From 2c13e0d224c441dd7e9601a5f53665b65a60dfb7 Mon Sep 17 00:00:00 2001 
From: Jakob Lechner Date: Thu, 4 Aug 2022 03:02:35 +0000 Subject: [PATCH] Remove unused modules --- .../raddb/mods-available/README.rst | 116 --- .../raddb/mods-available/abfab_psk_sql | 15 - .../raddb/mods-available/cache | 132 ---- .../raddb/mods-available/couchbase | 205 ------ .../raddb/mods-available/counter | 82 --- .../raddb/mods-available/cui | 53 -- .../raddb/mods-available/detail.example.com | 27 - .../raddb/mods-available/dhcp | 19 - .../raddb/mods-available/dhcp_files | 56 -- .../raddb/mods-available/dhcp_passwd | 20 - .../raddb/mods-available/dhcp_sql | 92 --- .../raddb/mods-available/dhcp_sqlippool | 101 --- .../raddb/mods-available/etc_group | 28 - .../raddb/mods-available/idn | 28 - .../raddb/mods-available/inner-eap | 107 --- .../raddb/mods-available/ippool | 66 -- .../raddb/mods-available/krb5 | 82 --- .../raddb/mods-available/ldap | 666 ------------------ .../raddb/mods-available/mac2ip | 25 - .../raddb/mods-available/mac2vlan | 18 - .../mods-available/moonshot-targeted-ids | 57 -- .../raddb/mods-available/opendirectory | 26 - .../raddb/mods-available/otp | 75 -- .../raddb/mods-available/pam | 26 - .../raddb/mods-available/perl | 94 --- .../raddb/mods-available/python | 65 -- .../raddb/mods-available/python3 | 65 -- .../raddb/mods-available/redis | 99 --- .../raddb/mods-available/rediswho | 52 -- .../raddb/mods-available/rest | 290 -------- .../raddb/mods-available/smbpasswd | 16 - .../raddb/mods-available/smsotp | 94 --- .../raddb/mods-available/sometimes | 12 - .../raddb/mods-available/sql | 366 ---------- .../raddb/mods-available/sql_map | 49 -- .../raddb/mods-available/sqlcounter | 115 --- .../raddb/mods-available/sqlippool | 115 --- .../raddb/mods-available/unbound | 4 - .../raddb/mods-available/wimax | 165 ----- .../raddb/mods-available/yubikey | 158 ----- 40 files changed, 3881 deletions(-) delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/README.rst delete mode 100644 
pkgs/fablab/freeradius-anon-access/raddb/mods-available/abfab_psk_sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/couchbase delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/counter delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/cui delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.example.com delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_files delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_passwd delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sqlippool delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/etc_group delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/idn delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/inner-eap delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/ippool delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/krb5 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/ldap delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2ip delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2vlan delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/moonshot-targeted-ids delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/opendirectory delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/otp delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/pam delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/perl 
delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/python delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/python3 delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/redis delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/rediswho delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/rest delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/smbpasswd delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/smsotp delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/sometimes delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql_map delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlcounter delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlippool delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/unbound delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/wimax delete mode 100644 pkgs/fablab/freeradius-anon-access/raddb/mods-available/yubikey diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/README.rst b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/README.rst deleted file mode 100644 index 79ed5c3..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/README.rst +++ /dev/null 
@@ -1,116 +0,0 @@ -Modules in Version 3 -==================== - -As of Version 3, all of the modules have been placed in the -"mods-available/" directory. This practice follows that used by other -servers such as Nginx, Apache, etc. The "modules" directory should -not be used. - -Modules are enabled by creating a file in the mods-enabled/ directory. -You can also create a soft-link from one directory to another:: - - $ cd raddb/mods-enabled - $ ln -s ../mods-available/foo - -This will enable module "foo". Be sure that you have configured the -module correctly before enabling it, otherwise the server will not -start. You can verify the server configuration by running -"radiusd -XC". - -A large number of modules are enabled by default. This allows the -server to work with the largest number of authentication protocols. -Please be careful when disabling modules. You will likely need to -edit the "sites-enabled/" files to remove references to any disabled -modules. - -Conditional Modules -------------------- - -Version 3 allows modules to be conditionally loaded. This is useful -when you want to have a virtual server which references a module, but -does not require it. Instead of editing the virtual server file, you -can just conditionally enable the module. - -Modules are conditionally enabled by adding a "-" before their name in -a virtual server. For example, you can do:: - - server { - authorize { - ... - ldap - -sql - ... - } - } - -This says "require the LDAP module, but use the SQL module only if it -is configured." - -This feature is not very useful for production configurations. It is, -however, very useful for the default examples that ship with the -server. - -Ignoring module ---------------- - -If you see this message:: - - Ignoring module (see raddb/mods-available/README.rst) - -Then you are in the right place. Most of the time this message can be -ignored. 
The message can be fixed by finding the references to "-module" -in the virtual server, and deleting them. - -Another way to fix it is to configure the module, as described above. - -Simplification --------------- - -Allowing conditional modules simplifies the default virtual servers -that are shipped with FreeRADIUS. This means that if you want to -enable LDAP (for example), you no longer need to edit the files in -raddb/sites-available/ in order to enable it. - -Instead, you should edit the raddb/mods-available/ldap file to point -to your local LDAP server. Then, enable the module via the soft-link -method described above. - -Once the module is enabled, it will automatically be used in the -default configuration. - -Multiple Instances ------------------- - -It is sometimes necessary to have the same module do two different -things. The server supports this functionality via "instances" of -modules. - -Normally, a module configuration looks like this: - - sql { - ... sql stuff ... - } - -This module is then refereed to as the "sql" module. - - -But what happens if you want to connect to two different SQL -databases? The solution is simple; copy the "sql" module -configuration, and add an instance name after the "sql" string: - - sql mysql1 { - ... configuration for connecting to mysql11 ... - } - - sql mysql2 { - ... configuration for connecting to mysql12 ... - } - -This configuration says "load the SQL module, but create two copies of -it, with different configurations". The different configurations can -be referred to by name, as "mysql1" and "mysql2". That is, anywhere -you would normally use "sql", you could use either "mysql1" or -"mysql2". - -For further examples of using module instances, see the "attr_filter" -module configuration in this directory. diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/abfab_psk_sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/abfab_psk_sql deleted file mode 100644 index d02e3b7..0000000 
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/abfab_psk_sql +++ /dev/null @@ -1,15 +0,0 @@ -# -*- text -*- -## -## Module for PSK authorizations from ABFAB trust router -## -## $Id: d75130da8a9faeb9712619bf49e68afadc30b73a $ - -sql psksql { - - driver = "rlm_sql_sqlite" - - sqlite { - filename = "/var/lib/trust_router/keys" - } - -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache deleted file mode 100644 index 565bdf5..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cache +++ /dev/null 
@@ -1,132 +0,0 @@ -# -*- text -*- -# -# $Id: 8bd4730cf570fdfedc9c516dc6974eab39981600 $ - -# -# A module to cache attributes. The idea is that you can look -# up information in a database, and then cache it. Repeated -# requests for the same information will then have the cached -# values added to the request. -# -# The module can cache a fixed set of attributes per key. -# It can be listed in "authorize", "post-auth", "pre-proxy" -# and "post-proxy". -# -# If you want different things cached for authorize and post-auth, -# you will need to define two instances of the "cache" module. -# -# The module returns "ok" if it found or created a cache entry. -# The module returns "updated" if it merged a cached entry. -# The module returns "noop" if it did nothing. -# The module returns "fail" on error. -# -cache { - # The backend datastore used to store the cache entries. - # Current datastores are - # rlm_cache_rbtree - An in memory, non persistent rbtree based datastore. - # Useful for caching data locally. - # rlm_cache_memcached - A non persistent "webscale" distributed datastore. - # Useful if the cached data need to be shared between - # a cluster of RADIUS servers. -# driver = "rlm_cache_rbtree" - - # - # Some drivers accept specific options, to set them a - # config section with the the name as the driver should be added - # to the cache instance. - # - # Driver specific options are: - # -# memcached { -# # Memcached configuration options, as documented here: -# # http://docs.libmemcached.org/libmemcached_configuration.html#memcached -# options = "--SERVER=localhost" -# -# pool { -# start = ${thread[pool].start_servers} -# min = ${thread[pool].min_spare_servers} -# max = ${thread[pool].max_servers} -# spare = ${thread[pool].max_spare_servers} -# uses = 0 -# lifetime = 0 -# idle_timeout = 60 -# } -# } - - # The key used to index the cache. It is dynamically expanded - # at run time. - key = "%{User-Name}" - - # The TTL of cache entries, in seconds. 
Entries older than this - # will be expired. - # - # This value should be between 10 and 86400. - ttl = 10 - - # If yes the following attributes will be added to the request: - # * &request:Cache-Entry-Hits - The number of times this entry - # has been retrieved. - # - # Note: Not supported by the rlm_cache_memcached module. - add_stats = no - - # - # The list of attributes to cache for a particular key. - # - # Each key gets the same set of cached attributes. The attributes - # are dynamically expanded at run time. - # - # The semantics of this construct are identical to an unlang - # update block, except the left hand side of the expression - # represents the cache entry. see man unlang for more information - # on update blocks. - # - # Note: Only request, reply, control and session-state lists - # are available in cache entries. Attempting to store attributes - # in other lists will raise an error during config validation. - # - update { - # : - - # Cache all instances of Reply-Message in the reply list - &reply:Reply-Message += &reply:Reply-Message[*] - - # Add our own to show when the cache was last updated - &reply:Reply-Message += "Cache last updated at %t" - - &reply:Class := "%{randstr:ssssssssssssssssssssssssssssssss}" - } - - # This module supports a number of runtime configuration parameters - # represented by attributes in the &control: list. - # - # &control:Cache-TTL - Sets the TTL of an entry to be created, or - # modifies the TTL of an existing entry. - # - Setting a Cache-TTL of > 0 means set the TTL of the entry to - # the new value (and reset the expiry timer). - # - Setting a Cache-TTL of < 0 means expire the existing entry - # (without merging) and create a new one with TTL set to - # value * -1. - # - Setting a Cache-TTL of 0 means expire the existing entry - # (without merging) and don't create a new one. 
- # - # &control:Cache-Status-Only - If present and set to 'yes' will - # prevent a new entry from being created, and existing entries from - # being merged. It will also alter the module's return codes. - # - The module will return "ok" if a cache entry was found. - # - The module will return "notfound" if no cache entry was found. - # - # &control:Cache-Read-Only - If present and set to 'yes' will - # prevent a new entry from being created, but will allow existing - # entries to be merged. It will also alter the module's return codes. - # - The module will return "updated" if a cache entry was found. - # - The module will return "notfound" if no cache was found. - # - # &control:Cache-Merge - If present and set to 'yes' will merge new - # cache entries into the current request. Useful if results - # of execs or expansions are stored directly in the cache. - # - # All runtime configuration attributes will be removed from the - # &control: list after the cache module is called. - -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/couchbase b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/couchbase deleted file mode 100644 index b83daea..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/couchbase +++ /dev/null 
@@ -1,205 +0,0 @@ -couchbase { - # - # List of Couchbase hosts (hosts may be space, tab, comma or semi-colon separated). - # Ports are optional if servers are listening on the standard port. - # Complete pool urls are preferred. - # - server = "http://cb01.blargs.com:8091/pools/ http://cb04.blargs.com:8091/pools/" - - # Couchbase bucket name - bucket = "radius" - - # Couchbase bucket password (optional) - #password = "password" - - # Couchbase accounting document key (unlang supported) - acct_key = "radacct_%{%{Acct-Unique-Session-Id}:-%{Acct-Session-Id}}" - - # Value for the 'docType' element in the json body for accounting documents - doctype = "radacct" - - ## Accounting document expire time in seconds (0 = never) - expire = 2592000 - - # - # Map attribute names to json element names for accounting. - # - # Configuration items are in the format: - # = '' - # - # Element names should be single quoted. - # - # Note: Attributes not in this map will not be recorded. - # - update { - Acct-Session-Id = 'sessionId' - Acct-Unique-Session-Id = 'uniqueId' - Acct-Status-Type = 'lastStatus' - Acct-Authentic = 'authentic' - User-Name = 'userName' - Stripped-User-Name = 'strippedUserName' - Stripped-User-Domain = 'strippedUserDomain' - Realm = 'realm' - NAS-IP-Address = 'nasIpAddress' - NAS-Identifier = 'nasIdentifier' - NAS-Port = 'nasPort' - Called-Station-Id = 'calledStationId' - Called-Station-SSID = 'calledStationSSID' - Calling-Station-Id = 'callingStationId' - Framed-Protocol = 'framedProtocol' - Framed-IP-Address = 'framedIpAddress' - NAS-Port-Type = 'nasPortType' - Connect-Info = 'connectInfo' - Acct-Session-Time = 'sessionTime' - Acct-Input-Packets = 'inputPackets' - Acct-Output-Packets = 'outputPackets' - Acct-Input-Octets = 'inputOctets' - Acct-Output-Octets = 'outputOctets' - Acct-Input-Gigawords = 'inputGigawords' - Acct-Output-Gigawords = 'outputGigawords' - Event-Timestamp = 'lastUpdated' - } - - # Couchbase document key for user documents (unlang supported) - 
user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}" - - # Set to 'yes' to read radius clients from the Couchbase view specified below. - # NOTE: Clients will ONLY be read on server startup. - #read_clients = no - - # - # Map attribute names to json element names when loading clients. - # - # Configuration follows the same rules as the accounting map above. - # - client { - # Couchbase view that should return all available client documents. - view = "_design/client/_view/by_id" - - # - # Sets default values (not obtained from couchbase) for new client entries - # - template { -# login = 'test' -# password = 'test' -# proto = tcp -# require_message_authenticator = yes - - # Uncomment to add a home_server with the same - # attributes as the client. -# coa_server { -# response_window = 2.0 -# } - } - - # - # Client mappings are in the format: - # = '' - # - # Element names should be single quoted. - # - # The following attributes are required: - # * ipaddr | ipv4addr | ipv6addr - Client IP Address. - # * secret - RADIUS shared secret. - # - # All attributes usually supported in a client - # definition are also supported here. - # - attribute { - ipaddr = 'clientIdentifier' - secret = 'clientSecret' - shortname = 'clientShortname' - nas_type = 'nasType' - virtual_server = 'virtualServer' - require_message_authenticator = 'requireMessageAuthenticator' - limit { - max_connections = 'maxConnections' - lifetime = 'clientLifetime' - idle_timeout = 'idleTimeout' - } - } - } - - # Set to 'yes' to enable simultaneous use checking (multiple logins). - # NOTE: This will cause the execution of a view request on every check - # and may be a performance penalty. -# check_simul = no - - # Couchbase view that should return all account documents keyed by username. -# simul_view = "_design/acct/_view/by_user" - - # The key to the above view. - # NOTE: This will need to match EXACTLY what you emit from your view. 
-# simul_vkey = "%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}" - - # Set to 'yes' to enable verification of the results returned from the above view. - # NOTE: This may be an additional performance penalty to the actual check and - # should be avoided unless absolutely neccessary. -# verify_simul = no - - # Remove stale session if checkrad does not see a double login. - # NOTE: This will only be executed if both check_simul and verify_simul - # are set to 'yes' above. -# delete_stale_sessions = yes - - # - # The connection pool is new for 3.0, and will be used in many - # modules, for all kinds of connection-related activity. - # - pool { - # Connections to create during module instantiation. - # If the server cannot create specified number of - # connections during instantiation it will exit. - # Set to 0 to allow the server to start without the - # couchbase being available. - start = ${thread[pool].start_servers} - - # Minimum number of connections to keep open - min = ${thread[pool].min_spare_servers} - - # Maximum number of connections - # - # If these connections are all in use and a new one - # is requested, the request will NOT get a connection. - # - # Setting 'max' to LESS than the number of threads means - # that some threads may starve, and you will see errors - # like 'No connections available and at max connection limit' - # - # Setting 'max' to MORE than the number of threads means - # that there are more connections than necessary. - max = ${thread[pool].max_servers} - - # Spare connections to be left idle - # - # NOTE: Idle connections WILL be closed if "idle_timeout" - # is set. This should be less than or equal to "max" above. - spare = ${thread[pool].max_spare_servers} - - # Number of uses before the connection is closed - # - # 0 means "infinite" - uses = 0 - - # The lifetime (in seconds) of the connection - # - # NOTE: A setting of 0 means infinite (no limit). - lifetime = 0 - - # The idle timeout (in seconds). 
A connection which is - # unused for this length of time will be closed. - # - # NOTE: A setting of 0 means infinite (no timeout). - idle_timeout = 1200 - - # NOTE: All configuration settings are enforced. If a - # connection is closed because of "idle_timeout", - # "uses", or "lifetime", then the total number of - # connections MAY fall below "min". When that - # happens, it will open a new connection. It will - # also log a WARNING message. - # - # The solution is to either lower the "min" connections, - # or increase lifetime/idle_timeout. - } -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/counter b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/counter deleted file mode 100644 index 54a1e00..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/counter +++ /dev/null 
@@ -1,82 +0,0 @@ -# -*- text -*- -# -# $Id: a5ac1e60ef117a2c59ace1a9d061d8f70d1da538 $ - -# counter module: -# This module takes an attribute (count-attribute). -# It also takes a key, and creates a counter for each unique -# key. The count is incremented when accounting packets are -# received by the server. The value of the increment depends -# on the attribute type. -# If the attribute is Acct-Session-Time or of an integer type we add -# the value of the attribute. If it is anything else we increase the -# counter by one. -# -# The 'reset' parameter defines when the counters are all reset to -# zero. It can be hourly, daily, weekly, monthly or never. -# -# hourly: Reset on 00:00 of every hour -# daily: Reset on 00:00:00 every day -# weekly: Reset on 00:00:00 on sunday -# monthly: Reset on 00:00:00 of the first day of each month -# -# It can also be user defined. It should be of the form: -# num[hdwm] where: -# h: hours, d: days, w: weeks, m: months -# If the letter is omitted days will be assumed. In example: -# reset = 10h (reset every 10 hours) -# reset = 12 (reset every 12 days) -# -# -# The check_name attribute defines an attribute which will be -# registered by the counter module and can be used to set the -# maximum allowed value for the counter after which the user -# is rejected. -# Something like: -# -# DEFAULT Max-Daily-Session := 36000 -# Fall-Through = 1 -# -# You should add the counter module in the instantiate -# section so that it registers check_name before the files -# module reads the users file. -# -# If check_name is set and the user is to be rejected then we -# send back a Reply-Message and we log a Failure-Message in -# the radius.log -# -# If the count attribute is Acct-Session-Time then on each -# login we send back the remaining online time as a -# Session-Timeout attribute ELSE and if the reply_name is -# set, we send back that attribute. The reply_name attribute -# MUST be of an integer type. 
-# -# The counter-name can also be used instead of using the check_name -# like below: -# -# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject -# Reply-Message = "You've used up more than one hour today" -# -# The allowed_service_type attribute can be used to only take -# into account specific sessions. For example if a user first -# logs in through a login menu and then selects ppp there will -# be two sessions. One for Login-User and one for Framed-User -# service type. We only need to take into account the second one. -# -# The module should be added in the instantiate, authorize and -# accounting sections. Make sure that in the authorize -# section it comes after any module which sets the -# 'check_name' attribute. -# -counter daily { - filename = ${db_dir}/db.daily - key = User-Name - count_attribute = Acct-Session-Time - reset = daily - counter_name = Daily-Session-Time - check_name = Max-Daily-Session - reply_name = Session-Timeout - allowed_service_type = Framed-User - cache_size = 5000 -} - diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cui b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cui deleted file mode 100644 index b7c4392..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/cui +++ /dev/null 
@@ -1,53 +0,0 @@ -# -*- text -*- -# -# $Id: 54842d4106800babe8db1d58d2e8b7a5cad017db $ - -# -# Write Chargeable-User-Identity to the database. -# -# Schema raddb/mods-config/sql/cui//schema.sql -# Queries raddb/mods-config/sql/cui//queries.conf -# -sql cuisql { - - # The dialect of SQL you want to use, this should usually match - # the driver below. - # - # If you're using rlm_sql_null, then it should be the type of - # database the logged queries are going to be executed against. - dialect = "sqlite" - - # The sub-module to use to execute queries. This should match - # the database you're attempting to connect to. - # - # There are CUI queries available for: - # * rlm_sql_mysql - # * rlm_sql_postgresql - # * rlm_sql_sqlite - # * rlm_sql_null (log queries to disk) - # - driver = "rlm_sql_${dialect}" - - sqlite { - filename = ${radacctdir}/cui.sqlite - bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql - } - - # Write CUI queries to a logfile. Useful for debugging. -# logfile = ${logdir}/cuilog.sql - - pool { - start = 5 - min = 4 - max = 10 - spare = 3 - uses = 0 - lifetime = 0 - idle_timeout = 60 - } - - cui_table = "cui" - sql_user_name = "%{User-Name}" - - $INCLUDE ${modconfdir}/${.:name}/cui/${dialect}/queries.conf -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.example.com b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.example.com deleted file mode 100644 index 745e1f1..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/detail.example.com +++ /dev/null 
@@ -1,27 +0,0 @@ -# -*- text -*- -# -# Detail file writer, used in the following examples: -# -# raddb/sites-available/robust-proxy-accounting -# raddb/sites-available/decoupled-accounting -# -# Note that this module can write detail files that are read by -# only ONE "listen" section. If you use BOTH of the examples -# above, you will need to define TWO "detail" modules. -# -# e.g. detail1.example.com && detail2.example.com -# -# -# We write *multiple* detail files here. They will be processed by -# the detail "listen" section in the order that they were created. -# The directory containing these files should NOT be used for any -# other purposes. i.e. It should have NO other files in it. -# -# Writing multiple detail enables the server to process the pieces -# in smaller chunks. This helps in certain catastrophic corner cases. -# -# $Id: 827cdf57e70dc2ff2252016194f4bb846eecead2 $ -# -detail detail.example.com { - filename = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp deleted file mode 100644 index d4e9c85..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp +++ /dev/null @@ -1,19 +0,0 @@ -# -*- text -*- -# -# $Id: a4316335d7f73b37ec5aa9278de91d37dd28eddc $ - -# -# This module is useful only for 'xlat'. To use it, -# put 'dhcp' into the 'instantiate' section. -# -# %{dhcp_options:} may be used to decode -# DHCP options data included in RADIUS packets by vendors -# of DHCP to RADIUS gateways. -# -# This is known to work with the following VSAs: -# * Juniper - ERX-Dhcp-Options -# * Alcatel lucent SR - Alc-ToServer-Dhcp-Options -# - Alc-ToClient-Dhcp-Options -# -dhcp { -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_files b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_files deleted file mode 100644 index 58717d5..0000000 
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_files +++ /dev/null @@ -1,56 +0,0 @@ -# -*- text -*- -# -# $Id: 243a241a8d28d8de9696e5364c59e25558789219 $ - -# Instances of the "files" module for managing DHCP options -# -files dhcp_network { - # The file containing network-specific DHCP options mapping - filename = ${modconfdir}/files/dhcp - - # For network lookups we use a fixed key. Matching - # actual networks is done by additional filtering within - # the file - key = "network" -} - -files dhcp_subnet { - # The file containing subnet-specific DHCP options mapping - filename = ${modconfdir}/files/dhcp - - # For subnet lookups we use a fixed key. Matching - # actual subnets is done by additional filtering within - # the file - key = "subnet" -} - -files dhcp_set_group_options { - # An example of looking up DHCP group options. This - # is designed to be called from a policy configured in - # policy.d/dhcp. - # - # If clients are never members of more than one group, - # then this could be simplified such that DHCP-Group-Name - # is used here in place of Foreach-Variable-0 and this - # module instance called directly rather than the policy - - # Use the same file as for subnets - could be split - # for large, complex installations - filename = ${modconfdir}/files/dhcp - - # The key is a temporary string populated by the calling policy - # which uses a foreach loop. - key = "%{Foreach-Variable-0}" -} - -files dhcp_hosts { - # An example of a DHCP host mapping for option setting - - # Use the same file as for subnets - could be split - # for large, complex installations - filename = ${modconfdir}/files/dhcp - - # If a different identifier is needed for looking up - # host specific entries then amend this key. - key = "host-%{DHCP-Client-Hardware-Address}" -} 
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_passwd b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_passwd deleted file mode 100644 index e2adab2..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_passwd +++ /dev/null @@ -1,20 +0,0 @@ -# -*- text -*- -# -# $Id: 7884a00298935db8e33fd9f850c2619e61d9b5a9 $ - -# An instance of the passwd module designed for looking up -# DHCP client membership. This example is based on hardware -# address. -# The "groups" file should be of the format: -# |,, -# |,, -# -# See the passwd module for more details. - -passwd dhcp_group_membership { - filename = "${modconfdir}/files/dhcp_groups" - format = "~DHCP-Group-Name:*,DHCP-Client-Hardware-Address" - hash_size = 100 - allow_multiple_keys = yes - delimiter = "|" -} diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sql deleted file mode 100644 index f2d7446..0000000 --- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sql +++ /dev/null 
@@ -1,92 +0,0 @@
-# -*- text -*-
-##
-## mods-available/sql -- SQL modules
-##
-## $Id: 20dbe3a35be942acaaec8ee0ced7e85786fc46a7 $
-
-######################################################################
-#
-# Configuration for the DHCP-specific instance of the SQL module
-#
-# The database schemas and queries are located in subdirectories:
-#
-# sql/dhcp//schema.sql Schema
-# sql/dhcp//queries.conf Reply options lookup queries
-#
-# Where "DB" is mysql, mssql, oracle, or postgresql.
-#
-
-#
-# See raddb/mods-available/sql for a description of the configuration items
-# for the sql module.
-#
-sql dhcp_sql {
- dialect = "sqlite"
- driver = "rlm_sql_null"
-# driver = "rlm_sql_${dialect}"
-
- sqlite {
- filename = "/tmp/freeradius.db"
- busy_timeout = 200
- bootstrap = "${modconfdir}/${..:name}/dhcp/sqlite/schema.sql"
- }
-
- mysql {
- tls {
- ca_file = "/etc/ssl/certs/my_ca.crt"
- ca_path = "/etc/ssl/certs/"
- certificate_file = "/etc/ssl/certs/private/client.crt"
- private_key_file = "/etc/ssl/certs/private/client.key"
- cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
-
- tls_required = yes
- tls_check_cert = no
- tls_check_cert_cn = no
- }
- warnings = auto
- }
-
- postgresql {
- send_application_name = yes
- }
-
- mongo {
- appname = "freeradius"
- tls {
- certificate_file = /path/to/file
- certificate_password = "password"
- ca_file = /path/to/file
- ca_dir = /path/to/directory
- crl_file = /path/to/file
- weak_cert_validation = false
- allow_invalid_hostname = false
- }
- }
-
-# server = "localhost"
-# port = 3306
-# login = "radius"
-# password = "radpass"
-
- radius_db = "radius"
-
- dhcpreply_table = "dhcpreply"
- groupreply_table = "dhcpgroupreply"
- dhcpgroup_table = "dhcpgroup"
- read_groups = no
-
- pool {
- start = ${thread[pool].start_servers}
- min = ${thread[pool].min_spare_servers}
- max = ${thread[pool].max_servers}
- spare = ${thread[pool].max_spare_servers}
- uses = 0
- retry_delay = 30
- lifetime = 0
- idle_timeout = 60
- }
-
- group_attribute = 
"${.:instance}-SQL-Group"
-
- $INCLUDE ${modconfdir}/${.:name}/dhcp/${dialect}/queries.conf
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sqlippool b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sqlippool
deleted file mode 100644
index fa2db00..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/dhcp_sqlippool
+++ /dev/null
@@ -1,101 +0,0 @@
-# Configuration for DHCP for the SQL based IP Pools module (rlm_sqlippool).
-#
-# See raddb/mods-available/sqlippool for common configuration explanation
-#
-# See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows
-# the RADIUS based "sqlippool" module to be used for DHCP.
-#
-# See raddb/sites-available/dhcp for instructions on how to configure
-# the DHCP server.
-#
-# The database schemas are available at:
-#
-# raddb/mods-config/sql/ippool-dhcp//schema.sql
-#
-# $Id: 909b93c7ebcbbeb16b123ca38e696790b5771dda $
-
-sqlippool dhcp_sqlippool {
- # SQL instance to use (from mods-available/sql)
- #
- # If you have multiple sql instances, such as "sql sql1 {...}",
- # use the *instance* name here: sql1.
- sql_module_instance = "dhcp_sql"
-
- # This is duplicative of info available in the SQL module, but
- # we have to list it here as we do not yet support nested
- # reference expansions.
- dialect = "mysql"
-
- # Name of the check item attribute to be used as a key in the SQL queries
- pool_name = "Pool-Name"
-
- # SQL table to use for ippool range and lease info
- ippool_table = "dhcpippool"
-
- # The duration for which a lease is reserved whilst under offer
- offer_duration = 10
-
- # IP lease duration. (Leases expire even if no DHCP-Release packet is received)
- # Either use the value to be sent to the client or a hard coded one.
- lease_duration = "%{reply:DHCP-IP-Address-Lease-Time}"
- #lease_duration = 7200
-
- # The attribute in which the IP address is returned in the reply
- attribute_name = "DHCP-Your-IP-Address"
-
- # Assign the IP address, even if the above attribute already exists in
- # the reply.
- #
-# allow_duplicates = no
-
- # The attribute in which an IP address hint may be supplied
- req_attribute_name = "DHCP-Requested-IP-Address"
-
- #
- # RFC 2132 allows the DHCP client to supply a unique
- # identifier ("uid") using Option 61 (DHCP-Client-Identifier)
- # in which case it must be used as the lookup key for
- # configuration data.
- #
- pool_key = "%{%{DHCP-Client-Identifier}:-%{DHCP-Client-Hardware-Address}}"
- #
- # The "uid" is generated by the OS which means that clients
- # whose BMC piggybacks on the main interface (sharing its MAC,
- # but generating a distinct uid) and dual-booting clients can
- # be allocated multiple IPs, consuming more pool entries. To
- # avoid this you can ignore the RFCs and key the configuration
- # data based only on the client MAC address.
- #
- # pool_key = "%{DHCP-Client-Hardware-Address}"
-
- ################################################################
- #
- # WARNING: MySQL (MyISAM) has certain limitations that means it can
- # hand out the same IP address to 2 different users.
- #
- # We suggest using an SQL DB with proper transaction
- # support, such as PostgreSQL, or using MySQL
- # with InnoDB.
- #
- ################################################################
-
- # These messages are added to the "control" items, as
- # Module-Success-Message. They are not logged anywhere else,
- # unlike previous versions. If you want to have them logged
- # to a file, see the "linelog" module, and create an entry
- # which writes Module-Success-Message message.
- #
- messages {
- exists = "DHCP: Existing IP: %{reply:${..attribute_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
-
- success = "DHCP: Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
-
- clear = "DHCP: Released IP %{DHCP-Client-IP-Address} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
-
- failed = "DHCP: IP Allocation FAILED from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
-
- nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
- }
-
- $INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/etc_group b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/etc_group
deleted file mode 100644
index 6aea41b..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/etc_group
+++ /dev/null
@@ -1,28 +0,0 @@
-# -*- text -*-
-#
-# $Id: f58b72f560ba067991d67295b546691bcd992d44 $
-
-# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
-# attribute for every group that the user is member of.
-#
-# You will have to define the Etc-Group-Name in the 'dictionary' file
-# as a 'string' type.
-#
-# The Group and Group-Name attributes are automatically created by
-# the Unix module, and do checking against /etc/group automatically.
-# This means that you CANNOT use Group or Group-Name to do any other
-# kind of grouping in the server. You MUST define a new group
-# attribute.
-#
-# i.e. this module should NOT be used as-is, but should be edited to
-# point to a different group file.
-#
-passwd etc_group {
- filename = /etc/group
- format = "=Etc-Group-Name:::*,User-Name"
- hash_size = 50
- ignore_nislike = yes
- allow_multiple_keys = yes
- delimiter = ":"
-}
-
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/idn b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/idn
deleted file mode 100644
index 31874c5..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/idn
+++ /dev/null
@@ -1,28 +0,0 @@
-# -*- text -*-
-#
-# $Id: 534054077d52a7bb0bf8e02c1e861e5c86b76df9 $
-
-#
-# Internationalised domain names.
-#
-
-# The expansion string: %{idn: example.com} results in an ASCII
-# punycode version of the domain name. That version can then be used
-# for name comparisons. Using an i18n version of the name is NOT
-# RECOMMENDED, as that version is not canonical.
-#
-# i.e. the "same" domain name can be represented in many, many,
-# different ways. Only the idn version has *one* representation.
-#
-idn {
- #
- # Allow use of unassigned Unicode code points.
- #
- allow_unassigned = no
-
- #
- # Prohibit underscores and other invalid characters in domain
- # names.
- use_std3_ascii_rules = yes
-
-}
\ No newline at end of file
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/inner-eap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/inner-eap
deleted file mode 100644
index 83bf460..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/inner-eap
+++ /dev/null
@@ -1,107 +0,0 @@
-# -*- text -*-
-#
-# $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $
-
-#
-# Sample configuration for an EAP module that occurs *inside*
-# of a tunneled method. It is used to limit the EAP types that
-# can occur inside of the inner tunnel.
-#
-# See also raddb/sites-available/inner-tunnel
-#
-# See raddb/mods-available/eap for full documentation on the meaning of these
-# configuration entries.
-#
-eap inner-eap {
- # This is the best choice for PEAP.
- default_eap_type = mschapv2
-
- timer_expire = 60
-
- # This should be the same as the outer eap "max sessions"
- max_sessions = 2048
-
- # Supported EAP-types
- md5 {
- }
-
- gtc {
- # The default challenge, which many clients
- # ignore..
- #challenge = "Password: "
-
- auth_type = PAP
- }
-
- mschapv2 {
- # See eap for documentation
-# send_error = no
- }
-
- # No TTLS or PEAP configuration should be listed here.
-
- ## EAP-TLS
- #
- # You SHOULD use different certificates than are used
- # for the outer EAP configuration!
- #
- # You can create the "inner-server.pem" file by doing:
- #
- # cd raddb/certs
- # vi inner-server.cnf
- # make inner-server
- #
- # The certificate MUST be different from the "server.cnf"
- # file.
- #
- # Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
- # It might work, or it might not.
- #
- tls {
- private_key_password = whatever
- private_key_file = ${certdir}/inner-server.pem
-
- # If Private key & Certificate are located in
- # the same file, then private_key_file &
- # certificate_file must contain the same file
- # name.
- #
- # If ca_file (below) is not used, then the
- # certificate_file below MUST include not
- # only the server certificate, but ALSO all
- # of the CA certificates used to sign the
- # server certificate.
- certificate_file = ${certdir}/inner-server.pem
-
- # You may want different CAs for inner and outer
- # certificates. If so, edit this file.
- ca_file = ${cadir}/ca.pem
-
- cipher_list = "DEFAULT"
-
- # You may want to set a very small fragment size.
- # The TLS data here needs to go inside of the
- # outer EAP-TLS protocol.
- #
- # Try values and see if they work...
- # fragment_size = 1024
-
- # Other needful things
- dh_file = ${certdir}/dh
- random_file = /dev/urandom
-
- # CRL and OCSP things go here. See the main "eap"
- # file for details.
- # check_crl = yes
- # ca_path = /path/to/directory/with/ca_certs/and/crls/
-
- # Accept an expired Certificate Revocation List
- #
-# allow_expired_crl = no
-
- #
- # The session resumption / fast re-authentication
- # cache CANNOT be used for inner sessions.
- #
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ippool b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ippool
deleted file mode 100644
index 8b263bd..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ippool
+++ /dev/null
@@ -1,66 +0,0 @@
-# -*- text -*-
-#
-# $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $
-
-# Do server side ip pool management. Should be added in
-# post-auth and accounting sections.
-#
-# The module also requires the existence of the Pool-Name
-# attribute. That way the administrator can add the Pool-Name
-# attribute in the user profiles and use different pools for
-# different users. The Pool-Name attribute is a *check* item
-# not a reply item.
-#
-# The Pool-Name should be set to the ippool module instance
-# name or to DEFAULT to match any module.
-
-#
-# Example:
-# radiusd.conf: ippool students { [...] }
-# ippool teachers { [...] }
-# users file : DEFAULT Group == students, Pool-Name := "students"
-# DEFAULT Group == teachers, Pool-Name := "teachers"
-# DEFAULT Group == other, Pool-Name := "DEFAULT"
-#
-# Note: If you change the range parameters you must then erase the
-# db files.
-#
-ippool main_pool {
- # The main db file used to allocate addresses.
- filename = ${db_dir}/db.ippool
-
- # The start and end ip addresses for this pool.
- range_start = 192.0.2.1
- range_stop = 192.0.2.254
-
- # The network mask used for this pool.
- netmask = 255.255.255.0
-
- # The gdbm cache size for the db files. Should
- # be equal to the number of ip's available in
- # the ip pool
- cache_size = 800
-
- # Helper db index file used in multilink
- ip_index = ${db_dir}/db.ipindex
-
- # If set, the Framed-IP-Address already in the
- # reply (if any) will be discarded, and replaced
- # ith a Framed-IP-Address assigned here.
- override = no
-
- # Specifies the maximum time in seconds that an
- # entry may be active. If set to zero, means
- # "no timeout". The default value is 0
- maximum_timeout = 0
-
- # The key to use for the session database (which
- # holds the allocated ip's) normally it should
- # just be the nas ip/port (which is the default).
- #
-# If your NAS sends the same value of NAS-Port
-# all requests, the key should be based on some
-# other attribute that is in ALL requests, AND
-# is unique to each machine needing an IP address.
-# key = "%{NAS-IP-Address} %{NAS-Port}"
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/krb5 b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/krb5
deleted file mode 100644
index 1e13225..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/krb5
+++ /dev/null
@@ -1,82 +0,0 @@
-# -*- text -*-
-#
-# $Id: c88b5fbb4b35cc4e61bfb93a616d891fb79ebc0c $
-
-#
-# Kerberos. See doc/modules/rlm_krb5 for minimal docs.
-#
-krb5 {
- #
- # The keytab file MUST be owned by the UID/GID used by the server.
- # The keytab file MUST be writable by the server.
- # The keytab file MUST NOT be readable by other users on the system.
- # The keytab file MUST exist before the server is started.
- #
- keytab = ${localstatedir}/lib/radiusd/keytab
- service_principal = name_of_principle
-
- # Pool of krb5 contexts, this allows us to make the module multithreaded
- # and to avoid expensive operations like resolving and opening keytabs
- # on every request. It may also allow TCP connections to the KDC to be
- # cached if that is supported by the version of libkrb5 used.
- #
- # The context pool is only used if the underlying libkrb5 reported
- # that it was thread safe at compile time.
- #
- pool {
- # Connections to create during module instantiation.
- # If the server cannot create specified number of
- # connections during instantiation it will exit.
- # Set to 0 to allow the server to start without the
- # KDC being available.
- start = ${thread[pool].start_servers}
-
- # Minimum number of connections to keep open
- min = ${thread[pool].min_spare_servers}
-
- # Maximum number of connections
- #
- # If these connections are all in use and a new one
- # is requested, the request will NOT get a connection.
- #
- # Setting 'max' to LESS than the number of threads means
- # that some threads may starve, and you will see errors
- # like 'No connections available and at max connection limit'
- #
- # Setting 'max' to MORE than the number of threads means
- # that there are more connections than necessary.
- max = ${thread[pool].max_servers}
-
- # Spare connections to be left idle
- #
- # NOTE: Idle connections WILL be closed if "idle_timeout"
- # is set. This should be less than or equal to "max" above.
- spare = ${thread[pool].max_spare_servers}
-
- # Number of uses before the connection is closed
- #
- # 0 means "infinite"
- uses = 0
-
- # The lifetime (in seconds) of the connection
- #
- # NOTE: A setting of 0 means infinite (no limit).
- lifetime = 0
-
- # The idle timeout (in seconds). A connection which is
- # unused for this length of time will be closed.
- #
- # NOTE: A setting of 0 means infinite (no timeout).
- idle_timeout = 0
-
- # NOTE: All configuration settings are enforced. If a
- # connection is closed because of "idle_timeout",
- # "uses", or "lifetime", then the total number of
- # connections MAY fall below "min". When that
- # happens, it will open a new connection. It will
- # also log a WARNING message.
- #
- # The solution is to either lower the "min" connections,
- # or increase lifetime/idle_timeout.
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ldap b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ldap
deleted file mode 100644
index 289444f..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/ldap
+++ /dev/null
@@ -1,666 +0,0 @@ -# -*- text -*- -# -# $Id: 015ae6907b8113771691ae3a3c1d53b05756d143 $ - -# -# Lightweight Directory Access Protocol (LDAP) -# -ldap { - # Note that this needs to match the name(s) in the LDAP server - # certificate, if you're using ldaps. See OpenLDAP documentation - # for the behavioral semantics of specifying more than one host. - # - # Depending on the libldap in use, server may be an LDAP URI. - # In the case of OpenLDAP this allows additional the following - # additional schemes: - # - ldaps:// (LDAP over SSL) - # - ldapi:// (LDAP over Unix socket) - # - ldapc:// (Connectionless LDAP) - server = 'localhost' -# server = 'ldap.rrdns.example.org' -# server = 'ldap.rrdns.example.org' - - # Port to connect on, defaults to 389, will be ignored for LDAP URIs. -# port = 389 - - # Administrator account for searching and possibly modifying. - # If using SASL + KRB5 these should be commented out. -# identity = 'cn=admin,dc=example,dc=org' -# password = mypass - - # Unless overridden in another section, the dn from which all - # searches will start from. - base_dn = 'dc=example,dc=org' - - # - # You can run the 'ldapsearch' command line tool using the - # parameters from this module's configuration. - # - # ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}' - # - # That will give you the LDAP information for 'user'. - # - # Group membership can be queried by using the above "ldapsearch" string, - # and adding "memberof" qualifiers. For ActiveDirectory, use: - # - # ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))' - # - # Where 'user' is the user as above, and 'group' is the group you are querying for. - # - - # - # SASL parameters to use for admin binds - # - # When we're prompted by the SASL library, these control - # the responses given, as well as the identity and password - # directives above. 
- # - # If any directive is commented out, a NULL response will be - # provided to cyrus-sasl. - # - # Unfortunately the only way to control Keberos here is through - # environmental variables, as cyrus-sasl provides no API to - # set the krb5 config directly. - # - # Full documentation for MIT krb5 can be found here: - # - # http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html - # - # At a minimum you probably want to set KRB5_CLIENT_KTNAME. - # - sasl { - # SASL mechanism -# mech = 'PLAIN' - - # SASL authorisation identity to proxy. -# proxy = 'autz_id' - - # SASL realm. Used for kerberos. -# realm = 'example.org' - } - - # - # Generic valuepair attribute - # - - # If set, this will attribute will be retrieved in addition to any - # mapped attributes. - # - # Values should be in the format: - # - # - # Where: - # : Is the attribute you wish to create - # with any valid list and request qualifiers. - # : Is any assignment operator (=, :=, +=, -=). - # : Is the value to parse into the new valuepair. - # If the value is wrapped in double quotes it - # will be xlat expanded. -# valuepair_attribute = 'radiusAttribute' - - # - # Mapping of LDAP directory attributes to RADIUS dictionary attributes. - # - - # WARNING: Although this format is almost identical to the unlang - # update section format, it does *NOT* mean that you can use other - # unlang constructs in module configuration files. - # - # Configuration items are in the format: - # - # - # Where: - # : Is the destination RADIUS attribute - # with any valid list and request qualifiers. - # : Is any assignment attribute (=, :=, +=, -=). - # : Is the attribute associated with user or - # profile objects in the LDAP directory. - # If the attribute name is wrapped in double - # quotes it will be xlat expanded. - # - # Request and list qualifiers may also be placed after the 'update' - # section name to set defaults destination requests/lists - # for unqualified RADIUS attributes. 
- # - # Note: LDAP attribute names should be single quoted unless you want - # the name value to be derived from an xlat expansion, or an - # attribute ref. - update { - control:Password-With-Header += 'userPassword' -# control:NT-Password := 'ntPassword' -# reply:Reply-Message := 'radiusReplyMessage' -# reply:Tunnel-Type := 'radiusTunnelType' -# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' -# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId' - - # Where only a list is specified as the RADIUS attribute, - # the value of the LDAP attribute is parsed as a valuepair - # in the same format as the 'valuepair_attribute' (above). - control: += 'radiusControlAttribute' - request: += 'radiusRequestAttribute' - reply: += 'radiusReplyAttribute' - } - - # Set to yes if you have eDirectory and want to use the universal - # password mechanism. -# edir = no - - # Set to yes if you want to bind as the user after retrieving the - # Cleartext-Password. This will consume the login grace, and - # verify user authorization. -# edir_autz = no - - # Note: set_auth_type was removed in v3.x.x - # - # Equivalent functionality can be achieved by adding the - # following "if" statement to the authorize {} section of - # the virtual server, after the "ldap" module. For example: - # - # ... - # ldap - # if ((ok || updated) && User-Password && !control:Auth-Type) { - # update { - # control:Auth-Type := ldap - # } - # } - # ... - # - # You will also need to uncomment the "Auth-Type LDAP" block in the - # "authenticate" section. - # - - # - # Name of the attribute that contains the user DN. - # The default name is LDAP-UserDn. - # - # If you have multiple LDAP instances, you should - # change this configuration item to: - # - # ${.:instance}-LDAP-UserDn - # - # That change allows the modules to set their own - # User DN, and to not conflict with each other. - # - user_dn = "LDAP-UserDn" - - # - # User object identification. 
- # - user { - # Where to start searching in the tree for users - base_dn = "${..base_dn}" - - # Filter for user objects, should be specific enough - # to identify a single user object. - # - # For Active Directory, you should use - # "samaccountname=" instead of "uid=" - # - filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" - - # For Active Directory nested group, you should comment out the previous 'filter = ...' - # and use the below. Where 'group' is the group you are querying for. - # - # NOTE: The string '1.2.840.113556.1.4.1941' specifies LDAP_MATCHING_RULE_IN_CHAIN. - # This applies only to DN attributes. This is an extended match operator that walks - # the chain of ancestry in objects all the way to the root until it finds a match. - # This reveals group nesting. It is available only on domain controllers with - # Windows Server 2003 SP2 or Windows Server 2008 (or above). - # - # See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx - # -# filter = "(&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))" - - # SASL parameters to use for user binds - # - # When we're prompted by the SASL library, these control - # the responses given. - # - # Any of the config items below may be an attribute ref - # or and expansion, so different SASL mechs, proxy IDs - # and realms may be used for different users. - sasl { - # SASL mechanism -# mech = 'PLAIN' - - # SASL authorisation identity to proxy. -# proxy = &User-Name - - # SASL realm. Used for kerberos. -# realm = 'example.org' - } - - # Search scope, may be 'base', 'one', sub' or 'children' -# scope = 'sub' - - # Server side result sorting - # - # A list of space delimited attributes to order the result - # set by, if the filter matches multiple objects. - # Only the first result in the set will be processed. 
- # - # If the attribute name is prefixed with a hyphen '-' the - # sorting order will be reversed for that attribute. - # - # If sort_by is set, and the server does not support sorting - # the search will fail. -# sort_by = '-uid' - - # If this is undefined, anyone is authorised. - # If it is defined, the contents of this attribute - # determine whether or not the user is authorised -# access_attribute = 'dialupAccess' - - # Control whether the presence of 'access_attribute' - # allows access, or denys access. - # - # If 'yes', and the access_attribute is present, or - # 'no' and the access_attribute is absent then access - # will be allowed. - # - # If 'yes', and the access_attribute is absent, or - # 'no' and the access_attribute is present, then - # access will not be allowed. - # - # If the value of the access_attribute is 'false', it - # will negate the result. - # - # e.g. - # access_positive = yes - # access_attribute = userAccessAllowed - # - # With an LDAP object containing: - # userAccessAllowed: false - # - # Will result in the user being locked out. -# access_positive = yes - } - - # - # User membership checking. - # - group { - # Where to start searching in the tree for groups - base_dn = "${..base_dn}" - - # Filter for group objects, should match all available - # group objects a user might be a member of. - # - # If using Active Directory you are likely to need "group" - # instead of "posixGroup". - filter = '(objectClass=posixGroup)' - - # Search scope, may be 'base', 'one', sub' or 'children' -# scope = 'sub' - - # Attribute that uniquely identifies a group. - # Is used when converting group DNs to group - # names. -# name_attribute = cn - - # Filter to find all group objects a user is a member of. - # That is, group objects with attributes that - # identify members (the inverse of membership_attribute). - # - # Note that this configuration references the "user_dn" - # configuration defined above. 
- # -# membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" - - # The attribute, in user objects, which contain the names - # or DNs of groups a user is a member of. - # - # Unless a conversion between group name and group DN is - # needed, there's no requirement for the group objects - # referenced to actually exist. - # - # If the LDAP server does not support the "memberOf" - # attribute (or equivalent), then you will need to use the - # membership_filter option above instead. If you can't see - # the memberOf attribute then it is also possible that the - # LDAP bind user does not have the correct permissions to - # view it. - membership_attribute = 'memberOf' - - # If cacheable_name or cacheable_dn are enabled, - # all group information for the user will be - # retrieved from the directory and written to LDAP-Group - # attributes appropriate for the instance of rlm_ldap. - # - # For group comparisons these attributes will be checked - # instead of querying the LDAP directory directly. - # - # This feature is intended to be used with rlm_cache. - # - # If you wish to use this feature, you should enable - # the type that matches the format of your check items - # i.e. if your groups are specified as DNs then enable - # cacheable_dn else enable cacheable_name. -# cacheable_name = 'no' -# cacheable_dn = 'no' - - # Override the normal cache attribute (-LDAP-Group or - # LDAP-Group if using the default instance) and create a - # custom attribute. This can help if multiple module instances - # are used in fail-over. -# cache_attribute = 'LDAP-Cached-Membership' - - # If the group being checked is specified as a name, but - # the user's groups are referenced by DN, and one of those - # group DNs is invalid, the whole group check is treated as - # invalid, and a negative result will be returned. - # When set to 'yes', this option ignores invalid DN - # references. 
-# allow_dangling_group_ref = 'no' - } - - # - # User profiles. RADIUS profile objects contain sets of attributes - # to insert into the request. These attributes are mapped using - # the same mapping scheme applied to user objects (the update section above). - # - profile { - # Filter for RADIUS profile objects -# filter = '(objectclass=radiusprofile)' - - # The default profile. This may be a DN or an attribute - # reference. - # To get old v2.2.x style behaviour, or to use the - # &User-Profile attribute to specify the default profile, - # set this to &control:User-Profile. -# default = 'cn=radprofile,dc=example,dc=org' - - # The LDAP attribute containing profile DNs to apply - # in addition to the default profile above. These are - # retrieved from the user object, at the same time as the - # attributes from the update section, are are applied - # if authorization is successful. -# attribute = 'radiusProfileDn' - } - - # - # Bulk load clients from the directory - # - client { - # Where to start searching in the tree for clients - base_dn = "${..base_dn}" - - # - # Filter to match client objects - # - filter = '(objectClass=radiusClient)' - - # Search scope, may be 'base', 'one', 'sub' or 'children' -# scope = 'sub' - - # - # Sets default values (not obtained from LDAP) for new client entries - # - template { -# login = 'test' -# password = 'test' -# proto = tcp -# require_message_authenticator = yes - - # Uncomment to add a home_server with the same - # attributes as the client. -# coa_server { -# response_window = 2.0 -# } - } - - # - # Client attribute mappings are in the format: - # = - # - # The following attributes are required: - # * ipaddr | ipv4addr | ipv6addr - Client IP Address. - # * secret - RADIUS shared secret. - # - # All other attributes usually supported in a client - # definition are also supported here. 
- # - # Schemas are available in doc/schemas/ldap for openldap and eDirectory - # - attribute { - ipaddr = 'radiusClientIdentifier' - secret = 'radiusClientSecret' -# shortname = 'radiusClientShortname' -# nas_type = 'radiusClientType' -# virtual_server = 'radiusClientVirtualServer' -# require_message_authenticator = 'radiusClientRequireMa' - } - } - - # Load clients on startup -# read_clients = no - - # - # Modify user object on receiving Accounting-Request - # - - # Useful for recording things like the last time the user logged - # in, or the Acct-Session-ID for CoA/DM. - # - # LDAP modification items are in the format: - # - # - # Where: - # : The LDAP attribute to add modify or delete. - # : One of the assignment operators: - # (:=, +=, -=, ++). - # Note: '=' is *not* supported. - # : The value to add modify or delete. - # - # WARNING: If using the ':=' operator with a multi-valued LDAP - # attribute, all instances of the attribute will be removed and - # replaced with a single attribute. - accounting { - reference = "%{tolower:type.%{Acct-Status-Type}}" - - type { - start { - update { - description := "Online at %S" - } - } - - interim-update { - update { - description := "Last seen at %S" - } - } - - stop { - update { - description := "Offline at %S" - } - } - } - } - - # - # Post-Auth can modify LDAP objects too - # - post-auth { - update { - description := "Authenticated at %S" - } - } - - # - # LDAP connection-specific options. - # - # These options set timeouts, keep-alives, etc. for the connections. - # - options { - # Control under which situations aliases are followed. - # May be one of 'never', 'searching', 'finding' or 'always' - # default: libldap's default which is usually 'never'. - # - # LDAP_OPT_DEREF is set to this value. -# dereference = 'always' - - # - # The following two configuration items control whether the - # server follows references returned by LDAP directory. - # They are mostly for Active Directory compatibility. 
- # If you set these to 'no', then searches will likely return - # 'operations error', instead of a useful result. - # - chase_referrals = yes - rebind = yes - - # SASL Security Properties (see SASL_SECPROPS in ldap.conf man page). - # Note - uncomment when using GSS-API sasl mechanism along with TLS - # encryption against Active-Directory LDAP servers (this disables - # sealing and signing at the GSS level as required by AD). - #sasl_secprops = 'noanonymous,noplain,maxssf=0' - - # Seconds to wait for LDAP query to finish. default: 20 - res_timeout = 10 - - # Seconds LDAP server has to process the query (server-side - # time limit). default: 20 - # - # LDAP_OPT_TIMELIMIT is set to this value. - srv_timelimit = 3 - - # Seconds to wait for response of the server. (network - # failures) default: 10 - # - # LDAP_OPT_NETWORK_TIMEOUT is set to this value. - net_timeout = 1 - - # LDAP_OPT_X_KEEPALIVE_IDLE - idle = 60 - - # LDAP_OPT_X_KEEPALIVE_PROBES - probes = 3 - - # LDAP_OPT_X_KEEPALIVE_INTERVAL - interval = 3 - - # ldap_debug: debug flag for LDAP SDK - # (see OpenLDAP documentation). Set this to enable - # huge amounts of LDAP debugging on the screen. - # You should only use this if you are an LDAP expert. - # - # default: 0x0000 (no debugging messages) - # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) - ldap_debug = 0x0028 - } - - # - # This subsection configures the tls related items - # that control how FreeRADIUS connects to an LDAP - # server. It contains all of the 'tls_*' configuration - # entries used in older versions of FreeRADIUS. Those - # configuration entries can still be used, but we recommend - # using these. - # - tls { - # Set this to 'yes' to use TLS encrypted connections - # to the LDAP database by using the StartTLS extended - # operation. 
- #
- # The StartTLS operation is supposed to be
- # used with normal ldap connections instead of
- # using ldaps (port 636) connections
-# start_tls = yes
-
-# ca_file = ${certdir}/cacert.pem
-
-# ca_path = ${certdir}
-# certificate_file = /path/to/radius.crt
-# private_key_file = /path/to/radius.key
-# random_file = /dev/urandom
-
- # Certificate Verification requirements. Can be:
- # 'never' (do not even bother trying)
- # 'allow' (try, but don't fail if the certificate
- # cannot be verified)
- # 'demand' (fail if the certificate does not verify)
- # 'hard' (similar to 'demand' but fails if TLS
- # cannot negotiate)
- #
- # The default is libldap's default, which varies based
- # on the contents of ldap.conf.
-
-# require_cert = 'demand'
-
- #
- # Minimum TLS version to accept. We STRONGLY recommend
- # setting this to "1.2"
- #
-# tls_min_version = "1.2"
- }
-
- # As of version 3.0, the 'pool' section has replaced the
- # following configuration items:
- #
- # ldap_connections_number
-
- # The connection pool is new for 3.0, and will be used in many
- # modules, for all kinds of connection-related activity.
- #
- # When the server is not threaded, the connection pool
- # limits are ignored, and only one connection is used.
- pool {
- # Connections to create during module instantiation.
- # If the server cannot create specified number of
- # connections during instantiation it will exit.
- # Set to 0 to allow the server to start without the
- # directory being available.
- start = ${thread[pool].start_servers}
-
- # Minimum number of connections to keep open
- min = ${thread[pool].min_spare_servers}
-
- # Maximum number of connections
- #
- # If these connections are all in use and a new one
- # is requested, the request will NOT get a connection.
- #
- # Setting 'max' to LESS than the number of threads means
- # that some threads may starve, and you will see errors
- # like 'No connections available and at max connection limit'
- #
- # Setting 'max' to MORE than the number of threads means
- # that there are more connections than necessary.
- max = ${thread[pool].max_servers}
-
- # Spare connections to be left idle
- #
- # NOTE: Idle connections WILL be closed if "idle_timeout"
- # is set. This should be less than or equal to "max" above.
- spare = ${thread[pool].max_spare_servers}
-
- # Number of uses before the connection is closed
- #
- # 0 means "infinite"
- uses = 0
-
- # The number of seconds to wait after the server tries
- # to open a connection, and fails. During this time,
- # no new connections will be opened.
- retry_delay = 30
-
- # The lifetime (in seconds) of the connection
- lifetime = 0
-
- # Idle timeout (in seconds). A connection which is
- # unused for this length of time will be closed.
- idle_timeout = 60
-
- # NOTE: All configuration settings are enforced. If a
- # connection is closed because of 'idle_timeout',
- # 'uses', or 'lifetime', then the total number of
- # connections MAY fall below 'min'. When that
- # happens, it will open a new connection. It will
- # also log a WARNING message.
- #
- # The solution is to either lower the 'min' connections,
- # or increase lifetime/idle_timeout.
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2ip b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2ip
deleted file mode 100644
index 5d646af..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2ip
+++ /dev/null
@@ -1,25 +0,0 @@
-# -*- text -*-
-#
-# $Id: a4ead1d64e8220344b483718ece4712bef5e9e36 $
-
-######################################################################
-#
-# This next section is a sample configuration for the "passwd"
-# module, that reads flat-text files.
-#
-# The file is in the format ,
-#
-# 00:01:02:03:04:05,192.0.2.100
-# 01:01:02:03:04:05,192.0.2.101
-# 02:01:02:03:04:05,192.0.2.102
-#
-# This lets you perform simple static IP assignments from a flat-text
-# file. You will have to define lease times yourself.
-#
-######################################################################
-
-passwd mac2ip {
- filename = ${modconfdir}/${.:name}/${.:instance}
- format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
- delimiter = ","
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2vlan b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2vlan
deleted file mode 100644
index ee8e4b3..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/mac2vlan
+++ /dev/null
@@ -1,18 +0,0 @@
-# -*- text -*-
-#
-# $Id: a1db803a71cddbb98daeeeda515cff2fc77ea318 $
-
-# A simple file to map a MAC address to a VLAN.
-#
-# The file should be in the format MAC,VLAN
-# the VLAN name cannot have spaces in it, for example:
-#
-# 00:01:02:03:04:05,VLAN1
-# 03:04:05:06:07:08,VLAN2
-# ...
-#
-passwd mac2vlan {
- filename = ${modconfdir}/${.:name}/${.:instance}
- format = "*VMPS-Mac:=VMPS-VLAN-Name"
- delimiter = ","
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/moonshot-targeted-ids b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/moonshot-targeted-ids
deleted file mode 100644
index 4503a56..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/moonshot-targeted-ids
+++ /dev/null
@@ -1,57 +0,0 @@
-# -*- text -*-
-#
-# $Id: 1b27b44b5a2d82e23d67c07ba19f0ef3293960d2 $
-
-#
-# Write Moonshot-*-TargetedId (MSTID) to the database.
-#
-# Schema raddb/mods-config/sql/moonshot-targeted-ids//schema.sql
-# Queries raddb/mods-config/sql/moonshot-targeted-ids//queries.conf
-#
-sql moonshot_tid_sql {
-
- # The dialect of SQL you want to use, this should usually match
- # the driver below.
- #
- # If you're using rlm_sql_null, then it should be the type of
- # database the logged queries are going to be executed against.
- dialect = "sqlite"
-
- # The sub-module to use to execute queries. This should match
- # the database you're attempting to connect to.
- #
- # There are MSTID queries available for:
- # * rlm_sql_mysql
- # * rlm_sql_postgresql
- # * rlm_sql_sqlite
- # * rlm_sql_null (log queries to disk)
- #
- driver = "rlm_sql_${dialect}"
-
- sqlite {
- filename = ${radacctdir}/moonshot-targeted-ids.sqlite
- bootstrap = ${modconfdir}/${..:name}/moonshot-targeted-ids/sqlite/schema.sql
- }
-
- # Write MSTID queries to a logfile. Useful for debugging.
-# logfile = ${logdir}/moonshot-targeted-id-log.sql
-
- pool {
- start = 5
- min = 4
- max = 10
- spare = 3
- uses = 0
- lifetime = 0
- idle_timeout = 60
- }
-
- # If you adjust the table name here, you must also modify the table name in
- # the moonshot_get_targeted_id.post-auth policy in policy.d/moonshot-targeted-ids
- # and the schema.sql files in the mods-config/sql/moonshot-targeted-ids tree.
- #
- moonshot_tid_table = "moonshot_targeted_ids"
- sql_user_name = "%{User-Name}"
-
- $INCLUDE ${modconfdir}/${.:name}/moonshot-targeted-ids/${dialect}/queries.conf
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/opendirectory b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/opendirectory
deleted file mode 100644
index 4bd6a18..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/opendirectory
+++ /dev/null
@@ -1,26 +0,0 @@
-# -*- text -*-
-#
-# $Id: 443d74dc08f19ddb59ea342f756c90066623e1c6 $
-
-# This module is only used when the server is running on the same
-# system as OpenDirectory. The configuration of the module is hard-coded
-# by Apple, and cannot be changed here.
-#
-# There are no configuration entries for this module.
-#
-# The MS-CHAP module will automatically talk to OpenDirectory, if the
-# server is built on an OSX machine. However, you must also set
-# dsAttrTypeNative:apple-enabled-auth-mech attribute in the
-# /config/dirserv OpenDirectory record. You will probably also need
-# to change the user passwords in order to re-generate the
-# appropriate hashes.
-#
-# Complete OSX configuration information is available on Apple's web site:
-#
-# https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf
-#
-# See also https://discussions.apple.com/thread/6053980?tstart=0
-#
-opendirectory {
-
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/otp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/otp
deleted file mode 100644
index aa5c612..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/otp
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Configuration for the OTP module.
-#
-
-# This module allows you to use various handheld OTP tokens
-# for authentication (Auth-Type := otp). These tokens are
-# available from various vendors.
-#
-# It works in conjunction with otpd, which implements token
-# management and OTP verification functions; and lsmd or gsmd,
-# which implements synchronous state management functions.
-
-# You must list this module in BOTH the authorize and authenticate
-# sections in order to use it.
-otp {
- # otpd rendezvous point.
- # (default: /var/run/otpd/socket)
- #otpd_rp = /var/run/otpd/socket
-
- # Text to use for the challenge.
- # Default "Challenge: %{reply:OTP-Challenge}\n Response: "
-
- challenge_prompt = "Challenge: %{reply:OTP-Challenge} \n Response: "
-
- # Length of the challenge. Most tokens probably support a
- # max of 8 digits. (range: 5-32 digits, default 6)
- #challenge_length = 6
-
- # Maximum time, in seconds, that a challenge is valid.
- # (The user must respond to a challenge within this time.)
- # It is also the minimal time between consecutive async mode
- # authentications, a necessary restriction due to an inherent
- # weakness of the RADIUS protocol which allows replay attacks.
- # (default: 30)
- #challenge_delay = 30
-
- # Whether or not to allow asynchronous ("pure" challenge/
- # response) mode authentication. Since sync mode is much more
- # usable, and all reasonable tokens support it, the typical
- # use of async mode is to allow re-sync of event based tokens.
- # But because of the vulnerability of async mode with some tokens,
- # you probably want to disable this and require that out-of-sync
- # users re-sync from specifically secured terminals.
- # See the otpd docs for more info.
- # (default: no)
- #allow_async = no
-
- # Whether or not to allow synchronous mode authentication.
- # When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
- # that if your OTP users can authenticate to multiple RADIUS
- # servers, this must be "yes" for the primary/default server,
- # and "no" for the others. This is because lsmd does not
- # share state information across multiple servers. Using "yes"
- # on all your RADIUS servers would allow replay attacks!
- # Also, for event based tokens, the user will be out of sync
- # on the "other" servers. In order to use "yes" on all your
- # servers, you must either use gsmd, which synchronises state
- # globally, or implement your own state synchronisation method.
- # (default: yes)
- #allow_sync = yes
-
- # If both allow_async and allow_sync are "yes", a challenge is
- # always presented to the user. This is incompatible with NAS
- # that can't present or don't handle Access-Challenge's, e.g.
- # PPTP servers. Even though a challenge is presented, the user
- # can still enter their synchronous passcode.
-
- # The following are MPPE settings. Note that MS-CHAP (v1) is
- # strongly discouraged. All possible values are listed as
- # {value = meaning}. Default values are first.
- #mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
- #mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
- #mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
- #mschap_mppe_bits = {2 = 128}
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pam b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pam
deleted file mode 100644
index a31dfda..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/pam
+++ /dev/null
@@ -1,26 +0,0 @@
-# -*- text -*-
-#
-# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
-
-
-# Pluggable Authentication Modules
-#
-# For Linux, see:
-# http://www.kernel.org/pub/linux/libs/pam/index.html
-#
-# WARNING: On many systems, the system PAM libraries have
-# memory leaks! We STRONGLY SUGGEST that you do not
-# use PAM for authentication, due to those memory leaks.
-#
-pam {
- #
- # The name to use for PAM authentication.
- # PAM looks in /etc/pam.d/${pam_auth_name}
- # for it's configuration. See 'redhat/radiusd-pam'
- # for a sample PAM configuration file.
- #
- # Note that any Pam-Auth attribute set in the 'authorize'
- # section will over-ride this one.
- #
- pam_auth = radiusd
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/perl b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/perl
deleted file mode 100644
index d3b0c99..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/perl
+++ /dev/null
@@ -1,94 +0,0 @@
-# -*- text -*-
-#
-# $Id: fa04cdabb71767050aaa0664da792fd6086adb19 $
-
-# Persistent, embedded Perl interpreter.
-#
-perl {
- #
- # The Perl script to execute on authorize, authenticate,
- # accounting, xlat, etc. This is very similar to using
- # 'rlm_exec' module, but it is persistent, and therefore
- # faster.
- #
- filename = ${modconfdir}/${.:instance}/example.pl
-
- #
- # Options which are passed to the Perl interpreter.
- # These are (mostly) the same options as are passed
- # to the "perl" command line.
- #
- # The most useful flag is "-T". This sets tainting on. And
- # as of 3.0.18, makes it impossible to leverage bad
- # User-Names into local command execution.
- #
- perl_flags = "-T"
-
- #
- # The following hashes are given to the module and
- # filled with value-pairs (Attribute names and values)
- #
- # %RAD_CHECK Check items
- # %RAD_REQUEST Attributes from the request
- # %RAD_REPLY Attributes for the reply
- # %RAD_REQUEST_PROXY Attributes from the proxied request
- # %RAD_REQUEST_PROXY_REPLY Attributes from the proxy reply
- #
- # The interface between FreeRADIUS and Perl is strings.
- # That is, attributes of type "octets" are converted to
- # printable strings, such as "0xabcdef". If you want to
- # access the binary values of the attributes, you should
- # call the Perl "pack" function. Then to send any binary
- # data back to FreeRADIUS, call the Perl "unpack" function,
- # so that the contents of the hashes are printable strings.
- #
- # IP addresses are sent as strings, e.g. "192.0.2.25", and
- # not as a 4-byte binary value. The same applies to other
- # attribute data types.
- #
- # Attributes of type "string" are copied to Perl as-is.
- # They are not escaped or interpreted.
- #
- # The return codes from functions in the perl_script
- # are passed directly back to the server. These
- # codes are defined in mods-config/example.pl
- #
-
- # You can define configuration items (and nested sub-sections) in perl "config" section.
- # These items will be accessible in the perl script through %RAD_PERLCONF hash.
- # For instance: $RAD_PERLCONF{'name'} $RAD_PERLCONF{'sub-config'}->{'name'}
- #
- #config {
- # name = "value"
- # sub-config {
- # name = "value of name from config.sub-config"
- # }
- #}
-
- #
- # List of functions in the module to call.
- # Uncomment and change if you want to use function
- # names other than the defaults.
- #
- #func_authenticate = authenticate
- #func_authorize = authorize
- #func_preacct = preacct
- #func_accounting = accounting
- #func_checksimul = checksimul
- #func_pre_proxy = pre_proxy
- #func_post_proxy = post_proxy
- #func_post_auth = post_auth
- #func_recv_coa = recv_coa
- #func_send_coa = send_coa
- #func_xlat = xlat
- #func_detach = detach
-
- #
- # Uncomment the following lines if you wish
- # to use separate functions for Start and Stop
- # accounting packets. In that case, the
- # func_accounting function is not called.
- #
- #func_start_accounting = accounting_start
- #func_stop_accounting = accounting_stop
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python
deleted file mode 100644
index 371a56d..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# Make sure the PYTHONPATH environmental variable contains the
-# directory(s) for the modules listed below.
-#
-# Uncomment any func_* which are included in your module. If
-# rlm_python is called for a section which does not have
-# a function defined, it will return NOOP.
-#
-python {
- # Path to the python modules
- #
- # Note that due to limitations on Python, this configuration
- # item is GLOBAL TO THE SERVER. That is, you cannot have two
- # instances of the python module, each with a different path.
- #
-# python_path="${modconfdir}/${.:name}:/path/to/python/files:/another_path/to/python_files/"
-
- module = example
-
- # Pass all VPS lists as a 6-tuple to the callbacks
- # (request, reply, config, state, proxy_req, proxy_reply)
-# pass_all_vps = no
-
- # Pass all VPS lists as a dictionary to the callbacks
- # Keys: "request", "reply", "config", "session-state", "proxy-request",
- # "proxy-reply"
- # This option prevales over "pass_all_vps"
-# pass_all_vps_dict = no
-
-# mod_instantiate = ${.module}
-# func_instantiate = instantiate
-
-# mod_detach = ${.module}
-# func_detach = detach
-
-# mod_authorize = ${.module}
-# func_authorize = authorize
-
-# mod_authenticate = ${.module}
-# func_authenticate = authenticate
-
-# mod_preacct = ${.module}
-# func_preacct = preacct
-
-# mod_accounting = ${.module}
-# func_accounting = accounting
-
-# mod_checksimul = ${.module}
-# func_checksimul = checksimul
-
-# mod_pre_proxy = ${.module}
-# func_pre_proxy = pre_proxy
-
-# mod_post_proxy = ${.module}
-# func_post_proxy = post_proxy
-
-# mod_post_auth = ${.module}
-# func_post_auth = post_auth
-
-# mod_recv_coa = ${.module}
-# func_recv_coa = recv_coa
-
-# mod_send_coa = ${.module}
-# func_send_coa = send_coa
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python3 b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python3
deleted file mode 100644
index f0e0424..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/python3
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# Make sure the PYTHONPATH environmental variable contains the
-# directory(s) for the modules listed below.
-#
-# Uncomment any func_* which are included in your module. If
-# rlm_python is called for a section which does not have
-# a function defined, it will return NOOP.
-#
-python3 {
- # Path to the python modules
- #
- # Note that due to limitations on Python, this configuration
- # item is GLOBAL TO THE SERVER. That is, you cannot have two
- # instances of the python module, each with a different path.
- #
-# python_path="${modconfdir}/${.:name}:/another_path/to/python_files"
-
- module = example
-
- # Pass all VPS lists as a 6-tuple to the callbacks
- # (request, reply, config, state, proxy_req, proxy_reply)
-# pass_all_vps = no
-
- # Pass all VPS lists as a dictionary to the callbacks
- # Keys: "request", "reply", "config", "session-state", "proxy-request",
- # "proxy-reply"
- # This option prevales over "pass_all_vps"
-# pass_all_vps_dict = no
-
-# mod_instantiate = ${.module}
-# func_instantiate = instantiate
-
-# mod_detach = ${.module}
-# func_detach = detach
-
-# mod_authorize = ${.module}
-# func_authorize = authorize
-
-# mod_authenticate = ${.module}
-# func_authenticate = authenticate
-
-# mod_preacct = ${.module}
-# func_preacct = preacct
-
-# mod_accounting = ${.module}
-# func_accounting = accounting
-
-# mod_checksimul = ${.module}
-# func_checksimul = checksimul
-
-# mod_pre_proxy = ${.module}
-# func_pre_proxy = pre_proxy
-
-# mod_post_proxy = ${.module}
-# func_post_proxy = post_proxy
-
-# mod_post_auth = ${.module}
-# func_post_auth = post_auth
-
-# mod_recv_coa = ${.module}
-# func_recv_coa = recv_coa
-
-# mod_send_coa = ${.module}
-# func_send_coa = send_coa
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/redis b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/redis
deleted file mode 100644
index 0b28c57..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/redis
+++ /dev/null
@@ -1,99 +0,0 @@
-# -*- text -*-
-#
-# $Id: 64789f58a7f937b7b9f4c7ff783153fb5194ba25 $
-
-#
-# Configuration file for the "redis" module. This module does nothing
-# Other than provide connections to a redis database, and a %{redis: ...}
-# expansion.
-#
-redis {
- # Host where the redis server is located.
- # We recommend using ONLY 127.0.0.1 !
- server = 127.0.0.1
-
- # Select the Redis logical database having the specified zero-based numeric index.
-# database = 0
-
- # The default port.
- port = 6379
-
- # The password used to authenticate to the server.
- # We recommend using a strong password.
-# password = thisisreallysecretandhardtoguess
-
- # Set connection and query timeout for rlm_redis
- query_timeout = 5
-
- #
- # Information for the connection pool. The configuration items
- # below are the same for all modules which use the new
- # connection pool.
- #
- pool {
- # Connections to create during module instantiation.
- # If the server cannot create specified number of
- # connections during instantiation it will exit.
- # Set to 0 to allow the server to start without the
- # web service being available.
- start = ${thread[pool].start_servers}
-
- # Minimum number of connections to keep open
- min = ${thread[pool].min_spare_servers}
-
- # Maximum number of connections
- #
- # If these connections are all in use and a new one
- # is requested, the request will NOT get a connection.
- #
- # Setting 'max' to LESS than the number of threads means
- # that some threads may starve, and you will see errors
- # like 'No connections available and at max connection limit'
- #
- # Setting 'max' to MORE than the number of threads means
- # that there are more connections than necessary.
- max = ${thread[pool].max_servers}
-
- # Spare connections to be left idle
- #
- # NOTE: Idle connections WILL be closed if "idle_timeout"
- # is set. This should be less than or equal to "max" above.
- spare = ${thread[pool].max_spare_servers}
-
- # Number of uses before the connection is closed
- #
- # 0 means "infinite"
- uses = 0
-
- # The number of seconds to wait after the server tries
- # to open a connection, and fails. During this time,
- # no new connections will be opened.
- retry_delay = 30
-
- # The lifetime (in seconds) of the connection
- #
- # NOTE: A setting of 0 means infinite (no limit).
- lifetime = 86400
-
- # The pool is checked for free connections every
- # "cleanup_interval". If there are free connections,
- # then one of them is closed.
- cleanup_interval = 300
-
- # The idle timeout (in seconds). A connection which is
- # unused for this length of time will be closed.
- #
- # NOTE: A setting of 0 means infinite (no timeout).
- idle_timeout = 600
-
- # NOTE: All configuration settings are enforced. If a
- # connection is closed because of "idle_timeout",
- # "uses", or "lifetime", then the total number of
- # connections MAY fall below "min". When that
- # happens, it will open a new connection. It will
- # also log a WARNING message.
- #
- # The solution is to either lower the "min" connections,
- # or increase lifetime/idle_timeout.
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rediswho b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rediswho
deleted file mode 100644
index 5f835e8..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rediswho
+++ /dev/null
@@ -1,52 +0,0 @@
-# -*- text -*-
-#
-# $Id: d303550fa48460f9583c051795ad7f179fcbd36b $
-
-#
-# Configuration file for the "rediswho" module.
-#
-# This module tracks the last set of login sessions for a user.
-#
-rediswho {
- # REDIS instance to use (from mods-available/redis)
- #
- # If you have multiple redis instances, such as "redis redis1 {...}",
- # use the *instance* name here: redis1.
-# redis_module_instance = redis
-
- # How many sessions to keep track of per user.
- # If there are more than this number, older sessions are deleted.
- trim_count = 15
-
- # Expiry time in seconds. Any sessions which have not received
- # an update in this time will be automatically expired.
- expire_time = 86400
-
- #
- # Each subsection contains insert / trim / expire queries.
- # The subsections are named after the contents of the
- # Acct-Status-Type attribute. See dictionary.rfc2866 for names
- # of the various Acct-Status-Type values, or look at the output
- # of debug mode.
- #
- # This module supports *any* Acct-Status-Type. Just add a subsection
- # of the appropriate name, along with insert / trim / expire queries.
- #
- Start {
- insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
- trim = "LTRIM %{User-Name} 0 ${..trim_count}"
- expire = "EXPIRE %{User-Name} ${..expire_time}"
- }
-
- Interim-Update {
- insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
- trim = "LTRIM %{User-Name} 0 ${..trim_count}"
- expire = "EXPIRE %{User-Name} ${..expire_time}"
- }
-
- Stop {
- insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
- trim = "LTRIM %{User-Name} 0 ${..trim_count}"
- expire = "EXPIRE %{User-Name} ${..expire_time}"
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rest b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rest
deleted file mode 100644
index ac163f0..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/rest
+++ /dev/null
@@ -1,290 +0,0 @@
-rest {
- #
- # This subsection configures the tls related items
- # that control how FreeRADIUS connects to a HTTPS
- # server.
- #
- tls {
- # Certificate Authorities:
- # "ca_file" (libcurl option CURLOPT_ISSUERCERT).
- # File containing a single CA, which is the issuer of the server
- # certificate.
- # "ca_info_file" (libcurl option CURLOPT_CAINFO).
- # File containing a bundle of certificates, which allow to handle
- # certificate chain validation.
- # "ca_path" (libcurl option CURLOPT_CAPATH).
- # Directory holding CA certificates to verify the peer with.
-# ca_file = ${certdir}/cacert.pem
-# ca_info_file = ${certdir}/cacert_bundle.pem
-# ca_path = ${certdir}
-
-# certificate_file = /path/to/radius.crt
-# private_key_file = /path/to/radius.key
-# private_key_password = "supersecret"
-# random_file = /dev/urandom
-
- # Server certificate verification requirements. Can be:
- # "no" (don't even bother trying)
- # "yes" (verify the cert was issued by one of the
- # trusted CAs)
- #
- # The default is "yes"
-# check_cert = yes
-
- # Server certificate CN verification requirements. Can be:
- # "no" (don't even bother trying)
- # "yes" (verify the CN in the certificate matches the host
- # in the URI)
- #
- # The default is "yes"
-# check_cert_cn = yes
- }
-
- # rlm_rest will open a connection to the server specified in connect_uri
- # to populate the connection cache, ready for the first request.
- # The server will not start if the server specified is unreachable.
- #
- # If you wish to disable this pre-caching and reachability check,
- # comment out the configuration item below.
- connect_uri = "http://127.0.0.1/"
-
- #
- # How long before new connection attempts timeout, defaults to 4.0 seconds.
- #
-# connect_timeout = 4.0
-
- #
- # Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto',
- # '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
- #
-# http_negotiation = 1.1
-
- #
- # The following config items can be used in each of the sections.
- # The sections themselves reflect the sections in the server.
- # For example if you list rest in the authorize section of a virtual server,
- # the settings from the authorize section here will be used.
- #
- # The following config items may be listed in any of the sections:
- # uri - to send the request to.
- # method - HTTP method to use, one of 'get', 'post', 'put', 'patch',
- # 'delete' or any custom HTTP method.
- # body - The format of the HTTP body sent to the remote server.
- # May be 'none', 'post' or 'json', defaults to 'none'.
- # attr_num - If true, the attribute number is supplied for each attribute.
- # Defaults to false.
- # raw_value - If true, enumerated attribute values are provided as numeric
- # values. Defaults to false.
- # data - Send custom freeform data in the HTTP body. Content-type
- # may be specified with 'body'. Will be expanded.
- # Values from expansion will not be escaped, this should be
- # done using the appropriate xlat method e.g. %{urlencode:}.
- # force_to - Force the response to be decoded with this decoder.
- # May be 'plain' (creates reply:REST-HTTP-Body), 'post'
- # or 'json'.
- # tls - TLS settings for HTTPS.
- # auth - HTTP auth method to use, one of 'none', 'srp', 'basic',
- # 'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
- # 'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
- # username - User to authenticate as, will be expanded.
- # password - Password to use for authentication, will be expanded.
- # require_auth - Require HTTP authentication.
- # timeout - HTTP request timeout in seconds, defaults to 4.0.
- # chunk - Chunk size to use. If set, HTTP chunked encoding is used to
- # send data to the REST server. Make sure that this is large
- # enough to fit your largest attribute value's text
- #  representation.
- # A number like 8192 is good.
- #
- # Additional HTTP headers may be specified with control:REST-HTTP-Header.
- # The values of those attributes should be in the format:
- #
- # control:REST-HTTP-Header := ": "
- #
- # The control:REST-HTTP-Header attributes will be consumed
- # (i.e. deleted) after each call to the rest module, and each
- # %{rest:} expansion. This is so that headers from one REST
- # call do not affect headers from a different REST call.
- #
- # Body encodings are the same for requests and responses
- #
- # POST - All attributes and values are urlencoded
- # [outer.][:]=&[outer.][:]=
- #
- # JSON - All attributes and values are escaped according to the JSON specification
- # - attribute Name of the attribute.
- # - attr_num Number of the attribute. Only available if the configuration item
- # 'attr_num' is enabled.
- # - type Type of the attribute (e.g. "integer", "string", "ipaddr", "octets", ...).
- # - value Attribute value, for enumerated attributes the human readable value is
- # provided and not the numeric value (Depends on the 'raw_value' config item).
- # {
- # "":{
- # "attr_num":,
- # "type":"",
- # "value":[,,]
- # },
- # "":{
- # "attr_num":,
- # "type":"",
- # "value":[...]
- # },
- # "":{
- # "attr_num":,
- # "type":"",
- # "value":[...]
- # },
- # }
- #
- # The response format adds three optional fields:
- # - do_xlat If true, any values will be xlat expanded. Defaults to true.
- # - is_json If true, any nested JSON data will be copied to the attribute
- # in string form. Defaults to true.
- # - op Controls how the attribute is inserted into the target list.
- # Defaults to ':='. To create multiple attributes from multiple
- # values, this should be set to '+=', otherwise only the last
- # value will be used, and it will be assigned to a single
- # attribute.
- # {
- # "":{
- # "is_json":,
- # "do_xlat":,
- # "op":"",
- # "value":[,,]
- # },
- # "":"value",
- # "":{
- # "value":[,,],
- # "op":"+="
- # }
- # }
-
- #
- # Module return codes are determined by HTTP response codes. These vary depending on the
- # section.
- #
- # If the body is processed and found to be malformed or unsupported fail will be returned.
- # If the body is processed and found to contain attribute updated will be returned,
- # except in the case of a 401 code.
- #
-
- # Authorize/Authenticate
- #
- # Code Meaning Process body Module code
- # 404 not found no notfound
- # 410 gone no notfound
- # 403 forbidden no userlock
- # 401 unauthorized yes reject
- # 204 no content no ok
- # 2xx successful yes ok/updated
- # 5xx server error no fail
- # xxx - no invalid
- #
- # The status code is held in %{reply:REST-HTTP-Status-Code}.
- #
- authorize {
- uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize"
- method = 'get'
- tls = ${..tls}
- }
- authenticate {
- uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate"
- method = 'get'
- tls = ${..tls}
- }
-
- # Preacct/Accounting/Post-auth/Pre-Proxy/Post-Proxy
- #
- # Code Meaning Process body Module code
- # 204 no content no ok
- # 2xx successful yes ok/updated
- # 5xx server error no fail
- # xxx - no invalid
- preacct {
- uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=preacct"
- method = 'post'
- tls = ${..tls}
- }
- accounting {
- uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=accounting"
- method = 'post'
- tls = ${..tls}
- }
- post-auth {
- uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
- method = 'post'
- tls = ${..tls}
- }
- pre-proxy {
- uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=pre-proxy"
- method = 'post'
- tls = ${..tls}
- }
- post-proxy {
- uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-proxy"
- method = 'post'
- tls = ${..tls}
- }
-
- #
- # The connection pool is new for 3.0, and will be used in many
- # modules, for all kinds of connection-related activity.
- #
- pool {
- # Connections to create during module instantiation.
- # If the server cannot create specified number of
- # connections during instantiation it will exit.
- # Set to 0 to allow the server to start without the
- # web service being available.
- start = ${thread[pool].start_servers}
-
- # Minimum number of connections to keep open
- min = ${thread[pool].min_spare_servers}
-
- # Maximum number of connections
- #
- # If these connections are all in use and a new one
- # is requested, the request will NOT get a connection.
- #
- # Setting 'max' to LESS than the number of threads means
- # that some threads may starve, and you will see errors
- # like 'No connections available and at max connection limit'
- #
- # Setting 'max' to MORE than the number of threads means
- # that there are more connections than necessary.
- max = ${thread[pool].max_servers}
-
- # Spare connections to be left idle
- #
- # NOTE: Idle connections WILL be closed if "idle_timeout"
- # is set. This should be less than or equal to "max" above.
- spare = ${thread[pool].max_spare_servers}
-
- # Number of uses before the connection is closed
- #
- # 0 means "infinite"
- uses = 0
-
- # The number of seconds to wait after the server tries
- # to open a connection, and fails. During this time,
- # no new connections will be opened.
- retry_delay = 30
-
- # The lifetime (in seconds) of the connection
- lifetime = 0
-
- # idle timeout (in seconds). A connection which is
- # unused for this length of time will be closed.
- idle_timeout = 60
-
- # NOTE: All configuration settings are enforced. If a
- # connection is closed because of "idle_timeout",
- # "uses", or "lifetime", then the total number of
- # connections MAY fall below "min". When that
- # happens, it will open a new connection. It will
- # also log a WARNING message.
- #
- # The solution is to either lower the "min" connections,
- # or increase lifetime/idle_timeout.
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smbpasswd b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smbpasswd
deleted file mode 100644
index de400ee..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smbpasswd
+++ /dev/null
@@ -1,16 +0,0 @@
-# -*- text -*-
-#
-# $Id: d5ad2a06c767f07722dc9b9c4b13d00c26b5a280 $
-
-# An example configuration for using /etc/smbpasswd.
-#
-# See the "passwd" file for documentation on the configuration items
-# for this module.
-#
-passwd smbpasswd {
- filename = /etc/smbpasswd
- format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
- hash_size = 100
- ignore_nislike = no
- allow_multiple_keys = no
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smsotp b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smsotp
deleted file mode 100644
index 876931c..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/smsotp
+++ /dev/null
@@ -1,94 +0,0 @@
-# -*- text -*-
-#
-# $Id: 3be32b85f56a84725fe1a6bf508e459dbe6c4e02 $
-
-# SMS One-time Password system.
-#
-# This module will extend FreeRadius with a socks interface to create and
-# validate One-Time-Passwords. The program for that creates the socket
-# and interacts with this module is not included here.
-#
-# The module does not check the User-Password, this should be done with
-# the "pap" module. See the example below.
-#
-# The module must be used in the "authorize" section to set
-# Auth-Type properly. The first time through, the module is called
-# in the "authenticate" section to authenticate the user password, and
-# to send the challenge. The second time through, it authenticates
-# the response to the challenge. e.g.:
-#
-# authorize {
-# ...
-# smsotp
-# ...
-# }
-#
-# authenticate {
-# ...
-# Auth-Type smsotp {
-# pap
-# smsotp
-# }
-#
-# Auth-Type smsotp-reply {
-# smsotp
-# }
-# ...
-# }
-#
-smsotp {
- # The location of the socket.
- socket = "/var/run/smsotp_socket"
-
- # Defines the challenge message that will be send to the
- # NAS. Default is "Enter Mobile PIN" }
- challenge_message = "Enter Mobile PIN:"
-
- # Defines the Auth-Type section that is run for the response to
- # the challenge. Default is "smsotp-reply".
- challenge_type = "smsotp-reply"
-
- # Control how many sockets are used to talk to the SMSOTPd
- #
- pool {
- # Number of connections to start
- start = 5
-
- # Minimum number of connections to keep open
- min = 4
-
- # Maximum number of connections
- #
- # If these connections are all in use and a new one
- # is requested, the request will NOT get a connection.
- max = 10
-
- # Spare connections to be left idle
- #
- # NOTE: Idle connections WILL be closed if "idle_timeout"
- # is set.
- spare = 3
-
- # Number of uses before the connection is closed
- #
- # 0 means "infinite"
- uses = 0
-
- # The lifetime (in seconds) of the connection
- lifetime = 0
-
- # idle timeout (in seconds). A connection which is
- # unused for this length of time will be closed.
- idle_timeout = 60
-
- # NOTE: All configuration settings are enforced. If a
- # connection is closed because of "idle_timeout",
- # "uses", or "lifetime", then the total number of
- # connections MAY fall below "min". When that
- # happens, it will open a new connection. It will
- # also log a WARNING message.
- #
- # The solution is to either lower the "min" connections,
- # or increase lifetime/idle_timeout.
- }
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sometimes b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sometimes
deleted file mode 100644
index 094426d..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sometimes
+++ /dev/null
@@ -1,12 +0,0 @@
-# -*- text -*-
-#
-# $Id: 3a96622cc938f558b023e1110769a46861716a12 $
-
-#
-# The "sometimes" module is here for debugging purposes. Each instance
-# randomly returns the configured result, or "noop".
-#
-# It is based on the "always" module.
-sometimes {
- rcode = fail
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql
deleted file mode 100644
index 341cdf3..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql
+++ /dev/null
@@ -1,366 +0,0 @@
-# -*- text -*-
-##
-## mods-available/sql -- SQL modules
-##
-## $Id: cfeac63ea87c30fead8457af6d10f5c3a0f48aef $
-
-######################################################################
-#
-# Configuration for the SQL module
-#
-# The database schemas and queries are located in subdirectories:
-#
-# sql//main/schema.sql Schema
-# sql//main/queries.conf Authorisation and Accounting queries
-#
-# Where "DB" is mysql, mssql, oracle, or postgresql.
-#
-# The name used to query SQL is sql_user_name, which is set in the file
-#
-# raddb/mods-config/sql/main/${dialect}/queries.conf
-#
-# If you are using realms, that configuration should be changed to use
-# the Stripped-User-Name attribute. See the comments around sql_user_name
-# for more information.
-#
-
-sql {
- #
- # The dialect of SQL being used.
- #
- # Allowed dialects are:
- #
- # mssql
- # mysql
- # oracle
- # postgresql
- # sqlite
- # mongo
- #
- dialect = "sqlite"
-
- #
- # The driver module used to execute the queries. Since we
- # don't know which SQL drivers are being used, the default is
- # "rlm_sql_null", which just logs the queries to disk via the
- # "logfile" directive, below.
- #
- # In order to talk to a real database, delete the next line,
- # and uncomment the one after it.
- #
- # If the dialect is "mssql", then the driver should be set to
- # one of the following values, depending on your system:
- #
- # rlm_sql_db2
- # rlm_sql_firebird
- # rlm_sql_freetds
- # rlm_sql_iodbc
- # rlm_sql_unixodbc
- #
- driver = "rlm_sql_null"
-# driver = "rlm_sql_${dialect}"
-
- #
- # Driver-specific subsections. They will only be loaded and
- # used if "driver" is something other than "rlm_sql_null".
- # When a real driver is used, the relevant driver
- # configuration section is loaded, and all other driver
- # configuration sections are ignored.
- #
- sqlite {
- # Path to the sqlite database
- filename = "/tmp/freeradius.db"
-
- # How long to wait for write locks on the database to be
- # released (in ms) before giving up.
- busy_timeout = 200
-
- # If the file above does not exist and bootstrap is set
- # a new database file will be created, and the SQL statements
- # contained within the bootstrap file will be executed.
- bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
- }
-
- mysql {
- # If any of the files below are set, TLS encryption is enabled
- tls {
- ca_file = "/etc/ssl/certs/my_ca.crt"
- ca_path = "/etc/ssl/certs/"
- certificate_file = "/etc/ssl/certs/private/client.crt"
- private_key_file = "/etc/ssl/certs/private/client.key"
- cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
-
- tls_required = yes
- tls_check_cert = no
- tls_check_cert_cn = no
- }
-
- # If yes, (or auto and libmysqlclient reports warnings are
- # available), will retrieve and log additional warnings from
- # the server if an error has occured. Defaults to 'auto'
- warnings = auto
- }
-
- postgresql {
-
- # unlike MySQL, which has a tls{} connection configuration, postgresql
- # uses its connection parameters - see the radius_db option below in
- # this file
-
- # Send application_name to the postgres server
- # Only supported in PG 9.0 and greater. Defaults to no.
- send_application_name = yes
- }
-
- #
- # Configuration for Mongo.
- #
- # Note that the Mongo driver is experimental. The FreeRADIUS developers
- # are unable to help with the syntax of the Mongo queries. Please see
- # the Mongo documentation for that syntax.
- #
- # The Mongo driver supports only the following methods:
- #
- # aggregate
- # findAndModify
- # findOne
- # insert
- #
- # For examples, see the query files:
- #
- # raddb/mods-config/sql/main/mongo/queries.conf
- # raddb/mods-config/sql/main/ippool/queries.conf
- #
- # In order to use findAndModify with an aggretation pipleline, make
- # sure that you are running MongoDB version 4.2 or greater. FreeRADIUS
- # assumes that the paramaters passed to the methods are supported by the
- # version of MongoDB which it is connected to.
- #
- mongo {
- #
- # The application name to use.
- #
- appname = "freeradius"
-
- #
- # The TLS parameters here map directly to the Mongo TLS configuration
- #
- tls {
- certificate_file = /path/to/file
- certificate_password = "password"
- ca_file = /path/to/file
- ca_dir = /path/to/directory
- crl_file = /path/to/file
- weak_cert_validation = false
- allow_invalid_hostname = false
- }
- }
-
- # Connection info:
- #
-# server = "localhost"
-# port = 3306
-# login = "radius"
-# password = "radpass"
-
- # Connection info for Mongo
- # Authentication Without SSL
- # server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=false"
-
- # Authentication With SSL
- # server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=true"
-
- # Authentication with Certificate
- # Use this command for retrieve Derived username:
- # openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253
- # server = mongodb://@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509
-
- # Database table configuration for everything except Oracle
- radius_db = "radius"
-
- # If you are using Oracle then use this instead
-# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
-
- # If you're using postgresql this can also be used instead of the connection info parameters
-# radius_db = "dbname=radius host=localhost user=radius password=raddpass"
-
- # Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
- # use SSL connections then use this form of connection info parameter
-# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"
-
- # If you want both stop and start records logged to the
- # same SQL table, leave this as is. If you want them in
- # different tables, put the start table in acct_table1
- # and stop table in acct_table2
- acct_table1 = "radacct"
- acct_table2 = "radacct"
-
- # Allow for storing data after authentication
- postauth_table = "radpostauth"
-
- # Tables containing 'check' items
- authcheck_table = "radcheck"
- groupcheck_table = "radgroupcheck"
-
- # Tables containing 'reply' items
- authreply_table = "radreply"
- groupreply_table = "radgroupreply"
-
- # Table to keep group info
- usergroup_table = "radusergroup"
-
- # If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
- # If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
-# read_groups = yes
-
- # If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
- # If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
-# read_profiles = yes
-
- # Remove stale session if checkrad does not see a double login
- delete_stale_sessions = yes
-
- # Write SQL queries to a logfile. This is potentially useful for tracing
- # issues with authorization queries. See also "logfile" directives in
- # mods-config/sql/main/*/queries.conf. You can enable per-section logging
- # by enabling "logfile" there, or global logging by enabling "logfile" here.
- #
- # Per-section logging can be disabled by setting "logfile = ''"
-# logfile = ${logdir}/sqllog.sql
-
- # Set the maximum query duration and connection timeout
- # for rlm_sql_mysql.
-# query_timeout = 5
-
- # As of version 3.0, the "pool" section has replaced the
- # following configuration items:
- #
- # num_sql_socks
- # connect_failure_retry_delay
- # lifetime
- # max_queries
-
- #
- # The connection pool is new for 3.0, and will be used in many
- # modules, for all kinds of connection-related activity.
- #
- # When the server is not threaded, the connection pool
- # limits are ignored, and only one connection is used.
- #
- # If you want to have multiple SQL modules re-use the same
- # connection pool, use "pool = name" instead of a "pool"
- # section. e.g.
- #
- # sql sql1 {
- # ...
- # pool {
- # ...
- # }
- # }
- #
- # # sql2 will use the connection pool from sql1
- # sql sql2 {
- # ...
- # pool = sql1
- # }
- #
- pool {
- # Connections to create during module instantiation.
- # If the server cannot create specified number of
- # connections during instantiation it will exit.
- # Set to 0 to allow the server to start without the
- # database being available.
- start = ${thread[pool].start_servers}
-
- # Minimum number of connections to keep open
- min = ${thread[pool].min_spare_servers}
-
- # Maximum number of connections
- #
- # If these connections are all in use and a new one
- # is requested, the request will NOT get a connection.
- #
- # Setting 'max' to LESS than the number of threads means
- # that some threads may starve, and you will see errors
- # like 'No connections available and at max connection limit'
- #
- # Setting 'max' to MORE than the number of threads means
- # that there are more connections than necessary.
- max = ${thread[pool].max_servers}
-
- # Spare connections to be left idle
- #
- # NOTE: Idle connections WILL be closed if "idle_timeout"
- # is set. This should be less than or equal to "max" above.
- spare = ${thread[pool].max_spare_servers}
-
- # Number of uses before the connection is closed
- #
- # 0 means "infinite"
- uses = 0
-
- # The number of seconds to wait after the server tries
- # to open a connection, and fails. During this time,
- # no new connections will be opened.
- retry_delay = 30
-
- # The lifetime (in seconds) of the connection
- lifetime = 0
-
- # idle timeout (in seconds). A connection which is
- # unused for this length of time will be closed.
- idle_timeout = 60
-
- # NOTE: All configuration settings are enforced. If a
- # connection is closed because of "idle_timeout",
- # "uses", or "lifetime", then the total number of
- # connections MAY fall below "min". When that
- # happens, it will open a new connection. It will
- # also log a WARNING message.
- #
- # The solution is to either lower the "min" connections,
- # or increase lifetime/idle_timeout.
- }
-
- # Set to 'yes' to read radius clients from the database ('nas' table)
- # Clients will ONLY be read on server startup.
- #
- # A client can be link to a virtual server via the SQL
- # module. This link is done via the following process:
- #
- # If there is no listener in a virtual server, SQL clients
- # are added to the global list for that virtual server.
- #
- # If there is a listener, and the first listener does not
- # have a "clients=..." configuration item, SQL clients are
- # added to the global list.
- #
- # If there is a listener, and the first one does have a
- # "clients=..." configuration item, SQL clients are added to
- # that list. The client { ...} ` configured in that list are
- # also added for that listener.
- #
- # The only issue is if you have multiple listeners in a
- # virtual server, each with a different client list, then
- # the SQL clients are added only to the first listener.
- #
-# read_clients = yes
-
- # Table to keep radius client info
- client_table = "nas"
-
- #
- # The group attribute specific to this instance of rlm_sql
- #
-
- # This entry should be used for additional instances (sql foo {})
- # of the SQL module.
-# group_attribute = "${.:instance}-SQL-Group"
-
- # This entry should be used for the default instance (sql {})
- # of the SQL module.
- group_attribute = "SQL-Group"
-
- # Read database-specific queries
- $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql_map b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql_map
deleted file mode 100644
index 93b2636..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sql_map
+++ /dev/null
@@ -1,49 +0,0 @@
-# Configuration for the SQL based Map (rlm_sql_map)
-sql_map {
- # SQL instance to use (from mods-available/sql)
- #
- # If you have multiple sql instances, such as "sql sql1 {...}",
- # use the *instance* name here: sql1.
- sql_module_instance = "sql"
-
- # This is duplicative of info available in the SQL module, but
- # we have to list it here as we do not yet support nested
- # reference expansions.
- dialect = "mysql"
-
- # Name of the check item attribute to be used as a key in the SQL queries
- query = "SELECT ... FROM ... "
-
- #
- # Mapping of SQL columns to RADIUS dictionary attributes.
- #
-
- # WARNING: Although this format is almost identical to the unlang
- # update section format, it does *NOT* mean that you can use other
- # unlang constructs in module configuration files.
- #
- # Configuration items are in the format:
- #
- #
- # Where:
- # : Is the destination RADIUS attribute
- # with any valid list and request qualifiers.
- # : Is any assignment attribute (=, :=, +=, -=).
- # : The column number (not name), starting from 0
- #
- # Request and list qualifiers may also be placed after the 'update'
- # section name to set defaults destination requests/lists
- # for unqualified RADIUS attributes.
- #
- update {
- control:Password-With-Header += 0
-# control:NT-Password := 1
-# reply:Reply-Message := 2
-# reply:Tunnel-Type := 3
-# reply:Tunnel-Medium-Type := 4
-# reply:Tunnel-Private-Group-ID := 5
- }
-
- # If the 'query' results in multiple rows, it creates the [*] array entry.
-# multiple_rows = yes
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlcounter b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlcounter
deleted file mode 100644
index f616a80..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlcounter
+++ /dev/null
@@ -1,115 +0,0 @@
-# Rather than maintaining separate (GDBM) databases of
-# accounting info for each counter, this module uses the data
-# stored in the raddacct table by the sql modules. This
-# module NEVER does any database INSERTs or UPDATEs. It is
-# totally dependent on the SQL module to process Accounting
-# packets.
-#
-# The sql-module-instance' parameter holds the instance of the sql
-# module to use when querying the SQL database. Normally it
-# is just "sql". If you define more and one SQL module
-# instance (usually for failover situations), you can
-# specify which module has access to the Accounting Data
-# (radacct table).
-#
-# The 'reset' parameter defines when the counters are all
-# reset to zero. It can be hourly, daily, weekly, monthly or
-# never. It can also be user defined. It should be of the
-# form:
-# num[hdwm] where:
-# h: hours, d: days, w: weeks, m: months
-# If the letter is ommited days will be assumed. In example:
-# reset = 10h (reset every 10 hours)
-# reset = 12 (reset every 12 days)
-#
-# The 'key' parameter specifies the unique identifier for the
-# counter records (usually 'User-Name').
-#
-# The 'query' parameter specifies the SQL query used to get
-# the current Counter value from the database. There are 2
-# parameters that can be used in the query:
-# %%b unix time value of beginning of reset period
-# %%e unix time value of end of reset period
-#
-# The 'check_name' parameter is the name of the 'check'
-# attribute to use to access the counter in the 'users' file
-# or SQL radcheck or radgroupcheck tables.
-#
-# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
-# Reply-Message = "You've used up more than one hour today"
-#
-# The "dailycounter" (or any other sqlcounter module) should be added
-# to "post-auth" section. It will then update the Session-Timeout
-# attribute in the reply. If there is no Session-Timeout attribute,
-# the module will add one. If there is an attribute, the sqlcounter
-# module will make sure that the value is no higher than the limit.
-#
-sqlcounter dailycounter {
- sql_module_instance = sql
- dialect = ${modules.sql.dialect}
-
- counter_name = Daily-Session-Time
- check_name = Max-Daily-Session
- reply_name = Session-Timeout
-
- key = User-Name
- reset = daily
-
- $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
-}
-
-sqlcounter weeklycounter {
- sql_module_instance = sql
- dialect = ${modules.sql.dialect}
-
- counter_name = Weekly-Session-Time
- check_name = Max-Weekly-Session
- reply_name = Session-Timeout
-
- key = User-Name
- reset = weekly
-
- $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
-}
-
-sqlcounter monthlycounter {
- sql_module_instance = sql
- dialect = ${modules.sql.dialect}
-
- counter_name = Monthly-Session-Time
- check_name = Max-Monthly-Session
- reply_name = Session-Timeout
- key = User-Name
- reset = monthly
-
- $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
-}
-
-sqlcounter noresetcounter {
- sql_module_instance = sql
- dialect = ${modules.sql.dialect}
-
- counter_name = Max-All-Session-Time
- check_name = Max-All-Session
- key = User-Name
- reset = never
-
- $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
-}
-
-#
-# Set an account to expire T seconds after first login.
-# Requires the Expire-After attribute to be set, in seconds.
-# You may need to edit raddb/dictionary to add the Expire-After
-# attribute.
-sqlcounter expire_on_login {
- sql_module_instance = sql
- dialect = ${modules.sql.dialect}
-
- counter_name = Expire-After-Initial-Login
- check_name = Expire-After
- key = User-Name
- reset = never
-
- $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlippool b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlippool
deleted file mode 100644
index 7d63a3b..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/sqlippool
+++ /dev/null
@@ -1,115 +0,0 @@
-# Configuration for the SQL based IP Pool module (rlm_sqlippool)
-#
-# The database schemas are available at:
-#
-# raddb/mods-config/sql/ippool//schema.sql
-#
-# $Id: 3d98ca9e0fca4f8df2657d53a15a2c52756b45e1 $
-
-sqlippool {
- # SQL instance to use (from mods-available/sql)
- #
- # If you have multiple sql instances, such as "sql sql1 {...}",
- # use the *instance* name here: sql1.
- sql_module_instance = "sql"
-
- # This is duplicative of info available in the SQL module, but
- # we have to list it here as we do not yet support nested
- # reference expansions.
- dialect = "mysql"
-
- # Name of the check item attribute to be used as a key in the SQL queries
- pool_name = "Pool-Name"
-
- # SQL table to use for ippool range and lease info
- ippool_table = "radippool"
-
- # IP lease duration. (Leases expire even if Acct Stop packet is lost)
- #
- # Note that you SHOULD also set Session-Timeout to this value!
- # That way the NAS will automatically kick the user offline when the
- # lease expires.
- #
- lease_duration = 3600
-
- #
- # Timeout between each consecutive 'allocate_clear' queries (default: 1s)
- # This will avoid having too many deadlock issues, especially on MySQL backend.
- #
- allocate_clear_timeout = 1
-
- #
- # As of 3.0.16, the 'ipv6 = yes' configuration is deprecated.
- # You should use the "attribute_name" configuration item
- # below, instead.
- #
-
- #
- # The attribute to use for IP address assignment. The
- # default is Framed-IP-Address. You can change this to any
- # attribute which is IPv4 or IPv6.
- #
- # e.g. Framed-IPv6-Prefix, or Delegated-IPv6-Prefix.
- #
- # As of 3.0.16, all of the default queries have been updated to use
- # this attribute_name. So you can do IPv6 address assignment simply
- # by putting IPv6 addresses into the pool, and changing the following
- # line to "Framed-IPv6-Prefix"
- #
- # Note that you MUST use separate pools for each attribute. i.e.
one pool
- # for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc.
- #
- # This means configuring separate "sqlippool" instances, and different
- # "ippool_table" in SQL. Then, populate the pool with addresses and
- # it will all just work.
- #
- attribute_name = Framed-IP-Address
-
- #
- # Assign the IP address, even if the above attribute already exists
- # in the reply.
- #
-# allow_duplicates = no
-
- # The attribute in which an IP address hint may be supplied
- req_attribute_name = Framed-IP-Address
-
- # Attribute which should be considered unique per NAS
- #
- # Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
- # Using Calling-Station-Id works for NAS that send fixed NAS-Port
- # ONLY change this if you know what you are doing!
- pool_key = "%{NAS-Port}"
- # pool_key = "%{Calling-Station-Id}"
-
- ################################################################
- #
- # WARNING: MySQL (MyISAM) has certain limitations that means it can
- # hand out the same IP address to 2 different users.
- #
- # We suggest using an SQL DB with proper transaction
- # support, such as PostgreSQL, or using MySQL
- # with InnoDB.
- #
- ################################################################
-
- # These messages are added to the "control" items, as
- # Module-Success-Message. They are not logged anywhere else,
- # unlike previous versions. If you want to have them logged
- # to a file, see the "linelog" module, and create an entry
- # which writes Module-Success-Message message.
- #
- messages {
- exists = "Existing IP: %{reply:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
-
- success = "Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
-
- clear = "Released IP %{request:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
-
- failed = "IP Allocation FAILED from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
-
- nopool = "No ${..pool_name} defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
- }
-
- $INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unbound b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unbound
deleted file mode 100644
index 9fd9b1f..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/unbound
+++ /dev/null
@@ -1,4 +0,0 @@
-unbound dns {
- # filename = "${raddbdir}/mods-config/unbound/default.conf"
- # timeout = 3000
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/wimax b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/wimax
deleted file mode 100644
index 3add59e..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/wimax
+++ /dev/null
@@ -1,165 +0,0 @@
-#
-# The WiMAX module currently takes no configuration.
-#
-# ## Instructions for v1 and v2.0 WiMAX
-#
-# It should be listed in the "authorize" and "preacct" sections.
-# This enables the module to fix the horrible binary version
-# of Calling-Station-Id to the normal format, as specified in
-# RFC 3580, Section 3.21.
-#
-# In order to calculate the various WiMAX keys, the module should
-# be listed in the "post-auth" section. If EAP authentication
-# has been used, AND the EAP method derives MSK and EMSK, then
-# the various WiMAX keys can be calculated.
-#
-# Some useful things to remember:
-#
-# WiMAX-MSK = EAP MSK, but is 64 octets.
-#
-# MIP-RK-1 = HMAC-SHA256(ESMK, "miprk@wimaxforum.org" | 0x00020001)
-# MIP-RK-2 = HMAC-SHA256(ESMK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)
-# MIP-RK = MIP-RK-1 | MIP-RK-2
-#
-# MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP")
-# plus some magic... you've got to track *all* MIP-SPI's
-# on your system!
-#
-# SPI-CMIP4 = MIP-SPI
-# SPI-PMIP4 = MIP-SPI + 1
-# SPI-CMIP6 = MIP-SPI + 2
-#
-# MN-NAI is the Mobile node NAI. You have to create it, and put
-# it into the request or reply as something like:
-#
-# WiMAX-MN-NAI = "%{User-Name}"
-#
-# You will also have to have the appropriate IP address (v4 or v6)
-# in order to calculate the keys below.
-#
-# Lifetimes are derived from Session-Timeout. It needs to be set
-# to some useful number.
-#
-# The hash function below H() is HMAC-SHA1.
-#
-#
-# MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)
-#
-# Where HA-IPv4 is WiMAX-hHA-IP-MIP4
-# or maybe WiMAX-vHA-IP-MIP4
-#
-# Which goes into WiMAX-MN-hHA-MIP4-Key
-# or maybe WiMAX-RRQ-MN-HA-Key
-# or maybe even WiMAX-vHA-MIP4-Key
-#
-# The corresponding SPI is SPI-CMIP4, which is MIP-SPI,
-#
-# which goes into WiMAX-MN-hHA-MIP4-SPI
-# or maybe WiMAX-RRQ-MN-HA-SPI
-# or even WiMAX-MN-vHA-MIP4-SPI
-#
-# MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)
-# MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)
-#
-# both with similar comments to above for MN-HA-CMIP4.
-#
-# In order to tell which one to use (CMIP4, PMIP4, or CMIP6),
-# you have to set WiMAX-IP-Technology in the reply to one of
-# the appropriate values.
-#
-#
-# FA-RK = H(MIP-RK, "FA-RK")
-#
-# MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)
-#
-# Where does the FA-IP come from? No idea...
-#
-#
-# The next two keys (HA-RK and FA-HA) are not generated
-# for every authentication request, but only on demand.
-#
-# HA-RK = 160-bit random number assigned by the AAA server
-# to a specific HA.
-#
-# FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)
-#
-# where HA-IPv4 is as above.
-# and FA-CoAv4 address of the FA as seen by the HA
-# and SPI is the relevant SPI for the HA-RK.
-#
-# DHCP-RK = 160-bit random number assigned by the AAA server
-# to a specific DHCP server. vDHCP-RK is the same
-# thing.
-#
-#
-#
-# ## Instructions for v2.1 (LTE) WiMAX:
-#
-# When called from the "authorize" this module will detect the
-# presence of the following attributes:
-#
-# request:WiMAX-Re-synchronization-Info
-# control:WiMAX-SIM-Ki
-# control:WiMAX-SIM-OPc
-#
-# If all attributes are present, (i.e. a known SIM is requesting a
-# resync) then the module will attempt to extract the new SQN and
-# save it in control:WiMAX-SIM-SQN. It will also save a copy of
-# RAND from the request in control:WiMAX-SIM-RAND.
-#
-# The resulting value of SQN can then be saved in a database
-# e.g.
via a call to the sql module using some unlang
-#
-# When called in the "post_auth" section it looks for:
-#
-# control:WiMAX-SIM-Ki
-# control:WiMAX-SIM-OPc
-# control:WiMAX-SIM-AMF
-# control:WiMAX-SIM-SQN
-# request:WiMAX-Visited-PLMN-ID
-#
-# If all these are present then it will attempt to generate the
-# keys for EPS AKA.
-#
-# First it checks for the presence of control:WiMAX-SIM-RAND and
-# if it is not present it generates a new RAND value which is
-# stored in reply:WiMAX-E-UTRAN-Vector-RAND. If it is present then
-# the value is simply copied to the reply attribute.
-#
-# Then it calls the Milenage algorithm to generate:
-#
-# reply:WiMAX-E-UTRAN-Vector-XRES
-# reply:WiMAX-E-UTRAN-Vector-AUTN
-#
-# And finally generates KASME which is stored in:
-# reply:WiMAX-E-UTRAN-Vector-KASME
-#
-#
-# NOTE: It is up to the system administrator to make sure that all
-# the necessary "control" attributes are populated with the
-# required values. The IMSI is likely to be found in User-Name in
-# the request and this can be used as the key to grab the values
-# from a database.
-#
-#
-wimax {
- #
- # Some WiMAX equipment requires that the MS-MPPE-*-Key
- # attributes are sent in the Access-Accept, in addition to
- # the WiMAX-MSK attribute.
- #
- # Other WiMAX equipment request that the MS-MPPE-*-Key
- # attributes are NOT sent in the Access-Accept.
- #
- # By default, the EAP modules sends MS-MPPE-*-Key attributes.
- # The default virtual server (raddb/sites-available/default)
- # contains examples of adding the WiMAX-MSK.
- #
- # This configuration option makes the WiMAX module delete
- # the MS-MPPE-*-Key attributes. The default is to leave
- # them in place.
- #
- # If the keys are deleted (by setting this to "yes"), then
- # the WiMAX-MSK attribute is automatically added to the reply.
- delete_mppe_keys = no
-}
diff --git a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/yubikey b/pkgs/fablab/freeradius-anon-access/raddb/mods-available/yubikey
deleted file mode 100644
index 9ba61ef..0000000
--- a/pkgs/fablab/freeradius-anon-access/raddb/mods-available/yubikey
+++ /dev/null
@@ -1,158 +0,0 @@
-#
-# This module decrypts and validates Yubikey static and dynamic
-# OTP tokens.
-#
-yubikey {
- #
- # The length (number of ASCII bytes) of the Public-ID portion
- # of the OTP string.
- #
- # Yubikey defaults to a 6 byte ID (2 * 6 = 12)
-# id_length = 12
-
- #
- # If true, the authorize method of rlm_yubikey will attempt to split the
- # value of User-Password, into the user's password, and the OTP token.
- #
- # If enabled and successful, the value of &request:User-Password will be
- # truncated and &request:Yubikey-OTP will be added.
- #
-# split = yes
-
- #
- # Decrypt mode - Tokens will be decrypted and processed locally
- #
- # The module itself does not provide persistent storage as this
- # would be duplicative of functionality already in the server.
- #
- # Yubikey authentication needs two attributes retrieved from
- # persistent storage:
- # * &control:Yubikey-Key - The AES key used to decrypt the OTP data.
- # The Yubikey-Public-Id and/or User-Name
- # attributes may be used to retrieve the key.
- # * &control:Yubikey-Counter - This is compared with the counter in the OTP
- # data and used to prevent replay attacks.
- # This attribute will also be available in
- # the request list after successful
- # decryption.
- #
- # Yubikey-Counter isn't strictly required, but the server will
- # generate warnings if it's not present when yubikey.authenticate
- # is called.
- #
- # These attributes are available after authorization:
- # * &request:Yubikey-Public-ID - The public portion of the OTP string.
- # and additionally if 'split' is set:
- # * &request:Yubikey-OTP - The OTP portion of User-Password.
- #
- # These attributes are available after authentication (if successful):
- # * &request:Yubikey-Private-ID - The encrypted ID included in OTP data,
- # must be verified if tokens share keys.
- # * &request:Yubikey-Counter - The last counter value (should be recorded).
- # * &request:Yubikey-Timestamp - Token's internal clock (mainly useful for
- # debugging).
- # * &request:Yubikey-Random - Randomly generated value from the token.
- #
- decrypt = no
-
- #
- # Validation mode - Tokens will be validated against a Yubicloud server
- #
- validate = no
-
- #
- # Settings for validation mode.
- #
- validation {
- #
- # URL of validation server, multiple URL config items may be used
- # to list multiple servers.
- #
- # - %d is a placeholder for public ID of the token
- # - %s is a placeholder for the token string itself
- #
- # If no URLs are listed, will default to the default URLs in the
- # ykclient library, which point to the yubico validation servers.
- servers {
-# uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
-# uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
- }
-
- #
- # API Client ID
- #
- # Must be set to your client id for the validation server.
- #
-# client_id = 00000
-
- #
- # API Secret key (Base64 encoded)
- #
- # Must be set to your API key for the validation server.
- #
-# api_key = '000000000000000000000000'
-
- #
- # Connection pool parameters
- #
- pool {
- # Connections to create during module instantiation.
- # If the server cannot create specified number of
- # connections during instantiation it will exit.
- # Set to 0 to allow the server to start without the
- # yubikey server being available.
- start = ${thread[pool].start_servers}
-
- # Minimum number of connections to keep open
- min = ${thread[pool].min_spare_servers}
-
- # Maximum number of connections
- #
- # If these connections are all in use and a new one
- # is requested, the request will NOT get a connection.
- #
- # Setting 'max' to LESS than the number of threads means
- # that some threads may starve, and you will see errors
- # like 'No connections available and at max connection limit'
- #
- # Setting 'max' to MORE than the number of threads means
- # that there are more connections than necessary.
- max = ${thread[pool].max_servers}
-
- # Number of uses before the connection is closed
- #
- # NOTE: A setting of 0 means infinite (no limit).
- uses = 0
-
- # The number of seconds to wait after the server tries
- # to open a connection, and fails. During this time,
- # no new connections will be opened.
- retry_delay = 30
-
- # The lifetime (in seconds) of the connection
- #
- # NOTE: A setting of 0 means infinite (no limit).
- lifetime = 0
-
- # The idle timeout (in seconds). A connection which is
- # unused for this length of time will be closed.
- #
- # NOTE: A setting of 0 means infinite (no timeout).
- idle_timeout = 60
-
- # Cycle over all connections in a pool instead of concentrating
- # connection use on a few connections.
- spread = yes
-
- # NOTE: All configuration settings are enforced. If a
- # connection is closed because of "idle_timeout",
- # "uses", or "lifetime", then the total number of
- # connections MAY fall below "min". When that
- # happens, it will open a new connection. It will
- # also log a WARNING message.
- #
- # The solution is to either lower the "min" connections,
- # or increase lifetime/idle_timeout.
- }
- }
-}