Diffstat (limited to 'config/freeradius2/freeradius.inc')
-rw-r--r-- | config/freeradius2/freeradius.inc | 445 |
1 files changed, 240 insertions, 205 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 35566e22..60ccbdf4 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc 
@@ -45,76 +45,58 @@ require_once("globals.inc"); require_once("filter.inc"); require_once("services.inc"); -define('RADDB', '/usr/local/etc/raddb'); +// Check pfSense version +$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); +switch ($pfs_version) { + case "1.2": + case "2.0": + define('FREERADIUS_BASE', '/usr/local'); + break; + default: + define('FREERADIUS_BASE', '/usr/pbi/freeradius-' . php_uname("m")); +} +// End: Check pfSense version function freeradius_deinstall_command() { - exec("cd /var/db/pkg && pkg_delete `ls | grep freeradius`"); - exec("rm -rf /usr/local/etc/raddb/"); - exec("rm -rf /var/run/radiusd/"); + if (substr(trim(file_get_contents("/etc/version")),0,3) == "2.0") { + exec("cd /var/db/pkg && pkg_delete `ls | grep freeradius`"); + exec("rm -rf " . FREERADIUS_BASE . "/etc/raddb"); + exec("rm -rf /var/run/radiusd/"); + } } function freeradius_install_command() { global $config; conf_mount_rw(); + // put the constant to a variable + $varFREERADIUS_BASE = FREERADIUS_BASE; + // We create here different folders for different counters. if (!file_exists("/var/log/radacct/datacounter/")) { exec("mkdir /var/log/radacct/datacounter && mkdir /var/log/radacct/datacounter/daily && mkdir /var/log/radacct/datacounter/weekly && mkdir /var/log/radacct/datacounter/monthly && mkdir /var/log/radacct/datacounter/forever"); } if (!file_exists("/var/log/radacct/timecounter/")) { exec("mkdir /var/log/radacct/timecounter"); } - exec("mkdir /usr/local/etc/raddb/scripts"); + exec("mkdir " . FREERADIUS_BASE . "/etc/raddb/scripts"); if (!file_exists("/var/log/radutmp")) { exec("touch /var/log/radutmp"); } if (!file_exists("/var/log/radwtmp")) { exec("touch /var/log/radwtmp"); } - exec("chown -R root:wheel /usr/local/etc/raddb && chown -R root:wheel /usr/local/lib/freeradius-2.1.12 && chown -R root:wheel /var/log/radacct"); + exec("chown -R root:wheel " . FREERADIUS_BASE . "/etc/raddb && chown -R root:wheel " . FREERADIUS_BASE . 
"/lib/freeradius-2.1.12 && chown -R root:wheel /var/log/radacct"); // creating a backup file of the original policy.conf no matter if user checked this or not - if (!file_exists("/usr/local/etc/raddb/policy.conf.backup")) { - log_error("FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/policy.conf.backup"); - copy("/usr/local/etc/raddb/policy.conf", "/usr/local/etc/raddb/policy.conf.backup"); + if (!file_exists(FREERADIUS_BASE . "/etc/raddb/policy.conf.backup")) { + log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_BASE . "/etc/raddb/policy.conf.backup"); + copy(FREERADIUS_BASE . "/etc/raddb/policy.conf", FREERADIUS_BASE . "/etc/raddb/policy.conf.backup"); } // creating a backup file of the original /modules/files no matter if user checked this or not - if (!file_exists("/usr/local/etc/raddb/files.backup")) { - log_error("FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/files.backup"); - copy("/usr/local/etc/raddb/modules/files", "/usr/local/etc/raddb/files.backup"); + if (!file_exists(FREERADIUS_BASE . "/etc/raddb/files.backup")) { + log_error("FreeRADIUS: Creating backup of the original file to " . FREERADIUS_BASE . "/etc/raddb/files.backup"); + copy(FREERADIUS_BASE . "/etc/raddb/modules/files", FREERADIUS_BASE . "/etc/raddb/files.backup"); } // Disable virtual-server we do not need by default - if (file_exists("/usr/local/etc/raddb/sites-enabled/control-socket")) { unlink("/usr/local/etc/raddb/sites-enabled/control-socket"); } - if (file_exists("/usr/local/etc/raddb/sites-enabled/inner-tunnel")) { unlink("/usr/local/etc/raddb/sites-enabled/inner-tunnel"); } - - // We need some additional files in /usr/local/lib for the LDAP module. We fetch these files dependent on the architecture. 
- if (!file_exists("/usr/local/lib/libasn1.so.10") || !file_exists("/usr/local/lib/libgssapi.so.10") || !file_exists("/usr/local/lib/libheimntlm.so.10") || !file_exists("/usr/local/lib/libhx509.so.10") || !file_exists("/usr/local/lib/ldd/libkrb5.so.10") || !file_exists("/usr/local/lib/libroken.so.10")) { - // For i386 systems - if (exec("uname -m") == "i386") { - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libasn1.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libgssapi.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libheimntlm.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libhx509.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libkrb5.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/All/ldd/libroken.so.10"); - exec("chmod 0755 /usr/local/lib/libasn1.so.10"); - exec("chmod 0755 /usr/local/lib/libgssapi.so.10"); - exec("chmod 0755 /usr/local/lib/libheimntlm.so.10"); - exec("chmod 0755 /usr/local/lib/libhx509.so.10"); - exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10"); - exec("chmod 0755 /usr/local/lib/libroken.so.10"); - } - // For amd64 systems - else { - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10"); - exec("cd /usr/local/lib/ && fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10"); - exec("chmod 0755 /usr/local/lib/libasn1.so.10"); - 
exec("chmod 0755 /usr/local/lib/libgssapi.so.10"); - exec("chmod 0755 /usr/local/lib/libheimntlm.so.10"); - exec("chmod 0755 /usr/local/lib/libhx509.so.10"); - exec("chmod 0755 /usr/local/lib/ldd/libkrb5.so.10"); - exec("chmod 0755 /usr/local/lib/libroken.so.10"); - } - } + if (file_exists(FREERADIUS_BASE . "/etc/raddb/sites-enabled/control-socket")) { unlink(FREERADIUS_BASE . "/etc/raddb/sites-enabled/control-socket"); } + if (file_exists(FREERADIUS_BASE . "/etc/raddb/sites-enabled/inner-tunnel")) { unlink(FREERADIUS_BASE . "/etc/raddb/sites-enabled/inner-tunnel"); } + // We run this here just to suppress some warnings on syslog if file doesn't exist freeradius_authorizedmacs_resync(); @@ -139,8 +121,8 @@ function freeradius_install_command() { $rcfile = array(); $rcfile['file'] = 'radiusd.sh'; - $rcfile['start'] = '/usr/local/etc/rc.d/radiusd onestart'; - $rcfile['stop'] = '/usr/local/etc/rc.d/radiusd onestop'; + $rcfile['start'] = "$varFREERADIUS_BASE" . '/etc/rc.d/radiusd onestart'; + $rcfile['stop'] = "$varFREERADIUS_BASE" . '/etc/rc.d/radiusd onestop'; write_rcfile($rcfile); conf_mount_ro(); start_service("radiusd"); @@ -150,6 +132,9 @@ function freeradius_settings_resync() { global $config; $conf = ''; + // put the constant to a variable + $varFREERADIUS_BASE = FREERADIUS_BASE; + // We do some checks of some folders which will be deleted after reboot on nanobsd systems if (!file_exists("/var/log/radacct/")) { exec("mkdir /var/log/radacct"); } if (!file_exists("/var/log/radacct/datacounter/")) { exec("mkdir /var/log/radacct/datacounter && mkdir /var/log/radacct/datacounter/daily && mkdir /var/log/radacct/datacounter/weekly && mkdir /var/log/radacct/datacounter/monthly && mkdir /var/log/radacct/datacounter/forever"); } @@ -218,7 +203,7 @@ function freeradius_settings_resync() { $conf .= <<<EOD -prefix = /usr/local +prefix = $varFREERADIUS_BASE exec_prefix = \${prefix} sysconfdir = \${prefix}/etc localstatedir = /var 
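Review bot: `freeradius_deinstall_command` now runs its cleanup only when the version string is exactly "2.0", although the `switch` above maps both "1.2" and "2.0" to `/usr/local`; if 1.2 is still a target, the raddb tree and `/var/run/radiusd/` that this file creates are no longer removed there, and on the PBI versions nothing in this function removes the key material the package later writes under `FREERADIUS_BASE . "/etc/raddb/certs"` — unless PBI removal is known to delete that directory, an explicit `exec("rm -rf " . FREERADIUS_BASE . "/etc/raddb/certs");` belongs in the non-2.0 path. The version probe is also duplicated instead of reusing the file-level `$pfs_version`; `global $pfs_version; if (in_array($pfs_version, array("1.2", "2.0"))) {` keeps the cleanup condition in step with the definition of `FREERADIUS_BASE`. A one-line comment on the `define` would help too: `// FREERADIUS_BASE is the install prefix: /usr/local on 1.2/2.0, the per-arch PBI dir on newer releases`.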
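Review bot: `"$varFREERADIUS_BASE" . '/etc/rc.d/radiusd onestart'` wraps a plain variable in double quotes only to concatenate it; the local copy is needed for heredoc interpolation elsewhere, but here `FREERADIUS_BASE . '/etc/rc.d/radiusd onestart'` (and likewise the `stop` line) reads directly and avoids relying on a variable assigned far above. The `$rcfile` block is part of `freeradius_install_command`, which starts before this hunk.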
@@ -257,7 +242,7 @@ extended_expressions = $varsettingsextendedexpressions EOD; // Deletes virtual-server coa by default. Will be re-enabled if there is an interface-type "coa" -exec("rm -f /usr/local/etc/raddb/sites-enabled/coa"); +exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/coa"); $arrinterfaces = $config['installedpackages']['freeradiusinterfaces']['config']; if (is_array($arrinterfaces) && !empty($arrinterfaces)) { @@ -284,7 +269,7 @@ EOD; // Begin "if" for interface-type = coa if ($item['varinterfacetype'] == 'coa') { // Enables virtual-server coa because interface-type is coa - exec("ln -s /usr/local/etc/raddb/sites-available/coa /usr/local/etc/raddb/sites-enabled/"); + exec("ln -s " . FREERADIUS_BASE . "/etc/raddb/sites-available/coa " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/"); $conf .= <<<EOD listen { type = $varinterfacetype @@ -375,7 +360,7 @@ instantiate { EOD; conf_mount_rw(); - file_put_contents(RADDB . '/radiusd.conf', $conf); + file_put_contents(FREERADIUS_BASE . '/etc/raddb/radiusd.conf', $conf); conf_mount_ro(); // "freeradius_sqlconf_resync" is pointing to this function because we need to run "freeradius_serverdefault_resync" and after that restart freeradius. @@ -405,6 +390,18 @@ if (is_array($arrusers) && !empty($arrusers)) { $varusersusername = $users['varusersusername']; $varuserspassword = $users['varuserspassword']; + + // Check password encryption + $varuserspasswordencryption = ($users['varuserspasswordencryption']?$users['varuserspasswordencryption']:'Cleartext-Password'); + switch ($varuserspasswordencryption) { + case "MD5-Password": + $varuserspassword = md5($varuserspassword); + break; + default: + $varuserspassword = $users['varuserspassword']; + } + + $varusersmotpinitsecret = $users['varusersmotpinitsecret']; $varusersmotppin = $users['varusersmotppin']; $varusersmotpoffset = ($users['varusersmotpoffset']?$users['varusersmotpoffset']:'0'); 
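Review bot: The new `switch` on `$varuserspasswordencryption` only transforms the MD5 case and passes any other value through unchanged, and the `@@ -482` hunk then writes that string verbatim as the attribute name in the `users` file, so a config value outside the two expected names ends up as an unknown attribute in a file radiusd loads; normalise it in the default branch — `default: $varuserspasswordencryption = 'Cleartext-Password';` — which also makes the redundant `$varuserspassword = $users['varuserspassword'];` reassignment unnecessary. A short comment above the block would save the next reader a lookup: `// MD5-Password stores an unsalted hex MD5; it works only with PAP-style methods (MS-CHAP/PEAP need the cleartext or NT hash) and the cleartext value still remains in config.xml`. The `foreach` over `$arrusers` that this code sits in starts before the hunk.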
@@ -482,7 +479,7 @@ if (is_array($arrusers) && !empty($arrusers)) { } else { // Add the user attributes to each user. - $varuserscheckitem = '"' . $varusersusername . '"' . " Cleartext-Password := " . '"' . $varuserspassword .'"'; + $varuserscheckitem = '"' . $varusersusername . '"' . " $varuserspasswordencryption := " . '"' . $varuserspassword .'"'; } } // end of check if otp is enabled @@ -553,7 +550,7 @@ if (is_array($arrusers) && !empty($arrusers)) { if ($varusersmaxtotaloctets != '') { if ($varusersreplyitem != '') { $varusersreplyitem .=","; } //create exec script - $varusersreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh ' . "$varusersusername $varusersmaxtotaloctetstimerange" . '"'; + $varusersreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh ' . FREERADIUS_BASE . '/etc/raddb/scripts/datacounter_auth.sh ' . "$varusersusername $varusersmaxtotaloctetstimerange" . '"'; // create limit file - will be always overwritten so we can increase limit from GUI exec("`echo $varusersmaxtotaloctets > /var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername`"); // if used-octets file exist we do NOT overwrite this file!!! @@ -581,7 +578,7 @@ EOD; } //end foreach } // end if - $filename = RADDB . '/users'; + $filename = FREERADIUS_BASE . '/etc/raddb/users'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); 
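Review bot: The rewritten `Exec-Program-Wait` line still splices `$varusersusername` and `$varusersmaxtotaloctetstimerange` unquoted into a command string that radiusd hands to `/bin/sh`, and the context line right after it passes the same values through a PHP `exec()` with backticks; since the line is being touched anyway, quote the two values, e.g. `. escapeshellarg($varusersusername) . ' ' . escapeshellarg($varusersmaxtotaloctetstimerange) .`, after checking that single quotes survive FreeRADIUS's own string expansion of the reply item. The values come from the package GUI, so the practical risk is an odd username breaking the counter script rather than anonymous input, but the file is regenerated on every resync. The `$varmacsaddress` line in the `@@ -734` hunk has the same shape. The enclosing `if ($varusersmaxtotaloctets != '')` block and its foreach start before this hunk.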
@@ -734,7 +731,7 @@ if (is_array($arrmacs) && !empty($arrmacs)) { if ($varmacsmaxtotaloctets != '') { if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; } //create exec script - $varmacsreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh ' . "$varmacsaddress $varmacsmaxtotaloctetstimerange" . '"'; + $varmacsreplyitem .= "\n\tExec-Program-Wait = " . '"/bin/sh ' . FREERADIUS_BASE . '/etc/raddb/scripts/datacounter_auth.sh ' . "$varmacsaddress $varmacsmaxtotaloctetstimerange" . '"'; // create limit file - will be always overwritten so we can increase limit from GUI exec("`echo $varmacsmaxtotaloctets > /var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress`"); // if used-octets file exist we do NOT overwrite this file!!! @@ -762,7 +759,7 @@ EOD; } //end foreach } // end if - $filename = RADDB . '/authorized_macs'; + $filename = FREERADIUS_BASE . '/etc/raddb/authorized_macs'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -833,7 +830,7 @@ EOD; } conf_mount_rw(); - file_put_contents(RADDB . '/clients.conf', $conf); + file_put_contents(FREERADIUS_BASE . '/etc/raddb/clients.conf', $conf); conf_mount_ro(); freeradius_sync_on_changes(); 
@@ -901,12 +898,12 @@ function freeradius_eapconf_resync() { // This is for enable/disbable MS SoH in EAP-PEAP and the virtuial-server "soh-server" if ($eapconf['vareapconfpeapsohenable'] == 'Enable') { $vareapconfpeapsoh = 'soh = yes' . "\n\t\t\tsoh_virtual_server = " . '"' . "soh-server" . '"'; - exec("ln -s /usr/local/etc/raddb/sites-available/soh /usr/local/etc/raddb/sites-enabled/"); + exec("ln -s " . FREERADIUS_BASE . "/etc/raddb/sites-available/soh " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/"); } else { $vareapconfpeapsoh = '### MS SoH Server is disabled ###'; - if (file_exists("/usr/local/etc/raddb/sites-enabled/soh")) { - exec("rm -f /usr/local/etc/raddb/sites-enabled/soh"); + if (file_exists(FREERADIUS_BASE . "/etc/raddb/sites-enabled/soh")) { + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/sites-enabled/soh"); } } 
@@ -920,33 +917,33 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { $ca_cert = lookup_ca($eapconf["ssl_ca_cert"]); if ($ca_cert != false) { if(base64_decode($ca_cert['prv'])) { - file_put_contents(RADDB . "/certs/ca_key.pem", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_key.pem", base64_decode($ca_cert['prv'])); - $conf['ssl_ca_key'] = RADDB . '/certs/ca_key.pem'; + $conf['ssl_ca_key'] = FREERADIUS_BASE . '/etc/raddb/certs/ca_key.pem'; } if(base64_decode($ca_cert['crt'])) { - file_put_contents(RADDB . "/certs/ca_cert.pem", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem", base64_decode($ca_cert['crt'])); - $conf['ssl_ca_cert'] = RADDB . "/certs/ca_cert.pem"; + $conf['ssl_ca_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem"; } $svr_cert = lookup_cert($eapconf["ssl_server_cert"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { - file_put_contents(RADDB . "/certs/server_key.pem", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/server_key.pem", base64_decode($svr_cert['prv'])); - $conf['ssl_key'] = RADDB . '/certs/server_key.pem'; + $conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/server_key.pem'; } } if(base64_decode($svr_cert['crt'])) { - file_put_contents(RADDB . "/certs/server_cert.pem", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/server_cert.pem", base64_decode($svr_cert['crt'])); - $conf['ssl_server_cert'] = RADDB . "/certs/server_cert.pem"; + $conf['ssl_server_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/server_cert.pem"; } 
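Review bot: The rewritten `file_put_contents` calls write the CA and server private keys (`ca_key.pem`, `server_key.pem`) with whatever mode the process umask yields, while the generated `eap.conf` later in the file is explicitly `chmod`ed to 0640; add `chmod(FREERADIUS_BASE . "/etc/raddb/certs/ca_key.pem", 0600);` after each key write (and the same for `server_key.pem`). The identical pattern is in the `@@ -954` hunk for `client_key.pem` and the `client_cert.p12` exported there with `-passout pass:` (an empty export password), and in the `@@ -2913` and `@@ -2960` LDAP hunks for the `ca_ldap*_key.pem` and `radius_ldap*_cert.key` files. Whether `$conf['ssl_ca_key']` is consumed at all is not visible here — if the generated eap.conf never references it, the CA private key does not need to be copied onto the RADIUS host. The enclosing `if ($eapconf['vareapconfchoosecertmanager'] == 'on')` block starts before and ends after this hunk.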
@@ -954,23 +951,23 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { $svr_cert = lookup_cert($eapconf["ssl_client_cert"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { - file_put_contents(RADDB . "/certs/client_key.pem", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/client_key.pem", base64_decode($svr_cert['prv'])); - $conf['ssl_key'] = RADDB . '/certs/client_key.pem'; + $conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/client_key.pem'; } } if(base64_decode($svr_cert['crt'])) { - file_put_contents(RADDB . "/certs/client_cert.pem", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/client_cert.pem", base64_decode($svr_cert['crt'])); - $conf['ssl_client_cert'] = RADDB . "/certs/client_cert.pem"; + $conf['ssl_client_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/client_cert.pem"; } - exec("openssl pkcs12 -export -in /usr/local/etc/raddb/certs/client_cert.pem -inkey /usr/local/etc/raddb/certs/client_key.pem -out /usr/local/etc/raddb/certs/client_cert.p12 -passout pass\:"); + exec("openssl pkcs12 -export -in " . FREERADIUS_BASE . "/etc/raddb/certs/client_cert.pem -inkey " . FREERADIUS_BASE . "/etc/raddb/certs/client_key.pem -out " . FREERADIUS_BASE . "/etc/raddb/certs/client_cert.p12 -passout pass\:"); } - $conf['ssl_cert_dir'] = RADDB . '/certs'; + $conf['ssl_cert_dir'] = FREERADIUS_BASE . '/etc/raddb/certs'; } $vareapconfprivatekeyfile = 'server_key.pem'; 
@@ -979,11 +976,11 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { // generate new DH and RANDOM file // We create a single empty file just to check if there is really a change from one to another cert manager to avoid building ne DH and random files - if (!file_exists("/usr/local/etc/raddb/certs/pfsense_cert_mgr")) { - log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in /usr/local/etc/raddb/certs"); - exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024"); - exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); - exec("touch /usr/local/etc/raddb/certs/pfsense_cert_mgr"); + if (!file_exists(FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr")) { + log_error("freeRADIUS: Switched to pfSense Cert-Manager. Creating new DH and random file in " . FREERADIUS_BASE . "/etc/raddb/certs"); + exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && openssl dhparam -out dh 1024"); + exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); + exec("touch " . FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr"); } } @@ -1078,7 +1075,7 @@ else { } EOD; - $filename = RADDB . '/eap.conf'; + $filename = FREERADIUS_BASE . '/etc/raddb/eap.conf'; file_put_contents($filename, $conf); chmod($filename, 0640); conf_mount_ro(); @@ -1232,7 +1229,7 @@ sql sql2 { } EOD; - $filename = RADDB . '/sql.conf'; + $filename = FREERADIUS_BASE . '/etc/raddb/sql.conf'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2080,7 +2077,7 @@ post-proxy { } EOD; - $filename = RADDB . '/sites-available/default'; + $filename = FREERADIUS_BASE . '/etc/raddb/sites-available/default'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); 
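Review bot: The rewritten `openssl dhparam -out dh 1024` line still generates 1024-bit DH parameters, which are below current guidance and commonly rejected by recent TLS clients; since the line is being touched, change it to `exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && openssl dhparam -out dh 2048");` (the `@@ -2433` hunk runs the same command). The new `log_error` text could state the size so an operator can tell from the log what was produced. A comment on the guard would also help: `// dh and random are only regenerated when the pfsense_cert_mgr marker file is absent`. The enclosing cert-manager `if` starts before this hunk.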
@@ -2175,7 +2172,7 @@ authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true EOD; - $filename = RADDB . '/certs/ca.cnf'; + $filename = FREERADIUS_BASE . '/etc/raddb/certs/ca.cnf'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2260,7 +2257,7 @@ emailAddress = $varcertsserveremailaddress commonName = "$varcertsservercommonname" EOD; - $filename = RADDB . '/certs/server.cnf'; + $filename = FREERADIUS_BASE . '/etc/raddb/certs/server.cnf'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2345,7 +2342,7 @@ emailAddress = $varcertsclientemailaddress commonName = "$varcertsclientcommonname" EOD; - $filename = RADDB . '/certs/client.cnf'; + $filename = FREERADIUS_BASE . '/etc/raddb/certs/client.cnf'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2378,12 +2375,12 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') { if ($arrcerts['varcertscreateclient'] == 'yes') { // delete all old certificates and keys - log_error("freeRADIUS: deleting all client.csr .crt .key .pem .tar in /usr/local/etc/raddb/certs"); - exec("rm -f /usr/local/etc/raddb/certs/client.csr"); - exec("rm -f /usr/local/etc/raddb/certs/client.crt"); - exec("rm -f /usr/local/etc/raddb/certs/client.key"); - exec("rm -f /usr/local/etc/raddb/certs/client.pem"); - exec("rm -f /usr/local/etc/raddb/certs/client.tar"); + log_error("freeRADIUS: deleting all client.csr .crt .key .pem .tar in " . FREERADIUS_BASE . "/etc/raddb/certs"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.csr"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.crt"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.key"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.pem"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar"); // run fuction to create ONLY new client.cnf files based on user input from freeradiuscert.xml 
@@ -2391,21 +2388,21 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') { // make bootstrap executable and run to create cert based on client.cnf files - exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap"); - exec("/usr/local/etc/raddb/certs/bootstrap"); + exec("chmod 0770 " . FREERADIUS_BASE . "/etc/raddb/certs/bootstrap"); + exec(FREERADIUS_BASE . "/etc/raddb/certs/bootstrap"); // rename client generated XX.pem to client.pem // use regex to replace spaces and so on. - $varserial = preg_replace("/\s/","",file_get_contents('/usr/local/etc/raddb/certs/serial.old')); - if (file_exists("/usr/local/etc/raddb/certs/$varserial.pem")) - rename("/usr/local/etc/raddb/certs/$varserial.pem","/usr/local/etc/raddb/certs/client.pem"); + $varserial = preg_replace("/\s/","",file_get_contents(FREERADIUS_BASE . '/etc/raddb/certs/serial.old')); + if (file_exists(FREERADIUS_BASE . "/etc/raddb/certs/$varserial.pem")) + rename(FREERADIUS_BASE . "/etc/raddb/certs/$varserial.pem",FREERADIUS_BASE . "/etc/raddb/certs/client.pem"); // tar client-cert files - exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem"); + exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem"); // Make all files in certs folder read/write only for root - exec("chmod -R 0600 /usr/local/etc/raddb/certs/"); - log_error("freeRADIUS: Created new client.csr .crt .key .pem and added them together with ca.der in /usr/local/etc/raddb/certs/client.tar"); + exec("chmod -R 0600 " . FREERADIUS_BASE . "/etc/raddb/certs/"); + log_error("freeRADIUS: Created new client.csr .crt .key .pem and added them together with ca.der in " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar"); } } else { 
@@ -2413,18 +2410,18 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') { if ($arrcerts['varcertsdeleteall'] == 'yes') { // delete all old certificates and keys - deletes certs from pfsense cert-manager IN THIS FOLDER, too. - log_error("freeRADIUS: deleting all CA, Server and Client certs, DH, random and database files in /usr/local/etc/raddb/certs"); - exec("rm -f /usr/local/etc/raddb/certs/ca.pem && rm -f /usr/local/etc/raddb/certs/server.pem && rm -f /usr/local/etc/raddb/certs/client.pem"); - exec("rm -f /usr/local/etc/raddb/certs/ca.der && rm -f /usr/local/etc/raddb/certs/server.der && rm -f /usr/local/etc/raddb/certs/client.der"); - exec("rm -f /usr/local/etc/raddb/certs/ca.csr && rm -f /usr/local/etc/raddb/certs/server.csr && rm -f /usr/local/etc/raddb/certs/client.csr"); - exec("rm -f /usr/local/etc/raddb/certs/ca.crt && rm -f /usr/local/etc/raddb/certs/server.crt && rm -f /usr/local/etc/raddb/certs/client.crt"); - exec("rm -f /usr/local/etc/raddb/certs/ca.key && rm -f /usr/local/etc/raddb/certs/server.key && rm -f /usr/local/etc/raddb/certs/client.key"); - exec("rm -f /usr/local/etc/raddb/certs/ca.p12 && rm -f /usr/local/etc/raddb/certs/server.p12 && rm -f /usr/local/etc/raddb/certs/client.p12"); - exec("rm -f /usr/local/etc/raddb/certs/serial*"); - exec("rm -f /usr/local/etc/raddb/certs/index*"); - exec("rm -f /usr/local/etc/raddb/certs/dh"); - exec("rm -f /usr/local/etc/raddb/certs/random"); - exec("rm -f /usr/local/etc/raddb/certs/client.tar"); + log_error("freeRADIUS: deleting all CA, Server and Client certs, DH, random and database files in " . FREERADIUS_BASE . "/etc/raddb/certs"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.pem && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.pem && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.pem"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.der && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.der && rm -f " . FREERADIUS_BASE . 
"/etc/raddb/certs/client.der"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.csr && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.csr && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.csr"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.crt && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.crt && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.crt"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.key && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.key && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.key"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/ca.p12 && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/server.p12 && rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.p12"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/serial*"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/index*"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/dh"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/random"); + exec("rm -f " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar"); // run fuctions to create new .cnf files based on user input from freeradiuscert.xml 
@@ -2433,28 +2430,28 @@ if ($eapconf['vareapconfchoosecertmanager'] == '') { freeradius_clientcertcnf_resync(); // this command deletes the pfsense_cert_mgr checkfile so when we change back to pfsense cert manager a new DH + random file will be created - if (file_exists("/usr/local/etc/raddb/certs/pfsense_cert_mgr")) { - unlink("/usr/local/etc/raddb/certs/pfsense_cert_mgr"); + if (file_exists(FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr")) { + unlink(FREERADIUS_BASE . "/etc/raddb/certs/pfsense_cert_mgr"); } // generate new DH and RANDOM file - log_error("freeRADIUS: Creating new DH and random file in /usr/local/etc/raddb/certs"); - exec("cd /usr/local/etc/raddb/certs && openssl dhparam -out dh 1024"); - exec("cd /usr/local/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); + log_error("freeRADIUS: Creating new DH and random file in " . FREERADIUS_BASE . "/etc/raddb/certs"); + exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && openssl dhparam -out dh 1024"); + exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && dd if=/dev/urandom of=./random count=10"); - log_error("freeRADIUS: Creating new CA, Server and Client certs in /usr/local/etc/raddb/certs"); + log_error("freeRADIUS: Creating new CA, Server and Client certs in " . FREERADIUS_BASE . "/etc/raddb/certs"); // make bootstrap executable and run to create certs based on .cnf files - exec("chmod 0770 /usr/local/etc/raddb/certs/bootstrap"); - exec("/usr/local/etc/raddb/certs/bootstrap"); + exec("chmod 0770 " . FREERADIUS_BASE . "/etc/raddb/certs/bootstrap"); + exec(FREERADIUS_BASE . "/etc/raddb/certs/bootstrap"); // rename client generated 02.pem to client.pem - if (file_exists("/usr/local/etc/raddb/certs/02.pem")) - rename("/usr/local/etc/raddb/certs/02.pem","/usr/local/etc/raddb/certs/client.pem"); + if (file_exists(FREERADIUS_BASE . "/etc/raddb/certs/02.pem")) + rename(FREERADIUS_BASE . "/etc/raddb/certs/02.pem",FREERADIUS_BASE . 
"/etc/raddb/certs/client.pem"); // tar client-cert files - exec("cd /usr/local/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem"); - exec("chmod -R 0600 /usr/local/etc/raddb/certs/"); - log_error("freeRADIUS: Added client.csr .crt .key .pem together with ca.der in /usr/local/etc/raddb/certs/client.tar"); + exec("cd " . FREERADIUS_BASE . "/etc/raddb/certs && tar -cf client.tar client.crt client.csr client.key ca.der client.pem"); + exec("chmod -R 0600 " . FREERADIUS_BASE . "/etc/raddb/certs/"); + log_error("freeRADIUS: Added client.csr .crt .key .pem together with ca.der in " . FREERADIUS_BASE . "/etc/raddb/certs/client.tar"); // If there were changes on the certificates we need to restart freeradius restart_service('radiusd'); 
@@ -2473,24 +2470,36 @@ conf_mount_ro(); /* Uses XMLRPC to synchronize the changes to a remote node */ function freeradius_sync_on_changes() { global $config, $g; - $varsyncenablexmlrpc = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc']; - + $varsyncenablexmlrpc = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc']; + $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout']; + // if checkbox is NOT checked do nothing if(!$varsyncenablexmlrpc) { return; } - - log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync)."); + + log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout {$varsynctimeout} seconds."); // if checkbox is checked get IP and password of the destination hosts foreach ($config['installedpackages']['freeradiussync']['config'] as $rs ){ foreach($rs['row'] as $sh){ - $varsyncprotocol = $sh['varsyncprotocol']; - $sync_to_ip = $sh['varsyncipaddress']; - $password = $sh['varsyncpassword']; - $varsyncport = $sh['varsyncport']; - if($password && $sync_to_ip && $varsyncport && $varsyncprotocol) - freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol); + // if checkbox is NOT checked do nothing + if($sh['varsyncdestinenable']) { + $varsyncprotocol = $sh['varsyncprotocol']; + $sync_to_ip = $sh['varsyncipaddress']; + $password = $sh['varsyncpassword']; + $varsyncport = $sh['varsyncport']; + // check if all credentials are complete for this host + if($password && $sync_to_ip && $varsyncport && $varsyncprotocol) { + freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol); + } + else { + log_error("FreeRADIUS: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. 
No XMLRPC Sync done!"); + } + } + else { + log_error("FreeRADIUS: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled"); + } } } log_error("FreeRADIUS: Finished XMLRPC process (freeradius_do_xmlrpc_sync)."); @@ -2500,6 +2509,14 @@ function freeradius_sync_on_changes() { function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol) { global $config, $g; + $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout']; + + if($varsynctimeout == '' || $varsynctimeout == 0) { + $varsynctimeout = 150; + } + + // log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout {$varsynctimeout} seconds."); + if(!$password) return; @@ -2539,15 +2556,15 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn $cli->setCredentials('admin', $password); if($g['debug']) $cli->setDebug(1); - /* send our XMLRPC message and timeout after 150 seconds */ - $resp = $cli->send($msg, "150"); + /* send our XMLRPC message and timeout after $varsynctimeout seconds */ + $resp = $cli->send($msg, $varsynctimeout); if(!$resp) { $error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port}."; log_error("FreeRADIUS: $error"); file_notice("sync_settings", $error, "freeradius Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "150"); + $resp = $cli->send($msg, $varsynctimeout); $error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error("FreeRADIUS: $error"); file_notice("sync_settings", $error, "freeradius Settings Sync", ""); 
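Review bot: In `freeradius_sync_on_changes` the new `$varsynctimeout` is read only for the log line and is not passed on, while `freeradius_do_xmlrpc_sync` (the `@@ -2500` hunk) re-reads it and substitutes 150 when it is empty or 0, so the "with timeout … seconds" message can print an empty value or 0 while 150 is actually used. Apply the same defaulting before logging, and in both places derive it with a cast — `$varsynctimeout = (int)$varsynctimeout; if ($varsynctimeout <= 0) { $varsynctimeout = 150; }` — so a negative or non-numeric GUI value cannot reach `$cli->send()`. The commented-out `// log_error(...)` line added in the `@@ -2500` hunk is dead code and should be dropped. Both functions continue outside their hunks.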
@@ -2571,14 +2588,14 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials('admin', $password); - $resp = $cli->send($msg, "150"); + $resp = $cli->send($msg, $varsynctimeout); if(!$resp) { $error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port} (exec_php)."; log_error($error); file_notice("sync_settings", $error, "freeradius Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "150"); + $resp = $cli->send($msg, $varsynctimeout); $error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "freeradius Settings Sync", ""); @@ -2600,7 +2617,7 @@ function freeradius_all_after_XMLRPC_resync() { log_error("FreeRADIUS: Finished XMLRPC process. It should be OK. For more information look at the host which started sync."); - exec("/usr/local/etc/rc.d/radiusd onerestart"); + exec(FREERADIUS_BASE . "/etc/rc.d/radiusd onerestart"); } function freeradius_modulescounter_resync() { @@ -2723,7 +2740,7 @@ counter forever { } EOD; - $filename = RADDB . '/modules/counter'; + $filename = FREERADIUS_BASE . '/etc/raddb/modules/counter'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2817,7 +2834,7 @@ nt-response=%{%{mschap:NT-Response}:-00}" } EOD; - $filename = RADDB . '/modules/mschap'; + $filename = FREERADIUS_BASE . '/etc/raddb/modules/mschap'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -2862,7 +2879,7 @@ realm ntdomain { } EOD; - $filename = RADDB . '/modules/realm'; + $filename = FREERADIUS_BASE . '/etc/raddb/modules/realm'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); 
@@ -2913,37 +2930,37 @@ if($arrmodulesldap['varmodulesldapenabletlssupport'] == 'on') { $ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert1"]); if ($ca_cert != false) { if(base64_decode($ca_cert['prv'])) { - file_put_contents(RADDB . "/certs/ca_ldap1_key.pem", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap1_key.pem", base64_decode($ca_cert['prv'])); - $conf['ssl_ca_key'] = RADDB . '/certs/ca_ldap1_key.pem'; + $conf['ssl_ca_key'] = FREERADIUS_BASE . '/etc/raddb/certs/ca_ldap1_key.pem'; } if(base64_decode($ca_cert['crt'])) { - file_put_contents(RADDB . "/certs/ca_ldap1_cert.pem", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap1_cert.pem", base64_decode($ca_cert['crt'])); - $conf['ssl_ca_cert1'] = RADDB . "/certs/ca_ldap1_cert.pem"; + $conf['ssl_ca_cert1'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap1_cert.pem"; } $svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert1"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { - file_put_contents(RADDB . "/certs/radius_ldap1_cert.key", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap1_cert.key", base64_decode($svr_cert['prv'])); - $conf['ssl_key'] = RADDB . '/certs/radius_ldap1_cert.key'; + $conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/radius_ldap1_cert.key'; } } if(base64_decode($svr_cert['crt'])) { - file_put_contents(RADDB . "/certs/radius_ldap1_cert.crt", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap1_cert.crt", base64_decode($svr_cert['crt'])); - $conf['ssl_server_cert1'] = RADDB . "/certs/radius_ldap1_cert.crt"; + $conf['ssl_server_cert1'] = FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap1_cert.crt"; } - $conf['ssl_cert_dir'] = RADDB . '/certs'; + $conf['ssl_cert_dir'] = FREERADIUS_BASE . '/etc/raddb/certs'; } $varmodulesldapstarttls = "yes"; } 
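Review bot: The private-key files written here, `ca_ldap1_key.pem` and `radius_ldap1_cert.key`, are created by `file_put_contents()` with whatever the process umask allows and are never chmod'ed, unlike the module files elsewhere in this diff that get `chmod($filename, 0640)`; a `chmod(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap1_cert.key", 0640);` after each key write keeps the key material from being world-readable. It is also worth confirming that the CA private key (`$ca_cert['prv']`) is needed at all by the ldap module for a client-side TLS connection; if only the CA certificate is used for verification, the private key should not be copied onto disk here. Separately, the `if(base64_decode($svr_cert['crt']))` test sits outside the `if ($svr_cert != false)` block, so with no server certificate it indexes `false`; move it inside the block unless that placement is intentional. The same points apply to the ldap2 hunk that follows (`ca_ldap2_key.pem`, `radius_ldap2_cert.key`). The enclosing function starts and ends outside the hunk.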
@@ -2960,37 +2977,37 @@ if($arrmodulesldap['varmodulesldap2enabletlssupport'] == 'on') { $ca_cert = lookup_ca($arrmodulesldap["ssl_ca_cert2"]); if ($ca_cert != false) { if(base64_decode($ca_cert['prv'])) { - file_put_contents(RADDB . "/certs/ca_ldap2_key.pem", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap2_key.pem", base64_decode($ca_cert['prv'])); - $conf['ssl_ca_key'] = RADDB . '/certs/ca_ldap2_key.pem'; + $conf['ssl_ca_key'] = FREERADIUS_BASE . '/etc/raddb/certs/ca_ldap2_key.pem'; } if(base64_decode($ca_cert['crt'])) { - file_put_contents(RADDB . "/certs/ca_ldap2_cert.pem", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap2_cert.pem", base64_decode($ca_cert['crt'])); - $conf['ssl_ca_cert2'] = RADDB . "/certs/ca_ldap2_cert.pem"; + $conf['ssl_ca_cert2'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_ldap2_cert.pem"; } $svr_cert = lookup_cert($arrmodulesldap["ssl_server_cert2"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { - file_put_contents(RADDB . "/certs/radius_ldap2_cert.key", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap2_cert.key", base64_decode($svr_cert['prv'])); - $conf['ssl_key'] = RADDB . '/certs/radius_ldap2_cert.key'; + $conf['ssl_key'] = FREERADIUS_BASE . '/etc/raddb/certs/radius_ldap2_cert.key'; } } if(base64_decode($svr_cert['crt'])) { - file_put_contents(RADDB . "/certs/radius_ldap2_cert.crt", + file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap2_cert.crt", base64_decode($svr_cert['crt'])); - $conf['ssl_server_cert2'] = RADDB . "/certs/radius_ldap2_cert.crt"; + $conf['ssl_server_cert2'] = FREERADIUS_BASE . "/etc/raddb/certs/radius_ldap2_cert.crt"; } - $conf['ssl_cert_dir'] = RADDB . '/certs'; + $conf['ssl_cert_dir'] = FREERADIUS_BASE . '/etc/raddb/certs'; } $varmodulesldap2starttls = "yes"; } 
@@ -3113,7 +3130,7 @@ else { $varmodulesldap2keepaliveidle = ($arrmodulesldap['varmodulesldap2keepaliveidle']?$arrmodulesldap['varmodulesldap2keepaliveidle']:'60'); $varmodulesldap2keepaliveprobes = ($arrmodulesldap['varmodulesldap2keepaliveprobes']?$arrmodulesldap['varmodulesldap2keepaliveprobes']:'3'); $varmodulesldap2keepaliveinterval = ($arrmodulesldap['varmodulesldap2keepaliveinterval']?$arrmodulesldap['varmodulesldap2keepaliveinterval']:'3'); - +$raddb = FREERADIUS_BASE . '/etc/raddb'; $conf .= <<<EOD # -*- text -*- # @@ -3193,11 +3210,11 @@ ldap { # using ldaps (port 689) connections start_tls = $varmodulesldapstarttls - cacertfile = /usr/local/etc/raddb/certs/ca_ldap1_cert.pem - cacertdir = /usr/local/etc/raddb/certs/ - certfile = /usr/local/etc/raddb/certs/radius_ldap1_cert.crt - keyfile = /usr/local/etc/raddb/certs/radius_ldap1_cert.key - randfile = /usr/local/etc/raddb/certs/random + cacertfile = {$raddb}/certs/ca_ldap1_cert.pem + cacertdir = {$raddb}/certs/ + certfile = {$raddb}/certs/radius_ldap1_cert.crt + keyfile = {$raddb}/certs/radius_ldap1_cert.key + randfile = {$raddb}/certs/random # Certificate Verification requirements. Can be: # "never" (don't even bother trying) @@ -3352,11 +3369,11 @@ ldap ldap2{ # using ldaps (port 689) connections start_tls = $varmodulesldap2starttls - cacertfile = /usr/local/etc/raddb/certs/ca_ldap2_cert.pem - cacertdir = /usr/local/etc/raddb/certs/ - certfile = /usr/local/etc/raddb/certs/radius_ldap2_cert.crt - keyfile = /usr/local/etc/raddb/certs/radius_ldap2_cert.key - randfile = /usr/local/etc/raddb/certs/random + cacertfile = {$raddb}/certs/ca_ldap2_cert.pem + cacertdir = {$raddb}/certs/ + certfile = {$raddb}/certs/radius_ldap2_cert.crt + keyfile = {$raddb}/certs/radius_ldap2_cert.key + randfile = {$raddb}/certs/random # Certificate Verification requirements. Can be: # "never" (don't even bother trying) 
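Review bot: The new `$raddb = FREERADIUS_BASE . '/etc/raddb';` is written at column 0 in the middle of the function body, which reads as a top-level statement; indent it with the surrounding `$varmodulesldap2keepalive*` assignments. The heredoc now interpolates `{$raddb}/certs/...` for cacertfile, certfile and keyfile while the earlier TLS blocks assign the same paths to `$conf['ssl_ca_cert1']`, `$conf['ssl_key']` and so on; whether those array entries are consumed anywhere is not visible here, so it is worth confirming they are not dead duplicates of what the heredoc emits. I also do not see `{$raddb}/certs/random` being created anywhere in this diff — presumably it exists from the install step, but if not the `randfile` lines in both ldap sections point at a missing file. The enclosing function starts and ends outside the hunk.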
@@ -3462,7 +3479,7 @@ ldap ldap2{
 }
 EOD;
 
- $filename = RADDB . '/modules/ldap';
+ $filename = FREERADIUS_BASE . '/etc/raddb/modules/ldap';
 conf_mount_rw();
 file_put_contents($filename, $conf);
 chmod($filename, 0640);
@@ -3483,29 +3500,29 @@ function freeradius_plainmacauth_resync() { $varsettings = $config['installedpackages']['freeradiussettings']['config'][0]; // defining variables with filename path - $filepolicyconf = '/usr/local/etc/raddb/policy.conf'; - $filepolicyconfbackup = '/usr/local/etc/raddb/policy.conf.backup'; - $filemodulesfiles = '/usr/local/etc/raddb/modules/files'; - $filemodulesfilesbackup = '/usr/local/etc/raddb/files.backup'; + $filepolicyconf = FREERADIUS_BASE . '/etc/raddb/policy.conf'; + $filepolicyconfbackup = FREERADIUS_BASE . '/etc/raddb/policy.conf.backup'; + $filemodulesfiles = FREERADIUS_BASE . '/etc/raddb/modules/files'; + $filemodulesfilesbackup = FREERADIUS_BASE . '/etc/raddb/files.backup'; // If unchecked then plain mac auth is disabled and backups of the original files will be restored if ($varsettings['varsettingsenablemacauth'] == '') { // This is a check - only restore files if they aren't already - if (file_exists("/usr/local/etc/raddb/plain_macauth_enabled")) { + if (file_exists(FREERADIUS_BASE . "/etc/raddb/plain_macauth_enabled")) { log_error("FreeRADIUS: Plain-MAC-Auth disabled. Restoring the original file from {$filepolicyconfbackup} and {$filemodulesfilesbackup}"); copy($filepolicyconfbackup, $filepolicyconf); copy($filemodulesfilesbackup, $filemodulesfiles); - unlink("/usr/local/etc/raddb/plain_macauth_enabled"); + unlink(FREERADIUS_BASE . "/etc/raddb/plain_macauth_enabled"); freeradius_serverdefault_resync(); } } // If checked then plain mac auth is enabled else { // This is a check - only modify files if they aren't already - if (!file_exists("/usr/local/etc/raddb/plain_macauth_enabled")) { + if (!file_exists(FREERADIUS_BASE . "/etc/raddb/plain_macauth_enabled")) { freeradius_modulesfiles_resync(); freeradius_policyconf_resync(); - exec("cd /usr/local/etc/raddb/ && touch /usr/local/etc/raddb/plain_macauth_enabled"); + exec("cd " . FREERADIUS_BASE . "/etc/raddb && touch " . FREERADIUS_BASE . 
"/etc/raddb/plain_macauth_enabled"); log_error("FreeRADIUS: Plain-MAC-Auth enabled. Modified {$filepolicyconf} and {$filemodulesfiles}"); freeradius_serverdefault_resync(); } @@ -3567,7 +3584,7 @@ files authorized_macs { } EOD; - $filename = RADDB . '/modules/files'; + $filename = FREERADIUS_BASE . '/etc/raddb/modules/files'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -3793,7 +3810,7 @@ policy { } EOD; - $filename = RADDB . '/policy.conf'; + $filename = FREERADIUS_BASE . '/etc/raddb/policy.conf'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); 
@@ -3816,21 +3833,33 @@ function freeradius_motp_resync() { // check if disabled then we delete bash und otpverify.sh script if ($varsettings['varsettingsmotpenable'] == '') { - if (file_exists("/usr/local/etc/raddb/scripts/otpverify.sh")) { - unlink("/usr/local/etc/raddb/scripts/otpverify.sh"); + if (file_exists(FREERADIUS_BASE . "/etc/raddb/scripts/otpverify.sh")) { + unlink(FREERADIUS_BASE . "/etc/raddb/scripts/otpverify.sh"); } if (exec("cd /var/db/pkg && ls | grep bash") == "bash-4.1.7") { exec("cd /var/db/pkg && pkg_delete `ls | grep bash`"); log_error('FreeRADIUS: Uninstalling package "bash-4.1.7" which comes with Mobile-One-Time-Password (motp).'); } + if (exec("cd /var/db/pkg && ls | grep bash") == "bash-4.2.20") { + exec("cd /var/db/pkg && pkg_delete `ls | grep bash`"); + log_error('FreeRADIUS: Uninstalling package "bash-4.2.20" which comes with Mobile-One-Time-Password (motp).'); + } } // check if enabled then we need to download "bash" else { - if (exec("cd /var/db/pkg && ls | grep bash") != "bash-4.1.7") { - log_error('FreeRADIUS: Downloading and installing package "bash-4.1.7" to use Mobile-One-Time-Password (motp).'); - exec("pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname -m`/packages-8.1-release/All/bash-4.1.7.tbz"); + if (substr(trim(file_get_contents("/etc/version")),0,3) == "2.0") { + if (exec("cd /var/db/pkg && ls | grep bash") != "bash-4.1.7") { + log_error('FreeRADIUS: Downloading and installing package "bash-4.1.7" to use Mobile-One-Time-Password (motp).'); + exec("pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/`uname -m`/packages-8.1-release/All/bash-4.1.7.tbz"); + } + } else { + if (exec("cd /var/db/pkg && ls | grep bash") != "bash-4.2.20") { + log_error('FreeRADIUS: Downloading and installing package "bash-4.2.20" to use Mobile-One-Time-Password (motp).'); + exec("pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD/ports/`uname -m`/packages-8.3-release/All/bash-4.2.20.tbz"); + } } + $conf 
.= <<<EOD #!/bin/bash @@ -3950,7 +3979,7 @@ exit 11 EOD; - $filename = RADDB . '/scripts/otpverify.sh'; + $filename = FREERADIUS_BASE . '/etc/raddb/scripts/otpverify.sh'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0750); @@ -3965,14 +3994,17 @@ function freeradius_modulesmotp_resync() { global $config; $conf = ''; + // put the constant to a variable + $varFREERADIUS_BASE = FREERADIUS_BASE; + $conf .= <<<EOD exec motp { wait = yes - program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" + program = "/usr/local/bin/bash $varFREERADIUS_BASE/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" } EOD; - $filename = RADDB . '/modules/motp'; + $filename = FREERADIUS_BASE . '/etc/raddb/modules/motp'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); 
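Review bot: Both branches of the new else block fetch bash with `pkg_add -r http://...` from an unauthenticated HTTP mirror and install it as root, and `pkg_add -r` performs no integrity verification of its own, so there is no checksum or signature check anywhere on this path; declaring bash as a dependency of the package itself, so the normal package channel delivers and verifies it, would remove the runtime download, and failing that a known SHA-256 of the fetched .tbz should be verified before `pkg_add`. The mirror and version are chosen by a second inline `substr(trim(file_get_contents("/etc/version")),0,3) == "2.0"` test rather than the one FREERADIUS_BASE was derived from; computing the version once at file load and reusing it here keeps the two from disagreeing. The `exec("cd /var/db/pkg && ls | grep bash")` probe matches any package name containing "bash" and `exec()` returns only the last output line, so with more than one match the comparison against the pinned version is unreliable; `ls | grep '^bash-'` narrows it. freeradius_motp_resync continues outside the hunk.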
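Review bot: The `program =` line passes `%{request:User-Password}`, `%{reply:MOTP-Init-Secret}` and `%{reply:MOTP-PIN}` to otpverify.sh as command-line arguments, so the user's password and OTP secret are visible to any local process listing for the lifetime of the script. rlm_exec's `input_pairs` option hands a pair list to the script as environment variables instead of argv; if the script is adapted to read those variables rather than `$1`..`$5`, the secrets stay out of `ps`. Please add a comment on the `program =` line recording whichever choice is made, since the exposure is not obvious from the config. The `$varFREERADIUS_BASE = FREERADIUS_BASE;` alias exists only so the heredoc can interpolate it; a `$raddb = FREERADIUS_BASE . '/etc/raddb';` as used in the ldap hunk would be consistent across this hunk and the datacounter_acct hunk that follows. freeradius_modulesmotp_resync continues outside the hunk.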
@@ -3984,26 +4016,29 @@ function freeradius_modulesdatacounter_resync() { global $config; $conf = ''; + // put the constant to a variable + $varFREERADIUS_BASE = FREERADIUS_BASE; + $conf .= <<<EOD exec datacounterdaily { wait = yes - program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" + program = "/bin/sh $varFREERADIUS_BASE/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" } exec datacounterweekly { wait = yes - program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" + program = "/bin/sh $varFREERADIUS_BASE/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" } exec datacountermonthly { wait = yes - program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" + program = "/bin/sh $varFREERADIUS_BASE/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" } exec datacounterforever { wait = yes - program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" + program = "/bin/sh $varFREERADIUS_BASE/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" } EOD; - $filename = RADDB . '/modules/datacounter_acct'; + $filename = FREERADIUS_BASE . '/etc/raddb/modules/datacounter_acct'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); 
@@ -4034,15 +4069,15 @@ USEDOCTETSUSERNAMEMB=$((`cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octe ### We check if MAX-OCTETS-USERNAME is greater than USED-OCTETS-USERNAME and accept or reject the user if [ `cat "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME"` -gt `cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"` ]; then - logger -f /var/log/system.log "FreeRADIUS: Used amount of \$TIMERANGE traffic by \$USERNAME is \$USEDOCTETSUSERNAMEMB of \$MAXOCTETSUSERNAMEMB MB! The user was accepted!!!" + logger -f /var/log/system.log "FreeRADIUS: Used amount of \$TIMERANGE traffic by \$USERNAME is \$USEDOCTETSUSERNAMEMB MB of \$MAXOCTETSUSERNAMEMB MB! The user was accepted!!!" exit 0 else - logger -f /var/log/system.log "FreeRADIUS: Credentials are probably correct but the user \$USERNAME has reached the \$TIMERANGE Amount of Upload and Download Traffic which is \$USEDOCTETSUSERNAMEMB of \$MAXOCTETSUSERNAMEMB MB! The user was rejected!!!" + logger -f /var/log/system.log "FreeRADIUS: Credentials are probably correct but the user \$USERNAME has reached the \$TIMERANGE Amount of Upload and Download Traffic which is \$USEDOCTETSUSERNAMEMB MB of \$MAXOCTETSUSERNAMEMB MB! The user was rejected!!!" exit 99 fi EOD; - $filename = RADDB . '/scripts/datacounter_auth.sh'; + $filename = FREERADIUS_BASE . '/etc/raddb/scripts/datacounter_auth.sh'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0750); @@ -4090,7 +4125,7 @@ fi EOD; - $filename = RADDB . '/scripts/datacounter_acct.sh'; + $filename = FREERADIUS_BASE . '/etc/raddb/scripts/datacounter_acct.sh'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0750); @@ -4158,7 +4193,7 @@ ATTRIBUTE MOTP-Offset 902 string EOD; - $filename = RADDB . '/dictionary'; + $filename = FREERADIUS_BASE . '/etc/raddb/dictionary'; conf_mount_rw(); file_put_contents($filename, $conf); chmod($filename, 0640); @@ -4166,4 +4201,4 @@ EOD; } -?>
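Review bot: The generated script still builds file paths from the RADIUS User-Name, `cat "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME"`, without checking its characters, so a name containing `/` or `..` makes the counter lookup resolve outside the datacounter directory (and the accounting script, which writes those files, has the same exposure), while any unexpected name simply makes `cat` fail and the `-gt` test error out with no log entry. Validating once at the top of the script, e.g. `case "\$USERNAME" in *[!A-Za-z0-9._@-]*|"") exit 99;; esac`, confines lookups to the intended directory and rejects cleanly; the same check belongs in datacounter_acct.sh. The script body begins outside the hunk, so the place to put the check is not visible here.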
\ No newline at end of file +?> |