X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=radsecproxy.conf.5.xml;h=2b6367c469b3c8d3809806d337e83ae0e9ed4cd4;hb=c807e7de8300f2bd56c574173c362451182e0e53;hp=7fef19ce1ef643055f3281aa6a34f1ff7a220cae;hpb=8f9844399efbefe64a90741767bd07f816a26790;p=libradsec.git

diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml
index 7fef19c..2b6367c 100644
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -2,14 +2,14 @@
 "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
 <refentry>
   <refentryinfo>
-    <date>2011-09-30</date>
+    <date>2012-04-11</date>
   </refentryinfo>
   <refmeta>
     <refentrytitle>
       <application>radsecproxy.conf</application>
     </refentrytitle>
     <manvolnum>5</manvolnum>
-    <refmiscinfo>radsecproxy 1.5-dev</refmiscinfo>
+    <refmiscinfo>radsecproxy 1.6-dev</refmiscinfo>
   </refmeta>
   <refnamediv>
     <refname>
@@ -126,6 +126,17 @@ blocktype name {
     </para>
     <variablelist>
       <varlistentry>
+        <term><literal>PidFile</literal></term>
+        <listitem>
+	  <para>
+            The PidFile option specifies the name of a file to which
+            the process id (PID) will be written.  This is overridden
+            by the <option>-i</option> command line option.  There is
+            no default value for the PidFile option.
+	  </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
         <term><literal>LogLevel</literal></term>
         <listitem>
 	  <para>
@@ -176,13 +187,17 @@ blocktype name {
 	    The FTicksReporting option is used to enable F-Ticks
 	    logging and can be set to <literal>None</literal>,
 	    <literal>Basic</literal> or <literal>Full</literal>.  Its
-	    default value is <literal>None</literal>.
+	    default value is <literal>None</literal>.  If
+	    FTicksReporting is set to anything other than
+	    <literal>None</literal>, note that the default value for
+	    FTicksMAC is <literal>VendorKeyHashed</literal> which
+	    needs FTicksKey to be set.
 	  </para>
 	  <para>
 	    See <literal>radsecproxy.conf-example</literal> for
 	    details.  Note that radsecproxy has to be configured with
-	    support for F-Ticks (<literal>--enable-fticks</literal>)
-	    for this option to have any effect.
+	    F-Ticks support (<literal>--enable-fticks</literal>) for
+	    this option to have any effect.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -192,23 +207,31 @@ blocktype name {
         <listitem>
 	  <para>
 	    The FTicksMAC option can be used to control if and how
-	    Calling-Station-Id is being logged.  It can be set to one
-	    of <literal>Static</literal>,
-	    <literal>Original</literal>,
+	    Calling-Station-Id (the users Ethernet MAC address) is
+	    being logged.  It can be set to one of
+	    <literal>Static</literal>, <literal>Original</literal>,
 	    <literal>VendorHashed</literal>,
 	    <literal>VendorKeyHashed</literal>,
 	    <literal>FullyHashed</literal> or
 	    <literal>FullyKeyHashed</literal>.
 	  </para>
 	  <para>
-	    The default value for FTicksMAC is <literal>Static</literal>.
-	    Before chosing any of <literal>Original</literal>
+	    The default value for FTicksMAC is
+	    <literal>VendorKeyHashed</literal>.  This means that
+	    FTicksKey has to be set.
+	  <para>
+	    Before chosing any of <literal>Original</literal>,
+	    <literal>FullyHashed</literal> or
+	    <literal>VendorHashed</literal>, consider the implications
+	    for user privacy when MAC addresses are collected.  How
+	    will the logs be stored, transferred and accessed?
+	  </para>
 	  </para>
 	  <para>
 	    See <literal>radsecproxy.conf-example</literal> for
 	    details.  Note that radsecproxy has to be configured with
-	    support for F-Ticks (<literal>--enable-fticks</literal>)
-	    for this option to have any effect.
+	    F-Ticks support (<literal>--enable-fticks</literal>) for
+	    this option to have any effect.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -223,14 +246,33 @@ blocktype name {
 	    option.
 	  </para>
 	  <para>
-	    Note that radsecproxy has to be configured with support
-	    for F-Ticks (<literal>--enable-fticks</literal>) for this
+	    Note that radsecproxy has to be configured with F-Ticks
+	    support (<literal>--enable-fticks</literal>) for this
 	    option to have any effect.
 	  </para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
+        <term><literal>FTicksSyslogFacility</literal></term>
+        <listitem>
+	  <para>
+	    The FTicksSyslogFacility option is used to specify a
+	    dedicated syslog facility for F-Ticks messages.  This
+	    allows for easier filtering of F-Ticks messages.  If no
+	    FTicksSyslogFacility option is given, F-Ticks messages are
+	    written to what the LogDestination option specifies.
+	  </para>
+	  <para>
+	    F-Ticks messages are always logged using the log level
+	    LOG_DEBUG.  Note that specifying a file in
+	    FTicksSyslogFacility (using the file:/// prefix) is
+	    not supported.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term><literal>ListenUDP</literal></term>
         <listitem>
 	  <para>
@@ -449,9 +491,9 @@ blocktype name {
       <literal>certificateNameCheck</literal>,
       <literal>matchCertificateAttribute</literal>,
       <literal>duplicateInterval</literal>, <literal>AddTTL</literal>,
-      <literal>fticksVISCOUNTRY</literal>, <literal>rewrite</literal>,
-      <literal>rewriteIn</literal>, <literal>rewriteOut</literal>, and
-      <literal>rewriteAttribute</literal>.
+      <literal>fticksVISCOUNTRY</literal>, <literal>fticksVISINST</literal>,
+      <literal>rewrite</literal>, <literal>rewriteIn</literal>, 
+      <literal>rewriteOut</literal>, and <literal>rewriteAttribute</literal>.
 
       We already discussed the <literal>host</literal> option. The
       value of <literal>type</literal> must be one of
@@ -513,6 +555,11 @@ blocktype name {
       <literal>FTicksReporting</literal> basic option.
     </para>
     <para>
+      The <literal>fticksVISINST</literal> option overwrites
+      the default <literal>VISINST</literal> value taken from the client
+      block name.
+    </para>
+    <para>
       The <literal>rewrite</literal> option is deprecated. Use
       <literal>rewriteIn</literal> instead.
     </para>
@@ -597,8 +644,8 @@ blocktype name {
       <literal>AddTTL</literal>, <literal>rewrite</literal>,
       <literal>rewriteIn</literal>, <literal>rewriteOut</literal>,
       <literal>statusServer</literal>, <literal>retryCount</literal>,
-      <literal>retryInterval</literal>,
       <literal>dynamicLookupCommand</literal> and
+      <literal>retryInterval</literal> and
       <literal>LoopPrevention</literal>.
     </para>
     <para>
@@ -635,8 +682,17 @@ blocktype name {
     <para>
       The option <literal>dynamicLookupCommand</literal> can be used
       to specify a command that should be executed to dynamically
-      configure and use a server.  The use of this feature will be
-      documented separately/later.
+      configure a server.  The executable file should be given with
+      full path and will be invoked with the name of the realm as its
+      first and only argument.  It should either print a valid
+      <literal>server</literal> option on stdout and exit with a code
+      of 0 or print nothing and exit with a non-zero exit code.  An
+      example of a shell script resolving the DNS NAPTR records for
+      the realm and then the SRV records for each NAPTR matching
+      'x-eduroam:radius.tls' is provided in
+      <literal>tools/naptr-eduroam.sh</literal>.  This option was
+      added in radsecproxy-1.3 but tends to crash radsecproxy versions
+      earlier than 1.6.
     </para>
     <para>
       Using the <literal>LoopPrevention</literal> option here