authorFernando Lemos <fernandotcl@pfsense.org>2006-06-02 13:41:17 +0000
committerFernando Lemos <fernandotcl@pfsense.org>2006-06-02 13:41:17 +0000
commitc868bc5be8c9f7cc8b7ca91bbd36990a931d9875 (patch)
tree5bd31ed5427b8547222e5cfe496239c49a0aecac /packages
parent341ff9436ee8b6eb2c89365d3b05a00408eb0eb3 (diff)
A working version of the FreeRADIUS package (this one writes the configuration to the right files ;)).
Diffstat (limited to 'packages')
-rw-r--r--packages/freeradius.inc438
-rw-r--r--packages/freeradius.xml105
-rw-r--r--packages/freeradiusclients.xml48
-rw-r--r--packages/freeradiussettings.xml46
4 files changed, 503 insertions, 134 deletions
diff --git a/packages/freeradius.inc b/packages/freeradius.inc
new file mode 100644
index 00000000..cdc7a422
--- /dev/null
+++ b/packages/freeradius.inc
@@ -0,0 +1,438 @@
+<?php
+require_once('config.inc');
+require_once('service-utils.inc');
+
+define('RADDB', '/usr/local/etc/raddb');
+
+function freeradius_install_command() {
+ global $config;
+
+ $handle = opendir(RADDB);
+ while (false != ($file = readdir($handle))) {
+ if (false != ($pos = strpos($file, '.sample'))) {
+ $newfile = substr($file, 0, $pos);
+ if (copy(RADDB . "/$file", RADDB . "/$newfile"))
+ unlink(RADDB . "/$file");
+ }
+ }
+ closedir($handle);
+
+ freeradius_settings_resync();
+
+ $rcfile = array();
+ $rcfile['file'] = 'radiusd.sh';
+ $rcfile['start'] = 'radiusd -s &';
+ $rcfile['stop'] = 'killall radiusd';
+ write_rcfile($rcfile);
+ start_service("freeradius");
+}
+
+function freeradius_settings_resync() {
+ global $config;
+
+ $settings = $config['installedpackages']['freeradiussettings']['config'][0];
+
+ $iface = ($settings['interface'] ? $settings['interface'] : 'LAN');
+ $iface = convert_friendly_interface_to_real_interface_name($iface);
+ $iface_ip = find_interface_ip($iface);
+ $port = ($settings['port'] != '' ? $settings['port'] : 0);
+
+ // FreeRADIUS's configuration is huge
+ // This is the standard default config file, trimmed down a bit. Somebody might want to implement more options. It should be as simple as editing this, then also providing the settings in each file that was included here (or maybe just put the config inlined here).
+ $conf = <<<EOD
+prefix = /usr/local
+exec_prefix = \${prefix}
+sysconfdir = \${prefix}/etc
+localstatedir = /var
+sbindir = \${exec_prefix}/sbin
+logdir = /var/log
+raddbdir = \${sysconfdir}/raddb
+radacctdir = \${logdir}/radacct
+confdir = \${raddbdir}
+run_dir = \${localstatedir}/run/radiusd
+log_file = \${logdir}/radius.log
+libdir = \${exec_prefix}/lib
+pidfile = \${run_dir}/radiusd.pid
+#user = nobody
+#group = nobody
+max_request_time = 30
+delete_blocked_requests = no
+cleanup_delay = 5
+max_requests = 1024
+bind_address = $iface_ip
+port = $port
+hostname_lookups = no
+allow_core_dumps = no
+regular_expressions = yes
+extended_expressions = yes
+log_stripped_names = no
+log_auth = no
+log_auth_badpass = no
+log_auth_goodpass = no
+usercollide = no
+lower_user = no
+lower_pass = no
+nospace_user = no
+nospace_pass = no
+checkrad = \${sbindir}/checkrad
+
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = no
+}
+
+proxy_requests = yes
+\$INCLUDE \${confdir}/proxy.conf
+
+\$INCLUDE \${confdir}/clients.conf
+
+snmp = no
+\$INCLUDE \${confdir}/snmp.conf
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+modules {
+ pap {
+ encryption_scheme = crypt
+ }
+
+ chap {
+ authtype = CHAP
+ }
+
+ pam {
+ pam_auth = radiusd
+ }
+
+ unix {
+ cache = no
+ cache_reload = 600
+ radwtmp = \${logdir}/radwtmp
+ }
+
+ \$INCLUDE \${confdir}/eap.conf
+
+ mschap {
+ authtype = MS-CHAP
+ #use_mppe = no
+ #require_encryption = yes
+ #require_strong = yes
+ #with_ntdomain_hack = no
+ #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
+ }
+
+ ldap {
+ server = "ldap.your.domain"
+ basedn = "o=My Org,c=UA"
+ filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
+ #base_filter = "(objectclass=radiusprofile)"
+ start_tls = no
+ #tls_cacertfile = /path/to/cacert.pem
+ #tls_cacertdir = /path/to/ca/dir/
+ #tls_certfile = /path/to/radius.crt
+ #tls_keyfile = /path/to/radius.key
+ #tls_randfile = /path/to/rnd
+ #tls_require_cert = "demand"
+ access_attr = "dialupAccess"
+ dictionary_mapping = \${raddbdir}/ldap.attrmap
+ ldap_connections_number = 5
+ #groupname_attribute = cn
+ #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
+ #groupmembership_attribute = radiusGroupName
+ timeout = 4
+ timelimit = 3
+ net_timeout = 1
+ #compare_check_items = yes
+ #do_xlat = yes
+ #access_attr_used_for_allow = yes
+ }
+
+ realm IPASS {
+ format = prefix
+ delimiter = "/"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm suffix {
+ format = suffix
+ delimiter = "@"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm realmpercent {
+ format = suffix
+ delimiter = "%"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ realm ntdomain {
+ format = prefix
+ delimiter = "\\"
+ ignore_default = no
+ ignore_null = no
+ }
+
+ checkval {
+ item-name = Calling-Station-Id
+ check-name = Calling-Station-Id
+ data-type = string
+ #notfound-reject = no
+ }
+
+ preprocess {
+ huntgroups = \${confdir}/huntgroups
+ hints = \${confdir}/hints
+ with_ascend_hack = no
+ ascend_channels_per_line = 23
+ with_ntdomain_hack = no
+ with_specialix_jetstream_hack = no
+ with_cisco_vsa_hack = no
+ }
+
+ files {
+ usersfile = \${confdir}/users
+ acctusersfile = \${confdir}/acct_users
+ preproxy_usersfile = \${confdir}/preproxy_users
+ compat = no
+ }
+
+ detail {
+ detailfile = \${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
+ detailperm = 0600
+ }
+
+ acct_unique {
+ key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
+ }
+
+ \$INCLUDE \${confdir}/sql.conf
+
+ radutmp {
+ filename = \${logdir}/radutmp
+ username = %{User-Name}
+ case_sensitive = yes
+ check_with_nas = yes
+ perm = 0600
+ callerid = "yes"
+ }
+
+ radutmp sradutmp {
+ filename = \${logdir}/sradutmp
+ perm = 0644
+ callerid = "no"
+ }
+
+ attr_filter {
+ attrsfile = \${confdir}/attrs
+ }
+
+ counter daily {
+ filename = \${raddbdir}/db.daily
+ key = User-Name
+ count-attribute = Acct-Session-Time
+ reset = daily
+ counter-name = Daily-Session-Time
+ check-name = Max-Daily-Session
+ allowed-servicetype = Framed-User
+ cache-size = 5000
+ }
+
+ always fail {
+ rcode = fail
+ }
+ always reject {
+ rcode = reject
+ }
+ always ok {
+ rcode = ok
+ simulcount = 0
+ mpp = no
+ }
+
+ expr {
+ }
+
+ digest {
+ }
+
+ exec {
+ wait = yes
+ input_pairs = request
+ }
+
+ exec echo {
+ wait = yes
+ program = "/bin/echo %{User-Name}"
+ input_pairs = request
+ output_pairs = reply
+ #packet_type = Access-Accept
+ }
+
+ ippool main_pool {
+ range-start = 192.168.1.1
+ range-stop = 192.168.3.254
+ netmask = 255.255.255.0
+ cache-size = 800
+ session-db = \${raddbdir}/db.ippool
+ ip-index = \${raddbdir}/db.ipindex
+ override = no
+ maximum-timeout = 0
+ }
+}
+
+instantiate {
+ exec
+ expr
+ #daily
+}
+
+authorize {
+ preprocess
+ #auth_log
+ #attr_filter
+ chap
+ mschap
+ #digest
+ #IPASS
+ suffix
+ #ntdomain
+ eap
+ files
+ #sql
+ #etc_smbpasswd
+ #ldap
+ #daily
+ #checkval
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ #digest
+ #pam
+ unix
+ #Auth-Type LDAP {
+ # ldap
+ #}
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ #IPASS
+ suffix
+ #ntdomain
+ files
+}
+
+accounting {
+ detail
+ #daily
+ unix
+ radutmp
+ #sradutmp
+ #main_pool
+ #sql
+ #pgsql-voip
+}
+
+session {
+ radutmp
+ #sql
+}
+
+post-auth {
+ #main_pool
+ #reply_log
+ #sql
+ #ldap
+ #Post-Auth-Type REJECT {
+ # insert-module-name-here
+ #}
+}
+
+pre-proxy {
+ #attr_rewrite
+ #files
+ #pre_proxy_log
+}
+
+post-proxy {
+ #post_proxy_log
+ #attr_rewrite
+ #attr_filter
+ eap
+}
+
+EOD;
+ file_put_contents(RADDB . '/radiusd.conf', $conf);
+ restart_service("freeradius");
+}
+
+function freeradius_users_resync() {
+ global $config;
+
+ $conf = '';
+ $users = $config['installedpackages']['freeradius']['config'];
+ if (is_array($users)) {
+ foreach ($users as $user)
+ $conf .= "{$user['username']}\tUser-Password == \"{$user['password']}\"\n";
+ }
+ $filename = RADDB . '/users';
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+
+ restart_service('freeradius');
+}
+
+function freeradius_clients_resync() {
+ global $config;
+
+ $conf = '';
+ $clients = $config['installedpackages']['freeradiusclients']['config'];
+ if (is_array($clients) && !empty($clients)) {
+ foreach ($clients as $item) {
+ $client = $item['client'];
+ $secret = $item['sharedsecret'];
+ $shortname = $item['shortname'];
+ $conf .= <<<EOD
+client $client {
+ secret = $secret
+ shortname = $shortname
+}
+
+EOD;
+ }
+ }
+ else {
+ $conf .= <<<EOD
+client 127.0.0.1 {
+ secret = pfsense
+ shortname = localhost
+}
+
+EOD;
+ }
+
+ file_put_contents(RADDB . '/clients.conf', $conf);
+ restart_service("freeradius");
+}
+?>
diff --git a/packages/freeradius.xml b/packages/freeradius.xml
index 279ff469..0f4af220 100644
--- a/packages/freeradius.xml
+++ b/packages/freeradius.xml
@@ -1,18 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
<packagegui>
- <name>freeradius</name>
- <version>1.0.1</version>
- <title>FreeRADIUS: Users</title>
+ <include_file>freeradius.inc</include_file>
+
+ <!-- Installation -->
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/freeradiusclients.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/freeradiussettings.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/freeradius.inc</item>
+ </additional_files_needed>
+ <custom_php_install_command>
+ freeradius_install_command();
+ </custom_php_install_command>
<menu>
<name>FreeRADIUS</name>
<tooltiptext>Modify FreeRADIUS users, clients, and settings.</tooltiptext>
<section>Services</section>
- <configfile>freeradius.xml</configfile>
+ <url>/pkg.php?xml=freeradius.xml</url>
</menu>
<service>
<name>FreeRADIUS</name>
- <rcfile>freeradius.sh</rcfile>
+ <description>The FreeRADIUS daemon.</description>
+ <rcfile>radiusd.sh</rcfile>
<executable>radiusd</executable>
</service>
+
+ <!-- Interface -->
+ <name>freeradius</name>
+ <title>FreeRADIUS: Users</title>
<tabs>
<tab>
<text>Users</text>
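Review bot: The three additional_files_needed entries fetch freeradius.inc — PHP that the custom_php_install_command below executes on the firewall — and the two XML forms over plain http:// from www.pfsense.org, with no digest or signature listed beside them. I cannot tell from this hunk whether the package manager verifies what it downloads; if it does not, anyone on the network path can substitute the .inc and obtain code execution at install time. If the infrastructure allows it, serve these over https or ship a hash the installer checks; at minimum add a comment above the block such as `<!-- NOTE: fetched unauthenticated over HTTP; installer must verify contents before executing -->` so the assumption is visible.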
@@ -28,16 +46,6 @@
<url>/pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</url>
</tab>
</tabs>
- <additional_files_needed>
- <item>http://www.pfsense.com/packages/config/freeradiusclients.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <item>http://www.pfsense.com/packages/config/freeradiussettings.xml</item>
- </additional_files_needed>
- <additional_files_needed>
- <item>http://www.pfsense.com/packages/config/freeradiusconfig.tgz</item>
- </additional_files_needed>
- <configpath>installedpackages->package->$packagename->configuration->settings</configpath>
<adddeleteeditpagefields>
<columnitem>
<fielddescr>Username</fielddescr>
@@ -50,73 +58,30 @@
</adddeleteeditpagefields>
<fields>
<field>
- <fielddescr>Username</fielddescr>
<fieldname>username</fieldname>
- <description>Enter the username here</description>
+ <fielddescr>Username</fielddescr>
+ <description>Enter the username.</description>
+ <required/>
<type>input</type>
</field>
<field>
- <fielddescr>Password</fielddescr>
<fieldname>password</fieldname>
- <description>Enter the password here</description>
+ <fielddescr>Password</fielddescr>
+ <description>Enter the password for this username.</description>
+ <required/>
<type>password</type>
</field>
<field>
- <fielddescr>Username Description</fielddescr>
<fieldname>description</fieldname>
- <description>Enter the description of the user here</description>
+ <fielddescr>Description</fielddescr>
+ <description>You may enter a description here for your reference (not parsed).</description>
<type>input</type>
</field>
</fields>
- <custom_php_install_command>
- global $config;
- $fout = fopen("/usr/local/etc/raddb/clients.conf","w");
- fwrite($fout, "client 127.0.0.1" . "{\n" . "secret = pfsense\n" . "shortname = localhost\n}\n\n");
- fclose($fout);
- write_rcfile(array(
- "file" => "freeradius.sh",
- "start" => "/usr/local/sbin/radiusd -X -d /usr/local/etc/raddb &amp;",
- "stop" => "/usr/bin/killall radiusd"
- )
- );
- $fout = fopen("/usr/local/etc/radiusd.conf.dynamic","w");
- fwrite($fout, "{\nipaddr = 127.0.0.1\nport = 0\ntype = auth\n}\n\n");
- fclose($fout);
- start_service("freeradius");
- </custom_php_install_command>
- <custom_php_global_functions>
- function sync_package_freeradius() {
- conf_mount_rw();
- config_lock();
- global $config;
- $fout = fopen("/usr/local/etc/raddb/users","w");
- fwrite($fout, "# This file was automatically generated by the pfSense\n# package management system.\n\n");
- if($config['installedpackages']['freeradius']['config'] != "") {
- foreach($config['installedpackages']['freeradius']['config'] as $rowhelper) {
- fwrite($fout, $rowhelper['username'] . "\tUser-Password == \"" . $rowhelper['password'] . "\"\n");
- if ($rowhelper['bwrestriction'] == "on") {
- if (($rowhelper['uploadbw'] != "") and ($rowhelper['downloadbw'] != "")) {
- fwrite($fout, "\tNomadix-Bw-Up = " . $rowhelper['uploadbw'] . ",\n");
- fwrite($fout, "\tNomadix-Bw-Down = " . $rowhelper['downloadbw'] . "\n\n");
- } elseif ($rowhelper['uploadbw'] != "") {
- fwrite($fout, "\tNomadix-Bw-Up = " . $rowhelper['uploadbw'] . "\n\n");
- } elseif ($rowhelper['downloadbw'] != "") {
- fwrite($fout, "\tNomadix-Bw-Down = " . $rowhelper['downloadbw'] . "\n\n");
- }
- }
- }
- }
- fclose($fout);
- chmod("/usr/local/etc/raddb/users", 0600);
- conf_mount_ro();
- config_unlock();
- restart_service("freeradius");
- }
- </custom_php_global_functions>
+ <custom_delete_php_command>
+ freeradius_users_resync();
+ </custom_delete_php_command>
<custom_php_resync_config_command>
- sync_package_freeradius();
+ freeradius_users_resync();
</custom_php_resync_config_command>
- <custom_add_php_command>
- sync_package_freeradius();
- </custom_add_php_command>
</packagegui>
diff --git a/packages/freeradiusclients.xml b/packages/freeradiusclients.xml
index c24d01eb..d3dc95ec 100644
--- a/packages/freeradiusclients.xml
+++ b/packages/freeradiusclients.xml
@@ -1,6 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
<packagegui>
<name>freeradiusclients</name>
<title>FreeRADIUS: Clients</title>
+ <include_file>freeradius.inc</include_file>
<tabs>
<tab>
<text>Users</text>
@@ -16,7 +18,6 @@
<url>/pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</url>
</tab>
</tabs>
- <configpath>installedpackages->package->$packagename->configuration->settings</configpath>
<adddeleteeditpagefields>
<columnitem>
<fielddescr>Client</fielddescr>
@@ -33,52 +34,37 @@
</adddeleteeditpagefields>
<fields>
<field>
- <fielddescr>Client</fielddescr>
<fieldname>client</fieldname>
- <description>Enter the client's IP address here</description>
+ <fielddescr>Client</fielddescr>
+ <description>Enter the client's IP address.</description>
<type>input</type>
+ <required/>
</field>
<field>
- <fielddescr>Shortname</fielddescr>
<fieldname>shortname</fieldname>
- <description>Enter the client's shortname here</description>
+ <fielddescr>Shortname</fielddescr>
+ <description>Enter the client's shortname.</description>
<type>input</type>
+ <required/>
</field>
<field>
- <fielddescr>Shared Secret</fielddescr>
<fieldname>sharedsecret</fieldname>
+ <fielddescr>Shared Secret</fielddescr>
<description>Enter the client's shared secret here</description>
<type>password</type>
+ <required/>
</field>
<field>
- <fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
+ <fielddescr>Description</fielddescr>
<description>Enter the description of the user here</description>
<type>input</type>
</field>
</fields>
- <custom_php_command_before_form>
- function sync_package_freeradius_clients() {
- conf_mount_rw();
- config_lock();
- global $config;
- $fout = fopen("/usr/local/etc/raddb/clients.conf","w");
- fwrite($fout, "# This file was automatically generated by the pfSense\n# package management system.\n\n");
- fwrite($fout, "client 127.0.0.1" . "{\n" . "secret = pfsense\n" . "shortname = localhost\n}\n\n");
- if($config['installedpackages']['freeradiusclients']['config'] != "") {
- foreach($config['installedpackages']['freeradiusclients']['config'] as $rowhelper) {
- fwrite($fout, "client " . $rowhelper['client'] . "{\n" . "secret = " . $rowhelper['sharedsecret'] . "\nshortname = " . $rowhelper['shortname'] . "\n}\n\n");
- }
- }
- fclose($fout);
- conf_mount_ro();
- config_unlock();
- restart_service("freeradius");
- }
- sync_package_freeradius_clients();
- </custom_php_command_before_form>
- <custom_add_php_command>
- sync_package_freeradius_clients();
- </custom_add_php_command>
+ <custom_delete_php_command>
+ freeradius_clients_resync();
+ </custom_delete_php_command>
+ <custom_php_resync_config_command>
+ freeradius_clients_resync();
+ </custom_php_resync_config_command>
</packagegui>
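Review bot: Dropping the custom_php_command_before_form sync means clients.conf is now regenerated only from freeradius_clients_resync() on save or delete, and freeradius_install_command() in freeradius.inc calls only freeradius_settings_resync(), so after a fresh install the live clients.conf is whatever clients.conf.sample was renamed to rather than the pfSense-generated localhost-only client the old install command wrote. If that sample is the stock upstream file it presumably carries the upstream default localhost client and its well-known secret; either way the running server's client list is not under pfSense control until the admin saves a client. Call `freeradius_clients_resync();` and `freeradius_users_resync();` from the install command before start_service() so the generated files are in place when the daemon first starts. Separately, the Description field on this clients form still reads "Enter the description of the user here".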
-
diff --git a/packages/freeradiussettings.xml b/packages/freeradiussettings.xml
index 7db3402d..91c1cd63 100644
--- a/packages/freeradiussettings.xml
+++ b/packages/freeradiussettings.xml
@@ -1,6 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
<packagegui>
<name>freeradiussettings</name>
<title>FreeRADIUS: Settings</title>
+ <include_file>freeradius.inc</include_file>
<aftersaveredirect>pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</aftersaveredirect>
<tabs>
<tab>
@@ -17,47 +19,25 @@
<active/>
</tab>
</tabs>
- <configpath>installedpackages->package->$packagename->configuration->settings</configpath>
<fields>
<field>
- <fielddescr>Listening Interface(s)</fielddescr>
<fieldname>interface</fieldname>
- <description>Enter the desired listening interface here</description>
+ <fielddescr>Listening Interface(s)</fielddescr>
+ <description>Enter the desired listening interface here.</description>
<type>interfaces_selection</type>
+ <required/>
</field>
<field>
- <fielddescr>Port</fielddescr>
<fieldname>port</fieldname>
- <description>Enter the desired port here (default 1812)</description>
+ <fielddescr>Port</fielddescr>
+ <description>Enter the port the RADIUS server will listen on. Leave blank to default to the system default, i.e., 1892.</description>
<type>input</type>
</field>
</fields>
- <custom_php_command_before_form>
- function sync_package_freeradius_settings() {
- conf_mount_rw();
- config_lock();
- global $config;
- $fout = fopen("/usr/local/etc/raddb/radiusd.conf.dynamic","w");
- fwrite($fout, "# This file was automatically generated by the pfSense\n# package management system.\n\n");
- $int = convert_friendly_interface_to_real_interface_name($config['installedpackages']['freeradiussettings']['config']['0']['interface']);
- $int_ip = find_interface_ip($int);
- $port = $config['installedpackages']['freeradiussettings']['config'][0]['port'];
- fwrite($fout, "{\nipaddr = " . $int_ip);
- if($port != "") {
- fwrite($fout, "port = " . $port . "\n");
- } else {
- fwrite($fout, "port = 0\n");
- }
- fwrite($fout, "type = auth\n}\n\n");
- fwrite($fout, "{\nipaddr = 127.0.0.1\nport = 0\ntype = auth\n}\n\n");
- fclose($fout);
- conf_mount_ro();
- config_unlock();
- restart_service("freeradius");
- }
- </custom_php_command_before_form>
- <custom_add_php_command>
- sync_package_freeradius_settings();
- </custom_add_php_command>
+ <custom_delete_php_command>
+ freeradius_settings_resync();
+ </custom_delete_php_command>
+ <custom_php_resync_config_command>
+ freeradius_settings_resync();
+ </custom_php_resync_config_command>
</packagegui>
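Review bot: The new Port description says the default is 1892, but RADIUS authentication uses 1812 (the previous wording was correct), and the generated radiusd.conf writes `port = 0`, which leaves the choice to the daemon rather than pinning 1812; change the text to `Leave blank to use the daemon default (normally 1812).`. The field is a free-form input with no validation and freeradius_settings_resync() copies it into radiusd.conf verbatim, so a non-numeric value produces a broken config and a failed restart; a numeric check in the resync such as `$port = ctype_digit((string) $settings['port']) ? (int) $settings['port'] : 0;` would catch it. Wiring freeradius_settings_resync() to custom_delete_php_command on a single-instance settings page looks copied from the list pages; it is harmless because the resync falls back to LAN and port 0, but a one-line comment saying so would stop the next reader from wondering.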
-