authorJim P <jim@pingle.org>2012-01-10 13:55:37 -0800
committerJim P <jim@pingle.org>2012-01-10 13:55:37 -0800
commitfd2a759662f1f537c7fe7643e50ff7153b5f26e6 (patch)
tree1ca3d515dfe3712e756fe45ab0ae8a583bbf6af4 /config/freeradius2
parent091cfe95ac215f6aeafb122581b68db6fd3910c7 (diff)
parent56cdc00f57c358f8141810da77ebef2d1d85679f (diff)
Merge pull request #194 from Nachtfalkeaw/master
freeradius2 updates pkg v1.4.9
Diffstat (limited to 'config/freeradius2')
-rw-r--r--config/freeradius2/freeradius.inc429
-rw-r--r--config/freeradius2/freeradiusmodulesldap.xml277
-rw-r--r--config/freeradius2/freeradiussqlconf.xml284
3 files changed, 939 insertions, 51 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index a15aba8e..3be0faa0 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -170,17 +170,27 @@ function freeradius_settings_resync() {
// For more details look at "freeradius_sqlconf_resync"
$sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0];
- $varsqlconfincludeenable = ($sqlconf['varsqlconfincludeenable']?$sqlconf['varsqlconfincludeenable']:'Disable');
- // Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf
- if ($sqlconf['varsqlconfincludeenable'] == 'Enable') {
+ // Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf SQL SERVER 2
+ if ($sqlconf['varsqlconf2includeenable'] == 'on') {
+ $varsqlconf2instantiate = 'sql2';
+ }
+ else {
+ $varsqlconf2instantiate = '### sql2 DISABLED ###';
+ }
+
+ $varsqlconf2failover = ($varsettings['varsqlconf2failover']?$varsettings['varsqlconf2failover']:'redundant');
+
+ // Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf SQL SERVER 1
+ if ($sqlconf['varsqlconfincludeenable'] == 'on') {
$varsqlconfinclude = '$INCLUDE sql.conf';
$varsqlconfincludecounter = '$INCLUDE sql/mysql/counter.conf';
- $varsqlconfinstantiate = 'sql';
+ $varsqlconfinstantiate = "$varsqlconf2failover {" . "\n\t\tsql" . "\n\t\t$varsqlconf2instantiate" . "\n\t}";
}
else {
$varsqlconfinclude = '#$INCLUDE sql.conf';
$varsqlconfincludecounter = '#$INCLUDE sql/mysql/counter.conf';
+ $varsqlconf2failover = '';
$varsqlconfinstantiate = '#sql';
}
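Review bot: The failover mode on the `$varsqlconf2failover` line is read from `$varsettings['varsqlconf2failover']`, while every other SQL option in this hunk comes from `$sqlconf`, and the same key is read from `$sqlconf['varsqlconf2failover']` in freeradius_serverdefault_resync later in this commit; unless `$varsettings` (not visible here) also carries that key, the instantiate block will always fall back to `redundant` regardless of the GUI selection. Suggested change: `$varsqlconf2failover = ($sqlconf['varsqlconf2failover']?$sqlconf['varsqlconf2failover']:'redundant');`. The `$varsqlconf2failover = '';` assignment in the else branch is dead after the instantiate string has been built and could be dropped. The removed `$varsqlconfincludeenable` assignment should be checked for remaining readers further down freeradius_settings_resync, which continues outside the hunk.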
@@ -799,7 +809,7 @@ function freeradius_sqlconf_resync() {
$sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0];
- // Variables: SQL
+ // Variables: SQL DATABASE 1
$varsqlconfdatabase = ($sqlconf['varsqlconfdatabase']?$sqlconf['varsqlconfdatabase']:'mysql');
$varsqlconfserver = ($sqlconf['varsqlconfserver']?$sqlconf['varsqlconfserver']:'localhost');
$varsqlconfport = ($sqlconf['varsqlconfport']?$sqlconf['varsqlconfport']:'3306');
@@ -826,6 +836,34 @@ function freeradius_sqlconf_resync() {
// Additional changes were made in "freeradius_settings_resync"
+ // Variables: SQL DATABASE 2
+ $varsqlconf2database = ($sqlconf['varsqlconf2database']?$sqlconf['varsqlconf2database']:'mysql');
+ $varsqlconf2server = ($sqlconf['varsqlconf2server']?$sqlconf['varsqlconf2server']:'localhost');
+ $varsqlconf2port = ($sqlconf['varsqlconf2port']?$sqlconf['varsqlconf2port']:'3306');
+ $varsqlconf2login = ($sqlconf['varsqlconf2login']?$sqlconf['varsqlconf2login']:'radius');
+ $varsqlconf2password = ($sqlconf['varsqlconf2password']?$sqlconf['varsqlconf2password']:'radpass');
+ $varsqlconf2radiusdb = ($sqlconf['varsqlconf2radiusdb']?$sqlconf['varsqlconf2radiusdb']:'radius');
+ $varsqlconf2accttable1 = ($sqlconf['varsqlconf2accttable1']?$sqlconf['varsqlconf2accttable1']:'radacct');
+ $varsqlconf2accttable2 = ($sqlconf['varsqlconf2accttable2']?$sqlconf['varsqlconf2accttable2']:'radacct');
+ $varsqlconf2postauthtable = ($sqlconf['varsqlconf2postauthtable']?$sqlconf['varsqlconf2postauthtable']:'radpostauth');
+ $varsqlconf2authchecktable = ($sqlconf['varsqlconf2authchecktable']?$sqlconf['varsqlconf2authchecktable']:'radcheck');
+ $varsqlconf2authreplytable = ($sqlconf['varsqlconf2authreplytable']?$sqlconf['varsqlconf2authreplytable']:'radreply');
+ $varsqlconf2groupchecktable = ($sqlconf['varsqlconf2groupchecktable']?$sqlconf['varsqlconf2groupchecktable']:'radgroupcheck');
+ $varsqlconf2groupreplytable = ($sqlconf['varsqlconf2groupreplytable']?$sqlconf['varsqlconf2groupreplytable']:'radgroupreply');
+ $varsqlconf2usergrouptable = ($sqlconf['varsqlconf2usergrouptable']?$sqlconf['varsqlconf2usergrouptable']:'radusergroup');
+ $varsqlconf2readgroups = ($sqlconf['varsqlconf2readgroups']?$sqlconf['varsqlconf2readgroups']:'yes');
+ $varsqlconf2deletestalesessions = ($sqlconf['varsqlconf2deletestalesessions']?$sqlconf['varsqlconf2deletestalesessions']:'yes');
+ $varsqlconf2sqltrace = ($sqlconf['varsqlconf2sqltrace']?$sqlconf['varsqlconf2sqltrace']:'no');
+ $varsqlconf2numsqlsocks = ($sqlconf['varsqlconf2numsqlsocks']?$sqlconf['varsqlconf2numsqlsocks']:'5');
+ $varsqlconf2connectfailureretrydelay = ($sqlconf['varsqlconf2connectfailureretrydelay']?$sqlconf['varsqlconf2connectfailureretrydelay']:'60');
+ $varsqlconf2lifetime = ($sqlconf['varsqlconf2lifetime']?$sqlconf['varsqlconf2lifetime']:'0');
+ $varsqlconf2maxqueries = ($sqlconf['varsqlconf2maxqueries']?$sqlconf['varsqlconf2maxqueries']:'0');
+ $varsqlconf2readclients = ($sqlconf['varsqlconf2readclients']?$sqlconf['varsqlconf2readclients']:'yes');
+ $varsqlconf2nastable = ($sqlconf['varsqlconf2nastable']?$sqlconf['varsqlconf2nastable']:'nas');
+
+ // Additional changes were made in "freeradius_settings_resync"
+
+
$conf .= <<<EOD
sql {
@@ -857,6 +895,35 @@ sql {
\$INCLUDE sql/\${database}/dialup.conf
}
+sql sql2 {
+ database = "$varsqlconf2database"
+ driver = "rlm_sql_\${database}"
+ server = "$varsqlconf2server"
+ port = $varsqlconf2port
+ login = "$varsqlconf2login"
+ password = "$varsqlconf2password"
+ radius_db = "$varsqlconf2radiusdb"
+ acct_table1 = "$varsqlconf2accttable1"
+ acct_table2 = "$varsqlconf2accttable2"
+ postauth_table = "$varsqlconf2postauthtable"
+ authcheck_table = "$varsqlconf2authchecktable"
+ authreply_table = "$varsqlconf2authreplytable"
+ groupcheck_table = "$varsqlconf2groupchecktable"
+ groupreply_table = "$varsqlconf2groupreplytable"
+ usergroup_table = "$varsqlconf2usergrouptable"
+ read_groups = $varsqlconf2readgroups
+ deletestalesessions = $varsqlconf2deletestalesessions
+ sqltrace = $varsqlconf2sqltrace
+ sqltracefile = \${logdir}/sqltrace.sql
+ num_sql_socks = $varsqlconf2numsqlsocks
+ connect_failure_retry_delay = $varsqlconf2connectfailureretrydelay
+ lifetime = $varsqlconf2lifetime
+ max_queries = $varsqlconf2maxqueries
+ readclients = $varsqlconf2readclients
+ nas_table = "$varsqlconf2nastable"
+ \$INCLUDE sql/\${database}/dialup.conf
+}
+
EOD;
$filename = RADDB . '/sql.conf';
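Review bot: The `sql sql2 {` stanza is emitted into sql.conf unconditionally, so the second database's host, login and password are written to disk whenever server 1 is enabled, even when server 2 is left disabled in the GUI; the only gate is the instantiate block built in freeradius_settings_resync. If that is intended, a comment above the stanza such as `// sql2 is always written; it is only referenced from instantiate/authorize when varsqlconf2includeenable is on` would make it explicit, otherwise wrap the stanza in the same `== 'on'` check. The GUI values are interpolated verbatim inside double quotes (`password = "$varsqlconf2password"` and the table names), so a value containing `"` or a newline breaks the generated file; that pattern is inherited from the sql1 stanza above, but new code could at least reject such characters before writing. freeradius_sqlconf_resync continues outside the hunk.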
@@ -878,60 +945,123 @@ function freeradius_serverdefault_resync() {
// Get Variables from freeradiusmodulesldap.xml
$arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0];
+ // failover/loadbalancing mode
+ $varmodulesldap2failover = ($arrmodulesldap['varmodulesldap2failover']?$arrmodulesldap['varmodulesldap2failover']:'redundant');
+
+ // If unchecked then disable authorize ldap2
+ if (!$arrmodulesldap['varmodulesldap2enableauthorize']) {
+ $varmodulesldap2enableauthorize = '### ldap2 disabled ###';
+ }
+ else {
+ $varmodulesldap2enableauthorize = 'ldap2';
+ }
- // If unchecked then disable authorize
+ // If unchecked then disable authorize ldap1
if (!$arrmodulesldap['varmodulesldapenableauthorize']) {
$varmodulesldapenableauthorize = '### ldap ###';
}
else {
- $varmodulesldapenableauthorize = 'ldap';
+ $varmodulesldapenableauthorize = '';
+ $varmodulesldapenableauthorize .= "$varmodulesldap2failover {";
+ $varmodulesldapenableauthorize .= "\n\t\tldap";
+ // this line adds ldap2 when activated
+ $varmodulesldapenableauthorize .= "\n\t\t$varmodulesldap2enableauthorize";
+ $varmodulesldapenableauthorize .= "\n\t}";
}
- // If unchecked then disable authenticate
+ // If unchecked then disable authenticate for ldap1
+ if (!$arrmodulesldap['varmodulesldap2enableauthenticate']) {
+ $varmodulesldap2enableauthenticate = "### ldap2 disabled ###";
+ }
+ else {
+ $varmodulesldap2enableauthenticate = "ldap2";
+ }
+
+ // If unchecked then disable authenticate ldap2
if (!$arrmodulesldap['varmodulesldapenableauthenticate']) {
- $varmodulesldapenableauthenticate = "#Auth-Type LDAP {" . "\n\t\t\t#ldap" . "\n\t#}";
+ $varmodulesldapenableauthenticate = "#Auth-Type LDAP {" . "\n\t\t\t#ldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t#}";
}
else {
- $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t}";
+ $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}";
}
-
- // Get Variables from freeradiussqlconf.xml
+
+
+
+ // Get Variables from freeradiussqlconf.xml for DATABASE 1
$sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0];
$varsqlconfenableauthorize = ($sqlconf['varsqlconfenableauthorize']?$sqlconf['varsqlconfenableauthorize']:'Disable');
$varsqlconfenableaccounting = ($sqlconf['varsqlconfenableaccounting']?$sqlconf['varsqlconfenableaccounting']:'Disable');
$varsqlconfenablesession = ($sqlconf['varsqlconfenablesession']?$sqlconf['varsqlconfenablesession']:'Disable');
- $varsqlconfenablepostauth = ($sqlconf['varsqlconfenablepostauth']?$sqlconf['varsqlconfenablepostauth']:'Disable');
+ $varsqlconfenablepostauth = ($sqlconf['varsqlconfenablepostauth']?$sqlconf['varsqlconfenablepostauth']:'Disable');
+
+ // Get Variables from freeradiussqlconf.xml for DATABASE 2
+ $varsqlconf2enableauthorize = ($sqlconf['varsqlconf2enableauthorize']?$sqlconf['varsqlconf2enableauthorize']:'Disable');
+ $varsqlconf2enableaccounting = ($sqlconf['varsqlconf2enableaccounting']?$sqlconf['varsqlconf2enableaccounting']:'Disable');
+ $varsqlconf2enablesession = ($sqlconf['varsqlconf2enablesession']?$sqlconf['varsqlconf2enablesession']:'Disable');
+ $varsqlconf2enablepostauth = ($sqlconf['varsqlconf2enablepostauth']?$sqlconf['varsqlconf2enablepostauth']:'Disable');
+
+ // authorize section DATABASE 2
+ if ($sqlconf['varsqlconf2enableauthorize'] == 'Enable') {
+ $varsqlconf2authorize = 'sql2';
+ }
+ else {
+ $varsqlconf2authorize = '### sql2 DISABLED ###';
+ }
+ // accounting section DATABASE 2
+ if ($sqlconf['varsqlconf2enableaccounting'] == 'Enable') {
+ $varsqlconf2accounting = 'sql2';
+ }
+ else {
+ $varsqlconf2accounting = '### sql2 DISABLED ###';
+ }
+ // session section DATABASE 2
+ if ($sqlconf['varsqlconf2enablesession'] == 'Enable') {
+ $varsqlconf2session = 'sql2';
+ }
+ else {
+ $varsqlconf2session = '### sql2 DISABLED ###';
+ }
+ // post-auth section DATABASE 2
+ if ($sqlconf['varsqlconf2enablepostauth'] == 'Enable') {
+ $varsqlconf2postauth = 'sql2';
+ }
+ else {
+ $varsqlconf2postauth = '### sql2 DISABLED ###';
+ }
+
+ // Failover mode
+ $varsqlconf2failover = ($sqlconf['varsqlconf2failover']?$sqlconf['varsqlconf2failover']:'redundant');
- // authorize section
- if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenableauthorize'] == 'Enable')) {
- $varsqlconfauthorize = 'sql';
+ // authorize section DATABASE 1
+ if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenableauthorize'] == 'Enable')) {
+ $varsqlconfauthorize = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2authorize" . "\n\t}";
}
else {
- $varsqlconfauthorize = '#sql';
+ $varsqlconfauthorize = '### sql DISABLED ###';
}
- // accounting section
- if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenableaccounting'] == 'Enable')) {
- $varsqlconfaccounting = 'sql';
+ // accounting section DATABASE 1
+ if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenableaccounting'] == 'Enable')) {
+ $varsqlconfaccounting = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2accounting" . "\n\t}";
}
else {
- $varsqlconfaccounting = '#sql';
+ $varsqlconfaccounting = '### sql DISABLED ###';
}
- // session section
- if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenablesession'] == 'Enable')) {
- $varsqlconfsession = 'sql';
+ // session section DATABASE 1
+ if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenablesession'] == 'Enable')) {
+ $varsqlconfsession = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2session" . "\n\t}";
}
else {
- $varsqlconfsession = 'radutmp';
+ $varsqlconfsession = 'radutmp';
}
- // post-auth section
- if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenablepostauth'] == 'Enable')) {
- $varsqlconfpostauth = 'sql';
+ // post-auth section DATABASE 1
+ if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenablepostauth'] == 'Enable')) {
+ $varsqlconfpostauth = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2postauth" . "\n\t}";
}
else {
- $varsqlconfpostauth = '#sql';
+ $varsqlconfpostauth = '### sql DISABLED ###';
}
// Changing authorize section for plain mac auth
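Review bot: When LDAP authentication for server 1 is unchecked, the generated authenticate block comments out `Auth-Type LDAP {` and `ldap` but inserts `$varmodulesldap2enableauthenticate` without a `#`, so with server 2 authentication checked the output is `#Auth-Type LDAP {`, `#ldap`, `ldap2`, `#}` and `ldap2` becomes a bare module call at authenticate-section level, executed for every request. The line should be `$varmodulesldapenableauthenticate = "#Auth-Type LDAP {" . "\n\t\t\t#ldap" . "\n\t\t\t#$varmodulesldap2enableauthenticate" . "\n\t#}";`. The two comments above those branches are also swapped: the block that tests `varmodulesldap2enableauthenticate` is labelled "for ldap1" and the one that tests `varmodulesldapenableauthenticate` is labelled "ldap2". In the enabled branch `ldap` and `ldap2` are listed sequentially inside `Auth-Type LDAP` rather than inside the `$varmodulesldap2failover` wrapper used for authorize; if the intent is failover for binds too, the wrapper belongs there as well. freeradius_serverdefault_resync continues outside the hunk.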
@@ -1161,6 +1291,7 @@ authorize {
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
+
$varmodulesldapenableauthorize
#
@@ -2404,9 +2535,10 @@ function freeradius_modulesldap_resync() {
$arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0];
// Enable and Disable LDAP for "authorize" and "authenticate" will be done in "freeradius_serverdefault_resync"
+ // redundatnt-load-balancing will there be done, too
- // Variables for General Configuration
+ // Variables for General Configuration ldap1
$varmodulesldapserver = ($arrmodulesldap['varmodulesldapserver']?$arrmodulesldap['varmodulesldapserver']:'ldap.your.domain');
$varmodulesldapidentity = ($arrmodulesldap['varmodulesldapidentity']?$arrmodulesldap['varmodulesldapidentity']:'cn=admin,o=My Org,c=UA');
$varmodulesldappassword = ($arrmodulesldap['varmodulesldappassword']?$arrmodulesldap['varmodulesldappassword']:'mypass');
@@ -2418,10 +2550,22 @@ function freeradius_modulesldap_resync() {
$varmodulesldaptimelimit = ($arrmodulesldap['varmodulesldaptimelimit']?$arrmodulesldap['varmodulesldaptimelimit']:'3');
$varmodulesldapnettimeout = ($arrmodulesldap['varmodulesldapnettimeout']?$arrmodulesldap['varmodulesldapnettimeout']:'1');
+ // Variables for General Configuration ldap2
+ $varmodulesldap2server = ($arrmodulesldap['varmodulesldap2server']?$arrmodulesldap['varmodulesldap2server']:'ldap.your.domain');
+ $varmodulesldap2identity = ($arrmodulesldap['varmodulesldap2identity']?$arrmodulesldap['varmodulesldap2identity']:'cn=admin,o=My Org,c=UA');
+ $varmodulesldap2password = ($arrmodulesldap['varmodulesldap2password']?$arrmodulesldap['varmodulesldap2password']:'mypass');
+ $varmodulesldap2basedn = ($arrmodulesldap['varmodulesldap2basedn']?$arrmodulesldap['varmodulesldap2basedn']:'o=My Org,c=UA');
+ $varmodulesldap2filter = ($arrmodulesldap['varmodulesldap2filter']?$arrmodulesldap['varmodulesldap2filter']:'(uid=%{%{Stripped-User-Name}:-%{User-Name}})');
+ $varmodulesldap2basefilter = ($arrmodulesldap['varmodulesldap2basefilter']?$arrmodulesldap['varmodulesldap2basefilter']:'(objectclass=radiusprofile)');
+ $varmodulesldap2ldapconnectionsnumber = ($arrmodulesldap['varmodulesldap2ldapconnectionsnumber']?$arrmodulesldap['varmodulesldap2ldapconnectionsnumber']:'5');
+ $varmodulesldap2timeout = ($arrmodulesldap['varmodulesldap2timeout']?$arrmodulesldap['varmodulesldap2timeout']:'4');
+ $varmodulesldap2timelimit = ($arrmodulesldap['varmodulesldap2timelimit']?$arrmodulesldap['varmodulesldap2timelimit']:'3');
+ $varmodulesldap2nettimeout = ($arrmodulesldap['varmodulesldap2nettimeout']?$arrmodulesldap['varmodulesldap2nettimeout']:'1');
+
// Variables for TLS / Certificates - will be added later
- // Miscellaneous Configuration + MS Active Directory Compatibility
+ // Miscellaneous Configuration + MS Active Directory Compatibility ldap1
$varmodulesldapmsadcompatibilityenable = ($arrmodulesldap['varmodulesldapmsadcompatibilityenable']?$arrmodulesldap['varmodulesldapmsadcompatibilityenable']:'Disable');
if ($arrmodulesldap['varmodulesldapmsadcompatibilityenable'] == 'Disable') {
$varmodulesldapmsadcompatibility = '### MS Active Directory Compatibility is disabled ###';
@@ -2429,8 +2573,17 @@ function freeradius_modulesldap_resync() {
else {
$varmodulesldapmsadcompatibility = 'chase_referrals = yes' . "\n\trebind = yes";
}
+
+ // Miscellaneous Configuration + MS Active Directory Compatibility ldap2
+ $varmodulesldap2msadcompatibilityenable = ($arrmodulesldap['varmodulesldap2msadcompatibilityenable']?$arrmodulesldap['varmodulesldap2msadcompatibilityenable']:'Disable');
+ if ($arrmodulesldap['varmodulesldap2msadcompatibilityenable'] == 'Disable') {
+ $varmodulesldap2msadcompatibility = '### MS Active Directory Compatibility is disabled ###';
+ }
+ else {
+ $varmodulesldap2msadcompatibility = 'chase_referrals = yes' . "\n\trebind = yes";
+ }
- // When disabled we put this in the file but commented (#) like in the default installation
+ // When disabled we put this in the file but commented (#) like in the default installation ldap1
if (!$arrmodulesldap['varmodulesldapdmiscenable']) {
$varmodulesldapdefaultprofile = '### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###';
$varmodulesldapprofileattribute = '### profile_attribute = "radiusProfileDn" ###';
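Review bot: `$varmodulesldap2msadcompatibilityenable` is computed with a `'Disable'` fallback but never used; the `if` on the next line tests the raw `$arrmodulesldap['varmodulesldap2msadcompatibilityenable']`, so when the key is absent the comparison is false and `chase_referrals = yes` / `rebind = yes` are emitted, the opposite of the documented default. The condition should read `if ($varmodulesldap2msadcompatibilityenable == 'Disable') {`. The ldap1 block above has the same shape, but that line is context here rather than part of this change.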
@@ -2446,8 +2599,24 @@ function freeradius_modulesldap_resync() {
$varmodulesldapaccessattr = "access_attr = " . '"' . "$varmodulesldapaccessattr" . '"';
}
+ // When disabled we put this in the file but commented (#) like in the default installation ldap2
+ if (!$arrmodulesldap['varmodulesldap2dmiscenable']) {
+ $varmodulesldap2defaultprofile = '### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###';
+ $varmodulesldap2profileattribute = '### profile_attribute = "radiusProfileDn" ###';
+ $varmodulesldap2accessattr = '### access_attr = "dialupAccess" ###';
+ }
+ // When enabled we put in the default values so there is no empty entry if there is not input from GUI
+ else {
+ $varmodulesldap2defaultprofile = ($arrmodulesldap['varmodulesldap2defaultprofile']?$arrmodulesldap['varmodulesldap2defaultprofile']:'cn=radprofile,ou=dialup,o=My Org,c=UA');
+ $varmodulesldap2defaultprofile = "default_profile = " . '"' . "$varmodulesldap2defaultprofile" . '"';
+ $varmodulesldap2profileattribute = ($arrmodulesldap['varmodulesldap2profileattribute']?$arrmodulesldap['varmodulesldap2profileattribute']:'radiusProfileDn');
+ $varmodulesldap2profileattribute = "profile_attribute = " . '"' . "$varmodulesldap2profileattribute" . '"';
+ $varmodulesldap2accessattr = ($arrmodulesldap['varmodulesldap2accessattr']?$arrmodulesldap['varmodulesldap2accessattr']:'dialupAccess');
+ $varmodulesldap2accessattr = "access_attr = " . '"' . "$varmodulesldap2accessattr" . '"';
+ }
+
// Group membership checking
- // When disabled we put this in the file but commented (#) like in the default installation
+ // When disabled we put this in the file but commented (#) like in the default installation ldap1
if (!$arrmodulesldap['varmodulesldapgroupenable']) {
$varmodulesldapgroupnameattribute = '### groupname_attribute = cn ###';
$varmodulesldapgroupmembershipfilter = '### groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###';
@@ -2473,12 +2642,45 @@ function freeradius_modulesldap_resync() {
$varmodulesldapaccessattrusedforallow = ($arrmodulesldap['varmodulesldapaccessattrusedforallow']?$arrmodulesldap['varmodulesldapaccessattrusedforallow']:'yes');
$varmodulesldapaccessattrusedforallow = "access_attr_used_for_allow = $varmodulesldapaccessattrusedforallow";
}
+
+ // Group membership checking
+ // When disabled we put this in the file but commented (#) like in the default installation ldap2
+ if (!$arrmodulesldap['varmodulesldap2groupenable']) {
+ $varmodulesldap2groupnameattribute = '### groupname_attribute = cn ###';
+ $varmodulesldap2groupmembershipfilter = '### groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###';
+ $varmodulesldap2groupmembershipattribute = '### groupmembership_attribute = radiusGroupName ###';
+ $varmodulesldap2comparecheckitems = '### compare_check_items = yes ###';
+ $varmodulesldap2doxlat = '### do_xlat = yes ###';
+ $varmodulesldap2accessattrusedforallow = '### access_attr_used_for_allow = yes ###';
+ }
- // Keepalive variables
+ // When enabled we put in the default values so there is no empty entry if there is not input from GUI
+ else {
+ $varmodulesldap2groupnameattribute = ($arrmodulesldap['varmodulesldap2groupnameattribute']?$arrmodulesldap['varmodulesldap2groupnameattribute']:'cn');
+ $varmodulesldap2groupnameattribute = "groupname_attribute = $varmodulesldap2groupnameattribute";
+ $varmodulesldap2groupmembershipfilter = ($arrmodulesldap['varmodulesldap2groupmembershipfilter']?$arrmodulesldap['varmodulesldap2groupmembershipfilter']:'(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))');
+ $varmodulesldap2groupmembershipfilter = "groupmembership_filter = " . '"' . "$varmodulesldap2groupmembershipfilter" . '"';
+ $varmodulesldap2groupmembershipattribute = ($arrmodulesldap['varmodulesldap2groupmembershipattribute']?$arrmodulesldap['varmodulesldap2groupmembershipattribute']:'radiusGroupName');
+ $varmodulesldap2groupmembershipattribute = "groupmembership_attribute = $varmodulesldap2groupmembershipattribute";
+
+ $varmodulesldap2comparecheckitems = ($arrmodulesldap['varmodulesldap2comparecheckitems']?$arrmodulesldap['varmodulesldap2comparecheckitems']:'yes');
+ $varmodulesldap2comparecheckitems = "compare_check_items = $varmodulesldap2comparecheckitems";
+ $varmodulesldap2doxlat = ($arrmodulesldap['varmodulesldap2doxlat']?$arrmodulesldap['varmodulesldap2doxlat']:'yes');
+ $varmodulesldap2doxlat = "do_xlat = $varmodulesldap2doxlat";
+ $varmodulesldap2accessattrusedforallow = ($arrmodulesldap['varmodulesldap2accessattrusedforallow']?$arrmodulesldap['varmodulesldap2accessattrusedforallow']:'yes');
+ $varmodulesldap2accessattrusedforallow = "access_attr_used_for_allow = $varmodulesldap2accessattrusedforallow";
+ }
+
+ // Keepalive variables ldap1
$varmodulesldapkeepaliveidle = ($arrmodulesldap['varmodulesldapkeepaliveidle']?$arrmodulesldap['varmodulesldapkeepaliveidle']:'60');
$varmodulesldapkeepaliveprobes = ($arrmodulesldap['varmodulesldapkeepaliveprobes']?$arrmodulesldap['varmodulesldapkeepaliveprobes']:'3');
$varmodulesldapkeepaliveinterval = ($arrmodulesldap['varmodulesldapkeepaliveinterval']?$arrmodulesldap['varmodulesldapkeepaliveinterval']:'3');
+ // Keepalive variables ldap2
+ $varmodulesldap2keepaliveidle = ($arrmodulesldap['varmodulesldap2keepaliveidle']?$arrmodulesldap['varmodulesldap2keepaliveidle']:'60');
+ $varmodulesldap2keepaliveprobes = ($arrmodulesldap['varmodulesldap2keepaliveprobes']?$arrmodulesldap['varmodulesldap2keepaliveprobes']:'3');
+ $varmodulesldap2keepaliveinterval = ($arrmodulesldap['varmodulesldap2keepaliveinterval']?$arrmodulesldap['varmodulesldap2keepaliveinterval']:'3');
+
$conf .= <<<EOD
# -*- text -*-
@@ -2667,6 +2869,165 @@ ldap {
interval = $varmodulesldapkeepaliveinterval
}
}
+
+ldap ldap2{
+ #
+ # Note that this needs to match the name in the LDAP
+ # server certificate, if you're using ldaps.
+ server = "$varmodulesldap2server"
+ identity = "$varmodulesldap2identity"
+ password = $varmodulesldap2password
+ basedn = "$varmodulesldap2basedn"
+ filter = "$varmodulesldap2filter"
+ base_filter = "$varmodulesldap2basefilter"
+
+ # How many connections to keep open to the LDAP server.
+ # This saves time over opening a new LDAP socket for
+ # every authentication request.
+ ldap_connections_number = $varmodulesldap2ldapconnectionsnumber
+
+ # seconds to wait for LDAP query to finish. default: 20
+ timeout = $varmodulesldap2timeout
+
+ # seconds LDAP server has to process the query (server-side
+ # time limit). default: 20
+ #
+ # LDAP_OPT_TIMELIMIT is set to this value.
+ timelimit = $varmodulesldap2timelimit
+
+ #
+ # seconds to wait for response of the server. (network
+ # failures) default: 10
+ #
+ # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
+ net_timeout = $varmodulesldap2nettimeout
+
+ #
+ # This subsection configures the tls related items
+ # that control how FreeRADIUS connects to an LDAP
+ # server. It contains all of the "tls_*" configuration
+ # entries used in older versions of FreeRADIUS. Those
+ # configuration entries can still be used, but we recommend
+ # using these.
+ #
+ tls {
+ # Set this to 'yes' to use TLS encrypted connections
+ # to the LDAP database by using the StartTLS extended
+ # operation.
+ #
+ # The StartTLS operation is supposed to be
+ # used with normal ldap connections instead of
+ # using ldaps (port 689) connections
+ start_tls = no
+
+ # cacertfile = /path/to/cacert.pem
+ # cacertdir = /path/to/ca/dir/
+ # certfile = /path/to/radius.crt
+ # keyfile = /path/to/radius.key
+ # randfile = /path/to/rnd
+
+ # Certificate Verification requirements. Can be:
+ # "never" (don't even bother trying)
+ # "allow" (try, but don't fail if the cerificate
+ # can't be verified)
+ # "demand" (fail if the certificate doesn't verify.)
+ #
+ # The default is "allow"
+ # require_cert = "demand"
+ }
+
+ $varmodulesldap2defaultprofile
+ $varmodulesldap2profileattribute
+ $varmodulesldap2accessattr
+
+ # Mapping of RADIUS dictionary attributes to LDAP
+ # directory attributes.
+ dictionary_mapping = \${confdir}/ldap.attrmap
+ ################## THE BELOW IS NOT COMPILED WITH FREERADIUS #################################
+ # Set password_attribute = nspmPassword to get the
+ # user's password from a Novell eDirectory
+ # backend. This will work ONLY IF FreeRADIUS has been
+ # built with the --with-edir configure option.
+ #
+ # See also the following links:
+ #
+ # http://www.novell.com/coolsolutions/appnote/16745.html
+ # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
+ #
+ # Novell may require TLS encrypted sessions before returning
+ # the user's password.
+ #
+ # password_attribute = userPassword
+
+ # Un-comment the following to disable Novell
+ # eDirectory account policy check and intruder
+ # detection. This will work *only if* FreeRADIUS is
+ # configured to build with --with-edir option.
+ #
+ edir_account_policy_check = no
+ ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS #################################
+ #
+ # Group membership checking. Disabled by default.
+ #
+ $varmodulesldap2groupnameattribute
+ $varmodulesldap2groupmembershipfilter
+ $varmodulesldap2groupmembershipattribute
+
+ $varmodulesldap2comparecheckitems
+ $varmodulesldap2doxlat
+ $varmodulesldap2accessattrusedforallow
+
+ #
+ # The following two configuration items are for Active Directory
+ # compatibility. If you see the helpful "operations error"
+ # being returned to the LDAP module, uncomment the next
+ # two lines.
+ #
+
+ $varmodulesldap2msadcompatibility
+
+ #
+ # By default, if the packet contains a User-Password,
+ # and no other module is configured to handle the
+ # authentication, the LDAP module sets itself to do
+ # LDAP bind for authentication.
+ #
+ # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
+ #
+ # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
+ #
+ # You can disable this behavior by setting the following
+ # configuration entry to "no".
+ #
+ # allowed values: {no, yes}
+ # set_auth_type = yes
+
+ # ldap_debug: debug flag for LDAP SDK
+ # (see OpenLDAP documentation). Set this to enable
+ # huge amounts of LDAP debugging on the screen.
+ # You should only use this if you are an LDAP expert.
+ #
+ # default: 0x0000 (no debugging messages)
+ # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
+ #ldap_debug = 0x0028
+
+ #
+ # Keepalive configuration. This MAY NOT be supported by your
+ # LDAP library. If these configuration entries appear in the
+ # output of "radiusd -X", then they are supported. Otherwise,
+ # they are unsupported, and changing them will do nothing.
+ #
+ keepalive {
+ # LDAP_OPT_X_KEEPALIVE_IDLE
+ idle = $varmodulesldap2keepaliveidle
+
+ # LDAP_OPT_X_KEEPALIVE_PROBES
+ probes = $varmodulesldap2keepaliveprobes
+
+ # LDAP_OPT_X_KEEPALIVE_INTERVAL
+ interval = $varmodulesldap2keepaliveinterval
+ }
+}
EOD;
$filename = RADDB . '/modules/ldap';
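Review bot: In the new `ldap ldap2{` stanza `password = $varmodulesldap2password` is written without quotes while `server` and `identity` on the lines above are quoted, so a bind password containing a space or `#` is truncated by the config parser; change it to `password = "$varmodulesldap2password"` (whether the ldap1 stanza quotes it is outside this hunk). The stanza also hard-codes `start_tls = no` and leaves `require_cert` commented, so the server-2 bind credentials go over the wire in clear text unless the operator points `server` at an ldaps URL; since the "TLS / Certificates - will be added later" comment earlier in this function shows that is known, a comment next to `start_tls = no` saying `# TLS is not yet configurable from the GUI; credentials are sent in clear text unless server uses ldaps` would save the next reader a surprise. `ldap ldap2{` is missing the space before the brace that every other stanza in the file has.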
diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml
index 06a990e7..cf7f5b33 100644
--- a/config/freeradius2/freeradiusmodulesldap.xml
+++ b/config/freeradius2/freeradiusmodulesldap.xml
@@ -98,7 +98,7 @@
</tabs>
<fields>
<field>
- <name>ENABLE LDAP SUPPORT</name>
+ <name>ENABLE LDAP SUPPORT - SERVER 1</name>
<type>listtopic</type>
</field>
<field>
@@ -106,6 +106,7 @@
<fieldname>varmodulesldapenableauthorize</fieldname>
<description><![CDATA[This enables LDAP in authorize section. The ldap module will set Auth-Type to LDAP if it has not already been set. (Default: unchecked)]]></description>
<type>checkbox</type>
+ <enablefields>varmodulesldap2enableauthenticate,varmodulesldapkeepaliveinterval,varmodulesldapkeepaliveprobes,varmodulesldapkeepaliveidle,varmodulesldapmsadcompatibilityenable,varmodulesldapnettimeout,varmodulesldaptimelimit,varmodulesldaptimeout,varmodulesldapldapconnectionsnumber,varmodulesldapbasefilter,varmodulesldapfilter,varmodulesldapbasedn,varmodulesldappassword,varmodulesldapidentity,varmodulesldapserver,varmodulesldap2enableauthorize,varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval</enablefields>
</field>
<field>
<fielddescr>Enable LDAP For Authentication</fielddescr>
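Review bot: The `enablefields` list added to the server-1 "Enable LDAP For Authorization" checkbox contains `varmodulesldap2enableauthenticate` twice (first entry and again after `varmodulesldapserver`), and it lists every server-2 field while not listing `varmodulesldap2failover`, so unchecking server 1 greys out server 2's settings but leaves its failover selector active. Dropping the duplicate and adding `varmodulesldap2failover` to the list would keep the GUI consistent with the PHP side, where server 2 is only ever emitted inside server 1's block; if instead server 2 is meant to be toggled independently, the server-2 entries should be removed from this list and left to the server-2 checkbox added further down.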
@@ -114,7 +115,7 @@
<type>checkbox</type>
</field>
<field>
- <name>GENERAL CONFIGURATION</name>
+ <name>GENERAL CONFIGURATION - SERVER 1</name>
<type>listtopic</type>
</field>
<field>
@@ -198,7 +199,7 @@
<default_value>1</default_value>
</field>
<field>
- <name>MISCELLANEOUS CONFIGURATION</name>
+ <name>MISCELLANEOUS CONFIGURATION - SERVER 1</name>
<type>listtopic</type>
</field>
<field>
@@ -213,7 +214,7 @@
</options>
</field>
<field>
- <fielddescr>Enable Misc Configuration</fielddescr>
+ <fielddescr>Enable Misc Configuration - SERVER 1</fielddescr>
<fieldname>varmodulesldapdmiscenable</fieldname>
<description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description>
<type>checkbox</type>
@@ -244,7 +245,7 @@
<default_value>dialupAccess</default_value>
</field>
<field>
- <name>Group Membership Options</name>
+ <name>Group Membership Options - SERVER 1</name>
<type>listtopic</type>
</field>
<field>
@@ -312,7 +313,7 @@
</options>
</field>
<field>
- <name>KEEPALIVE CONFIGURATION</name>
+ <name>KEEPALIVE CONFIGURATION - SERVER 1</name>
<type>listtopic</type>
</field>
<field>
@@ -339,6 +340,270 @@
<size>80</size>
<default_value>3</default_value>
</field>
+
+
+ <field>
+ <name>ENABLE REDUNDANT LDAP SERVER SUPPORT</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Choose Failover/Loadbalancing Mode</fielddescr>
+ <fieldname>varmodulesldap2failover</fieldname>
+ <description><![CDATA[Choose the interaction of the two LDAP servers: (Default: redundant)<br><br>
+ <b>redundant:</b> If server 1 fails failover to server 2<br>
+ <b>load-balance:</b> The load is balanced 50:50 to both servers<br>
+ <b>redundant-load-balance:</b> The load is balanced 50:50 to both servers. If one is down the other does 100%.]]></description>
+ <type>select</type>
+ <default_value>redundant</default_value>
+ <options>
+ <option><name>Redundant</name><value>redundant</value></option>
+ <option><name>Load-Balance</name><value>load-balance</value></option>
+ <option><name>Redundant-Load-Balance</name><value>redundant-load-balance</value></option>
+ </options>
+ </field>
+ <field>
+ <name>ENABLE LDAP SUPPORT - SERVER 2</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable LDAP For Authorization</fielddescr>
+ <fieldname>varmodulesldap2enableauthorize</fieldname>
+ <description><![CDATA[This enables LDAP in authorize section. The ldap module will set Auth-Type to LDAP if it has not already been set. (Default: unchecked)]]></description>
+ <type>checkbox</type>
+ <enablefields>varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval</enablefields>
+ </field>
+ <field>
+ <fielddescr>Enable LDAP For Authentication</fielddescr>
+ <fieldname>varmodulesldap2enableauthenticate</fieldname>
+ <description><![CDATA[This enables LDAP in authenticate section. Note that this means "check plain-text password against the ldap database", which means that EAP won't work, as it does not supply a plain-text password.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <name>GENERAL CONFIGURATION - SERVER 2</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Server</fielddescr>
+ <fieldname>varmodulesldap2server</fieldname>
+ <description><![CDATA[No description. (Default: ldap.your.domain )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>ldap.your.domain</default_value>
+ </field>
+ <field>
+ <fielddescr>Identity</fielddescr>
+ <fieldname>varmodulesldap2identity</fieldname>
+ <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[cn=admin,o=My Org,c=UA]]></default_value>
+ </field>
+ <field>
+ <fielddescr>Password</fielddescr>
+ <fieldname>varmodulesldap2password</fieldname>
+ <description><![CDATA[No description. (Default: mypass)]]></description>
+ <type>password</type>
+ <size>80</size>
+ <default_value>mypass</default_value>
+ </field>
+ <field>
+ <fielddescr>Basedn</fielddescr>
+ <fieldname>varmodulesldap2basedn</fieldname>
+ <description><![CDATA[No description (Default: o=My Org,c=UA )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[o=My Org,c=UA]]></default_value>
+ </field>
+ <field>
+ <fielddescr>Filter</fielddescr>
+ <fieldname>varmodulesldap2filter</fieldname>
+ <description><![CDATA[No description. (Default: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[(uid=%{%{Stripped-User-Name}:-%{User-Name}})]]></default_value>
+ </field>
+ <field>
+ <fielddescr>Base Filter</fielddescr>
+ <fieldname>varmodulesldap2basefilter</fieldname>
+ <description><![CDATA[No description. (Default: (objectclass=radiusprofile) )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[(objectclass=radiusprofile)]]></default_value>
+ </field>
+ <field>
+ <fielddescr>LDAP Connections Number</fielddescr>
+ <fieldname>varmodulesldap2ldapconnectionsnumber</fieldname>
+ <description><![CDATA[How many connections to keep open to the LDAP server. This saves time over opening a new LDAP socket for every authentication request. (Default: 5)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>5</default_value>
+ </field>
+ <field>
+ <fielddescr>Timeout</fielddescr>
+ <fieldname>varmodulesldap2timeout</fieldname>
+ <description><![CDATA[Seconds to wait for LDAP query to finish. (Default: 4)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>4</default_value>
+ </field>
+ <field>
+ <fielddescr>Timelimit</fielddescr>
+ <fieldname>varmodulesldap2timelimit</fieldname>
+ <description><![CDATA[Seconds the LDAP server has to process the query (server-side time limit). (Default: 3)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>3</default_value>
+ </field>
+ <field>
+ <fielddescr>Net Timeout</fielddescr>
+ <fieldname>varmodulesldap2nettimeout</fieldname>
+ <description><![CDATA[Seconds to wait for response of the server because of network failures. (Default: 1)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>1</default_value>
+ </field>
+ <field>
+ <name>MISCELLANEOUS CONFIGURATION - SERVER 2</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Active Directory Compatibility</fielddescr>
+ <fieldname>varmodulesldap2msadcompatibilityenable</fieldname>
+ <description><![CDATA[If you see the helpful "operations error" being returned to the LDAP module enable this. (Default: Disable)]]></description>
+ <type>select</type>
+ <default_value>Disable</default_value>
+ <options>
+ <option><name>Disable</name><value>Disable</value></option>
+ <option><name>Enable</name><value>Enable</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Enable Misc Configuration</fielddescr>
+ <fieldname>varmodulesldap2dmiscenable</fieldname>
+ <description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description>
+ <type>checkbox</type>
+ <enablefields>varmodulesldap2defaultprofile,varmodulesldap2profileattribute,varmodulesldap2accessattr</enablefields>
+ </field>
+ <field>
+ <fielddescr>Default Profile</fielddescr>
+ <fieldname>varmodulesldap2defaultprofile</fieldname>
+ <description><![CDATA[No description. (Default: cn=radprofile,ou=dialup,o=My Org,c=UA )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[cn=radprofile,ou=dialup,o=My Org,c=UA]]></default_value>
+ </field>
+ <field>
+ <fielddescr>Profile Attribute</fielddescr>
+ <fieldname>varmodulesldap2profileattribute</fieldname>
+ <description><![CDATA[No description. (Default: radiusProfileDn)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>radiusProfileDn</default_value>
+ </field>
+ <field>
+ <fielddescr>Access Attribute</fielddescr>
+ <fieldname>varmodulesldap2accessattr</fieldname>
+ <description><![CDATA[No description. (Default: dialupAccess)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>dialupAccess</default_value>
+ </field>
+ <field>
+ <name>Group Membership Options - SERVER 2</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable Group Membership Options</fielddescr>
+ <fieldname>varmodulesldap2groupenable</fieldname>
+ <description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description>
+ <type>checkbox</type>
+ <enablefields>varmodulesldap2accessattrusedforallow,varmodulesldap2doxlat,varmodulesldap2comparecheckitems,varmodulesldap2groupmembershipattribute,varmodulesldap2groupmembershipfilter,varmodulesldap2groupnameattribute</enablefields>
+ </field>
+ <field>
+ <fielddescr>Groupname Attribute</fielddescr>
+ <fieldname>varmodulesldap2groupnameattribute</fieldname>
+ <description><![CDATA[No description. (Default: cn)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>cn</default_value>
+ </field>
+ <field>
+ <fielddescr>Groupmembership Filter</fielddescr>
+ <fieldname>varmodulesldap2groupmembershipfilter</fieldname>
+ <description><![CDATA[No description. (Default: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))]]></default_value>
+ </field>
+ <field>
+ <fielddescr>Groupmembership Attribute</fielddescr>
+ <fieldname>varmodulesldap2groupmembershipattribute</fieldname>
+ <description><![CDATA[No description. (Default: radiusGroupName)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>radiusGroupName</default_value>
+ </field>
+ <field>
+ <fielddescr>Compare Check Items</fielddescr>
+ <fieldname>varmodulesldap2comparecheckitems</fieldname>
+ <description><![CDATA[No description. (Default: Yes)]]></description>
+ <type>select</type>
+ <default_value>Yes</default_value>
+ <options>
+ <option><name>Yes</name><value>yes</value></option>
+ <option><name>No</name><value>no</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Do XLAT</fielddescr>
+ <fieldname>varmodulesldap2doxlat</fieldname>
+ <description><![CDATA[No description. (Default: Yes)]]></description>
+ <type>select</type>
+ <default_value>Yes</default_value>
+ <options>
+ <option><name>Yes</name><value>yes</value></option>
+ <option><name>No</name><value>no</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Access Attribute Used For Allow</fielddescr>
+ <fieldname>varmodulesldap2accessattrusedforallow</fieldname>
+ <description><![CDATA[No description. (Default: Yes)]]></description>
+ <type>select</type>
+ <default_value>Yes</default_value>
+ <options>
+ <option><name>Yes</name><value>yes</value></option>
+ <option><name>No</name><value>no</value></option>
+ </options>
+ </field>
+ <field>
+ <name>KEEPALIVE CONFIGURATION - SERVER 2</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>LDAP OPT X KEEPALIVE IDLE</fielddescr>
+ <fieldname>varmodulesldap2keepaliveidle</fieldname>
+ <description><![CDATA[No description. (Default: 60)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>60</default_value>
+ </field>
+ <field>
+ <fielddescr>LDAP OPT X KEEPALIVE PROBES</fielddescr>
+ <fieldname>varmodulesldap2keepaliveprobes</fieldname>
+ <description><![CDATA[No description. (Default: 3)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>3</default_value>
+ </field>
+ <field>
+ <fielddescr>LDAP OPT X KEEPALIVE INTERVAL</fielddescr>
+ <fieldname>varmodulesldap2keepaliveinterval</fieldname>
+ <description><![CDATA[No description. (Default: 3)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>3</default_value>
+ </field>
</fields>
<custom_delete_php_command>
freeradius_modulesldap_resync();
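Review bot: The server-2 bind credentials ship as live placeholder defaults — `varmodulesldap2identity` pre-fills `cn=admin,o=My Org,c=UA` and the `varmodulesldap2password` field pre-fills `mypass` — so a user who ticks "Enable LDAP For Authorization" for server 2 and only edits the server address has radiusd bind with a well-known password, and a directory-admin DN is more privilege than a search/bind account needs. I would drop the `<default_value>` on the password field and replace the three "No description." texts on Server, Identity and Password with something like `Bind DN used for the user search; use a read-only service account rather than a directory administrator.` and `Password for the bind DN above.`. Separately, `varmodulesldap2comparecheckitems`, `varmodulesldap2doxlat` and `varmodulesldap2accessattrusedforallow` declare `<default_value>Yes</default_value>` while their option values are lowercase `yes`/`no`; unless the form matches case-insensitively (not visible here), the default never selects an option and may be written to the config as `Yes`, so `<default_value>yes</default_value>` is the safer spelling.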
diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml
index a5bc4d2e..6851711c 100644
--- a/config/freeradius2/freeradiussqlconf.xml
+++ b/config/freeradius2/freeradiussqlconf.xml
@@ -98,20 +98,16 @@
</tabs>
<fields>
<field>
- <name>Enable SQL Database</name>
+ <name>ENABLE SQL DATABASE - SERVER 1</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Enable SQL Support</fielddescr>
<fieldname>varsqlconfincludeenable</fieldname>
- <description><![CDATA[Enable this if you like to connect freeRADIUS to a SQL database. (Default: Disable)<br>
+ <description><![CDATA[Enable this if you like to connect freeRADIUS to a SQL database. (Default: unchecked)<br>
You <b>must enable at least</b> one of the following options: Authorization, Accounting, Session, Post-Auth.]]></description>
- <type>select</type>
- <default_value>Disable</default_value>
- <options>
- <option><name>Disbale</name><value>Disable</value></option>
- <option><name>Enable</name><value>Enable</value></option>
- </options>
+ <type>checkbox</type>
+ <enablefields>varsqlconf2failover,varsqlconf2includeenable,varsqlconfenableauthorize,varsqlconfenableaccounting,varsqlconfenablesession,varsqlconfenablepostauth,varsqlconfdatabase,varsqlconfserver,varsqlconfport,varsqlconflogin,varsqlconfpassword,varsqlconfradiusdb,varsqlconfaccttable1,varsqlconfaccttable2,varsqlconfpostauthtable,varsqlconfauthchecktable,varsqlconfauthreplytable,varsqlconfgroupchecktable,varsqlconfgroupreplytable,varsqlconfusergrouptable,varsqlconfreadgroups,varsqlconfdeletestalesessions,varsqlconfsqltrace,varsqlconfnumsqlsocks,varsqlconfconnectfailureretrydelay,varsqlconflifetime,varsqlconfmaxqueries,varsqlconfreadclients,varsqlconfnastable</enablefields>
</field>
<field>
<fielddescr>Enable SQL Authorization</fielddescr>
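Review bot: Changing `varsqlconfincludeenable` from a select that stored `Enable`/`Disable` to a checkbox changes the value persisted in config.xml (a pfSense checkbox stores `on`), so an existing install that had SQL enabled still carries the old `Enable` string after the package upgrade and, if freeradius.inc now tests for `on`, SQL support is silently switched off at the next resync. Either accept both spellings in the resync code for a release, `if (in_array($sqlconf['varsqlconfincludeenable'], array('on', 'Enable')))`, or rewrite the stored value in the package's install/upgrade hook. The comparison lives in freeradius.inc, outside this hunk, so I am inferring it from the checkbox semantics rather than reading it. The new `<enablefields>` list also gates `varsqlconf2includeenable` and `varsqlconf2failover` behind the server-1 checkbox, which looks intended but deserves a sentence in the description so users know server 2 cannot be enabled on its own.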
@@ -162,7 +158,7 @@
</options>
</field>
<field>
- <name>SQL Database Configuration</name>
+ <name>SQL DATABASE CONFIGURATION - SERVER 1</name>
<type>listtopic</type>
</field>
<field>
@@ -173,8 +169,6 @@
<default_value>mysql</default_value>
<options>
<option><name>MySQL</name><value>mysql</value></option>
- <option><name>MsSQL</name><value>mssql</value></option>
- <option><name>Oracle</name><value>oracle</value></option>
<option><name>PostgreSQL</name><value>postgresql</value></option>
</options>
</field>
@@ -352,6 +346,274 @@
<type>input</type>
<default_value>nas</default_value>
</field>
+ <field>
+ <name>ENABLE REDUNDANT SQL DATABASE SUPPORT</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Choose Failover/Loadbalancing Mode</fielddescr>
+ <fieldname>varsqlconf2failover</fieldname>
+ <description><![CDATA[Choose the interaction of the two SQL databases: (Default: redundant)<br><br>
+ <b>redundant:</b> If server 1 fails failover to server 2<br>
+ <b>load-balance:</b> The load is balanced 50:50 to both databases<br>
+ <b>redundant-load-balance:</b> The load is balanced 50:50 to both databases. If one is down the other does 100%.]]></description>
+ <type>select</type>
+ <default_value>redundant</default_value>
+ <options>
+ <option><name>Redundant</name><value>redundant</value></option>
+ <option><name>Load-Balance</name><value>load-balance</value></option>
+ <option><name>Redundant-Load-Balance</name><value>redundant-load-balance</value></option>
+ </options>
+ </field>
+ <field>
+ <name>ENABLE SQL DATABASE - SERVER 2</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable SQL Support</fielddescr>
+ <fieldname>varsqlconf2includeenable</fieldname>
+ <description><![CDATA[Enable this if you like to connect freeRADIUS to a SQL database. (Default: unchecked)<br>
+ You <b>must enable at least</b> one of the following options: Authorization, Accounting, Session, Post-Auth.]]></description>
+ <type>checkbox</type>
+ <enablefields>varsqlconf2enableauthorize,varsqlconf2enableaccounting,varsqlconf2enablesession,varsqlconf2enablepostauth,varsqlconf2database,varsqlconf2server,varsqlconf2port,varsqlconf2login,varsqlconf2password,varsqlconf2radiusdb,varsqlconf2accttable1,varsqlconf2accttable2,varsqlconf2postauthtable,varsqlconf2authchecktable,varsqlconf2authreplytable,varsqlconf2groupchecktable,varsqlconf2groupreplytable,varsqlconf2usergrouptable,varsqlconf2readgroups,varsqlconf2deletestalesessions,varsqlconf2sqltrace,varsqlconf2numsqlsocks,varsqlconf2connectfailureretrydelay,varsqlconf2lifetime,varsqlconf2maxqueries,varsqlconf2readclients,varsqlconf2nastable</enablefields>
+ </field>
+ <field>
+ <fielddescr>Enable SQL Authorization</fielddescr>
+ <fieldname>varsqlconf2enableauthorize</fieldname>
+ <description><![CDATA[Enable this if usernames and passwords are stored on a SQL database.<br>
+ SQL support must be enabled for this to work. (Default: Disable)]]></description>
+ <type>select</type>
+ <default_value>Disable</default_value>
+ <options>
+ <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Enable</name><value>Enable</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Enable SQL Accounting</fielddescr>
+ <fieldname>varsqlconf2enableaccounting</fieldname>
+ <description><![CDATA[Enable this if accounting packets should be logged to a SQL database.<br>
+ SQL support must be enabled for this to work. (Default: Disable)]]></description>
+ <type>select</type>
+ <default_value>Disable</default_value>
+ <options>
+ <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Enable</name><value>Enable</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Enable SQL Session</fielddescr>
+ <fieldname>varsqlconf2enablesession</fieldname>
+ <description><![CDATA[Enable this to use the "rlm_sql" module (fast) to check for simultaneous connections instead of "radutmp" (slow).<br>
+ SQL support must be enabled for this to work. (Default: Disable)]]></description>
+ <type>select</type>
+ <default_value>Disable</default_value>
+ <options>
+ <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Enable</name><value>Enable</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Enable SQL Post-Auth</fielddescr>
+ <fieldname>varsqlconf2enablepostauth</fieldname>
+ <description><![CDATA[Enable this if you like to store post-authentication data on a SQL database.<br>
+ SQL support must be enabled for this to work. (Default: Disable)]]></description>
+ <type>select</type>
+ <default_value>Disable</default_value>
+ <options>
+ <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Enable</name><value>Enable</value></option>
+ </options>
+ </field>
+ <field>
+ <name>SQL DATABASE CONFIGURATION - SERVER 2</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Database Type</fielddescr>
+ <fieldname>varsqlconf2database</fieldname>
+ <description><![CDATA[Choose the database type. (Default: mysql)]]></description>
+ <type>select</type>
+ <default_value>mysql</default_value>
+ <options>
+ <option><name>MySQL</name><value>mysql</value></option>
+ <option><name>PostgreSQL</name><value>postgresql</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Server IP Address</fielddescr>
+ <fieldname>varsqlconf2server</fieldname>
+ <description><![CDATA[Enter the IP address of the database server (Default: localhost)]]></description>
+ <type>input</type>
+ <default_value>localhost</default_value>
+ </field>
+ <field>
+ <fielddescr>Server Port Address</fielddescr>
+ <fieldname>varsqlconf2port</fieldname>
+ <description><![CDATA[Enter the port address of the database server (Default: 3306)]]></description>
+ <type>input</type>
+ <default_value>3306</default_value>
+ </field>
+ <field>
+ <fielddescr>Database Username</fielddescr>
+ <fieldname>varsqlconf2login</fieldname>
+ <description><![CDATA[Enter the username of the database server (Default: radius)]]></description>
+ <type>input</type>
+ <default_value>radius</default_value>
+ </field>
+ <field>
+ <fielddescr>Database Password</fielddescr>
+ <fieldname>varsqlconf2password</fieldname>
+ <description><![CDATA[Enter the password of the database server (Default: radpass)]]></description>
+ <type>password</type>
+ <default_value>radpass</default_value>
+ </field>
+ <field>
+ <fielddescr>Database Table Configuration</fielddescr>
+ <fieldname>varsqlconf2radiusdb</fieldname>
+ <description><![CDATA[Choose database table configuration: (Default: radius) <br>
+ For all <b>except</b> Oracle choose: <b>radius</b> <br>
+ For Oracle change and paste the following line according your environment:<br>
+ <b>(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))</b>]]></description>
+ <type>input</type>
+ <default_value>radius</default_value>
+ </field>
+ <field>
+ <fielddescr>Accounting Table 1 (Start)</fielddescr>
+ <fieldname>varsqlconf2accttable1</fieldname>
+ <description><![CDATA[This is the accounting "Start" table. If you want to log "Start" and "Stop" to the same table choose the same name for both. (Default: radacct)]]></description>
+ <type>input</type>
+ <default_value>radacct</default_value>
+ </field>
+ <field>
+ <fielddescr>Accounting Table 2 (Stop)</fielddescr>
+ <fieldname>varsqlconf2accttable2</fieldname>
+ <description><![CDATA[This is the accounting "Stop" table. If you want to log "Stop" and "Stop" to the same table choose the same name for both. (Default: radacct)]]></description>
+ <type>input</type>
+ <default_value>radacct</default_value>
+ </field>
+ <field>
+ <fielddescr>Post Auth Table</fielddescr>
+ <fieldname>varsqlconf2postauthtable</fieldname>
+ <description><![CDATA[Choose Post Auth Table. (Default: radpostauth)]]></description>
+ <type>input</type>
+ <default_value>radpostauth</default_value>
+ </field>
+ <field>
+ <fielddescr>Auth Check Table</fielddescr>
+ <fieldname>varsqlconf2authchecktable</fieldname>
+ <description><![CDATA[Choose Auth Check Table. (Default: radcheck)]]></description>
+ <type>input</type>
+ <default_value>radcheck</default_value>
+ </field>
+ <field>
+ <fielddescr>Auth Reply Table</fielddescr>
+ <fieldname>varsqlconf2authreplytable</fieldname>
+ <description><![CDATA[Choose Auth Reply Table. (Default: radreply)]]></description>
+ <type>input</type>
+ <default_value>radreply</default_value>
+ </field>
+ <field>
+ <fielddescr>Group Check Table</fielddescr>
+ <fieldname>varsqlconf2groupchecktable</fieldname>
+ <description><![CDATA[Choose Group Check Table. (Default: radgroupcheck)]]></description>
+ <type>input</type>
+ <default_value>radgroupcheck</default_value>
+ </field>
+ <field>
+ <fielddescr>Group Reply Table</fielddescr>
+ <fieldname>varsqlconf2groupreplytable</fieldname>
+ <description><![CDATA[Choose Group Check Table. (Default: radgroupreply)]]></description>
+ <type>input</type>
+ <default_value>radgroupreply</default_value>
+ </field>
+ <field>
+ <fielddescr>User Group Table</fielddescr>
+ <fieldname>varsqlconf2usergrouptable</fieldname>
+ <description><![CDATA[Choose Group Check Table. (Default: radusergroup)]]></description>
+ <type>input</type>
+ <default_value>radusergroup</default_value>
+ </field>
+ <field>
+ <fielddescr>Read the Group Tables</fielddescr>
+ <fieldname>varsqlconf2readgroups</fieldname>
+ <description><![CDATA[If set to <b>yes</b> (default) we read the group tables.<br>
+ If set to <b>no</b> the user <b>must</b> have Fall-Through = Yes in the radreply table]]></description>
+ <type>select</type>
+ <default_value>yes</default_value>
+ <options>
+ <option><name>Yes</name><value>yes</value></option>
+ <option><name>No</name><value>no</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Delete Stale Sessions</fielddescr>
+ <fieldname>varsqlconf2deletestalesessions</fieldname>
+ <description><![CDATA[Remove stale session if checkrad does not see a double login. (Default: yes)]]></description>
+ <type>select</type>
+ <default_value>yes</default_value>
+ <options>
+ <option><name>Yes</name><value>yes</value></option>
+ <option><name>No</name><value>no</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Print all SQL Statements</fielddescr>
+ <fieldname>varsqlconf2sqltrace</fieldname>
+ <description><![CDATA[Print all SQL statements when in debug mode. (Default: no)]]></description>
+ <type>select</type>
+ <default_value>no</default_value>
+ <options>
+ <option><name>Yes</name><value>yes</value></option>
+ <option><name>No</name><value>no</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Number of SQL Connections</fielddescr>
+ <fieldname>varsqlconf2numsqlsocks</fieldname>
+ <description><![CDATA[Number of SQL connections to make to the server. (Default: 5)]]></description>
+ <type>input</type>
+ <default_value>5</default_value>
+ </field>
+ <field>
+ <fielddescr>Failed Database Connection Delay</fielddescr>
+ <fieldname>varsqlconf2connectfailureretrydelay</fieldname>
+ <description><![CDATA[Number of seconds btween a retry after a failed database connection. (Default: 60)]]></description>
+ <type>input</type>
+ <default_value>60</default_value>
+ </field>
+ <field>
+ <fielddescr>SQL Socket Lifetime</fielddescr>
+ <fieldname>varsqlconf2lifetime</fieldname>
+ <description><![CDATA[If you are having network issues such as TCP sessions expiring, you may need to set the socket lifetime. If set to non-zero, any open connections will be closed X seconds after they were first opened. (Default: 0)]]></description>
+ <type>input</type>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fielddescr>SQL Socket Maximum Queries</fielddescr>
+ <fieldname>varsqlconf2maxqueries</fieldname>
+ <description><![CDATA[If you have issues with SQL sockets lasting too long, you can limit the number of queries performed over one socket. After X queries, the socket will be closed. Use 0 for no limit. (Default: 0)]]></description>
+ <type>input</type>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fielddescr>Read Clients from Database</fielddescr>
+ <fieldname>varsqlconf2readclients</fieldname>
+ <description><![CDATA[Set to <b>yes</b> to read radius clients from the database ('nas' table). Clients will only be read on server startup. (Default: yes)]]></description>
+ <type>select</type>
+ <default_value>yes</default_value>
+ <options>
+ <option><name>Yes</name><value>yes</value></option>
+ <option><name>No</name><value>no</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>RADIUS Client Table</fielddescr>
+ <fieldname>varsqlconf2nastable</fieldname>
+ <description><![CDATA[Choose the table to keep RADIUS client info. (Default: nas)]]></description>
+ <type>input</type>
+ <default_value>nas</default_value>
+ </field>
</fields>
<custom_delete_php_command>
freeradius_sqlconf_resync();
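Review bot: The `varsqlconf2radiusdb` description still instructs the user to paste an Oracle `(DESCRIPTION=(ADDRESS=...` connect string, but the server-2 `varsqlconf2database` select just above offers only `mysql` and `postgresql` — and this same commit removes Oracle and MsSQL from server 1 — so the Oracle guidance is dead and misleading; I would reduce it to `Name of the RADIUS database on the server. (Default: radius)`. The server-2 credentials are also pre-filled with the sample pair `radius`/`radpass` in `varsqlconf2login` and `varsqlconf2password`, so a user who enables server 2 and only fills in the address connects with the well-known sample password; consider shipping no `<default_value>` for the password field. Several descriptions are copy-paste slips: `varsqlconf2accttable2` says 'log "Stop" and "Stop"', both `varsqlconf2groupreplytable` and `varsqlconf2usergrouptable` say `Choose Group Check Table`, and the four Enable/Disable selects spell the option name `Disbale`. Finally, `varsqlconf2failover` is stored in this package's config section like every other `varsqlconf*` field, so the resync code should read it from the same array as those fields — worth confirming in freeradius.inc, which is outside this hunk.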