Diffstat (limited to 'config/freeradius2/freeradius.inc')
-rw-r--r--config/freeradius2/freeradius.inc122
1 files changed, 64 insertions, 58 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index a5f8d15f..ac65ed88 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -56,26 +56,15 @@ function freeradius_deinstall_command() {
function freeradius_install_command() {
global $config;
conf_mount_rw();
- /*
- $handle = opendir(RADDB);
- while (false != ($file = readdir($handle))) {
- if (false != ($pos = strpos($file, '.sample'))) {
- $newfile = substr($file, 0, $pos);
- if (copy(RADDB . "/$file", RADDB . "/$newfile"))
- unlink(RADDB . "/$file");
- }
- }
- closedir($handle);
- */
// We create here different folders for different counters.
- exec("chown -R root:wheel /usr/local/etc/raddb");
+ if (!file_exists("/var/log/radacct/datacounter/")) { exec("mkdir /var/log/radacct/datacounter && mkdir /var/log/radacct/datacounter/daily && mkdir /var/log/radacct/datacounter/weekly && mkdir /var/log/radacct/datacounter/monthly && mkdir /var/log/radacct/datacounter/forever"); }
+ if (!file_exists("/var/log/radacct/timecounter/")) { exec("mkdir /var/log/radacct/timecounter"); }
+
exec("mkdir /usr/local/etc/raddb/scripts");
- exec("chown -R root:wheel /usr/local/lib/freeradius-2.1.12");
- exec("touch /var/log/radutmp && touch /var/log/radwtmp");
- exec("mkdir /var/log/radacct/datacounter/daily" && "mkdir /var/log/radacct/datacounter/weekly" && "mkdir /var/log/radacct/datacounter/monthly" && "mkdir /var/log/radacct/datacounter/forever");
- exec("mkdir /var/log/radacct/timecounter");
- exec("chown -R root:wheel /var/log");
+ if (!file_exists("/var/log/radutmp")) { exec("touch /var/log/radutmp"); }
+ if (!file_exists("/var/log/radwtmp")) { exec("touch /var/log/radwtmp"); }
+ exec("chown -R root:wheel /usr/local/etc/raddb && chown -R root:wheel /usr/local/lib/freeradius-2.1.12 && chown -R root:wheel /var/log/radacct");
// creating a backup file of the original policy.conf no matter if user checked this or not
if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) {
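Review bot: The `mkdir` chain on the added `datacounter` line stops at the first failing command and the result of `exec()` is never examined, so if `/var/log/radacct` itself is missing none of the counter directories get created and nothing is logged; the same holds for the `timecounter` line and the unconditional `exec("mkdir /usr/local/etc/raddb/scripts")` that follows. `file_exists()` is also true for a regular file of that name, so `is_dir()` is the right test. PHP's own recursive `mkdir()` avoids the shell and creates parents in one call, e.g. `foreach (array('daily', 'weekly', 'monthly', 'forever') as $d) { if (!is_dir("/var/log/radacct/datacounter/$d")) { mkdir("/var/log/radacct/datacounter/$d", 0755, true); } }`. freeradius_install_command continues past the end of this hunk.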
@@ -94,37 +83,38 @@ function freeradius_install_command() {
if (file_exists("/usr/local/etc/raddb/sites-enabled/inner-tunnel")) { unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel"); }
// We need some additional files in /usr/local/lib for the LDAP module. We fetch these files dependent on the architecture.
- // For i386 systems
- if (exec("uname -m") == "i386") {
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10");
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10");
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10");
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10");
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10");
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10");
- exec("chmod 0755 /usr/local/lib/libasn1.so.10");
- exec("chmod 0755 /usr/local/lib/libgssapi.so.10");
- exec("chmod 0755 /usr/local/lib/libheimntlm.so.10");
- exec("chmod 0755 /usr/local/lib/libhx509.so.10");
- exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10");
- exec("chmod 0755 /usr/local/lib/libroken.so.10");
- }
- // For amd64 systems
- else {
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10");
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10");
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10");
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10");
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10");
- exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10");
- exec("chmod 0755 /usr/local/lib/libasn1.so.10");
- exec("chmod 0755 /usr/local/lib/libgssapi.so.10");
- exec("chmod 0755 /usr/local/lib/libheimntlm.so.10");
- exec("chmod 0755 /usr/local/lib/libhx509.so.10");
- exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10");
- exec("chmod 0755 /usr/local/lib/libroken.so.10");
+ if (!file_exists("/usr/local/lib/libasn1.so.10") || !file_exists("/usr/local/lib/libgssapi.so.10") || !file_exists("/usr/local/lib/libheimntlm.so.10") || !file_exists("/usr/local/lib/libhx509.so.10") || !file_exists("/usr/local/lib/ldd/libkrb5.so.10") || !file_exists("/usr/local/lib/libroken.so.10")) {
+ // For i386 systems
+ if (exec("uname -m") == "i386") {
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10");
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10");
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10");
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10");
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10");
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10");
+ exec("chmod 0755 /usr/local/lib/libasn1.so.10");
+ exec("chmod 0755 /usr/local/lib/libgssapi.so.10");
+ exec("chmod 0755 /usr/local/lib/libheimntlm.so.10");
+ exec("chmod 0755 /usr/local/lib/libhx509.so.10");
+ exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10");
+ exec("chmod 0755 /usr/local/lib/libroken.so.10");
+ }
+ // For amd64 systems
+ else {
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10");
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10");
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10");
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10");
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10");
+ exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10");
+ exec("chmod 0755 /usr/local/lib/libasn1.so.10");
+ exec("chmod 0755 /usr/local/lib/libgssapi.so.10");
+ exec("chmod 0755 /usr/local/lib/libheimntlm.so.10");
+ exec("chmod 0755 /usr/local/lib/libhx509.so.10");
+ exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10");
+ exec("chmod 0755 /usr/local/lib/libroken.so.10");
+ }
}
-
// We run this here just to suppress some warnings on syslog if file doesn't exist
freeradius_authorizedmacs_resync();
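Review bot: The new `if (!file_exists(...) || ...)` guard tests `/usr/local/lib/ldd/libkrb5.so.10`, but the fetch that follows runs in `/usr/local/lib/` and so writes `/usr/local/lib/libkrb5.so.10`; the `ldd/` path never exists, the condition is always true and all six libraries are re-downloaded on every install, while the `chmod 0755 /usr/local/lib/ldd/libkrb5.so.10` in both branches fails silently and leaves libkrb5 with whatever mode fetch gave it. All three occurrences should read `/usr/local/lib/libkrb5.so.10` (the typo was carried over from the removed lines). Separately, these are shared objects that radiusd will load, fetched over plain HTTP from a third-party host with no integrity check; the install should at least compare each file against an expected digest shipped with the package before the chmod, e.g. `if (hash_file('sha256', $lib) !== $expected_sha256[$lib]) { unlink($lib); }` and report the failure, rather than installing whatever arrived. freeradius_install_command starts and ends outside this hunk.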
@@ -789,6 +779,23 @@ function freeradius_clients_resync() {
$varrequiremessageauthenticator = $item['varrequiremessageauthenticator'];
$varclientnastype = $item['varclientnastype'];
$varclientmaxconnections = $item['varclientmaxconnections'];
+ $varclientlogininput = ($item['varclientlogininput']?$item['varclientlogininput']:'### login = !root ###');
+ $varclientpasswordinput = ($item['varclientpasswordinput']?$item['varclientpasswordinput']:'### password = someadminpass ###');
+
+ if ($item['varclientlogininput'] == '') {
+ $varclientlogin = '### login = !root ###';
+ }
+ else {
+ $varclientlogin = "login = $varclientlogininput";
+ }
+ if ($item['varclientpasswordinput'] == '') {
+ $varclientpassword = '### password = someadminpass ###';
+ }
+ else {
+ $varclientpassword = "password = $varclientpasswordinput";
+ }
+
+
$conf .= <<<EOD
client "$varclientshortname" {
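Review bot: `$varclientlogininput` and `$varclientpasswordinput` on the first two added lines are derived with a truthiness ternary, but the `if`/`else` below re-tests `$item[...] == ''`, and the two checks disagree for a value of `"0"`: the ternary substitutes the placeholder comment, then the `else` branch emits `login = ### login = !root ###`. The ternaries can go, with the else branches using the raw item, `$varclientlogin = "login = " . $item['varclientlogininput'];` and likewise for the password, or the `if` should test the derived variable it uses. Both values are then interpolated unquoted into the clients.conf heredoc here and in the next hunk (`$varclientlogin` / `$varclientpassword`), so an admin-entered password containing whitespace or `}` breaks the generated file; FreeRADIUS accepts double-quoted values, so `$varclientpassword = "password = \"$varclientpasswordinput\"";` is safer, provided embedded `"` are escaped as well. freeradius_clients_resync begins outside this hunk.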
@@ -799,10 +806,8 @@ client "$varclientshortname" {
max_connections = $varclientmaxconnections
shortname = $varclientshortname
nastype = $varclientnastype
- #login = !root
- #password = someadminpas
- #virtual_server = home1
- #coa_server = coa
+ $varclientlogin
+ $varclientpassword
}
EOD;
@@ -831,6 +836,8 @@ EOD;
function freeradius_eapconf_resync() {
global $config;
+ // We make this write enabled here because embedded systems need to write certs in ../raddb/certs/ folder
+ conf_mount_rw();
$conf = '';
$eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0];
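Review bot: Moving `conf_mount_rw();` to the top of freeradius_eapconf_resync, with the matching `conf_mount_ro()` left at the very end (next hunk), keeps the filesystem writable for the whole function instead of just around `file_put_contents`; if any code between the two hunks returns early — not visible here — it now exits without remounting read-only. Unless the cert writes really happen before the `eap.conf` write, the narrower placement of the removed line was safer; otherwise each early `return` needs a `conf_mount_ro();` in front of it. The same restructuring is applied to freeradius_allcertcnf_resync in the hunk at line 2341.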
@@ -1064,7 +1071,6 @@ else {
EOD;
$filename = RADDB . '/eap.conf';
- conf_mount_rw();
file_put_contents($filename, $conf);
chmod($filename, 0640);
conf_mount_ro();
@@ -2341,6 +2347,8 @@ EOD;
function freeradius_allcertcnf_resync() {
global $config;
+ // We need to make this write enabled for embedded systems to write certs
+ conf_mount_rw();
// Only proceed these steps if freeRADIUS Cert-Manager is activated. if pfSense cert manager is used skip this.
@@ -2448,6 +2456,8 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') {
else {
return;
}
+// Read-only because of embedded systems
+conf_mount_r0();
} //end of function
// ##### The following part is based on the code of pfblocker #####
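Review bot: The added `conf_mount_r0();` names a function that does not exist — the last character is a zero, not the letter o — so every path that reaches the end of freeradius_allcertcnf_resync dies with an undefined-function fatal error; it should be `conf_mount_ro();`. Even with that fixed, the `else { return; }` directly above leaves the function after the `conf_mount_rw()` added at its top in the previous hunk without remounting, so a non-empty `vareapconfchoosecertmanager` leaves the filesystem writable; put `conf_mount_ro();` before that `return;` or restructure so the remount is unconditional. The function begins outside this hunk.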
@@ -3952,12 +3962,8 @@ function freeradius_modulesmotp_resync() {
$conf .= <<<EOD
exec motp {
wait = yes
- program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{User-Name} %{User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
- input_pairs = reply
- #output_pairs = config
- }
-
-
+ program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
+ }
EOD;
$filename = RADDB . '/modules/motp';