23 files changed, 1451 insertions, 128 deletions
diff --git a/config/filer/filer.inc b/config/filer/filer.inc
index 906928f2..b4512a49 100644
--- a/config/filer/filer.inc
+++ b/config/filer/filer.inc
@@ -54,7 +54,7 @@ function sync_package_filer() {
 if($config['installedpackages']['filer']['config']!="") {
 foreach($config['installedpackages']['filer']['config'] as $file) {
 $fname = $file['fullfile'];
- $fdata = base64_decode($file['filedata']);
+ $fdata = str_replace("\r", "", base64_decode($file['filedata']));
 if($file['mod']) {
 if(!preg_match("/0?[0-7]{3}/", $file['mod']))
 $mod = 0700;
@@ -62,9 +62,7 @@ function sync_package_filer() {
 $mod = octdec($file['mod']);
 }
 conf_mount_rw();
- $fhnd = fopen($fname, 'w');
- fwrite($fhnd, $fdata);
- fclose($fhnd);
+ file_put_contents($fname, $fdata);
 if($mod)
 chmod($fname, $mod);
 conf_mount_ro();
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 816eb984..ecf21a5e 100755..100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
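Review bot: The new `file_put_contents($fname, $fdata)` in sync_package_filer() discards its return value, so a failed write (read-only filesystem, missing directory, unusable `fullfile` path) is silent and `chmod` then runs on a file that may not exist. A one-line check keeps the failure visible: `if (file_put_contents($fname, $fdata) === false) log_error("filer: could not write {$fname}");`. The added `str_replace("\r", "", ...)` is fine for text but silently corrupts any binary payload stored in `filedata` that happens to contain a 0x0D byte; if the package is text-only by design, a comment on that line saying so would stop the next reader from wondering. sync_package_filer() continues outside both hunks.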
@@ -70,10 +70,26 @@ function freeradius_install_command() { } } + closedir($handle); + exec("chown -R root:wheel /usr/local/etc/raddb"); exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12"); - closedir($handle); + // creating a backup file of the original policy.conf no matter if user checked this or not + if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) { + log_error("FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/policy.conf.backup"); + copy("/usr/local/etc/raddb/policy.conf", "/usr/local/etc/raddb/policy.conf.backup"); + } + + // creating a backup file of the original /modules/files no matter if user checked this or not + if (!file_exists("/usr/local/etc/raddb/files.backup")) { + log_error("FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/files.backup"); + copy("/usr/local/etc/raddb/modules/files", "/usr/local/etc/raddb/files.backup"); + } + + // Disable virtual-server we do not need by default + unlink("/usr/local/etc/raddb/sites-enabled/control-socket"); + unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel"); $rcfile = array(); $rcfile['file'] = 'radiusd.sh'; @@ -82,7 +98,7 @@ function freeradius_install_command() { conf_mount_rw(); write_rcfile($rcfile); conf_mount_ro(); - restart_service("freeradius"); + start_service("radiusd"); } function freeradius_settings_resync() { @@ -123,7 +139,6 @@ function freeradius_settings_resync() { $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; $varsqlconfincludeenable = ($sqlconf['varsqlconfincludeenable']?$sqlconf['varsqlconfincludeenable']:'Disable'); - // Dis-/Enable SQL in "instatiate" section in "freeradius_settings_resync" and radiusd.conf if ($sqlconf['varsqlconfincludeenable'] == 'Enable') { $varsqlconfinclude = '$INCLUDE sql.conf'; 
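Review bot: The two backup `copy()` calls added to freeradius_install_command() ignore their return value, so if `/usr/local/etc/raddb/policy.conf` or `modules/files` is absent at install time no `.backup` is created, only a PHP warning is emitted, and the restore path added later in this commit (freeradius_plainmacauth_resync()) has nothing to restore from. Checking each result and logging it, e.g. `if (!copy(...)) log_error("FreeRADIUS: backup of policy.conf failed");` for each of the two files, makes that state visible in the system log instead of surfacing as a broken config later. The two `unlink()` calls on `sites-enabled/control-socket` and `inner-tunnel` likewise warn on a re-install when the files are already gone; guarding them with `file_exists()` keeps the install log clean. The function's start is outside the hunk.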
@@ -249,7 +264,7 @@ checkrad = \${sbindir}/checkrad security { max_attributes = $varsettingsmaxattributes reject_delay = $varsettingsrejectdelay - status_server = yes + status_server = no } ### disbale proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server @@ -301,11 +316,12 @@ EOD; conf_mount_ro(); // "freeradius_sqlconf_resync" is pointing to this function because we need to run "freeradius_serverdefault_resync" and after that restart freeradius. + freeradius_plainmacauth_resync(); freeradius_serverdefault_resync(); freeradius_modulescounter_resync(); freeradius_modulesmschap_resync(); freeradius_modulesrealm_resync(); - restart_service("freeradius"); + restart_service("radiusd"); } function freeradius_users_resync() { @@ -432,9 +448,42 @@ EOD; conf_mount_ro(); freeradius_sync_on_changes(); - restart_service('freeradius'); + restart_service('radiusd'); } + +function freeradius_authorizedmacs_resync() { +global $config; + +$conf = ''; + +$arrmacs = $config['installedpackages']['freeradiusauthorizedmacs']['config']; + +if (is_array($arrmacs) && !empty($arrmacs)) { + foreach ($arrmacs as $macs) { + + // Variables for macs file defined parameters + $varmacaddress = $macs['varmacaddress']; + $varmacaddress = "$varmacaddress" . "\n"; + + $conf .= <<<EOD +$varmacaddress +EOD; + } //end foreach +} // end if + + $filename = RADDB . '/authorized_macs'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + + freeradius_sync_on_changes(); + restart_service('radiusd'); +} + + + function freeradius_clients_resync() { global $config; @@ -485,7 +534,7 @@ EOD; conf_mount_ro(); freeradius_sync_on_changes(); - restart_service("freeradius"); + restart_service("radiusd"); } @@ -682,7 +731,7 @@ EOD; chmod($filename, 0600); conf_mount_ro(); - restart_service('freeradius'); + restart_service('radiusd'); } // Gets started from freeradiuseapconf.xml 
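Review bot: freeradius_authorizedmacs_resync() writes `varmacaddress` from the GUI into `authorized_macs` verbatim, and that file is consumed as a Livingston-style users file (the `files authorized_macs { key = "%{Calling-Station-ID}" }` instance added further down), so a stray space, newline or trailing text in the field is written as check-item syntax or a separate entry rather than as a MAC. Since `rewrite_calling_station_id` normalizes the request to lowercase `xx-xx-xx-xx-xx-xx`, entries presumably have to be in the same form to match; validating against `/^[0-9a-f]{2}(-[0-9a-f]{2}){5}$/i`, lowercasing, and `log_error()` + `continue` on a reject would make bad input fail loudly instead of silently never matching. The one-line heredoc plus `"$varmacaddress" . "\n"` collapses to `$conf .= $macs['varmacaddress'] . "\n";`, and `is_array($arrmacs) && !empty($arrmacs)` is redundant since a non-empty array is already truthy. The function body is also indented at column 0, unlike its neighbours.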
@@ -785,7 +834,7 @@ EOD; // We don't need a restart at this time because there are additional changes needed in: // "freeradius_settings_resync" and "freeradius_serverdefault_resync". - // restart_service('freeradius'); + // restart_service('radiusd'); freeradius_settings_resync(); } @@ -793,6 +842,26 @@ function freeradius_serverdefault_resync() { global $config; $conf = ''; + + // Get Variables from freeradiusmodulesldap.xml + $arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0]; + + // If unchecked then disable authorize + if (!$arrmodulesldap['varmodulesldapenableauthorize']) { + $varmodulesldapenableauthorize = '### ldap ###'; + } + else { + $varmodulesldapenableauthorize = 'ldap'; + } + + // If unchecked then disable authenticate + if (!$arrmodulesldap['varmodulesldapenableauthenticate']) { + $varmodulesldapenableauthenticate = "#Auth-Type LDAP {" . "\n\t\t\t#ldap" . "\n\t#}"; + } + else { + $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t}"; + } + // Get Variables from freeradiussqlconf.xml $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; $varsqlconfenableauthorize = ($sqlconf['varsqlconfenableauthorize']?$sqlconf['varsqlconfenableauthorize']:'Disable'); 
@@ -832,6 +901,36 @@ function freeradius_serverdefault_resync() { $varsqlconfpostauth = '#sql'; } + // Changing authorize section for plain mac auth + // Variables: If not using 802.1x, mac address must be known + $varsettings = $config['installedpackages']['freeradiussettings']['config'][0]; + + // If unchecked we need the normal EAP section. + if (!$varsettings['varsettingsenablemacauth']) { + $varplainmacauthenable = '##### AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED #####'; + + $varplainmacpreacctenable = '##### ACCOUNTING FOR PLAIN MAC-AUTH DISABLED #####'; + } + // If checked we need to check if it is plain mac or eap + else { + $varplainmacauthenable = ''; + $varplainmacauthenable .= "### FIRST check MAC address in authorized_macs and if that fails proceed with other checks below in else-section ###"; + $varplainmacauthenable .= "\n\t### if cleaning up the Calling-Station-Id...###"; + $varplainmacauthenable .= "\n\trewrite_calling_station_id"; + $varplainmacauthenable .= "\n\t"; + $varplainmacauthenable .= "\n\t# now check against the authorized_macs file"; + $varplainmacauthenable .= "\n\tauthorized_macs"; + $varplainmacauthenable .= "\n\tif (ok) {"; + $varplainmacauthenable .= "\n\t\t\tupdate control {"; + $varplainmacauthenable .= "\n\t\t\tAuth-Type := Accept"; + $varplainmacauthenable .= "\n\t\t}"; + $varplainmacauthenable .= "\n\t}"; + $varplainmacauthenable .= "\n\t### Here we have to place all other authorize modules which should be check when MAC fails ###"; + + $varplainmacpreacctenable = ''; + $varplainmacpreacctenable .= '##### ACCOUNTING FOR PLAIN MAC-AUTH ENABLED #####'; + $varplainmacpreacctenable .= "\n\trewrite_calling_station_id"; + } $conf .= <<<EOD @@ -923,7 +1022,11 @@ authorize { # It takes care of processing the 'raddb/hints' and the # 'raddb/huntgroups' files. preprocess - + + # + # + $varplainmacauthenable + # # If you want to have a log of authentication requests, # un-comment the following line, and the 'detail auth_log' 
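Review bot: In the generated `authorize` text for plain MAC auth, the closing comment says the remaining modules "should be check when MAC fails", but no `else {` is emitted after the `if (ok) { ... }` block, so `suffix`, `ntdomain`, `eap` and `pap` still run unconditionally for an already-accepted MAC; either wrap the rest of the section in an `else` as the comment implies, or reword the comment to say the remaining modules always run. The emitted indentation is uneven (`"\n\t\t\tupdate control {"` is closed by `"\n\t\t}"`), which makes the written `sites-enabled/default` harder to read than the upstream file. It would also help operators to emit a one-line comment above `Auth-Type := Accept` noting that Calling-Station-Id is reported by the NAS and is not itself authenticated, so this path is only as strong as the switch or AP's own port controls. freeradius_serverdefault_resync() starts outside the hunk.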
@@ -970,9 +1073,10 @@ authorize { # Otherwise, when the first style of realm doesn't match, # the other styles won't be checked. # + suffix ntdomain - + # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. @@ -990,10 +1094,12 @@ authorize { # for the many packets that go back and forth to set up TTLS # or PEAP. The load on those servers will therefore be reduced. # + # + eap { ok = return } - + # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want @@ -1022,7 +1128,7 @@ authorize { # # The ldap module will set Auth-Type to LDAP if it has not # already been set -# ldap + $varmodulesldapenableauthorize # # Enforce daily limits on time spent logged in. @@ -1050,7 +1156,7 @@ authorize { # get a chance to set Auth-Type for themselves. # pap - + # # If "status_server = yes", then Status-Server messages are passed # through the following section, and ONLY the following section. @@ -1141,9 +1247,7 @@ authenticate { # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. -# Auth-Type LDAP { -# ldap -# } + $varmodulesldapenableauthenticate # # Allow EAP authentication. @@ -1172,7 +1276,9 @@ authenticate { # preacct { preprocess - + + $varplainmacpreacctenable + # # Session start times are *implied* in RADIUS. # The NAS never sends a "start time". Instead, it sends @@ -1186,10 +1292,9 @@ preacct { # The start time is: NOW - delay - session_length # -# update request { -# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" -# } - + update request { + FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" + } # # Ensure that we have a semi-unique identifier for every 
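Review bot: The `preacct` hunk un-comments the `update request { FreeRADIUS-Acct-Session-Start-Time = ... }` block, which changes the accounting records of every deployment and is not tied to the MAC-auth or LDAP options this commit introduces; a short comment above it such as `# Enabled so accounting records carry a computed session start time` would record why it is now on by default, or it could be made conditional like the other new settings. Several neighbouring hunks (`-970`, `-990`, `-1050`) only change whitespace on blank lines and could be dropped to keep the diff reviewable. The enclosing heredoc starts and ends outside these hunks.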
@@ -1493,7 +1598,7 @@ EOD; conf_mount_ro(); // No need to restart here because the restart of the service will be done in "freeradius_settings_resync" - // restart_service('freeradius'); + // restart_service('radiusd'); } function freeradius_cacertcnf_resync() { @@ -1850,7 +1955,7 @@ function freeradius_allcertcnf_resync() { log_error("freeRADIUS: Added client.csr .crt .key .pem together with ca.der in /usr/local/etc/raddb/certs/client.tar"); // If there were changes on the certificates we need to restart freeradius - restart_service('freeradius'); + restart_service('radiusd'); } } @@ -1982,6 +2087,7 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password) { function freeradius_all_after_XMLRPC_resync() { freeradius_users_resync(); + freeradius_sync_on_changes(); freeradius_clients_resync(); log_error("freeRADIUS has finished XMLRPC process. It should be OK. For more information look at the host which started sync."); 
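Review bot: freeradius_all_after_XMLRPC_resync() now calls freeradius_sync_on_changes() on the host that is receiving an XMLRPC sync, immediately after freeradius_users_resync(), which per the earlier hunk already calls freeradius_sync_on_changes() itself; if the receiving host also has sync configured toward the originator, this pushes the config straight back and the two hosts can ping-pong. The receive-side path should probably not trigger an outbound sync at all, or freeradius_sync_on_changes() needs a guard that it is not running inside an XMLRPC-initiated resync; at minimum add a comment explaining why the extra call is needed here, e.g. `// NOTE: also re-syncs to peers; confirm this cannot loop with the originator`. The function may continue outside the hunk.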
@@ -2258,4 +2364,604 @@ EOD; } +function freeradius_modulesldap_resync() { + global $config; + $conf = ''; + + $arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0]; + + // Enable and Disable LDAP for "authorize" and "authenticate" will be done in "freeradius_serverdefault_resync" + + + // Variables for General Configuration + $varmodulesldapserver = ($arrmodulesldap['varmodulesldapserver']?$arrmodulesldap['varmodulesldapserver']:'ldap.your.domain'); + $varmodulesldapidentity = ($arrmodulesldap['varmodulesldapidentity']?$arrmodulesldap['varmodulesldapidentity']:'cn=admin,o=My Org,c=UA'); + $varmodulesldappassword = ($arrmodulesldap['varmodulesldappassword']?$arrmodulesldap['varmodulesldappassword']:'mypass'); + $varmodulesldapbasedn = ($arrmodulesldap['varmodulesldapbasedn']?$arrmodulesldap['varmodulesldapbasedn']:'o=My Org,c=UA'); + $varmodulesldapfilter = ($arrmodulesldap['varmodulesldapfilter']?$arrmodulesldap['varmodulesldapfilter']:'(uid=%{%{Stripped-User-Name}:-%{User-Name}})'); + $varmodulesldapbasefilter = ($arrmodulesldap['varmodulesldapbasefilter']?$arrmodulesldap['varmodulesldapbasefilter']:'(objectclass=radiusprofile)'); + $varmodulesldapldapconnectionsnumber = ($arrmodulesldap['varmodulesldapldapconnectionsnumber']?$arrmodulesldap['varmodulesldapldapconnectionsnumber']:'5'); + $varmodulesldaptimeout = ($arrmodulesldap['varmodulesldaptimeout']?$arrmodulesldap['varmodulesldaptimeout']:'4'); + $varmodulesldaptimelimit = ($arrmodulesldap['varmodulesldaptimelimit']?$arrmodulesldap['varmodulesldaptimelimit']:'3'); + $varmodulesldapnettimeout = ($arrmodulesldap['varmodulesldapnettimeout']?$arrmodulesldap['varmodulesldapnettimeout']:'1'); + + // Variables for TLS / Certificates - will be added later + + + // Miscellaneous Configuration + MS Active Directory Compatibility + $varmodulesldapmsadcompatibilityenable = 
($arrmodulesldap['varmodulesldapmsadcompatibilityenable']?$arrmodulesldap['varmodulesldapmsadcompatibilityenable']:'Disable'); + if ($arrmodulesldap['varmodulesldapmsadcompatibilityenable'] == 'Disable') { + $varmodulesldapmsadcompatibility = '### MS Active Directory Compatibility is disabled ###'; + } + else { + $varmodulesldapmsadcompatibility = 'chase_referrals = yes' . "\n\trebind = yes"; + } + + // When disabled we put this in the file but commented (#) like in the default installation + if (!$arrmodulesldap['varmodulesldapdmiscenable']) { + $varmodulesldapdefaultprofile = '### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###'; + $varmodulesldapprofileattribute = '### profile_attribute = "radiusProfileDn" ###'; + $varmodulesldapaccessattr = '### access_attr = "dialupAccess" ###'; + } + // When enabled we put in the default values so there is no empty entry if there is not input from GUI + else { + $varmodulesldapdefaultprofile = ($arrmodulesldap['varmodulesldapdefaultprofile']?$arrmodulesldap['varmodulesldapdefaultprofile']:'cn=radprofile,ou=dialup,o=My Org,c=UA'); + $varmodulesldapdefaultprofile = "default_profile = " . '"' . "$varmodulesldapdefaultprofile" . '"'; + $varmodulesldapprofileattribute = ($arrmodulesldap['varmodulesldapprofileattribute']?$arrmodulesldap['varmodulesldapprofileattribute']:'radiusProfileDn'); + $varmodulesldapprofileattribute = "profile_attribute = " . '"' . "$varmodulesldapprofileattribute" . '"'; + $varmodulesldapaccessattr = ($arrmodulesldap['varmodulesldapaccessattr']?$arrmodulesldap['varmodulesldapaccessattr']:'dialupAccess'); + $varmodulesldapaccessattr = "access_attr = " . '"' . "$varmodulesldapaccessattr" . 
'"'; + } + + // Group membership checking + // When disabled we put this in the file but commented (#) like in the default installation + if (!$arrmodulesldap['varmodulesldapgroupenable']) { + $varmodulesldapgroupnameattribute = '### groupname_attribute = cn ###'; + $varmodulesldapgroupmembershipfilter = '### groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###'; + $varmodulesldapgroupmembershipattribute = '### groupmembership_attribute = radiusGroupName ###'; + $varmodulesldapcomparecheckitems = '### compare_check_items = yes ###'; + $varmodulesldapdoxlat = '### do_xlat = yes ###'; + $varmodulesldapaccessattrusedforallow = '### access_attr_used_for_allow = yes ###'; + } + + // When enabled we put in the default values so there is no empty entry if there is not input from GUI + else { + $varmodulesldapgroupnameattribute = ($arrmodulesldap['varmodulesldapgroupnameattribute']?$arrmodulesldap['varmodulesldapgroupnameattribute']:'cn'); + $varmodulesldapgroupnameattribute = "groupname_attribute = $varmodulesldapgroupnameattribute"; + $varmodulesldapgroupmembershipfilter = ($arrmodulesldap['varmodulesldapgroupmembershipfilter']?$arrmodulesldap['varmodulesldapgroupmembershipfilter']:'(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))'); + $varmodulesldapgroupmembershipfilter = "groupmembership_filter = " . '"' . "$varmodulesldapgroupmembershipfilter" . 
'"'; + $varmodulesldapgroupmembershipattribute = ($arrmodulesldap['varmodulesldapgroupmembershipattribute']?$arrmodulesldap['varmodulesldapgroupmembershipattribute']:'radiusGroupName'); + $varmodulesldapgroupmembershipattribute = "groupmembership_attribute = $varmodulesldapgroupmembershipattribute"; + + $varmodulesldapcomparecheckitems = ($arrmodulesldap['varmodulesldapcomparecheckitems']?$arrmodulesldap['varmodulesldapcomparecheckitems']:'yes'); + $varmodulesldapcomparecheckitems = "compare_check_items = $varmodulesldapcomparecheckitems"; + $varmodulesldapdoxlat = ($arrmodulesldap['varmodulesldapdoxlat']?$arrmodulesldap['varmodulesldapdoxlat']:'yes'); + $varmodulesldapdoxlat = "do_xlat = $varmodulesldapdoxlat"; + $varmodulesldapaccessattrusedforallow = ($arrmodulesldap['varmodulesldapaccessattrusedforallow']?$arrmodulesldap['varmodulesldapaccessattrusedforallow']:'yes'); + $varmodulesldapaccessattrusedforallow = "access_attr_used_for_allow = $varmodulesldapaccessattrusedforallow"; + } + + // Keepalive variables + $varmodulesldapkeepaliveidle = ($arrmodulesldap['varmodulesldapkeepaliveidle']?$arrmodulesldap['varmodulesldapkeepaliveidle']:'60'); + $varmodulesldapkeepaliveprobes = ($arrmodulesldap['varmodulesldapkeepaliveprobes']?$arrmodulesldap['varmodulesldapkeepaliveprobes']:'3'); + $varmodulesldapkeepaliveinterval = ($arrmodulesldap['varmodulesldapkeepaliveinterval']?$arrmodulesldap['varmodulesldapkeepaliveinterval']:'3'); + +$conf .= <<<EOD + +# -*- text -*- +# +# $Id$ + +# Lightweight Directory Access Protocol (LDAP) +# +# This module definition allows you to use LDAP for +# authorization and authentication. +# +# See raddb/sites-available/default for reference to the +# ldap module in the authorize and authenticate sections. +# +# However, LDAP can be used for authentication ONLY when the +# Access-Request packet contains a clear-text User-Password +# attribute. LDAP authentication will NOT work for any other +# authentication method. 
+# +# This means that LDAP servers don't understand EAP. If you +# force "Auth-Type = LDAP", and then send the server a +# request containing EAP authentication, then authentication +# WILL NOT WORK. +# +# The solution is to use the default configuration, which does +# work. +# +# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We +# really can't emphasize this enough. +# +ldap { + # + # Note that this needs to match the name in the LDAP + # server certificate, if you're using ldaps. + server = "$varmodulesldapserver" + identity = "$varmodulesldapidentity" + password = $varmodulesldappassword + basedn = "$varmodulesldapbasedn" + filter = "$varmodulesldapfilter" + base_filter = "$varmodulesldapbasefilter" + + # How many connections to keep open to the LDAP server. + # This saves time over opening a new LDAP socket for + # every authentication request. + ldap_connections_number = $varmodulesldapldapconnectionsnumber + + # seconds to wait for LDAP query to finish. default: 20 + timeout = $varmodulesldaptimeout + + # seconds LDAP server has to process the query (server-side + # time limit). default: 20 + # + # LDAP_OPT_TIMELIMIT is set to this value. + timelimit = $varmodulesldaptimelimit + + # + # seconds to wait for response of the server. (network + # failures) default: 10 + # + # LDAP_OPT_NETWORK_TIMEOUT is set to this value. + net_timeout = $varmodulesldapnettimeout + + # + # This subsection configures the tls related items + # that control how FreeRADIUS connects to an LDAP + # server. It contains all of the "tls_*" configuration + # entries used in older versions of FreeRADIUS. Those + # configuration entries can still be used, but we recommend + # using these. + # + tls { + # Set this to 'yes' to use TLS encrypted connections + # to the LDAP database by using the StartTLS extended + # operation. 
+ # + # The StartTLS operation is supposed to be + # used with normal ldap connections instead of + # using ldaps (port 689) connections + start_tls = no + + # cacertfile = /path/to/cacert.pem + # cacertdir = /path/to/ca/dir/ + # certfile = /path/to/radius.crt + # keyfile = /path/to/radius.key + # randfile = /path/to/rnd + + # Certificate Verification requirements. Can be: + # "never" (don't even bother trying) + # "allow" (try, but don't fail if the cerificate + # can't be verified) + # "demand" (fail if the certificate doesn't verify.) + # + # The default is "allow" + # require_cert = "demand" + } + + $varmodulesldapdefaultprofile + $varmodulesldapprofileattribute + $varmodulesldapaccessattr + + # Mapping of RADIUS dictionary attributes to LDAP + # directory attributes. + dictionary_mapping = \${confdir}/ldap.attrmap + ################## THE BELOW IS NOT COMPILED WITH FREERADIUS ################################# + # Set password_attribute = nspmPassword to get the + # user's password from a Novell eDirectory + # backend. This will work ONLY IF FreeRADIUS has been + # built with the --with-edir configure option. + # + # See also the following links: + # + # http://www.novell.com/coolsolutions/appnote/16745.html + # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html + # + # Novell may require TLS encrypted sessions before returning + # the user's password. + # + # password_attribute = userPassword + + # Un-comment the following to disable Novell + # eDirectory account policy check and intruder + # detection. This will work *only if* FreeRADIUS is + # configured to build with --with-edir option. + # + edir_account_policy_check = no + ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS ################################# + # + # Group membership checking. Disabled by default. 
+ # + $varmodulesldapgroupnameattribute + $varmodulesldapgroupmembershipfilter + $varmodulesldapgroupmembershipattribute + + $varmodulesldapcomparecheckitems + $varmodulesldapdoxlat + $varmodulesldapaccessattrusedforallow + + # + # The following two configuration items are for Active Directory + # compatibility. If you see the helpful "operations error" + # being returned to the LDAP module, uncomment the next + # two lines. + # + + $varmodulesldapmsadcompatibility + + # + # By default, if the packet contains a User-Password, + # and no other module is configured to handle the + # authentication, the LDAP module sets itself to do + # LDAP bind for authentication. + # + # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. + # + # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). + # + # You can disable this behavior by setting the following + # configuration entry to "no". + # + # allowed values: {no, yes} + # set_auth_type = yes + + # ldap_debug: debug flag for LDAP SDK + # (see OpenLDAP documentation). Set this to enable + # huge amounts of LDAP debugging on the screen. + # You should only use this if you are an LDAP expert. + # + # default: 0x0000 (no debugging messages) + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) + #ldap_debug = 0x0028 + + # + # Keepalive configuration. This MAY NOT be supported by your + # LDAP library. If these configuration entries appear in the + # output of "radiusd -X", then they are supported. Otherwise, + # they are unsupported, and changing them will do nothing. + # + keepalive { + # LDAP_OPT_X_KEEPALIVE_IDLE + idle = $varmodulesldapkeepaliveidle + + # LDAP_OPT_X_KEEPALIVE_PROBES + probes = $varmodulesldapkeepaliveprobes + + # LDAP_OPT_X_KEEPALIVE_INTERVAL + interval = $varmodulesldapkeepaliveinterval + } +} +EOD; + + $filename = RADDB . 
'/modules/ldap'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + + // We need to rebuild "freeradius_serverdefault_resync" before restart service + // "freeradius_serverdefault_resync" needs to restart other dependencies so we are pointing directly to "freeradius_settings_resync()" + freeradius_settings_resync(); + +} + +function freeradius_plainmacauth_resync() { + global $config; + $conf = ''; + + // Variables: If not using 802.1x, mac address must be known + $varsettings = $config['installedpackages']['freeradiussettings']['config'][0]; + + // defining variables with filename path + $filepolicyconf = '/usr/local/etc/raddb/policy.conf'; + $filepolicyconfbackup = '/usr/local/etc/raddb/policy.conf.backup'; + $filemodulesfiles = '/usr/local/etc/raddb/modules/files'; + $filemodulesfilesbackup = '/usr/local/etc/raddb/files.backup'; + + // If unchecked then plain mac auth is disabled and backups of the original files will be restored + if (!$varsettings['varsettingsenablemacauth']) { + log_error("FreeRADIUS: Restoring the original file from {$filepolicyconfbackup} and {$filemodulesfilesbackup}"); + copy($filepolicyconfbackup, $filepolicyconf); + copy($filemodulesfilesbackup, $filemodulesfiles); + } + // If checked then plain mac auth is enabled + else { + freeradius_modulesfiles_resync(); + freeradius_policyconf_resync(); + } +} + +function freeradius_modulesfiles_resync() { + global $config; + $conf = ''; + + $conf .= <<<EOD +# -*- text -*- +# +# \$Id\$ + +# Livingston-style 'users' file +# +files { + # The default key attribute to use for matches. The content + # of this attribute is used to match the "name" of the + # entry. 
+ #key = "%{Stripped-User-Name:-%{User-Name}}" + + usersfile = \${confdir}/users + acctusersfile = \${confdir}/acct_users + preproxy_usersfile = \${confdir}/preproxy_users + + # If you want to use the old Cistron 'users' file + # with FreeRADIUS, you should change the next line + # to 'compat = cistron'. You can the copy your 'users' + # file from Cistron. + compat = no +} + +# An example which defines a second instance of the "files" module. +# This instance is named "second_files". In order for it to be used +# in a virtual server, it needs to be listed as "second_files" +# inside of the "authorize" section (or other section). If you just +# list "files", that will refer to the configuration defined above. +# + +# The two names here mean: +# "files" - this is a configuration for the "rlm_files" module +# "second_files" - this is a named configuration, which isn't +# the default configuration. +files authorized_macs { + # The default key attribute to use for matches. The content + # of this attribute is used to match the "name" of the + # entry. + key = "%{Calling-Station-ID}" + + usersfile = \${confdir}/authorized_macs + + # If you want to use the old Cistron 'users' file + # with FreeRADIUS, you should change the next line + # to 'compat = cistron'. You can the copy your 'users' + # file from Cistron. + compat = no +} +EOD; + + $filename = RADDB . '/modules/files'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + +} + +function freeradius_policyconf_resync() { + global $config; + $conf = ''; + + $conf .= <<<EOD +# -*- text -*- +## +## policy.conf -- FreeRADIUS server configuration file. +## +## http://www.freeradius.org/ +## \$Id\$ +## + +# +# Policies are virtual modules, similar to those defined in the +# "instantate" section of radiusd.conf. 
+# +# Defining a policy here means that it can be referenced in multiple +# places as a *name*, rather than as a series of conditions to match, +# and actions to take. +# +# Policies are something like subroutines in a normal language, but +# they cannot be called recursively. They MUST be defined in order. +# If policy A calls policy B, then B MUST be defined before A. +# +policy { + # + # Forbid all EAP types. + # + forbid_eap { + if (EAP-Message) { + reject + } + } + + # + # Forbid all non-EAP types outside of an EAP tunnel. + # + permit_only_eap { + if (!EAP-Message) { + # We MAY be inside of a TTLS tunnel. + # PEAP and EAP-FAST require EAP inside of + # the tunnel, so this check is OK. + # If so, then there MUST be an outer EAP message. + if (!"%{outer.request:EAP-Message}") { + reject + } + } + } + + # + # Forbid all attempts to login via realms. + # + deny_realms { + if (User-Name =~ /@|\\\\/) { + reject + } + } + + # + # If you want the server to pretend that it is dead, + # then use the "do_not_respond" policy. + # + do_not_respond { + update control { + Response-Packet-Type := Do-Not-Respond + } + + handled + } + + # + # Force some sanity on User-Name. This helps to avoid issues + # issues where the back-end database is "forgiving" about + # what constitutes a user name. + # + filter_username { + # spaces at the start: reject + if (User-Name =~ /^ /) { + reject + } + + # spaces at the end: reject + if (User-Name =~ / \$\$/) { + reject + } + + # Mixed case: reject + if (User-Name != "%{tolower:%{User-Name}}") { + reject + } + } + + + # + # The following policies are for the Chargeable-User-Identity + # (CUI) configuration. + # + + # + # The client indicates it can do CUI by sending a CUI attribute + # containing one zero byte + # + cui_authorize { + update request { + Chargeable-User-Identity:='\\\\000' + } + } + + # + # Add a CUI attribute based on the User-Name, and a secret key + # known only to this server. 
+ # + cui_postauth { + if (FreeRadius-Proxied-To == 127.0.0.1) { + if (outer.request:Chargeable-User-Identity) { + update outer.reply { + Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}" + } + } + } + else { + if (Chargeable-User-Identity) { + update reply { + Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}" + } + } + } + } + + # + # If there is a CUI attribute in the reply, add it to the DB. + # + cui_updatedb { + if (reply:Chargeable-User-Identity) { + cui + } + } + + # + # If we had stored a CUI for the User, add it to the request. + # + cui_accounting { + # + # If the CUI isn't in the packet, see if we can find it + # in the DB. + # + if (!Chargeable-User-Identity) { + update control { + Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}" + } + } + + # + # If it exists now, then write out when we last saw + # this CUI. + # + if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) { + cui + } + } + + # + # Normalize the MAC Addresses in the Calling/Called-Station-Id + # + mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) + + # Add "rewrite.called_station_id" in the "authorize" and "preacct" + # sections. + rewrite.called_station_id { + if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?\$/i) { + update request { + Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + } + + # SSID component? + if ("%{8}") { + update request { + Called-Station-Id := "%{Called-Station-Id}:%{8}" + } + } + updated + } + else { + noop + } + } + + # Add "rewrite.calling_station_id" in the "authorize" and "preacct" + # sections. 
+ #rewrite.calling_station_id { + # if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}\$/i) { + # update request { + # Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + # } + # updated + # } + # else { + # noop + # } + #} + + ##### MODIFIED FOR http://wiki.freeradius.org/Mac-Auth#Mac-Auth+or+802.1x ##### + # Add "rewrite_calling_station_id" in the "authorize" and "preacct" + # sections. + rewrite_calling_station_id { + if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ + update request { + Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + } + } + else { + noop + } + } +} + +EOD; + + $filename = RADDB . '/policy.conf'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + +} + ?>
\ No newline at end of file diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml index bcff9b17..2b31996a 100755..100644 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -65,7 +65,11 @@ <tab> <text>Users</text> <url>/pkg.php?xml=freeradius.xml</url> - <active/> + <active/> + </tab> + <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> </tab> <tab> <text>NAS / Clients</text> @@ -90,7 +94,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> @@ -101,6 +109,11 @@ </tab> </tabs> <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradius.inc</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/freeradius2/freeradius_view_config.php</item> @@ -143,7 +156,12 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/freeradius2/freeradius.inc</item> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusmodulesldap.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusauthorizedmacs.xml</item> </additional_files_needed> <adddeleteeditpagefields> <columnitem> 
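Review bot: In the `ldap { }` heredoc of freeradius_modulesldap_resync() the line `# $Id$` is not escaped, unlike `# \$Id\$` in the `files` and `policy.conf` heredocs, so PHP interpolates an undefined `$Id` (notice) and writes `# $` into `modules/ldap`; change it to `# \$Id\$`. The module is written with `start_tls = no` hard-coded and the whole `tls { }` block commented out, so the bind `identity`/`password` and every user lookup cross the network in cleartext unless TLS is enabled by other means; until the "will be added later" TLS options exist, that should be stated in the LDAP tab's field descriptions. `password = $varmodulesldappassword` is emitted unquoted while `server`, `identity` and `basedn` are quoted, so a password containing spaces or `#` is likely to be truncated by the config parser; quote it the same way or validate it in the XML field. In `filter_username` the trailing-space test is emitted as `/ \$\$/`, which yields `/ $$/` in the file where the upstream policy.conf has `/ $/`; worth confirming it still matches. This hunk ends at the closing `?>` with no trailing newline.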
@@ -328,10 +346,9 @@ freeradius_install_command(); freeradius_clients_resync(); freeradius_users_resync(); + freeradius_authorizedmacs_resync(); freeradius_eapconf_resync(); freeradius_sqlconf_resync(); - exec("rm -f /usr/local/etc/raddb/sites-enabled/control-socket"); - exec("rm -f /usr/local/etc/raddb/sites-enabled/inner-tunnel"); </custom_php_install_command> <custom_php_deinstall_command> freeradius_deinstall_command(); diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php index 14e37455..6bda5f3e 100755..100644 --- a/config/freeradius2/freeradius_view_config.php +++ b/config/freeradius2/freeradius_view_config.php @@ -37,11 +37,13 @@ function get_file($file){ $files['sql']="/usr/local/etc/raddb/sql.conf"; $files['clients']="/usr/local/etc/raddb/clients.conf"; $files['users']="/usr/local/etc/raddb/users"; + $files['macs']="/usr/local/etc/raddb/authorized_macs"; $files['virtual-server-default']="/usr/local/etc/raddb/sites-enabled/default"; $files['ca']="/usr/local/etc/raddb/certs/ca.cnf"; $files['server']="/usr/local/etc/raddb/certs/server.cnf"; $files['client']="/usr/local/etc/raddb/certs/client.cnf"; $files['index']="/usr/local/etc/raddb/certs/index.txt"; + $files['ldap']="/usr/local/etc/raddb/modules/ldap"; if ($files[$file]!="" && file_exists($files[$file])){ 
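Review bot: The install command gains `freeradius_authorizedmacs_resync();` but no matching `freeradius_modulesldap_resync();`, even though the new freeradiusmodulesldap.xml wires that function into its delete and resync hooks and the view-config page in this commit lists `/usr/local/etc/raddb/modules/ldap` as a viewable file. If that module file is expected to exist before the LDAP tab is first saved, add `freeradius_modulesldap_resync();` after `freeradius_sqlconf_resync();`; if it is intentionally created on first save, a one-line XML comment saying so would spare the next reader the same question.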
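Review bot: The new `$files['ldap']` entry exposes `/usr/local/etc/raddb/modules/ldap` through the View config page, and that file carries the LDAP bind password the new LDAP tab collects (`varmodulesldappassword`), so anyone who can open this page reads the bind credential in clear. Consider masking the value before the contents are returned, in the branch that reads the file, e.g. `$contents = preg_replace('/^(\s*password\s*=\s*).*$/m', '$1********', $contents);` where `$contents` stands for whatever variable holds the file text (the existing `sql.conf` entry has the same property and could get the same treatment). The body of `get_file()` continues past the hunk, so the exact variable is not visible here.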
@@ -80,12 +82,14 @@ else{ <?php $tab_array = array(); $tab_array[] = array(gettext("Users"), false, "/pkg.php?xml=freeradius.xml"); + $tab_array[] = array(gettext("MACs"), false, "/pkg.php?xml=freeradiusauthorizedmacs.xml"); $tab_array[] = array(gettext("NAS / Clients"), false, "/pkg.php?xml=freeradiusclients.xml"); $tab_array[] = array(gettext("Interfaces"), false, "/pkg.php?xml=freeradiusinterfaces.xml"); $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=freeradiussettings.xml&id=0"); $tab_array[] = array(gettext("EAP"), false, "/pkg_edit.php?xml=freeradiuseapconf.xml&id=0"); $tab_array[] = array(gettext("SQL"), false, "/pkg_edit.php?xml=freeradiussqlconf.xml&id=0"); $tab_array[] = array(gettext("Certificates"), false, "/pkg_edit.php?xml=freeradiuscerts.xml&id=0"); + $tab_array[] = array(gettext("LDAP"), false, "/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0"); $tab_array[] = array(gettext("View config"), true, "/freeradius_view_config.php"); $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=freeradiussync.xml&id=0"); display_top_tabs($tab_array); 
@@ -107,11 +111,13 @@ else{ <input type="button" onClick="get_freeradius_file('sql');" id='btn_sql' value="sql.conf"> <input type="button" onClick="get_freeradius_file('clients');" id='btn_clients' value="clients.conf"> <input type="button" onClick="get_freeradius_file('users');" id='btn_users' value="users"> + <input type="button" onClick="get_freeradius_file('macs');" id='btn_macs' value="macs"> <input type="button" onClick="get_freeradius_file('virtual-server-default');" id='btn_virtual-server-default' value="virtual-server-default"> <input type="button" onClick="get_freeradius_file('ca');" id='btn_ca' value="ca.cnf"> <input type="button" onClick="get_freeradius_file('server');" id='btn_server' value="server.cnf"> <input type="button" onClick="get_freeradius_file('client');" id='btn_client' value="client.cnf"> <input type="button" onClick="get_freeradius_file('index');" id='btn_index' value="index.txt"> + <input type="button" onClick="get_freeradius_file('ldap');" id='btn_ldap' value="ldap"> </td> </tr> <tr> @@ -147,11 +153,13 @@ else{ $('btn_sql').value="sql.conf"; $('btn_clients').value="clients.conf"; $('btn_users').value="users"; + $('btn_macs').value="macs"; $('btn_virtual').value="virtual-server-default"; $('btn_ca').value="ca.cnf"; $('btn_server').value="server.cnf"; $('btn_client').value="client.cnf"; $('btn_index').value="index.txt"; + $('btn_ldap').value="ldap"; scroll(0,0); } </script> diff --git a/config/freeradius2/freeradiusauthorizedmacs.xml b/config/freeradius2/freeradiusauthorizedmacs.xml new file mode 100644 index 00000000..021f8772 --- /dev/null +++ b/config/freeradius2/freeradiusauthorizedmacs.xml 
@@ -0,0 +1,201 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> +<![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + freeradius.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ +]]> </copyright> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>freeradiusauthorizedmacs</name> + <version>2.1.12</version> + <title>FreeRADIUS: MACs</title> + <include_file>/usr/local/pkg/freeradius.inc</include_file> + <menu> + <name>FreeRADIUS</name> + <tooltiptext>Modify FreeRADIUS macs, clients, and settings.</tooltiptext> + <section>Services</section> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </menu> + <service> + <name>radiusd</name> + <rcfile>radiusd.sh</rcfile> + <executable>radiusd</executable> + <description><![CDATA[FreeRADIUS Server]]></description> + </service> + + <tabs> + <tab> + <text>Users</text> + <url>/pkg.php?xml=freeradius.xml</url> + </tab> + <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + <active/> + </tab> + <tab> + <text>NAS / Clients</text> + <url>/pkg.php?xml=freeradiusclients.xml</url> + </tab> + <tab> + <text>Interfaces</text> + <url>/pkg.php?xml=freeradiusinterfaces.xml</url> + </tab> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=freeradiussettings.xml&id=0</url> + </tab> + <tab> + <text>EAP</text> + <url>/pkg_edit.php?xml=freeradiuseapconf.xml&id=0</url> + </tab> + <tab> + <text>SQL</text> + <url>/pkg_edit.php?xml=freeradiussqlconf.xml&id=0</url> + </tab> + <tab> + <text>Certificates</text> + <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> + <tab> + <text>View config</text> + <url>/freeradius_view_config.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=freeradiussync.xml&id=0</url> + </tab> + </tabs> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + 
<item>http://www.pfsense.org/packages/config/freeradius2/freeradius.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradius_view_config.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusclients.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiussettings.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiuseapconf.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiussqlconf.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusinterfaces.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiuscerts.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiussync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusmodulesldap.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + 
<chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusauthorizedmacs.xml</item> + </additional_files_needed> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>MAC Address</fielddescr> + <fieldname>varmacaddress</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>GENERAL CONFIGURATION</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>MAC Address</fielddescr> + <fieldname>varmacaddress</fieldname> + <description><![CDATA[Enther the MAC Address of the host. Format is: 00-11-22-33-44-55]]></description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[Enter any description for this MAC you like.]]></description> + <type>input</type> + </field> + </fields> + <custom_delete_php_command> + freeradius_authorizedmacs_resync(); + </custom_delete_php_command> + <custom_php_resync_config_command> + freeradius_authorizedmacs_resync(); + </custom_php_resync_config_command> +</packagegui>
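Review bot: `varmacaddress` is a free-text `<type>input</type>` with no format validation, while its description promises `00-11-22-33-44-55` and the `rewrite_calling_station_id` policy added in freeradius.inc normalises Calling-Station-Id to lowercase hyphen-separated form, so an entry typed in upper case or with colons may never match unless `freeradius_authorizedmacs_resync()` normalises it (its body is not in this diff). A `<custom_php_validation_command>` that rejects anything not matching `/^[0-9a-f]{2}(-[0-9a-f]{2}){5}$/i`, or a description sentence stating that the resync lower-cases and re-delimits the value, would close the gap. The description also has a typo, `Enther`, and the copyright block names the file `freeradius.xml` instead of `freeradiusauthorizedmacs.xml`, unlike the LDAP file in this same commit which names itself correctly.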
\ No newline at end of file diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml index 34ab5a03..e3f6365d 100755..100644 --- a/config/freeradius2/freeradiuscerts.xml +++ b/config/freeradius2/freeradiuscerts.xml @@ -55,6 +55,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> @@ -78,7 +82,11 @@ <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> <active/> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml index 8e5e6b5b..be066937 100755..100644 --- a/config/freeradius2/freeradiusclients.xml +++ b/config/freeradius2/freeradiusclients.xml @@ -54,6 +54,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> <active/> @@ -77,7 +81,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> @@ -86,7 +94,7 @@ <text>XMLRPC Sync</text> <url>/pkg_edit.php?xml=freeradiussync.xml&id=0</url> </tab> -</tabs> + </tabs> <adddeleteeditpagefields> <columnitem> <fielddescr>Client IP Address</fielddescr> diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index dd70a959..309066f0 100755..100644 --- a/config/freeradius2/freeradiuseapconf.xml +++ b/config/freeradius2/freeradiuseapconf.xml 
@@ -55,6 +55,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> @@ -78,7 +82,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml index 3819908e..fd51f800 100755..100644 --- a/config/freeradius2/freeradiusinterfaces.xml +++ b/config/freeradius2/freeradiusinterfaces.xml @@ -54,6 +54,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> @@ -77,7 +81,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml new file mode 100644 index 00000000..06a990e7 --- /dev/null +++ b/config/freeradius2/freeradiusmodulesldap.xml 
@@ -0,0 +1,349 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> +<![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + freeradiusmodulesldap.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ +]]> </copyright> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>freeradiusmodulesldap</name> + <version>none</version> + <title>FreeRADIUS: LDAP</title> + <aftersaveredirect>pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</aftersaveredirect> + <include_file>/usr/local/pkg/freeradius.inc</include_file> + <tabs> + <tab> + <text>Users</text> + <url>/pkg.php?xml=freeradius.xml</url> + </tab> + <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> + <text>NAS / Clients</text> + <url>/pkg.php?xml=freeradiusclients.xml</url> + </tab> + <tab> + <text>Interfaces</text> + <url>/pkg.php?xml=freeradiusinterfaces.xml</url> + </tab> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=freeradiussettings.xml&id=0</url> + </tab> + <tab> + <text>EAP</text> + <url>/pkg_edit.php?xml=freeradiuseapconf.xml&id=0</url> + </tab> + <tab> + <text>SQL</text> + <url>/pkg_edit.php?xml=freeradiussqlconf.xml&id=0</url> + </tab> + <tab> + <text>Certificates</text> + <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + <active/> + </tab> + <tab> + <text>View config</text> + <url>/freeradius_view_config.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=freeradiussync.xml&id=0</url> + </tab> + </tabs> + <fields> + <field> + <name>ENABLE LDAP SUPPORT</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable LDAP For Authorization</fielddescr> + <fieldname>varmodulesldapenableauthorize</fieldname> + <description><![CDATA[This enables LDAP in authorize section. The ldap module will set Auth-Type to LDAP if it has not already been set. 
(Default: unchecked)]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable LDAP For Authentication</fielddescr> + <fieldname>varmodulesldapenableauthenticate</fieldname> + <description><![CDATA[This enables LDAP in authenticate section. Note that this means "check plain-text password against the ldap database", which means that EAP won't work, as it does not supply a plain-text password.]]></description> + <type>checkbox</type> + </field> + <field> + <name>GENERAL CONFIGURATION</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Server</fielddescr> + <fieldname>varmodulesldapserver</fieldname> + <description><![CDATA[No description. (Default: ldap.your.domain )]]></description> + <type>input</type> + <size>80</size> + <default_value>ldap.your.domain</default_value> + </field> + <field> + <fielddescr>Identity</fielddescr> + <fieldname>varmodulesldapidentity</fieldname> + <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[cn=admin,o=My Org,c=UA]]></default_value> + </field> + <field> + <fielddescr>Password</fielddescr> + <fieldname>varmodulesldappassword</fieldname> + <description><![CDATA[No description. (Default: mypass)]]></description> + <type>password</type> + <size>80</size> + <default_value>mypass</default_value> + </field> + <field> + <fielddescr>Basedn</fielddescr> + <fieldname>varmodulesldapbasedn</fieldname> + <description><![CDATA[No description (Default: o=My Org,c=UA )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[o=My Org,c=UA]]></default_value> + </field> + <field> + <fielddescr>Filter</fielddescr> + <fieldname>varmodulesldapfilter</fieldname> + <description><![CDATA[No description. 
(Default: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[(uid=%{%{Stripped-User-Name}:-%{User-Name}})]]></default_value> + </field> + <field> + <fielddescr>Base Filter</fielddescr> + <fieldname>varmodulesldapbasefilter</fieldname> + <description><![CDATA[No description. (Default: (objectclass=radiusprofile) )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[(objectclass=radiusprofile)]]></default_value> + </field> + <field> + <fielddescr>LDAP Connections Number</fielddescr> + <fieldname>varmodulesldapldapconnectionsnumber</fieldname> + <description><![CDATA[How many connections to keep open to the LDAP server. This saves time over opening a new LDAP socket for every authentication request. (Default: 5)]]></description> + <type>input</type> + <size>80</size> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Timeout</fielddescr> + <fieldname>varmodulesldaptimeout</fieldname> + <description><![CDATA[Seconds to wait for LDAP query to finish. (Default: 4)]]></description> + <type>input</type> + <size>80</size> + <default_value>4</default_value> + </field> + <field> + <fielddescr>Timelimit</fielddescr> + <fieldname>varmodulesldaptimelimit</fieldname> + <description><![CDATA[Seconds the LDAP server has to process the query (server-side time limit). (Default: 3)]]></description> + <type>input</type> + <size>80</size> + <default_value>3</default_value> + </field> + <field> + <fielddescr>Net Timeout</fielddescr> + <fieldname>varmodulesldapnettimeout</fieldname> + <description><![CDATA[Seconds to wait for response of the server because of network failures. 
(Default: 1)]]></description> + <type>input</type> + <size>80</size> + <default_value>1</default_value> + </field> + <field> + <name>MISCELLANEOUS CONFIGURATION</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Active Directory Compatibility</fielddescr> + <fieldname>varmodulesldapmsadcompatibilityenable</fieldname> + <description><![CDATA[If you see the helpful "operations error" being returned to the LDAP module enable this. (Default: Disable)]]></description> + <type>select</type> + <default_value>Disable</default_value> + <options> + <option><name>Disable</name><value>Disable</value></option> + <option><name>Enable</name><value>Enable</value></option> + </options> + </field> + <field> + <fielddescr>Enable Misc Configuration</fielddescr> + <fieldname>varmodulesldapdmiscenable</fieldname> + <description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description> + <type>checkbox</type> + <enablefields>varmodulesldapdefaultprofile,varmodulesldapprofileattribute,varmodulesldapaccessattr</enablefields> + </field> + <field> + <fielddescr>Default Profile</fielddescr> + <fieldname>varmodulesldapdefaultprofile</fieldname> + <description><![CDATA[No description. (Default: cn=radprofile,ou=dialup,o=My Org,c=UA )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[cn=radprofile,ou=dialup,o=My Org,c=UA]]></default_value> + </field> + <field> + <fielddescr>Profile Attribute</fielddescr> + <fieldname>varmodulesldapprofileattribute</fieldname> + <description><![CDATA[No description. (Default: radiusProfileDn)]]></description> + <type>input</type> + <size>80</size> + <default_value>radiusProfileDn</default_value> + </field> + <field> + <fielddescr>Access Attribute</fielddescr> + <fieldname>varmodulesldapaccessattr</fieldname> + <description><![CDATA[No description. 
(Default: dialupAccess)]]></description> + <type>input</type> + <size>80</size> + <default_value>dialupAccess</default_value> + </field> + <field> + <name>Group Membership Options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable Group Membership Options</fielddescr> + <fieldname>varmodulesldapgroupenable</fieldname> + <description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description> + <type>checkbox</type> + <enablefields>varmodulesldapaccessattrusedforallow,varmodulesldapdoxlat,varmodulesldapcomparecheckitems,varmodulesldapgroupmembershipattribute,varmodulesldapgroupmembershipfilter,varmodulesldapgroupnameattribute</enablefields> + </field> + <field> + <fielddescr>Groupname Attribute</fielddescr> + <fieldname>varmodulesldapgroupnameattribute</fieldname> + <description><![CDATA[No description. (Default: cn)]]></description> + <type>input</type> + <size>80</size> + <default_value>cn</default_value> + </field> + <field> + <fielddescr>Groupmembership Filter</fielddescr> + <fieldname>varmodulesldapgroupmembershipfilter</fieldname> + <description><![CDATA[No description. (Default: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))]]></default_value> + </field> + <field> + <fielddescr>Groupmembership Attribute</fielddescr> + <fieldname>varmodulesldapgroupmembershipattribute</fieldname> + <description><![CDATA[No description. 
(Default: radiusGroupName)]]></description> + <type>input</type> + <size>80</size> + <default_value>radiusGroupName</default_value> + </field> + <field> + <fielddescr>Compare Check Items</fielddescr> + <fieldname>varmodulesldapcomparecheckitems</fieldname> + <description><![CDATA[No description. (Default: Yes)]]></description> + <type>select</type> + <default_value>Yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>Do XLAT</fielddescr> + <fieldname>varmodulesldapdoxlat</fieldname> + <description><![CDATA[No description. (Default: Yes)]]></description> + <type>select</type> + <default_value>Yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>Access Attribute Used For Allow</fielddescr> + <fieldname>varmodulesldapaccessattrusedforallow</fieldname> + <description><![CDATA[No description. (Default: Yes)]]></description> + <type>select</type> + <default_value>Yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <name>KEEPALIVE CONFIGURATION</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>LDAP OPT X KEEPALIVE IDLE</fielddescr> + <fieldname>varmodulesldapkeepaliveidle</fieldname> + <description><![CDATA[No description. (Default: 60)]]></description> + <type>input</type> + <size>80</size> + <default_value>60</default_value> + </field> + <field> + <fielddescr>LDAP OPT X KEEPALIVE PROBES</fielddescr> + <fieldname>varmodulesldapkeepaliveprobes</fieldname> + <description><![CDATA[No description. 
(Default: 3)]]></description> + <type>input</type> + <size>80</size> + <default_value>3</default_value> + </field> + <field> + <fielddescr>LDAP OPT X KEEPALIVE INTERVAL</fielddescr> + <fieldname>varmodulesldapkeepaliveinterval</fieldname> + <description><![CDATA[No description. (Default: 3)]]></description> + <type>input</type> + <size>80</size> + <default_value>3</default_value> + </field> + </fields> + <custom_delete_php_command> + freeradius_modulesldap_resync(); + </custom_delete_php_command> + <custom_php_resync_config_command> + freeradius_modulesldap_resync(); + </custom_php_resync_config_command> +</packagegui>
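Review bot: `varmodulesldappassword` ships `<default_value>mypass</default_value>`, so an administrator who ticks either enable checkbox without editing the field gets a bind password of `mypass` written into the generated module, and the field's `No description.` text does not say the value must be changed; drop the default and describe the field, e.g. `<description><![CDATA[Password of the bind account. Must be set; a read-only directory account is sufficient.]]></description>`. The form also has no server port or TLS (`start_tls`/ldaps) setting, so with 'Enable LDAP For Authentication' the user's plain-text password bind and the admin bind travel to the LDAP server unencrypted unless the resync function (not in this diff) enables TLS on its own; a TLS option, or at least a description sentence stating the connection is unencrypted, would be appropriate. The fieldname `varmodulesldapdmiscenable` carries an extra `d` compared with its siblings (`varmodulesldapgroupenable`, `varmodulesldapenableauthorize`); if the resync reads it by name, the spelling on both sides must agree.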
\ No newline at end of file diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml index e49aee1a..ea7366fc 100755..100644 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml @@ -55,6 +55,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> @@ -78,7 +82,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> @@ -90,6 +98,16 @@ </tabs> <fields> <field> + <name>PLAIN MAC AUTHORIZATION</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable Plain MAC Auth</fielddescr> + <fieldname>varsettingsenablemacauth</fieldname> + <description><![CDATA[This enables plain MAC auth. The Calling-Station-Id in an Access-Request is first checked against an authorized_macs list before all other authorization methods. If your NAS is not able to convert the MAC in a 802.1X format then you could enable this. If you do not need this leave this disabled. (Default: unchecked)]]></description> + <type>checkbox</type> + </field> + <field> <name>GENERAL CONFIGURATION</name> <type>listtopic</type> </field> 
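Review bot: The description of `varsettingsenablemacauth` explains the matching order but not the trust model: a Calling-Station-Id is supplied by the connecting device, so a match against authorized_macs is an identification check, not authentication. Add a sentence such as `MAC addresses can be forged by the client; use this only for devices that cannot do 802.1X and keep them on a restricted VLAN.` so the operator reading the checkbox understands what the option does and does not protect. Whether a matched MAC bypasses the remaining authorize methods depends on the generated policy, which is not part of this diff.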
@@ -154,20 +172,18 @@ <field> <fielddescr>Logging Destination of RADIUS</fielddescr> <fieldname>varsettingslogdir</fieldname> - <description><![CDATA[Choose the destination where freeRADIUS should log. Logging must be enabled.(Default: radius.log)]]></description> + <description><![CDATA[Choose the destination where freeRADIUS should log. This will log if service started or failed but no authentication information. (Default: radius.log)]]></description> <type>select</type> <default_value>syslog</default_value> <options> <option><name>/var/log/radius.log</name><value>files</value></option> <option><name>System Logs -> System</name><value>syslog</value></option> - <option><name>stdout</name><value>stdout</value></option> - <option><name>stderr</name><value>stderr</value></option> </options> </field> <field> <fielddescr>RADIUS Logging</fielddescr> <fieldname>varsettingsauth</fieldname> - <description><![CDATA[Choose if you want to enable logging. (Default: Disabled)]]></description> + <description><![CDATA[This enables logging if an authentication is accepted or rejected. (Default: Disabled)]]></description> <type>select</type> <default_value>yes</default_value> <options> @@ -178,7 +194,7 @@ <field> <fielddescr>Log Bad Authentication Attempts</fielddescr> <fieldname>varsettingsauthbadpass</fieldname> - <description><![CDATA[Choose if you want to log bad authentication attempts. Logging must be enabled. (Default: no)]]></description> + <description><![CDATA[If an authentication fails then it will log the username and <b>wrong</b> password visible in syslog. Logging must be enabled. (Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> 
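Review bot: The rewritten description for `varsettingslogdir` still states `(Default: radius.log)` while the field's `<default_value>` is `syslog`, and the description for `varsettingsauth` says `(Default: Disabled)` while its `<default_value>` is `yes`; since both lines are being edited anyway, make them agree with the actual defaults, e.g. `(Default: System Logs -> System)` and `(Default: yes)`, or change the default values if the text is the intent. Removing the `stdout`/`stderr` options is fine, but an existing configuration that stored one of those values will no longer match any option; the resync should fall back to `syslog` in that case if it does not already.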
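Review bot: The new descriptions for `varsettingsauthbadpass` here and `varsettingsauthgoodpass` in the following hunk (@@ -189) now state plainly that passwords are written in clear to syslog, which is the right disclosure, but they do not say where that log goes: the pfSense system log is shown in the GUI log viewer and, when remote logging is configured, forwarded to remote syslog servers, so the good-password option writes valid credentials to every log consumer. Append a sentence to both, e.g. `Logged passwords are also sent to any remote syslog servers configured in the system log settings; leave at 'no' except while troubleshooting.`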
@@ -189,7 +205,7 @@ <field> <fielddescr>Log good authentication attempts?</fielddescr> <fieldname>varsettingsauthgoodpass</fieldname> - <description><![CDATA[Choose if you want to log good authentication attempts. Logging must be enabled. (Default: no)]]></description> + <description><![CDATA[If an authentication succeeds then it will log the username and <b>correct</b> password visible in syslog. Logging must be enabled. (Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> @@ -200,7 +216,7 @@ <field> <fielddescr>Log Stripped Names</fielddescr> <fieldname>varsettingsstrippednames</fieldname> - <description><![CDATA[Choose if you want to log the full User-Name attribute as it was found in the request. Logging must be enabled. (Default: no)]]></description> + <description><![CDATA[Choose this if you want to log the full User-Name attribute as it was found in the request. Logging must be enabled. (Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> @@ -282,7 +298,7 @@ <description><![CDATA[You should only change this if you encounter memory leaks while running RADIUS. (Default: 0)]]></description> <type>input</type> <default_value>0</default_value> - </field> + </field> </fields> <custom_delete_php_command> freeradius_settings_resync(); diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml index bce593fe..a5bc4d2e 100755..100644 --- a/config/freeradius2/freeradiussqlconf.xml +++ b/config/freeradius2/freeradiussqlconf.xml @@ -55,6 +55,10 @@ <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> 
@@ -78,7 +82,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml index 4a15c8d2..27f4fe80 100755..100644 --- a/config/freeradius2/freeradiussync.xml +++ b/config/freeradius2/freeradiussync.xml @@ -68,6 +68,10 @@ POSSIBILITY OF SUCH DAMAGE. <url>/pkg.php?xml=freeradius.xml</url> </tab> <tab> + <text>MACs</text> + <url>/pkg.php?xml=freeradiusauthorizedmacs.xml</url> + </tab> + <tab> <text>NAS / Clients</text> <url>/pkg.php?xml=freeradiusclients.xml</url> </tab> @@ -90,7 +94,11 @@ POSSIBILITY OF SUCH DAMAGE. <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> @@ -110,7 +118,7 @@ POSSIBILITY OF SUCH DAMAGE. <fielddescr>Automatically sync freeRADIUS configuration changes?</fielddescr> <fieldname>varsyncenablexmlrpc</fieldname> <description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br> - <b>Important:</b> Only <b>Users</b> and <b>NAS / Clients</b> will be synced.]]></description> + <b>Important:</b> Only <b>Users</b>, <b>MACs</b> and <b>NAS / Clients</b> will be synced.]]></description> <type>checkbox</type> </field> <field> diff --git a/config/mailscanner/mailscanner.inc b/config/mailscanner/mailscanner.inc index 82ce84e7..1a4f284d 100644 --- a/config/mailscanner/mailscanner.inc +++ b/config/mailscanner/mailscanner.inc 
@@ -938,9 +938,12 @@ EOF; unlink_if_exists($libexec_dir.'clamav-wrapper'); } else{ - chown('/var/run/clamav/', 'postfix'); - chown('/var/log/clamav/', 'postfix'); - chown('/var/db/clamav/', 'postfix'); + if (file_exists('/var/run/clamav/')) + chown('/var/run/clamav/', 'postfix'); + if (file_exists('/var/log/clamav/')) + chown('/var/log/clamav/', 'postfix'); + if (file_exists('/var/db/clamav/')) + chown('/var/db/clamav/', 'postfix'); if (file_exists('/var/db/clamav/bytecode.cld')) chown('/var/db/clamav/bytecode.cld', 'postfix'); if (file_exists('/var/db/clamav/daily.cld')) @@ -987,14 +990,21 @@ EOF; } #clamd script file $script='/usr/local/etc/rc.d/clamav-clamd'; - $script_file=file_get_contents($script); - if (preg_match('/NO/',$script_file)){ - $script_file=preg_replace("/NO/","YES",$script_file); - file_put_contents($script, $script_file, LOCK_EX); - chmod ($script,0755); + $script_file=file($script); + foreach ($script_file as $script_line){ + if(preg_match("/command=/",$script_line)){ + $new_clamav_startup.= "/bin/mkdir /var/run/clamav\n"; + $new_clamav_startup.= "chown postfix /var/run/clamav\n"; + $new_clamav_startup.=$script_line; + } + elseif(!preg_match("/(mkdir|chown|sleep|mailscanner)/",$script_line)) { + $new_clamav_startup.=preg_replace("/NO/","YES",$script_line); + } } - mwexec_bg("$script fastrestart"); - + file_put_contents($script, $new_clamav_startup, LOCK_EX); + chmod ($script,0755); + mwexec("$script stop"); + mwexec_bg("$script start"); } } else{ @@ -1010,7 +1020,6 @@ EOF; file_put_contents($script, $script_file, LOCK_EX); chmod ($script,0755); } - mwexec_bg("$script fastrestart"); #check dcc config file $script='/usr/local/dcc/dcc_conf'; $script_file=file_get_contents($script); 
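Review bot: In the `@@ -987,14 +990,21 @@` hunk, `file($script)` is used without checking its result and `$new_clamav_startup` is never initialised, so if the rc script cannot be read the loop iterates over `false`, nothing is appended, and `file_put_contents($script, $new_clamav_startup, LOCK_EX)` truncates `/usr/local/etc/rc.d/clamav-clamd` to an empty file. Add `$new_clamav_startup = '';` before the loop and skip the write entirely (logging via `log_error`) when `file()` returns `false`, so a read failure cannot wipe the service script. The filter `/(mkdir|chown|sleep|mailscanner)/` also drops every original line containing one of those words, not only the lines this code inserted, so a more specific marker matching the exact inserted lines would be safer. The enclosing function starts before and ends after this hunk.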
@@ -1018,7 +1027,9 @@ EOF; $script_file=preg_replace("/DCCIFD_ENABLE=off/","DCCIFD_ENABLE=on",$script_file); file_put_contents($script, $script_file, LOCK_EX); } - + mwexec("$script stop"); + mwexec_bg("$script start"); + $script='/usr/local/etc/rc.d/mailscanner'; #fix MIME::ToolUtils deprecated function and usecure dependency calls in /usr/local/sbin/mailscanner @@ -1037,13 +1048,16 @@ EOF; $script_file=file_get_contents($script); if (preg_match('/NO/',$script_file)){ - $script_file=preg_replace("/NO/","YES",$script_file); - file_put_contents($script, $script_file, LOCK_EX); - } + $script_file=preg_replace("/NO/","YES",$script_file); + file_put_contents($script, $script_file, LOCK_EX); + chmod ($script,0755); + } if($config['installedpackages']['mailscanner']['config'][0]['enable']){ log_error("Reload mailscanner"); chmod ($script,0755); - mwexec_bg("$script fastrestart"); + mwexec("$script stop"); + sleep(2); + mwexec_bg("$script start"); } else{ log_error("Stopping mailscanner if running"); @@ -1196,4 +1210,4 @@ function mailscanner_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { } } -?>
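Review bot: At the point where `mwexec("$script stop")` and `mwexec_bg("$script start")` are added, `$script` still holds `/usr/local/dcc/dcc_conf` (assigned in the preceding hunk as the dcc configuration file, and only reassigned to `/usr/local/etc/rc.d/mailscanner` on the next added line), so these calls attempt to execute the configuration file rather than an rc script; unless the unshown line between the two hunks reassigns it, the dccifd service is not restarted at all. Set `$script` to the dccifd rc script before the stop/start, e.g. `$script = '/usr/local/etc/rc.d/<dccifd-rc-script-placeholder>';`, and keep the reassignment to the mailscanner rc script afterwards. The enclosing function starts and ends outside this hunk.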
\ No newline at end of file +?> diff --git a/config/mailscanner/mailscanner.xml b/config/mailscanner/mailscanner.xml index d7b7dab4..cf00023d 100644 --- a/config/mailscanner/mailscanner.xml +++ b/config/mailscanner/mailscanner.xml @@ -54,7 +54,7 @@ <service> <name>mailscanner</name> <rcfile>mailscanner</rcfile> - <executable>MailScanner</executable> + <executable>perl5.12.4</executable> <description>MailScanner</description> </service> <additional_files_needed> diff --git a/config/nut/nut.inc b/config/nut/nut.inc index 6b7b02ac..28ff3999 100644 --- a/config/nut/nut.inc +++ b/config/nut/nut.inc @@ -94,18 +94,26 @@ function before_form_nut($pkg) { /* return available serial ports */ - $handle = popen('dmesg | grep \'^sio[0-9]: type\'','r'); - $read = fread($handle, 2096); - pclose($handle); - /* explode at the newlines */ - $read = explode("\n",$read); - - /* parse resulting text */ - foreach($read as $line) { - if($line!= '') { - $names[] = 'ttyd'.$line{3}.' (COM'.($line{3}+1).')'; - $values[] = '/dev/ttyd'.$line{3}; + $serial_types = array("sio", "cua", "tty"); + $ignore_files = array(".lock", ".init"); + + foreach($serial_types as $st) { + $devices = glob("/dev/{$st}*"); + foreach($devices as $line) { + if($line != '') { + $ignore = false; + foreach($ignore_files as $if) { + if(strstr($line, $if)) { + $ignore = true; + continue; + } + } + if($ignore == false) { + $names[] = str_replace("/dev/", "", $line); + $values[] = $line; + } + } } } diff --git a/config/squid/squid_auth.xml b/config/squid/squid_auth.xml index c8e34553..d28beb02 100644 --- a/config/squid/squid_auth.xml +++ b/config/squid/squid_auth.xml @@ -48,7 +48,7 @@ <name>squidauth</name> <version>none</version> <title>Proxy server: Authentication</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> diff --git a/config/squid/squid_cache.xml b/config/squid/squid_cache.xml index 55a1ca59..35c9a934 100644 
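Review bot: Pinning `<executable>` to `perl5.12.4` ties the service definition to one interpreter build and, if this field is what the package framework uses to locate the service process (inferred from its previous value `MailScanner`), any running `perl5.12.4` process would satisfy the status check, not only MailScanner. A comment recording the reason, e.g. `<!-- MailScanner is a perl script, so the process name is the interpreter; this must track the installed perl version -->`, would at least document the coupling, and a version-independent match would avoid editing this on every perl upgrade.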
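Review bot: Inside the `foreach($ignore_files as $if)` loop, `continue` only advances the inner loop after `$ignore` has already been set, so it should be `break;` — the current form is harmless but misleading. `glob()` returns `false` on error, which would make `foreach($devices as $line)` emit a warning; adding `if (!$devices) continue;` after the `glob()` call covers that. Matching `/dev/tty*` is also much broader than serial ports (on FreeBSD it would pick up virtual consoles and pseudo-terminals, if present), so the offered device list may need a narrower pattern. The body of `before_form_nut` continues past the end of this hunk.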
--- a/config/squid/squid_cache.xml +++ b/config/squid/squid_cache.xml @@ -48,7 +48,7 @@ <name>squidcache</name> <version>none</version> <title>Proxy server: Cache management</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> diff --git a/config/squid/squid_nac.xml b/config/squid/squid_nac.xml index 401426a6..4ad3800c 100644 --- a/config/squid/squid_nac.xml +++ b/config/squid/squid_nac.xml @@ -48,7 +48,7 @@ <name>squidnac</name> <version>none</version> <title>Proxy server: Access control</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> diff --git a/config/squid/squid_traffic.xml b/config/squid/squid_traffic.xml index d560a7ad..c660a1ea 100644 --- a/config/squid/squid_traffic.xml +++ b/config/squid/squid_traffic.xml @@ -48,7 +48,7 @@ <name>squidtraffic</name> <version>none</version> <title>Proxy server: Traffic management</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> diff --git a/config/squid/squid_upstream.xml b/config/squid/squid_upstream.xml index ad494524..cd87edef 100644 --- a/config/squid/squid_upstream.xml +++ b/config/squid/squid_upstream.xml @@ -48,7 +48,7 @@ <name>squidupstream</name> <version>none</version> <title>Proxy server: Upstream proxy settings</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> diff --git a/config/squid/squid_users.xml b/config/squid/squid_users.xml index eef6389f..272e53f8 100644 --- a/config/squid/squid_users.xml +++ b/config/squid/squid_users.xml 
@@ -48,7 +48,7 @@ <name>squidusers</name> <version>none</version> <title>Proxy server: Local users</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <delete_string>A proxy server user has been deleted.</delete_string> <addedit_string>A proxy server user has been created/modified.</addedit_string> <tabs> diff --git a/config/tinydns/tinydns.inc b/config/tinydns/tinydns.inc index bf0cb4b8..ef6513ee 100644 --- a/config/tinydns/tinydns.inc +++ b/config/tinydns/tinydns.inc @@ -235,9 +235,6 @@ function tinydns_custom_php_changeip_command() { if(!empty($config['installedpackages']['tinydns']['config'][0]['enableforwarding'])) { $interfaces = explode(",", $config['installedpackages']['tinydns']['config'][0]['interface']); - exec("/bin/cp {$g['varetc_path']}/resolv.conf {$g['varetc_path']}/resolv.conf.original"); - exec("/bin/cp {$g['varetc_path']}/resolv.conf {$g['varetc_path']}/resolv.conf.dnscache"); - exec("echo domain {$config['system']['domain']} > {$g['varetc_path']}/resolv.conf"); exec("rm -rf {$g['varetc_path']}/dnscache* {$g['varrun_path']}/service/dnscache*"); foreach ($interfaces as $dnsidx => $dnsif) { $dnscacheif = convert_friendly_interface_to_real_interface_name($dnsif); @@ -269,12 +266,9 @@ function tinydns_custom_php_changeip_command() { exec("/bin/mkdir -p {$g['varetc_path']}/dnscache{$dnsidx}/root/ip"); exec("/usr/bin/touch {$g['varetc_path']}/dnscache{$dnsidx}/root/ip/{$dnsuserip}"); tinydns_create_soa_domain_list($dnsserverip, $dnsidx); - exec("echo nameserver {$dnscacheip} >> {$g['varetc_path']}/resolv.conf"); } exec("/usr/bin/killall -9 dnscache"); } else { - if(file_exists("{$g['varetc_path']}/resolv.conf.original")) - exec("/bin/cp {$g['varetc_path']}/resolv.conf.original {$g['varetc_path']}/resolv.conf"); $interfaces = explode(",", $$config['installedpackages']['tinydns']['config'][0]['interface']); foreach ($interfaces as $dnsidx => $dnsif) { if(is_dir("{$g['varetc_path']}/dnscache{$dnsidx}")) 
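Review bot: In the `else` branch kept as context in the `@@ -269,12 +266,9 @@` hunk, `explode(",", $$config['installedpackages']['tinydns']['config'][0]['interface'])` uses a variable-variable (`$$config`), so the interface list in the disable path is derived from a variable named after the string form of `$config`, not from the configuration; removing the resolv.conf handling in this commit leaves that defect in place. It should read `$interfaces = explode(",", $config['installedpackages']['tinydns']['config'][0]['interface']);`, matching the enabled branch in the `@@ -235,9 +235,6 @@` hunk. The enclosing function `tinydns_custom_php_changeip_command` continues outside the hunk.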
@@ -1188,42 +1182,6 @@ function tinydns_create_soa_domain_list($dnsserverip, $index = 0) { } } -/* This function is not called */ -/* At the moment there is no tagging of DNSroute to a WAN port. It needs to be added */ -function tinydns_register_forwarding_servers() { - global $g; - - $fr = fopen("{$g['varetc_path']}/resolv.conf", "r"); - if (! $fr) { - printf("Error: cannot open resolv.conf in tinydns_register_forwarding_servers().\n"); - return 1; - } - $lip = strlen("nameserver") + 1; - $j = 0; - $nsrecords = ""; - $arecords = ""; - while (!feof($fr)) { - $routers = fgets($fr, 4096); - $discard = ($routers[0] == "\n"); - if(!$discard) { - if ($routerip = strstr($routers,"nameserver")) { - $routerip = substr($routerip,$lip); - if($routerip) { - $j += 1; - $routerfqdn = "DNSroute-{$j}.wan{$j}"; - $routerns = "&::{$routerfqdn}"; - $routera = "={$routerfqdn}:{$routerip}"; - $nsrecords .= $routerns . "\n"; - $arecords .= $routera; - } - } - } - } - fclose($fr); - $dnsroutes ="{$nsrecords}{$arecords}"; - return $dnsroutes; -} - function tinydns_register_root_servers() { $rootservers =<<<EOD &::a.root-servers.net @@ -1306,4 +1264,4 @@ function tinydns_cleanup_addedit_form_record() { } } -?> +?>
\ No newline at end of file |