Remove unused modules

Jakob Lechner 2022-08-04 03:02:35 +00:00
parent 48ec7a731a
commit 2c13e0d224
No known key found for this signature in database
GPG key ID: 996082EFB5906C10
40 changed files with 0 additions and 3881 deletions


@ -1,116 +0,0 @@
Modules in Version 3
====================
As of Version 3, all of the modules have been placed in the
"mods-available/" directory. This practice follows that used by other
servers such as Nginx, Apache, etc. The "modules" directory should
not be used.
Modules are enabled by creating a file in the mods-enabled/ directory.
You can also create a soft-link from one directory to another::
$ cd raddb/mods-enabled
$ ln -s ../mods-available/foo
This will enable module "foo". Be sure that you have configured the
module correctly before enabling it, otherwise the server will not
start. You can verify the server configuration by running
"radiusd -XC".
A large number of modules are enabled by default. This allows the
server to work with the largest number of authentication protocols.
Please be careful when disabling modules. You will likely need to
edit the "sites-enabled/" files to remove references to any disabled
modules.
Conditional Modules
-------------------
Version 3 allows modules to be conditionally loaded. This is useful
when you want to have a virtual server which references a module, but
does not require it. Instead of editing the virtual server file, you
can just conditionally enable the module.
Modules are conditionally enabled by adding a "-" before their name in
a virtual server. For example, you can do::
server {
authorize {
...
ldap
-sql
...
}
}
This says "require the LDAP module, but use the SQL module only if it
is configured."
This feature is not very useful for production configurations. It is,
however, very useful for the default examples that ship with the
server.
Ignoring module
---------------
If you see this message::
Ignoring module (see raddb/mods-available/README.rst)
Then you are in the right place. Most of the time this message can be
ignored. The message can be fixed by finding the references to "-module"
in the virtual server, and deleting them.
Another way to fix it is to configure the module, as described above.
Simplification
--------------
Allowing conditional modules simplifies the default virtual servers
that are shipped with FreeRADIUS. This means that if you want to
enable LDAP (for example), you no longer need to edit the files in
raddb/sites-available/ in order to enable it.
Instead, you should edit the raddb/mods-available/ldap file to point
to your local LDAP server. Then, enable the module via the soft-link
method described above.
Once the module is enabled, it will automatically be used in the
default configuration.
Multiple Instances
------------------
It is sometimes necessary to have the same module do two different
things. The server supports this functionality via "instances" of
modules.
Normally, a module configuration looks like this:
sql {
... sql stuff ...
}
This module is then refereed to as the "sql" module.
But what happens if you want to connect to two different SQL
databases? The solution is simple; copy the "sql" module
configuration, and add an instance name after the "sql" string:
sql mysql1 {
... configuration for connecting to mysql11 ...
}
sql mysql2 {
... configuration for connecting to mysql12 ...
}
This configuration says "load the SQL module, but create two copies of
it, with different configurations". The different configurations can
be referred to by name, as "mysql1" and "mysql2". That is, anywhere
you would normally use "sql", you could use either "mysql1" or
"mysql2".
For further examples of using module instances, see the "attr_filter"
module configuration in this directory.
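Review bot: This file is documentation, not a module, so its removal goes beyond what the commit message "Remove unused modules" covers; either keep it or say in the message why the mods-available README is being dropped. Its "Ignoring module" section is the target of the server's own diagnostic, `Ignoring module (see raddb/mods-available/README.rst)`, which after this change points at a file that no longer exists. The README also states that disabling modules requires editing the `sites-enabled/` files to remove references to them, and this commit has 0 additions, so no such references were touched; running `radiusd -XC` against the resulting tree would show whether any virtual server still names one of the removed instances.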


@ -1,15 +0,0 @@
# -*- text -*-
##
## Module for PSK authorizations from ABFAB trust router
##
## $Id: d75130da8a9faeb9712619bf49e68afadc30b73a $
sql psksql {
driver = "rlm_sql_sqlite"
sqlite {
filename = "/var/lib/trust_router/keys"
}
}
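Review bot: The `psksql` instance is an SQLite key store at `/var/lib/trust_router/keys`; before merging, check that no virtual server or policy still references `psksql` by name, because nothing in this commit (0 additions) edits such references and an unresolved module name stops the server from starting unless it is listed with the `-` prefix.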


@ -1,132 +0,0 @@
# -*- text -*-
#
# $Id: 8bd4730cf570fdfedc9c516dc6974eab39981600 $
#
# A module to cache attributes. The idea is that you can look
# up information in a database, and then cache it. Repeated
# requests for the same information will then have the cached
# values added to the request.
#
# The module can cache a fixed set of attributes per key.
# It can be listed in "authorize", "post-auth", "pre-proxy"
# and "post-proxy".
#
# If you want different things cached for authorize and post-auth,
# you will need to define two instances of the "cache" module.
#
# The module returns "ok" if it found or created a cache entry.
# The module returns "updated" if it merged a cached entry.
# The module returns "noop" if it did nothing.
# The module returns "fail" on error.
#
cache {
# The backend datastore used to store the cache entries.
# Current datastores are
# rlm_cache_rbtree - An in memory, non persistent rbtree based datastore.
# Useful for caching data locally.
# rlm_cache_memcached - A non persistent "webscale" distributed datastore.
# Useful if the cached data need to be shared between
# a cluster of RADIUS servers.
# driver = "rlm_cache_rbtree"
#
# Some drivers accept specific options, to set them a
# config section with the the name as the driver should be added
# to the cache instance.
#
# Driver specific options are:
#
# memcached {
# # Memcached configuration options, as documented here:
# # http://docs.libmemcached.org/libmemcached_configuration.html#memcached
# options = "--SERVER=localhost"
#
# pool {
# start = ${thread[pool].start_servers}
# min = ${thread[pool].min_spare_servers}
# max = ${thread[pool].max_servers}
# spare = ${thread[pool].max_spare_servers}
# uses = 0
# lifetime = 0
# idle_timeout = 60
# }
# }
# The key used to index the cache. It is dynamically expanded
# at run time.
key = "%{User-Name}"
# The TTL of cache entries, in seconds. Entries older than this
# will be expired.
#
# This value should be between 10 and 86400.
ttl = 10
# If yes the following attributes will be added to the request:
# * &request:Cache-Entry-Hits - The number of times this entry
# has been retrieved.
#
# Note: Not supported by the rlm_cache_memcached module.
add_stats = no
#
# The list of attributes to cache for a particular key.
#
# Each key gets the same set of cached attributes. The attributes
# are dynamically expanded at run time.
#
# The semantics of this construct are identical to an unlang
# update block, except the left hand side of the expression
# represents the cache entry. see man unlang for more information
# on update blocks.
#
# Note: Only request, reply, control and session-state lists
# are available in cache entries. Attempting to store attributes
# in other lists will raise an error during config validation.
#
update {
# <list>:<attribute> <op> <value>
# Cache all instances of Reply-Message in the reply list
&reply:Reply-Message += &reply:Reply-Message[*]
# Add our own to show when the cache was last updated
&reply:Reply-Message += "Cache last updated at %t"
&reply:Class := "%{randstr:ssssssssssssssssssssssssssssssss}"
}
# This module supports a number of runtime configuration parameters
# represented by attributes in the &control: list.
#
# &control:Cache-TTL - Sets the TTL of an entry to be created, or
# modifies the TTL of an existing entry.
# - Setting a Cache-TTL of > 0 means set the TTL of the entry to
# the new value (and reset the expiry timer).
# - Setting a Cache-TTL of < 0 means expire the existing entry
# (without merging) and create a new one with TTL set to
# value * -1.
# - Setting a Cache-TTL of 0 means expire the existing entry
# (without merging) and don't create a new one.
#
# &control:Cache-Status-Only - If present and set to 'yes' will
# prevent a new entry from being created, and existing entries from
# being merged. It will also alter the module's return codes.
# - The module will return "ok" if a cache entry was found.
# - The module will return "notfound" if no cache entry was found.
#
# &control:Cache-Read-Only - If present and set to 'yes' will
# prevent a new entry from being created, but will allow existing
# entries to be merged. It will also alter the module's return codes.
# - The module will return "updated" if a cache entry was found.
# - The module will return "notfound" if no cache was found.
#
# &control:Cache-Merge - If present and set to 'yes' will merge new
# cache entries into the current request. Useful if results
# of execs or expansions are stored directly in the cache.
#
# All runtime configuration attributes will be removed from the
# &control: list after the cache module is called.
}
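Review bot: Deleting `mods-available/cache` leaves any existing `mods-enabled/cache` symlink dangling in deployments that track this tree; the changed-file list should show whether a matching `mods-enabled` entry is removed as well, and the commit message should tell operators with a local symlink to remove it, since the `mods-enabled/` directory is what actually drives module loading.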


@ -1,205 +0,0 @@
couchbase {
#
# List of Couchbase hosts (hosts may be space, tab, comma or semi-colon separated).
# Ports are optional if servers are listening on the standard port.
# Complete pool urls are preferred.
#
server = "http://cb01.blargs.com:8091/pools/ http://cb04.blargs.com:8091/pools/"
# Couchbase bucket name
bucket = "radius"
# Couchbase bucket password (optional)
#password = "password"
# Couchbase accounting document key (unlang supported)
acct_key = "radacct_%{%{Acct-Unique-Session-Id}:-%{Acct-Session-Id}}"
# Value for the 'docType' element in the json body for accounting documents
doctype = "radacct"
## Accounting document expire time in seconds (0 = never)
expire = 2592000
#
# Map attribute names to json element names for accounting.
#
# Configuration items are in the format:
# <radius attribute> = '<element name>'
#
# Element names should be single quoted.
#
# Note: Attributes not in this map will not be recorded.
#
update {
Acct-Session-Id = 'sessionId'
Acct-Unique-Session-Id = 'uniqueId'
Acct-Status-Type = 'lastStatus'
Acct-Authentic = 'authentic'
User-Name = 'userName'
Stripped-User-Name = 'strippedUserName'
Stripped-User-Domain = 'strippedUserDomain'
Realm = 'realm'
NAS-IP-Address = 'nasIpAddress'
NAS-Identifier = 'nasIdentifier'
NAS-Port = 'nasPort'
Called-Station-Id = 'calledStationId'
Called-Station-SSID = 'calledStationSSID'
Calling-Station-Id = 'callingStationId'
Framed-Protocol = 'framedProtocol'
Framed-IP-Address = 'framedIpAddress'
NAS-Port-Type = 'nasPortType'
Connect-Info = 'connectInfo'
Acct-Session-Time = 'sessionTime'
Acct-Input-Packets = 'inputPackets'
Acct-Output-Packets = 'outputPackets'
Acct-Input-Octets = 'inputOctets'
Acct-Output-Octets = 'outputOctets'
Acct-Input-Gigawords = 'inputGigawords'
Acct-Output-Gigawords = 'outputGigawords'
Event-Timestamp = 'lastUpdated'
}
# Couchbase document key for user documents (unlang supported)
user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}"
# Set to 'yes' to read radius clients from the Couchbase view specified below.
# NOTE: Clients will ONLY be read on server startup.
#read_clients = no
#
# Map attribute names to json element names when loading clients.
#
# Configuration follows the same rules as the accounting map above.
#
client {
# Couchbase view that should return all available client documents.
view = "_design/client/_view/by_id"
#
# Sets default values (not obtained from couchbase) for new client entries
#
template {
# login = 'test'
# password = 'test'
# proto = tcp
# require_message_authenticator = yes
# Uncomment to add a home_server with the same
# attributes as the client.
# coa_server {
# response_window = 2.0
# }
}
#
# Client mappings are in the format:
# <client attribute> = '<element name>'
#
# Element names should be single quoted.
#
# The following attributes are required:
# * ipaddr | ipv4addr | ipv6addr - Client IP Address.
# * secret - RADIUS shared secret.
#
# All attributes usually supported in a client
# definition are also supported here.
#
attribute {
ipaddr = 'clientIdentifier'
secret = 'clientSecret'
shortname = 'clientShortname'
nas_type = 'nasType'
virtual_server = 'virtualServer'
require_message_authenticator = 'requireMessageAuthenticator'
limit {
max_connections = 'maxConnections'
lifetime = 'clientLifetime'
idle_timeout = 'idleTimeout'
}
}
}
# Set to 'yes' to enable simultaneous use checking (multiple logins).
# NOTE: This will cause the execution of a view request on every check
# and may be a performance penalty.
# check_simul = no
# Couchbase view that should return all account documents keyed by username.
# simul_view = "_design/acct/_view/by_user"
# The key to the above view.
# NOTE: This will need to match EXACTLY what you emit from your view.
# simul_vkey = "%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}"
# Set to 'yes' to enable verification of the results returned from the above view.
# NOTE: This may be an additional performance penalty to the actual check and
# should be avoided unless absolutely neccessary.
# verify_simul = no
# Remove stale session if checkrad does not see a double login.
# NOTE: This will only be executed if both check_simul and verify_simul
# are set to 'yes' above.
# delete_stale_sessions = yes
#
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# couchbase being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 1200
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}


@ -1,82 +0,0 @@
# -*- text -*-
#
# $Id: a5ac1e60ef117a2c59ace1a9d061d8f70d1da538 $
# counter module:
# This module takes an attribute (count-attribute).
# It also takes a key, and creates a counter for each unique
# key. The count is incremented when accounting packets are
# received by the server. The value of the increment depends
# on the attribute type.
# If the attribute is Acct-Session-Time or of an integer type we add
# the value of the attribute. If it is anything else we increase the
# counter by one.
#
# The 'reset' parameter defines when the counters are all reset to
# zero. It can be hourly, daily, weekly, monthly or never.
#
# hourly: Reset on 00:00 of every hour
# daily: Reset on 00:00:00 every day
# weekly: Reset on 00:00:00 on sunday
# monthly: Reset on 00:00:00 of the first day of each month
#
# It can also be user defined. It should be of the form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is omitted days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
#
# The check_name attribute defines an attribute which will be
# registered by the counter module and can be used to set the
# maximum allowed value for the counter after which the user
# is rejected.
# Something like:
#
# DEFAULT Max-Daily-Session := 36000
# Fall-Through = 1
#
# You should add the counter module in the instantiate
# section so that it registers check_name before the files
# module reads the users file.
#
# If check_name is set and the user is to be rejected then we
# send back a Reply-Message and we log a Failure-Message in
# the radius.log
#
# If the count attribute is Acct-Session-Time then on each
# login we send back the remaining online time as a
# Session-Timeout attribute ELSE and if the reply_name is
# set, we send back that attribute. The reply_name attribute
# MUST be of an integer type.
#
# The counter-name can also be used instead of using the check_name
# like below:
#
# DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The allowed_service_type attribute can be used to only take
# into account specific sessions. For example if a user first
# logs in through a login menu and then selects ppp there will
# be two sessions. One for Login-User and one for Framed-User
# service type. We only need to take into account the second one.
#
# The module should be added in the instantiate, authorize and
# accounting sections. Make sure that in the authorize
# section it comes after any module which sets the
# 'check_name' attribute.
#
counter daily {
filename = ${db_dir}/db.daily
key = User-Name
count_attribute = Acct-Session-Time
reset = daily
counter_name = Daily-Session-Time
check_name = Max-Daily-Session
reply_name = Session-Timeout
allowed_service_type = Framed-User
cache_size = 5000
}


@ -1,53 +0,0 @@
# -*- text -*-
#
# $Id: 54842d4106800babe8db1d58d2e8b7a5cad017db $
#
# Write Chargeable-User-Identity to the database.
#
# Schema raddb/mods-config/sql/cui/<DB>/schema.sql
# Queries raddb/mods-config/sql/cui/<DB>/queries.conf
#
sql cuisql {
# The dialect of SQL you want to use, this should usually match
# the driver below.
#
# If you're using rlm_sql_null, then it should be the type of
# database the logged queries are going to be executed against.
dialect = "sqlite"
# The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# There are CUI queries available for:
# * rlm_sql_mysql
# * rlm_sql_postgresql
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
driver = "rlm_sql_${dialect}"
sqlite {
filename = ${radacctdir}/cui.sqlite
bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql
}
# Write CUI queries to a logfile. Useful for debugging.
# logfile = ${logdir}/cuilog.sql
pool {
start = 5
min = 4
max = 10
spare = 3
uses = 0
lifetime = 0
idle_timeout = 60
}
cui_table = "cui"
sql_user_name = "%{User-Name}"
$INCLUDE ${modconfdir}/${.:name}/cui/${dialect}/queries.conf
}
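Review bot: `cuisql` bootstraps from `${modconfdir}/${..:name}/cui/sqlite/schema.sql` and includes `${modconfdir}/${.:name}/cui/${dialect}/queries.conf`; if the `mods-config/sql/cui` tree is not among the other deleted files it is now orphaned, and if it is, the commit message should say so, since the schema and queries are what a deployment needs in order to restore Chargeable-User-Identity logging later.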


@ -1,27 +0,0 @@
# -*- text -*-
#
# Detail file writer, used in the following examples:
#
# raddb/sites-available/robust-proxy-accounting
# raddb/sites-available/decoupled-accounting
#
# Note that this module can write detail files that are read by
# only ONE "listen" section. If you use BOTH of the examples
# above, you will need to define TWO "detail" modules.
#
# e.g. detail1.example.com && detail2.example.com
#
#
# We write *multiple* detail files here. They will be processed by
# the detail "listen" section in the order that they were created.
# The directory containing these files should NOT be used for any
# other purposes. i.e. It should have NO other files in it.
#
# Writing multiple detail enables the server to process the pieces
# in smaller chunks. This helps in certain catastrophic corner cases.
#
# $Id: 827cdf57e70dc2ff2252016194f4bb846eecead2 $
#
detail detail.example.com {
filename = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H:%G
}
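Review bot: The header comment names `raddb/sites-available/robust-proxy-accounting` and `raddb/sites-available/decoupled-accounting` as the consumers of the `detail.example.com` instance; with 0 additions in this commit those site files were not edited, so if they remain they reference a module that no longer exists. Remove or update them in the same change, or state in the message that they are intentionally left as non-enabled examples.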


@ -1,19 +0,0 @@
# -*- text -*-
#
# $Id: a4316335d7f73b37ec5aa9278de91d37dd28eddc $
#
# This module is useful only for 'xlat'. To use it,
# put 'dhcp' into the 'instantiate' section.
#
# %{dhcp_options:<Attribute-ref>} may be used to decode
# DHCP options data included in RADIUS packets by vendors
# of DHCP to RADIUS gateways.
#
# This is known to work with the following VSAs:
# * Juniper - ERX-Dhcp-Options
# * Alcatel lucent SR - Alc-ToServer-Dhcp-Options
# - Alc-ToClient-Dhcp-Options
#
dhcp {
}


@ -1,56 +0,0 @@
# -*- text -*-
#
# $Id: 243a241a8d28d8de9696e5364c59e25558789219 $
# Instances of the "files" module for managing DHCP options
#
files dhcp_network {
# The file containing network-specific DHCP options mapping
filename = ${modconfdir}/files/dhcp
# For network lookups we use a fixed key. Matching
# actual networks is done by additional filtering within
# the file
key = "network"
}
files dhcp_subnet {
# The file containing subnet-specific DHCP options mapping
filename = ${modconfdir}/files/dhcp
# For subnet lookups we use a fixed key. Matching
# actual subnets is done by additional filtering within
# the file
key = "subnet"
}
files dhcp_set_group_options {
# An example of looking up DHCP group options. This
# is designed to be called from a policy configured in
# policy.d/dhcp.
#
# If clients are never members of more than one group,
# then this could be simplified such that DHCP-Group-Name
# is used here in place of Foreach-Variable-0 and this
# module instance called directly rather than the policy
# Use the same file as for subnets - could be split
# for large, complex installations
filename = ${modconfdir}/files/dhcp
# The key is a temporary string populated by the calling policy
# which uses a foreach loop.
key = "%{Foreach-Variable-0}"
}
files dhcp_hosts {
# An example of a DHCP host mapping for option setting
# Use the same file as for subnets - could be split
# for large, complex installations
filename = ${modconfdir}/files/dhcp
# If a different identifier is needed for looking up
# host specific entries then amend this key.
key = "host-%{DHCP-Client-Hardware-Address}"
}
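Review bot: `dhcp_set_group_options` is, by its own comment, called from the policy in `policy.d/dhcp` and keyed on `%{Foreach-Variable-0}` that the policy populates; the deletion list should show whether `policy.d/dhcp` is removed too, otherwise a policy that calls instances which no longer exist is left behind and will fail configuration checking.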


@ -1,20 +0,0 @@
# -*- text -*-
#
# $Id: 7884a00298935db8e33fd9f850c2619e61d9b5a9 $
# An instance of the passwd module designed for looking up
# DHCP client membership. This example is based on hardware
# address.
# The "groups" file should be of the format:
# <group name>|<hardware address>,<hardware address>,<hardware address>
# <group name>|<hardware address>,<hardware address>,<hardware address>
#
# See the passwd module for more details.
passwd dhcp_group_membership {
filename = "${modconfdir}/files/dhcp_groups"
format = "~DHCP-Group-Name:*,DHCP-Client-Hardware-Address"
hash_size = 100
allow_multiple_keys = yes
delimiter = "|"
}


@ -1,92 +0,0 @@
# -*- text -*-
##
## mods-available/sql -- SQL modules
##
## $Id: 20dbe3a35be942acaaec8ee0ced7e85786fc46a7 $
######################################################################
#
# Configuration for the DHCP-specific instance of the SQL module
#
# The database schemas and queries are located in subdirectories:
#
# sql/dhcp/<DB>/schema.sql Schema
# sql/dhcp/<DB>/queries.conf Reply options lookup queries
#
# Where "DB" is mysql, mssql, oracle, or postgresql.
#
#
# See raddb/mods-available/sql for a description of the configuration items
# for the sql module.
#
sql dhcp_sql {
dialect = "sqlite"
driver = "rlm_sql_null"
# driver = "rlm_sql_${dialect}"
sqlite {
filename = "/tmp/freeradius.db"
busy_timeout = 200
bootstrap = "${modconfdir}/${..:name}/dhcp/sqlite/schema.sql"
}
mysql {
tls {
ca_file = "/etc/ssl/certs/my_ca.crt"
ca_path = "/etc/ssl/certs/"
certificate_file = "/etc/ssl/certs/private/client.crt"
private_key_file = "/etc/ssl/certs/private/client.key"
cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
tls_required = yes
tls_check_cert = no
tls_check_cert_cn = no
}
warnings = auto
}
postgresql {
send_application_name = yes
}
mongo {
appname = "freeradius"
tls {
certificate_file = /path/to/file
certificate_password = "password"
ca_file = /path/to/file
ca_dir = /path/to/directory
crl_file = /path/to/file
weak_cert_validation = false
allow_invalid_hostname = false
}
}
# server = "localhost"
# port = 3306
# login = "radius"
# password = "radpass"
radius_db = "radius"
dhcpreply_table = "dhcpreply"
groupreply_table = "dhcpgroupreply"
dhcpgroup_table = "dhcpgroup"
read_groups = no
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
group_attribute = "${.:instance}-SQL-Group"
$INCLUDE ${modconfdir}/${.:name}/dhcp/${dialect}/queries.conf
}


@ -1,101 +0,0 @@
# Configuration for DHCP for the SQL based IP Pools module (rlm_sqlippool).
#
# See raddb/mods-available/sqlippool for common configuration explanation
#
# See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows
# the RADIUS based "sqlippool" module to be used for DHCP.
#
# See raddb/sites-available/dhcp for instructions on how to configure
# the DHCP server.
#
# The database schemas are available at:
#
# raddb/mods-config/sql/ippool-dhcp/<DB>/schema.sql
#
# $Id: 909b93c7ebcbbeb16b123ca38e696790b5771dda $
sqlippool dhcp_sqlippool {
# SQL instance to use (from mods-available/sql)
#
# If you have multiple sql instances, such as "sql sql1 {...}",
# use the *instance* name here: sql1.
sql_module_instance = "dhcp_sql"
# This is duplicative of info available in the SQL module, but
# we have to list it here as we do not yet support nested
# reference expansions.
dialect = "mysql"
# Name of the check item attribute to be used as a key in the SQL queries
pool_name = "Pool-Name"
# SQL table to use for ippool range and lease info
ippool_table = "dhcpippool"
# The duration for which a lease is reserved whilst under offer
offer_duration = 10
# IP lease duration. (Leases expire even if no DHCP-Release packet is received)
# Either use the value to be sent to the client or a hard coded one.
lease_duration = "%{reply:DHCP-IP-Address-Lease-Time}"
#lease_duration = 7200
# The attribute in which the IP address is returned in the reply
attribute_name = "DHCP-Your-IP-Address"
# Assign the IP address, even if the above attribute already exists in
# the reply.
#
# allow_duplicates = no
# The attribute in which an IP address hint may be supplied
req_attribute_name = "DHCP-Requested-IP-Address"
#
# RFC 2132 allows the DHCP client to supply a unique
# identifier ("uid") using Option 61 (DHCP-Client-Identifier)
# in which case it must be used as the lookup key for
# configuration data.
#
pool_key = "%{%{DHCP-Client-Identifier}:-%{DHCP-Client-Hardware-Address}}"
#
# The "uid" is generated by the OS which means that clients
# whose BMC piggybacks on the main interface (sharing its MAC,
# but generating a distinct uid) and dual-booting clients can
# be allocated multiple IPs, consuming more pool entries. To
# avoid this you can ignore the RFCs and key the configuration
# data based only on the client MAC address.
#
# pool_key = "%{DHCP-Client-Hardware-Address}"
################################################################
#
# WARNING: MySQL (MyISAM) has certain limitations that means it can
# hand out the same IP address to 2 different users.
#
# We suggest using an SQL DB with proper transaction
# support, such as PostgreSQL, or using MySQL
# with InnoDB.
#
################################################################
# These messages are added to the "control" items, as
# Module-Success-Message. They are not logged anywhere else,
# unlike previous versions. If you want to have them logged
# to a file, see the "linelog" module, and create an entry
# which writes Module-Success-Message message.
#
messages {
exists = "DHCP: Existing IP: %{reply:${..attribute_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
success = "DHCP: Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
clear = "DHCP: Released IP %{DHCP-Client-IP-Address} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
failed = "DHCP: IP Allocation FAILED from %{control:${..pool_name}} (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
nopool = "DHCP: No ${..pool_name} defined (cid %{DHCP-Client-Identifier} chaddr %{DHCP-Client-Hardware-Address} giaddr %{DHCP-Gateway-IP-Address})"
}
$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf
}
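Review bot: `sql_module_instance = "dhcp_sql"` ties this instance to the `dhcp_sql` instance removed in the same commit, which is consistent, but the header also names `raddb/policy.d/dhcp_sqlippool` and `raddb/sites-available/dhcp` as the glue code and server configuration for it; those need to be removed or amended alongside, and the `$INCLUDE ${modconfdir}/sql/ippool-dhcp/${dialect}/queries.conf` line means the `ippool-dhcp` schema directory should be accounted for as well.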


@ -1,28 +0,0 @@
# -*- text -*-
#
# $Id: f58b72f560ba067991d67295b546691bcd992d44 $
# "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
# attribute for every group that the user is member of.
#
# You will have to define the Etc-Group-Name in the 'dictionary' file
# as a 'string' type.
#
# The Group and Group-Name attributes are automatically created by
# the Unix module, and do checking against /etc/group automatically.
# This means that you CANNOT use Group or Group-Name to do any other
# kind of grouping in the server. You MUST define a new group
# attribute.
#
# i.e. this module should NOT be used as-is, but should be edited to
# point to a different group file.
#
passwd etc_group {
filename = /etc/group
format = "=Etc-Group-Name:::*,User-Name"
hash_size = 50
ignore_nislike = yes
allow_multiple_keys = yes
delimiter = ":"
}


@ -1,28 +0,0 @@
# -*- text -*-
#
# $Id: 534054077d52a7bb0bf8e02c1e861e5c86b76df9 $
#
# Internationalised domain names.
#
# The expansion string: %{idn: example.com} results in an ASCII
# punycode version of the domain name. That version can then be used
# for name comparisons. Using an i18n version of the name is NOT
# RECOMMENDED, as that version is not canonical.
#
# i.e. the "same" domain name can be represented in many, many,
# different ways. Only the idn version has *one* representation.
#
idn {
#
# Allow use of unassigned Unicode code points.
#
allow_unassigned = no
#
# Prohibit underscores and other invalid characters in domain
# names.
use_std3_ascii_rules = yes
}


@ -1,107 +0,0 @@
# -*- text -*-
#
# $Id: 576eb7739ebf18ca6323cb740a7d4278ff6d6ea2 $
#
# Sample configuration for an EAP module that occurs *inside*
# of a tunneled method. It is used to limit the EAP types that
# can occur inside of the inner tunnel.
#
# See also raddb/sites-available/inner-tunnel
#
# See raddb/mods-available/eap for full documentation on the meaning of these
# configuration entries.
#
eap inner-eap {
# This is the best choice for PEAP.
default_eap_type = mschapv2
timer_expire = 60
# This should be the same as the outer eap "max sessions"
max_sessions = 2048
# Supported EAP-types
md5 {
}
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
auth_type = PAP
}
mschapv2 {
# See eap for documentation
# send_error = no
}
# No TTLS or PEAP configuration should be listed here.
## EAP-TLS
#
# You SHOULD use different certificates than are used
# for the outer EAP configuration!
#
# You can create the "inner-server.pem" file by doing:
#
# cd raddb/certs
# vi inner-server.cnf
# make inner-server
#
# The certificate MUST be different from the "server.cnf"
# file.
#
# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
# It might work, or it might not.
#
tls {
private_key_password = whatever
private_key_file = ${certdir}/inner-server.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/inner-server.pem
# You may want different CAs for inner and outer
# certificates. If so, edit this file.
ca_file = ${cadir}/ca.pem
cipher_list = "DEFAULT"
# You may want to set a very small fragment size.
# The TLS data here needs to go inside of the
# outer EAP-TLS protocol.
#
# Try values and see if they work...
# fragment_size = 1024
# Other needful things
dh_file = ${certdir}/dh
random_file = /dev/urandom
# CRL and OCSP things go here. See the main "eap"
# file for details.
# check_crl = yes
# ca_path = /path/to/directory/with/ca_certs/and/crls/
# Accept an expired Certificate Revocation List
#
# allow_expired_crl = no
#
# The session resumption / fast re-authentication
# cache CANNOT be used for inner sessions.
#
}
}
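Review bot: this is the `inner-eap` instance that raddb/sites-available/inner-tunnel refers to (the file's own "See also raddb/sites-available/inner-tunnel" comment says so); if sites-enabled/inner-tunnel is still enabled and its authorize/authenticate sections name `inner-eap`, the server will fail to load after this deletion. Either disable the inner-tunnel site in the same commit or keep the instance. Note also that the deleted config carried the sample `private_key_password = whatever` and `${certdir}/inner-server.pem`; if those certificates were ever generated under raddb/certs they remain on disk after this change and should be cleaned up separately.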

View file

@ -1,66 +0,0 @@
# -*- text -*-
#
# $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
#
# The module also requires the existence of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools for
# different users. The Pool-Name attribute is a *check* item
# not a reply item.
#
# The Pool-Name should be set to the ippool module instance
# name or to DEFAULT to match any module.
#
# Example:
# radiusd.conf: ippool students { [...] }
# ippool teachers { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
# DEFAULT Group == teachers, Pool-Name := "teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# Note: If you change the range parameters you must then erase the
# db files.
#
ippool main_pool {
# The main db file used to allocate addresses.
filename = ${db_dir}/db.ippool
# The start and end ip addresses for this pool.
range_start = 192.0.2.1
range_stop = 192.0.2.254
# The network mask used for this pool.
netmask = 255.255.255.0
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
cache_size = 800
# Helper db index file used in multilink
ip_index = ${db_dir}/db.ipindex
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# ith a Framed-IP-Address assigned here.
override = no
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum_timeout = 0
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
# key = "%{NAS-IP-Address} %{NAS-Port}"
}
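Review bot: `main_pool` is called from post-auth and accounting sections (per the file's own header) and selected by the `Pool-Name` check item; grep sites-enabled/ and the users file for `main_pool` and `Pool-Name` before merging, otherwise those references dangle. The deletion also leaves the GDBM state in `${db_dir}/db.ippool` and `${db_dir}/db.ipindex` on disk; if the pool really is unused those files should go as well, since the comment already notes that stale db files must be erased whenever the range changes.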

View file

@ -1,82 +0,0 @@
# -*- text -*-
#
# $Id: c88b5fbb4b35cc4e61bfb93a616d891fb79ebc0c $
#
# Kerberos. See doc/modules/rlm_krb5 for minimal docs.
#
krb5 {
#
# The keytab file MUST be owned by the UID/GID used by the server.
# The keytab file MUST be writable by the server.
# The keytab file MUST NOT be readable by other users on the system.
# The keytab file MUST exist before the server is started.
#
keytab = ${localstatedir}/lib/radiusd/keytab
service_principal = name_of_principle
# Pool of krb5 contexts, this allows us to make the module multithreaded
# and to avoid expensive operations like resolving and opening keytabs
# on every request. It may also allow TCP connections to the KDC to be
# cached if that is supported by the version of libkrb5 used.
#
# The context pool is only used if the underlying libkrb5 reported
# that it was thread safe at compile time.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# KDC being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 0
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
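Review bot: removing this config does not remove the keytab at `${localstatedir}/lib/radiusd/keytab`, and the MUST lines at the top of the file were the only place the permission constraints on it (owned and writable by the radiusd UID/GID, unreadable by other users) were documented; if a keytab was deployed it should be deleted in the same change, and any `Auth-Type` block or authenticate-section reference to `krb5` in sites-enabled/ has to go with it.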

View file

@ -1,666 +0,0 @@
# -*- text -*-
#
# $Id: 015ae6907b8113771691ae3a3c1d53b05756d143 $
#
# Lightweight Directory Access Protocol (LDAP)
#
ldap {
# Note that this needs to match the name(s) in the LDAP server
# certificate, if you're using ldaps. See OpenLDAP documentation
# for the behavioral semantics of specifying more than one host.
#
# Depending on the libldap in use, server may be an LDAP URI.
# In the case of OpenLDAP this allows additional the following
# additional schemes:
# - ldaps:// (LDAP over SSL)
# - ldapi:// (LDAP over Unix socket)
# - ldapc:// (Connectionless LDAP)
server = 'localhost'
# server = 'ldap.rrdns.example.org'
# server = 'ldap.rrdns.example.org'
# Port to connect on, defaults to 389, will be ignored for LDAP URIs.
# port = 389
# Administrator account for searching and possibly modifying.
# If using SASL + KRB5 these should be commented out.
# identity = 'cn=admin,dc=example,dc=org'
# password = mypass
# Unless overridden in another section, the dn from which all
# searches will start from.
base_dn = 'dc=example,dc=org'
#
# You can run the 'ldapsearch' command line tool using the
# parameters from this module's configuration.
#
# ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}'
#
# That will give you the LDAP information for 'user'.
#
# Group membership can be queried by using the above "ldapsearch" string,
# and adding "memberof" qualifiers. For ActiveDirectory, use:
#
# ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
#
# Where 'user' is the user as above, and 'group' is the group you are querying for.
#
#
# SASL parameters to use for admin binds
#
# When we're prompted by the SASL library, these control
# the responses given, as well as the identity and password
# directives above.
#
# If any directive is commented out, a NULL response will be
# provided to cyrus-sasl.
#
# Unfortunately the only way to control Keberos here is through
# environmental variables, as cyrus-sasl provides no API to
# set the krb5 config directly.
#
# Full documentation for MIT krb5 can be found here:
#
# http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html
#
# At a minimum you probably want to set KRB5_CLIENT_KTNAME.
#
sasl {
# SASL mechanism
# mech = 'PLAIN'
# SASL authorisation identity to proxy.
# proxy = 'autz_id'
# SASL realm. Used for kerberos.
# realm = 'example.org'
}
#
# Generic valuepair attribute
#
# If set, this will attribute will be retrieved in addition to any
# mapped attributes.
#
# Values should be in the format:
# <radius attr> <op> <value>
#
# Where:
# <radius attr>: Is the attribute you wish to create
# with any valid list and request qualifiers.
# <op>: Is any assignment operator (=, :=, +=, -=).
# <value>: Is the value to parse into the new valuepair.
# If the value is wrapped in double quotes it
# will be xlat expanded.
# valuepair_attribute = 'radiusAttribute'
#
# Mapping of LDAP directory attributes to RADIUS dictionary attributes.
#
# WARNING: Although this format is almost identical to the unlang
# update section format, it does *NOT* mean that you can use other
# unlang constructs in module configuration files.
#
# Configuration items are in the format:
# <radius attr> <op> <ldap attr>
#
# Where:
# <radius attr>: Is the destination RADIUS attribute
# with any valid list and request qualifiers.
# <op>: Is any assignment attribute (=, :=, +=, -=).
# <ldap attr>: Is the attribute associated with user or
# profile objects in the LDAP directory.
# If the attribute name is wrapped in double
# quotes it will be xlat expanded.
#
# Request and list qualifiers may also be placed after the 'update'
# section name to set defaults destination requests/lists
# for unqualified RADIUS attributes.
#
# Note: LDAP attribute names should be single quoted unless you want
# the name value to be derived from an xlat expansion, or an
# attribute ref.
update {
control:Password-With-Header += 'userPassword'
# control:NT-Password := 'ntPassword'
# reply:Reply-Message := 'radiusReplyMessage'
# reply:Tunnel-Type := 'radiusTunnelType'
# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
# Where only a list is specified as the RADIUS attribute,
# the value of the LDAP attribute is parsed as a valuepair
# in the same format as the 'valuepair_attribute' (above).
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
# Set to yes if you have eDirectory and want to use the universal
# password mechanism.
# edir = no
# Set to yes if you want to bind as the user after retrieving the
# Cleartext-Password. This will consume the login grace, and
# verify user authorization.
# edir_autz = no
# Note: set_auth_type was removed in v3.x.x
#
# Equivalent functionality can be achieved by adding the
# following "if" statement to the authorize {} section of
# the virtual server, after the "ldap" module. For example:
#
# ...
# ldap
# if ((ok || updated) && User-Password && !control:Auth-Type) {
# update {
# control:Auth-Type := ldap
# }
# }
# ...
#
# You will also need to uncomment the "Auth-Type LDAP" block in the
# "authenticate" section.
#
#
# Name of the attribute that contains the user DN.
# The default name is LDAP-UserDn.
#
# If you have multiple LDAP instances, you should
# change this configuration item to:
#
# ${.:instance}-LDAP-UserDn
#
# That change allows the modules to set their own
# User DN, and to not conflict with each other.
#
user_dn = "LDAP-UserDn"
#
# User object identification.
#
user {
# Where to start searching in the tree for users
base_dn = "${..base_dn}"
# Filter for user objects, should be specific enough
# to identify a single user object.
#
# For Active Directory, you should use
# "samaccountname=" instead of "uid="
#
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
# For Active Directory nested group, you should comment out the previous 'filter = ...'
# and use the below. Where 'group' is the group you are querying for.
#
# NOTE: The string '1.2.840.113556.1.4.1941' specifies LDAP_MATCHING_RULE_IN_CHAIN.
# This applies only to DN attributes. This is an extended match operator that walks
# the chain of ancestry in objects all the way to the root until it finds a match.
# This reveals group nesting. It is available only on domain controllers with
# Windows Server 2003 SP2 or Windows Server 2008 (or above).
#
# See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
#
# filter = "(&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
# SASL parameters to use for user binds
#
# When we're prompted by the SASL library, these control
# the responses given.
#
# Any of the config items below may be an attribute ref
# or and expansion, so different SASL mechs, proxy IDs
# and realms may be used for different users.
sasl {
# SASL mechanism
# mech = 'PLAIN'
# SASL authorisation identity to proxy.
# proxy = &User-Name
# SASL realm. Used for kerberos.
# realm = 'example.org'
}
# Search scope, may be 'base', 'one', sub' or 'children'
# scope = 'sub'
# Server side result sorting
#
# A list of space delimited attributes to order the result
# set by, if the filter matches multiple objects.
# Only the first result in the set will be processed.
#
# If the attribute name is prefixed with a hyphen '-' the
# sorting order will be reversed for that attribute.
#
# If sort_by is set, and the server does not support sorting
# the search will fail.
# sort_by = '-uid'
# If this is undefined, anyone is authorised.
# If it is defined, the contents of this attribute
# determine whether or not the user is authorised
# access_attribute = 'dialupAccess'
# Control whether the presence of 'access_attribute'
# allows access, or denys access.
#
# If 'yes', and the access_attribute is present, or
# 'no' and the access_attribute is absent then access
# will be allowed.
#
# If 'yes', and the access_attribute is absent, or
# 'no' and the access_attribute is present, then
# access will not be allowed.
#
# If the value of the access_attribute is 'false', it
# will negate the result.
#
# e.g.
# access_positive = yes
# access_attribute = userAccessAllowed
#
# With an LDAP object containing:
# userAccessAllowed: false
#
# Will result in the user being locked out.
# access_positive = yes
}
#
# User membership checking.
#
group {
# Where to start searching in the tree for groups
base_dn = "${..base_dn}"
# Filter for group objects, should match all available
# group objects a user might be a member of.
#
# If using Active Directory you are likely to need "group"
# instead of "posixGroup".
filter = '(objectClass=posixGroup)'
# Search scope, may be 'base', 'one', sub' or 'children'
# scope = 'sub'
# Attribute that uniquely identifies a group.
# Is used when converting group DNs to group
# names.
# name_attribute = cn
# Filter to find all group objects a user is a member of.
# That is, group objects with attributes that
# identify members (the inverse of membership_attribute).
#
# Note that this configuration references the "user_dn"
# configuration defined above.
#
# membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
# The attribute, in user objects, which contain the names
# or DNs of groups a user is a member of.
#
# Unless a conversion between group name and group DN is
# needed, there's no requirement for the group objects
# referenced to actually exist.
#
# If the LDAP server does not support the "memberOf"
# attribute (or equivalent), then you will need to use the
# membership_filter option above instead. If you can't see
# the memberOf attribute then it is also possible that the
# LDAP bind user does not have the correct permissions to
# view it.
membership_attribute = 'memberOf'
# If cacheable_name or cacheable_dn are enabled,
# all group information for the user will be
# retrieved from the directory and written to LDAP-Group
# attributes appropriate for the instance of rlm_ldap.
#
# For group comparisons these attributes will be checked
# instead of querying the LDAP directory directly.
#
# This feature is intended to be used with rlm_cache.
#
# If you wish to use this feature, you should enable
# the type that matches the format of your check items
# i.e. if your groups are specified as DNs then enable
# cacheable_dn else enable cacheable_name.
# cacheable_name = 'no'
# cacheable_dn = 'no'
# Override the normal cache attribute (<inst>-LDAP-Group or
# LDAP-Group if using the default instance) and create a
# custom attribute. This can help if multiple module instances
# are used in fail-over.
# cache_attribute = 'LDAP-Cached-Membership'
# If the group being checked is specified as a name, but
# the user's groups are referenced by DN, and one of those
# group DNs is invalid, the whole group check is treated as
# invalid, and a negative result will be returned.
# When set to 'yes', this option ignores invalid DN
# references.
# allow_dangling_group_ref = 'no'
}
#
# User profiles. RADIUS profile objects contain sets of attributes
# to insert into the request. These attributes are mapped using
# the same mapping scheme applied to user objects (the update section above).
#
profile {
# Filter for RADIUS profile objects
# filter = '(objectclass=radiusprofile)'
# The default profile. This may be a DN or an attribute
# reference.
# To get old v2.2.x style behaviour, or to use the
# &User-Profile attribute to specify the default profile,
# set this to &control:User-Profile.
# default = 'cn=radprofile,dc=example,dc=org'
# The LDAP attribute containing profile DNs to apply
# in addition to the default profile above. These are
# retrieved from the user object, at the same time as the
# attributes from the update section, are are applied
# if authorization is successful.
# attribute = 'radiusProfileDn'
}
#
# Bulk load clients from the directory
#
client {
# Where to start searching in the tree for clients
base_dn = "${..base_dn}"
#
# Filter to match client objects
#
filter = '(objectClass=radiusClient)'
# Search scope, may be 'base', 'one', 'sub' or 'children'
# scope = 'sub'
#
# Sets default values (not obtained from LDAP) for new client entries
#
template {
# login = 'test'
# password = 'test'
# proto = tcp
# require_message_authenticator = yes
# Uncomment to add a home_server with the same
# attributes as the client.
# coa_server {
# response_window = 2.0
# }
}
#
# Client attribute mappings are in the format:
# <client attribute> = <ldap attribute>
#
# The following attributes are required:
# * ipaddr | ipv4addr | ipv6addr - Client IP Address.
# * secret - RADIUS shared secret.
#
# All other attributes usually supported in a client
# definition are also supported here.
#
# Schemas are available in doc/schemas/ldap for openldap and eDirectory
#
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
# shortname = 'radiusClientShortname'
# nas_type = 'radiusClientType'
# virtual_server = 'radiusClientVirtualServer'
# require_message_authenticator = 'radiusClientRequireMa'
}
}
# Load clients on startup
# read_clients = no
#
# Modify user object on receiving Accounting-Request
#
# Useful for recording things like the last time the user logged
# in, or the Acct-Session-ID for CoA/DM.
#
# LDAP modification items are in the format:
# <ldap attr> <op> <value>
#
# Where:
# <ldap attr>: The LDAP attribute to add modify or delete.
# <op>: One of the assignment operators:
# (:=, +=, -=, ++).
# Note: '=' is *not* supported.
# <value>: The value to add modify or delete.
#
# WARNING: If using the ':=' operator with a multi-valued LDAP
# attribute, all instances of the attribute will be removed and
# replaced with a single attribute.
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
#
# Post-Auth can modify LDAP objects too
#
post-auth {
update {
description := "Authenticated at %S"
}
}
#
# LDAP connection-specific options.
#
# These options set timeouts, keep-alives, etc. for the connections.
#
options {
# Control under which situations aliases are followed.
# May be one of 'never', 'searching', 'finding' or 'always'
# default: libldap's default which is usually 'never'.
#
# LDAP_OPT_DEREF is set to this value.
# dereference = 'always'
#
# The following two configuration items control whether the
# server follows references returned by LDAP directory.
# They are mostly for Active Directory compatibility.
# If you set these to 'no', then searches will likely return
# 'operations error', instead of a useful result.
#
chase_referrals = yes
rebind = yes
# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page).
# Note - uncomment when using GSS-API sasl mechanism along with TLS
# encryption against Active-Directory LDAP servers (this disables
# sealing and signing at the GSS level as required by AD).
#sasl_secprops = 'noanonymous,noplain,maxssf=0'
# Seconds to wait for LDAP query to finish. default: 20
res_timeout = 10
# Seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
srv_timelimit = 3
# Seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
ldap_debug = 0x0028
}
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the 'tls_*' configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
# start_tls = yes
# ca_file = ${certdir}/cacert.pem
# ca_path = ${certdir}
# certificate_file = /path/to/radius.crt
# private_key_file = /path/to/radius.key
# random_file = /dev/urandom
# Certificate Verification requirements. Can be:
# 'never' (do not even bother trying)
# 'allow' (try, but don't fail if the certificate
# cannot be verified)
# 'demand' (fail if the certificate does not verify)
# 'hard' (similar to 'demand' but fails if TLS
# cannot negotiate)
#
# The default is libldap's default, which varies based
# on the contents of ldap.conf.
# require_cert = 'demand'
#
# Minimum TLS version to accept. We STRONGLY recommend
# setting this to "1.2"
#
# tls_min_version = "1.2"
}
# As of version 3.0, the 'pool' section has replaced the
# following configuration items:
#
# ldap_connections_number
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
# When the server is not threaded, the connection pool
# limits are ignored, and only one connection is used.
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# directory being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# Idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of 'idle_timeout',
# 'uses', or 'lifetime', then the total number of
# connections MAY fall below 'min'. When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the 'min' connections,
# or increase lifetime/idle_timeout.
}
}
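Review bot: the default virtual servers reference this module conditionally as `-ldap`, which is the one case a deletion is safe, but the "set_auth_type was removed" comment in this file instructs admins to add an unconditional `ldap` call plus an `Auth-Type LDAP` authenticate block; grep sites-enabled/ and policy.d/ for `ldap`, `LDAP-Group`, `LDAP-UserDn` and `Auth-Type LDAP` before merging, since any of those survives this hunk as a dangling reference and fails `radiusd -XC`. For the record, the deleted default had `ldap_debug = 0x0028` active rather than the documented default of 0x0000 (filter and connection debugging on); dropping that noisy output is a side effect worth a line in the commit message.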

View file

@ -1,25 +0,0 @@
# -*- text -*-
#
# $Id: a4ead1d64e8220344b483718ece4712bef5e9e36 $
######################################################################
#
# This next section is a sample configuration for the "passwd"
# module, that reads flat-text files.
#
# The file is in the format <mac>,<ip>
#
# 00:01:02:03:04:05,192.0.2.100
# 01:01:02:03:04:05,192.0.2.101
# 02:01:02:03:04:05,192.0.2.102
#
# This lets you perform simple static IP assignments from a flat-text
# file. You will have to define lease times yourself.
#
######################################################################
passwd mac2ip {
filename = ${modconfdir}/${.:name}/${.:instance}
format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
delimiter = ","
}
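Review bot: this instance reads its data from `${modconfdir}/${.:name}/${.:instance}`, i.e. a mods-config/passwd/mac2ip file; that file is not part of this hunk, so it becomes an orphan unless it is deleted elsewhere in the commit. Also confirm that no enabled site still calls `mac2ip` for its `DHCP-Client-Hardware-Address` to `DHCP-Your-IP-Address` mapping, or the call dangles.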

View file

@ -1,18 +0,0 @@
# -*- text -*-
#
# $Id: a1db803a71cddbb98daeeeda515cff2fc77ea318 $
# A simple file to map a MAC address to a VLAN.
#
# The file should be in the format MAC,VLAN
# the VLAN name cannot have spaces in it, for example:
#
# 00:01:02:03:04:05,VLAN1
# 03:04:05:06:07:08,VLAN2
# ...
#
passwd mac2vlan {
filename = ${modconfdir}/${.:name}/${.:instance}
format = "*VMPS-Mac:=VMPS-VLAN-Name"
delimiter = ","
}
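Review bot: same orphan problem as the mac2ip instance: the data file at `${modconfdir}/${.:name}/${.:instance}` (mods-config/passwd/mac2vlan) is not touched by this hunk. The `VMPS-Mac` to `VMPS-VLAN-Name` mapping is only meaningful to a VMPS listener, so check that no VMPS virtual server in sites-enabled/ still calls `mac2vlan`.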

View file

@ -1,57 +0,0 @@
# -*- text -*-
#
# $Id: 1b27b44b5a2d82e23d67c07ba19f0ef3293960d2 $
#
# Write Moonshot-*-TargetedId (MSTID) to the database.
#
# Schema raddb/mods-config/sql/moonshot-targeted-ids/<DB>/schema.sql
# Queries raddb/mods-config/sql/moonshot-targeted-ids/<DB>/queries.conf
#
sql moonshot_tid_sql {
# The dialect of SQL you want to use, this should usually match
# the driver below.
#
# If you're using rlm_sql_null, then it should be the type of
# database the logged queries are going to be executed against.
dialect = "sqlite"
# The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# There are MSTID queries available for:
# * rlm_sql_mysql
# * rlm_sql_postgresql
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
driver = "rlm_sql_${dialect}"
sqlite {
filename = ${radacctdir}/moonshot-targeted-ids.sqlite
bootstrap = ${modconfdir}/${..:name}/moonshot-targeted-ids/sqlite/schema.sql
}
# Write MSTID queries to a logfile. Useful for debugging.
# logfile = ${logdir}/moonshot-targeted-id-log.sql
pool {
start = 5
min = 4
max = 10
spare = 3
uses = 0
lifetime = 0
idle_timeout = 60
}
# If you adjust the table name here, you must also modify the table name in
# the moonshot_get_targeted_id.post-auth policy in policy.d/moonshot-targeted-ids
# and the schema.sql files in the mods-config/sql/moonshot-targeted-ids tree.
#
moonshot_tid_table = "moonshot_targeted_ids"
sql_user_name = "%{User-Name}"
$INCLUDE ${modconfdir}/${.:name}/moonshot-targeted-ids/${dialect}/queries.conf
}
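Review bot: the comment in this file says the table name is shared with the `moonshot_get_targeted_id.post-auth` policy in policy.d/moonshot-targeted-ids and with the schema under mods-config/sql/moonshot-targeted-ids; deleting only the mods-available file leaves that policy referencing `moonshot_tid_sql` and leaves the `$INCLUDE` target queries.conf on disk. Remove policy.d/moonshot-targeted-ids and the mods-config tree in the same commit, or say why they stay. The SQLite file at `${radacctdir}/moonshot-targeted-ids.sqlite`, if it was ever bootstrapped, also persists.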

View file

@ -1,26 +0,0 @@
# -*- text -*-
#
# $Id: 443d74dc08f19ddb59ea342f756c90066623e1c6 $
# This module is only used when the server is running on the same
# system as OpenDirectory. The configuration of the module is hard-coded
# by Apple, and cannot be changed here.
#
# There are no configuration entries for this module.
#
# The MS-CHAP module will automatically talk to OpenDirectory, if the
# server is built on an OSX machine. However, you must also set
# dsAttrTypeNative:apple-enabled-auth-mech attribute in the
# /config/dirserv OpenDirectory record. You will probably also need
# to change the user passwords in order to re-generate the
# appropriate hashes.
#
# Complete OSX configuration information is available on Apple's web site:
#
# https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf
#
# See also https://discussions.apple.com/thread/6053980?tstart=0
#
opendirectory {
}

View file

@ -1,75 +0,0 @@
#
# Configuration for the OTP module.
#
# This module allows you to use various handheld OTP tokens
# for authentication (Auth-Type := otp). These tokens are
# available from various vendors.
#
# It works in conjunction with otpd, which implements token
# management and OTP verification functions; and lsmd or gsmd,
# which implements synchronous state management functions.
# You must list this module in BOTH the authorize and authenticate
# sections in order to use it.
otp {
# otpd rendezvous point.
# (default: /var/run/otpd/socket)
#otpd_rp = /var/run/otpd/socket
# Text to use for the challenge.
# Default "Challenge: %{reply:OTP-Challenge}\n Response: "
challenge_prompt = "Challenge: %{reply:OTP-Challenge} \n Response: "
# Length of the challenge. Most tokens probably support a
# max of 8 digits. (range: 5-32 digits, default 6)
#challenge_length = 6
# Maximum time, in seconds, that a challenge is valid.
# (The user must respond to a challenge within this time.)
# It is also the minimal time between consecutive async mode
# authentications, a necessary restriction due to an inherent
# weakness of the RADIUS protocol which allows replay attacks.
# (default: 30)
#challenge_delay = 30
# Whether or not to allow asynchronous ("pure" challenge/
# response) mode authentication. Since sync mode is much more
# usable, and all reasonable tokens support it, the typical
# use of async mode is to allow re-sync of event based tokens.
# But because of the vulnerability of async mode with some tokens,
# you probably want to disable this and require that out-of-sync
# users re-sync from specifically secured terminals.
# See the otpd docs for more info.
# (default: no)
#allow_async = no
# Whether or not to allow synchronous mode authentication.
# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
# that if your OTP users can authenticate to multiple RADIUS
# servers, this must be "yes" for the primary/default server,
# and "no" for the others. This is because lsmd does not
# share state information across multiple servers. Using "yes"
# on all your RADIUS servers would allow replay attacks!
# Also, for event based tokens, the user will be out of sync
# on the "other" servers. In order to use "yes" on all your
# servers, you must either use gsmd, which synchronises state
# globally, or implement your own state synchronisation method.
# (default: yes)
#allow_sync = yes
# If both allow_async and allow_sync are "yes", a challenge is
# always presented to the user. This is incompatible with NAS
# that can't present or don't handle Access-Challenge's, e.g.
# PPTP servers. Even though a challenge is presented, the user
# can still enter their synchronous passcode.
# The following are MPPE settings. Note that MS-CHAP (v1) is
# strongly discouraged. All possible values are listed as
# {value = meaning}. Default values are first.
#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
#mschap_mppe_bits = {2 = 128}
}
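Review bot: this module is selected by `Auth-Type := otp`, and the file states it must appear in both authorize and authenticate; grep the users file, policy.d/ and sites-enabled/ for `otp` before removing it, since an `Auth-Type otp` block with no module behind it fails at startup. For the record, the deleted default kept the settings the comments tie to replay resistance (`allow_async = no`, `challenge_delay = 30`, `allow_sync = yes`); nothing is weakened by the deletion as long as no otpd deployment depends on this instance.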

View file

@ -1,26 +0,0 @@
# -*- text -*-
#
# $Id: f4a91a948637bb2f42f613ed9faa6f9ae9ae6099 $
# Pluggable Authentication Modules
#
# For Linux, see:
# http://www.kernel.org/pub/linux/libs/pam/index.html
#
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
#
pam {
#
# The name to use for PAM authentication.
# PAM looks in /etc/pam.d/${pam_auth_name}
# for it's configuration. See 'redhat/radiusd-pam'
# for a sample PAM configuration file.
#
# Note that any Pam-Auth attribute set in the 'authorize'
# section will over-ride this one.
#
pam_auth = radiusd
}
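Review bot: the comment `PAM looks in /etc/pam.d/${pam_auth_name}` names a variable that does not match the actual item `pam_auth = radiusd` (and "it's configuration" should be "its"); both are moot once the file is gone, and the file's own WARNING about memory leaks in system PAM libraries supports removing it. Check that packaging does not still install the `redhat/radiusd-pam` sample, which only makes sense alongside this module.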

View file

@ -1,94 +0,0 @@
# -*- text -*-
#
# $Id: fa04cdabb71767050aaa0664da792fd6086adb19 $
# Persistent, embedded Perl interpreter.
#
perl {
#
# The Perl script to execute on authorize, authenticate,
# accounting, xlat, etc. This is very similar to using
# 'rlm_exec' module, but it is persistent, and therefore
# faster.
#
filename = ${modconfdir}/${.:instance}/example.pl
#
# Options which are passed to the Perl interpreter.
# These are (mostly) the same options as are passed
# to the "perl" command line.
#
# The most useful flag is "-T". This sets tainting on. And
# as of 3.0.18, makes it impossible to leverage bad
# User-Names into local command execution.
#
perl_flags = "-T"
#
# The following hashes are given to the module and
# filled with value-pairs (Attribute names and values)
#
# %RAD_CHECK Check items
# %RAD_REQUEST Attributes from the request
# %RAD_REPLY Attributes for the reply
# %RAD_REQUEST_PROXY Attributes from the proxied request
# %RAD_REQUEST_PROXY_REPLY Attributes from the proxy reply
#
# The interface between FreeRADIUS and Perl is strings.
# That is, attributes of type "octets" are converted to
# printable strings, such as "0xabcdef". If you want to
# access the binary values of the attributes, you should
# call the Perl "pack" function. Then to send any binary
# data back to FreeRADIUS, call the Perl "unpack" function,
# so that the contents of the hashes are printable strings.
#
# IP addresses are sent as strings, e.g. "192.0.2.25", and
# not as a 4-byte binary value. The same applies to other
# attribute data types.
#
# Attributes of type "string" are copied to Perl as-is.
# They are not escaped or interpreted.
#
# The return codes from functions in the perl_script
# are passed directly back to the server. These
# codes are defined in mods-config/example.pl
#
# You can define configuration items (and nested sub-sections) in perl "config" section.
# These items will be accessible in the perl script through %RAD_PERLCONF hash.
# For instance: $RAD_PERLCONF{'name'} $RAD_PERLCONF{'sub-config'}->{'name'}
#
#config {
# name = "value"
# sub-config {
# name = "value of name from config.sub-config"
# }
#}
#
# List of functions in the module to call.
# Uncomment and change if you want to use function
# names other than the defaults.
#
#func_authenticate = authenticate
#func_authorize = authorize
#func_preacct = preacct
#func_accounting = accounting
#func_checksimul = checksimul
#func_pre_proxy = pre_proxy
#func_post_proxy = post_proxy
#func_post_auth = post_auth
#func_recv_coa = recv_coa
#func_send_coa = send_coa
#func_xlat = xlat
#func_detach = detach
#
# Uncomment the following lines if you wish
# to use separate functions for Start and Stop
# accounting packets. In that case, the
# func_accounting function is not called.
#
#func_start_accounting = accounting_start
#func_stop_accounting = accounting_stop
}
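Review bot: `filename = ${modconfdir}/${.:instance}/example.pl` points at a script under mods-config; if `mods-config/perl/example.pl` is not among the deleted files it becomes an orphan, so remove it in the same commit or state why it stays. The `perl_flags = "-T"` line is the one security-relevant default here (taint mode, which the comment ties to stopping bad User-Names from reaching local command execution as of 3.0.18); if the module is ever restored, it should come back with that flag intact.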

View file

@ -1,65 +0,0 @@
#
# Make sure the PYTHONPATH environmental variable contains the
# directory(s) for the modules listed below.
#
# Uncomment any func_* which are included in your module. If
# rlm_python is called for a section which does not have
# a function defined, it will return NOOP.
#
python {
# Path to the python modules
#
# Note that due to limitations on Python, this configuration
# item is GLOBAL TO THE SERVER. That is, you cannot have two
# instances of the python module, each with a different path.
#
# python_path="${modconfdir}/${.:name}:/path/to/python/files:/another_path/to/python_files/"
module = example
# Pass all VPS lists as a 6-tuple to the callbacks
# (request, reply, config, state, proxy_req, proxy_reply)
# pass_all_vps = no
# Pass all VPS lists as a dictionary to the callbacks
# Keys: "request", "reply", "config", "session-state", "proxy-request",
# "proxy-reply"
# This option prevales over "pass_all_vps"
# pass_all_vps_dict = no
# mod_instantiate = ${.module}
# func_instantiate = instantiate
# mod_detach = ${.module}
# func_detach = detach
# mod_authorize = ${.module}
# func_authorize = authorize
# mod_authenticate = ${.module}
# func_authenticate = authenticate
# mod_preacct = ${.module}
# func_preacct = preacct
# mod_accounting = ${.module}
# func_accounting = accounting
# mod_checksimul = ${.module}
# func_checksimul = checksimul
# mod_pre_proxy = ${.module}
# func_pre_proxy = pre_proxy
# mod_post_proxy = ${.module}
# func_post_proxy = post_proxy
# mod_post_auth = ${.module}
# func_post_auth = post_auth
# mod_recv_coa = ${.module}
# func_recv_coa = recv_coa
# mod_send_coa = ${.module}
# func_send_coa = send_coa
}
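Review bot: same orphan check as for perl: `module = example` resolves to a script found via `python_path` (the commented default is `${modconfdir}/${.:name}`), so confirm `mods-config/python/example.py` leaves with this file. The comment "This option prevales over "pass_all_vps"" should read "prevails", moot after deletion.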

View file

@ -1,65 +0,0 @@
#
# Make sure the PYTHONPATH environmental variable contains the
# directory(s) for the modules listed below.
#
# Uncomment any func_* which are included in your module. If
# rlm_python is called for a section which does not have
# a function defined, it will return NOOP.
#
python3 {
# Path to the python modules
#
# Note that due to limitations on Python, this configuration
# item is GLOBAL TO THE SERVER. That is, you cannot have two
# instances of the python module, each with a different path.
#
# python_path="${modconfdir}/${.:name}:/another_path/to/python_files"
module = example
# Pass all VPS lists as a 6-tuple to the callbacks
# (request, reply, config, state, proxy_req, proxy_reply)
# pass_all_vps = no
# Pass all VPS lists as a dictionary to the callbacks
# Keys: "request", "reply", "config", "session-state", "proxy-request",
# "proxy-reply"
# This option prevales over "pass_all_vps"
# pass_all_vps_dict = no
# mod_instantiate = ${.module}
# func_instantiate = instantiate
# mod_detach = ${.module}
# func_detach = detach
# mod_authorize = ${.module}
# func_authorize = authorize
# mod_authenticate = ${.module}
# func_authenticate = authenticate
# mod_preacct = ${.module}
# func_preacct = preacct
# mod_accounting = ${.module}
# func_accounting = accounting
# mod_checksimul = ${.module}
# func_checksimul = checksimul
# mod_pre_proxy = ${.module}
# func_pre_proxy = pre_proxy
# mod_post_proxy = ${.module}
# func_post_proxy = post_proxy
# mod_post_auth = ${.module}
# func_post_auth = post_auth
# mod_recv_coa = ${.module}
# func_recv_coa = recv_coa
# mod_send_coa = ${.module}
# func_send_coa = send_coa
}

View file

@ -1,99 +0,0 @@
# -*- text -*-
#
# $Id: 64789f58a7f937b7b9f4c7ff783153fb5194ba25 $
#
# Configuration file for the "redis" module. This module does nothing
# Other than provide connections to a redis database, and a %{redis: ...}
# expansion.
#
redis {
# Host where the redis server is located.
# We recommend using ONLY 127.0.0.1 !
server = 127.0.0.1
# Select the Redis logical database having the specified zero-based numeric index.
# database = 0
# The default port.
port = 6379
# The password used to authenticate to the server.
# We recommend using a strong password.
# password = thisisreallysecretandhardtoguess
# Set connection and query timeout for rlm_redis
query_timeout = 5
#
# Information for the connection pool. The configuration items
# below are the same for all modules which use the new
# connection pool.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# web service being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 86400
# The pool is checked for free connections every
# "cleanup_interval". If there are free connections,
# then one of them is closed.
cleanup_interval = 300
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 600
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
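Review bot: `password` is commented out while `server = 127.0.0.1` and `port = 6379` are live, so the sample connects unauthenticated and relies entirely on the "We recommend using ONLY 127.0.0.1 !" advice for isolation; and the pool comment "Set to 0 to allow the server to start without the web service being available" was copied from the rest module (this is a redis pool, not a web service). Both are moot for a deletion but worth fixing if the file is ever restored from history.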

View file

@ -1,52 +0,0 @@
# -*- text -*-
#
# $Id: d303550fa48460f9583c051795ad7f179fcbd36b $
#
# Configuration file for the "rediswho" module.
#
# This module tracks the last set of login sessions for a user.
#
rediswho {
# REDIS instance to use (from mods-available/redis)
#
# If you have multiple redis instances, such as "redis redis1 {...}",
# use the *instance* name here: redis1.
# redis_module_instance = redis
# How many sessions to keep track of per user.
# If there are more than this number, older sessions are deleted.
trim_count = 15
# Expiry time in seconds. Any sessions which have not received
# an update in this time will be automatically expired.
expire_time = 86400
#
# Each subsection contains insert / trim / expire queries.
# The subsections are named after the contents of the
# Acct-Status-Type attribute. See dictionary.rfc2866 for names
# of the various Acct-Status-Type values, or look at the output
# of debug mode.
#
# This module supports *any* Acct-Status-Type. Just add a subsection
# of the appropriate name, along with insert / trim / expire queries.
#
Start {
insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
trim = "LTRIM %{User-Name} 0 ${..trim_count}"
expire = "EXPIRE %{User-Name} ${..expire_time}"
}
Interim-Update {
insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
trim = "LTRIM %{User-Name} 0 ${..trim_count}"
expire = "EXPIRE %{User-Name} ${..expire_time}"
}
Stop {
insert = "LPUSH %{User-Name} %l,%{Acct-Session-Id},%{NAS-IP-Address},%{Acct-Session-Time},%{Framed-IP-Address},%{%{Acct-Input-Gigawords}:-0},%{%{Acct-Output-Gigawords}:-0},%{%{Acct-Input-Octets}:-0},%{%{Acct-Output-Octets}:-0}"
trim = "LTRIM %{User-Name} 0 ${..trim_count}"
expire = "EXPIRE %{User-Name} ${..expire_time}"
}
}
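Review bot: rediswho depends on the redis instance removed in the hunk above (`# redis_module_instance = redis`), so the two deletions have to land together, as they do here. For the record, the three `insert` queries for Start, Interim-Update and Stop are identical, and `trim = "LTRIM %{User-Name} 0 ${..trim_count}"` keeps one more entry than the comment "How many sessions to keep track of per user" implies, because LTRIM's stop index is inclusive: `trim_count = 15` retains 16 sessions.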

View file

@ -1,290 +0,0 @@
rest {
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to a HTTPS
# server.
#
tls {
# Certificate Authorities:
# "ca_file" (libcurl option CURLOPT_ISSUERCERT).
# File containing a single CA, which is the issuer of the server
# certificate.
# "ca_info_file" (libcurl option CURLOPT_CAINFO).
# File containing a bundle of certificates, which allow to handle
# certificate chain validation.
# "ca_path" (libcurl option CURLOPT_CAPATH).
# Directory holding CA certificates to verify the peer with.
# ca_file = ${certdir}/cacert.pem
# ca_info_file = ${certdir}/cacert_bundle.pem
# ca_path = ${certdir}
# certificate_file = /path/to/radius.crt
# private_key_file = /path/to/radius.key
# private_key_password = "supersecret"
# random_file = /dev/urandom
# Server certificate verification requirements. Can be:
# "no" (don't even bother trying)
# "yes" (verify the cert was issued by one of the
# trusted CAs)
#
# The default is "yes"
# check_cert = yes
# Server certificate CN verification requirements. Can be:
# "no" (don't even bother trying)
# "yes" (verify the CN in the certificate matches the host
# in the URI)
#
# The default is "yes"
# check_cert_cn = yes
}
# rlm_rest will open a connection to the server specified in connect_uri
# to populate the connection cache, ready for the first request.
# The server will not start if the server specified is unreachable.
#
# If you wish to disable this pre-caching and reachability check,
# comment out the configuration item below.
connect_uri = "http://127.0.0.1/"
#
# How long before new connection attempts timeout, defaults to 4.0 seconds.
#
# connect_timeout = 4.0
#
# Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto',
# '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
#
# http_negotiation = 1.1
#
# The following config items can be used in each of the sections.
# The sections themselves reflect the sections in the server.
# For example if you list rest in the authorize section of a virtual server,
# the settings from the authorize section here will be used.
#
# The following config items may be listed in any of the sections:
# uri - to send the request to.
# method - HTTP method to use, one of 'get', 'post', 'put', 'patch',
# 'delete' or any custom HTTP method.
# body - The format of the HTTP body sent to the remote server.
# May be 'none', 'post' or 'json', defaults to 'none'.
# attr_num - If true, the attribute number is supplied for each attribute.
# Defaults to false.
# raw_value - If true, enumerated attribute values are provided as numeric
# values. Defaults to false.
# data - Send custom freeform data in the HTTP body. Content-type
# may be specified with 'body'. Will be expanded.
# Values from expansion will not be escaped, this should be
# done using the appropriate xlat method e.g. %{urlencode:<attr>}.
# force_to - Force the response to be decoded with this decoder.
# May be 'plain' (creates reply:REST-HTTP-Body), 'post'
# or 'json'.
# tls - TLS settings for HTTPS.
# auth - HTTP auth method to use, one of 'none', 'srp', 'basic',
# 'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
# 'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
# username - User to authenticate as, will be expanded.
# password - Password to use for authentication, will be expanded.
# require_auth - Require HTTP authentication.
# timeout - HTTP request timeout in seconds, defaults to 4.0.
# chunk - Chunk size to use. If set, HTTP chunked encoding is used to
# send data to the REST server. Make sure that this is large
# enough to fit your largest attribute value's text
#  representation.
# A number like 8192 is good.
#
# Additional HTTP headers may be specified with control:REST-HTTP-Header.
# The values of those attributes should be in the format:
#
# control:REST-HTTP-Header := "<HTTP attribute>: <value>"
#
# The control:REST-HTTP-Header attributes will be consumed
# (i.e. deleted) after each call to the rest module, and each
# %{rest:} expansion. This is so that headers from one REST
# call do not affect headers from a different REST call.
#
# Body encodings are the same for requests and responses
#
# POST - All attributes and values are urlencoded
# [outer.][<list>:]<attribute0>=<value0>&[outer.][<list>:]<attributeN>=<valueN>
#
# JSON - All attributes and values are escaped according to the JSON specification
# - attribute Name of the attribute.
# - attr_num Number of the attribute. Only available if the configuration item
# 'attr_num' is enabled.
# - type Type of the attribute (e.g. "integer", "string", "ipaddr", "octets", ...).
# - value Attribute value, for enumerated attributes the human readable value is
# provided and not the numeric value (Depends on the 'raw_value' config item).
# {
# "<attribute0>":{
# "attr_num":<attr_num0>,
# "type":"<type0>",
# "value":[<value0>,<value1>,<valueN>]
# },
# "<attribute1>":{
# "attr_num":<attr_num1>,
# "type":"<type1>",
# "value":[...]
# },
# "<attributeN>":{
# "attr_num":<attr_numN>,
# "type":"<typeN>",
# "value":[...]
# },
# }
#
# The response format adds three optional fields:
# - do_xlat If true, any values will be xlat expanded. Defaults to true.
# - is_json If true, any nested JSON data will be copied to the attribute
# in string form. Defaults to true.
# - op Controls how the attribute is inserted into the target list.
# Defaults to ':='. To create multiple attributes from multiple
# values, this should be set to '+=', otherwise only the last
# value will be used, and it will be assigned to a single
# attribute.
# {
# "<attribute0>":{
# "is_json":<bool>,
# "do_xlat":<bool>,
# "op":"<operator>",
# "value":[<value0>,<value1>,<valueN>]
# },
# "<attribute1>":"value",
# "<attributeN>":{
# "value":[<value0>,<value1>,<valueN>],
# "op":"+="
# }
# }
#
# Module return codes are determined by HTTP response codes. These vary depending on the
# section.
#
# If the body is processed and found to be malformed or unsupported fail will be returned.
# If the body is processed and found to contain attribute updated will be returned,
# except in the case of a 401 code.
#
# Authorize/Authenticate
#
# Code Meaning Process body Module code
# 404 not found no notfound
# 410 gone no notfound
# 403 forbidden no userlock
# 401 unauthorized yes reject
# 204 no content no ok
# 2xx successful yes ok/updated
# 5xx server error no fail
# xxx - no invalid
#
# The status code is held in %{reply:REST-HTTP-Status-Code}.
#
authorize {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize"
method = 'get'
tls = ${..tls}
}
authenticate {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate"
method = 'get'
tls = ${..tls}
}
# Preacct/Accounting/Post-auth/Pre-Proxy/Post-Proxy
#
# Code Meaning Process body Module code
# 204 no content no ok
# 2xx successful yes ok/updated
# 5xx server error no fail
# xxx - no invalid
preacct {
uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=preacct"
method = 'post'
tls = ${..tls}
}
accounting {
uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=accounting"
method = 'post'
tls = ${..tls}
}
post-auth {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
method = 'post'
tls = ${..tls}
}
pre-proxy {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=pre-proxy"
method = 'post'
tls = ${..tls}
}
post-proxy {
uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-proxy"
method = 'post'
tls = ${..tls}
}
#
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# web service being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
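Review bot: each `uri` joins `${..connect_uri}`, which ends in `/` (`connect_uri = "http://127.0.0.1/"`), with a path starting `/user/`, producing `http://127.0.0.1//user/...`; and the default connect_uri is plain http even though every section sets `tls = ${..tls}`, so User-Name and Called-Station-ID travel in clear and the `check_cert` / `check_cert_cn` defaults never apply until the scheme is changed to https. Moot for a deletion, but the `connect_uri` comment also states the server will not start if that host is unreachable, which is itself a reason an unused rest config should not stay enabled.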

View file

@ -1,16 +0,0 @@
# -*- text -*-
#
# $Id: d5ad2a06c767f07722dc9b9c4b13d00c26b5a280 $
# An example configuration for using /etc/smbpasswd.
#
# See the "passwd" file for documentation on the configuration items
# for this module.
#
passwd smbpasswd {
filename = /etc/smbpasswd
format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
hash_size = 100
ignore_nislike = no
allow_multiple_keys = no
}
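Review bot: the `format` line maps `LM-Password` as well as `NT-Password`, so this config would import LM hashes into the request; removing it is a net positive. The header refers readers to the "passwd" file for the item documentation, so keep mods-available/passwd if the generic passwd module remains in use.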

View file

@ -1,94 +0,0 @@
# -*- text -*-
#
# $Id: 3be32b85f56a84725fe1a6bf508e459dbe6c4e02 $
# SMS One-time Password system.
#
# This module will extend FreeRadius with a socks interface to create and
# validate One-Time-Passwords. The program for that creates the socket
# and interacts with this module is not included here.
#
# The module does not check the User-Password, this should be done with
# the "pap" module. See the example below.
#
# The module must be used in the "authorize" section to set
# Auth-Type properly. The first time through, the module is called
# in the "authenticate" section to authenticate the user password, and
# to send the challenge. The second time through, it authenticates
# the response to the challenge. e.g.:
#
# authorize {
# ...
# smsotp
# ...
# }
#
# authenticate {
# ...
# Auth-Type smsotp {
# pap
# smsotp
# }
#
# Auth-Type smsotp-reply {
# smsotp
# }
# ...
# }
#
smsotp {
# The location of the socket.
socket = "/var/run/smsotp_socket"
# Defines the challenge message that will be send to the
# NAS. Default is "Enter Mobile PIN" }
challenge_message = "Enter Mobile PIN:"
# Defines the Auth-Type section that is run for the response to
# the challenge. Default is "smsotp-reply".
challenge_type = "smsotp-reply"
# Control how many sockets are used to talk to the SMSOTPd
#
pool {
# Number of connections to start
start = 5
# Minimum number of connections to keep open
min = 4
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
max = 10
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set.
spare = 3
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
lifetime = 0
# idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
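Review bot: the header states "The program for that creates the socket and interacts with this module is not included here", so with no daemon in tree `socket = "/var/run/smsotp_socket"` can never be served and the module is dead weight, which justifies the deletion. Two comment defects for anyone restoring it: "socks interface" should read "socket interface", and `Default is "Enter Mobile PIN" }` carries a stray `}`.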

View file

@ -1,12 +0,0 @@
# -*- text -*-
#
# $Id: 3a96622cc938f558b023e1110769a46861716a12 $
#
# The "sometimes" module is here for debugging purposes. Each instance
# randomly returns the configured result, or "noop".
#
# It is based on the "always" module.
sometimes {
rcode = fail
}
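Review bot: `rcode = fail` returned at random alongside "noop" is a debugging aid by its own header, so dropping it from a production tree is right; just confirm no sites-enabled or policy.d file still lists `sometimes`.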

View file

@ -1,366 +0,0 @@
# -*- text -*-
##
## mods-available/sql -- SQL modules
##
## $Id: cfeac63ea87c30fead8457af6d10f5c3a0f48aef $
######################################################################
#
# Configuration for the SQL module
#
# The database schemas and queries are located in subdirectories:
#
# sql/<DB>/main/schema.sql Schema
# sql/<DB>/main/queries.conf Authorisation and Accounting queries
#
# Where "DB" is mysql, mssql, oracle, or postgresql.
#
# The name used to query SQL is sql_user_name, which is set in the file
#
# raddb/mods-config/sql/main/${dialect}/queries.conf
#
# If you are using realms, that configuration should be changed to use
# the Stripped-User-Name attribute. See the comments around sql_user_name
# for more information.
#
sql {
#
# The dialect of SQL being used.
#
# Allowed dialects are:
#
# mssql
# mysql
# oracle
# postgresql
# sqlite
# mongo
#
dialect = "sqlite"
#
# The driver module used to execute the queries. Since we
# don't know which SQL drivers are being used, the default is
# "rlm_sql_null", which just logs the queries to disk via the
# "logfile" directive, below.
#
# In order to talk to a real database, delete the next line,
# and uncomment the one after it.
#
# If the dialect is "mssql", then the driver should be set to
# one of the following values, depending on your system:
#
# rlm_sql_db2
# rlm_sql_firebird
# rlm_sql_freetds
# rlm_sql_iodbc
# rlm_sql_unixodbc
#
driver = "rlm_sql_null"
# driver = "rlm_sql_${dialect}"
#
# Driver-specific subsections. They will only be loaded and
# used if "driver" is something other than "rlm_sql_null".
# When a real driver is used, the relevant driver
# configuration section is loaded, and all other driver
# configuration sections are ignored.
#
sqlite {
# Path to the sqlite database
filename = "/tmp/freeradius.db"
# How long to wait for write locks on the database to be
# released (in ms) before giving up.
busy_timeout = 200
# If the file above does not exist and bootstrap is set
# a new database file will be created, and the SQL statements
# contained within the bootstrap file will be executed.
bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
}
mysql {
# If any of the files below are set, TLS encryption is enabled
tls {
ca_file = "/etc/ssl/certs/my_ca.crt"
ca_path = "/etc/ssl/certs/"
certificate_file = "/etc/ssl/certs/private/client.crt"
private_key_file = "/etc/ssl/certs/private/client.key"
cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
tls_required = yes
tls_check_cert = no
tls_check_cert_cn = no
}
# If yes, (or auto and libmysqlclient reports warnings are
# available), will retrieve and log additional warnings from
# the server if an error has occured. Defaults to 'auto'
warnings = auto
}
postgresql {
# unlike MySQL, which has a tls{} connection configuration, postgresql
# uses its connection parameters - see the radius_db option below in
# this file
# Send application_name to the postgres server
# Only supported in PG 9.0 and greater. Defaults to no.
send_application_name = yes
}
#
# Configuration for Mongo.
#
# Note that the Mongo driver is experimental. The FreeRADIUS developers
# are unable to help with the syntax of the Mongo queries. Please see
# the Mongo documentation for that syntax.
#
# The Mongo driver supports only the following methods:
#
# aggregate
# findAndModify
# findOne
# insert
#
# For examples, see the query files:
#
# raddb/mods-config/sql/main/mongo/queries.conf
# raddb/mods-config/sql/main/ippool/queries.conf
#
# In order to use findAndModify with an aggretation pipleline, make
# sure that you are running MongoDB version 4.2 or greater. FreeRADIUS
# assumes that the paramaters passed to the methods are supported by the
# version of MongoDB which it is connected to.
#
mongo {
#
# The application name to use.
#
appname = "freeradius"
#
# The TLS parameters here map directly to the Mongo TLS configuration
#
tls {
certificate_file = /path/to/file
certificate_password = "password"
ca_file = /path/to/file
ca_dir = /path/to/directory
crl_file = /path/to/file
weak_cert_validation = false
allow_invalid_hostname = false
}
}
# Connection info:
#
# server = "localhost"
# port = 3306
# login = "radius"
# password = "radpass"
# Connection info for Mongo
# Authentication Without SSL
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=false"
# Authentication With SSL
# server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=true"
# Authentication with Certificate
# Use this command for retrieve Derived username:
# openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253
# server = mongodb://<DERIVED USERNAME>@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509
# Database table configuration for everything except Oracle
radius_db = "radius"
# If you are using Oracle then use this instead
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
# If you're using postgresql this can also be used instead of the connection info parameters
# radius_db = "dbname=radius host=localhost user=radius password=raddpass"
# Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
# use SSL connections then use this form of connection info parameter
# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"
# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"
# Allow for storing data after authentication
postauth_table = "radpostauth"
# Tables containing 'check' items
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
# Tables containing 'reply' items
authreply_table = "radreply"
groupreply_table = "radgroupreply"
# Table to keep group info
usergroup_table = "radusergroup"
# If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
# If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
# read_groups = yes
# If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
# If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
# read_profiles = yes
# Remove stale session if checkrad does not see a double login
delete_stale_sessions = yes
# Write SQL queries to a logfile. This is potentially useful for tracing
# issues with authorization queries. See also "logfile" directives in
# mods-config/sql/main/*/queries.conf. You can enable per-section logging
# by enabling "logfile" there, or global logging by enabling "logfile" here.
#
# Per-section logging can be disabled by setting "logfile = ''"
# logfile = ${logdir}/sqllog.sql
# Set the maximum query duration and connection timeout
# for rlm_sql_mysql.
# query_timeout = 5
# As of version 3.0, the "pool" section has replaced the
# following configuration items:
#
# num_sql_socks
# connect_failure_retry_delay
# lifetime
# max_queries
#
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
# When the server is not threaded, the connection pool
# limits are ignored, and only one connection is used.
#
# If you want to have multiple SQL modules re-use the same
# connection pool, use "pool = name" instead of a "pool"
# section. e.g.
#
# sql sql1 {
# ...
# pool {
# ...
# }
# }
#
# # sql2 will use the connection pool from sql1
# sql sql2 {
# ...
# pool = sql1
# }
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# database being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.
#
# A client can be link to a virtual server via the SQL
# module. This link is done via the following process:
#
# If there is no listener in a virtual server, SQL clients
# are added to the global list for that virtual server.
#
# If there is a listener, and the first listener does not
# have a "clients=..." configuration item, SQL clients are
# added to the global list.
#
# If there is a listener, and the first one does have a
# "clients=..." configuration item, SQL clients are added to
# that list. The client { ...} ` configured in that list are
# also added for that listener.
#
# The only issue is if you have multiple listeners in a
# virtual server, each with a different client list, then
# the SQL clients are added only to the first listener.
#
# read_clients = yes
# Table to keep radius client info
client_table = "nas"
#
# The group attribute specific to this instance of rlm_sql
#
# This entry should be used for additional instances (sql foo {})
# of the SQL module.
# group_attribute = "${.:instance}-SQL-Group"
# This entry should be used for the default instance (sql {})
# of the SQL module.
group_attribute = "SQL-Group"
# Read database-specific queries
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
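Review bot: This hunk deletes the `sql` instance that the other removed modules in this commit still name as their backend (`sql_module_instance = sql` and `dialect = ${modules.sql.dialect}` in the sqlcounter block, `sql_module_instance = "sql"` in sql_map and sqlippool), so the removal is only consistent because all of them go together; what the hunk cannot show is whether any `sites-enabled/` virtual server still lists `sql` unconditionally in authorize, accounting or post-auth, which would stop the server from starting, so the commit message should record that a `radiusd -XC` config check passes after the change. Note that `# read_clients = yes` is commented out, so the `client_table = "nas"` path for loading RADIUS clients from the database was not active and no client definitions are lost here.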

View file

@ -1,49 +0,0 @@
# Configuration for the SQL based Map (rlm_sql_map)
sql_map {
# SQL instance to use (from mods-available/sql)
#
# If you have multiple sql instances, such as "sql sql1 {...}",
# use the *instance* name here: sql1.
sql_module_instance = "sql"
# This is duplicative of info available in the SQL module, but
# we have to list it here as we do not yet support nested
# reference expansions.
dialect = "mysql"
# Name of the check item attribute to be used as a key in the SQL queries
query = "SELECT ... FROM ... "
#
# Mapping of SQL columns to RADIUS dictionary attributes.
#
# WARNING: Although this format is almost identical to the unlang
# update section format, it does *NOT* mean that you can use other
# unlang constructs in module configuration files.
#
# Configuration items are in the format:
# <radius attr> <op> <sql column number>
#
# Where:
# <radius attr>: Is the destination RADIUS attribute
# with any valid list and request qualifiers.
# <op>: Is any assignment attribute (=, :=, +=, -=).
# <column num>: The column number (not name), starting from 0
#
# Request and list qualifiers may also be placed after the 'update'
# section name to set defaults destination requests/lists
# for unqualified RADIUS attributes.
#
update {
control:Password-With-Header += 0
# control:NT-Password := 1
# reply:Reply-Message := 2
# reply:Tunnel-Type := 3
# reply:Tunnel-Medium-Type := 4
# reply:Tunnel-Private-Group-ID := 5
}
# If the 'query' results in multiple rows, it creates the <radius attr>[*] array entry.
# multiple_rows = yes
}
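Review bot: The removed `sql_map` block is still the unconfigured template (`query = "SELECT ... FROM ... "`, `dialect = "mysql"` hard-coded rather than taken from the sql module, and only `control:Password-With-Header += 0` uncommented in `update`), so no live column mapping is being lost; the only thing to confirm is that no `sites-enabled/` file calls `sql_map`, since a module that is named but no longer present fails startup.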

View file

@ -1,115 +0,0 @@
# Rather than maintaining separate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# The sql-module-instance' parameter holds the instance of the sql
# module to use when querying the SQL database. Normally it
# is just "sql". If you define more and one SQL module
# instance (usually for failover situations), you can
# specify which module has access to the Accounting Data
# (radacct table).
#
# The 'reset' parameter defines when the counters are all
# reset to zero. It can be hourly, daily, weekly, monthly or
# never. It can also be user defined. It should be of the
# form:
# num[hdwm] where:
# h: hours, d: days, w: weeks, m: months
# If the letter is ommited days will be assumed. In example:
# reset = 10h (reset every 10 hours)
# reset = 12 (reset every 12 days)
#
# The 'key' parameter specifies the unique identifier for the
# counter records (usually 'User-Name').
#
# The 'query' parameter specifies the SQL query used to get
# the current Counter value from the database. There are 2
# parameters that can be used in the query:
# %%b unix time value of beginning of reset period
# %%e unix time value of end of reset period
#
# The 'check_name' parameter is the name of the 'check'
# attribute to use to access the counter in the 'users' file
# or SQL radcheck or radgroupcheck tables.
#
# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
# Reply-Message = "You've used up more than one hour today"
#
# The "dailycounter" (or any other sqlcounter module) should be added
# to "post-auth" section. It will then update the Session-Timeout
# attribute in the reply. If there is no Session-Timeout attribute,
# the module will add one. If there is an attribute, the sqlcounter
# module will make sure that the value is no higher than the limit.
#
sqlcounter dailycounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Daily-Session-Time
check_name = Max-Daily-Session
reply_name = Session-Timeout
key = User-Name
reset = daily
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
sqlcounter weeklycounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Weekly-Session-Time
check_name = Max-Weekly-Session
reply_name = Session-Timeout
key = User-Name
reset = weekly
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
sqlcounter monthlycounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Monthly-Session-Time
check_name = Max-Monthly-Session
reply_name = Session-Timeout
key = User-Name
reset = monthly
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
sqlcounter noresetcounter {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Max-All-Session-Time
check_name = Max-All-Session
key = User-Name
reset = never
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
#
# Set an account to expire T seconds after first login.
# Requires the Expire-After attribute to be set, in seconds.
# You may need to edit raddb/dictionary to add the Expire-After
# attribute.
sqlcounter expire_on_login {
sql_module_instance = sql
dialect = ${modules.sql.dialect}
counter_name = Expire-After-Initial-Login
check_name = Expire-After
key = User-Name
reset = never
$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
}
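Review bot: These five instances are what gave the `Max-Daily-Session`, `Max-Weekly-Session`, `Max-Monthly-Session`, `Max-All-Session` and `Expire-After` check items a counter to compare against and capped `Session-Timeout` in post-auth, so any `users`, radcheck or radgroupcheck entries that still carry those check items will no longer enforce the intended time limit once the module is gone; "unused" should be backed by a grep for those attribute names in the check data and for `dailycounter`, `weeklycounter`, `monthlycounter`, `noresetcounter` and `expire_on_login` in `sites-enabled/`. The per-dialect query files pulled in by `$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf` become orphaned and should be dropped in the same commit if nothing else includes them.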

View file

@ -1,115 +0,0 @@
# Configuration for the SQL based IP Pool module (rlm_sqlippool)
#
# The database schemas are available at:
#
# raddb/mods-config/sql/ippool/<DB>/schema.sql
#
# $Id: 3d98ca9e0fca4f8df2657d53a15a2c52756b45e1 $
sqlippool {
# SQL instance to use (from mods-available/sql)
#
# If you have multiple sql instances, such as "sql sql1 {...}",
# use the *instance* name here: sql1.
sql_module_instance = "sql"
# This is duplicative of info available in the SQL module, but
# we have to list it here as we do not yet support nested
# reference expansions.
dialect = "mysql"
# Name of the check item attribute to be used as a key in the SQL queries
pool_name = "Pool-Name"
# SQL table to use for ippool range and lease info
ippool_table = "radippool"
# IP lease duration. (Leases expire even if Acct Stop packet is lost)
#
# Note that you SHOULD also set Session-Timeout to this value!
# That way the NAS will automatically kick the user offline when the
# lease expires.
#
lease_duration = 3600
#
# Timeout between each consecutive 'allocate_clear' queries (default: 1s)
# This will avoid having too many deadlock issues, especially on MySQL backend.
#
allocate_clear_timeout = 1
#
# As of 3.0.16, the 'ipv6 = yes' configuration is deprecated.
# You should use the "attribute_name" configuration item
# below, instead.
#
#
# The attribute to use for IP address assignment. The
# default is Framed-IP-Address. You can change this to any
# attribute which is IPv4 or IPv6.
#
# e.g. Framed-IPv6-Prefix, or Delegated-IPv6-Prefix.
#
# As of 3.0.16, all of the default queries have been updated to use
# this attribute_name. So you can do IPv6 address assignment simply
# by putting IPv6 addresses into the pool, and changing the following
# line to "Framed-IPv6-Prefix"
#
# Note that you MUST use separate pools for each attribute. i.e. one pool
# for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc.
#
# This means configuring separate "sqlippool" instances, and different
# "ippool_table" in SQL. Then, populate the pool with addresses and
# it will all just work.
#
attribute_name = Framed-IP-Address
#
# Assign the IP address, even if the above attribute already exists
# in the reply.
#
# allow_duplicates = no
# The attribute in which an IP address hint may be supplied
req_attribute_name = Framed-IP-Address
# Attribute which should be considered unique per NAS
#
# Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
# Using Calling-Station-Id works for NAS that send fixed NAS-Port
# ONLY change this if you know what you are doing!
pool_key = "%{NAS-Port}"
# pool_key = "%{Calling-Station-Id}"
################################################################
#
# WARNING: MySQL (MyISAM) has certain limitations that means it can
# hand out the same IP address to 2 different users.
#
# We suggest using an SQL DB with proper transaction
# support, such as PostgreSQL, or using MySQL
# with InnoDB.
#
################################################################
# These messages are added to the "control" items, as
# Module-Success-Message. They are not logged anywhere else,
# unlike previous versions. If you want to have them logged
# to a file, see the "linelog" module, and create an entry
# which writes Module-Success-Message message.
#
messages {
exists = "Existing IP: %{reply:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{request:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No ${..pool_name} defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
$INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf
}
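Review bot: Dropping `sqlippool` removes the only consumer of `lease_duration`, `pool_key` and the `radippool` table, so leases already recorded there will no longer be released or reallocated by the server, and a `sites-enabled/` file that still calls `sqlippool` in post-auth or accounting will fail startup on the missing module. The schema and queries the block pulls in via `$INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf` (under `mods-config/sql/ippool/`) become orphaned and belong in the same change.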

View file

@ -1,4 +0,0 @@
unbound dns {
# filename = "${raddbdir}/mods-config/unbound/default.conf"
# timeout = 3000
}
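Review bot: The instance here is named `dns` (`unbound dns {`), not `unbound`, so the check in `sites-enabled/` has to look for a `dns` call rather than the module name; the only other reference is the commented `# filename = "${raddbdir}/mods-config/unbound/default.conf"`, and if that file exists in the tree it is now orphaned and should be removed alongside.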

View file

@ -1,165 +0,0 @@
#
# The WiMAX module currently takes no configuration.
#
# ## Instructions for v1 and v2.0 WiMAX
#
# It should be listed in the "authorize" and "preacct" sections.
# This enables the module to fix the horrible binary version
# of Calling-Station-Id to the normal format, as specified in
# RFC 3580, Section 3.21.
#
# In order to calculate the various WiMAX keys, the module should
# be listed in the "post-auth" section. If EAP authentication
# has been used, AND the EAP method derives MSK and EMSK, then
# the various WiMAX keys can be calculated.
#
# Some useful things to remember:
#
# WiMAX-MSK = EAP MSK, but is 64 octets.
#
# MIP-RK-1 = HMAC-SHA256(ESMK, "miprk@wimaxforum.org" | 0x00020001)
# MIP-RK-2 = HMAC-SHA256(ESMK, MIP-RK-1 | "miprk@wimaxforum.org" | 0x00020002)
# MIP-RK = MIP-RK-1 | MIP-RK-2
#
# MIP-SPI = first 4 octets of HMAC-SHA256(MIP-RK, "SPI CMIP PMIP")
# plus some magic... you've got to track *all* MIP-SPI's
# on your system!
#
# SPI-CMIP4 = MIP-SPI
# SPI-PMIP4 = MIP-SPI + 1
# SPI-CMIP6 = MIP-SPI + 2
#
# MN-NAI is the Mobile node NAI. You have to create it, and put
# it into the request or reply as something like:
#
# WiMAX-MN-NAI = "%{User-Name}"
#
# You will also have to have the appropriate IP address (v4 or v6)
# in order to calculate the keys below.
#
# Lifetimes are derived from Session-Timeout. It needs to be set
# to some useful number.
#
# The hash function below H() is HMAC-SHA1.
#
#
# MN-HA-CMIP4 = H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI)
#
# Where HA-IPv4 is WiMAX-hHA-IP-MIP4
# or maybe WiMAX-vHA-IP-MIP4
#
# Which goes into WiMAX-MN-hHA-MIP4-Key
# or maybe WiMAX-RRQ-MN-HA-Key
# or maybe even WiMAX-vHA-MIP4-Key
#
# The corresponding SPI is SPI-CMIP4, which is MIP-SPI,
#
# which goes into WiMAX-MN-hHA-MIP4-SPI
# or maybe WiMAX-RRQ-MN-HA-SPI
# or even WiMAX-MN-vHA-MIP4-SPI
#
# MN-HA-PMIP4 = H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI)
# MN-HA-CMIP6 = H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI)
#
# both with similar comments to above for MN-HA-CMIP4.
#
# In order to tell which one to use (CMIP4, PMIP4, or CMIP6),
# you have to set WiMAX-IP-Technology in the reply to one of
# the appropriate values.
#
#
# FA-RK = H(MIP-RK, "FA-RK")
#
# MN-FA = H(FA-RK, "MN FA" | FA-IP | MN-NAI)
#
# Where does the FA-IP come from? No idea...
#
#
# The next two keys (HA-RK and FA-HA) are not generated
# for every authentication request, but only on demand.
#
# HA-RK = 160-bit random number assigned by the AAA server
# to a specific HA.
#
# FA-HA = H(HA-RK, "FA-HA" | HA-IPv4 | FA-CoAv4 | SPI)
#
# where HA-IPv4 is as above.
# and FA-CoAv4 address of the FA as seen by the HA
# and SPI is the relevant SPI for the HA-RK.
#
# DHCP-RK = 160-bit random number assigned by the AAA server
# to a specific DHCP server. vDHCP-RK is the same
# thing.
#
#
#
# ## Instructions for v2.1 (LTE) WiMAX:
#
# When called from the "authorize" this module will detect the
# presence of the following attributes:
#
# request:WiMAX-Re-synchronization-Info
# control:WiMAX-SIM-Ki
# control:WiMAX-SIM-OPc
#
# If all attributes are present, (i.e. a known SIM is requesting a
# resync) then the module will attempt to extract the new SQN and
# save it in control:WiMAX-SIM-SQN. It will also save a copy of
# RAND from the request in control:WiMAX-SIM-RAND.
#
# The resulting value of SQN can then be saved in a database
# e.g. via a call to the sql module using some unlang
#
# When called in the "post_auth" section it looks for:
#
# control:WiMAX-SIM-Ki
# control:WiMAX-SIM-OPc
# control:WiMAX-SIM-AMF
# control:WiMAX-SIM-SQN
# request:WiMAX-Visited-PLMN-ID
#
# If all these are present then it will attempt to generate the
# keys for EPS AKA.
#
# First it checks for the presence of control:WiMAX-SIM-RAND and
# if it is not present it generates a new RAND value which is
# stored in reply:WiMAX-E-UTRAN-Vector-RAND. If it is present then
# the value is simply copied to the reply attribute.
#
# Then it calls the Milenage algorithm to generate:
#
# reply:WiMAX-E-UTRAN-Vector-XRES
# reply:WiMAX-E-UTRAN-Vector-AUTN
#
# And finally generates KASME which is stored in:
# reply:WiMAX-E-UTRAN-Vector-KASME
#
#
# NOTE: It is up to the system administrator to make sure that all
# the necessary "control" attributes are populated with the
# required values. The IMSI is likely to be found in User-Name in
# the request and this can be used as the key to grab the values
# from a database.
#
#
wimax {
#
# Some WiMAX equipment requires that the MS-MPPE-*-Key
# attributes are sent in the Access-Accept, in addition to
# the WiMAX-MSK attribute.
#
# Other WiMAX equipment request that the MS-MPPE-*-Key
# attributes are NOT sent in the Access-Accept.
#
# By default, the EAP modules sends MS-MPPE-*-Key attributes.
# The default virtual server (raddb/sites-available/default)
# contains examples of adding the WiMAX-MSK.
#
# This configuration option makes the WiMAX module delete
# the MS-MPPE-*-Key attributes. The default is to leave
# them in place.
#
# If the keys are deleted (by setting this to "yes"), then
# the WiMAX-MSK attribute is automatically added to the reply.
delete_mppe_keys = no
}
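Review bot: The only live setting removed is `delete_mppe_keys = no`, but this file also carried the in-tree description of the module's key derivation (MIP-RK, FA-RK, HA-RK, the SPI assignments and the v2.1 EPS AKA flow), which is lost with it; the comments say the module must be listed in "authorize", "preacct" and "post-auth" to do its work, so those sections in `sites-enabled/` are where a leftover `wimax` reference would be found.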

View file

@ -1,158 +0,0 @@
#
# This module decrypts and validates Yubikey static and dynamic
# OTP tokens.
#
yubikey {
#
# The length (number of ASCII bytes) of the Public-ID portion
# of the OTP string.
#
# Yubikey defaults to a 6 byte ID (2 * 6 = 12)
# id_length = 12
#
# If true, the authorize method of rlm_yubikey will attempt to split the
# value of User-Password, into the user's password, and the OTP token.
#
# If enabled and successful, the value of &request:User-Password will be
# truncated and &request:Yubikey-OTP will be added.
#
# split = yes
#
# Decrypt mode - Tokens will be decrypted and processed locally
#
# The module itself does not provide persistent storage as this
# would be duplicative of functionality already in the server.
#
# Yubikey authentication needs two attributes retrieved from
# persistent storage:
# * &control:Yubikey-Key - The AES key used to decrypt the OTP data.
# The Yubikey-Public-Id and/or User-Name
# attributes may be used to retrieve the key.
# * &control:Yubikey-Counter - This is compared with the counter in the OTP
# data and used to prevent replay attacks.
# This attribute will also be available in
# the request list after successful
# decryption.
#
# Yubikey-Counter isn't strictly required, but the server will
# generate warnings if it's not present when yubikey.authenticate
# is called.
#
# These attributes are available after authorization:
# * &request:Yubikey-Public-ID - The public portion of the OTP string.
# and additionally if 'split' is set:
# * &request:Yubikey-OTP - The OTP portion of User-Password.
#
# These attributes are available after authentication (if successful):
# * &request:Yubikey-Private-ID - The encrypted ID included in OTP data,
# must be verified if tokens share keys.
# * &request:Yubikey-Counter - The last counter value (should be recorded).
# * &request:Yubikey-Timestamp - Token's internal clock (mainly useful for
# debugging).
# * &request:Yubikey-Random - Randomly generated value from the token.
#
decrypt = no
#
# Validation mode - Tokens will be validated against a Yubicloud server
#
validate = no
#
# Settings for validation mode.
#
validation {
#
# URL of validation server, multiple URL config items may be used
# to list multiple servers.
#
# - %d is a placeholder for public ID of the token
# - %s is a placeholder for the token string itself
#
# If no URLs are listed, will default to the default URLs in the
# ykclient library, which point to the yubico validation servers.
servers {
# uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
# uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
}
#
# API Client ID
#
# Must be set to your client id for the validation server.
#
# client_id = 00000
#
# API Secret key (Base64 encoded)
#
# Must be set to your API key for the validation server.
#
# api_key = '000000000000000000000000'
#
# Connection pool parameters
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# yubikey server being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Number of uses before the connection is closed
#
# NOTE: A setting of 0 means infinite (no limit).
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 60
# Cycle over all connections in a pool instead of concentrating
# connection use on a few connections.
spread = yes
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
}
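Review bot: Both modes were off in the removed block (`decrypt = no`, `validate = no`), so no OTP path was active, but the `&control:Yubikey-Counter` replay check the comments describe goes with it; anything that populated `&control:Yubikey-Key` or `&control:Yubikey-Counter` (sql queries, `users` entries) or referenced `&request:Yubikey-OTP` should be cleaned up in the same commit, and `sites-enabled/` checked for `yubikey` in authorize and authenticate. The `# client_id = 00000` and `# api_key` placeholders were commented, so no validation-server credential is being deleted from the tree.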