diff options
Diffstat (limited to 'config/freeradius2')
-rwxr-xr-x | config/freeradius2/freeradius.inc | 312 | ||||
-rw-r--r--[-rwxr-xr-x] | config/freeradius2/freeradius.xml | 15 | ||||
-rw-r--r--[-rwxr-xr-x] | config/freeradius2/freeradius_view_config.php | 4 | ||||
-rw-r--r--[-rwxr-xr-x] | config/freeradius2/freeradiuscerts.xml | 6 | ||||
-rw-r--r--[-rwxr-xr-x] | config/freeradius2/freeradiusclients.xml | 8 | ||||
-rw-r--r--[-rwxr-xr-x] | config/freeradius2/freeradiuseapconf.xml | 6 | ||||
-rw-r--r--[-rwxr-xr-x] | config/freeradius2/freeradiusinterfaces.xml | 6 | ||||
-rw-r--r-- | config/freeradius2/freeradiusmodulesldap.xml | 345 | ||||
-rw-r--r--[-rwxr-xr-x] | config/freeradius2/freeradiussettings.xml | 18 | ||||
-rw-r--r--[-rwxr-xr-x] | config/freeradius2/freeradiussqlconf.xml | 6 | ||||
-rw-r--r--[-rwxr-xr-x] | config/freeradius2/freeradiussync.xml | 6 |
11 files changed, 709 insertions, 23 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 816eb984..36e91128 100755 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -249,7 +249,7 @@ checkrad = \${sbindir}/checkrad security { max_attributes = $varsettingsmaxattributes reject_delay = $varsettingsrejectdelay - status_server = yes + status_server = no } ### disbale proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server @@ -793,6 +793,26 @@ function freeradius_serverdefault_resync() { global $config; $conf = ''; + + // Get Variables from freeradiusmodulesldap.xml + $arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0]; + + // If unchecked then disable authorize + if (!$arrmodulesldap['varmodulesldapenableauthorize']) { + $varmodulesldapenableauthorize = '### ldap ###'; + } + else { + $varmodulesldapenableauthorize = 'ldap'; + } + + // If unchecked then disable authenticate + if (!$arrmodulesldap['varmodulesldapenableauthenticate']) { + $varmodulesldapenableauthenticate = "#Auth-Type LDAP {" . "\n\t\t\t#ldap" . "\n\t#}"; + } + else { + $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t}"; + } + // Get Variables from freeradiussqlconf.xml $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; $varsqlconfenableauthorize = ($sqlconf['varsqlconfenableauthorize']?$sqlconf['varsqlconfenableauthorize']:'Disable'); @@ -1022,7 +1042,7 @@ authorize { # # The ldap module will set Auth-Type to LDAP if it has not # already been set -# ldap + $varmodulesldapenableauthorize # # Enforce daily limits on time spent logged in. @@ -1141,9 +1161,7 @@ authenticate { # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. -# Auth-Type LDAP { -# ldap -# } + $varmodulesldapenableauthenticate # # Allow EAP authentication. @@ -2258,4 +2276,288 @@ EOD; } +function freeradius_modulesldap_resync() { + global $config; + $conf = ''; + + $arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0]; + + // Enable and Disable LDAP for "authorize" and "authenticate" will be done in "freeradius_serverdefault_resync" + + + // Variables for General Configuration + $varmodulesldapserver = ($arrmodulesldap['varmodulesldapserver']?$arrmodulesldap['varmodulesldapserver']:'ldap.your.domain'); + $varmodulesldapidentity = ($arrmodulesldap['varmodulesldapidentity']?$arrmodulesldap['varmodulesldapidentity']:'cn=admin,o=My Org,c=UA'); + $varmodulesldappassword = ($arrmodulesldap['varmodulesldappassword']?$arrmodulesldap['varmodulesldappassword']:'mypass'); + $varmodulesldapbasedn = ($arrmodulesldap['varmodulesldapbasedn']?$arrmodulesldap['varmodulesldapbasedn']:'o=My Org,c=UA'); + $varmodulesldapfilter = ($arrmodulesldap['varmodulesldapfilter']?$arrmodulesldap['varmodulesldapfilter']:'(uid=%{%{Stripped-User-Name}:-%{User-Name}})'); + $varmodulesldapbasefilter = ($arrmodulesldap['varmodulesldapbasefilter']?$arrmodulesldap['varmodulesldapbasefilter']:'(objectclass=radiusprofile)'); + $varmodulesldapldapconnectionsnumber = ($arrmodulesldap['varmodulesldapldapconnectionsnumber']?$arrmodulesldap['varmodulesldapldapconnectionsnumber']:'5'); + $varmodulesldaptimeout = ($arrmodulesldap['varmodulesldaptimeout']?$arrmodulesldap['varmodulesldaptimeout']:'4'); + $varmodulesldaptimelimit = ($arrmodulesldap['varmodulesldaptimelimit']?$arrmodulesldap['varmodulesldaptimelimit']:'3'); + $varmodulesldapnettimeout = ($arrmodulesldap['varmodulesldapnettimeout']?$arrmodulesldap['varmodulesldapnettimeout']:'1'); + + // Variables for TLS / Certificates - will be added later + + + // Miscellaneous Configuration + MS Active Directory Compatibility + $varmodulesldapmsadcompatibilityenable = ($arrmodulesldap['varmodulesldapmsadcompatibilityenable']?$arrmodulesldap['varmodulesldapmsadcompatibilityenable']:'Disable'); + if ($arrmodulesldap['varmodulesldapmsadcompatibilityenable'] == 'Disable') { + $varmodulesldapmsadcompatibility = '### MS Active Directory Compatibility is disabled ###'; + } + else { + $varmodulesldapmsadcompatibility = 'chase_referrals = yes' . "\n\trebind = yes"; + } + + // When disabled we put this in the file but commented (#) like in the default installation + if (!$arrmodulesldap['varmodulesldapdmiscenable']) { + $varmodulesldapdefaultprofile = '### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###'; + $varmodulesldapprofileattribute = '### profile_attribute = "radiusProfileDn" ###'; + $varmodulesldapaccessattr = '### access_attr = "dialupAccess" ###'; + } + // When enabled we put in the default values so there is no empty entry if there is not input from GUI + else { + $varmodulesldapdefaultprofile = ($arrmodulesldap['varmodulesldapdefaultprofile']?$arrmodulesldap['varmodulesldapdefaultprofile']:'cn=radprofile,ou=dialup,o=My Org,c=UA'); + $varmodulesldapdefaultprofile = "default_profile = " . '"' . "$varmodulesldapdefaultprofile" . '"'; + $varmodulesldapprofileattribute = ($arrmodulesldap['varmodulesldapprofileattribute']?$arrmodulesldap['varmodulesldapprofileattribute']:'radiusProfileDn'); + $varmodulesldapprofileattribute = "profile_attribute = " . '"' . "$varmodulesldapprofileattribute" . '"'; + $varmodulesldapaccessattr = ($arrmodulesldap['varmodulesldapaccessattr']?$arrmodulesldap['varmodulesldapaccessattr']:'dialupAccess'); + $varmodulesldapaccessattr = "access_attr = " . '"' . "$varmodulesldapaccessattr" . '"'; + } + + // Group membership checking + // When disabled we put this in the file but commented (#) like in the default installation + if (!$arrmodulesldap['varmodulesldapgroupenable']) { + $varmodulesldapgroupnameattribute = '### groupname_attribute = cn ###'; + $varmodulesldapgroupmembershipfilter = '### groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###'; + $varmodulesldapgroupmembershipattribute = '### groupmembership_attribute = radiusGroupName ###'; + $varmodulesldapcomparecheckitems = '### compare_check_items = yes ###'; + $varmodulesldapdoxlat = '### do_xlat = yes ###'; + $varmodulesldapaccessattrusedforallow = '### access_attr_used_for_allow = yes ###'; + } + + // When enabled we put in the default values so there is no empty entry if there is not input from GUI + else { + $varmodulesldapgroupnameattribute = ($arrmodulesldap['varmodulesldapgroupnameattribute']?$arrmodulesldap['varmodulesldapgroupnameattribute']:'cn'); + $varmodulesldapgroupnameattribute = "groupname_attribute = $varmodulesldapgroupnameattribute"; + $varmodulesldapgroupmembershipfilter = ($arrmodulesldap['varmodulesldapgroupmembershipfilter']?$arrmodulesldap['varmodulesldapgroupmembershipfilter']:'(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))'); + $varmodulesldapgroupmembershipfilter = "groupmembership_filter = " . '"' . "$varmodulesldapgroupmembershipfilter" . '"'; + $varmodulesldapgroupmembershipattribute = ($arrmodulesldap['varmodulesldapgroupmembershipattribute']?$arrmodulesldap['varmodulesldapgroupmembershipattribute']:'radiusGroupName'); + $varmodulesldapgroupmembershipattribute = "groupmembership_attribute = $varmodulesldapgroupmembershipattribute"; + + $varmodulesldapcomparecheckitems = ($arrmodulesldap['varmodulesldapcomparecheckitems']?$arrmodulesldap['varmodulesldapcomparecheckitems']:'yes'); + $varmodulesldapcomparecheckitems = "compare_check_items = $varmodulesldapcomparecheckitems"; + $varmodulesldapdoxlat = ($arrmodulesldap['varmodulesldapdoxlat']?$arrmodulesldap['varmodulesldapdoxlat']:'yes'); + $varmodulesldapdoxlat = "do_xlat = $varmodulesldapdoxlat"; + $varmodulesldapaccessattrusedforallow = ($arrmodulesldap['varmodulesldapaccessattrusedforallow']?$arrmodulesldap['varmodulesldapaccessattrusedforallow']:'yes'); + $varmodulesldapaccessattrusedforallow = "access_attr_used_for_allow = $varmodulesldapaccessattrusedforallow"; + } + + // Keepalive variables + $varmodulesldapkeepaliveidle = ($arrmodulesldap['varmodulesldapkeepaliveidle']?$arrmodulesldap['varmodulesldapkeepaliveidle']:'60'); + $varmodulesldapkeepaliveprobes = ($arrmodulesldap['varmodulesldapkeepaliveprobes']?$arrmodulesldap['varmodulesldapkeepaliveprobes']:'3'); + $varmodulesldapkeepaliveinterval = ($arrmodulesldap['varmodulesldapkeepaliveinterval']?$arrmodulesldap['varmodulesldapkeepaliveinterval']:'3'); + +$conf .= <<<EOD + +# -*- text -*- +# +# $Id$ + +# Lightweight Directory Access Protocol (LDAP) +# +# This module definition allows you to use LDAP for +# authorization and authentication. +# +# See raddb/sites-available/default for reference to the +# ldap module in the authorize and authenticate sections. +# +# However, LDAP can be used for authentication ONLY when the +# Access-Request packet contains a clear-text User-Password +# attribute. LDAP authentication will NOT work for any other +# authentication method. +# +# This means that LDAP servers don't understand EAP. If you +# force "Auth-Type = LDAP", and then send the server a +# request containing EAP authentication, then authentication +# WILL NOT WORK. +# +# The solution is to use the default configuration, which does +# work. +# +# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We +# really can't emphasize this enough. +# +ldap { + # + # Note that this needs to match the name in the LDAP + # server certificate, if you're using ldaps. + server = "$varmodulesldapserver" + identity = "$varmodulesldapidentity" + password = $varmodulesldappassword + basedn = "$varmodulesldapbasedn" + filter = "$varmodulesldapfilter" + base_filter = "$varmodulesldapbasefilter" + + # How many connections to keep open to the LDAP server. + # This saves time over opening a new LDAP socket for + # every authentication request. + ldap_connections_number = $varmodulesldapldapconnectionsnumber + + # seconds to wait for LDAP query to finish. default: 20 + timeout = $varmodulesldaptimeout + + # seconds LDAP server has to process the query (server-side + # time limit). default: 20 + # + # LDAP_OPT_TIMELIMIT is set to this value. + timelimit = $varmodulesldaptimelimit + + # + # seconds to wait for response of the server. (network + # failures) default: 10 + # + # LDAP_OPT_NETWORK_TIMEOUT is set to this value. + net_timeout = $varmodulesldapnettimeout + + # + # This subsection configures the tls related items + # that control how FreeRADIUS connects to an LDAP + # server. It contains all of the "tls_*" configuration + # entries used in older versions of FreeRADIUS. Those + # configuration entries can still be used, but we recommend + # using these. + # + tls { + # Set this to 'yes' to use TLS encrypted connections + # to the LDAP database by using the StartTLS extended + # operation. + # + # The StartTLS operation is supposed to be + # used with normal ldap connections instead of + # using ldaps (port 689) connections + start_tls = no + + # cacertfile = /path/to/cacert.pem + # cacertdir = /path/to/ca/dir/ + # certfile = /path/to/radius.crt + # keyfile = /path/to/radius.key + # randfile = /path/to/rnd + + # Certificate Verification requirements. Can be: + # "never" (don't even bother trying) + # "allow" (try, but don't fail if the cerificate + # can't be verified) + # "demand" (fail if the certificate doesn't verify.) + # + # The default is "allow" + # require_cert = "demand" + } + + $varmodulesldapdefaultprofile + $varmodulesldapprofileattribute + $varmodulesldapaccessattr + + # Mapping of RADIUS dictionary attributes to LDAP + # directory attributes. + dictionary_mapping = ${confdir}/ldap.attrmap + ################## THE BELOW IS NOT COMPILED WITH FREERADIUS ################################# + # Set password_attribute = nspmPassword to get the + # user's password from a Novell eDirectory + # backend. This will work ONLY IF FreeRADIUS has been + # built with the --with-edir configure option. + # + # See also the following links: + # + # http://www.novell.com/coolsolutions/appnote/16745.html + # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html + # + # Novell may require TLS encrypted sessions before returning + # the user's password. + # + # password_attribute = userPassword + + # Un-comment the following to disable Novell + # eDirectory account policy check and intruder + # detection. This will work *only if* FreeRADIUS is + # configured to build with --with-edir option. + # + edir_account_policy_check = no + ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS ################################# + # + # Group membership checking. Disabled by default. + # + $varmodulesldapgroupnameattribute + $varmodulesldapgroupmembershipfilter + $varmodulesldapgroupmembershipattribute + + $varmodulesldapcomparecheckitems + $varmodulesldapdoxlat + $varmodulesldapaccessattrusedforallow + + # + # The following two configuration items are for Active Directory + # compatibility. If you see the helpful "operations error" + # being returned to the LDAP module, uncomment the next + # two lines. + # + + $varmodulesldapmsadcompatibility + + # + # By default, if the packet contains a User-Password, + # and no other module is configured to handle the + # authentication, the LDAP module sets itself to do + # LDAP bind for authentication. + # + # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. + # + # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). + # + # You can disable this behavior by setting the following + # configuration entry to "no". + # + # allowed values: {no, yes} + # set_auth_type = yes + + # ldap_debug: debug flag for LDAP SDK + # (see OpenLDAP documentation). Set this to enable + # huge amounts of LDAP debugging on the screen. + # You should only use this if you are an LDAP expert. + # + # default: 0x0000 (no debugging messages) + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) + #ldap_debug = 0x0028 + + # + # Keepalive configuration. This MAY NOT be supported by your + # LDAP library. If these configuration entries appear in the + # output of "radiusd -X", then they are supported. Otherwise, + # they are unsupported, and changing them will do nothing. + # + keepalive { + # LDAP_OPT_X_KEEPALIVE_IDLE + idle = $varmodulesldapkeepaliveidle + + # LDAP_OPT_X_KEEPALIVE_PROBES + probes = $varmodulesldapkeepaliveprobes + + # LDAP_OPT_X_KEEPALIVE_INTERVAL + interval = $varmodulesldapkeepaliveinterval + } +} +EOD; + + $filename = RADDB . '/modules/ldap'; + conf_mount_rw(); + file_put_contents($filename, $conf); + chmod($filename, 0600); + conf_mount_ro(); + + // We need to rebuild "freeradius_serverdefault_resync" before restart service + // "freeradius_serverdefault_resync" needs to restart other dependencies so we are pointing directly to "freeradius_settings_resync()" + freeradius_settings_resync(); + +} + ?>
\ No newline at end of file diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml index bcff9b17..f2cd3dcf 100755..100644 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml @@ -65,7 +65,7 @@ <tab> <text>Users</text> <url>/pkg.php?xml=freeradius.xml</url> - <active/> + <active/> </tab> <tab> <text>NAS / Clients</text> @@ -90,7 +90,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> @@ -101,6 +105,11 @@ </tab> </tabs> <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradius.inc</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/freeradius2/freeradius_view_config.php</item> @@ -143,7 +152,7 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/freeradius2/freeradius.inc</item> + <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusmodulesldap.xml</item> </additional_files_needed> <adddeleteeditpagefields> <columnitem> diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php index 14e37455..218a9abb 100755..100644 --- a/config/freeradius2/freeradius_view_config.php +++ b/config/freeradius2/freeradius_view_config.php @@ -42,6 +42,7 @@ function get_file($file){ $files['server']="/usr/local/etc/raddb/certs/server.cnf"; $files['client']="/usr/local/etc/raddb/certs/client.cnf"; $files['index']="/usr/local/etc/raddb/certs/index.txt"; + $files['ldap']="/usr/local/etc/raddb/modules/ldap"; if ($files[$file]!="" && file_exists($files[$file])){ @@ -86,6 +87,7 @@ else{ $tab_array[] = array(gettext("EAP"), false, "/pkg_edit.php?xml=freeradiuseapconf.xml&id=0"); $tab_array[] = array(gettext("SQL"), false, "/pkg_edit.php?xml=freeradiussqlconf.xml&id=0"); $tab_array[] = array(gettext("Certificates"), false, "/pkg_edit.php?xml=freeradiuscerts.xml&id=0"); + $tab_array[] = array(gettext("LDAP"), false, "/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0"); $tab_array[] = array(gettext("View config"), true, "/freeradius_view_config.php"); $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=freeradiussync.xml&id=0"); display_top_tabs($tab_array); @@ -112,6 +114,7 @@ else{ <input type="button" onClick="get_freeradius_file('server');" id='btn_server' value="server.cnf"> <input type="button" onClick="get_freeradius_file('client');" id='btn_client' value="client.cnf"> <input type="button" onClick="get_freeradius_file('index');" id='btn_index' value="index.txt"> + <input type="button" onClick="get_freeradius_file('ldap');" id='btn_ldap' value="ldap"> </td> </tr> <tr> @@ -152,6 +155,7 @@ else{ $('btn_server').value="server.cnf"; $('btn_client').value="client.cnf"; $('btn_index').value="index.txt"; + $('btn_ldap').value="ldap"; scroll(0,0); } </script> diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml index 34ab5a03..1393dea8 100755..100644 --- a/config/freeradius2/freeradiuscerts.xml +++ b/config/freeradius2/freeradiuscerts.xml @@ -78,7 +78,11 @@ <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> <active/> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml index 8e5e6b5b..57ad1b7d 100755..100644 --- a/config/freeradius2/freeradiusclients.xml +++ b/config/freeradius2/freeradiusclients.xml @@ -77,7 +77,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> @@ -86,7 +90,7 @@ <text>XMLRPC Sync</text> <url>/pkg_edit.php?xml=freeradiussync.xml&id=0</url> </tab> -</tabs> + </tabs> <adddeleteeditpagefields> <columnitem> <fielddescr>Client IP Address</fielddescr> diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index dd70a959..b319f198 100755..100644 --- a/config/freeradius2/freeradiuseapconf.xml +++ b/config/freeradius2/freeradiuseapconf.xml @@ -78,7 +78,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml index 3819908e..f15e998f 100755..100644 --- a/config/freeradius2/freeradiusinterfaces.xml +++ b/config/freeradius2/freeradiusinterfaces.xml @@ -77,7 +77,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml new file mode 100644 index 00000000..317054d2 --- /dev/null +++ b/config/freeradius2/freeradiusmodulesldap.xml @@ -0,0 +1,345 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> +<![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + freeradiusmodulesldap.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ +]]> </copyright> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>freeradiusmodulesldap</name> + <version>none</version> + <title>FreeRADIUS: LDAP</title> + <aftersaveredirect>pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</aftersaveredirect> + <include_file>/usr/local/pkg/freeradius.inc</include_file> + <tabs> + <tab> + <text>Users</text> + <url>/pkg.php?xml=freeradius.xml</url> + </tab> + <tab> + <text>NAS / Clients</text> + <url>/pkg.php?xml=freeradiusclients.xml</url> + </tab> + <tab> + <text>Interfaces</text> + <url>/pkg.php?xml=freeradiusinterfaces.xml</url> + </tab> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=freeradiussettings.xml&id=0</url> + </tab> + <tab> + <text>EAP</text> + <url>/pkg_edit.php?xml=freeradiuseapconf.xml&id=0</url> + </tab> + <tab> + <text>SQL</text> + <url>/pkg_edit.php?xml=freeradiussqlconf.xml&id=0</url> + </tab> + <tab> + <text>Certificates</text> + <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + <active/> + </tab> + <tab> + <text>View config</text> + <url>/freeradius_view_config.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=freeradiussync.xml&id=0</url> + </tab> + </tabs> + <fields> + <field> + <name>ENABLE LDAP SUPPORT</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable LDAP For Authorization</fielddescr> + <fieldname>varmodulesldapenableauthorize</fieldname> + <description><![CDATA[This enables LDAP in authorize section. The ldap module will set Auth-Type to LDAP if it has not already been set. (Default: unchecked)]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable LDAP For Authentication</fielddescr> + <fieldname>varmodulesldapenableauthenticate</fieldname> + <description><![CDATA[This enables LDAP in authenticate section. Note that this means "check plain-text password against the ldap database", which means that EAP won't work, as it does not supply a plain-text password.]]></description> + <type>checkbox</type> + </field> + <field> + <name>GENERAL CONFIGURATION</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Server</fielddescr> + <fieldname>varmodulesldapserver</fieldname> + <description><![CDATA[No description. (Default: ldap.your.domain )]]></description> + <type>input</type> + <size>80</size> + <default_value>ldap.your.domain</default_value> + </field> + <field> + <fielddescr>Identity</fielddescr> + <fieldname>varmodulesldapidentity</fieldname> + <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[cn=admin,o=My Org,c=UA]]></default_value> + </field> + <field> + <fielddescr>Password</fielddescr> + <fieldname>varmodulesldappassword</fieldname> + <description><![CDATA[No description. (Default: mypass)]]></description> + <type>password</type> + <size>80</size> + <default_value>mypass</default_value> + </field> + <field> + <fielddescr>Basedn</fielddescr> + <fieldname>varmodulesldapbasedn</fieldname> + <description><![CDATA[No description (Default: o=My Org,c=UA )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[o=My Org,c=UA]]></default_value> + </field> + <field> + <fielddescr>Filter</fielddescr> + <fieldname>varmodulesldapfilter</fieldname> + <description><![CDATA[No description. (Default: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[(uid=%{%{Stripped-User-Name}:-%{User-Name}})]]></default_value> + </field> + <field> + <fielddescr>Base Filter</fielddescr> + <fieldname>varmodulesldapbasefilter</fieldname> + <description><![CDATA[No description. (Default: (objectclass=radiusprofile) )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[(objectclass=radiusprofile)]]></default_value> + </field> + <field> + <fielddescr>LDAP Connections Number</fielddescr> + <fieldname>varmodulesldapldapconnectionsnumber</fieldname> + <description><![CDATA[How many connections to keep open to the LDAP server. This saves time over opening a new LDAP socket for every authentication request. (Default: 5)]]></description> + <type>input</type> + <size>80</size> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Timeout</fielddescr> + <fieldname>varmodulesldaptimeout</fieldname> + <description><![CDATA[Seconds to wait for LDAP query to finish. (Default: 4)]]></description> + <type>input</type> + <size>80</size> + <default_value>4</default_value> + </field> + <field> + <fielddescr>Timelimit</fielddescr> + <fieldname>varmodulesldaptimelimit</fieldname> + <description><![CDATA[Seconds the LDAP server has to process the query (server-side time limit). (Default: 3)]]></description> + <type>input</type> + <size>80</size> + <default_value>3</default_value> + </field> + <field> + <fielddescr>Net Timeout</fielddescr> + <fieldname>varmodulesldapnettimeout</fieldname> + <description><![CDATA[Seconds to wait for response of the server because of network failures. (Default: 1)]]></description> + <type>input</type> + <size>80</size> + <default_value>1</default_value> + </field> + <field> + <name>MISCELLANEOUS CONFIGURATION</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Active Directory Compatibility</fielddescr> + <fieldname>varmodulesldapmsadcompatibilityenable</fieldname> + <description><![CDATA[If you see the helpful "operations error" being returned to the LDAP module enable this. (Default: Disable)]]></description> + <type>select</type> + <default_value>Disable</default_value> + <options> + <option><name>Disable</name><value>Disable</value></option> + <option><name>Enable</name><value>Enable</value></option> + </options> + </field> + <field> + <fielddescr>Enable Misc Configuration</fielddescr> + <fieldname>varmodulesldapdmiscenable</fieldname> + <description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description> + <type>checkbox</type> + <enablefields>varmodulesldapdefaultprofile,varmodulesldapprofileattribute,varmodulesldapaccessattr</enablefields> + </field> + <field> + <fielddescr>Default Profile</fielddescr> + <fieldname>varmodulesldapdefaultprofile</fieldname> + <description><![CDATA[No description. (Default: cn=radprofile,ou=dialup,o=My Org,c=UA )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[cn=radprofile,ou=dialup,o=My Org,c=UA]]></default_value> + </field> + <field> + <fielddescr>Profile Attribute</fielddescr> + <fieldname>varmodulesldapprofileattribute</fieldname> + <description><![CDATA[No description. (Default: radiusProfileDn)]]></description> + <type>input</type> + <size>80</size> + <default_value>radiusProfileDn</default_value> + </field> + <field> + <fielddescr>Access Attribute</fielddescr> + <fieldname>varmodulesldapaccessattr</fieldname> + <description><![CDATA[No description. (Default: dialupAccess)]]></description> + <type>input</type> + <size>80</size> + <default_value>dialupAccess</default_value> + </field> + <field> + <name>Group Membership Options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable Group Membership Options</fielddescr> + <fieldname>varmodulesldapgroupenable</fieldname> + <description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description> + <type>checkbox</type> + <enablefields>varmodulesldapaccessattrusedforallow,varmodulesldapdoxlat,varmodulesldapcomparecheckitems,varmodulesldapgroupmembershipattribute,varmodulesldapgroupmembershipfilter,varmodulesldapgroupnameattribute</enablefields> + </field> + <field> + <fielddescr>Groupname Attribute</fielddescr> + <fieldname>varmodulesldapgroupnameattribute</fieldname> + <description><![CDATA[No description. (Default: cn)]]></description> + <type>input</type> + <size>80</size> + <default_value>cn</default_value> + </field> + <field> + <fielddescr>Groupmembership Filter</fielddescr> + <fieldname>varmodulesldapgroupmembershipfilter</fieldname> + <description><![CDATA[No description. (Default: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) )]]></description> + <type>input</type> + <size>80</size> + <default_value><![CDATA[(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))]]></default_value> + </field> + <field> + <fielddescr>Groupmembership Attribute</fielddescr> + <fieldname>varmodulesldapgroupmembershipattribute</fieldname> + <description><![CDATA[No description. (Default: radiusGroupName)]]></description> + <type>input</type> + <size>80</size> + <default_value>radiusGroupName</default_value> + </field> + <field> + <fielddescr>Compare Check Items</fielddescr> + <fieldname>varmodulesldapcomparecheckitems</fieldname> + <description><![CDATA[No description. (Default: Yes)]]></description> + <type>select</type> + <default_value>Yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>Do XLAT</fielddescr> + <fieldname>varmodulesldapdoxlat</fieldname> + <description><![CDATA[No description. (Default: Yes)]]></description> + <type>select</type> + <default_value>Yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr>Access Attribute Used For Allow</fielddescr> + <fieldname>varmodulesldapaccessattrusedforallow</fieldname> + <description><![CDATA[No description. (Default: Yes)]]></description> + <type>select</type> + <default_value>Yes</default_value> + <options> + <option><name>Yes</name><value>yes</value></option> + <option><name>No</name><value>no</value></option> + </options> + </field> + <field> + <name>KEEPALIVE CONFIGURATION</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>LDAP OPT X KEEPALIVE IDLE</fielddescr> + <fieldname>varmodulesldapkeepaliveidle</fieldname> + <description><![CDATA[No description. (Default: 60)]]></description> + <type>input</type> + <size>80</size> + <default_value>60</default_value> + </field> + <field> + <fielddescr>LDAP OPT X KEEPALIVE PROBES</fielddescr> + <fieldname>varmodulesldapkeepaliveprobes</fieldname> + <description><![CDATA[No description. (Default: 3)]]></description> + <type>input</type> + <size>80</size> + <default_value>3</default_value> + </field> + <field> + <fielddescr>LDAP OPT X KEEPALIVE INTERVAL</fielddescr> + <fieldname>varmodulesldapkeepaliveinterval</fieldname> + <description><![CDATA[No description. (Default: 3)]]></description> + <type>input</type> + <size>80</size> + <default_value>3</default_value> + </field> + </fields> + <custom_delete_php_command> + freeradius_modulesldap_resync(); + </custom_delete_php_command> + <custom_php_resync_config_command> + freeradius_modulesldap_resync(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml index e49aee1a..8115945a 100755..100644 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml @@ -78,7 +78,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> @@ -154,20 +158,18 @@ <field> <fielddescr>Logging Destination of RADIUS</fielddescr> <fieldname>varsettingslogdir</fieldname> - <description><![CDATA[Choose the destination where freeRADIUS should log. Logging must be enabled.(Default: radius.log)]]></description> + <description><![CDATA[Choose the destination where freeRADIUS should log. This will log if service started or failed but no authentication information. (Default: radius.log)]]></description> <type>select</type> <default_value>syslog</default_value> <options> <option><name>/var/log/radius.log</name><value>files</value></option> <option><name>System Logs -> System</name><value>syslog</value></option> - <option><name>stdout</name><value>stdout</value></option> - <option><name>stderr</name><value>stderr</value></option> </options> </field> <field> <fielddescr>RADIUS Logging</fielddescr> <fieldname>varsettingsauth</fieldname> - <description><![CDATA[Choose if you want to enable logging. (Default: Disabled)]]></description> + <description><![CDATA[This enables logging if an authentication is accepted or rejected. (Default: Disabled)]]></description> <type>select</type> <default_value>yes</default_value> <options> @@ -178,7 +180,7 @@ <field> <fielddescr>Log Bad Authentication Attempts</fielddescr> <fieldname>varsettingsauthbadpass</fieldname> - <description><![CDATA[Choose if you want to log bad authentication attempts. Logging must be enabled. (Default: no)]]></description> + <description><![CDATA[If an authentication fails then it will log the username and <b>wrong</b> password visible in syslog. Logging must be enabled. (Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> @@ -189,7 +191,7 @@ <field> <fielddescr>Log good authentication attempts?</fielddescr> <fieldname>varsettingsauthgoodpass</fieldname> - <description><![CDATA[Choose if you want to log good authentication attempts. Logging must be enabled. (Default: no)]]></description> + <description><![CDATA[If an authentication succeeds then it will log the username and <b>correct</b> password visible in syslog. Logging must be enabled. (Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> @@ -200,7 +202,7 @@ <field> <fielddescr>Log Stripped Names</fielddescr> <fieldname>varsettingsstrippednames</fieldname> - <description><![CDATA[Choose if you want to log the full User-Name attribute as it was found in the request. Logging must be enabled. (Default: no)]]></description> + <description><![CDATA[Choose this if you want to log the full User-Name attribute as it was found in the request. Logging must be enabled. (Default: no)]]></description> <type>select</type> <default_value>no</default_value> <options> diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml index bce593fe..538ad45d 100755..100644 --- a/config/freeradius2/freeradiussqlconf.xml +++ b/config/freeradius2/freeradiussqlconf.xml @@ -78,7 +78,11 @@ <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml index 4a15c8d2..66a2701f 100755..100644 --- a/config/freeradius2/freeradiussync.xml +++ b/config/freeradius2/freeradiussync.xml @@ -90,7 +90,11 @@ POSSIBILITY OF SUCH DAMAGE. <tab> <text>Certificates</text> <url>/pkg_edit.php?xml=freeradiuscerts.xml&id=0</url> - </tab> + </tab> + <tab> + <text>LDAP</text> + <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</url> + </tab> <tab> <text>View config</text> <url>/freeradius_view_config.php</url> |