Initial revision

[freeradius.git] / raddb / modules

# -*- text -*-
#
#  $Id$

#
#  Create a unique accounting session Id.  Many NASes re-use
#  or repeat values for Acct-Session-Id, causing no end of
#  confusion.
#
#  This module will add a (probably) unique session id 
#  to an accounting packet based on the attributes listed
#  below found in the packet.  See doc/rlm_acct_unique for
#  more information.
#
acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
# -*- text -*-
#
#  $Id$

#
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
        rcode = fail
}
always reject {
        rcode = reject
}
always noop {
        rcode = noop
}
always handled {
        rcode = handled
}
always updated {
        rcode = updated
}
always notfound {
        rcode = notfound
}
always ok {
        rcode = ok
        simulcount = 0
        mpp = no
}
# -*- text -*-
#
#  $Id$

#
#  This file defines a number of instances of the "attr_filter" module.
#

# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
        attrsfile = ${confdir}/attrs
}

# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
        attrsfile = ${confdir}/attrs.pre-proxy
}

# Enforce RFC requirements on the contents of Access-Reject
# packets.  See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_reject {
        key = %{User-Name}
        attrsfile = ${confdir}/attrs.access_reject
}

#  Enforce RFC requirements on the contents of the
#  Accounting-Response packets.  See the comments at the
#  top of the file for more details.
#
attr_filter attr_filter.accounting_response {
        key = %{User-Name}
        attrsfile = ${confdir}/attrs.accounting_response
}
# -*- text -*-
#
#  $Id$

#  rewrite arbitrary packets.  Useful in accounting and authorization.
#
#  As of 2.0, much of the functionality of this module is in "unlang".
#  You should probably investigate using that before trying to use
#  the "attr_rewrite" module.
#
#
#  The module can also use the Rewrite-Rule attribute. If it
#  is set and matches the name of the module instance, then
#  that module instance will be the only one which runs.
#
#  Also if new_attribute is set to yes then a new attribute
#  will be created containing the value replacewith and it
#  will be added to searchin (packet, reply, proxy,
#  proxy_reply or config).
#
# searchfor,ignore_case and max_matches will be ignored in that case.
#
# Backreferences are supported.
#       %{0} will contain the string the whole match
#       %{1} to %{8} will contain the contents of the 1st to
#       the 8th parentheses
#
# If max_matches is greater than one, the backreferences will
# correspond to the first attributed that matched.

#
attr_rewrite sanecallerid {
        attribute = Called-Station-Id
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = packet
        searchfor = "[+ ]"
        replacewith = ""
        ignore_case = no
        new_attribute = no
        max_matches = 10

        ## If set to yes then the replace string will be
        ## appended to the original string
        append = no
}

# -*- text -*-
#
#  $Id$

# CHAP module
#
#  To authenticate requests containing a CHAP-Password attribute.
#
chap {
        # no configuration
}
# -*- text -*-
#
#  $Id$

#  A simple value checking module
#
#  As of 2.0, much of the functionality of this module is in "unlang".
#  You should probably investigate using that before trying to use
#  the "checkval" module.
#
#  It can be used to check if an attribute value in the request
#  matches a (possibly multi valued) attribute in the check
#  items This can be used for example for caller-id
#  authentication.  For the module to run, both the request
#  attribute and the check items attribute must exist
#
#  i.e.
#  A user has an ldap entry with 2 radiusCallingStationId
#  attributes with values "12345678" and "12345679".  If we
#  enable rlm_checkval, then any request which contains a
#  Calling-Station-Id with one of those two values will be
#  accepted.  Requests with other values for
#  Calling-Station-Id will be rejected.
#
#  Regular expressions in the check attribute value are allowed
#  as long as the operator is '=~'
#
checkval {
        # The attribute to look for in the request
        item-name = Calling-Station-Id

        # The attribute to look for in check items. Can be multi valued
        check-name = Calling-Station-Id

        # The data type. Can be
        # string,integer,ipaddr,date,abinary,octets
        data-type = string

        # If set to yes and we dont find the item-name attribute in the
        # request then we send back a reject
        # DEFAULT is no
        #notfound-reject = no
}
        
# -*- text -*-
#
#  $Id$

#  counter module:
#  This module takes an attribute (count-attribute).
#  It also takes a key, and creates a counter for each unique
#  key.  The count is incremented when accounting packets are
#  received by the server.  The value of the increment depends
#  on the attribute type.
#  If the attribute is Acct-Session-Time or of an integer type we add
#  the value of the attribute. If it is anything else we increase the
#  counter by one.
#
#  The 'reset' parameter defines when the counters are all reset to
#  zero.  It can be hourly, daily, weekly, monthly or never.
#
#  hourly: Reset on 00:00 of every hour
#  daily: Reset on 00:00:00 every day
#  weekly: Reset on 00:00:00 on sunday
#  monthly: Reset on 00:00:00 of the first day of each month
#
#  It can also be user defined. It should be of the form:
#  num[hdwm] where:
#  h: hours, d: days, w: weeks, m: months
#  If the letter is ommited days will be assumed. In example:
#  reset = 10h (reset every 10 hours)
#  reset = 12  (reset every 12 days)
#
#
#  The check-name attribute defines an attribute which will be
#  registered by the counter module and can be used to set the
#  maximum allowed value for the counter after which the user
#  is rejected.
#  Something like:
#
#  DEFAULT Max-Daily-Session := 36000
#          Fall-Through = 1
#
#  You should add the counter module in the instantiate
#  section so that it registers check-name before the files
#  module reads the users file.
#
#  If check-name is set and the user is to be rejected then we
#  send back a Reply-Message and we log a Failure-Message in
#  the radius.log
#
#  If the count attribute is Acct-Session-Time then on each
#  login we send back the remaining online time as a
#  Session-Timeout attribute ELSE and if the reply-name is
#  set, we send back that attribute.  The reply-name attribute
#  MUST be of an integer type.
#
#  The counter-name can also be used instead of using the check-name
#  like below:
#
#  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
#      Reply-Message = "You've used up more than one hour today"
#
#  The allowed-servicetype attribute can be used to only take
#  into account specific sessions. For example if a user first
#  logs in through a login menu and then selects ppp there will
#  be two sessions. One for Login-User and one for Framed-User
#  service type. We only need to take into account the second one.
#
#  The module should be added in the instantiate, authorize and
#  accounting sections.  Make sure that in the authorize
#  section it comes after any module which sets the
#  'check-name' attribute.
#
counter daily {
        filename = ${db_dir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        reply-name = Session-Timeout
        allowed-servicetype = Framed-User
        cache-size = 5000
}

# -*- text -*-
#
#  $Id$

# Write a detailed log of all accounting records received.
#
detail {
        #  Note that we do NOT use NAS-IP-Address here, as
        #  that attribute MAY BE from the originating NAS, and
        #  NOT from the proxy which actually sent us the
        #  request.  The Client-IP-Address attribute is ALWAYS
        #  the address of the client which sent us the
        #  request.
        #
        #  The following line creates a new detail file for
        #  every radius client (by IP address or hostname).
        #  In addition, a new detail file is created every
        #  day, so that the detail file doesn't have to go
        #  through a 'log rotation'
        #
        #  If your detail files are large, you may also want
        #  to add a ':%H' (see doc/variables.txt) to the end
        #  of it, to create a new detail file every hour, e.g.:
        #
        #   ..../detail-%Y%m%d:%H
        #
        #  This will create a new detail file for every hour.
        #
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

        #
        #  The Unix-style permissions on the 'detail' file.
        #
        #  The detail file often contains secret or private
        #  information about users.  So by keeping the file
        #  permissions restrictive, we can prevent unwanted
        #  people from seeing that information.
        detailperm = 0600

        #
        #  Every entry in the detail file has a header which
        #  is a timestamp.  By default, we use the ctime
        #  format (see "man ctime" for details).
        #
        #  The header can be customized by editing this
        #  string.  See "doc/variables.txt" for a description
        #  of what can be put here.
        #
        header = "%t"

        #
        # Certain attributes such as User-Password may be
        # "sensitive", so they should not be printed in the
        # detail file.  This section lists the attributes
        # that should be suppressed.
        #
        # The attributes should be listed one to a line.
        #
        #suppress {
                # User-Password
        #}

}
# -*- text -*-
#
#  Detail file writer, used in the following examples:
#
#       raddb/sites-available/robust-proxy-accounting
#       raddb/sites-available/decoupled-accounting
#
#  Note that this module can write detail files that are read by
#  only ONE "listen" section.  If you use BOTH of the examples
#  above, you will need to define TWO "detail" modules.
#
#  e.g. detail1.example.com && detail2.example.com
#
#
#  We write *multiple* detail files here.  They will be processed by
#  the detail "listen" section in the order that they were created.
#  The directory containing these files should NOT be used for any
#  other purposes.  i.e. It should have NO other files in it.
#
#  Writing multiple detail enables the server to process the pieces
#  in smaller chunks.  This helps in certain catastrophic corner cases.
#
#  $Id$
#
detail detail.example.com {
        detailfile = ${radacctdir}/detail.example.com/detail-%Y%m%d:%H
}
# -*- text -*-
#
#  $Id$

#
#  More examples of doing detail logs.

#
#  Many people want to log authentication requests.
#  Rather than modifying the server core to print out more
#  messages, we can use a different instance of the 'detail'
#  module, to log the authentication requests to a file.
#
#  You will also need to un-comment the 'auth_log' line
#  in the 'authorize' section, below.
#
detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

        #
        #  This MUST be 0600, otherwise anyone can read
        #  the users passwords!
        detailperm = 0600

        # You may also strip out passwords completely
        suppress {
                User-Password
        }
}

#
#  This module logs authentication reply packets sent
#  to a NAS.  Both Access-Accept and Access-Reject packets
#  are logged.
#
#  You will also need to un-comment the 'reply_log' line
#  in the 'post-auth' section, below.
#
detail reply_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d

        detailperm = 0600
}

#
#  This module logs packets proxied to a home server.
#
#  You will also need to un-comment the 'pre_proxy_log' line
#  in the 'pre-proxy' section, below.
#
detail pre_proxy_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d

        #
        #  This MUST be 0600, otherwise anyone can read
        #  the users passwords!
        detailperm = 0600

        # You may also strip out passwords completely
        #suppress {
                # User-Password
        #}
}

#
#  This module logs response packets from a home server.
#
#  You will also need to un-comment the 'post_proxy_log' line
#  in the 'post-proxy' section, below.
#
detail post_proxy_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d

        detailperm = 0600
}
# -*- text -*-
#
#  $Id$

#
#  The 'digest' module currently has no configuration.
#
#  "Digest" authentication against a Cisco SIP server.
#  See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
#  on performing digest authentication for Cisco SIP servers.
#
digest {
}
# -*- text -*-
#
#  $Id$

#
#  This is a more general example of the execute module.
#
#  This one is called "echo".
#
#  Attribute-Name = `%{echo:/path/to/program args}`
#
#  If you wish to execute an external program in more than
#  one section (e.g. 'authorize', 'pre_proxy', etc), then it
#  is probably best to define a different instance of the
#  'exec' module for every section.     
#
#  The return value of the program run determines the result
#  of the exec instance call as follows:
#  (See doc/configurable_failover for details)
#
#  < 0 : fail      the module failed
#  = 0 : ok        the module succeeded
#  = 1 : reject    the module rejected the user
#  = 2 : fail      the module failed
#  = 3 : ok        the module succeeded
#  = 4 : handled   the module has done everything to handle the request
#  = 5 : invalid   the user's configuration entry was invalid
#  = 6 : userlock  the user was locked out
#  = 7 : notfound  the user was not found
#  = 8 : noop      the module did nothing
#  = 9 : updated   the module updated information in the request
#  > 9 : fail      the module failed
#
exec echo {
        #
        #  Wait for the program to finish.
        #
        #  If we do NOT wait, then the program is "fire and
        #  forget", and any output attributes from it are ignored.
        #
        #  If we are looking for the program to output
        #  attributes, and want to add those attributes to the
        #  request, then we MUST wait for the program to
        #  finish, and therefore set 'wait=yes'
        #
        # allowed values: {no, yes}
        wait = yes

        #
        #  The name of the program to execute, and it's
        #  arguments.  Dynamic translation is done on this
        #  field, so things like the following example will
        #  work.
        #
        program = "/bin/echo %{User-Name}"

        #
        #  The attributes which are placed into the
        #  environment variables for the program.
        #
        #  Allowed values are:
        #
        #       request         attributes from the request
        #       config          attributes from the configuration items list
        #       reply           attributes from the reply
        #       proxy-request   attributes from the proxy request
        #       proxy-reply     attributes from the proxy reply
        #
        #  Note that some attributes may not exist at some
        #  stages.  e.g. There may be no proxy-reply
        #  attributes if this module is used in the
        #  'authorize' section.
        #
        input_pairs = request

        #
        #  Where to place the output attributes (if any) from
        #  the executed program.  The values allowed, and the
        #  restrictions as to availability, are the same as
        #  for the input_pairs.
        #
        output_pairs = reply

        #
        #  When to execute the program.  If the packet
        #  type does NOT match what's listed here, then
        #  the module does NOT execute the program.
        #
        #  For a list of allowed packet types, see
        #  the 'dictionary' file, and look for VALUEs
        #  of the Packet-Type attribute.
        #
        #  By default, the module executes on ANY packet.
        #  Un-comment out the following line to tell the
        #  module to execute only if an Access-Accept is
        #  being sent to the NAS.
        #
        #packet_type = Access-Accept

        #
        #  Should we escape the environment variables?
        #  
        #  If this is set, all the RADIUS attributes
        #  are capitalised and dashes replaced with
        #  underscores. Also, RADIUS values are surrounded
        #  with double-quotes.
        #
        #  That is to say: User-Name=BobUser => USER_NAME="BobUser"
        shell_escape = yes

}
# -*- text -*-
#
#  $Id$

#  "passwd" configuration, for the /etc/group file. Adds a Etc-Group-Name
#  attribute for every group that the user is member of.
#
#  You will have to define the Etc-Group-Name in the 'dictionary' file
#  as a 'string' type.
#
#  The Group-Name attribute is automatically created by the Unix module,
#  and does checking against /etc/group automatically.
#
#  i.e. this module should NOT be used as-is, but should be edited to
#  point to a different group file.
#
passwd etc_group {
        filename = /etc/group
        format = "=Etc-Group-Name:::*,User-Name"
        hashsize = 50
        ignorenislike = yes
        allowmultiplekeys = yes
        delimiter = ":"
}

# -*- text -*-
#
#  $Id$

#
#  Execute external programs
#
#  This module is useful only for 'xlat'.  To use it,
#  put 'exec' into the 'instantiate' section.  You can then
#  do dynamic translation of attributes like:
#
#  Attribute-Name = `%{exec:/path/to/program args}`
#
#  The value of the attribute will be replaced with the output
#  of the program which is executed.  Due to RADIUS protocol
#  limitations, any output over 253 bytes will be ignored.
#
#  The RADIUS attributes from the user request will be placed
#  into environment variables of the executed program, as
#  described in "man unlang" and in doc/variables.txt
#
#  See also "echo" for more sample configuration.
#
exec {
        wait = no
        input_pairs = request
        shell_escape = yes
        output = none
}
# -*- text -*-
#
#  $Id$

#
# The expiration module. This handles the Expiration attribute
# It should be included in the *end* of the authorize section
# in order to handle user Expiration. It should also be included
# in the instantiate section in order to register the Expiration
# compare function
#
expiration {
        #
        # The Reply-Message which will be sent back in case the
        # account has expired. Dynamic substitution is supported
        #
        reply-message = "Password Has Expired\r\n" 
        #reply-message = "Your account has expired, %{User-Name}\r\n"
}
# -*- text -*-
#
#  $Id$

#
#  The 'expression' module currently has no configuration.
#
#  This module is useful only for 'xlat'.  To use it,
#  put 'expr' into the 'instantiate' section.  You can then
#  do dynamic translation of attributes like:
#
#  Attribute-Name = `%{expr:2 + 3 + %{exec: uid -u}}`
#
#  The value of the attribute will be replaced with the output
#  of the program which is executed.  Due to RADIUS protocol
#  limitations, any output over 253 bytes will be ignored.
#
#  The module also registers a few paircompare functions
expr {
}
# -*- text -*-
#
#  $Id$

# Livingston-style 'users' file
#
files {
        # The default key attribute to use for matches.  The content
        # of this attribute is used to match the "name" of the
        # entry.
        #key = "%{Stripped-User-Name:-%{User-Name}}"

        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users

        #  If you want to use the old Cistron 'users' file
        #  with FreeRADIUS, you should change the next line
        #  to 'compat = cistron'.  You can the copy your 'users'
        #  file from Cistron.
        compat = no
}
# -*- text -*-
#
#  $Id$

#  Do server side ip pool management. Should be added in
#  post-auth and accounting sections.
#
#  The module also requires the existance of the Pool-Name
#  attribute. That way the administrator can add the Pool-Name
#  attribute in the user profiles and use different pools for
#  different users. The Pool-Name attribute is a *check* item
#  not a reply item.
#
#  The Pool-Name should be set to the ippool module instance
#  name or to DEFAULT to match any module.

#
# Example:
# radiusd.conf: ippool students { [...] }
#               ippool teachers { [...] }
# users file  : DEFAULT Group == students, Pool-Name := "students"
#               DEFAULT Group == teachers, Pool-Name := "teachers"
#               DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST *********
# ********* THEN ERASE THE DB FILES                     *********
#
ippool main_pool {

        #  range-start,range-stop:
        #       The start and end ip addresses for this pool.
        range-start = 192.168.1.1
        range-stop = 192.168.3.254

        #  netmask:
        #       The network mask used for this pool.
        netmask = 255.255.255.0

        #  cache-size:
        #       The gdbm cache size for the db files. Should
        #       be equal to the number of ip's available in
        #       the ip pool
        cache-size = 800

        # session-db:
        #       The main db file used to allocate addresses.
        session-db = ${db_dir}/db.ippool

        # ip-index:
        #       Helper db index file used in multilink
        ip-index = ${db_dir}/db.ipindex

        # override:
        #       If set, the Framed-IP-Address already in the
        #       reply (if any) will be discarded, and replaced
        #       with a Framed-IP-Address assigned here.
        override = no

        # maximum-timeout:
        #       Specifies the maximum time in seconds that an
        #       entry may be active.  If set to zero, means
        #       "no timeout".  The default value is 0
        maximum-timeout = 0

        # key:
        #       The key to use for the session database (which
        #       holds the allocated ip's) normally it should
        #       just be the nas ip/port (which is the default).
        #
        #       If your NAS sends the same value of NAS-Port
        #       all requests, the key should be based on some
        #       other attribute that is in ALL requests, AND
        #       is unique to each machine needing an IP address.
        #key = "%{NAS-IP-Address} %{NAS-Port}"
}
# -*- text -*-
#
#  $Id$

#
#  Kerberos.  See doc/rlm_krb5 for minimal docs.
#
krb5 {
        keytab = /path/to/keytab
        service_principal = name_of_principle
}
# -*- text -*-
#
#  $Id$

# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication.
#
#  See raddb/sites-available/default for reference to the
#  ldap module in the authorize and authenticate sections.
#
#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#
#  This means that LDAP servers don't understand EAP.  If you
#  force "Auth-Type = LDAP", and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.
#
#  The solution is to use the default configuration, which does
#  work.
#
#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
#  really can't emphasize this enough.
#       
ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "ldap.your.domain"
        #identity = "cn=admin,o=My Org,c=UA"
        #password = mypass
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        #base_filter = "(objectclass=radiusprofile)"

        #  How many connections to keep open to the LDAP server.
        #  This saves time over opening a new LDAP socket for
        #  every authentication request.
        ldap_connections_number = 5

        # seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        #  seconds LDAP server has to process the query (server-side
        #  time limit). default: 20
        #
        #  LDAP_OPT_TIMELIMIT is set to this value.
        timelimit = 3

        #
        #  seconds to wait for response of the server. (network
        #   failures) default: 10
        #
        #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1

        #
        #  This subsection configures the tls related items
        #  that control how FreeRADIUS connects to an LDAP
        #  server.  It contains all of the "tls_*" configuration
        #  entries used in older versions of FreeRADIUS.  Those
        #  configuration entries can still be used, but we recommend
        #  using these.
        #
        tls {
                # Set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                #                       
                # The StartTLS operation is supposed to be
                # used with normal ldap connections instead of
                # using ldaps (port 689) connections
                start_tls = no

                # cacertfile    = /path/to/cacert.pem
                # cacertdir             = /path/to/ca/dir/
                # certfile              = /path/to/radius.crt
                # keyfile               = /path/to/radius.key
                # randfile              = /path/to/rnd

                #  Certificate Verification requirements.  Can be:
                #    "never" (don't even bother trying)
                #    "allow" (try, but don't fail if the cerificate
                #               can't be verified)
                #    "demand" (fail if the certificate doesn't verify.)
                #
                #       The default is "allow"
                # require_cert  = "demand"
        }

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${confdir}/ldap.attrmap

        #  Set password_attribute = nspmPassword to get the
        #  user's password from a Novell eDirectory
        #  backend. This will work ONLY IF FreeRADIUS has been
        #  built with the --with-edir configure option.
        #
        #  See also the following links:
        #
        #  http://www.novell.com/coolsolutions/appnote/16745.html
        #  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
        #
        #  Novell may require TLS encrypted sessions before returning
        #  the user's password.
        #
        # password_attribute = userPassword

        #  Un-comment the following to disable Novell
        #  eDirectory account policy check and intruder
        #  detection. This will work *only if* FreeRADIUS is
        #  configured to build with --with-edir option.
        #
        edir_account_policy_check = no

        #
        #  Group membership checking.  Disabled by default.
        #
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName

        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes

        #
        #  By default, if the packet contains a User-Password,
        #  and no other module is configured to handle the
        #  authentication, the LDAP module sets itself to do
        #  LDAP bind for authentication.
        #
        #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
        #
        #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). 
        #
        #  You can disable this behavior by setting the following
        #  configuration entry to "no".
        #
        #  allowed values: {no, yes}
        # set_auth_type = yes

        #  ldap_debug: debug flag for LDAP SDK
        #  (see OpenLDAP documentation).  Set this to enable
        #  huge amounts of LDAP debugging on the screen.
        #  You should only use this if you are an LDAP expert.
        #
        #       default: 0x0000 (no debugging messages)
        #       Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
        #ldap_debug = 0x0028 
}
# -*- text -*-
#
#  $Id$

# The logintime module. This handles the Login-Time,
# Current-Time, and Time-Of-Day attributes.  It should be
# included in the *end* of the authorize section in order to
# handle Login-Time checks. It should also be included in the
# instantiate section in order to register the Current-Time
# and Time-Of-Day comparison functions.
#
# When the Login-Time attribute is set to some value, and the
# user has bene permitted to log in, a Session-Timeout is
# calculated based on the remaining time.  See "doc/README".
#
logintime {
        #
        # The Reply-Message which will be sent back in case
        # the account is calling outside of the allowed
        # timespan. Dynamic substitution is supported.
        #
        reply-message = "You are calling outside your allowed timespan\r\n"
        #reply-message = "Outside allowed timespan (%{control:Login-Time}), %{User-Name}\r\n"

        # The minimum timeout (in seconds) a user is allowed
        # to have. If the calculated timeout is lower we don't
        # allow the logon. Some NASes do not handle values
        # lower than 60 seconds well.
        minimum-timeout = 60
}

# -*- text -*-
#
#  $Id$

######################################################################
#
#  This next section is a sample configuration for the "passwd"
#  module, that reads flat-text files.
#
#  The file is in the format <mac>,<ip>
#
#       00:01:02:03:04:05,192.168.1.100
#       01:01:02:03:04:05,192.168.1.101
#       02:01:02:03:04:05,192.168.1.102
#
#  This lets you perform simple static IP assignments from a flat-text
#  file.  You will have to define lease times yourself.
#
######################################################################

passwd mac2ip {
        filename = ${confdir}/mac2ip
        format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
        delimiter = ","
}
# -*- text -*-
#
#  $Id$

#  A simple file to map a MAC address to a VLAN.
#
#  The file should be in the format MAC,VLAN
#  the VLAN name cannot have spaces in it, for example:
#
#       00:01:02:03:04:05,VLAN1
#       03:04:05:06:07:08,VLAN2
#       ...
#
passwd mac2vlan {
        filename = ${confdir}/mac2vlan
        format = "*VMPS-Mac:=VMPS-VLAN-Name"
        delimiter = ","
}
# -*- text -*-
#
#  $Id$

# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
        #
        #  If you are using /etc/smbpasswd, see the 'passwd'
        #  module for an example of how to use /etc/smbpasswd

        # if use_mppe is not set to no mschap will
        # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
        # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
        #
        #use_mppe = no

        # if mppe is enabled require_encryption makes
        # encryption moderate
        #
        #require_encryption = yes

        # require_strong always requires 128 bit key
        # encryption
        #
        #require_strong = yes

        # Windows sends us a username in the form of
        # DOMAIN\user, but sends the challenge response
        # based on only the user portion.  This hack
        # corrects for that incorrect behavior.
        #
        #with_ntdomain_hack = no

        # The module can perform authentication itself, OR
        # use a Windows Domain Controller.  This configuration
        # directive tells the module to call the ntlm_auth
        # program, which will do the authentication, and return
        # the NT-Key.  Note that you MUST have "winbindd" and
        # "nmbd" running on the local machine for ntlm_auth
        # to work.  See the ntlm_auth program documentation
        # for details.
        #
        # If ntlm_auth is configured below, then the mschap
        # module will call ntlm_auth for every MS-CHAP
        # authentication request.  If there is a cleartext
        # or NT hashed password available, you can set
        # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
        # and the mschap module will do the authentication itself,
        # without calling ntlm_auth.
        #
        # Be VERY careful when editing the following line!
        #
        # You can also try setting the user name as:
        #
        #       ... --username=%{mschap:User-Name} ...
        #
        # In that case, the mschap module will look at the User-Name
        # attribute, and do prefix/suffix checks in order to obtain
        # the "best" user name for the request.
        #
        #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
# -*- text -*-
#
#  $Id$


# Pluggable Authentication Modules
#
#  For Linux, see:
#       http://www.kernel.org/pub/linux/libs/pam/index.html
#
#  WARNING: On many systems, the system PAM libraries have
#           memory leaks!  We STRONGLY SUGGEST that you do not
#           use PAM for authentication, due to those memory leaks.
#
pam {
        #
        #  The name to use for PAM authentication.
        #  PAM looks in /etc/pam.d/${pam_auth_name}
        #  for it's configuration.  See 'redhat/radiusd-pam'
        #  for a sample PAM configuration file.
        #
        #  Note that any Pam-Auth attribute set in the 'authorize'
        #  section will over-ride this one.
        #
        pam_auth = radiusd
}
# -*- text -*-
#
#  $Id$

# PAP module to authenticate users based on their stored password
#
#  Supports multiple encryption/hash schemes.  See "man rlm_pap"
#  for details.
#
#  The "auto_header" configuration item can be set to "yes".
#  In this case, the module will look inside of the User-Password
#  attribute for the headers {crypt}, {clear}, etc., and will
#  automatically create the attribute on the right-hand side,
#  with the correct value.  It will also automatically handle
#  Base-64 encoded data, hex strings, and binary data.
pap {
        auto_header = no
}
# -*- text -*-
#
#  $Id$

# passwd module allows to do authorization via any passwd-like
# file and to extract any attributes from these modules
#
# parameters are:
#   filename - path to filename
#   format - format for filename record. This parameters
#            correlates record in the passwd file and RADIUS
#            attributes.
#
#            Field marked as '*' is key field. That is, the parameter
#            with this name from the request is used to search for
#            the record from passwd file
#            Attribute marked as '=' is added to reply_itmes instead
#            of default configure_itmes
#            Attribute marked as '~' is added to request_items
#
#            Field marked as ',' may contain a comma separated list
#            of attributes.
#   hashsize - hashtable size. If 0 or not specified records are not
#            stored in memory and file is red on every request.
#   allowmultiplekeys - if few records for every key are allowed
#   ignorenislike - ignore NIS-related records
#   delimiter - symbol to use as a field separator in passwd file,
#            for format ':' symbol is always used. '\0', '\n' are
#            not allowed 
#

# -*- text -*-
#
#  $Id$

#
#  Module implementing a DIFFERENT policy language.
#  The syntax here is NOT "unlang", but something else.
#
#  See the "raddb/policy.txt" file for documentation and examples.
#  There isn't much else in the way of documentation, sorry.
#
policy {
       #  The only configuration item is a filename containing
       #  the policies to execute.
       #
       #  When "policy" is listed in a section (e.g. "authorize"),
       #  it will run a policy named for that section.
       # 
       filename = ${confdir}/policy.txt
}

# -*- text -*-
#
#  $Id$

# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
#  This module processes the 'huntgroups' and 'hints' files.
#  In addition, it re-writes some weird attributes created
#  by some NASes, and converts the attributes into a form which
#  is a little more standard.
#
preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints

        # This hack changes Ascend's wierd port numberings
        # to standard 0-??? port numbers so that the "+" works
        # for IP address assignments.
        with_ascend_hack = no
        ascend_channels_per_line = 23

        # Windows NT machines often authenticate themselves as
        # NT_DOMAIN\username
        #
        # If this is set to 'yes', then the NT_DOMAIN portion
        # of the user-name is silently discarded.
        #
        # This configuration entry SHOULD NOT be used.
        # See the "realms" module for a better way to handle
        # NT domains.
        with_ntdomain_hack = no

        # Specialix Jetstream 8500 24 port access server.
        #
        # If the user name is 10 characters or longer, a "/"
        # and the excess characters after the 10th are
        # appended to the user name.
        #
        # If you're not running that NAS, you don't need
        # this hack.
        with_specialix_jetstream_hack = no

        # Cisco (and Quintum in Cisco mode) sends it's VSA attributes
        # with the attribute name *again* in the string, like:
        #
        #   H323-Attribute = "h323-attribute=value".
        #
        # If this configuration item is set to 'yes', then
        # the redundant data in the the attribute text is stripped
        # out.  The result is:
        #
        #  H323-Attribute = "value"
        #
        # If you're not running a Cisco or Quintum NAS, you don't
        # need this hack.
        with_cisco_vsa_hack = no
}
# -*- text -*-
#
#  $Id$

#  Write a 'utmp' style file, of which users are currently
#  logged in, and where they've logged in from.
#
#  This file is used mainly for Simultaneous-Use checking,
#  and also 'radwho', to see who's currently logged in.
#
radutmp {
        #  Where the file is stored.  It's not a log file,
        #  so it doesn't need rotating.
        #
        filename = ${logdir}/radutmp

        #  The field in the packet to key on for the
        #  'user' name,  If you have other fields which you want
        #  to use to key on to control Simultaneous-Use,
        #  then you can use them here.
        #
        #  Note, however, that the size of the field in the
        #  'utmp' data structure is small, around 32
        #  characters, so that will limit the possible choices
        #  of keys.
        #
        #  You may want instead: %{Stripped-User-Name:-%{User-Name}}
        username = %{User-Name}


        #  Whether or not we want to treat "user" the same
        #  as "USER", or "User".  Some systems have problems
        #  with case sensitivity, so this should be set to
        #  'no' to enable the comparisons of the key attribute
        #  to be case insensitive.
        #
        case_sensitive = yes

        #  Accounting information may be lost, so the user MAY
        #  have logged off of the NAS, but we haven't noticed.
        #  If so, we can verify this information with the NAS,
        #
        #  If we want to believe the 'utmp' file, then this
        #  configuration entry can be set to 'no'.
        #
        check_with_nas = yes            

        # Set the file permissions, as the contents of this file
        # are usually private.
        perm = 0600

        callerid = "yes"
}
# -*- text -*-
#
#  $Id$

# Realm module, for proxying.
#
#  You can have multiple instances of the realm module to
#  support multiple realm syntaxs at the same time.  The
#  search order is defined by the order that the modules are listed
#  in the authorize and preacct sections.
#
#  Four config options:
#       format         -  must be "prefix" or "suffix"
#                         The special cases of "DEFAULT"
#                         and "NULL" are allowed, too.
#       delimiter      -  must be a single character

#  'realm/username'
#
#  Using this entry, IPASS users have their realm set to "IPASS".
realm IPASS {
        format = prefix
        delimiter = "/"
}

#  'username@realm'
#
realm suffix {
        format = suffix
        delimiter = "@"
}

#  'username%realm'
#
realm realmpercent {
        format = suffix
        delimiter = "%"
}

#
#  'domain\user'
#
realm ntdomain {
        format = prefix
        delimiter = "\\"
}       
# -*- text -*-
#
#  $Id$

#  An example configuration for using /etc/smbpasswd.
#
#  See the "passwd" file for documentation on the configuration items
#  for this module.
#
passwd smbpasswd {
        filename = /etc/smbpasswd
        format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
        hashsize = 100
        ignorenislike = no
        allowmultiplekeys = no
}
# -*- text -*-
#
#  $Id$

#
#  The rlm_sql_log module appends the SQL queries in a log
#  file which is read later by the radsqlrelay program.
#
#  This module only performs the dynamic expansion of the
#  variables found in the SQL statements. No operation is
#  executed on the database server. (this could be done
#  later by an external program) That means the module is
#  useful only with non-"SELECT" statements.
#
#  See rlm_sql_log(5) manpage.
#
#  This same functionality could also be implemented by logging
#  to a "detail" file, reading that, and then writing to SQL.
#  See raddb/sites-available/buffered-sql for an example.
#
sql_log {
        path = "${radacctdir}/sql-relay"
        acct_table = "radacct"
        postauth_table = "radpostauth"
        sql_user_name = "%{%{User-Name}:-DEFAULT}"

        Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
         AcctSessionTime, AcctTerminateCause) VALUES                 \
         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
         '%{Framed-IP-Address}', '%S', '0', '0', '');"
        Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName,  \
         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
         AcctSessionTime, AcctTerminateCause) VALUES                 \
         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
         '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}',  \
         '%{Acct-Terminate-Cause}');"
        Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
         AcctSessionTime, AcctTerminateCause) VALUES                 \
         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
         '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"

        Post-Auth = "INSERT INTO ${postauth_table}                   \
         (username, pass, reply, authdate) VALUES                    \
         ('%{User-Name}', '%{User-Password:-Chap-Password}',         \
         '%{reply:Packet-Type}', '%S');"
}

# -*- text -*-
#
#  $Id$

# "Safe" radutmp - does not contain caller ID, so it can be
# world-readable, and radwho can work for normal users, without
# exposing any information that isn't already exposed by who(1).
#
# This is another 'instance' of the radutmp module, but it is given
# then name "sradutmp" to identify it later in the "accounting"
# section.
radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
}
# -*- text -*-
#
#  $Id$

# Unix /etc/passwd style authentication
#
unix {
        #  As of 1.1.0, the Unix module no longer reads,
        #  or caches /etc/passwd, /etc/shadow, or /etc/group.
        #  If you wish to cache those files, see the passwd
        #  module.
        #

        #
        #  The location of the "wtmp" file.
        #  The only use for 'radlast'.  If you don't use
        #  'radlast', then you can comment out this item.
        #
        #  Note that the radwtmp file may get large!  You should
        #  rotate it (cp /dev/null radwtmp), or just not use it.
        #
        radwtmp = ${logdir}/radwtmp
}