2 # This file contains the configuration for experimental modules.
4 # By default, it is NOT included in the build.
9 # Configuration for the Python module.
11 # Where radiusd is a Python module, radiusd.py, and the
12 # function 'authorize' is called. Here is a dummy piece
15 # def authorize(params):
17 # return (5, ('Reply-Message', 'banned'))
19 # The RADIUS value-pairs are passed as a tuple of tuple
20 # pairs as the first argument, e.g. (('attribute1',
21 # 'value1'), ('attribute2', 'value2'))
23 # The function return is a tuple with the first element
24 # being the return value of the function.
25 # The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
26 # write the return values as Python symbols to avoid
29 # The remaining tuple members are the string form of
30 # value-pairs which are passed on to pairmake().
# Hook table for the Python module: each mod_<phase> entry names a Python
# module and the matching func_<phase> entry names the function called in
# it (the comment above describes this for radiusd.py / 'authorize').
# Every phase shown here points at the same module, radiusd_test.
# NOTE(review): the hooked functions receive the request's value-pairs and
# presumably run inside the server process; keep radiusd_test.py and the
# directory it is loaded from writable only by the administrator - confirm
# ownership and mode on deployment.
33 mod_instantiate = radiusd_test
34 func_instantiate = instantiate
36 mod_authorize = radiusd_test
37 func_authorize = authorize
39 mod_accounting = radiusd_test
40 func_accounting = accounting
42 mod_preacct = radiusd_test
43 func_preacct = preacct
45 mod_detach = radiusd_test
# NOTE(review): no func_detach line is visible in this listing; confirm
# that the original file pairs mod_detach with one.
50 # Configuration for the example module. Uncommenting it will cause it
51 # to get loaded and initialized, but should have no real effect as long
52 # as it is not referenced in one of the autz/auth/preacct/acct sections
55 # allowed values: {no, yes}
58 # An integer, of any value.
62 string = "This is an example configuration string"
64 # An IP address, either in dotted quad (1.2.3.4) or hostname
73 string = "This is a different string"
79 # This module is an SQL enabled version of the counter module.
81 # Rather than maintaining separate (GDBM) databases of
82 # accounting info for each counter, this module uses the data
83 # stored in the radacct table by the sql modules. This
84 # module NEVER does any database INSERTs or UPDATEs. It is
85 # totally dependent on the SQL module to process Accounting
88 # The 'sqlmod-inst' parameter holds the instance of the sql
89 # module to use when querying the SQL database. Normally it
90 # is just "sql". If you define more than one SQL module
91 # instance (usually for failover situations), you can
92 # specify which module has access to the Accounting Data
95 # The 'reset' parameter defines when the counters are all
96 # reset to zero. It can be hourly, daily, weekly, monthly or
97 # never. It can also be user defined. It should be of the
100 # h: hours, d: days, w: weeks, m: months
101 # If the letter is omitted, days will be assumed. For example:
102 # reset = 10h (reset every 10 hours)
103 # reset = 12 (reset every 12 days)
105 # The 'key' parameter specifies the unique identifier for the
106 # counter records (usually 'User-Name').
108 # The 'query' parameter specifies the SQL query used to get
109 # the current Counter value from the database. There are 3
110 # parameters that can be used in the query:
112 # %b unix time value of beginning of reset period
113 # %e unix time value of end of reset period
116 # The 'check-name' parameter is the name of the 'check'
117 # attribute to use to access the counter in the 'users' file
118 # or SQL radcheck or radcheckgroup tables.
120 # DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
121 # Reply-Message = "You've used up more than one hour today"
# sqlcounter instance 'dailycounter'. check-name is the check attribute
# used in the 'users' file or the SQL check tables (see the
# "DEFAULT Max-Daily-Session > 3600" example above).
123 sqlcounter dailycounter {
124 counter-name = Daily-Session-Time
125 check-name = Max-Daily-Session
130 # This query properly handles calls that span from the
131 # previous reset period into the current period but
132 # involves more work for the SQL server than those
# NOTE(review): %{%k} places the value of the 'key' attribute (usually
# User-Name, which comes from the request) inside a quoted SQL literal.
# Injection safety presumably depends on the SQL module instance escaping
# expanded attributes before the query runs - confirm that escaping is
# active for the instance this counter uses. This module is documented
# above as never issuing INSERTs or UPDATEs, so SELECT-only rights on
# radacct should be sufficient for a dedicated database account.
134 query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
136 # This query ignores calls that started in a previous
137 # reset period and continue into this one. But it
138 # is a little easier on the SQL server
139 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
141 # This query is the same as above, but demonstrates an
142 # additional counter parameter '%e' which is the
143 # timestamp for the end of the period
144 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime BETWEEN FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
# sqlcounter instance 'monthlycounter'. sqlmod-inst selects the SQL module
# instance (here 'sqlcca3') whose accounting data is queried.
147 sqlcounter monthlycounter {
148 counter-name = Monthly-Session-Time
149 check-name = Max-Monthly-Session
150 sqlmod-inst = sqlcca3
154 # This query properly handles calls that span from the
155 # previous reset period into the current period but
156 # involves more work for the SQL server than those
# NOTE(review): the request-supplied key value (%{%k}) is embedded in a
# quoted SQL literal; presumably the 'sqlcca3' instance escapes it before
# execution - confirm, and keep that instance's database account limited
# to SELECT on radacct if it is used only for counters.
158 query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
160 # This query ignores calls that started in a previous
161 # reset period and continue into this one. But it
162 # is a little easier on the SQL server
163 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
165 # This query is the same as above, but demonstrates an
166 # additional counter parameter '%e' which is the
167 # timestamp for the end of the period
168 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime BETWEEN FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
171 # To create a dbm users file, do:
173 # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
175 # Then add 'dbm' in 'authorize' section.
177 # Note that even if the file has a ".db" or ".dbm" extension,
178 # you may have to specify it here without that extension. This
179 # is because the DBM libraries "helpfully" add a ".db" to the
180 # filename, but don't check if it's already there.
# Path of the DBM users database, written without the ".db"/".dbm"
# extension because the DBM library appends one itself.
# NOTE(review): this database is built from a users file, so it presumably
# contains check items such as passwords; restrict read access to the
# account the server runs as - confirm file mode after running the parser.
183 usersfile = ${raddbdir}/users_db
187 # Persistent, embedded Perl interpreter.
191 # The Perl script to execute on authorize, authenticate,
192 # accounting, xlat, etc. This is very similar to using
193 # 'rlm_exec' module, but it is persistent, and therefore
# Path of the Perl module loaded into the persistent interpreter. The value
# shown is a placeholder and must be replaced with the real location.
# NOTE(review): the script is executed on authorize, authenticate,
# accounting, etc., presumably with the server's privileges and with access
# to request attributes; keep the file and its parent directories owned by
# the administrator and not group- or world-writable - confirm on deployment.
196 module = /path/to/your/perl_module.pm
199 # The following hashes are given to the module and
200 # filled with value-pairs (Attribute names and values)
202 # %RAD_CHECK Read-only Check items
203 # %RAD_REQUEST Read-only Attributes from the request
204 # %RAD_REPLY Read-write Attributes for the reply
206 # The return codes from functions in the perl_script
207 # are passed directly back to the server. These
208 # codes are defined in doc/configurable_failover,
209 # src/include/modules.h (RLM_MODULE_REJECT, etc),
210 # and are pre-defined in the 'example.pl' program
215 # List of functions in the module to call.
216 # Comment out and change if you want to use other
217 # function names than the defaults.
219 #func_authenticate = authenticate
220 #func_authorize = authorize
221 #func_preacct = preacct
222 #func_accounting = accounting
223 #func_checksimul = checksimul
224 #func_pre_proxy = pre_proxy
225 #func_post_proxy = post_proxy
226 #func_post_auth = post_auth
228 #func_detach = detach
231 # Comment out the following line if you wish
232 # to use separate functions for Start and Stop
233 # accounting packets. In that case, the
234 # func_accounting function is not called.
236 #func_start_accounting = accounting_start
237 #func_stop_accounting = accounting_stop
239 # Comment out the following lines if your perl is
240 # compiled with ithreads support.
241 # The settings below are the defaults.
245 #min_spare_clones = 0
246 #max_spare_clones = 32
248 #max_request_per_clone = 0
253 # Perform NT-Domain authentication. This only works
254 # with PAP authentication. That is, Authentication-Request
255 # packets containing a User-Password attribute.
257 # To use it, add 'smb' into the 'authenticate' section,
258 # and then in another module (usually the 'users' file),
259 # set 'Auth-Type := SMB'
# Primary and backup NT-domain servers used for the authentication check.
# NOTE(review): the comment above limits this module to PAP, i.e. requests
# carrying a User-Password attribute, so the server handles the user's
# cleartext password for every request; presumably it is passed on to these
# hosts - confirm how that connection is protected and that both names
# resolve only to trusted domain controllers.
262 server = ntdomain.server.example.com
263 backup = backup.server.example.com
267 # See doc/rlm_fastusers before using this
268 # module or changing these values.
# Users file read by the fastusers module; its contents are held in a hash
# that is reloaded periodically (see the reload comment that follows).
# NOTE(review): a users file presumably carries check items such as
# passwords; keep it readable only by the server account - confirm.
271 usersfile = ${confdir}/users_fast
274 # Reload the hash every 600 seconds (10mins)
279 # See also protocol_filter.conf
283 # Location of the protocol filter configuration file.
285 filename = ${raddbdir}/protocol_filter.conf
288 # The key to look up the section with filtering rules.
# The expansion uses the request's Realm and falls back to the literal
# DEFAULT when Realm is not set.
# NOTE(review): requests without a realm therefore select the DEFAULT
# section; it should carry the most restrictive rules. What happens when a
# realm is set but has no matching section is not visible here - confirm.
290 key = %{Realm:-DEFAULT}
295 # Should be added in the post-auth section (after all other modules)
296 # and in the authorize section (before any other modules)
302 # [... other modules ...]
305 # [... other modules ...]
309 # The caching module will cache the Auth-Type and reply items
310 # and send them back on any subsequent requests for the same key
314 # filename: The gdbm file to use for the cache database
315 # (can be memory mapped for more speed)
317 # key: A string to xlat and use as a key. For instance,
318 # "%{Acct-Unique-Session-Id}"
320 # post-auth: If we find a cached entry, set the post-auth to that value
322 # cache-ttl: The time to cache the entry. The same time format
323 # as the counter module applies here.
325 # h: hours, d: days, w: weeks, m: months
326 # If the letter is omitted, days will be assumed.
329 # cache-size: The gdbm cache size to request (default 1000)
331 # hit-ratio: If set to non-zero we print out statistical
332 # information after so many cache requests
334 # cache-rejects: Do we also cache rejects, or not? (default 'yes')
# gdbm file that backs the cache database.
# NOTE(review): it stores cached Auth-Type and reply items; keep it
# readable and writable only by the server account - confirm file mode.
337 filename = ${raddbdir}/db.cache
# String that is xlat-expanded per request and used as the cache key.
# NOTE(review): the cached Auth-Type and reply items are sent back for any
# later request that expands to the same key, so the key must be unique per
# user or session. Confirm how Acct-Unique-Session-Id is derived in this
# deployment, and consider whether cached rejects (on by default according
# to the comment above) are wanted.
340 key = "%{Acct-Unique-Session-Id}"
343 # cache-rejects = yes