fix: update systemd config [ci skip]
This commit is contained in:
@@ -24,12 +24,51 @@ Environment=TZ=UTC
|
|||||||
# a leak somewhere.
|
# a leak somewhere.
|
||||||
MemoryLimit=2G
|
MemoryLimit=2G
|
||||||
|
|
||||||
|
# Ensure the daemon can still write its pidfile after it drops
|
||||||
|
# privileges. Combination of options that work on a variety of
|
||||||
|
# systems. Test very carefully if you alter these lines.
|
||||||
RuntimeDirectory=freeradius
|
RuntimeDirectory=freeradius
|
||||||
RuntimeDirectoryMode=0775
|
RuntimeDirectoryMode=0775
|
||||||
|
# This does not work on Debian Jessie:
|
||||||
|
User=freerad
|
||||||
|
Group=freerad
|
||||||
|
# This does not work on Ubuntu Bionic:
|
||||||
|
ExecStartPre=/bin/chown freerad:freerad /var/run/freeradius
|
||||||
|
|
||||||
ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
|
ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
|
||||||
ExecStart=/usr/sbin/freeradius $FREERADIUS_OPTIONS
|
ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
RestartSec=5
|
RestartSec=3
|
||||||
|
ExecReload=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout
|
||||||
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
|
|
||||||
|
# Don't elevate privileges after starting
|
||||||
|
NoNewPrivileges=true
|
||||||
|
|
||||||
|
# Allow binding to secure ports, broadcast addresses, and raw interfaces.
|
||||||
|
#CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
|
||||||
|
|
||||||
|
# Private /tmp that isn't shared by other processes
|
||||||
|
PrivateTmp=true
|
||||||
|
|
||||||
|
# cgroups are readable only by radiusd, and child processes
|
||||||
|
ProtectControlGroups=true
|
||||||
|
|
||||||
|
# don't load new kernel modules
|
||||||
|
ProtectKernelModules=true
|
||||||
|
|
||||||
|
# don't tune kernel parameters
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
|
||||||
|
# Only allow native system calls
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
|
# We shouldn't be writing to the configuration directory
|
||||||
|
ReadOnlyDirectories=/etc/freeradius/
|
||||||
|
|
||||||
|
# We can read and write to the log directory.
|
||||||
|
ReadWriteDirectories=/var/log/freeradius/
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
||||||
|
|||||||
@@ -1,2 +0,0 @@
|
|||||||
raw {
|
|
||||||
}
|
|
||||||
@@ -1,300 +0,0 @@
|
|||||||
rest {
|
|
||||||
#
|
|
||||||
# This subsection configures the tls related items
|
|
||||||
# that control how FreeRADIUS connects to a HTTPS
|
|
||||||
# server.
|
|
||||||
#
|
|
||||||
tls {
|
|
||||||
# Certificate Authorities:
|
|
||||||
# "ca_file" (libcurl option CURLOPT_ISSUERCERT).
|
|
||||||
# File containing a single CA, which is the issuer of the server
|
|
||||||
# certificate.
|
|
||||||
# "ca_info_file" (libcurl option CURLOPT_CAINFO).
|
|
||||||
# File containing a bundle of certificates, which allow to handle
|
|
||||||
# certificate chain validation.
|
|
||||||
# "ca_path" (libcurl option CURLOPT_CAPATH).
|
|
||||||
# Directory holding CA certificates to verify the peer with.
|
|
||||||
# ca_file = ${certdir}/cacert.pem
|
|
||||||
# ca_info_file = ${certdir}/cacert_bundle.pem
|
|
||||||
# ca_path = ${certdir}
|
|
||||||
|
|
||||||
# certificate_file = /path/to/radius.crt
|
|
||||||
# private_key_file = /path/to/radius.key
|
|
||||||
# private_key_password = "supersecret"
|
|
||||||
# random_file = /dev/urandom
|
|
||||||
|
|
||||||
# Server certificate verification requirements. Can be:
|
|
||||||
# "no" (don't even bother trying)
|
|
||||||
# "yes" (verify the cert was issued by one of the
|
|
||||||
# trusted CAs)
|
|
||||||
#
|
|
||||||
# The default is "yes"
|
|
||||||
# check_cert = yes
|
|
||||||
|
|
||||||
# Server certificate CN verification requirements. Can be:
|
|
||||||
# "no" (don't even bother trying)
|
|
||||||
# "yes" (verify the CN in the certificate matches the host
|
|
||||||
# in the URI)
|
|
||||||
#
|
|
||||||
# The default is "yes"
|
|
||||||
# check_cert_cn = yes
|
|
||||||
}
|
|
||||||
|
|
||||||
# rlm_rest will open a connection to the server specified in connect_uri
|
|
||||||
# to populate the connection cache, ready for the first request.
|
|
||||||
# The server will not start if the server specified is unreachable.
|
|
||||||
#
|
|
||||||
# If you wish to disable this pre-caching and reachability check,
|
|
||||||
# comment out the configuration item below.
|
|
||||||
#connect_uri = "http://connectone.me:31668"
|
|
||||||
connect_uri = "http://#API_HOST#:#API_PORT#/"
|
|
||||||
|
|
||||||
#
|
|
||||||
# How long before new connection attempts timeout, defaults to 4.0 seconds.
|
|
||||||
#
|
|
||||||
# connect_timeout = 4.0
|
|
||||||
|
|
||||||
#
|
|
||||||
# Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto',
|
|
||||||
# '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
|
|
||||||
#
|
|
||||||
# http_negotiation = 1.1
|
|
||||||
|
|
||||||
#
|
|
||||||
# The following config items can be used in each of the sections.
|
|
||||||
# The sections themselves reflect the sections in the server.
|
|
||||||
# For example if you list rest in the authorize section of a virtual server,
|
|
||||||
# the settings from the authorize section here will be used.
|
|
||||||
#
|
|
||||||
# The following config items may be listed in any of the sections:
|
|
||||||
# uri - to send the request to.
|
|
||||||
# method - HTTP method to use, one of 'get', 'post', 'put', 'patch',
|
|
||||||
# 'delete' or any custom HTTP method.
|
|
||||||
# body - The format of the HTTP body sent to the remote server.
|
|
||||||
# May be 'none', 'post' or 'json', defaults to 'none'.
|
|
||||||
# attr_num - If true, the attribute number is supplied for each attribute.
|
|
||||||
# Defaults to false.
|
|
||||||
# raw_value - If true, enumerated attribute values are provided as numeric
|
|
||||||
# values. Defaults to false.
|
|
||||||
# data - Send custom freeform data in the HTTP body. Content-type
|
|
||||||
# may be specified with 'body'. Will be expanded.
|
|
||||||
# Values from expansion will not be escaped, this should be
|
|
||||||
# done using the appropriate xlat method e.g. %{urlencode:<attr>}.
|
|
||||||
# force_to - Force the response to be decoded with this decoder.
|
|
||||||
# May be 'plain' (creates reply:REST-HTTP-Body), 'post'
|
|
||||||
# or 'json'.
|
|
||||||
# tls - TLS settings for HTTPS.
|
|
||||||
# auth - HTTP auth method to use, one of 'none', 'srp', 'basic',
|
|
||||||
# 'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
|
|
||||||
# 'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
|
|
||||||
# username - User to authenticate as, will be expanded.
|
|
||||||
# password - Password to use for authentication, will be expanded.
|
|
||||||
# require_auth - Require HTTP authentication.
|
|
||||||
# timeout - HTTP request timeout in seconds, defaults to 4.0.
|
|
||||||
# chunk - Chunk size to use. If set, HTTP chunked encoding is used to
|
|
||||||
# send data to the REST server. Make sure that this is large
|
|
||||||
# enough to fit your largest attribute value's text
|
|
||||||
# representation.
|
|
||||||
# A number like 8192 is good.
|
|
||||||
#
|
|
||||||
# Additional HTTP headers may be specified with control:REST-HTTP-Header.
|
|
||||||
# The values of those attributes should be in the format:
|
|
||||||
#
|
|
||||||
# control:REST-HTTP-Header := "<HTTP attribute>: <value>"
|
|
||||||
#
|
|
||||||
# The control:REST-HTTP-Header attributes will be consumed
|
|
||||||
# (i.e. deleted) after each call to the rest module, and each
|
|
||||||
# %{rest:} expansion. This is so that headers from one REST
|
|
||||||
# call do not affect headers from a different REST call.
|
|
||||||
#
|
|
||||||
# Body encodings are the same for requests and responses
|
|
||||||
#
|
|
||||||
# POST - All attributes and values are urlencoded
|
|
||||||
# [outer.][<list>:]<attribute0>=<value0>&[outer.][<list>:]<attributeN>=<valueN>
|
|
||||||
#
|
|
||||||
# JSON - All attributes and values are escaped according to the JSON specification
|
|
||||||
# - attribute Name of the attribute.
|
|
||||||
# - attr_num Number of the attribute. Only available if the configuration item
|
|
||||||
# 'attr_num' is enabled.
|
|
||||||
# - type Type of the attribute (e.g. "integer", "string", "ipaddr", "octets", ...).
|
|
||||||
# - value Attribute value, for enumerated attributes the human readable value is
|
|
||||||
# provided and not the numeric value (Depends on the 'raw_value' config item).
|
|
||||||
# {
|
|
||||||
# "<attribute0>":{
|
|
||||||
# "attr_num":<attr_num0>,
|
|
||||||
# "type":"<type0>",
|
|
||||||
# "value":[<value0>,<value1>,<valueN>]
|
|
||||||
# },
|
|
||||||
# "<attribute1>":{
|
|
||||||
# "attr_num":<attr_num1>,
|
|
||||||
# "type":"<type1>",
|
|
||||||
# "value":[...]
|
|
||||||
# },
|
|
||||||
# "<attributeN>":{
|
|
||||||
# "attr_num":<attr_numN>,
|
|
||||||
# "type":"<typeN>",
|
|
||||||
# "value":[...]
|
|
||||||
# },
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# The response format adds three optional fields:
|
|
||||||
# - do_xlat If true, any values will be xlat expanded. Defaults to true.
|
|
||||||
# - is_json If true, any nested JSON data will be copied to the attribute
|
|
||||||
# in string form. Defaults to true.
|
|
||||||
# - op Controls how the attribute is inserted into the target list.
|
|
||||||
# Defaults to ':='. To create multiple attributes from multiple
|
|
||||||
# values, this should be set to '+=', otherwise only the last
|
|
||||||
# value will be used, and it will be assigned to a single
|
|
||||||
# attribute.
|
|
||||||
# {
|
|
||||||
# "<attribute0>":{
|
|
||||||
# "is_json":<bool>,
|
|
||||||
# "do_xlat":<bool>,
|
|
||||||
# "op":"<operator>",
|
|
||||||
# "value":[<value0>,<value1>,<valueN>]
|
|
||||||
# },
|
|
||||||
# "<attribute1>":"value",
|
|
||||||
# "<attributeN>":{
|
|
||||||
# "value":[<value0>,<value1>,<valueN>],
|
|
||||||
# "op":"+="
|
|
||||||
# }
|
|
||||||
# }
|
|
||||||
|
|
||||||
#
|
|
||||||
# Module return codes are determined by HTTP response codes. These vary depending on the
|
|
||||||
# section.
|
|
||||||
#
|
|
||||||
# If the body is processed and found to be malformed or unsupported fail will be returned.
|
|
||||||
# If the body is processed and found to contain attribute updated will be returned,
|
|
||||||
# except in the case of a 401 code.
|
|
||||||
#
|
|
||||||
|
|
||||||
# Authorize/Authenticate
|
|
||||||
#
|
|
||||||
# Code Meaning Process body Module code
|
|
||||||
# 404 not found no notfound
|
|
||||||
# 410 gone no notfound
|
|
||||||
# 403 forbidden no userlock
|
|
||||||
# 401 unauthorized yes reject
|
|
||||||
# 204 no content no ok
|
|
||||||
# 2xx successful yes ok/updated
|
|
||||||
# 5xx server error no fail
|
|
||||||
# xxx - no invalid
|
|
||||||
#
|
|
||||||
# The status code is held in %{reply:REST-HTTP-Status-Code}.
|
|
||||||
#
|
|
||||||
authorize {
|
|
||||||
uri = "${..connect_uri}radius/auth"
|
|
||||||
method = 'post'
|
|
||||||
body = 'json'
|
|
||||||
data = '{"ip": "%{Packet-Src-IP-Address}", "hotspot-group": "%{raw:Called-Station-Id}", "hotspot-id": "%{raw:NAS-Identifier}"}'
|
|
||||||
force_to = 'json'
|
|
||||||
auth = 'none'
|
|
||||||
require_auth = no
|
|
||||||
timeout = 4.000000
|
|
||||||
}
|
|
||||||
# authorize {
|
|
||||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize"
|
|
||||||
# method = 'get'
|
|
||||||
# tls = ${..tls}
|
|
||||||
# }
|
|
||||||
# authenticate {
|
|
||||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate"
|
|
||||||
# method = 'get'
|
|
||||||
# tls = ${..tls}
|
|
||||||
# }
|
|
||||||
|
|
||||||
# Preacct/Accounting/Post-auth/Pre-Proxy/Post-Proxy
|
|
||||||
#
|
|
||||||
# Code Meaning Process body Module code
|
|
||||||
# 204 no content no ok
|
|
||||||
# 2xx successful yes ok/updated
|
|
||||||
# 5xx server error no fail
|
|
||||||
# xxx - no invalid
|
|
||||||
# preacct {
|
|
||||||
# uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=preacct"
|
|
||||||
# method = 'post'
|
|
||||||
# tls = ${..tls}
|
|
||||||
# }
|
|
||||||
# accounting {
|
|
||||||
# uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=accounting"
|
|
||||||
# method = 'post'
|
|
||||||
# tls = ${..tls}
|
|
||||||
# }
|
|
||||||
# post-auth {
|
|
||||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
|
|
||||||
# method = 'post'
|
|
||||||
# tls = ${..tls}
|
|
||||||
# }
|
|
||||||
# pre-proxy {
|
|
||||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=pre-proxy"
|
|
||||||
# method = 'post'
|
|
||||||
# tls = ${..tls}
|
|
||||||
# }
|
|
||||||
# post-proxy {
|
|
||||||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-proxy"
|
|
||||||
# method = 'post'
|
|
||||||
# tls = ${..tls}
|
|
||||||
# }
|
|
||||||
|
|
||||||
#
|
|
||||||
# The connection pool is used to pool outgoing connections.
|
|
||||||
#
|
|
||||||
pool {
|
|
||||||
# Connections to create during module instantiation.
|
|
||||||
# If the server cannot create specified number of
|
|
||||||
# connections during instantiation it will exit.
|
|
||||||
# Set to 0 to allow the server to start without the
|
|
||||||
# web service being available.
|
|
||||||
start = ${thread[pool].start_servers}
|
|
||||||
|
|
||||||
# Minimum number of connections to keep open
|
|
||||||
min = ${thread[pool].min_spare_servers}
|
|
||||||
|
|
||||||
# Maximum number of connections
|
|
||||||
#
|
|
||||||
# If these connections are all in use and a new one
|
|
||||||
# is requested, the request will NOT get a connection.
|
|
||||||
#
|
|
||||||
# Setting 'max' to LESS than the number of threads means
|
|
||||||
# that some threads may starve, and you will see errors
|
|
||||||
# like 'No connections available and at max connection limit'
|
|
||||||
#
|
|
||||||
# Setting 'max' to MORE than the number of threads means
|
|
||||||
# that there are more connections than necessary.
|
|
||||||
max = ${thread[pool].max_servers}
|
|
||||||
|
|
||||||
# Spare connections to be left idle
|
|
||||||
#
|
|
||||||
# NOTE: Idle connections WILL be closed if "idle_timeout"
|
|
||||||
# is set. This should be less than or equal to "max" above.
|
|
||||||
spare = ${thread[pool].max_spare_servers}
|
|
||||||
|
|
||||||
# Number of uses before the connection is closed
|
|
||||||
#
|
|
||||||
# 0 means "infinite"
|
|
||||||
uses = 0
|
|
||||||
|
|
||||||
# The number of seconds to wait after the server tries
|
|
||||||
# to open a connection, and fails. During this time,
|
|
||||||
# no new connections will be opened.
|
|
||||||
retry_delay = 30
|
|
||||||
|
|
||||||
# The lifetime (in seconds) of the connection
|
|
||||||
lifetime = 0
|
|
||||||
|
|
||||||
# idle timeout (in seconds). A connection which is
|
|
||||||
# unused for this length of time will be closed.
|
|
||||||
idle_timeout = 60
|
|
||||||
|
|
||||||
# NOTE: All configuration settings are enforced. If a
|
|
||||||
# connection is closed because of "idle_timeout",
|
|
||||||
# "uses", or "lifetime", then the total number of
|
|
||||||
# connections MAY fall below "min". When that
|
|
||||||
# happens, it will open a new connection. It will
|
|
||||||
# also log a WARNING message.
|
|
||||||
#
|
|
||||||
# The solution is to either lower the "min" connections,
|
|
||||||
# or increase lifetime/idle_timeout.
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,371 +0,0 @@
|
|||||||
# -*- text -*-
|
|
||||||
##
|
|
||||||
## mods-available/sql -- SQL modules
|
|
||||||
##
|
|
||||||
## $Id: 7bcb664d32fecca0cd20c1d81bac13f0e1b9991b $
|
|
||||||
|
|
||||||
######################################################################
|
|
||||||
#
|
|
||||||
# Configuration for the SQL module
|
|
||||||
#
|
|
||||||
# The database schemas and queries are located in subdirectories:
|
|
||||||
#
|
|
||||||
# sql/<DB>/main/schema.sql Schema
|
|
||||||
# sql/<DB>/main/queries.conf Authorisation and Accounting queries
|
|
||||||
#
|
|
||||||
# Where "DB" is mysql, mssql, oracle, or postgresql.
|
|
||||||
#
|
|
||||||
# The name used to query SQL is sql_user_name, which is set in the file
|
|
||||||
#
|
|
||||||
# raddb/mods-config/sql/main/${dialect}/queries.conf
|
|
||||||
#
|
|
||||||
# If you are using realms, that configuration should be changed to use
|
|
||||||
# the Stripped-User-Name attribute. See the comments around sql_user_name
|
|
||||||
# for more information.
|
|
||||||
#
|
|
||||||
|
|
||||||
sql {
|
|
||||||
#
|
|
||||||
# The dialect of SQL being used.
|
|
||||||
#
|
|
||||||
# Allowed dialects are:
|
|
||||||
#
|
|
||||||
# mssql
|
|
||||||
# mysql
|
|
||||||
# oracle
|
|
||||||
# postgresql
|
|
||||||
# sqlite
|
|
||||||
# mongo
|
|
||||||
#
|
|
||||||
dialect = "postgresql"
|
|
||||||
|
|
||||||
#
|
|
||||||
# The driver module used to execute the queries. Since we
|
|
||||||
# don't know which SQL drivers are being used, the default is
|
|
||||||
# "rlm_sql_null", which just logs the queries to disk via the
|
|
||||||
# "logfile" directive, below.
|
|
||||||
#
|
|
||||||
# In order to talk to a real database, delete the next line,
|
|
||||||
# and uncomment the one after it.
|
|
||||||
#
|
|
||||||
# If the dialect is "mssql", then the driver should be set to
|
|
||||||
# one of the following values, depending on your system:
|
|
||||||
#
|
|
||||||
# rlm_sql_db2
|
|
||||||
# rlm_sql_firebird
|
|
||||||
# rlm_sql_freetds
|
|
||||||
# rlm_sql_iodbc
|
|
||||||
# rlm_sql_unixodbc
|
|
||||||
#
|
|
||||||
# driver = "rlm_sql_null"
|
|
||||||
driver = "rlm_sql_${dialect}"
|
|
||||||
|
|
||||||
#
|
|
||||||
# Driver-specific subsections. They will only be loaded and
|
|
||||||
# used if "driver" is something other than "rlm_sql_null".
|
|
||||||
# When a real driver is used, the relevant driver
|
|
||||||
# configuration section is loaded, and all other driver
|
|
||||||
# configuration sections are ignored.
|
|
||||||
#
|
|
||||||
sqlite {
|
|
||||||
# Path to the sqlite database
|
|
||||||
filename = "/etc/freeradius/freeradius.db"
|
|
||||||
|
|
||||||
# How long to wait for write locks on the database to be
|
|
||||||
# released (in ms) before giving up.
|
|
||||||
busy_timeout = 200
|
|
||||||
|
|
||||||
# If the file above does not exist and bootstrap is set
|
|
||||||
# a new database file will be created, and the SQL statements
|
|
||||||
# contained within the bootstrap file will be executed.
|
|
||||||
bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
|
|
||||||
}
|
|
||||||
|
|
||||||
mysql {
|
|
||||||
# If any of the files below are set, TLS encryption is enabled
|
|
||||||
tls {
|
|
||||||
ca_file = "/etc/ssl/certs/my_ca.crt"
|
|
||||||
ca_path = "/etc/ssl/certs/"
|
|
||||||
certificate_file = "/etc/ssl/certs/private/client.crt"
|
|
||||||
private_key_file = "/etc/ssl/certs/private/client.key"
|
|
||||||
cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
|
|
||||||
|
|
||||||
tls_required = yes
|
|
||||||
tls_check_cert = no
|
|
||||||
tls_check_cert_cn = no
|
|
||||||
}
|
|
||||||
|
|
||||||
# If yes, (or auto and libmysqlclient reports warnings are
|
|
||||||
# available), will retrieve and log additional warnings from
|
|
||||||
# the server if an error has occured. Defaults to 'auto'
|
|
||||||
warnings = auto
|
|
||||||
}
|
|
||||||
|
|
||||||
postgresql {
|
|
||||||
|
|
||||||
# unlike MySQL, which has a tls{} connection configuration, postgresql
|
|
||||||
# uses its connection parameters - see the radius_db option below in
|
|
||||||
# this file
|
|
||||||
|
|
||||||
# Send application_name to the postgres server
|
|
||||||
# Only supported in PG 9.0 and greater. Defaults to no.
|
|
||||||
send_application_name = yes
|
|
||||||
|
|
||||||
#
|
|
||||||
# The default application name is "FreeRADIUS - .." with the current version.
|
|
||||||
# The application name can be customized here to any non-zero value.
|
|
||||||
#
|
|
||||||
# application_name = ""
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Configuration for Mongo.
|
|
||||||
#
|
|
||||||
# Note that the Mongo driver is experimental. The FreeRADIUS developers
|
|
||||||
# are unable to help with the syntax of the Mongo queries. Please see
|
|
||||||
# the Mongo documentation for that syntax.
|
|
||||||
#
|
|
||||||
# The Mongo driver supports only the following methods:
|
|
||||||
#
|
|
||||||
# aggregate
|
|
||||||
# findAndModify
|
|
||||||
# findOne
|
|
||||||
# insert
|
|
||||||
#
|
|
||||||
# For examples, see the query files:
|
|
||||||
#
|
|
||||||
# raddb/mods-config/sql/main/mongo/queries.conf
|
|
||||||
# raddb/mods-config/sql/main/ippool/queries.conf
|
|
||||||
#
|
|
||||||
# In order to use findAndModify with an aggretation pipleline, make
|
|
||||||
# sure that you are running MongoDB version 4.2 or greater. FreeRADIUS
|
|
||||||
# assumes that the paramaters passed to the methods are supported by the
|
|
||||||
# version of MongoDB which it is connected to.
|
|
||||||
#
|
|
||||||
mongo {
|
|
||||||
#
|
|
||||||
# The application name to use.
|
|
||||||
#
|
|
||||||
appname = "freeradius"
|
|
||||||
|
|
||||||
#
|
|
||||||
# The TLS parameters here map directly to the Mongo TLS configuration
|
|
||||||
#
|
|
||||||
tls {
|
|
||||||
certificate_file = /path/to/file
|
|
||||||
certificate_password = "password"
|
|
||||||
ca_file = /path/to/file
|
|
||||||
ca_dir = /path/to/directory
|
|
||||||
crl_file = /path/to/file
|
|
||||||
weak_cert_validation = false
|
|
||||||
allow_invalid_hostname = false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Connection info:
|
|
||||||
#
|
|
||||||
server = "#PG_HOST#"
|
|
||||||
port = #PG_PORT#
|
|
||||||
login = "#PG_USER#"
|
|
||||||
password = "#PG_PASS#"
|
|
||||||
|
|
||||||
# Connection info for Mongo
|
|
||||||
# Authentication Without SSL
|
|
||||||
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=false"
|
|
||||||
|
|
||||||
# Authentication With SSL
|
|
||||||
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=true"
|
|
||||||
|
|
||||||
# Authentication with Certificate
|
|
||||||
# Use this command for retrieve Derived username:
|
|
||||||
# openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253
|
|
||||||
# server = mongodb://<DERIVED USERNAME>@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509
|
|
||||||
|
|
||||||
# Database table configuration for everything except Oracle
|
|
||||||
radius_db = "#PG_DB#"
|
|
||||||
|
|
||||||
# If you are using Oracle then use this instead
|
|
||||||
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
|
|
||||||
|
|
||||||
# If you're using postgresql this can also be used instead of the connection info parameters
|
|
||||||
# radius_db = "dbname=radius host=localhost user=radius password=raddpass"
|
|
||||||
|
|
||||||
# Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
|
|
||||||
# use SSL connections then use this form of connection info parameter
|
|
||||||
# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"
|
|
||||||
|
|
||||||
# If you want both stop and start records logged to the
|
|
||||||
# same SQL table, leave this as is. If you want them in
|
|
||||||
# different tables, put the start table in acct_table1
|
|
||||||
# and stop table in acct_table2
|
|
||||||
acct_table1 = "radacct"
|
|
||||||
acct_table2 = "radacct"
|
|
||||||
|
|
||||||
# Allow for storing data after authentication
|
|
||||||
postauth_table = "radpostauth"
|
|
||||||
|
|
||||||
# Tables containing 'check' items
|
|
||||||
authcheck_table = "radcheck"
|
|
||||||
groupcheck_table = "radgroupcheck"
|
|
||||||
|
|
||||||
# Tables containing 'reply' items
|
|
||||||
authreply_table = "radreply"
|
|
||||||
groupreply_table = "radgroupreply"
|
|
||||||
|
|
||||||
# Table to keep group info
|
|
||||||
usergroup_table = "radusergroup"
|
|
||||||
|
|
||||||
# If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
|
|
||||||
# If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
|
|
||||||
# read_groups = yes
|
|
||||||
|
|
||||||
# If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
|
|
||||||
# If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
|
|
||||||
# read_profiles = yes
|
|
||||||
|
|
||||||
# Remove stale session if checkrad does not see a double login
|
|
||||||
delete_stale_sessions = yes
|
|
||||||
|
|
||||||
# Write SQL queries to a logfile. This is potentially useful for tracing
|
|
||||||
# issues with authorization queries. See also "logfile" directives in
|
|
||||||
# mods-config/sql/main/*/queries.conf. You can enable per-section logging
|
|
||||||
# by enabling "logfile" there, or global logging by enabling "logfile" here.
|
|
||||||
#
|
|
||||||
# Per-section logging can be disabled by setting "logfile = ''"
|
|
||||||
# logfile = ${logdir}/sqllog.sql
|
|
||||||
|
|
||||||
# Set the maximum query duration and connection timeout
|
|
||||||
# for rlm_sql_mysql.
|
|
||||||
# query_timeout = 5
|
|
||||||
|
|
||||||
# As of v3, the "pool" section has replaced the
|
|
||||||
# following v2 configuration items:
|
|
||||||
#
|
|
||||||
# num_sql_socks
|
|
||||||
# connect_failure_retry_delay
|
|
||||||
# lifetime
|
|
||||||
# max_queries
|
|
||||||
|
|
||||||
#
|
|
||||||
# The connection pool is used to pool outgoing connections.
|
|
||||||
#
|
|
||||||
# When the server is not threaded, the connection pool
|
|
||||||
# limits are ignored, and only one connection is used.
|
|
||||||
#
|
|
||||||
# If you want to have multiple SQL modules re-use the same
|
|
||||||
# connection pool, use "pool = name" instead of a "pool"
|
|
||||||
# section. e.g.
|
|
||||||
#
|
|
||||||
# sql sql1 {
|
|
||||||
# ...
|
|
||||||
# pool {
|
|
||||||
# ...
|
|
||||||
# }
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# # sql2 will use the connection pool from sql1
|
|
||||||
# sql sql2 {
|
|
||||||
# ...
|
|
||||||
# pool = sql1
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
pool {
|
|
||||||
# Connections to create during module instantiation.
|
|
||||||
# If the server cannot create specified number of
|
|
||||||
# connections during instantiation it will exit.
|
|
||||||
# Set to 0 to allow the server to start without the
|
|
||||||
# database being available.
|
|
||||||
start = ${thread[pool].start_servers}
|
|
||||||
|
|
||||||
# Minimum number of connections to keep open
|
|
||||||
min = ${thread[pool].min_spare_servers}
|
|
||||||
|
|
||||||
# Maximum number of connections
|
|
||||||
#
|
|
||||||
# If these connections are all in use and a new one
|
|
||||||
# is requested, the request will NOT get a connection.
|
|
||||||
#
|
|
||||||
# Setting 'max' to LESS than the number of threads means
|
|
||||||
# that some threads may starve, and you will see errors
|
|
||||||
# like 'No connections available and at max connection limit'
|
|
||||||
#
|
|
||||||
# Setting 'max' to MORE than the number of threads means
|
|
||||||
# that there are more connections than necessary.
|
|
||||||
max = ${thread[pool].max_servers}
|
|
||||||
|
|
||||||
# Spare connections to be left idle
|
|
||||||
#
|
|
||||||
# NOTE: Idle connections WILL be closed if "idle_timeout"
|
|
||||||
# is set. This should be less than or equal to "max" above.
|
|
||||||
spare = ${thread[pool].max_spare_servers}
|
|
||||||
|
|
||||||
# Number of uses before the connection is closed
|
|
||||||
#
|
|
||||||
# 0 means "infinite"
|
|
||||||
uses = 0
|
|
||||||
|
|
||||||
# The number of seconds to wait after the server tries
|
|
||||||
# to open a connection, and fails. During this time,
|
|
||||||
# no new connections will be opened.
|
|
||||||
retry_delay = 30
|
|
||||||
|
|
||||||
# The lifetime (in seconds) of the connection
|
|
||||||
lifetime = 0
|
|
||||||
|
|
||||||
# idle timeout (in seconds). A connection which is
|
|
||||||
# unused for this length of time will be closed.
|
|
||||||
idle_timeout = 60
|
|
||||||
|
|
||||||
# NOTE: All configuration settings are enforced. If a
|
|
||||||
# connection is closed because of "idle_timeout",
|
|
||||||
# "uses", or "lifetime", then the total number of
|
|
||||||
# connections MAY fall below "min". When that
|
|
||||||
# happens, it will open a new connection. It will
|
|
||||||
# also log a WARNING message.
|
|
||||||
#
|
|
||||||
# The solution is to either lower the "min" connections,
|
|
||||||
# or increase lifetime/idle_timeout.
|
|
||||||
}
|
|
||||||
|
|
||||||
# Set to 'yes' to read radius clients from the database ('nas' table)
|
|
||||||
# Clients will ONLY be read on server startup.
|
|
||||||
#
|
|
||||||
# A client can be link to a virtual server via the SQL
|
|
||||||
# module. This link is done via the following process:
|
|
||||||
#
|
|
||||||
# If there is no listener in a virtual server, SQL clients
|
|
||||||
# are added to the global list for that virtual server.
|
|
||||||
#
|
|
||||||
# If there is a listener, and the first listener does not
|
|
||||||
# have a "clients=..." configuration item, SQL clients are
|
|
||||||
# added to the global list.
|
|
||||||
#
|
|
||||||
# If there is a listener, and the first one does have a
|
|
||||||
# "clients=..." configuration item, SQL clients are added to
|
|
||||||
# that list. The client { ...} ` configured in that list are
|
|
||||||
# also added for that listener.
|
|
||||||
#
|
|
||||||
# The only issue is if you have multiple listeners in a
|
|
||||||
# virtual server, each with a different client list, then
|
|
||||||
# the SQL clients are added only to the first listener.
|
|
||||||
#
|
|
||||||
# read_clients = yes
|
|
||||||
|
|
||||||
# Table to keep radius client info
|
|
||||||
client_table = "nas"
|
|
||||||
|
|
||||||
#
|
|
||||||
# The group attribute specific to this instance of rlm_sql
|
|
||||||
#
|
|
||||||
|
|
||||||
# This entry should be used for additional instances (sql foo {})
|
|
||||||
# of the SQL module.
|
|
||||||
# group_attribute = "${.:instance}-SQL-Group"
|
|
||||||
|
|
||||||
# This entry should be used for the default instance (sql {})
|
|
||||||
# of the SQL module.
|
|
||||||
group_attribute = "SQL-Group"
|
|
||||||
|
|
||||||
# Read database-specific queries
|
|
||||||
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
|
|
||||||
}
|
|
||||||
File diff suppressed because it is too large
Load Diff
@@ -1,93 +0,0 @@
|
|||||||
# -*- text -*-
|
|
||||||
######################################################################
|
|
||||||
#
|
|
||||||
# Sample configuration file for dynamically updating the list
|
|
||||||
# of RADIUS clients at run time.
|
|
||||||
#
|
|
||||||
# Everything is keyed off of a client "network". (e.g. 192.0.2/24)
|
|
||||||
# This configuration lets the server know that clients within
|
|
||||||
# that network are defined dynamically.
|
|
||||||
#
|
|
||||||
# When the server receives a packet from an unknown IP address
|
|
||||||
# within that network, it tries to find a dynamic definition
|
|
||||||
# for that client. If the definition is found, the IP address
|
|
||||||
# (and other configuration) is added to the server's internal
|
|
||||||
# cache of "known clients", with a configurable lifetime.
|
|
||||||
#
|
|
||||||
# Further packets from that IP address result in the client
|
|
||||||
# definition being found in the cache. Once the lifetime is
|
|
||||||
# reached, the client definition is deleted, and any new requests
|
|
||||||
# from that client are looked up as above.
|
|
||||||
#
|
|
||||||
# If the dynamic definition is not found, then the request is
|
|
||||||
# treated as if it came from an unknown client. i.e. It is
|
|
||||||
# silently discarded.
|
|
||||||
#
|
|
||||||
# As part of protection from Denial of Service (DoS) attacks,
|
|
||||||
# the server will add only one new client per second. This CANNOT
|
|
||||||
# be changed, and is NOT configurable.
|
|
||||||
#
|
|
||||||
# $Id: 0459a7f4b1dc824b1684e9d220a0410c69b3248a $
|
|
||||||
#
|
|
||||||
######################################################################
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# This is the virtual server referenced above by "dynamic_clients".
|
|
||||||
server dynamic_clients {
|
|
||||||
|
|
||||||
#
|
|
||||||
# The only contents of the virtual server is the "authorize" section.
|
|
||||||
authorize {
|
|
||||||
|
|
||||||
#
|
|
||||||
# Put any modules you want here. SQL, LDAP, "exec",
|
|
||||||
# Perl, etc. The only requirements is that the
|
|
||||||
# attributes MUST go into the control item list.
|
|
||||||
#
|
|
||||||
# The request that is processed through this section
|
|
||||||
# is EMPTY. There are NO attributes. The request is fake,
|
|
||||||
# and is NOT the packet that triggered the lookup of
|
|
||||||
# the dynamic client.
|
|
||||||
#
|
|
||||||
# The ONLY piece of useful information is either
|
|
||||||
#
|
|
||||||
# Packet-Src-IP-Address (IPv4 clients)
|
|
||||||
# Packet-Src-IPv6-Address (IPv6 clients)
|
|
||||||
#
|
|
||||||
# The attributes used to define a dynamic client mirror
|
|
||||||
# the configuration items in the "client" structure.
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# Example 1: Hard-code a client IP. This example is
|
|
||||||
# useless, but it documents the attributes
|
|
||||||
# you need.
|
|
||||||
#
|
|
||||||
if ("%{raw:NAS-Identifier}") {
|
|
||||||
if ("%{sql: select count(*) from nas where shortname='%{raw:NAS-Identifier}'}" == 1) {
|
|
||||||
update control {
|
|
||||||
&FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
|
|
||||||
&FreeRADIUS-Client-Require-MA = no
|
|
||||||
&FreeRADIUS-Client-Secret = "%{sql: select nas.secret from nas where shortname='%{raw:NAS-Identifier}'}"
|
|
||||||
&FreeRADIUS-Client-Shortname = "%{sql: select shortname from nas where shortname='%{raw:NAS-Identifier}'}"
|
|
||||||
&FreeRADIUS-Client-NAS-Type = "other"
|
|
||||||
}
|
|
||||||
ok
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
rest
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
reject
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Tell the caller that the client was defined properly.
|
|
||||||
#
|
|
||||||
# If the authorize section does NOT return "ok", then
|
|
||||||
# the new client is ignored.
|
|
||||||
ok
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Reference in New Issue
Block a user