diff options
author | Jim P <jim@pingle.org> | 2012-01-10 13:55:37 -0800 |
---|---|---|
committer | Jim P <jim@pingle.org> | 2012-01-10 13:55:37 -0800 |
commit | fd2a759662f1f537c7fe7643e50ff7153b5f26e6 (patch) | |
tree | 1ca3d515dfe3712e756fe45ab0ae8a583bbf6af4 /config/freeradius2 | |
parent | 091cfe95ac215f6aeafb122581b68db6fd3910c7 (diff) | |
parent | 56cdc00f57c358f8141810da77ebef2d1d85679f (diff) | |
download | pfsense-packages-fd2a759662f1f537c7fe7643e50ff7153b5f26e6.tar.gz pfsense-packages-fd2a759662f1f537c7fe7643e50ff7153b5f26e6.tar.bz2 pfsense-packages-fd2a759662f1f537c7fe7643e50ff7153b5f26e6.zip |
Merge pull request #194 from Nachtfalkeaw/master
freeradius2 updates pkg v1.4.9
Diffstat (limited to 'config/freeradius2')
-rw-r--r-- | config/freeradius2/freeradius.inc | 429 | ||||
-rw-r--r-- | config/freeradius2/freeradiusmodulesldap.xml | 277 | ||||
-rw-r--r-- | config/freeradius2/freeradiussqlconf.xml | 284 |
3 files changed, 939 insertions, 51 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index a15aba8e..3be0faa0 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -170,17 +170,27 @@ function freeradius_settings_resync() { // For more details look at "freeradius_sqlconf_resync" $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; - $varsqlconfincludeenable = ($sqlconf['varsqlconfincludeenable']?$sqlconf['varsqlconfincludeenable']:'Disable'); - // Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf - if ($sqlconf['varsqlconfincludeenable'] == 'Enable') { + // Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf SQL SERVER 2 + if ($sqlconf['varsqlconf2includeenable'] == 'on') { + $varsqlconf2instantiate = 'sql2'; + } + else { + $varsqlconf2instantiate = '### sql2 DISABLED ###'; + } + + $varsqlconf2failover = ($varsettings['varsqlconf2failover']?$varsettings['varsqlconf2failover']:'redundant'); + + // Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf SQL SERVER 1 + if ($sqlconf['varsqlconfincludeenable'] == 'on') { $varsqlconfinclude = '$INCLUDE sql.conf'; $varsqlconfincludecounter = '$INCLUDE sql/mysql/counter.conf'; - $varsqlconfinstantiate = 'sql'; + $varsqlconfinstantiate = "$varsqlconf2failover {" . "\n\t\tsql" . "\n\t\t$varsqlconf2instantiate" . "\n\t}"; } else { $varsqlconfinclude = '#$INCLUDE sql.conf'; $varsqlconfincludecounter = '#$INCLUDE sql/mysql/counter.conf'; + $varsqlconf2failover = ''; $varsqlconfinstantiate = '#sql'; } @@ -799,7 +809,7 @@ function freeradius_sqlconf_resync() { $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; - // Variables: SQL + // Variables: SQL DATABASE 1 $varsqlconfdatabase = ($sqlconf['varsqlconfdatabase']?$sqlconf['varsqlconfdatabase']:'mysql'); $varsqlconfserver = ($sqlconf['varsqlconfserver']?$sqlconf['varsqlconfserver']:'localhost'); $varsqlconfport = ($sqlconf['varsqlconfport']?$sqlconf['varsqlconfport']:'3306'); @@ -826,6 +836,34 @@ function freeradius_sqlconf_resync() { // Additional changes were made in "freeradius_settings_resync" + // Variables: SQL DATABASE 2 + $varsqlconf2database = ($sqlconf['varsqlconf2database']?$sqlconf['varsqlconf2database']:'mysql'); + $varsqlconf2server = ($sqlconf['varsqlconf2server']?$sqlconf['varsqlconf2server']:'localhost'); + $varsqlconf2port = ($sqlconf['varsqlconf2port']?$sqlconf['varsqlconf2port']:'3306'); + $varsqlconf2login = ($sqlconf['varsqlconf2login']?$sqlconf['varsqlconf2login']:'radius'); + $varsqlconf2password = ($sqlconf['varsqlconf2password']?$sqlconf['varsqlconf2password']:'radpass'); + $varsqlconf2radiusdb = ($sqlconf['varsqlconf2radiusdb']?$sqlconf['varsqlconf2radiusdb']:'radius'); + $varsqlconf2accttable1 = ($sqlconf['varsqlconf2accttable1']?$sqlconf['varsqlconf2accttable1']:'radacct'); + $varsqlconf2accttable2 = ($sqlconf['varsqlconf2accttable2']?$sqlconf['varsqlconf2accttable2']:'radacct'); + $varsqlconf2postauthtable = ($sqlconf['varsqlconf2postauthtable']?$sqlconf['varsqlconf2postauthtable']:'radpostauth'); + $varsqlconf2authchecktable = ($sqlconf['varsqlconf2authchecktable']?$sqlconf['varsqlconf2authchecktable']:'radcheck'); + $varsqlconf2authreplytable = ($sqlconf['varsqlconf2authreplytable']?$sqlconf['varsqlconf2authreplytable']:'radreply'); + $varsqlconf2groupchecktable = ($sqlconf['varsqlconf2groupchecktable']?$sqlconf['varsqlconf2groupchecktable']:'radgroupcheck'); + $varsqlconf2groupreplytable = ($sqlconf['varsqlconf2groupreplytable']?$sqlconf['varsqlconf2groupreplytable']:'radgroupreply'); + $varsqlconf2usergrouptable = ($sqlconf['varsqlconf2usergrouptable']?$sqlconf['varsqlconf2usergrouptable']:'radusergroup'); + $varsqlconf2readgroups = ($sqlconf['varsqlconf2readgroups']?$sqlconf['varsqlconf2readgroups']:'yes'); + $varsqlconf2deletestalesessions = ($sqlconf['varsqlconf2deletestalesessions']?$sqlconf['varsqlconf2deletestalesessions']:'yes'); + $varsqlconf2sqltrace = ($sqlconf['varsqlconf2sqltrace']?$sqlconf['varsqlconf2sqltrace']:'no'); + $varsqlconf2numsqlsocks = ($sqlconf['varsqlconf2numsqlsocks']?$sqlconf['varsqlconf2numsqlsocks']:'5'); + $varsqlconf2connectfailureretrydelay = ($sqlconf['varsqlconf2connectfailureretrydelay']?$sqlconf['varsqlconf2connectfailureretrydelay']:'60'); + $varsqlconf2lifetime = ($sqlconf['varsqlconf2lifetime']?$sqlconf['varsqlconf2lifetime']:'0'); + $varsqlconf2maxqueries = ($sqlconf['varsqlconf2maxqueries']?$sqlconf['varsqlconf2maxqueries']:'0'); + $varsqlconf2readclients = ($sqlconf['varsqlconf2readclients']?$sqlconf['varsqlconf2readclients']:'yes'); + $varsqlconf2nastable = ($sqlconf['varsqlconf2nastable']?$sqlconf['varsqlconf2nastable']:'nas'); + + // Additional changes were made in "freeradius_settings_resync" + + $conf .= <<<EOD sql { @@ -857,6 +895,35 @@ sql { \$INCLUDE sql/\${database}/dialup.conf } +sql sql2 { + database = "$varsqlconf2database" + driver = "rlm_sql_\${database}" + server = "$varsqlconf2server" + port = $varsqlconf2port + login = "$varsqlconf2login" + password = "$varsqlconf2password" + radius_db = "$varsqlconf2radiusdb" + acct_table1 = "$varsqlconf2accttable1" + acct_table2 = "$varsqlconf2accttable2" + postauth_table = "$varsqlconf2postauthtable" + authcheck_table = "$varsqlconf2authchecktable" + authreply_table = "$varsqlconf2authreplytable" + groupcheck_table = "$varsqlconf2groupchecktable" + groupreply_table = "$varsqlconf2groupreplytable" + usergroup_table = "$varsqlconf2usergrouptable" + read_groups = $varsqlconf2readgroups + deletestalesessions = $varsqlconf2deletestalesessions + sqltrace = $varsqlconf2sqltrace + sqltracefile = \${logdir}/sqltrace.sql + num_sql_socks = $varsqlconf2numsqlsocks + connect_failure_retry_delay = $varsqlconf2connectfailureretrydelay + lifetime = $varsqlconf2lifetime + max_queries = $varsqlconf2maxqueries + readclients = $varsqlconf2readclients + nas_table = "$varsqlconf2nastable" + \$INCLUDE sql/\${database}/dialup.conf +} + EOD; $filename = RADDB . '/sql.conf'; @@ -878,60 +945,123 @@ function freeradius_serverdefault_resync() { // Get Variables from freeradiusmodulesldap.xml $arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0]; + // failover/loadbalancing mode + $varmodulesldap2failover = ($arrmodulesldap['varmodulesldap2failover']?$arrmodulesldap['varmodulesldap2failover']:'redundant'); + + // If unchecked then disable authorize ldap2 + if (!$arrmodulesldap['varmodulesldap2enableauthorize']) { + $varmodulesldap2enableauthorize = '### ldap2 disabled ###'; + } + else { + $varmodulesldap2enableauthorize = 'ldap2'; + } - // If unchecked then disable authorize + // If unchecked then disable authorize ldap1 if (!$arrmodulesldap['varmodulesldapenableauthorize']) { $varmodulesldapenableauthorize = '### ldap ###'; } else { - $varmodulesldapenableauthorize = 'ldap'; + $varmodulesldapenableauthorize = ''; + $varmodulesldapenableauthorize .= "$varmodulesldap2failover {"; + $varmodulesldapenableauthorize .= "\n\t\tldap"; + // this line adds ldap2 when activated + $varmodulesldapenableauthorize .= "\n\t\t$varmodulesldap2enableauthorize"; + $varmodulesldapenableauthorize .= "\n\t}"; } - // If unchecked then disable authenticate + // If unchecked then disable authenticate for ldap1 + if (!$arrmodulesldap['varmodulesldap2enableauthenticate']) { + $varmodulesldap2enableauthenticate = "### ldap2 disabled ###"; + } + else { + $varmodulesldap2enableauthenticate = "ldap2"; + } + + // If unchecked then disable authenticate ldap2 if (!$arrmodulesldap['varmodulesldapenableauthenticate']) { - $varmodulesldapenableauthenticate = "#Auth-Type LDAP {" . "\n\t\t\t#ldap" . "\n\t#}"; + $varmodulesldapenableauthenticate = "#Auth-Type LDAP {" . "\n\t\t\t#ldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t#}"; } else { - $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t}"; + $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t\t\t$varmodulesldap2enableauthenticate" . "\n\t}"; } - - // Get Variables from freeradiussqlconf.xml + + + + // Get Variables from freeradiussqlconf.xml for DATABASE 1 $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; $varsqlconfenableauthorize = ($sqlconf['varsqlconfenableauthorize']?$sqlconf['varsqlconfenableauthorize']:'Disable'); $varsqlconfenableaccounting = ($sqlconf['varsqlconfenableaccounting']?$sqlconf['varsqlconfenableaccounting']:'Disable'); $varsqlconfenablesession = ($sqlconf['varsqlconfenablesession']?$sqlconf['varsqlconfenablesession']:'Disable'); - $varsqlconfenablepostauth = ($sqlconf['varsqlconfenablepostauth']?$sqlconf['varsqlconfenablepostauth']:'Disable'); + $varsqlconfenablepostauth = ($sqlconf['varsqlconfenablepostauth']?$sqlconf['varsqlconfenablepostauth']:'Disable'); + + // Get Variables from freeradiussqlconf.xml for DATABASE 2 + $varsqlconf2enableauthorize = ($sqlconf['varsqlconf2enableauthorize']?$sqlconf['varsqlconf2enableauthorize']:'Disable'); + $varsqlconf2enableaccounting = ($sqlconf['varsqlconf2enableaccounting']?$sqlconf['varsqlconf2enableaccounting']:'Disable'); + $varsqlconf2enablesession = ($sqlconf['varsqlconf2enablesession']?$sqlconf['varsqlconf2enablesession']:'Disable'); + $varsqlconf2enablepostauth = ($sqlconf['varsqlconf2enablepostauth']?$sqlconf['varsqlconf2enablepostauth']:'Disable'); + + // authorize section DATABASE 2 + if ($sqlconf['varsqlconf2enableauthorize'] == 'Enable') { + $varsqlconf2authorize = 'sql2'; + } + else { + $varsqlconf2authorize = '### sql2 DISABLED ###'; + } + // accounting section DATABASE 2 + if ($sqlconf['varsqlconf2enableaccounting'] == 'Enable') { + $varsqlconf2accounting = 'sql2'; + } + else { + $varsqlconf2accounting = '### sql2 DISABLED ###'; + } + // session section DATABASE 2 + if ($sqlconf['varsqlconf2enablesession'] == 'Enable') { + $varsqlconf2session = 'sql2'; + } + else { + $varsqlconf2session = '### sql2 DISABLED ###'; + } + // post-auth section DATABASE 2 + if ($sqlconf['varsqlconf2enablepostauth'] == 'Enable') { + $varsqlconf2postauth = 'sql2'; + } + else { + $varsqlconf2postauth = '### sql2 DISABLED ###'; + } + + // Failover mode + $varsqlconf2failover = ($sqlconf['varsqlconf2failover']?$sqlconf['varsqlconf2failover']:'redundant'); - // authorize section - if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenableauthorize'] == 'Enable')) { - $varsqlconfauthorize = 'sql'; + // authorize section DATABASE 1 + if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenableauthorize'] == 'Enable')) { + $varsqlconfauthorize = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2authorize" . "\n\t}"; } else { - $varsqlconfauthorize = '#sql'; + $varsqlconfauthorize = '### sql DISABLED ###'; } - // accounting section - if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenableaccounting'] == 'Enable')) { - $varsqlconfaccounting = 'sql'; + // accounting section DATABASE 1 + if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenableaccounting'] == 'Enable')) { + $varsqlconfaccounting = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2accounting" . "\n\t}"; } else { - $varsqlconfaccounting = '#sql'; + $varsqlconfaccounting = '### sql DISABLED ###'; } - // session section - if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenablesession'] == 'Enable')) { - $varsqlconfsession = 'sql'; + // session section DATABASE 1 + if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenablesession'] == 'Enable')) { + $varsqlconfsession = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2session" . "\n\t}"; } else { - $varsqlconfsession = 'radutmp'; + $varsqlconfsession = 'radutmp'; } - // post-auth section - if (($sqlconf['varsqlconfincludeenable'] == 'Enable') && ($sqlconf['varsqlconfenablepostauth'] == 'Enable')) { - $varsqlconfpostauth = 'sql'; + // post-auth section DATABASE 1 + if (($sqlconf['varsqlconfincludeenable'] == 'on') && ($sqlconf['varsqlconfenablepostauth'] == 'Enable')) { + $varsqlconfpostauth = "$varsqlconf2failover {" . "\n\t\t\tsql" . "\n\t\t\t$varsqlconf2postauth" . "\n\t}"; } else { - $varsqlconfpostauth = '#sql'; + $varsqlconfpostauth = '### sql DISABLED ###'; } // Changing authorize section for plain mac auth @@ -1161,6 +1291,7 @@ authorize { # # The ldap module will set Auth-Type to LDAP if it has not # already been set + $varmodulesldapenableauthorize # @@ -2404,9 +2535,10 @@ function freeradius_modulesldap_resync() { $arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0]; // Enable and Disable LDAP for "authorize" and "authenticate" will be done in "freeradius_serverdefault_resync" + // redundatnt-load-balancing will there be done, too - // Variables for General Configuration + // Variables for General Configuration ldap1 $varmodulesldapserver = ($arrmodulesldap['varmodulesldapserver']?$arrmodulesldap['varmodulesldapserver']:'ldap.your.domain'); $varmodulesldapidentity = ($arrmodulesldap['varmodulesldapidentity']?$arrmodulesldap['varmodulesldapidentity']:'cn=admin,o=My Org,c=UA'); $varmodulesldappassword = ($arrmodulesldap['varmodulesldappassword']?$arrmodulesldap['varmodulesldappassword']:'mypass'); @@ -2418,10 +2550,22 @@ function freeradius_modulesldap_resync() { $varmodulesldaptimelimit = ($arrmodulesldap['varmodulesldaptimelimit']?$arrmodulesldap['varmodulesldaptimelimit']:'3'); $varmodulesldapnettimeout = ($arrmodulesldap['varmodulesldapnettimeout']?$arrmodulesldap['varmodulesldapnettimeout']:'1'); + // Variables for General Configuration ldap2 + $varmodulesldap2server = ($arrmodulesldap['varmodulesldap2server']?$arrmodulesldap['varmodulesldap2server']:'ldap.your.domain'); + $varmodulesldap2identity = ($arrmodulesldap['varmodulesldap2identity']?$arrmodulesldap['varmodulesldap2identity']:'cn=admin,o=My Org,c=UA'); + $varmodulesldap2password = ($arrmodulesldap['varmodulesldap2password']?$arrmodulesldap['varmodulesldap2password']:'mypass'); + $varmodulesldap2basedn = ($arrmodulesldap['varmodulesldap2basedn']?$arrmodulesldap['varmodulesldap2basedn']:'o=My Org,c=UA'); + $varmodulesldap2filter = ($arrmodulesldap['varmodulesldap2filter']?$arrmodulesldap['varmodulesldap2filter']:'(uid=%{%{Stripped-User-Name}:-%{User-Name}})'); + $varmodulesldap2basefilter = ($arrmodulesldap['varmodulesldap2basefilter']?$arrmodulesldap['varmodulesldap2basefilter']:'(objectclass=radiusprofile)'); + $varmodulesldap2ldapconnectionsnumber = ($arrmodulesldap['varmodulesldap2ldapconnectionsnumber']?$arrmodulesldap['varmodulesldap2ldapconnectionsnumber']:'5'); + $varmodulesldap2timeout = ($arrmodulesldap['varmodulesldap2timeout']?$arrmodulesldap['varmodulesldap2timeout']:'4'); + $varmodulesldap2timelimit = ($arrmodulesldap['varmodulesldap2timelimit']?$arrmodulesldap['varmodulesldap2timelimit']:'3'); + $varmodulesldap2nettimeout = ($arrmodulesldap['varmodulesldap2nettimeout']?$arrmodulesldap['varmodulesldap2nettimeout']:'1'); + // Variables for TLS / Certificates - will be added later - // Miscellaneous Configuration + MS Active Directory Compatibility + // Miscellaneous Configuration + MS Active Directory Compatibility ldap1 $varmodulesldapmsadcompatibilityenable = ($arrmodulesldap['varmodulesldapmsadcompatibilityenable']?$arrmodulesldap['varmodulesldapmsadcompatibilityenable']:'Disable'); if ($arrmodulesldap['varmodulesldapmsadcompatibilityenable'] == 'Disable') { $varmodulesldapmsadcompatibility = '### MS Active Directory Compatibility is disabled ###'; @@ -2429,8 +2573,17 @@ function freeradius_modulesldap_resync() { else { $varmodulesldapmsadcompatibility = 'chase_referrals = yes' . "\n\trebind = yes"; } + + // Miscellaneous Configuration + MS Active Directory Compatibility ldap2 + $varmodulesldap2msadcompatibilityenable = ($arrmodulesldap['varmodulesldap2msadcompatibilityenable']?$arrmodulesldap['varmodulesldap2msadcompatibilityenable']:'Disable'); + if ($arrmodulesldap['varmodulesldap2msadcompatibilityenable'] == 'Disable') { + $varmodulesldap2msadcompatibility = '### MS Active Directory Compatibility is disabled ###'; + } + else { + $varmodulesldap2msadcompatibility = 'chase_referrals = yes' . "\n\trebind = yes"; + } - // When disabled we put this in the file but commented (#) like in the default installation + // When disabled we put this in the file but commented (#) like in the default installation ldap1 if (!$arrmodulesldap['varmodulesldapdmiscenable']) { $varmodulesldapdefaultprofile = '### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###'; $varmodulesldapprofileattribute = '### profile_attribute = "radiusProfileDn" ###'; @@ -2446,8 +2599,24 @@ function freeradius_modulesldap_resync() { $varmodulesldapaccessattr = "access_attr = " . '"' . "$varmodulesldapaccessattr" . '"'; } + // When disabled we put this in the file but commented (#) like in the default installation ldap2 + if (!$arrmodulesldap['varmodulesldap2dmiscenable']) { + $varmodulesldap2defaultprofile = '### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###'; + $varmodulesldap2profileattribute = '### profile_attribute = "radiusProfileDn" ###'; + $varmodulesldap2accessattr = '### access_attr = "dialupAccess" ###'; + } + // When enabled we put in the default values so there is no empty entry if there is not input from GUI + else { + $varmodulesldap2defaultprofile = ($arrmodulesldap['varmodulesldap2defaultprofile']?$arrmodulesldap['varmodulesldap2defaultprofile']:'cn=radprofile,ou=dialup,o=My Org,c=UA'); + $varmodulesldap2defaultprofile = "default_profile = " . '"' . "$varmodulesldap2defaultprofile" . '"'; + $varmodulesldap2profileattribute = ($arrmodulesldap['varmodulesldap2profileattribute']?$arrmodulesldap['varmodulesldap2profileattribute']:'radiusProfileDn'); + $varmodulesldap2profileattribute = "profile_attribute = " . '"' . "$varmodulesldap2profileattribute" . '"'; + $varmodulesldap2accessattr = ($arrmodulesldap['varmodulesldap2accessattr']?$arrmodulesldap['varmodulesldap2accessattr']:'dialupAccess'); + $varmodulesldap2accessattr = "access_attr = " . '"' . "$varmodulesldap2accessattr" . '"'; + } + // Group membership checking - // When disabled we put this in the file but commented (#) like in the default installation + // When disabled we put this in the file but commented (#) like in the default installation ldap1 if (!$arrmodulesldap['varmodulesldapgroupenable']) { $varmodulesldapgroupnameattribute = '### groupname_attribute = cn ###'; $varmodulesldapgroupmembershipfilter = '### groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###'; @@ -2473,12 +2642,45 @@ function freeradius_modulesldap_resync() { $varmodulesldapaccessattrusedforallow = ($arrmodulesldap['varmodulesldapaccessattrusedforallow']?$arrmodulesldap['varmodulesldapaccessattrusedforallow']:'yes'); $varmodulesldapaccessattrusedforallow = "access_attr_used_for_allow = $varmodulesldapaccessattrusedforallow"; } + + // Group membership checking + // When disabled we put this in the file but commented (#) like in the default installation ldap2 + if (!$arrmodulesldap['varmodulesldap2groupenable']) { + $varmodulesldap2groupnameattribute = '### groupname_attribute = cn ###'; + $varmodulesldap2groupmembershipfilter = '### groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###'; + $varmodulesldap2groupmembershipattribute = '### groupmembership_attribute = radiusGroupName ###'; + $varmodulesldap2comparecheckitems = '### compare_check_items = yes ###'; + $varmodulesldap2doxlat = '### do_xlat = yes ###'; + $varmodulesldap2accessattrusedforallow = '### access_attr_used_for_allow = yes ###'; + } - // Keepalive variables + // When enabled we put in the default values so there is no empty entry if there is not input from GUI + else { + $varmodulesldap2groupnameattribute = ($arrmodulesldap['varmodulesldap2groupnameattribute']?$arrmodulesldap['varmodulesldap2groupnameattribute']:'cn'); + $varmodulesldap2groupnameattribute = "groupname_attribute = $varmodulesldap2groupnameattribute"; + $varmodulesldap2groupmembershipfilter = ($arrmodulesldap['varmodulesldap2groupmembershipfilter']?$arrmodulesldap['varmodulesldap2groupmembershipfilter']:'(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))'); + $varmodulesldap2groupmembershipfilter = "groupmembership_filter = " . '"' . "$varmodulesldap2groupmembershipfilter" . '"'; + $varmodulesldap2groupmembershipattribute = ($arrmodulesldap['varmodulesldap2groupmembershipattribute']?$arrmodulesldap['varmodulesldap2groupmembershipattribute']:'radiusGroupName'); + $varmodulesldap2groupmembershipattribute = "groupmembership_attribute = $varmodulesldap2groupmembershipattribute"; + + $varmodulesldap2comparecheckitems = ($arrmodulesldap['varmodulesldap2comparecheckitems']?$arrmodulesldap['varmodulesldap2comparecheckitems']:'yes'); + $varmodulesldap2comparecheckitems = "compare_check_items = $varmodulesldap2comparecheckitems"; + $varmodulesldap2doxlat = ($arrmodulesldap['varmodulesldap2doxlat']?$arrmodulesldap['varmodulesldap2doxlat']:'yes'); + $varmodulesldap2doxlat = "do_xlat = $varmodulesldap2doxlat"; + $varmodulesldap2accessattrusedforallow = ($arrmodulesldap['varmodulesldap2accessattrusedforallow']?$arrmodulesldap['varmodulesldap2accessattrusedforallow']:'yes'); + $varmodulesldap2accessattrusedforallow = "access_attr_used_for_allow = $varmodulesldap2accessattrusedforallow"; + } + + // Keepalive variables ldap1 $varmodulesldapkeepaliveidle = ($arrmodulesldap['varmodulesldapkeepaliveidle']?$arrmodulesldap['varmodulesldapkeepaliveidle']:'60'); $varmodulesldapkeepaliveprobes = ($arrmodulesldap['varmodulesldapkeepaliveprobes']?$arrmodulesldap['varmodulesldapkeepaliveprobes']:'3'); $varmodulesldapkeepaliveinterval = ($arrmodulesldap['varmodulesldapkeepaliveinterval']?$arrmodulesldap['varmodulesldapkeepaliveinterval']:'3'); + // Keepalive variables ldap2 + $varmodulesldap2keepaliveidle = ($arrmodulesldap['varmodulesldap2keepaliveidle']?$arrmodulesldap['varmodulesldap2keepaliveidle']:'60'); + $varmodulesldap2keepaliveprobes = ($arrmodulesldap['varmodulesldap2keepaliveprobes']?$arrmodulesldap['varmodulesldap2keepaliveprobes']:'3'); + $varmodulesldap2keepaliveinterval = ($arrmodulesldap['varmodulesldap2keepaliveinterval']?$arrmodulesldap['varmodulesldap2keepaliveinterval']:'3'); + $conf .= <<<EOD # -*- text -*- @@ -2667,6 +2869,165 @@ ldap { interval = $varmodulesldapkeepaliveinterval } } + +ldap ldap2{ + # + # Note that this needs to match the name in the LDAP + # server certificate, if you're using ldaps. + server = "$varmodulesldap2server" + identity = "$varmodulesldap2identity" + password = $varmodulesldap2password + basedn = "$varmodulesldap2basedn" + filter = "$varmodulesldap2filter" + base_filter = "$varmodulesldap2basefilter" + + # How many connections to keep open to the LDAP server. + # This saves time over opening a new LDAP socket for + # every authentication request. + ldap_connections_number = $varmodulesldap2ldapconnectionsnumber + + # seconds to wait for LDAP query to finish. default: 20 + timeout = $varmodulesldap2timeout + + # seconds LDAP server has to process the query (server-side + # time limit). default: 20 + # + # LDAP_OPT_TIMELIMIT is set to this value. + timelimit = $varmodulesldap2timelimit + + # + # seconds to wait for response of the server. (network + # failures) default: 10 + # + # LDAP_OPT_NETWORK_TIMEOUT is set to this value. + net_timeout = $varmodulesldap2nettimeout + + # + # This subsection configures the tls related items + # that control how FreeRADIUS connects to an LDAP + # server. It contains all of the "tls_*" configuration + # entries used in older versions of FreeRADIUS. Those + # configuration entries can still be used, but we recommend + # using these. + # + tls { + # Set this to 'yes' to use TLS encrypted connections + # to the LDAP database by using the StartTLS extended + # operation. + # + # The StartTLS operation is supposed to be + # used with normal ldap connections instead of + # using ldaps (port 689) connections + start_tls = no + + # cacertfile = /path/to/cacert.pem + # cacertdir = /path/to/ca/dir/ + # certfile = /path/to/radius.crt + # keyfile = /path/to/radius.key + # randfile = /path/to/rnd + + # Certificate Verification requirements. Can be: + # "never" (don't even bother trying) + # "allow" (try, but don't fail if the cerificate + # can't be verified) + # "demand" (fail if the certificate doesn't verify.) + # + # The default is "allow" + # require_cert = "demand" + } + + $varmodulesldap2defaultprofile + $varmodulesldap2profileattribute + $varmodulesldap2accessattr + + # Mapping of RADIUS dictionary attributes to LDAP + # directory attributes. + dictionary_mapping = \${confdir}/ldap.attrmap + ################## THE BELOW IS NOT COMPILED WITH FREERADIUS ################################# + # Set password_attribute = nspmPassword to get the + # user's password from a Novell eDirectory + # backend. This will work ONLY IF FreeRADIUS has been + # built with the --with-edir configure option. + # + # See also the following links: + # + # http://www.novell.com/coolsolutions/appnote/16745.html + # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html + # + # Novell may require TLS encrypted sessions before returning + # the user's password. + # + # password_attribute = userPassword + + # Un-comment the following to disable Novell + # eDirectory account policy check and intruder + # detection. This will work *only if* FreeRADIUS is + # configured to build with --with-edir option. + # + edir_account_policy_check = no + ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS ################################# + # + # Group membership checking. Disabled by default. + # + $varmodulesldap2groupnameattribute + $varmodulesldap2groupmembershipfilter + $varmodulesldap2groupmembershipattribute + + $varmodulesldap2comparecheckitems + $varmodulesldap2doxlat + $varmodulesldap2accessattrusedforallow + + # + # The following two configuration items are for Active Directory + # compatibility. If you see the helpful "operations error" + # being returned to the LDAP module, uncomment the next + # two lines. + # + + $varmodulesldap2msadcompatibility + + # + # By default, if the packet contains a User-Password, + # and no other module is configured to handle the + # authentication, the LDAP module sets itself to do + # LDAP bind for authentication. + # + # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. + # + # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). + # + # You can disable this behavior by setting the following + # configuration entry to "no". + # + # allowed values: {no, yes} + # set_auth_type = yes + + # ldap_debug: debug flag for LDAP SDK + # (see OpenLDAP documentation). Set this to enable + # huge amounts of LDAP debugging on the screen. + # You should only use this if you are an LDAP expert. + # + # default: 0x0000 (no debugging messages) + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) + #ldap_debug = 0x0028 + + # + # Keepalive configuration. This MAY NOT be supported by your + # LDAP library. If these configuration entries appear in the + # output of "radiusd -X", then they are supported. Otherwise, + # they are unsupported, and changing them will do nothing. + # + keepalive { + # LDAP_OPT_X_KEEPALIVE_IDLE + idle = $varmodulesldap2keepaliveidle + + # LDAP_OPT_X_KEEPALIVE_PROBES + probes = $varmodulesldap2keepaliveprobes + + # LDAP_OPT_X_KEEPALIVE_INTERVAL + interval = $varmodulesldap2keepaliveinterval + } +} EOD; $filename = RADDB . '/modules/ldap'; diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml index 06a990e7..cf7f5b33 100644 --- a/config/freeradius2/freeradiusmodulesldap.xml +++ b/config/freeradius2/freeradiusmodulesldap.xml @@ -98,7 +98,7 @@ </tabs> <fields> <field> - <name>ENABLE LDAP SUPPORT</name> + <name>ENABLE LDAP SUPPORT - SERVER 1</name> <type>listtopic</type> </field> <field> @@ -106,6 +106,7 @@ <fieldname>varmodulesldapenableauthorize</fieldname> <description><![CDATA[This enables LDAP in authorize section. The ldap module will set Auth-Type to LDAP if it has not already been set. (Default: unchecked)]]></description> <type>checkbox</type> + <enablefields>varmodulesldap2enableauthenticate,varmodulesldapkeepaliveinterval,varmodulesldapkeepaliveprobes,varmodulesldapkeepaliveidle,varmodulesldapmsadcompatibilityenable,varmodulesldapnettimeout,varmodulesldaptimelimit,varmodulesldaptimeout,varmodulesldapldapconnectionsnumber,varmodulesldapbasefilter,varmodulesldapfilter,varmodulesldapbasedn,varmodulesldappassword,varmodulesldapidentity,varmodulesldapserver,varmodulesldap2enableauthorize,varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval</enablefields> </field> <field> <fielddescr>Enable LDAP For Authentication</fielddescr> @@ -114,7 +115,7 @@ <type>checkbox</type> </field> <field> - <name>GENERAL CONFIGURATION</name> + <name>GENERAL CONFIGURATION - SERVER 1</name> <type>listtopic</type> </field> <field> @@ -198,7 +199,7 @@ <default_value>1</default_value> </field> <field> - <name>MISCELLANEOUS CONFIGURATION</name> + <name>MISCELLANEOUS CONFIGURATION - SERVER 1</name> <type>listtopic</type> </field> <field> @@ -213,7 +214,7 @@ </options> </field> <field> - <fielddescr>Enable Misc Configuration</fielddescr> + <fielddescr>Enable Misc Configuration - SERVER 1</fielddescr> <fieldname>varmodulesldapdmiscenable</fieldname> <description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description> <type>checkbox</type> @@ -244,7 +245,7 @@ <default_value>dialupAccess</default_value> </field> <field> - <name>Group Membership Options</name> + <name>Group Membership Options - SERVER 1</name> <type>listtopic</type> </field> <field> @@ -312,7 +313,7 @@ </options> </field> <field> - <name>KEEPALIVE CONFIGURATION</name> + <name>KEEPALIVE CONFIGURATION - SERVER 1</name> <type>listtopic</type> </field> <field> @@ -339,6 +340,270 @@ <size>80</size> <default_value>3</default_value> </field> + + + <field> + <name>ENABLE REDUNDANT LDAP SERVER SUPPORT</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Choose Failover/Loadbalancing Mode</fielddescr> + <fieldname>varmodulesldap2failover</fieldname> + <description><![CDATA[Choose the interaction of the two LDAP servers: (Default: redundant)<br><br> + <b>redundant:</b> If server 1 fails failover to server 2<br> + <b>load-balance:</b> The load is balanced 50:50 to both servers<br> + <b>redundant-load-balance:</b> The load is balanced 50:50 to both servers. If one is down the other does 100%.]]></description> + <type>select</type> + <default_value>redundant</default_value> + <options> + <option><name>Redundant</name><value>redundant</value></option> + <option><name>Load-Balance</name><value>load-balance</value></option> + <option><name>Redundant-Load-Balance</name><value>redundant-load-balance</value></option> + </options> + </field> + <field> + <name>ENABLE LDAP SUPPORT - SERVER 2</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable LDAP For Authorization</fielddescr> + <fieldname>varmodulesldap2enableauthorize</fieldname> + <description><![CDATA[This enables LDAP in authorize section. The ldap module will set Auth-Type to LDAP if it has not already been set. (Default: unchecked)]]></description> + <type>checkbox</type> + <enablefields>varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval</enablefields> + </field> + <field> + <fielddescr>Enable LDAP For Authentication</fielddescr> + <fieldname>varmodulesldap2enableauthenticate</fieldname> + <description><![CDATA[This enables LDAP in authenticate section. Note that this means "check plain-text password against the ldap database", which means that EAP won't work, as it does not supply a plain-text password.]]></description> + <type>checkbox</type> + </field> + <field> + <name>GENERAL CONFIGURATION - SERVER 2</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Server</fielddescr> + <fieldname>varmodulesldap2server</fieldname> + <description><![CDATA[No description. (Default: ldap.your.domain )]]></description> + <type>input</type> + <size>80</size> + <default_value>ldap.your.domain</default_value> + </field> + <field> + <fielddescr>Identity</fielddescr> + <fieldname>varmodulesldap2identity</fieldname> + <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[cn=admin,o=My Org,c=UA]]></default_value> + </field> + <field> + <fielddescr>Password</fielddescr> + <fieldname>varmodulesldap2password</fieldname> + <description><![CDATA[No description. (Default: mypass)]]></description> + <type>password</type> + <size>80</size> + <default_value>mypass</default_value> + </field> + <field> + <fielddescr>Basedn</fielddescr> + <fieldname>varmodulesldap2basedn</fieldname> + <description><![CDATA[No description (Default: o=My Org,c=UA )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[o=My Org,c=UA]]></default_value> + </field> + <field> + <fielddescr>Filter</fielddescr> + <fieldname>varmodulesldap2filter</fieldname> + <description><![CDATA[No description. (Default: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[(uid=%{%{Stripped-User-Name}:-%{User-Name}})]]></default_value> + </field> + <field> + <fielddescr>Base Filter</fielddescr> + <fieldname>varmodulesldap2basefilter</fieldname> + <description><![CDATA[No description. (Default: (objectclass=radiusprofile) )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[(objectclass=radiusprofile)]]></default_value> + </field> + <field> + <fielddescr>LDAP Connections Number</fielddescr> + <fieldname>varmodulesldap2ldapconnectionsnumber</fieldname> + <description><![CDATA[How many connections to keep open to the LDAP server. This saves time over opening a new LDAP socket for every authentication request. (Default: 5)]]></description> + <type>input</type> + <size>80</size> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Timeout</fielddescr> + <fieldname>varmodulesldap2timeout</fieldname> + <description><![CDATA[Seconds to wait for LDAP query to finish. (Default: 4)]]></description> + <type>input</type> + <size>80</size> + <default_value>4</default_value> + </field> + <field> + <fielddescr>Timelimit</fielddescr> + <fieldname>varmodulesldap2timelimit</fieldname> + <description><![CDATA[Seconds the LDAP server has to process the query (server-side time limit). (Default: 3)]]></description> + <type>input</type> + <size>80</size> + <default_value>3</default_value> + </field> + <field> + <fielddescr>Net Timeout</fielddescr> + <fieldname>varmodulesldap2nettimeout</fieldname> + <description><![CDATA[Seconds to wait for response of the server because of network failures. (Default: 1)]]></description> + <type>input</type> + <size>80</size> + <default_value>1</default_value> + </field> + <field> + <name>MISCELLANEOUS CONFIGURATION - SERVER 2</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Active Directory Compatibility</fielddescr> + <fieldname>varmodulesldap2msadcompatibilityenable</fieldname> + <description><![CDATA[If you see the helpful "operations error" being returned to the LDAP module enable this. (Default: Disable)]]></description> + <type>select</type> + <default_value>Disable</default_value> + <options> + <option><name>Disable</name><value>Disable</value></option> + <option><name>Enable</name><value>Enable</value></option> + </options> + </field> + <field> + <fielddescr>Enable Misc Configuration</fielddescr> + <fieldname>varmodulesldap2dmiscenable</fieldname> + <description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description> + <type>checkbox</type> + <enablefields>varmodulesldap2defaultprofile,varmodulesldap2profileattribute,varmodulesldap2accessattr</enablefields> + </field> + <field> + <fielddescr>Default Profile</fielddescr> + <fieldname>varmodulesldap2defaultprofile</fieldname> + <description><![CDATA[No description. (Default: cn=radprofile,ou=dialup,o=My Org,c=UA )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[cn=radprofile,ou=dialup,o=My Org,c=UA]]></default_value> + </field> + <field> + <fielddescr>Profile Attribute</fielddescr> + <fieldname>varmodulesldap2profileattribute</fieldname> + <description><![CDATA[No description. (Default: radiusProfileDn)]]></description> + <type>input</type> + <size>80</size> + <default_value>radiusProfileDn</default_value> + </field> + <field> + <fielddescr>Access Attribute</fielddescr> + <fieldname>varmodulesldap2accessattr</fieldname> + <description><![CDATA[No description. (Default: dialupAccess)]]></description> + <type>input</type> + <size>80</size> + <default_value>dialupAccess</default_value> + </field> + <field> + <name>Group Membership Options - SERVER 2</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable Group Membership Options</fielddescr> + <fieldname>varmodulesldap2groupenable</fieldname> + <description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description> + <type>checkbox</type> + <enablefields>varmodulesldap2accessattrusedforallow,varmodulesldap2doxlat,varmodulesldap2comparecheckitems,varmodulesldap2groupmembershipattribute,varmodulesldap2groupmembershipfilter,varmodulesldap2groupnameattribute</enablefields> + </field> + <field> + <fielddescr>Groupname Attribute</fielddescr> + <fieldname>varmodulesldap2groupnameattribute</fieldname> + <description><![CDATA[No description. (Default: cn)]]></description> + <type>input</type> + <size>80</size> + <default_value>cn</default_value> + </field> + <field> + <fielddescr>Groupmembership Filter</fielddescr> + <fieldname>varmodulesldap2groupmembershipfilter</fieldname> + <description><![CDATA[No description. (Default: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))]]></default_value> + </field> + <field> + <fielddescr>Groupmembership Attribute</fielddescr> + <fieldname>varmodulesldap2groupmembershipattribute</fieldname> + <description><![CDATA[No description. (Default: radiusGroupName)]]></description> + <type>input</type> + <size>80</size> + <default_value>radiusGroupName</default_value> + </field> + <field> + <fielddescr>Compare Check Items</fielddescr> + <fieldname>varmodulesldap2comparecheckitems</fieldname> + <description><![CDATA[No description. (Default: Yes)]]></description> + <type>select</type> + <default_value>Yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>Do XLAT</fielddescr> + <fieldname>varmodulesldap2doxlat</fieldname> + <description><![CDATA[No description. (Default: Yes)]]></description> + <type>select</type> + <default_value>Yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>Access Attribute Used For Allow</fielddescr> + <fieldname>varmodulesldap2accessattrusedforallow</fieldname> + <description><![CDATA[No description. (Default: Yes)]]></description> + <type>select</type> + <default_value>Yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <name>KEEPALIVE CONFIGURATION - SERVER 2</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>LDAP OPT X KEEPALIVE IDLE</fielddescr> + <fieldname>varmodulesldap2keepaliveidle</fieldname> + <description><![CDATA[No description. (Default: 60)]]></description> + <type>input</type> + <size>80</size> + <default_value>60</default_value> + </field> + <field> + <fielddescr>LDAP OPT X KEEPALIVE PROBES</fielddescr> + <fieldname>varmodulesldap2keepaliveprobes</fieldname> + <description><![CDATA[No description. (Default: 3)]]></description> + <type>input</type> + <size>80</size> + <default_value>3</default_value> + </field> + <field> + <fielddescr>LDAP OPT X KEEPALIVE INTERVAL</fielddescr> + <fieldname>varmodulesldap2keepaliveinterval</fieldname> + <description><![CDATA[No description. (Default: 3)]]></description> + <type>input</type> + <size>80</size> + <default_value>3</default_value> + </field> </fields> <custom_delete_php_command> freeradius_modulesldap_resync(); diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml index a5bc4d2e..6851711c 100644 --- a/config/freeradius2/freeradiussqlconf.xml +++ b/config/freeradius2/freeradiussqlconf.xml @@ -98,20 +98,16 @@ </tabs> <fields> <field> - <name>Enable SQL Database</name> + <name>ENABLE SQL DATABASE - SERVER 1</name> <type>listtopic</type> </field> <field> <fielddescr>Enable SQL Support</fielddescr> <fieldname>varsqlconfincludeenable</fieldname> - <description><![CDATA[Enable this if you like to connect freeRADIUS to a SQL database. (Default: Disable)<br> + <description><![CDATA[Enable this if you like to connect freeRADIUS to a SQL database. (Default: unchecked)<br> You <b>must enable at least</b> one of the following options: Authorization, Accounting, Session, Post-Auth.]]></description> - <type>select</type> - <default_value>Disable</default_value> - <options> - <option><name>Disbale</name><value>Disable</value></option> - <option><name>Enable</name><value>Enable</value></option> - </options> + <type>checkbox</type> + <enablefields>varsqlconf2failover,varsqlconf2includeenable,varsqlconfenableauthorize,varsqlconfenableaccounting,varsqlconfenablesession,varsqlconfenablepostauth,varsqlconfdatabase,varsqlconfserver,varsqlconfport,varsqlconflogin,varsqlconfpassword,varsqlconfradiusdb,varsqlconfaccttable1,varsqlconfaccttable2,varsqlconfpostauthtable,varsqlconfauthchecktable,varsqlconfauthreplytable,varsqlconfgroupchecktable,varsqlconfgroupreplytable,varsqlconfusergrouptable,varsqlconfreadgroups,varsqlconfdeletestalesessions,varsqlconfsqltrace,varsqlconfnumsqlsocks,varsqlconfconnectfailureretrydelay,varsqlconflifetime,varsqlconfmaxqueries,varsqlconfreadclients,varsqlconfnastable</enablefields> </field> <field> <fielddescr>Enable SQL Authorization</fielddescr> @@ -162,7 +158,7 @@ </options> </field> <field> - <name>SQL Database Configuration</name> + <name>SQL DATABASE CONFIGURATION - SERVER 1</name> <type>listtopic</type> </field> <field> @@ -173,8 +169,6 @@ <default_value>mysql</default_value> <options> <option><name>MySQL</name><value>mysql</value></option> - <option><name>MsSQL</name><value>mssql</value></option> - <option><name>Oracle</name><value>oracle</value></option> <option><name>PostgreSQL</name><value>postgresql</value></option> </options> </field> @@ -352,6 +346,274 @@ <type>input</type> <default_value>nas</default_value> </field> + <field> + <name>ENABLE REDUNDANT SQL DATABASE SUPPORT</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Choose Failover/Loadbalancing Mode</fielddescr> + <fieldname>varsqlconf2failover</fieldname> + <description><![CDATA[Choose the interaction of the two SQL databases: (Default: redundant)<br><br> + <b>redundant:</b> If server 1 fails failover to server 2<br> + <b>load-balance:</b> The load is balanced 50:50 to both databases<br> + <b>redundant-load-balance:</b> The load is balanced 50:50 to both databases. If one is down the other does 100%.]]></description> + <type>select</type> + <default_value>redundant</default_value> + <options> + <option><name>Redundant</name><value>redundant</value></option> + <option><name>Load-Balance</name><value>load-balance</value></option> + <option><name>Redundant-Load-Balance</name><value>redundant-load-balance</value></option> + </options> + </field> + <field> + <name>ENABLE SQL DATABASE - SERVER 2</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable SQL Support</fielddescr> + <fieldname>varsqlconf2includeenable</fieldname> + <description><![CDATA[Enable this if you like to connect freeRADIUS to a SQL database. (Default: unchecked)<br> + You <b>must enable at least</b> one of the following options: Authorization, Accounting, Session, Post-Auth.]]></description> + <type>checkbox</type> + <enablefields>varsqlconf2enableauthorize,varsqlconf2enableaccounting,varsqlconf2enablesession,varsqlconf2enablepostauth,varsqlconf2database,varsqlconf2server,varsqlconf2port,varsqlconf2login,varsqlconf2password,varsqlconf2radiusdb,varsqlconf2accttable1,varsqlconf2accttable2,varsqlconf2postauthtable,varsqlconf2authchecktable,varsqlconf2authreplytable,varsqlconf2groupchecktable,varsqlconf2groupreplytable,varsqlconf2usergrouptable,varsqlconf2readgroups,varsqlconf2deletestalesessions,varsqlconf2sqltrace,varsqlconf2numsqlsocks,varsqlconf2connectfailureretrydelay,varsqlconf2lifetime,varsqlconf2maxqueries,varsqlconf2readclients,varsqlconf2nastable</enablefields> + </field> + <field> + <fielddescr>Enable SQL Authorization</fielddescr> + <fieldname>varsqlconf2enableauthorize</fieldname> + <description><![CDATA[Enable this if usernames and passwords are stored on a SQL database.<br> + SQL support must be enabled for this to work. (Default: Disable)]]></description> + <type>select</type> + <default_value>Disable</default_value> + <options> + <option><name>Disbale</name><value>Disable</value></option> + <option><name>Enable</name><value>Enable</value></option> + </options> + </field> + <field> + <fielddescr>Enable SQL Accounting</fielddescr> + <fieldname>varsqlconf2enableaccounting</fieldname> + <description><![CDATA[Enable this if accounting packets should be logged to a SQL database.<br> + SQL support must be enabled for this to work. (Default: Disable)]]></description> + <type>select</type> + <default_value>Disable</default_value> + <options> + <option><name>Disbale</name><value>Disable</value></option> + <option><name>Enable</name><value>Enable</value></option> + </options> + </field> + <field> + <fielddescr>Enable SQL Session</fielddescr> + <fieldname>varsqlconf2enablesession</fieldname> + <description><![CDATA[Enable this to use the "rlm_sql" module (fast) to check for simultaneous connections instead of "radutmp" (slow).<br> + SQL support must be enabled for this to work. (Default: Disable)]]></description> + <type>select</type> + <default_value>Disable</default_value> + <options> + <option><name>Disbale</name><value>Disable</value></option> + <option><name>Enable</name><value>Enable</value></option> + </options> + </field> + <field> + <fielddescr>Enable SQL Post-Auth</fielddescr> + <fieldname>varsqlconf2enablepostauth</fieldname> + <description><![CDATA[Enable this if you like to store post-authentication data on a SQL database.<br> + SQL support must be enabled for this to work. (Default: Disable)]]></description> + <type>select</type> + <default_value>Disable</default_value> + <options> + <option><name>Disbale</name><value>Disable</value></option> + <option><name>Enable</name><value>Enable</value></option> + </options> + </field> + <field> + <name>SQL DATABASE CONFIGURATION - SERVER 2</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Database Type</fielddescr> + <fieldname>varsqlconf2database</fieldname> + <description><![CDATA[Choose the database type. (Default: mysql)]]></description> + <type>select</type> + <default_value>mysql</default_value> + <options> + <option><name>MySQL</name><value>mysql</value></option> + <option><name>PostgreSQL</name><value>postgresql</value></option> + </options> + </field> + <field> + <fielddescr>Server IP Address</fielddescr> + <fieldname>varsqlconf2server</fieldname> + <description><![CDATA[Enter the IP address of the database server (Default: localhost)]]></description> + <type>input</type> + <default_value>localhost</default_value> + </field> + <field> + <fielddescr>Server Port Address</fielddescr> + <fieldname>varsqlconf2port</fieldname> + <description><![CDATA[Enter the port address of the database server (Default: 3306)]]></description> + <type>input</type> + <default_value>3306</default_value> + </field> + <field> + <fielddescr>Database Username</fielddescr> + <fieldname>varsqlconf2login</fieldname> + <description><![CDATA[Enter the username of the database server (Default: radius)]]></description> + <type>input</type> + <default_value>radius</default_value> + </field> + <field> + <fielddescr>Database Password</fielddescr> + <fieldname>varsqlconf2password</fieldname> + <description><![CDATA[Enter the password of the database server (Default: radpass)]]></description> + <type>password</type> + <default_value>radpass</default_value> + </field> + <field> + <fielddescr>Database Table Configuration</fielddescr> + <fieldname>varsqlconf2radiusdb</fieldname> + <description><![CDATA[Choose database table configuration: (Default: radius) <br> + For all <b>except</b> Oracle choose: <b>radius</b> <br> + For Oracle change and paste the following line according your environment:<br> + <b>(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))</b>]]></description> + <type>input</type> + <default_value>radius</default_value> + </field> + <field> + <fielddescr>Accounting Table 1 (Start)</fielddescr> + <fieldname>varsqlconf2accttable1</fieldname> + <description><![CDATA[This is the accounting "Start" table. If you want to log "Start" and "Stop" to the same table choose the same name for both. (Default: radacct)]]></description> + <type>input</type> + <default_value>radacct</default_value> + </field> + <field> + <fielddescr>Accounting Table 2 (Stop)</fielddescr> + <fieldname>varsqlconf2accttable2</fieldname> + <description><![CDATA[This is the accounting "Stop" table. If you want to log "Stop" and "Stop" to the same table choose the same name for both. (Default: radacct)]]></description> + <type>input</type> + <default_value>radacct</default_value> + </field> + <field> + <fielddescr>Post Auth Table</fielddescr> + <fieldname>varsqlconf2postauthtable</fieldname> + <description><![CDATA[Choose Post Auth Table. (Default: radpostauth)]]></description> + <type>input</type> + <default_value>radpostauth</default_value> + </field> + <field> + <fielddescr>Auth Check Table</fielddescr> + <fieldname>varsqlconf2authchecktable</fieldname> + <description><![CDATA[Choose Auth Check Table. (Default: radcheck)]]></description> + <type>input</type> + <default_value>radcheck</default_value> + </field> + <field> + <fielddescr>Auth Reply Table</fielddescr> + <fieldname>varsqlconf2authreplytable</fieldname> + <description><![CDATA[Choose Auth Reply Table. (Default: radreply)]]></description> + <type>input</type> + <default_value>radreply</default_value> + </field> + <field> + <fielddescr>Group Check Table</fielddescr> + <fieldname>varsqlconf2groupchecktable</fieldname> + <description><![CDATA[Choose Group Check Table. (Default: radgroupcheck)]]></description> + <type>input</type> + <default_value>radgroupcheck</default_value> + </field> + <field> + <fielddescr>Group Reply Table</fielddescr> + <fieldname>varsqlconf2groupreplytable</fieldname> + <description><![CDATA[Choose Group Check Table. (Default: radgroupreply)]]></description> + <type>input</type> + <default_value>radgroupreply</default_value> + </field> + <field> + <fielddescr>User Group Table</fielddescr> + <fieldname>varsqlconf2usergrouptable</fieldname> + <description><![CDATA[Choose Group Check Table. (Default: radusergroup)]]></description> + <type>input</type> + <default_value>radusergroup</default_value> + </field> + <field> + <fielddescr>Read the Group Tables</fielddescr> + <fieldname>varsqlconf2readgroups</fieldname> + <description><![CDATA[If set to <b>yes</b> (default) we read the group tables.<br> + If set to <b>no</b> the user <b>must</b> have Fall-Through = Yes in the radreply table]]></description> + <type>select</type> + <default_value>yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>Delete Stale Sessions</fielddescr> + <fieldname>varsqlconf2deletestalesessions</fieldname> + <description><![CDATA[Remove stale session if checkrad does not see a double login. (Default: yes)]]></description> + <type>select</type> + <default_value>yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>Print all SQL Statements</fielddescr> + <fieldname>varsqlconf2sqltrace</fieldname> + <description><![CDATA[Print all SQL statements when in debug mode. (Default: no)]]></description> + <type>select</type> + <default_value>no</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>Number of SQL Connections</fielddescr> + <fieldname>varsqlconf2numsqlsocks</fieldname> + <description><![CDATA[Number of SQL connections to make to the server. (Default: 5)]]></description> + <type>input</type> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Failed Database Connection Delay</fielddescr> + <fieldname>varsqlconf2connectfailureretrydelay</fieldname> + <description><![CDATA[Number of seconds btween a retry after a failed database connection. (Default: 60)]]></description> + <type>input</type> + <default_value>60</default_value> + </field> + <field> + <fielddescr>SQL Socket Lifetime</fielddescr> + <fieldname>varsqlconf2lifetime</fieldname> + <description><![CDATA[If you are having network issues such as TCP sessions expiring, you may need to set the socket lifetime. If set to non-zero, any open connections will be closed X seconds after they were first opened. (Default: 0)]]></description> + <type>input</type> + <default_value>0</default_value> + </field> + <field> + <fielddescr>SQL Socket Maximum Queries</fielddescr> + <fieldname>varsqlconf2maxqueries</fieldname> + <description><![CDATA[If you have issues with SQL sockets lasting too long, you can limit the number of queries performed over one socket. After X queries, the socket will be closed. Use 0 for no limit. (Default: 0)]]></description> + <type>input</type> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Read Clients from Database</fielddescr> + <fieldname>varsqlconf2readclients</fieldname> + <description><![CDATA[Set to <b>yes</b> to read radius clients from the database ('nas' table). Clients will only be read on server startup. (Default: yes)]]></description> + <type>select</type> + <default_value>yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>RADIUS Client Table</fielddescr> + <fieldname>varsqlconf2nastable</fieldname> + <description><![CDATA[Choose the table to keep RADIUS client info. (Default: nas)]]></description> + <type>input</type> + <default_value>nas</default_value> + </field> </fields> <custom_delete_php_command> freeradius_sqlconf_resync(); |