Diffstat (limited to 'config/freeradius2')
-rwxr-xr-xconfig/freeradius2/freeradius.inc318
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradius.xml15
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradius_view_config.php4
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradiuscerts.xml6
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradiusclients.xml8
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradiuseapconf.xml6
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradiusinterfaces.xml6
-rw-r--r--config/freeradius2/freeradiusmodulesldap.xml345
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradiussettings.xml18
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradiussqlconf.xml6
-rw-r--r--[-rwxr-xr-x]config/freeradius2/freeradiussync.xml6
11 files changed, 712 insertions, 26 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 816eb984..6c64a615 100755
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -82,7 +82,7 @@ function freeradius_install_command() {
conf_mount_rw();
write_rcfile($rcfile);
conf_mount_ro();
- restart_service("freeradius");
+ start_service("radiusd");
}
function freeradius_settings_resync() {
@@ -249,7 +249,7 @@ checkrad = \${sbindir}/checkrad
security {
max_attributes = $varsettingsmaxattributes
reject_delay = $varsettingsrejectdelay
- status_server = yes
+ status_server = no
}
### disbale proxy module. In most environments we do not need to proxy requests to another RADIUS PROXY server
@@ -305,7 +305,7 @@ EOD;
freeradius_modulescounter_resync();
freeradius_modulesmschap_resync();
freeradius_modulesrealm_resync();
- restart_service("freeradius");
+ restart_service("radiusd");
}
function freeradius_users_resync() {
@@ -485,7 +485,7 @@ EOD;
conf_mount_ro();
freeradius_sync_on_changes();
- restart_service("freeradius");
+ restart_service("radiusd");
}
@@ -793,6 +793,26 @@ function freeradius_serverdefault_resync() {
global $config;
$conf = '';
+
+ // Get Variables from freeradiusmodulesldap.xml
+ $arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0];
+
+ // If unchecked then disable authorize
+ if (!$arrmodulesldap['varmodulesldapenableauthorize']) {
+ $varmodulesldapenableauthorize = '### ldap ###';
+ }
+ else {
+ $varmodulesldapenableauthorize = 'ldap';
+ }
+
+ // If unchecked then disable authenticate
+ if (!$arrmodulesldap['varmodulesldapenableauthenticate']) {
+ $varmodulesldapenableauthenticate = "#Auth-Type LDAP {" . "\n\t\t\t#ldap" . "\n\t#}";
+ }
+ else {
+ $varmodulesldapenableauthenticate = "Auth-Type LDAP {" . "\n\t\t\tldap" . "\n\t}";
+ }
+
// Get Variables from freeradiussqlconf.xml
$sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0];
$varsqlconfenableauthorize = ($sqlconf['varsqlconfenableauthorize']?$sqlconf['varsqlconfenableauthorize']:'Disable');
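Review bot: The authenticate toggle added here switches on `Auth-Type LDAP`, which, per the template comment further down, checks the user's plain-text password against the LDAP server, yet the `ldap` module template added in this same commit fixes `start_tls = no` and postpones every TLS option. Unless the configured server is reached over ldaps, those passwords and the bind identity's password would appear to cross the network unencrypted. I would add a comment above the block, e.g. `// NOTE: enables plain-text LDAP bind; TLS for the LDAP connection is not configurable yet`, and repeat the caveat in the checkbox description. `freeradius_serverdefault_resync()` begins before this hunk and continues after it.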
@@ -1022,7 +1042,7 @@ authorize {
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
-# ldap
+ $varmodulesldapenableauthorize
#
# Enforce daily limits on time spent logged in.
@@ -1141,9 +1161,7 @@ authenticate {
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
-# Auth-Type LDAP {
-# ldap
-# }
+ $varmodulesldapenableauthenticate
#
# Allow EAP authentication.
@@ -2258,4 +2276,288 @@ EOD;
}
+function freeradius_modulesldap_resync() {
+ global $config;
+ $conf = '';
+
+ $arrmodulesldap = $config['installedpackages']['freeradiusmodulesldap']['config'][0];
+
+ // Enable and Disable LDAP for "authorize" and "authenticate" will be done in "freeradius_serverdefault_resync"
+
+
+ // Variables for General Configuration
+ $varmodulesldapserver = ($arrmodulesldap['varmodulesldapserver']?$arrmodulesldap['varmodulesldapserver']:'ldap.your.domain');
+ $varmodulesldapidentity = ($arrmodulesldap['varmodulesldapidentity']?$arrmodulesldap['varmodulesldapidentity']:'cn=admin,o=My Org,c=UA');
+ $varmodulesldappassword = ($arrmodulesldap['varmodulesldappassword']?$arrmodulesldap['varmodulesldappassword']:'mypass');
+ $varmodulesldapbasedn = ($arrmodulesldap['varmodulesldapbasedn']?$arrmodulesldap['varmodulesldapbasedn']:'o=My Org,c=UA');
+ $varmodulesldapfilter = ($arrmodulesldap['varmodulesldapfilter']?$arrmodulesldap['varmodulesldapfilter']:'(uid=%{%{Stripped-User-Name}:-%{User-Name}})');
+ $varmodulesldapbasefilter = ($arrmodulesldap['varmodulesldapbasefilter']?$arrmodulesldap['varmodulesldapbasefilter']:'(objectclass=radiusprofile)');
+ $varmodulesldapldapconnectionsnumber = ($arrmodulesldap['varmodulesldapldapconnectionsnumber']?$arrmodulesldap['varmodulesldapldapconnectionsnumber']:'5');
+ $varmodulesldaptimeout = ($arrmodulesldap['varmodulesldaptimeout']?$arrmodulesldap['varmodulesldaptimeout']:'4');
+ $varmodulesldaptimelimit = ($arrmodulesldap['varmodulesldaptimelimit']?$arrmodulesldap['varmodulesldaptimelimit']:'3');
+ $varmodulesldapnettimeout = ($arrmodulesldap['varmodulesldapnettimeout']?$arrmodulesldap['varmodulesldapnettimeout']:'1');
+
+ // Variables for TLS / Certificates - will be added later
+
+
+ // Miscellaneous Configuration + MS Active Directory Compatibility
+ $varmodulesldapmsadcompatibilityenable = ($arrmodulesldap['varmodulesldapmsadcompatibilityenable']?$arrmodulesldap['varmodulesldapmsadcompatibilityenable']:'Disable');
+ if ($arrmodulesldap['varmodulesldapmsadcompatibilityenable'] == 'Disable') {
+ $varmodulesldapmsadcompatibility = '### MS Active Directory Compatibility is disabled ###';
+ }
+ else {
+ $varmodulesldapmsadcompatibility = 'chase_referrals = yes' . "\n\trebind = yes";
+ }
+
+ // When disabled we put this in the file but commented (#) like in the default installation
+ if (!$arrmodulesldap['varmodulesldapdmiscenable']) {
+ $varmodulesldapdefaultprofile = '### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###';
+ $varmodulesldapprofileattribute = '### profile_attribute = "radiusProfileDn" ###';
+ $varmodulesldapaccessattr = '### access_attr = "dialupAccess" ###';
+ }
+ // When enabled we put in the default values so there is no empty entry if there is not input from GUI
+ else {
+ $varmodulesldapdefaultprofile = ($arrmodulesldap['varmodulesldapdefaultprofile']?$arrmodulesldap['varmodulesldapdefaultprofile']:'cn=radprofile,ou=dialup,o=My Org,c=UA');
+ $varmodulesldapdefaultprofile = "default_profile = " . '"' . "$varmodulesldapdefaultprofile" . '"';
+ $varmodulesldapprofileattribute = ($arrmodulesldap['varmodulesldapprofileattribute']?$arrmodulesldap['varmodulesldapprofileattribute']:'radiusProfileDn');
+ $varmodulesldapprofileattribute = "profile_attribute = " . '"' . "$varmodulesldapprofileattribute" . '"';
+ $varmodulesldapaccessattr = ($arrmodulesldap['varmodulesldapaccessattr']?$arrmodulesldap['varmodulesldapaccessattr']:'dialupAccess');
+ $varmodulesldapaccessattr = "access_attr = " . '"' . "$varmodulesldapaccessattr" . '"';
+ }
+
+ // Group membership checking
+ // When disabled we put this in the file but commented (#) like in the default installation
+ if (!$arrmodulesldap['varmodulesldapgroupenable']) {
+ $varmodulesldapgroupnameattribute = '### groupname_attribute = cn ###';
+ $varmodulesldapgroupmembershipfilter = '### groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" ###';
+ $varmodulesldapgroupmembershipattribute = '### groupmembership_attribute = radiusGroupName ###';
+ $varmodulesldapcomparecheckitems = '### compare_check_items = yes ###';
+ $varmodulesldapdoxlat = '### do_xlat = yes ###';
+ $varmodulesldapaccessattrusedforallow = '### access_attr_used_for_allow = yes ###';
+ }
+
+ // When enabled we put in the default values so there is no empty entry if there is not input from GUI
+ else {
+ $varmodulesldapgroupnameattribute = ($arrmodulesldap['varmodulesldapgroupnameattribute']?$arrmodulesldap['varmodulesldapgroupnameattribute']:'cn');
+ $varmodulesldapgroupnameattribute = "groupname_attribute = $varmodulesldapgroupnameattribute";
+ $varmodulesldapgroupmembershipfilter = ($arrmodulesldap['varmodulesldapgroupmembershipfilter']?$arrmodulesldap['varmodulesldapgroupmembershipfilter']:'(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))');
+ $varmodulesldapgroupmembershipfilter = "groupmembership_filter = " . '"' . "$varmodulesldapgroupmembershipfilter" . '"';
+ $varmodulesldapgroupmembershipattribute = ($arrmodulesldap['varmodulesldapgroupmembershipattribute']?$arrmodulesldap['varmodulesldapgroupmembershipattribute']:'radiusGroupName');
+ $varmodulesldapgroupmembershipattribute = "groupmembership_attribute = $varmodulesldapgroupmembershipattribute";
+
+ $varmodulesldapcomparecheckitems = ($arrmodulesldap['varmodulesldapcomparecheckitems']?$arrmodulesldap['varmodulesldapcomparecheckitems']:'yes');
+ $varmodulesldapcomparecheckitems = "compare_check_items = $varmodulesldapcomparecheckitems";
+ $varmodulesldapdoxlat = ($arrmodulesldap['varmodulesldapdoxlat']?$arrmodulesldap['varmodulesldapdoxlat']:'yes');
+ $varmodulesldapdoxlat = "do_xlat = $varmodulesldapdoxlat";
+ $varmodulesldapaccessattrusedforallow = ($arrmodulesldap['varmodulesldapaccessattrusedforallow']?$arrmodulesldap['varmodulesldapaccessattrusedforallow']:'yes');
+ $varmodulesldapaccessattrusedforallow = "access_attr_used_for_allow = $varmodulesldapaccessattrusedforallow";
+ }
+
+ // Keepalive variables
+ $varmodulesldapkeepaliveidle = ($arrmodulesldap['varmodulesldapkeepaliveidle']?$arrmodulesldap['varmodulesldapkeepaliveidle']:'60');
+ $varmodulesldapkeepaliveprobes = ($arrmodulesldap['varmodulesldapkeepaliveprobes']?$arrmodulesldap['varmodulesldapkeepaliveprobes']:'3');
+ $varmodulesldapkeepaliveinterval = ($arrmodulesldap['varmodulesldapkeepaliveinterval']?$arrmodulesldap['varmodulesldapkeepaliveinterval']:'3');
+
+$conf .= <<<EOD
+
+# -*- text -*-
+#
+# $Id$
+
+# Lightweight Directory Access Protocol (LDAP)
+#
+# This module definition allows you to use LDAP for
+# authorization and authentication.
+#
+# See raddb/sites-available/default for reference to the
+# ldap module in the authorize and authenticate sections.
+#
+# However, LDAP can be used for authentication ONLY when the
+# Access-Request packet contains a clear-text User-Password
+# attribute. LDAP authentication will NOT work for any other
+# authentication method.
+#
+# This means that LDAP servers don't understand EAP. If you
+# force "Auth-Type = LDAP", and then send the server a
+# request containing EAP authentication, then authentication
+# WILL NOT WORK.
+#
+# The solution is to use the default configuration, which does
+# work.
+#
+# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
+# really can't emphasize this enough.
+#
+ldap {
+ #
+ # Note that this needs to match the name in the LDAP
+ # server certificate, if you're using ldaps.
+ server = "$varmodulesldapserver"
+ identity = "$varmodulesldapidentity"
+ password = $varmodulesldappassword
+ basedn = "$varmodulesldapbasedn"
+ filter = "$varmodulesldapfilter"
+ base_filter = "$varmodulesldapbasefilter"
+
+ # How many connections to keep open to the LDAP server.
+ # This saves time over opening a new LDAP socket for
+ # every authentication request.
+ ldap_connections_number = $varmodulesldapldapconnectionsnumber
+
+ # seconds to wait for LDAP query to finish. default: 20
+ timeout = $varmodulesldaptimeout
+
+ # seconds LDAP server has to process the query (server-side
+ # time limit). default: 20
+ #
+ # LDAP_OPT_TIMELIMIT is set to this value.
+ timelimit = $varmodulesldaptimelimit
+
+ #
+ # seconds to wait for response of the server. (network
+ # failures) default: 10
+ #
+ # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
+ net_timeout = $varmodulesldapnettimeout
+
+ #
+ # This subsection configures the tls related items
+ # that control how FreeRADIUS connects to an LDAP
+ # server. It contains all of the "tls_*" configuration
+ # entries used in older versions of FreeRADIUS. Those
+ # configuration entries can still be used, but we recommend
+ # using these.
+ #
+ tls {
+ # Set this to 'yes' to use TLS encrypted connections
+ # to the LDAP database by using the StartTLS extended
+ # operation.
+ #
+ # The StartTLS operation is supposed to be
+ # used with normal ldap connections instead of
+ # using ldaps (port 689) connections
+ start_tls = no
+
+ # cacertfile = /path/to/cacert.pem
+ # cacertdir = /path/to/ca/dir/
+ # certfile = /path/to/radius.crt
+ # keyfile = /path/to/radius.key
+ # randfile = /path/to/rnd
+
+ # Certificate Verification requirements. Can be:
+ # "never" (don't even bother trying)
+ # "allow" (try, but don't fail if the cerificate
+ # can't be verified)
+ # "demand" (fail if the certificate doesn't verify.)
+ #
+ # The default is "allow"
+ # require_cert = "demand"
+ }
+
+ $varmodulesldapdefaultprofile
+ $varmodulesldapprofileattribute
+ $varmodulesldapaccessattr
+
+ # Mapping of RADIUS dictionary attributes to LDAP
+ # directory attributes.
+ dictionary_mapping = ${confdir}/ldap.attrmap
+ ################## THE BELOW IS NOT COMPILED WITH FREERADIUS #################################
+ # Set password_attribute = nspmPassword to get the
+ # user's password from a Novell eDirectory
+ # backend. This will work ONLY IF FreeRADIUS has been
+ # built with the --with-edir configure option.
+ #
+ # See also the following links:
+ #
+ # http://www.novell.com/coolsolutions/appnote/16745.html
+ # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
+ #
+ # Novell may require TLS encrypted sessions before returning
+ # the user's password.
+ #
+ # password_attribute = userPassword
+
+ # Un-comment the following to disable Novell
+ # eDirectory account policy check and intruder
+ # detection. This will work *only if* FreeRADIUS is
+ # configured to build with --with-edir option.
+ #
+ edir_account_policy_check = no
+ ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS #################################
+ #
+ # Group membership checking. Disabled by default.
+ #
+ $varmodulesldapgroupnameattribute
+ $varmodulesldapgroupmembershipfilter
+ $varmodulesldapgroupmembershipattribute
+
+ $varmodulesldapcomparecheckitems
+ $varmodulesldapdoxlat
+ $varmodulesldapaccessattrusedforallow
+
+ #
+ # The following two configuration items are for Active Directory
+ # compatibility. If you see the helpful "operations error"
+ # being returned to the LDAP module, uncomment the next
+ # two lines.
+ #
+
+ $varmodulesldapmsadcompatibility
+
+ #
+ # By default, if the packet contains a User-Password,
+ # and no other module is configured to handle the
+ # authentication, the LDAP module sets itself to do
+ # LDAP bind for authentication.
+ #
+ # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
+ #
+ # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
+ #
+ # You can disable this behavior by setting the following
+ # configuration entry to "no".
+ #
+ # allowed values: {no, yes}
+ # set_auth_type = yes
+
+ # ldap_debug: debug flag for LDAP SDK
+ # (see OpenLDAP documentation). Set this to enable
+ # huge amounts of LDAP debugging on the screen.
+ # You should only use this if you are an LDAP expert.
+ #
+ # default: 0x0000 (no debugging messages)
+ # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
+ #ldap_debug = 0x0028
+
+ #
+ # Keepalive configuration. This MAY NOT be supported by your
+ # LDAP library. If these configuration entries appear in the
+ # output of "radiusd -X", then they are supported. Otherwise,
+ # they are unsupported, and changing them will do nothing.
+ #
+ keepalive {
+ # LDAP_OPT_X_KEEPALIVE_IDLE
+ idle = $varmodulesldapkeepaliveidle
+
+ # LDAP_OPT_X_KEEPALIVE_PROBES
+ probes = $varmodulesldapkeepaliveprobes
+
+ # LDAP_OPT_X_KEEPALIVE_INTERVAL
+ interval = $varmodulesldapkeepaliveinterval
+ }
+}
+EOD;
+
+ $filename = RADDB . '/modules/ldap';
+ conf_mount_rw();
+ file_put_contents($filename, $conf);
+ chmod($filename, 0600);
+ conf_mount_ro();
+
+ // We need to rebuild "freeradius_serverdefault_resync" before restart service
+ // "freeradius_serverdefault_resync" needs to restart other dependencies so we are pointing directly to "freeradius_settings_resync()"
+ freeradius_settings_resync();
+
+}
+
?> \ No newline at end of file
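Review bot: `password = $varmodulesldappassword` in the `ldap { }` template is written without quotes while its neighbours are quoted, and none of the GUI values interpolated into this heredoc are checked for `"`, backslashes or line breaks, so a bind password containing a space or `#` is likely to be misparsed and a stray quote in any field can change the meaning of the generated `modules/ldap`. Quote it like the other values (`password = "$varmodulesldappassword"`) and reject or escape those characters before building `$conf`. Separately, `dictionary_mapping = ${confdir}/ldap.attrmap` is not escaped the way `\${sbindir}` is elsewhere in this file, so PHP will expand it as the undefined variable `$confdir`; it should read `\${confdir}`. The MS AD test compares the raw `$arrmodulesldap['varmodulesldapmsadcompatibilityenable']` rather than the defaulted `$varmodulesldapmsadcompatibilityenable`, so a never-saved page appears to take the branch that writes `chase_referrals = yes`.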
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index bcff9b17..f2cd3dcf 100755..100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -65,7 +65,7 @@
<tab>
<text>Users</text>
<url>/pkg.php?xml=freeradius.xml</url>
- <active/>
+ <active/>
</tab>
<tab>
<text>NAS / Clients</text>
@@ -90,7 +90,11 @@
<tab>
<text>Certificates</text>
<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
- </tab>
+ </tab>
+ <tab>
+ <text>LDAP</text>
+ <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</url>
+ </tab>
<tab>
<text>View config</text>
<url>/freeradius_view_config.php</url>
@@ -101,6 +105,11 @@
</tab>
</tabs>
<additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradius.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/www/</prefix>
<chmod>0755</chmod>
<item>http://www.pfsense.org/packages/config/freeradius2/freeradius_view_config.php</item>
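Review bot: The added `<additional_files_needed>` entry pulls `freeradius.inc`, which is PHP that the package pages include, from an `http://` URL, and nothing visible here pins or verifies its content; the same applies to the `freeradiusmodulesldap.xml` item in the next hunk. If the installer does not check integrity itself (not visible on this page), an https source or a checksum would be the safer choice. The `freeradiusmodulesldap.xml` item also inherits `<chmod>0755</chmod>` although the file is added as mode 100644 and is not executed; `<chmod>0644</chmod>` would match.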
@@ -143,7 +152,7 @@
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<chmod>0755</chmod>
- <item>http://www.pfsense.org/packages/config/freeradius2/freeradius.inc</item>
+ <item>http://www.pfsense.org/packages/config/freeradius2/freeradiusmodulesldap.xml</item>
</additional_files_needed>
<adddeleteeditpagefields>
<columnitem>
diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php
index 14e37455..218a9abb 100755..100644
--- a/config/freeradius2/freeradius_view_config.php
+++ b/config/freeradius2/freeradius_view_config.php
@@ -42,6 +42,7 @@ function get_file($file){
$files['server']="/usr/local/etc/raddb/certs/server.cnf";
$files['client']="/usr/local/etc/raddb/certs/client.cnf";
$files['index']="/usr/local/etc/raddb/certs/index.txt";
+ $files['ldap']="/usr/local/etc/raddb/modules/ldap";
if ($files[$file]!="" && file_exists($files[$file])){
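Review bot: Adding `$files['ldap']` lets the view page return `/usr/local/etc/raddb/modules/ldap`, and that file carries the LDAP bind password written by `freeradius_modulesldap_resync()`, which deliberately chmods it to 0600. The credential would then appear in the browser of anyone who can open this page. I would mask the `password = …` line before output, for example by replacing its value with a placeholder when `$file` is `ldap`. The rest of `get_file()` lies outside this hunk, so where the content is echoed is not visible here.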
@@ -86,6 +87,7 @@ else{
$tab_array[] = array(gettext("EAP"), false, "/pkg_edit.php?xml=freeradiuseapconf.xml&id=0");
$tab_array[] = array(gettext("SQL"), false, "/pkg_edit.php?xml=freeradiussqlconf.xml&id=0");
$tab_array[] = array(gettext("Certificates"), false, "/pkg_edit.php?xml=freeradiuscerts.xml&id=0");
+ $tab_array[] = array(gettext("LDAP"), false, "/pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0");
$tab_array[] = array(gettext("View config"), true, "/freeradius_view_config.php");
$tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=freeradiussync.xml&amp;id=0");
display_top_tabs($tab_array);
@@ -112,6 +114,7 @@ else{
<input type="button" onClick="get_freeradius_file('server');" id='btn_server' value="server.cnf">&nbsp;
<input type="button" onClick="get_freeradius_file('client');" id='btn_client' value="client.cnf">&nbsp;
<input type="button" onClick="get_freeradius_file('index');" id='btn_index' value="index.txt">&nbsp;
+ <input type="button" onClick="get_freeradius_file('ldap');" id='btn_ldap' value="ldap">&nbsp;
</td>
</tr>
<tr>
@@ -152,6 +155,7 @@ else{
$('btn_server').value="server.cnf";
$('btn_client').value="client.cnf";
$('btn_index').value="index.txt";
+ $('btn_ldap').value="ldap";
scroll(0,0);
}
</script>
diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml
index 34ab5a03..1393dea8 100755..100644
--- a/config/freeradius2/freeradiuscerts.xml
+++ b/config/freeradius2/freeradiuscerts.xml
@@ -78,7 +78,11 @@
<text>Certificates</text>
<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
<active/>
- </tab>
+ </tab>
+ <tab>
+ <text>LDAP</text>
+ <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</url>
+ </tab>
<tab>
<text>View config</text>
<url>/freeradius_view_config.php</url>
diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml
index 8e5e6b5b..57ad1b7d 100755..100644
--- a/config/freeradius2/freeradiusclients.xml
+++ b/config/freeradius2/freeradiusclients.xml
@@ -77,7 +77,11 @@
<tab>
<text>Certificates</text>
<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
- </tab>
+ </tab>
+ <tab>
+ <text>LDAP</text>
+ <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</url>
+ </tab>
<tab>
<text>View config</text>
<url>/freeradius_view_config.php</url>
@@ -86,7 +90,7 @@
<text>XMLRPC Sync</text>
<url>/pkg_edit.php?xml=freeradiussync.xml&amp;id=0</url>
</tab>
-</tabs>
+ </tabs>
<adddeleteeditpagefields>
<columnitem>
<fielddescr>Client IP Address</fielddescr>
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index dd70a959..b319f198 100755..100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -78,7 +78,11 @@
<tab>
<text>Certificates</text>
<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
- </tab>
+ </tab>
+ <tab>
+ <text>LDAP</text>
+ <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</url>
+ </tab>
<tab>
<text>View config</text>
<url>/freeradius_view_config.php</url>
diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml
index 3819908e..f15e998f 100755..100644
--- a/config/freeradius2/freeradiusinterfaces.xml
+++ b/config/freeradius2/freeradiusinterfaces.xml
@@ -77,7 +77,11 @@
<tab>
<text>Certificates</text>
<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
- </tab>
+ </tab>
+ <tab>
+ <text>LDAP</text>
+ <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</url>
+ </tab>
<tab>
<text>View config</text>
<url>/freeradius_view_config.php</url>
diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml
new file mode 100644
index 00000000..317054d2
--- /dev/null
+++ b/config/freeradius2/freeradiusmodulesldap.xml
@@ -0,0 +1,345 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+<![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ freeradiusmodulesldap.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+]]> </copyright>
+ <description><![CDATA[Describe your package here]]></description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>freeradiusmodulesldap</name>
+ <version>none</version>
+ <title>FreeRADIUS: LDAP</title>
+ <aftersaveredirect>pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</aftersaveredirect>
+ <include_file>/usr/local/pkg/freeradius.inc</include_file>
+ <tabs>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=freeradius.xml</url>
+ </tab>
+ <tab>
+ <text>NAS / Clients</text>
+ <url>/pkg.php?xml=freeradiusclients.xml</url>
+ </tab>
+ <tab>
+ <text>Interfaces</text>
+ <url>/pkg.php?xml=freeradiusinterfaces.xml</url>
+ </tab>
+ <tab>
+ <text>Settings</text>
+ <url>/pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>EAP</text>
+ <url>/pkg_edit.php?xml=freeradiuseapconf.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>SQL</text>
+ <url>/pkg_edit.php?xml=freeradiussqlconf.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Certificates</text>
+ <url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>LDAP</text>
+ <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>View config</text>
+ <url>/freeradius_view_config.php</url>
+ </tab>
+ <tab>
+ <text>XMLRPC Sync</text>
+ <url>/pkg_edit.php?xml=freeradiussync.xml&amp;id=0</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>ENABLE LDAP SUPPORT</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable LDAP For Authorization</fielddescr>
+ <fieldname>varmodulesldapenableauthorize</fieldname>
+ <description><![CDATA[This enables LDAP in authorize section. The ldap module will set Auth-Type to LDAP if it has not already been set. (Default: unchecked)]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable LDAP For Authentication</fielddescr>
+ <fieldname>varmodulesldapenableauthenticate</fieldname>
+ <description><![CDATA[This enables LDAP in authenticate section. Note that this means "check plain-text password against the ldap database", which means that EAP won't work, as it does not supply a plain-text password.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <name>GENERAL CONFIGURATION</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Server</fielddescr>
+ <fieldname>varmodulesldapserver</fieldname>
+ <description><![CDATA[No description. (Default: ldap.your.domain )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>ldap.your.domain</default_value>
+ </field>
+ <field>
+ <fielddescr>Identity</fielddescr>
+ <fieldname>varmodulesldapidentity</fieldname>
+ <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[cn=admin,o=My Org,c=UA]]></default_value>
+ </field>
+ <field>
+ <fielddescr>Password</fielddescr>
+ <fieldname>varmodulesldappassword</fieldname>
+ <description><![CDATA[No description. (Default: mypass)]]></description>
+ <type>password</type>
+ <size>80</size>
+ <default_value>mypass</default_value>
+ </field>
+ <field>
+ <fielddescr>Basedn</fielddescr>
+ <fieldname>varmodulesldapbasedn</fieldname>
+ <description><![CDATA[No description (Default: o=My Org,c=UA )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[o=My Org,c=UA]]></default_value>
+ </field>
+ <field>
+ <fielddescr>Filter</fielddescr>
+ <fieldname>varmodulesldapfilter</fieldname>
+ <description><![CDATA[No description. (Default: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[(uid=%{%{Stripped-User-Name}:-%{User-Name}})]]></default_value>
+ </field>
+ <field>
+ <fielddescr>Base Filter</fielddescr>
+ <fieldname>varmodulesldapbasefilter</fieldname>
+ <description><![CDATA[No description. (Default: (objectclass=radiusprofile) )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[(objectclass=radiusprofile)]]></default_value>
+ </field>
+ <field>
+ <fielddescr>LDAP Connections Number</fielddescr>
+ <fieldname>varmodulesldapldapconnectionsnumber</fieldname>
+ <description><![CDATA[How many connections to keep open to the LDAP server. This saves time over opening a new LDAP socket for every authentication request. (Default: 5)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>5</default_value>
+ </field>
+ <field>
+ <fielddescr>Timeout</fielddescr>
+ <fieldname>varmodulesldaptimeout</fieldname>
+ <description><![CDATA[Seconds to wait for LDAP query to finish. (Default: 4)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>4</default_value>
+ </field>
+ <field>
+ <fielddescr>Timelimit</fielddescr>
+ <fieldname>varmodulesldaptimelimit</fieldname>
+ <description><![CDATA[Seconds the LDAP server has to process the query (server-side time limit). (Default: 3)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>3</default_value>
+ </field>
+ <field>
+ <fielddescr>Net Timeout</fielddescr>
+ <fieldname>varmodulesldapnettimeout</fieldname>
+ <description><![CDATA[Seconds to wait for response of the server because of network failures. (Default: 1)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>1</default_value>
+ </field>
+ <field>
+ <name>MISCELLANEOUS CONFIGURATION</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Active Directory Compatibility</fielddescr>
+ <fieldname>varmodulesldapmsadcompatibilityenable</fieldname>
+ <description><![CDATA[If you see the helpful "operations error" being returned to the LDAP module enable this. (Default: Disable)]]></description>
+ <type>select</type>
+ <default_value>Disable</default_value>
+ <options>
+ <option><name>Disable</name><value>Disable</value></option>
+ <option><name>Enable</name><value>Enable</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Enable Misc Configuration</fielddescr>
+ <fieldname>varmodulesldapdmiscenable</fieldname>
+ <description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description>
+ <type>checkbox</type>
+ <enablefields>varmodulesldapdefaultprofile,varmodulesldapprofileattribute,varmodulesldapaccessattr</enablefields>
+ </field>
+ <field>
+ <fielddescr>Default Profile</fielddescr>
+ <fieldname>varmodulesldapdefaultprofile</fieldname>
+ <description><![CDATA[No description. (Default: cn=radprofile,ou=dialup,o=My Org,c=UA )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[cn=radprofile,ou=dialup,o=My Org,c=UA]]></default_value>
+ </field>
+ <field>
+ <fielddescr>Profile Attribute</fielddescr>
+ <fieldname>varmodulesldapprofileattribute</fieldname>
+ <description><![CDATA[No description. (Default: radiusProfileDn)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>radiusProfileDn</default_value>
+ </field>
+ <field>
+ <fielddescr>Access Attribute</fielddescr>
+ <fieldname>varmodulesldapaccessattr</fieldname>
+ <description><![CDATA[No description. (Default: dialupAccess)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>dialupAccess</default_value>
+ </field>
+ <field>
+ <name>Group Membership Options</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable Group Membership Options</fielddescr>
+ <fieldname>varmodulesldapgroupenable</fieldname>
+ <description><![CDATA[By default the below options are not active in the configuration. (Default: unchecked)]]></description>
+ <type>checkbox</type>
+ <enablefields>varmodulesldapaccessattrusedforallow,varmodulesldapdoxlat,varmodulesldapcomparecheckitems,varmodulesldapgroupmembershipattribute,varmodulesldapgroupmembershipfilter,varmodulesldapgroupnameattribute</enablefields>
+ </field>
+ <field>
+ <fielddescr>Groupname Attribute</fielddescr>
+ <fieldname>varmodulesldapgroupnameattribute</fieldname>
+ <description><![CDATA[No description. (Default: cn)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>cn</default_value>
+ </field>
+ <field>
+ <fielddescr>Groupmembership Filter</fielddescr>
+ <fieldname>varmodulesldapgroupmembershipfilter</fieldname>
+ <description><![CDATA[No description. (Default: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) )]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value><![CDATA[(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))]]></default_value>
+ </field>
+ <field>
+ <fielddescr>Groupmembership Attribute</fielddescr>
+ <fieldname>varmodulesldapgroupmembershipattribute</fieldname>
+ <description><![CDATA[No description. (Default: radiusGroupName)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>radiusGroupName</default_value>
+ </field>
+ <field>
+ <fielddescr>Compare Check Items</fielddescr>
+ <fieldname>varmodulesldapcomparecheckitems</fieldname>
+ <description><![CDATA[No description. (Default: Yes)]]></description>
+ <type>select</type>
+ <default_value>Yes</default_value>
+ <options>
+ <option><name>Yes</name><value>yes</value></option>
+ <option><name>No</name><value>no</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Do XLAT</fielddescr>
+ <fieldname>varmodulesldapdoxlat</fieldname>
+ <description><![CDATA[No description. (Default: Yes)]]></description>
+ <type>select</type>
+ <default_value>Yes</default_value>
+ <options>
+ <option><name>Yes</name><value>yes</value></option>
+ <option><name>No</name><value>no</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Access Attribute Used For Allow</fielddescr>
+ <fieldname>varmodulesldapaccessattrusedforallow</fieldname>
+ <description><![CDATA[No description. (Default: Yes)]]></description>
+ <type>select</type>
+ <default_value>Yes</default_value>
+ <options>
+ <option><name>Yes</name><value>yes</value></option>
+ <option><name>No</name><value>no</value></option>
+ </options>
+ </field>
+ <field>
+ <name>KEEPALIVE CONFIGURATION</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>LDAP OPT X KEEPALIVE IDLE</fielddescr>
+ <fieldname>varmodulesldapkeepaliveidle</fieldname>
+ <description><![CDATA[No description. (Default: 60)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>60</default_value>
+ </field>
+ <field>
+ <fielddescr>LDAP OPT X KEEPALIVE PROBES</fielddescr>
+ <fieldname>varmodulesldapkeepaliveprobes</fieldname>
+ <description><![CDATA[No description. (Default: 3)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>3</default_value>
+ </field>
+ <field>
+ <fielddescr>LDAP OPT X KEEPALIVE INTERVAL</fielddescr>
+ <fieldname>varmodulesldapkeepaliveinterval</fieldname>
+ <description><![CDATA[No description. (Default: 3)]]></description>
+ <type>input</type>
+ <size>80</size>
+ <default_value>3</default_value>
+ </field>
+ </fields>
+ <custom_delete_php_command>
+ freeradius_modulesldap_resync();
+ </custom_delete_php_command>
+ <custom_php_resync_config_command>
+ freeradius_modulesldap_resync();
+ </custom_php_resync_config_command>
+</packagegui> \ No newline at end of file
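Review bot: The Password field ships `<default_value>mypass</default_value>`, and the resync function falls back to the same string, so a placeholder credential is prefilled and written to `modules/ldap` if the admin never changes it; I would drop the default and leave the field empty. The page also defines no `<custom_php_validation_command>`, so the numeric fields (connections, timeouts, keepalive) and the free-text fields reach the generated config unchecked. The three yes/no selects declare `<default_value>Yes</default_value>` while their option values are lowercase `yes`/`no`; `<default_value>yes</default_value>` would match. `<description>Describe your package here</description>` and the `No description.` texts are still template placeholders.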
diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml
index e49aee1a..8115945a 100755..100644
--- a/config/freeradius2/freeradiussettings.xml
+++ b/config/freeradius2/freeradiussettings.xml
@@ -78,7 +78,11 @@
<tab>
<text>Certificates</text>
<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
- </tab>
+ </tab>
+ <tab>
+ <text>LDAP</text>
+ <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</url>
+ </tab>
<tab>
<text>View config</text>
<url>/freeradius_view_config.php</url>
@@ -154,20 +158,18 @@
<field>
<fielddescr>Logging Destination of RADIUS</fielddescr>
<fieldname>varsettingslogdir</fieldname>
- <description><![CDATA[Choose the destination where freeRADIUS should log. Logging must be enabled.(Default: radius.log)]]></description>
+ <description><![CDATA[Choose the destination where freeRADIUS should log. This will log if service started or failed but no authentication information. (Default: radius.log)]]></description>
<type>select</type>
<default_value>syslog</default_value>
<options>
<option><name>/var/log/radius.log</name><value>files</value></option>
<option><name>System Logs -> System</name><value>syslog</value></option>
- <option><name>stdout</name><value>stdout</value></option>
- <option><name>stderr</name><value>stderr</value></option>
</options>
</field>
<field>
<fielddescr>RADIUS Logging</fielddescr>
<fieldname>varsettingsauth</fieldname>
- <description><![CDATA[Choose if you want to enable logging. (Default: Disabled)]]></description>
+ <description><![CDATA[This enables logging if an authentication is accepted or rejected. (Default: Disabled)]]></description>
<type>select</type>
<default_value>yes</default_value>
<options>
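Review bot: The defaults stated in the two descriptions of this hunk do not match the `<default_value>` elements beneath them. The Logging Destination text says `(Default: radius.log)` while the field defaults to `syslog`, and the rewritten RADIUS Logging text says `(Default: Disabled)` while the field defaults to `yes`. An administrator relying on the help text would wrongly assume accept/reject logging is off after install. I would change the texts to `(Default: System Logs)` and, assuming `yes` is the enabling option (the option list of `varsettingsauth` lies outside the hunk), `(Default: Enabled)`, or change the default values if the descriptions reflect the intended behaviour.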
@@ -178,7 +180,7 @@
<field>
<fielddescr>Log Bad Authentication Attempts</fielddescr>
<fieldname>varsettingsauthbadpass</fieldname>
- <description><![CDATA[Choose if you want to log bad authentication attempts. Logging must be enabled. (Default: no)]]></description>
+ <description><![CDATA[If an authentication fails then it will log the username and <b>wrong</b> password visible in syslog. Logging must be enabled. (Default: no)]]></description>
<type>select</type>
<default_value>no</default_value>
<options>
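Review bot: The new description for `varsettingsauthbadpass` says the password is "visible in syslog", but the Logging Destination field in this file also offers `/var/log/radius.log`, so the text should name the configured destination instead. The same applies to the `varsettingsauthgoodpass` description in the next hunk. Both texts should also state the consequence: the log then holds cleartext credentials readable by anyone with access to it, including a remote log host if the system log is forwarded, and rejected passwords are often near-misses of the real one. Suggested wording for the good-pass field: `Logs the username and the <b>correct</b> password in cleartext to the configured log destination. Leave disabled except for short-term debugging. (Default: no)`. Both field definitions continue outside their hunks.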
@@ -189,7 +191,7 @@
<field>
<fielddescr>Log good authentication attempts?</fielddescr>
<fieldname>varsettingsauthgoodpass</fieldname>
- <description><![CDATA[Choose if you want to log good authentication attempts. Logging must be enabled. (Default: no)]]></description>
+ <description><![CDATA[If an authentication succeeds then it will log the username and <b>correct</b> password visible in syslog. Logging must be enabled. (Default: no)]]></description>
<type>select</type>
<default_value>no</default_value>
<options>
@@ -200,7 +202,7 @@
<field>
<fielddescr>Log Stripped Names</fielddescr>
<fieldname>varsettingsstrippednames</fieldname>
- <description><![CDATA[Choose if you want to log the full User-Name attribute as it was found in the request. Logging must be enabled. (Default: no)]]></description>
+ <description><![CDATA[Choose this if you want to log the full User-Name attribute as it was found in the request. Logging must be enabled. (Default: no)]]></description>
<type>select</type>
<default_value>no</default_value>
<options>
diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml
index bce593fe..538ad45d 100755..100644
--- a/config/freeradius2/freeradiussqlconf.xml
+++ b/config/freeradius2/freeradiussqlconf.xml
@@ -78,7 +78,11 @@
<tab>
<text>Certificates</text>
<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
- </tab>
+ </tab>
+ <tab>
+ <text>LDAP</text>
+ <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</url>
+ </tab>
<tab>
<text>View config</text>
<url>/freeradius_view_config.php</url>
diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml
index 4a15c8d2..66a2701f 100755..100644
--- a/config/freeradius2/freeradiussync.xml
+++ b/config/freeradius2/freeradiussync.xml
@@ -90,7 +90,11 @@ POSSIBILITY OF SUCH DAMAGE.
<tab>
<text>Certificates</text>
<url>/pkg_edit.php?xml=freeradiuscerts.xml&amp;id=0</url>
- </tab>
+ </tab>
+ <tab>
+ <text>LDAP</text>
+ <url>/pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</url>
+ </tab>
<tab>
<text>View config</text>
<url>/freeradius_view_config.php</url>