet based on the attributes listed + # below found in the packet. See doc/rlm_acct_unique for + # more information. + # +# acct_unique { +# key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" +# } + + + # Include another file that has the SQL-related configuration. + # This is another file only because it tends to be big. + # + # The following configuration file is for use with MySQL. + # + # For Postgresql, use: ${confdir}/postgresql.conf + # For MS-SQL, use: ${confdir}/mssql.conf + # For Oracle, use: ${confdir}/oraclesql.conf + # +# $INCLUDE ${confdir}/sql.conf + + + # For Cisco VoIP specific accounting with Postgresql, + # use: ${confdir}/pgsql-voip.conf + # + # You will also need the sql schema from: + # src/billing/cisco_h323_db_schema-postgres.sql + # Note: This config can be use AS WELL AS the standard sql + # config if you need SQL based Auth + + + # Write a 'utmp' style file, of which users are currently + # logged in, and where they've logged in from. + # + # This file is used mainly for Simultaneous-Use checking, + # and also 'radwho', to see who's currently logged in. + # +# radutmp { + # Where the file is stored. It's not a log file, + # so it doesn't need rotating. + # +# filename = ${logdir}/radutmp + + # The field in the packet to key on for the + # 'user' name, If you have other fields which you want + # to use to key on to control Simultaneous-Use, + # then you can use them here. + # + # Note, however, that the size of the field in the + # 'utmp' data structure is small, around 32 + # characters, so that will limit the possible choices + # of keys. + # + # You may want instead: %{Stripped-User-Name:-%{User-Name}} +# username = %{User-Name} + + + # Whether or not we want to treat "user" the same + # as "USER", or "User". Some systems have problems + # with case sensitivity, so this should be set to + # 'no' to enable the comparisons of the key attribute + # to be case insensitive. + # +# case_sensitive = yes + + # Accounting information may be lost, so the user MAY + # have logged off of the NAS, but we haven't noticed. + # If so, we can verify this information with the NAS, + # + # If we want to believe the 'utmp' file, then this + # configuration entry can be set to 'no'. + # +# check_with_nas = yes + + # Set the file permissions, as the contents of this file + # are usually private. +# perm = 0600 + +# callerid = "yes" +# } + + # "Safe" radutmp - does not contain caller ID, so it can be + # world-readable, and radwho can work for normal users, without + # exposing any information that isn't already exposed by who(1). + # + # This is another 'instance' of the radutmp module, but it is given + # then name "sradutmp" to identify it later in the "accounting" + # section. +# radutmp sradutmp { +# filename = ${logdir}/sradutmp +# perm = 0644 +# callerid = "no" +# } + + # attr_filter - filters the attributes received in replies from + # proxied servers, to make sure we send back to our RADIUS client + # only allowed attributes. +# attr_filter { +# attrsfile = ${confdir}/attrs +# } + + # counter module: + # This module takes an attribute (count-attribute). + # It also takes a key, and creates a counter for each unique + # key. The count is incremented when accounting packets are + # received by the server. The value of the increment depends + # on the attribute type. + # If the attribute is Acct-Session-Time or of an integer type we add the + # value of the attribute. If it is anything else we increase the + # counter by one. + # + # The 'reset' parameter defines when the counters are all reset to + # zero. It can be hourly, daily, weekly, monthly or never. + # + # hourly: Reset on 00:00 of every hour + # daily: Reset on 00:00:00 every day + # weekly: Reset on 00:00:00 on sunday + # monthly: Reset on 00:00:00 of the first day of each month + # + # It can also be user defined. It should be of the form: + # num[hdwm] where: + # h: hours, d: days, w: weeks, m: months + # If the letter is ommited days will be assumed. In example: + # reset = 10h (reset every 10 hours) + # reset = 12 (reset every 12 days) + # + # + # The check-name attribute defines an attribute which will be + # registered by the counter module and can be used to set the + # maximum allowed value for the counter after which the user + # is rejected. + # Something like: + # + # DEFAULT Max-Daily-Session := 36000 + # Fall-Through = 1 + # + # You should add the counter module in the instantiate + # section so that it registers check-name before the files + # module reads the users file. + # + # If check-name is set and the user is to be rejected then we + # send back a Reply-Message and we log a Failure-Message in + # the radius.log + # If the count attribute is Acct-Session-Time then on each login + # we send back the remaining online time as a Session-Timeout attribute + # + # The counter-name can also be used instead of using the check-name + # like below: + # + # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject + # Reply-Message = "You've used up more than one hour today" + # + # The allowed-servicetype attribute can be used to only take + # into account specific sessions. For example if a user first + # logs in through a login menu and then selects ppp there will + # be two sessions. One for Login-User and one for Framed-User + # service type. We only need to take into account the second one. + # + # The module should be added in the instantiate, authorize and + # accounting sections. Make sure that in the authorize + # section it comes after any module which sets the + # 'check-name' attribute. + # +# counter daily { +# filename = ${raddbdir}/db.daily +# key = User-Name +# count-attribute = Acct-Session-Time +# reset = daily +# counter-name = Daily-Session-Time +# check-name = Max-Daily-Session +# allowed-servicetype = Framed-User +# cache-size = 5000 +# } + + # + # This module is an SQL enabled version of the counter module. + # + # Rather than maintaining seperate (GDBM) databases of + # accounting info for each counter, this module uses the data + # stored in the raddacct table by the sql modules. This + # module NEVER does any database INSERTs or UPDATEs. It is + # totally dependent on the SQL module to process Accounting + # packets. + # + # The 'sqlmod_inst' parameter holds the instance of the sql + # module to use when querying the SQL database. Normally it + # is just "sql". If you define more and one SQL module + # instance (usually for failover situations), you can + # specify which module has access to the Accounting Data + # (radacct table). + # + # The 'reset' parameter defines when the counters are all + # reset to zero. It can be hourly, daily, weekly, monthly or + # never. It can also be user defined. It should be of the + # form: + # num[hdwm] where: + # h: hours, d: days, w: weeks, m: months + # If the letter is ommited days will be assumed. In example: + # reset = 10h (reset every 10 hours) + # reset = 12 (reset every 12 days) + # + # The 'key' parameter specifies the unique identifier for the + # counter records (usually 'User-Name'). + # + # The 'query' parameter specifies the SQL query used to get + # the current Counter value from the database. There are 3 + # parameters that can be used in the query: + # %k 'key' parameter + # %b unix time value of beginning of reset period + # %e unix time value of end of reset period + # + # The 'check-name' parameter is the name of the 'check' + # attribute to use to access the counter in the 'users' file + # or SQL radcheck or radcheckgroup tables. + # + # DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject + # Reply-Message = "You've used up more than one hour today" + # +# sqlcounter dailycounter { +# counter-name = Daily-Session-Time +# check-name = Max-Daily-Session +# sqlmod-inst = sql +# key = User-Name +# reset = daily + + # This query properly handles calls that span from the + # previous reset period into the current period but + # involves more work for the SQL server than those + # below +# query = "SELECT SUM(AcctSessionTime - \ +# GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ +# FROM radacct WHERE UserName='%{%k}' AND \ +# UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" + + # This query ignores calls that started in a previous + # reset period and continue into into this one. But it + # is a little easier on the SQL server +# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \ +# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')" + + # This query is the same as above, but demonstrates an + # additional counter parameter '%e' which is the + # timestamp for the end of the period +# query = "SELECT SUM(AcctSessionTime) FROM radacct \ +# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \ +# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')" +# } + +# sqlcounter monthlycounter { +# counter-name = Monthly-Session-Time +# check-name = Max-Monthly-Session +# sqlmod-inst = sql +# key = User-Name +# reset = monthly + + # This query properly handles calls that span from the + # previous reset period into the current period but + # involves more work for the SQL server than those + # below +# query = "SELECT SUM(AcctSessionTime - \ +# GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ +# FROM radacct WHERE UserName='%{%k}' AND \ +# UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" + + # This query ignores calls that started in a previous + # reset period and continue into into this one. But it + # is a little easier on the SQL server +# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \ +# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')" + + # This query is the same as above, but demonstrates an + # additional counter parameter '%e' which is the + # timestamp for the end of the period +# query = "SELECT SUM(AcctSessionTime) FROM radacct \ +# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \ +# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')" +# } + + # + # The "always" module is here for debugging purposes. Each + # instance simply returns the same result, always, without + # doing anything. + always fail { + rcode = fail + } + always reject { + rcode = reject + } + always ok { + rcode = ok + simulcount = 0 + mpp = no + } + + # + # The 'expression' module currently has no configuration. + # + # This module is useful only for 'xlat'. To use it, + # put 'exec' into the 'instantiate' section. You can then + # do dynamic translation of attributes like: + # + # Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}` + # + # The value of the attribute will be replaced with the output + # of the program which is executed. Due to RADIUS protocol + # limitations, any output over 253 bytes will be ignored. +# expr { +# } + + # + # The 'digest' module currently has no configuration. + # + # "Digest" authentication against a Cisco SIP server. + # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details + # on performing digest authentication for Cisco SIP servers. + # +# digest { +# } + + # + # Execute external programs + # + # This module is useful only for 'xlat'. To use it, + # put 'exec' into the 'instantiate' section. You can then + # do dynamic translation of attributes like: + # + # Attribute-Name = `%{exec:/path/to/program args}` + # + # The value of the attribute will be replaced with the output + # of the program which is executed. Due to RADIUS protocol + # limitations, any output over 253 bytes will be ignored. + # + # The RADIUS attributes from the user request will be placed + # into environment variables of the executed program, as + # described in 'doc/variables.txt' + # +# exec { +# wait = yes +# input_pairs = request +# } + + # + # This is a more general example of the execute module. + # + # This one is called "echo". + # + # Attribute-Name = `%{echo:/path/to/program args}` + # + # If you wish to execute an external program in more than + # one section (e.g. 'authorize', 'pre_proxy', etc), then it + # is probably best to define a different instance of the + # 'exec' module for every section. + # +# exec echo { + # + # Wait for the program to finish. + # + # If we do NOT wait, then the program is "fire and + # forget", and any output attributes from it are ignored. + # + # If we are looking for the program to output + # attributes, and want to add those attributes to the + # request, then we MUST wait for the program to + # finish, and therefore set 'wait=yes' + # + # allowed values: {no, yes} +# wait = yes + + # + # The name of the program to execute, and it's + # arguments. Dynamic translation is done on this + # field, so things like the following example will + # work. + # +# program = "/bin/echo %{User-Name}" + + # + # The attributes which are placed into the + # environment variables for the program. + # + # Allowed values are: + # + # request attributes from the request + # config attributes from the configuration items list + # reply attributes from the reply + # proxy-request attributes from the proxy request + # proxy-reply attributes from the proxy reply + # + # Note that some attributes may not exist at some + # stages. e.g. There may be no proxy-reply + # attributes if this module is used in the + # 'authorize' section. + # +# input_pairs = request + + # + # Where to place the output attributes (if any) from + # the executed program. The values allowed, and the + # restrictions as to availability, are the same as + # for the input_pairs. + # +# output_pairs = reply + + # + # When to execute the program. If the packet + # type does NOT match what's listed here, then + # the module does NOT execute the program. + # + # For a list of allowed packet types, see + # the 'dictionary' file, and look for VALUEs + # of the Packet-Type attribute. + # + # By default, the module executes on ANY packet. + # Un-comment out the following line to tell the + # module to execute only if an Access-Accept is + # being sent to the NAS. + # + #packet_type = Access-Accept +# } + + # Do server side ip pool management. Should be added in post-auth and + # accounting sections. + # + # The module also requires the existance of the Pool-Name + # attribute. That way the administrator can add the Pool-Name + # attribute in the user profiles and use different pools + # for different users. The Pool-Name attribute is a *check* item not + # a reply item. + # + # Example: + # radiusd.conf: ippool students { [...] } + # users file : DEFAULT Group == students, Pool-Name := "students" + # + # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST ********* + # ********* THEN ERASE THE DB FILES ********* + # +# ippool main_pool { + + # range-start,range-stop: The start and end ip + # addresses for the ip pool +# range-start = 192.168.1.1 +# range-stop = 192.168.3.254 + + # netmask: The network mask used for the ip's +# netmask = 255.255.255.0 + + # cache-size: The gdbm cache size for the db + # files. Should be equal to the number of ip's + # available in the ip pool +# cache-size = 800 + + # session-db: The main db file used to allocate ip's to clients +# session-db = ${raddbdir}/db.ippool + + # ip-index: Helper db index file used in multilink +# ip-index = ${raddbdir}/db.ipindex + + # override: Will this ippool override a Framed-IP-Address already set +# override = no + + # maximum-timeout: If not zero specifies the maximum time in seconds an + # entry may be active. Default: 0 +# maximum-timeout = 0 +# } + + # $INCLUDE ${confdir}/sqlippool.conf + + # OTP token support. Not included by default. + # $INCLUDE ${confdir}/otp.conf + +} + +# Instantiation +# +# This section orders the loading of the modules. Modules +# listed here will get loaded BEFORE the later sections like +# authorize, authenticate, etc. get examined. +# +# This section is not strictly needed. When a section like +# authorize refers to a module, it's automatically loaded and +# initialized. However, some modules may not be listed in any +# of the following sections, so they can be listed here. +# +# Also, listing modules here ensures that you have control over +# the order in which they are initalized. If one module needs +# something defined by another module, you can list them in order +# here, and ensure that the configuration will be OK. +# +instantiate { + # + # Allows the execution of external scripts. + # The entire command line (and output) must fit into 253 bytes. + # + # e.g. Framed-Pool = `%{exec:/bin/echo foo}` +# exec + + # + # The expression module doesn't do authorization, + # authentication, or accounting. It only does dynamic + # translation, of the form: + # + # Session-Timeout = `%{expr:2 + 3}` + # + # So the module needs to be instantiated, but CANNOT be + # listed in any other section. See 'doc/rlm_expr' for + # more information. + # +# expr + + # + # We add the counter module here so that it registers + # the check-name attribute before any module which sets + # it +# daily +} + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + # + # The preprocess module takes care of sanitizing some bizarre + # attributes in the request, and turning them into attributes + # which are more standard. + # + # It takes care of processing the 'raddb/hints' and the + # 'raddb/huntgroups' files. + # + # It also adds the %{Client-IP-Address} attribute to the request. + preprocess + + # + # If you want to have a log of authentication requests, + # un-comment the following line, and the 'detail auth_log' + # section, above. +# auth_log + +# attr_filter + + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set +# chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. +# mschap + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authenticate' section. +# digest + + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +# IPASS + + # + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. + # + suffix +# ntdomain + + # + # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP + # authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + eap + + # + # Read the 'users' file +# files + + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in sql.conf +# sql + + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'etc_smbpasswd' module, above. +# etc_smbpasswd + + # + # The ldap module will set Auth-Type to LDAP if it has not + # already been set + ldap + + # + # Enforce daily limits on time spent logged in. +# daily + + # + # Use the checkval module +# checkval + + # The ldap module will set Auth-Type to LDAP if it has not already + # been set + ldap +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the apropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user, or forcibly accept him. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. +# Auth-Type PAP { +# pap +# } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. +# Auth-Type CHAP { +# chap +# } + + # + # MSCHAP authentication. +# Auth-Type MS-CHAP { +# mschap +# } + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authorize' section. +# digest + + # + # Pluggable Authentication Modules. +# pam + + # + # See 'man getpwent' for information on how the 'unix' + # module checks the users password. Note that packets + # containing CHAP-Password attributes CANNOT be authenticated + # against /etc/passwd! See the FAQ for details. + # +# unix + + # Uncomment it if you want to use ldap for authentication + # + # Note that this means "check plain-text password against + # the ldap database", which means that EAP won't work, + # as it does not supply a plain-text password. + Auth-Type LDAP { + ldap + } + + # + # Allow EAP authentication. + eap +} + + +# +# Pre-accounting. Decide which accounting type to use. +# +preacct { +# preprocess + + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. +# acct_unique + + # + # Look for IPASS-style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. + # + # Accounting requests are generally proxied to the same + # home server as authentication requests. +# IPASS +# suffix +# ntdomain + + # + # Read the 'acct_users' file +# files +} + +# +# Accounting. Log the accounting data. +# +accounting { + # + # Create a 'detail'ed log of the packets. + # Note that accounting requests which are proxied + # are also logged in the detail file. + detail +# daily + + # Update the wtmp file + # + # If you don't use "radlast", you can delete this line. +# unix + + # + # For Simultaneous-Use tracking. + # + # Due to packet losses in the network, the data here + # may be incorrect. There is little we can do about it. +# radutmp +# sradutmp + + # Return an address to the IP Pool when we see a stop record. +# main_pool + + # + # Log traffic to an SQL database. + # + # See "Accounting queries" in sql.conf +# sql + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # Cisco VoIP specific bulk accounting +# pgsql-voip + +} + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { +# radutmp + + # + # See "Simultaneous Use Checking Querie" in sql.conf +# sql +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +post-auth { + # Get an address from the IP Pool. +# main_pool + + # + # If you want to have a log of authentication replies, + # un-comment the following line, and the 'detail reply_log' + # section, above. + reply_log + + # + # After authenticating the user, do another SQL query. + # + # See "Authentication Logging Queries" in sql.conf +# sql + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # + # Un-comment the following if you have set + # 'edir_account_policy_check = yes' in the ldap module sub-section of + # the 'modules' section. + # +# ldap + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # Uncomment the following and set the module name to the ldap instance + # name if you have set 'edir_account_policy_check = yes' in the ldap + # module sub-section of the 'modules' section. + # +# Post-Auth-Type REJECT { +# insert-module-name-here +# } + +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { +# attr_rewrite + + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +# files + + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. + pre_proxy_log +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. + post_proxy_log + +# attr_rewrite + + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. + +# attr_filter + + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap +} diff --git a/files/etc/freeradius/radiusd.conf.restore b/files/etc/freeradius/radiusd.conf.restore new file mode 100644 index 0000000..200cf49 --- /dev/null +++ b/files/etc/freeradius/radiusd.conf.restore @@ -0,0 +1,2146 @@ +## +## radiusd.conf -- FreeRADIUS server configuration file. +## +## http://www.freeradius.org/ +## $Id: radiusd.conf.in,v 1.188.2.4.2.18 2007/07/16 10:53:13 pnixon Exp $ +## + +# The location of other config files and +# logfiles are declared in this file +# +# Also general configuration for modules can be done +# in this file, it is exported through the API to +# modules that ask for it. +# +# The configuration variables defined here are of the form ${foo} +# They are local to this file, and do not change from request to +# request. +# +# The per-request variables are of the form %{Attribute-Name}, and +# are taken from the values of the attribute in the incoming +# request. See 'doc/variables.txt' for more information. + +prefix = /usr +exec_prefix = /usr +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = /var/log/freeradius +raddbdir = /etc/freeradius +radacctdir = ${logdir}/radacct + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/freeradius + +# +# The logging messages for the server are appended to the +# tail of this file. +# +log_file = ${logdir}/radius.log + +# +# libdir: Where to find the rlm_* modules. +# +# This should be automatically set at configuration time. +# +# If the server builds and installs, but fails at execution time +# with an 'undefined symbol' error, then you can use the libdir +# directive to work around the problem. +# +# The cause is usually that a library has been installed on your +# system in a place where the dynamic linker CANNOT find it. When +# executing as root (or another user), your personal environment MAY +# be set up to allow the dynamic linker to find the library. When +# executing as a daemon, FreeRADIUS MAY NOT have the same +# personalized configuration. +# +# To work around the problem, find out which library contains that symbol, +# and add the directory containing that library to the end of 'libdir', +# with a colon separating the directory names. NO spaces are allowed. +# +# e.g. libdir = /usr/local/lib:/opt/package/lib +# +# You can also try setting the LD_LIBRARY_PATH environment variable +# in a script which starts the server. +# +# If that does not work, then you can re-configure and re-build the +# server to NOT use shared libraries, via: +# +# ./configure --disable-shared +# make +# make install +# +libdir = /usr/lib/freeradius + +# pidfile: Where to place the PID of the RADIUS server. +# +# The server may be signalled while it's running by using this +# file. +# +# This file is written when ONLY running in daemon mode. +# +# e.g.: kill -HUP `cat /var/run/freeradius/freeradius.pid` +# +pidfile = ${run_dir}/freeradius.pid + + +# user/group: The name (or #number) of the user/group to run radiusd as. +# +# If these are commented out, the server will run as the user/group +# that started it. In order to change to a different user/group, you +# MUST be root ( or have root privleges ) to start the server. +# +# We STRONGLY recommend that you run the server with as few permissions +# as possible. That is, if you're not using shadow passwords, the +# user and group items below should be set to 'nobody'. +# +# On SCO (ODT 3) use "user = nouser" and "group = nogroup". +# +# NOTE that some kernels refuse to setgid(group) when the value of +# (unsigned)group is above 60000; don't use group nobody on these systems! +# +# On systems with shadow passwords, you might have to set 'group = shadow' +# for the server to be able to read the shadow password file. If you can +# authenticate users while in debug mode, but not in daemon mode, it may be +# that the debugging mode server is running as a user that can read the +# shadow info, and the user listed below can not. +# +user = freerad +group = freerad + +# max_request_time: The maximum time (in seconds) to handle a request. +# +# Requests which take more time than this to process may be killed, and +# a REJECT message is returned. +# +# WARNING: If you notice that requests take a long time to be handled, +# then this MAY INDICATE a bug in the server, in one of the modules +# used to handle a request, OR in your local configuration. +# +# This problem is most often seen when using an SQL database. If it takes +# more than a second or two to receive an answer from the SQL database, +# then it probably means that you haven't indexed the database. See your +# SQL server documentation for more information. +# +# Useful range of values: 5 to 120 +# +max_request_time = 30 + +# delete_blocked_requests: If the request takes MORE THAN 'max_request_time' +# to be handled, then maybe the server should delete it. +# +# If you're running in threaded, or thread pool mode, this setting +# should probably be 'no'. Setting it to 'yes' when using a threaded +# server MAY cause the server to crash! +# +delete_blocked_requests = no + +# cleanup_delay: The time to wait (in seconds) before cleaning up +# a reply which was sent to the NAS. +# +# The RADIUS request is normally cached internally for a short period +# of time, after the reply is sent to the NAS. The reply packet may be +# lost in the network, and the NAS will not see it. The NAS will then +# re-send the request, and the server will respond quickly with the +# cached reply. +# +# If this value is set too low, then duplicate requests from the NAS +# MAY NOT be detected, and will instead be handled as seperate requests. +# +# If this value is set too high, then the server will cache too many +# requests, and some new requests may get blocked. (See 'max_requests'.) +# +# Useful range of values: 2 to 10 +# +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +# track of. This should be 256 multiplied by the number of clients. +# e.g. With 4 clients, this number should be 1024. +# +# If this number is too low, then when the server becomes busy, +# it will not respond to any new requests, until the 'cleanup_delay' +# time has passed, and it has removed the old requests. +# +# If this number is set too high, then the server will use a bit more +# memory for no real benefit. +# +# If you aren't sure what it should be set to, it's better to set it +# too high than too low. Setting it to 1000 per client is probably +# the highest it should be. +# +# Useful range of values: 256 to infinity +# +max_requests = 1024 + +# bind_address: Make the server listen on a particular IP address, and +# send replies out from that address. This directive is most useful +# for machines with multiple IP addresses on one interface. +# +# It can either contain "*", or an IP address, or a fully qualified +# Internet domain name. The default is "*" +# +# As of 1.0, you can also use the "listen" directive. See below for +# more information. +# +bind_address = * + +# port: Allows you to bind FreeRADIUS to a specific port. +# +# The default port that most NAS boxes use is 1645, which is historical. +# RFC 2138 defines 1812 to be the new port. Many new servers and +# NAS boxes use 1812, which can create interoperability problems. +# +# The port is defined here to be 0 so that the server will pick up +# the machine's local configuration for the radius port, as defined +# in /etc/services. +# +# If you want to use the default RADIUS port as defined on your server, +# (usually through 'grep radius /etc/services') set this to 0 (zero). +# +# A port given on the command-line via '-p' over-rides this one. +# +# As of 1.0, you can also use the "listen" directive. See below for +# more information. +# +port = 0 + +# +# By default, the server uses "bind_address" to listen to all IP's +# on a machine, or just one IP. The "port" configuration is used +# to select the authentication port used when listening on those +# addresses. +# +# If you want the server to listen on additional addresses, you can +# use the "listen" section. A sample section (commented out) is included +# below. This "listen" section duplicates the functionality of the +# "bind_address" and "port" configuration entries, but it only listens +# for authentication packets. +# +# If you comment out the "bind_address" and "port" configuration entries, +# then it becomes possible to make the server accept only accounting, +# or authentication packets. Previously, it always listened for both +# types of packets, and it was impossible to make it listen for only +# one type of packet. +# +#listen { + # IP address on which to listen. + # Allowed values are: + # dotted quad (1.2.3.4) + # hostname (radius.example.com) + # wildcard (*) +# ipaddr = * + + # Port on which to listen. + # Allowed values are: + # integer port number (1812) + # 0 means "use /etc/services for the proper port" +# port = 0 + + # Type of packets to listen for. + # Allowed values are: + # auth listen for authentication packets + # acct listen for accounting packets + # +# type = auth +#} + + +# hostname_lookups: Log the names of clients or just their IP addresses +# e.g., www.freeradius.org (on) or 206.47.27.232 (off). +# +# The default is 'off' because it would be overall better for the net +# if people had to knowingly turn this feature on, since enabling it +# means that each client request will result in AT LEAST one lookup +# request to the nameserver. Enabling hostname_lookups will also +# mean that your server may stop randomly for 30 seconds from time +# to time, if the DNS requests take too long. +# +# Turning hostname lookups off also means that the server won't block +# for 30 seconds, if it sees an IP address which has no name associated +# with it. +# +# allowed values: {no, yes} +# +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +# if you're debugging a problem with the server. +# +# allowed values: {no, yes} +# +allow_core_dumps = no + +# Regular expressions +# +# These items are set at configure time. If they're set to "yes", +# then setting them to "no" turns off regular expression support. +# +# If they're set to "no" at configure time, then setting them to "yes" +# WILL NOT WORK. It will give you an error. +# +regular_expressions = yes +extended_expressions = yes + +# Log the full User-Name attribute, as it was found in the request. +# +# allowed values: {no, yes} +# +log_stripped_names = no + +# Log authentication requests to the log file. +# +# allowed values: {no, yes} +# +log_auth = no + +# Log passwords with the authentication requests. +# log_auth_badpass - logs password if it's rejected +# log_auth_goodpass - logs password if it's correct +# +# allowed values: {no, yes} +# +log_auth_badpass = no +log_auth_goodpass = no + +# usercollide: Turn "username collision" code on and off. See the +# "doc/duplicate-users" file +# +# WARNING +# !!!!!!! Setting this to "yes" may result in the server behaving +# !!!!!!! strangely. The "username collision" code will ONLY work +# !!!!!!! with clear-text passwords. Even then, it may not do what +# !!!!!!! you want, or what you expect. +# !!!!!!! +# !!!!!!! We STRONGLY RECOMMEND that you do not use this feature, +# !!!!!!! and that you find another way of acheiving the same goal. +# !!!!!!! +# !!!!!!! e,g. module fail-over. See 'doc/configurable_failover' +# WARNING +# +usercollide = no + +# lower_user / lower_pass: +# Lower case the username/password "before" or "after" +# attempting to authenticate. +# +# If "before", the server will first modify the request and then try +# to auth the user. If "after", the server will first auth using the +# values provided by the user. If that fails it will reprocess the +# request after modifying it as you specify below. +# +# This is as close as we can get to case insensitivity. It is the +# admin's job to ensure that the username on the auth db side is +# *also* lowercase to make this work +# +# Default is 'no' (don't lowercase values) +# Valid values = "before" / "after" / "no" +# +lower_user = no +lower_pass = no + +# nospace_user / nospace_pass: +# +# Some users like to enter spaces in their username or password +# incorrectly. To save yourself the tech support call, you can +# eliminate those spaces here: +# +# Default is 'no' (don't remove spaces) +# Valid values = "before" / "after" / "no" (explanation above) +# +nospace_user = no +nospace_pass = no + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# SECURITY CONFIGURATION +# +# There may be multiple methods of attacking on the server. This +# section holds the configuration items which minimize the impact +# of those attacks +# +security { + # + # max_attributes: The maximum number of attributes + # permitted in a RADIUS packet. Packets which have MORE + # than this number of attributes in them will be dropped. + # + # If this number is set too low, then no RADIUS packets + # will be accepted. + # + # If this number is set too high, then an attacker may be + # able to send a small number of packets which will cause + # the server to use all available memory on the machine. + # + # Setting this number to 0 means "allow any number of attributes" + max_attributes = 200 + + # + # reject_delay: When sending an Access-Reject, it can be + # delayed for a few seconds. This may help slow down a DoS + # attack. It also helps to slow down people trying to brute-force + # crack a users password. + # + # Setting this number to 0 means "send rejects immediately" + # + # If this number is set higher than 'cleanup_delay', then the + # rejects will be sent at 'cleanup_delay' time, when the request + # is deleted from the internal cache of requests. + # + # Useful ranges: 1 to 5 + reject_delay = 1 + + # + # status_server: Whether or not the server will respond + # to Status-Server requests. + # + # Normally this should be set to "no", because they're useless. + # See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives + # + # However, certain NAS boxes may require them. + # + # When sent a Status-Server message, the server responds with + # an Access-Accept packet, containing a Reply-Message attribute, + # which is a string describing how long the server has been + # running. + # + status_server = no +} + +# PROXY CONFIGURATION +# +# proxy_requests: Turns proxying of RADIUS requests on or off. +# +# The server has proxying turned on by default. If your system is NOT +# set up to proxy requests to another server, then you can turn proxying +# off here. This will save a small amount of resources on the server. +# +# If you have proxying turned off, and your configuration files say +# to proxy a request, then an error message will be logged. +# +# To disable proxying, change the "yes" to "no", and comment the +# $INCLUDE line. +# +# allowed values: {no, yes} +# +proxy_requests = yes +$INCLUDE ${confdir}/proxy.conf + + +# CLIENTS CONFIGURATION +# +# Client configuration is defined in "clients.conf". +# + +# The 'clients.conf' file contains all of the information from the old +# 'clients' and 'naslist' configuration files. We recommend that you +# do NOT use 'client's or 'naslist', although they are still +# supported. +# +# Anything listed in 'clients.conf' will take precedence over the +# information from the old-style configuration files. +# +$INCLUDE ${confdir}/clients.conf + + +# SNMP CONFIGURATION +# +# Snmp configuration is only valid if SNMP support was enabled +# at compile time. +# +# To enable SNMP querying of the server, set the value of the +# 'snmp' attribute to 'yes' +# +snmp = no +$INCLUDE ${confdir}/snmp.conf + + +# THREAD POOL CONFIGURATION +# +# The thread pool is a long-lived group of threads which +# take turns (round-robin) handling any incoming requests. +# +# You probably want to have a few spare threads around, +# so that high-load situations can be handled immediately. If you +# don't have any spare threads, then the request handling will +# be delayed while a new thread is created, and added to the pool. +# +# You probably don't want too many spare threads around, +# otherwise they'll be sitting there taking up resources, and +# not doing anything productive. +# +# The numbers given below should be adequate for most situations. +# +thread pool { + # Number of servers to start initially --- should be a reasonable + # ballpark figure. + start_servers = 5 + + # Limit on the total number of servers running. + # + # If this limit is ever reached, clients will be LOCKED OUT, so it + # should NOT BE SET TOO LOW. It is intended mainly as a brake to + # keep a runaway server from taking the system with it as it spirals + # down... + # + # You may find that the server is regularly reaching the + # 'max_servers' number of threads, and that increasing + # 'max_servers' doesn't seem to make much difference. + # + # If this is the case, then the problem is MOST LIKELY that + # your back-end databases are taking too long to respond, and + # are preventing the server from responding in a timely manner. + # + # The solution is NOT do keep increasing the 'max_servers' + # value, but instead to fix the underlying cause of the + # problem: slow database, or 'hostname_lookups=yes'. + # + # For more information, see 'max_request_time', above. + # + max_servers = 32 + + # Server-pool size regulation. Rather than making you guess + # how many servers you need, FreeRADIUS dynamically adapts to + # the load it sees, that is, it tries to maintain enough + # servers to handle the current load, plus a few spare + # servers to handle transient load spikes. + # + # It does this by periodically checking how many servers are + # waiting for a request. If there are fewer than + # min_spare_servers, it creates a new spare. If there are + # more than max_spare_servers, some of the spares die off. + # The default values are probably OK for most sites. + # + min_spare_servers = 3 + max_spare_servers = 10 + + # There may be memory leaks or resource allocation problems with + # the server. If so, set this value to 300 or so, so that the + # resources will be cleaned up periodically. + # + # This should only be necessary if there are serious bugs in the + # server which have not yet been fixed. + # + # '0' is a special value meaning 'infinity', or 'the servers never + # exit' + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +# +# The names and configuration of each module is located in this section. +# +# After the modules are defined here, they may be referred to by name, +# in other sections of this configuration file. +# +modules { + # + # Each module has a configuration as follows: + # + # name [ instance ] { + # config_item = value + # ... + # } + # + # The 'name' is used to load the 'rlm_name' library + # which implements the functionality of the module. + # + # The 'instance' is optional. To have two different instances + # of a module, it first must be referred to by 'name'. + # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # below for an example. + # + + # PAP module to authenticate users based on their stored password + # + # As of 1.1.4, the "encryption_scheme" configuration should + # no longer be used. For backwards compatibility, it will still + # work as before, but we recommend that it is not used. + # + # The replacement is "auto_header = yes". + # For backwards compatibility, the default is "auto_header = no", + # but we recommend reviewing your use of the PAP module, based + # on the documentation in "man rlm_pap". + # + # The new capability in this module makes it MUCH easier to + # configure the server for multiple crypt/hash schemes, AND + # it supports more methods than before. Please read "man rlm_pap" + # for more detailed documentation. + # + pap { + auto_header = yes + } + + # CHAP module + # + # To authenticate requests containing a CHAP-Password attribute. + # + chap { + authtype = CHAP + } + + # Pluggable Authentication Modules + # + # For Linux, see: + # http://www.kernel.org/pub/linux/libs/pam/index.html + # + # WARNING: On many systems, the system PAM libraries have + # memory leaks! We STRONGLY SUGGEST that you do not + # use PAM for authentication, due to those memory leaks. + # + pam { + # + # The name to use for PAM authentication. + # PAM looks in /etc/pam.d/${pam_auth_name} + # for it's configuration. See 'redhat/radiusd-pam' + # for a sample PAM configuration file. + # + # Note that any Pam-Auth attribute set in the 'authorize' + # section will over-ride this one. + # + pam_auth = radiusd + } + + # Unix /etc/passwd style authentication + # + unix { + # + # Cache /etc/passwd, /etc/shadow, and /etc/group + # + # The default is to NOT cache them. + # + # For FreeBSD and NetBSD, you do NOT want to enable + # the cache, as it's password lookups are done via a + # database, so set this value to 'no'. + # + # Some systems (e.g. RedHat Linux with pam_pwbd) can + # take *seconds* to check a password, when th passwd + # file containing 1000's of entries. For those systems, + # you should set the cache value to 'yes', and set + # the locations of the 'passwd', 'shadow', and 'group' + # files, below. + # + # allowed values: {no, yes} + cache = no + + # Reload the cache every 600 seconds (10mins). 0 to disable. + cache_reload = 600 + + # + # Define the locations of the normal passwd, shadow, and + # group files. + # + # 'shadow' is commented out by default, because not all + # systems have shadow passwords. + # + # To force the module to use the system password functions, + # instead of reading the files, leave the following entries + # commented out. + # + # This is required for some systems, like FreeBSD, + # and Mac OSX. + # + # passwd = /etc/passwd + shadow = /etc/shadow + # group = /etc/group + + # + # The location of the "wtmp" file. + # This should be moved to it's own module soon. + # + # The only use for 'radlast'. If you don't use + # 'radlast', then you can comment out this item. + # + radwtmp = ${logdir}/radwtmp + } + + # Extensible Authentication Protocol + # + # For all EAP related authentications. + # Now in another file, because it is very large. + # +$INCLUDE ${confdir}/eap.conf + + # Microsoft CHAP authentication + # + # This module supports MS-CHAP and MS-CHAPv2 authentication. + # It also enforces the SMB-Account-Ctrl attribute. + # + mschap { + # + # As of 0.9, the mschap module does NOT support + # reading from /etc/smbpasswd. + # + # If you are using /etc/smbpasswd, see the 'passwd' + # module for an example of how to use /etc/smbpasswd + + # if use_mppe is not set to no mschap will + # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and + # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 + # + #use_mppe = no + + # if mppe is enabled require_encryption makes + # encryption moderate + # + #require_encryption = yes + + # require_strong always requires 128 bit key + # encryption + # + #require_strong = yes + + # Windows sends us a username in the form of + # DOMAIN\user, but sends the challenge response + # based on only the user portion. This hack + # corrects for that incorrect behavior. + # + #with_ntdomain_hack = no + + # The module can perform authentication itself, OR + # use a Windows Domain Controller. This configuration + # directive tells the module to call the ntlm_auth + # program, which will do the authentication, and return + # the NT-Key. Note that you MUST have "winbindd" and + # "nmbd" running on the local machine for ntlm_auth + # to work. See the ntlm_auth program documentation + # for details. + # + # Be VERY careful when editing the following line! + # + #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" + } + + # Lightweight Directory Access Protocol (LDAP) + # + # This module definition allows you to use LDAP for + # authorization and authentication. + # + # See doc/rlm_ldap for description of configuration options + # and sample authorize{} and authenticate{} blocks + # + # However, LDAP can be used for authentication ONLY when the + # Access-Request packet contains a clear-text User-Password + # attribute. LDAP authentication will NOT work for any other + # authentication method. + # + # This means that LDAP servers don't understand EAP. If you + # force "Auth-Type = LDAP", and then send the server a + # request containing EAP authentication, then authentication + # WILL NOT WORK. + # + # The solution is to use the default configuration, which does + # work. + # + # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We + # really can't emphasize this enough. + # + ldap { + server = "ldap.your.domain" + # identity = "cn=admin,o=My Org,c=UA" + # password = mypass + basedn = "o=My Org,c=UA" + filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" + # base_filter = "(objectclass=radiusprofile)" + + # set this to 'yes' to use TLS encrypted connections + # to the LDAP database by using the StartTLS extended + # operation. + # The StartTLS operation is supposed to be used with normal + # ldap connections instead of using ldaps (port 689) connections + start_tls = no + + # tls_cacertfile = /path/to/cacert.pem + # tls_cacertdir = /path/to/ca/dir/ + # tls_certfile = /path/to/radius.crt + # tls_keyfile = /path/to/radius.key + # tls_randfile = /path/to/rnd + # tls_require_cert = "demand" + + # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" + # profile_attribute = "radiusProfileDn" + access_attr = "dialupAccess" + + # Mapping of RADIUS dictionary attributes to LDAP + # directory attributes. + dictionary_mapping = ${raddbdir}/ldap.attrmap + + ldap_connections_number = 5 + + # + # NOTICE: The password_header directive is NOT case insensitive + # + # password_header = "{clear}" + # + # Set: + # password_attribute = nspmPassword + # + # to get the user's password from a Novell eDirectory + # backend. This will work *only if* freeRADIUS is + # configured to build with --with-edir option. + # + # + # The server can usually figure this out on its own, and pull + # the correct User-Password or NT-Password from the database. + # + # Note that NT-Passwords MUST be stored as a 32-digit hex + # string, and MUST start off with "0x", such as: + # + # 0x000102030405060708090a0b0c0d0e0f + # + # Without the leading "0x", NT-Passwords will not work. + # This goes for NT-Passwords stored in SQL, too. + # + # password_attribute = userPassword + # + # Un-comment the following to disable Novell eDirectory account + # policy check and intruder detection. This will work *only if* + # FreeRADIUS is configured to build with --with-edir option. + # + edir_account_policy_check=no + # + # groupname_attribute = cn + # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" + # groupmembership_attribute = radiusGroupName + timeout = 4 + timelimit = 3 + net_timeout = 1 + # compare_check_items = yes + # do_xlat = yes + # access_attr_used_for_allow = yes + + # + # By default, if the packet contains a User-Password, + # and no other module is configured to handle the + # authentication, the LDAP module sets itself to do + # LDAP bind for authentication. + # + # You can disable this behavior by setting the following + # configuration entry to "no". + # + # allowed values: {no, yes} + # set_auth_type = yes + } + + # passwd module allows to do authorization via any passwd-like + # file and to extract any attributes from these modules + # + # parameters are: + # filename - path to filename + # format - format for filename record. This parameters + # correlates record in the passwd file and RADIUS + # attributes. + # + # Field marked as '*' is key field. That is, the parameter + # with this name from the request is used to search for + # the record from passwd file + # Attribute marked as '=' is added to reply_itmes instead + # of default configure_itmes + # Attribute marked as '~' is added to request_items + # + # Field marked as ',' may contain a comma separated list + # of attributes. + # authtype - if record found this Auth-Type is used to authenticate + # user + # hashsize - hashtable size. If 0 or not specified records are not + # stored in memory and file is red on every request. + # allowmultiplekeys - if few records for every key are allowed + # ignorenislike - ignore NIS-related records + # delimiter - symbol to use as a field separator in passwd file, + # for format ':' symbol is always used. '\0', '\n' are + # not allowed + # + + # An example configuration for using /etc/smbpasswd. + # + #passwd etc_smbpasswd { + # filename = /etc/smbpasswd + # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::" + # authtype = MS-CHAP + # hashsize = 100 + # ignorenislike = no + # allowmultiplekeys = no + #} + + # Similar configuration, for the /etc/group file. Adds a Group-Name + # attribute for every group that the user is member of. + # + #passwd etc_group { + # filename = /etc/group + # format = "=Group-Name:::*,User-Name" + # hashsize = 50 + # ignorenislike = yes + # allowmultiplekeys = yes + # delimiter = ":" + #} + + # Realm module, for proxying. + # + # You can have multiple instances of the realm module to + # support multiple realm syntaxs at the same time. The + # search order is defined by the order in the authorize and + # preacct sections. + # + # Four config options: + # format - must be 'prefix' or 'suffix' + # delimiter - must be a single character + # ignore_default - set to 'yes' or 'no' + # ignore_null - set to 'yes' or 'no' + # + # ignore_default and ignore_null can be set to 'yes' to prevent + # the module from matching against DEFAULT or NULL realms. This + # may be useful if you have have multiple instances of the + # realm module. + # + # They both default to 'no'. + # + + # 'realm/username' + # + # Using this entry, IPASS users have their realm set to "IPASS". + realm IPASS { + format = prefix + delimiter = "/" + ignore_default = no + ignore_null = no + } + + # 'username@realm' + # + realm suffix { + format = suffix + delimiter = "@" + ignore_default = no + ignore_null = no + } + + # 'username%realm' + # + realm realmpercent { + format = suffix + delimiter = "%" + ignore_default = no + ignore_null = no + } + + # + # 'domain\user' + # + realm ntdomain { + format = prefix + delimiter = "\\" + ignore_default = no + ignore_null = no + } + + # A simple value checking module + # + # It can be used to check if an attribute value in the request + # matches a (possibly multi valued) attribute in the check + # items This can be used for example for caller-id + # authentication. For the module to run, both the request + # attribute and the check items attribute must exist + # + # i.e. + # A user has an ldap entry with 2 radiusCallingStationId + # attributes with values "12345678" and "12345679". If we + # enable rlm_checkval, then any request which contains a + # Calling-Station-Id with one of those two values will be + # accepted. Requests with other values for + # Calling-Station-Id will be rejected. + # + # Regular expressions in the check attribute value are allowed + # as long as the operator is '=~' + # + checkval { + # The attribute to look for in the request + item-name = Calling-Station-Id + + # The attribute to look for in check items. Can be multi valued + check-name = Calling-Station-Id + + # The data type. Can be + # string,integer,ipaddr,date,abinary,octets + data-type = string + + # If set to yes and we dont find the item-name attribute in the + # request then we send back a reject + # DEFAULT is no + #notfound-reject = no + } + + # rewrite arbitrary packets. Useful in accounting and authorization. + # + # + # The module can also use the Rewrite-Rule attribute. If it + # is set and matches the name of the module instance, then + # that module instance will be the only one which runs. + # + # Also if new_attribute is set to yes then a new attribute + # will be created containing the value replacewith and it + # will be added to searchin (packet, reply, proxy, proxy_reply or config). + # searchfor,ignore_case and max_matches will be ignored in that case. + # + # Backreferences are supported: %{0} will contain the string the whole match + # and %{1} to %{8} will contain the contents of the 1st to the 8th parentheses + # + # If max_matches is greater than one the backreferences will correspond to the + # first match + + # + #attr_rewrite sanecallerid { + # attribute = Called-Station-Id + # may be "packet", "reply", "proxy", "proxy_reply" or "config" + # searchin = packet + # searchfor = "[+ ]" + # replacewith = "" + # ignore_case = no + # new_attribute = no + # max_matches = 10 + # ## If set to yes then the replace string will be appended to the original string + # append = no + #} + + # Preprocess the incoming RADIUS request, before handing it off + # to other modules. + # + # This module processes the 'huntgroups' and 'hints' files. + # In addition, it re-writes some weird attributes created + # by some NASes, and converts the attributes into a form which + # is a little more standard. + # + preprocess { + huntgroups = ${confdir}/huntgroups + hints = ${confdir}/hints + + # This hack changes Ascend's wierd port numberings + # to standard 0-??? port numbers so that the "+" works + # for IP address assignments. + with_ascend_hack = no + ascend_channels_per_line = 23 + + # Windows NT machines often authenticate themselves as + # NT_DOMAIN\username + # + # If this is set to 'yes', then the NT_DOMAIN portion + # of the user-name is silently discarded. + # + # This configuration entry SHOULD NOT be used. + # See the "realms" module for a better way to handle + # NT domains. + with_ntdomain_hack = no + + # Specialix Jetstream 8500 24 port access server. + # + # If the user name is 10 characters or longer, a "/" + # and the excess characters after the 10th are + # appended to the user name. + # + # If you're not running that NAS, you don't need + # this hack. + with_specialix_jetstream_hack = no + + # Cisco (and Quintum in Cisco mode) sends it's VSA attributes + # with the attribute name *again* in the string, like: + # + # H323-Attribute = "h323-attribute=value". + # + # If this configuration item is set to 'yes', then + # the redundant data in the the attribute text is stripped + # out. The result is: + # + # H323-Attribute = "value" + # + # If you're not running a Cisco or Quintum NAS, you don't + # need this hack. + with_cisco_vsa_hack = no + } + + # Livingston-style 'users' file + # + files { + usersfile = ${confdir}/users + acctusersfile = ${confdir}/acct_users + preproxy_usersfile = ${confdir}/preproxy_users + + # If you want to use the old Cistron 'users' file + # with FreeRADIUS, you should change the next line + # to 'compat = cistron'. You can the copy your 'users' + # file from Cistron. + compat = no + } + + # Write a detailed log of all accounting records received. + # + detail { + # Note that we do NOT use NAS-IP-Address here, as + # that attribute MAY BE from the originating NAS, and + # NOT from the proxy which actually sent us the + # request. The Client-IP-Address attribute is ALWAYS + # the address of the client which sent us the + # request. + # + # The following line creates a new detail file for + # every radius client (by IP address or hostname). + # In addition, a new detail file is created every + # day, so that the detail file doesn't have to go + # through a 'log rotation' + # + # If your detail files are large, you may also want + # to add a ':%H' (see doc/variables.txt) to the end + # of it, to create a new detail file every hour, e.g.: + # + # ..../detail-%Y%m%d:%H + # + # This will create a new detail file for every hour. + # + detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d + + # + # The Unix-style permissions on the 'detail' file. + # + # The detail file often contains secret or private + # information about users. So by keeping the file + # permissions restrictive, we can prevent unwanted + # people from seeing that information. + detailperm = 0600 + + # + # Certain attributes such as User-Password may be + # "sensitive", so they should not be printed in the + # detail file. This section lists the attributes + # that should be suppressed. + # + # The attributes should be listed one to a line. + # + #suppress { + # User-Password + #} + } + + # + # Many people want to log authentication requests. + # Rather than modifying the server core to print out more + # messages, we can use a different instance of the 'detail' + # module, to log the authentication requests to a file. + # + # You will also need to un-comment the 'auth_log' line + # in the 'authorize' section, below. + # + # detail auth_log { + # detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + # detailperm = 0600 + # } + + # + # This module logs authentication reply packets sent + # to a NAS. Both Access-Accept and Access-Reject packets + # are logged. + # + # You will also need to un-comment the 'reply_log' line + # in the 'post-auth' section, below. + # + # detail reply_log { + # detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + # detailperm = 0600 + # } + + # + # This module logs packets proxied to a home server. + # + # You will also need to un-comment the 'pre_proxy_log' line + # in the 'pre-proxy' section, below. + # + # detail pre_proxy_log { + # detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + # detailperm = 0600 + # } + + # + # This module logs response packets from a home server. + # + # You will also need to un-comment the 'post_proxy_log' line + # in the 'post-proxy' section, below. + # + # detail post_proxy_log { + # detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d + + # + # This MUST be 0600, otherwise anyone can read + # the users passwords! + # detailperm = 0600 + # } + + # + # The rlm_sql_log module appends the SQL queries in a log + # file which is read later by the radsqlrelay program. + # + # This module only performs the dynamic expansion of the + # variables found in the SQL statements. No operation is + # executed on the database server. (this could be done + # later by an external program) That means the module is + # useful only with non-"SELECT" statements. + # + # See rlm_sql_log(5) manpage. + # +# sql_log { +# path = ${radacctdir}/sql-relay +# acct_table = "radacct" +# postauth_table = "radpostauth" +# +# Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +# AcctSessionTime, AcctTerminateCause) VALUES \ +# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +# '%{Framed-IP-Address}', '%S', '0', '0', '');" +# Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +# AcctSessionTime, AcctTerminateCause) VALUES \ +# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +# '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \ +# '%{Acct-Terminate-Cause}');" +# Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \ +# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \ +# AcctSessionTime, AcctTerminateCause) VALUES \ +# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \ +# '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');" +# +# Post-Auth = "INSERT INTO ${postauth_table} \ +# (user, pass, reply, date) VALUES \ +# ('%{User-Name}', '%{User-Password:-Chap-Password}', \ +# '%{reply:Packet-Type}', '%S');" +# } + + # + # Create a unique accounting session Id. Many NASes re-use + # or repeat values for Acct-Session-Id, causing no end of + # confusion. + # + # This module will add a (probably) unique session id + # to an accounting packet based on the attributes listed + # below found in the packet. See doc/rlm_acct_unique for + # more information. + # + acct_unique { + key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" + } + + + # Include another file that has the SQL-related configuration. + # This is another file only because it tends to be big. + # + # The following configuration file is for use with MySQL. + # + # For Postgresql, use: ${confdir}/postgresql.conf + # For MS-SQL, use: ${confdir}/mssql.conf + # For Oracle, use: ${confdir}/oraclesql.conf + # + $INCLUDE ${confdir}/sql.conf + + + # For Cisco VoIP specific accounting with Postgresql, + # use: ${confdir}/pgsql-voip.conf + # + # You will also need the sql schema from: + # src/billing/cisco_h323_db_schema-postgres.sql + # Note: This config can be use AS WELL AS the standard sql + # config if you need SQL based Auth + + + # Write a 'utmp' style file, of which users are currently + # logged in, and where they've logged in from. + # + # This file is used mainly for Simultaneous-Use checking, + # and also 'radwho', to see who's currently logged in. + # + radutmp { + # Where the file is stored. It's not a log file, + # so it doesn't need rotating. + # + filename = ${logdir}/radutmp + + # The field in the packet to key on for the + # 'user' name, If you have other fields which you want + # to use to key on to control Simultaneous-Use, + # then you can use them here. + # + # Note, however, that the size of the field in the + # 'utmp' data structure is small, around 32 + # characters, so that will limit the possible choices + # of keys. + # + # You may want instead: %{Stripped-User-Name:-%{User-Name}} + username = %{User-Name} + + + # Whether or not we want to treat "user" the same + # as "USER", or "User". Some systems have problems + # with case sensitivity, so this should be set to + # 'no' to enable the comparisons of the key attribute + # to be case insensitive. + # + case_sensitive = yes + + # Accounting information may be lost, so the user MAY + # have logged off of the NAS, but we haven't noticed. + # If so, we can verify this information with the NAS, + # + # If we want to believe the 'utmp' file, then this + # configuration entry can be set to 'no'. + # + check_with_nas = yes + + # Set the file permissions, as the contents of this file + # are usually private. + perm = 0600 + + callerid = "yes" + } + + # "Safe" radutmp - does not contain caller ID, so it can be + # world-readable, and radwho can work for normal users, without + # exposing any information that isn't already exposed by who(1). + # + # This is another 'instance' of the radutmp module, but it is given + # then name "sradutmp" to identify it later in the "accounting" + # section. + radutmp sradutmp { + filename = ${logdir}/sradutmp + perm = 0644 + callerid = "no" + } + + # attr_filter - filters the attributes received in replies from + # proxied servers, to make sure we send back to our RADIUS client + # only allowed attributes. + attr_filter { + attrsfile = ${confdir}/attrs + } + + # counter module: + # This module takes an attribute (count-attribute). + # It also takes a key, and creates a counter for each unique + # key. The count is incremented when accounting packets are + # received by the server. The value of the increment depends + # on the attribute type. + # If the attribute is Acct-Session-Time or of an integer type we add the + # value of the attribute. If it is anything else we increase the + # counter by one. + # + # The 'reset' parameter defines when the counters are all reset to + # zero. It can be hourly, daily, weekly, monthly or never. + # + # hourly: Reset on 00:00 of every hour + # daily: Reset on 00:00:00 every day + # weekly: Reset on 00:00:00 on sunday + # monthly: Reset on 00:00:00 of the first day of each month + # + # It can also be user defined. It should be of the form: + # num[hdwm] where: + # h: hours, d: days, w: weeks, m: months + # If the letter is ommited days will be assumed. In example: + # reset = 10h (reset every 10 hours) + # reset = 12 (reset every 12 days) + # + # + # The check-name attribute defines an attribute which will be + # registered by the counter module and can be used to set the + # maximum allowed value for the counter after which the user + # is rejected. + # Something like: + # + # DEFAULT Max-Daily-Session := 36000 + # Fall-Through = 1 + # + # You should add the counter module in the instantiate + # section so that it registers check-name before the files + # module reads the users file. + # + # If check-name is set and the user is to be rejected then we + # send back a Reply-Message and we log a Failure-Message in + # the radius.log + # If the count attribute is Acct-Session-Time then on each login + # we send back the remaining online time as a Session-Timeout attribute + # + # The counter-name can also be used instead of using the check-name + # like below: + # + # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject + # Reply-Message = "You've used up more than one hour today" + # + # The allowed-servicetype attribute can be used to only take + # into account specific sessions. For example if a user first + # logs in through a login menu and then selects ppp there will + # be two sessions. One for Login-User and one for Framed-User + # service type. We only need to take into account the second one. + # + # The module should be added in the instantiate, authorize and + # accounting sections. Make sure that in the authorize + # section it comes after any module which sets the + # 'check-name' attribute. + # + counter daily { + filename = ${raddbdir}/db.daily + key = User-Name + count-attribute = Acct-Session-Time + reset = daily + counter-name = Daily-Session-Time + check-name = Max-Daily-Session + allowed-servicetype = Framed-User + cache-size = 5000 + } + + # + # This module is an SQL enabled version of the counter module. + # + # Rather than maintaining seperate (GDBM) databases of + # accounting info for each counter, this module uses the data + # stored in the raddacct table by the sql modules. This + # module NEVER does any database INSERTs or UPDATEs. It is + # totally dependent on the SQL module to process Accounting + # packets. + # + # The 'sqlmod_inst' parameter holds the instance of the sql + # module to use when querying the SQL database. Normally it + # is just "sql". If you define more and one SQL module + # instance (usually for failover situations), you can + # specify which module has access to the Accounting Data + # (radacct table). + # + # The 'reset' parameter defines when the counters are all + # reset to zero. It can be hourly, daily, weekly, monthly or + # never. It can also be user defined. It should be of the + # form: + # num[hdwm] where: + # h: hours, d: days, w: weeks, m: months + # If the letter is ommited days will be assumed. In example: + # reset = 10h (reset every 10 hours) + # reset = 12 (reset every 12 days) + # + # The 'key' parameter specifies the unique identifier for the + # counter records (usually 'User-Name'). + # + # The 'query' parameter specifies the SQL query used to get + # the current Counter value from the database. There are 3 + # parameters that can be used in the query: + # %k 'key' parameter + # %b unix time value of beginning of reset period + # %e unix time value of end of reset period + # + # The 'check-name' parameter is the name of the 'check' + # attribute to use to access the counter in the 'users' file + # or SQL radcheck or radcheckgroup tables. + # + # The 'reply-name' parameter is the name the the attribute + # which holds the time remaining for the user. This is normally + # Session-Timeout, which makes the NAS disconnect the user + # once the session time is up. + # + # DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject + # Reply-Message = "You've used up more than one hour today" + # + sqlcounter dailycounter { + counter-name = Daily-Session-Time + check-name = Max-Daily-Session + reply-name = Session-Timeout + sqlmod-inst = sql + key = User-Name + reset = daily + + # This query properly handles calls that span from the + # previous reset period into the current period but + # involves more work for the SQL server than those + # below + # For mysql: + query = "SELECT SUM(AcctSessionTime - \ + GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ + FROM radacct WHERE UserName='%{%k}' AND \ + UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" + + # For postgresql: +# query = "SELECT SUM(AcctSessionTime - \ +# GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \ +# FROM radacct WHERE UserName='%{%k}' AND \ +# AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'" + + # This query ignores calls that started in a previous + # reset period and continue into into this one. But it + # is a little easier on the SQL server + # For mysql: +# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \ +# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')" + + # For postgresql: +# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \ +# UserName='%{%k}' AND AND AcctStartTime::ABSTIME::INT4 > '%b'" + + # This query is the same as above, but demonstrates an + # additional counter parameter '%e' which is the + # timestamp for the end of the period + # For mysql: +# query = "SELECT SUM(AcctSessionTime) FROM radacct \ +# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \ +# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')" + + # For postgresql: +# query = "SELECT SUM(AcctSessionTime) FROM radacct \ +# WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \ +# BETWEEN '%b' AND '%e'" + } + + sqlcounter monthlycounter { + counter-name = Monthly-Session-Time + check-name = Max-Monthly-Session + reply-name = Session-Timeout + sqlmod-inst = sql + key = User-Name + reset = monthly + + # This query properly handles calls that span from the + # previous reset period into the current period but + # involves more work for the SQL server than those + # below + # The same notes above about the differences between mysql + # versus postgres queries apply here. + query = "SELECT SUM(AcctSessionTime - \ + GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ + FROM radacct WHERE UserName='%{%k}' AND \ + UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" + + # This query ignores calls that started in a previous + # reset period and continue into into this one. But it + # is a little easier on the SQL server +# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \ +# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')" + + # This query is the same as above, but demonstrates an + # additional counter parameter '%e' which is the + # timestamp for the end of the period +# query = "SELECT SUM(AcctSessionTime) FROM radacct \ +# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \ +# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')" + } + + # + # The "always" module is here for debugging purposes. Each + # instance simply returns the same result, always, without + # doing anything. + always fail { + rcode = fail + } + always reject { + rcode = reject + } + always ok { + rcode = ok + simulcount = 0 + mpp = no + } + + # + # The 'expression' module currently has no configuration. + # + # This module is useful only for 'xlat'. To use it, + # put 'exec' into the 'instantiate' section. You can then + # do dynamic translation of attributes like: + # + # Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}` + # + # The value of the attribute will be replaced with the output + # of the program which is executed. Due to RADIUS protocol + # limitations, any output over 253 bytes will be ignored. + expr { + } + + # + # The 'digest' module currently has no configuration. + # + # "Digest" authentication against a Cisco SIP server. + # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details + # on performing digest authentication for Cisco SIP servers. + # + digest { + } + + # + # Execute external programs + # + # This module is useful only for 'xlat'. To use it, + # put 'exec' into the 'instantiate' section. You can then + # do dynamic translation of attributes like: + # + # Attribute-Name = `%{exec:/path/to/program args}` + # + # The value of the attribute will be replaced with the output + # of the program which is executed. Due to RADIUS protocol + # limitations, any output over 253 bytes will be ignored. + # + # The RADIUS attributes from the user request will be placed + # into environment variables of the executed program, as + # described in 'doc/variables.txt' + # + exec { + wait = yes + input_pairs = request + } + + # + # This is a more general example of the execute module. + # + # This one is called "echo". + # + # Attribute-Name = `%{echo:/path/to/program args}` + # + # If you wish to execute an external program in more than + # one section (e.g. 'authorize', 'pre_proxy', etc), then it + # is probably best to define a different instance of the + # 'exec' module for every section. + # + exec echo { + # + # Wait for the program to finish. + # + # If we do NOT wait, then the program is "fire and + # forget", and any output attributes from it are ignored. + # + # If we are looking for the program to output + # attributes, and want to add those attributes to the + # request, then we MUST wait for the program to + # finish, and therefore set 'wait=yes' + # + # allowed values: {no, yes} + wait = yes + + # + # The name of the program to execute, and it's + # arguments. Dynamic translation is done on this + # field, so things like the following example will + # work. + # + program = "/bin/echo %{User-Name}" + + # + # The attributes which are placed into the + # environment variables for the program. + # + # Allowed values are: + # + # request attributes from the request + # config attributes from the configuration items list + # reply attributes from the reply + # proxy-request attributes from the proxy request + # proxy-reply attributes from the proxy reply + # + # Note that some attributes may not exist at some + # stages. e.g. There may be no proxy-reply + # attributes if this module is used in the + # 'authorize' section. + # + input_pairs = request + + # + # Where to place the output attributes (if any) from + # the executed program. The values allowed, and the + # restrictions as to availability, are the same as + # for the input_pairs. + # + output_pairs = reply + + # + # When to execute the program. If the packet + # type does NOT match what's listed here, then + # the module does NOT execute the program. + # + # For a list of allowed packet types, see + # the 'dictionary' file, and look for VALUEs + # of the Packet-Type attribute. + # + # By default, the module executes on ANY packet. + # Un-comment out the following line to tell the + # module to execute only if an Access-Accept is + # being sent to the NAS. + # + #packet_type = Access-Accept + } + + # Do server side ip pool management. Should be added in post-auth and + # accounting sections. + # + # The module also requires the existance of the Pool-Name + # attribute. That way the administrator can add the Pool-Name + # attribute in the user profiles and use different pools + # for different users. The Pool-Name attribute is a *check* item not + # a reply item. + # + # Example: + # radiusd.conf: ippool students { [...] } + # users file : DEFAULT Group == students, Pool-Name := "students" + # + # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST ********* + # ********* THEN ERASE THE DB FILES ********* + # + ippool main_pool { + + # range-start,range-stop: The start and end ip + # addresses for the ip pool + range-start = 192.168.1.1 + range-stop = 192.168.3.254 + + # netmask: The network mask used for the ip's + netmask = 255.255.255.0 + + # cache-size: The gdbm cache size for the db + # files. Should be equal to the number of ip's + # available in the ip pool + cache-size = 800 + + # session-db: The main db file used to allocate ip's to clients + session-db = ${raddbdir}/db.ippool + + # ip-index: Helper db index file used in multilink + ip-index = ${raddbdir}/db.ipindex + + # override: Will this ippool override a Framed-IP-Address already set + override = no + + # maximum-timeout: If not zero specifies the maximum time in seconds an + # entry may be active. Default: 0 + maximum-timeout = 0 + } + + # $INCLUDE ${confdir}/sqlippool.conf + # $INCLUDE ${confdir}/postgresqlippool.conf + + # OTP token support. Not included by default. + # $INCLUDE ${confdir}/otp.conf + +} + +# Instantiation +# +# This section orders the loading of the modules. Modules +# listed here will get loaded BEFORE the later sections like +# authorize, authenticate, etc. get examined. +# +# This section is not strictly needed. When a section like +# authorize refers to a module, it's automatically loaded and +# initialized. However, some modules may not be listed in any +# of the following sections, so they can be listed here. +# +# Also, listing modules here ensures that you have control over +# the order in which they are initalized. If one module needs +# something defined by another module, you can list them in order +# here, and ensure that the configuration will be OK. +# +instantiate { + # + # Allows the execution of external scripts. + # The entire command line (and output) must fit into 253 bytes. + # + # e.g. Framed-Pool = `%{exec:/bin/echo foo}` + exec + + # + # The expression module doesn't do authorization, + # authentication, or accounting. It only does dynamic + # translation, of the form: + # + # Session-Timeout = `%{expr:2 + 3}` + # + # So the module needs to be instantiated, but CANNOT be + # listed in any other section. See 'doc/rlm_expr' for + # more information. + # + expr + + # + # We add the counter module here so that it registers + # the check-name attribute before any module which sets + # it +# daily +} + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + # + # The preprocess module takes care of sanitizing some bizarre + # attributes in the request, and turning them into attributes + # which are more standard. + # + # It takes care of processing the 'raddb/hints' and the + # 'raddb/huntgroups' files. + # + # It also adds the %{Client-IP-Address} attribute to the request. + preprocess + + # + # If you want to have a log of authentication requests, + # un-comment the following line, and the 'detail auth_log' + # section, above. +# auth_log + +# attr_filter + + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. + mschap + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authenticate' section. +# digest + + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +# IPASS + + # + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. + # + suffix +# ntdomain + + # + # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP + # authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + eap + + # + # Read the 'users' file + files + + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in sql.conf +# sql + + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'etc_smbpasswd' module, above. +# etc_smbpasswd + + # + # The ldap module will set Auth-Type to LDAP if it has not + # already been set +# ldap + + # + # Enforce daily limits on time spent logged in. +# daily + + # + # Use the checkval module +# checkval + + # + # As of 1.1.4, you should list "pap" last in this section. + # See "man rlm_pap" for more information. + pap +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the apropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user, or forcibly accept him. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. + Auth-Type PAP { + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + mschap + } + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authorize' section. +# digest + + # + # Pluggable Authentication Modules. +# pam + + # + # See 'man getpwent' for information on how the 'unix' + # module checks the users password. Note that packets + # containing CHAP-Password attributes CANNOT be authenticated + # against /etc/passwd! See the FAQ for details. + # + unix + + # Uncomment it if you want to use ldap for authentication + # + # Note that this means "check plain-text password against + # the ldap database", which means that EAP won't work, + # as it does not supply a plain-text password. +# Auth-Type LDAP { +# ldap +# } + + # + # Allow EAP authentication. + eap +} + + +# +# Pre-accounting. Decide which accounting type to use. +# +preacct { + preprocess + + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. + acct_unique + + # + # Look for IPASS-style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. + # + # Accounting requests are generally proxied to the same + # home server as authentication requests. +# IPASS + suffix +# ntdomain + + # + # Read the 'acct_users' file + files +} + +# +# Accounting. Log the accounting data. +# +accounting { + # + # Create a 'detail'ed log of the packets. + # Note that accounting requests which are proxied + # are also logged in the detail file. + detail +# daily + + # Update the wtmp file + # + # If you don't use "radlast", you can delete this line. + unix + + # + # For Simultaneous-Use tracking. + # + # Due to packet losses in the network, the data here + # may be incorrect. There is little we can do about it. + radutmp +# sradutmp + + # Return an address to the IP Pool when we see a stop record. +# main_pool +# sqlippool + + # + # Log traffic to an SQL database. + # + # See "Accounting queries" in sql.conf +# sql + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # Cisco VoIP specific bulk accounting +# pgsql-voip + +} + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { + radutmp + + # + # See "Simultaneous Use Checking Querie" in sql.conf +# sql +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +post-auth { + # Get an address from the IP Pool. +# main_pool +# sqlippool + + # + # If you want to have a log of authentication replies, + # un-comment the following line, and the 'detail reply_log' + # section, above. +# reply_log + + # + # After authenticating the user, do another SQL query. + # + # See "Authentication Logging Queries" in sql.conf +# sql + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # + # Un-comment the following if you have set + # 'edir_account_policy_check = yes' in the ldap module sub-section of + # the 'modules' section. + # +# ldap + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # Uncomment the following and set the module name to the ldap instance + # name if you have set 'edir_account_policy_check = yes' in the ldap + # module sub-section of the 'modules' section. + # +# Post-Auth-Type REJECT { +# insert-module-name-here +# } + +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { +# attr_rewrite + + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +# files + + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. +# pre_proxy_log +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +# post_proxy_log + +# attr_rewrite + + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. + +# attr_filter + + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap +} diff --git a/src/actions/main.queue b/src/actions/main.queue index b2feebf..a550b9f 100644 --- a/src/actions/main.queue +++ b/src/actions/main.queue @@ -33,6 +33,8 @@ pkg mrtg-cn post_upgrade pkgadd munin-cn pkg mrtg-cn pkgrm mrtg-cn pkg munin-cn upgrade_munin # konacno, instalacija novih paketa +pkg openldap-aai prepare_openldap +pkg freeradius-aai upgrade_freeradius pkg openldap-aai upgrade_openldap pkg amavisd-new upgrade_amavis pkg apache2-cn upgrade_apache2 diff --git a/src/functions.sh b/src/functions.sh index 6d192dd..19c76b3 100644 --- a/src/functions.sh +++ b/src/functions.sh @@ -980,8 +980,61 @@ upgrade_amavis () { /etc/init.d/amavis restart } -# fix openldap-aai postinst user handling -upgrade_openldap () { +# handle freerdius config files upgrade +upgrade_freeradius () { + local template config_new password realm + + pkg freeradius-aai lt 2.1.3-0lenny0 || return 0 + + # handle static configs + restore_config freeradius-aai freeradius 2.1.3-0lenny0 \ + /etc/freeradius/clients.conf \ + /etc/freeradius/hints \ + /etc/freeradius/ldap.attrmap \ + /etc/freeradius/radiusd.conf + + # handle template based configs + template=/usr/share/carnet-upgrade/files/etc/freeradius/eap.conf.template + config_new=$(mktemp /var/lib/carnet-upgrade/eap.conf.XXXXXX) + password=$(grep -s '^[[:space:]]*private_key_password[[:space:]]*=' \ + /etc/freeradius/eap.conf) + cp $template $config_new + sed -i "s/.*#PASSWORD#.*/$password/" $config_new + if cmp -s $config_new /etc/freeradius/eap.conf >/dev/null; then + log "Restoring config file /etc/freeradius/eap.conf" + cp -v /usr/share/carnet-upgrade/files/etc/freeradius/eap.conf.restore \ + /etc/freeradius/eap.conf + fi + rm -f $config_new + + template=/usr/share/carnet-upgrade/files/etc/freeradius/proxy.conf.template + config_new=$(mktemp /var/lib/carnet-upgrade/proxy.conf.XXXXXX) + realm=$(sed -n '/^[[:space:]]*suffix[[:space:]]*/ { + s///; s/"//g; s/,dc=/./g; s/dc=//; s/.hr$//; p; q }' /etc/ldap/slapd.conf) + cp $template $config_new + sed -i "s/#REALM#/$realm/" $config_new + if cmp -s $config_new /etc/freeradius/proxy.conf >/dev/null; then + log "Restoring config file /etc/freeradius/proxy.conf" + cp -v /usr/share/carnet-upgrade/files/etc/freeradius/proxy.conf.restore \ + /etc/freeradius/proxy.conf + fi + rm -f $config_new + + # install the new packages + if ! apt-get -y install freeradius; then + # freeradius upgrade fails here, try to fix it by creating certificates + [ -x /etc/freeradius/certs/bootstrap ] && /etc/freeradius/certs/bootstrap + + dpkg --configure -a + apt-get -y -f install + fi + + # finally try to cleanup this mess + pkgadd freeradius-aai +} + +# prepare for slapd upgrade (caused by freeradius installation) +prepare_openldap () { pkg openldap-aai lt 2.4 || return 0 # openldap-aai expects org.ldif to exists @@ -990,12 +1043,19 @@ upgrade_openldap () { if [ -f $ldif ]; then cp -v $ldif $ldif_backup fi +} + +# fix openldap-aai postinst user handling +upgrade_openldap () { + pkg openldap-aai lt 2.4 || return 0 # slapd postinst fails if move_old_database is false echo 'slapd slapd/move_old_database boolean true' | debconf-set-selections pkgadd slapd # slapd removes org.ldif during switch from ldap -> openldap user + local ldif=/var/lib/ldap/org.ldif + local ldif_backup=/var/lib/carnet-upgrade/org.ldif if [ -f $ldif_backup -a ! -f $ldif ]; then cp -v $ldif_backup $ldif fi