From a750b5c9d3153f5587e27d29221c087b3ad81a13 Mon Sep 17 00:00:00 2001 From: phampson Date: Mon, 16 Jun 2003 15:23:40 +0000 Subject: [PATCH] Move configuration for newly-stable modules from experimental.conf to radiusd.conf.in: rlm_digest rlm_exec rlm_ippool --- raddb/experimental.conf | 152 ------------------------------------------------ raddb/radiusd.conf.in | 144 ++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 143 insertions(+), 153 deletions(-) diff --git a/raddb/experimental.conf b/raddb/experimental.conf index e111ed1..528baa8 100644 --- a/raddb/experimental.conf +++ b/raddb/experimental.conf 
@@ -168,49 +168,6 @@ # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime BETWEEN FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')" } - # Do server side ip pool management. Should be added in post-auth and - # accounting sections. - # - ## This module is highly experimental at the moment. Please - ## give feedback on the mailing list. - # - # The module also requires the existance of the Pool-Name - # attribute. That way the administrator can add the Pool-Name - # attribute in the user profiles and use different pools - # for different users. The Pool-Name attribute is a *check* item not - # a reply item. - # - # Example: - # radiusd.conf: ippool students { [...] } - # users file : DEFAULT Group == students, Pool-Name := "students" - # - # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST THEN ERASE THE DB FILES ******* - # - ippool main_pool { - - # range-start,range-stop: The start and end ip - # addresses for the ip pool - range-start = 192.168.1.1 - range-stop = 192.168.3.254 - - # netmask: The network mask used for the ip's - netmask = 255.255.255.0 - - # cache-size: The gdbm cache size for the db - # files. Should be equal to the number of ip's - # available in the ip pool - cache-size = 800 - - # session-db: The main db file used to allocate ip's to clients - session-db = ${raddbdir}/db.ippool - - # ip-index: Helper db index file used in multilink - ip-index = ${raddbdir}/db.ipindex - - # override: Will this ippool override a Framed-IP-Address already set - override = no - } - # To create a dbm users file, do: # # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db 
@@ -264,19 +221,6 @@ } # - # The digest module. It doesn't take any configuration - # parameters, but it does require a configuration section, - # otherwise the parser complains. - # - # - # - # See '../doc/rfc/draft-sterman-aaa-sip-00.txt' for details - # on performing digest authentication for Cisco SIP servers. - # - digest { - } - - # # Perform NT-Domain authentication. This only works # with PAP authentication. That is, Authentication-Request # packets containing a User-Password attribute. 
@@ -337,99 +281,3 @@ # DEFAULT is no #notfound-reject = no } - - # - # Execute external programs - # - # The first example is useful only for 'xlat'. To use it, - # put 'exec' into the 'instantiate' section. You can then - # do dynamic translation of attributes like: - # - # Attribute-Name = `{%exec:/path/to/program args}` - # - # The value of the attribute will be replaced with the output - # of the program which is executed. Due to RADIUS protocol - # limitations, any output over 253 bytes will be ignored. - # - # The RADIUS attributes from the user request will be placed - # into environment variables of the executed program, as - # described in 'doc/variables.txt' - # - exec { - wait = yes - input_pairs = request - } - - # - # This is a more general example of the execute module. - # - # If you wish to execute an external program in more than - # one section (e.g. 'authorize', 'pre_proxy', etc), then it - # is probably best to define a different instance of the - # 'exec' module for every section. - # - exec echo { - # - # Wait for the program to finish. - # - # If we do NOT wait, then the program is "fire and - # forget", and any output attributes from it are ignored. - # - # If we are looking for the program to output - # attributes, and want to add those attributes to the - # request, then we MUST wait for the program to - # finish, and therefore set 'wait=yes' - # - # allowed values: {no, yes} - wait = yes - - # - # The name of the program to execute, and it's - # arguments. Dynamic translation is done on this - # field, so things like the following example will - # work. - # - program = "/bin/echo %{User-Name}" - - # - # The attributes which are placed into the - # environment variables for the program. 
- # - # Allowed values are: - # - # request attributes from the request - # reply attributes from the reply - # proxy-request attributes from the proxy request - # proxy-reply attributes from the proxy reply - # - # Note that some attributes may not exist at some - # stages. e.g. There may be no proxy-reply - # attributes if this module is used in the - # 'authorize' section. - # - input_pairs = request - - # - # Where to place the output attributes (if any) from - # the executed program. The values allowed, and the - # restrictions as to availability, are the same as - # for the input_pairs. - # - output_pairs = reply - - # - # When to execute the program. If the packet - # type does NOT match what's listed here, then - # the module does NOT execute the program. - # - # For a list of allowed packet types, see - # the 'dictionary' file, and look for VALUEs - # of the Packet-Type attribute. - # - # By default, the module executes on ANY packet. - # Un-comment out the following line to tell the - # module to execute only if an Access-Accept is - # being sent to the NAS. - # - #packet_type = Access-Accept - } diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in index e06dd5c..dc0e82d 100644 --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in 
@@ -1137,9 +1137,149 @@ modules { # The 'digest' module currently has no configuration. # # "Digest" authentication against a Cisco SIP server. + # See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details + # on performing digest authentication for Cisco SIP servers. + # digest { } + # + # Execute external programs + # + # The first example is useful only for 'xlat'. To use it, + # put 'exec' into the 'instantiate' section. You can then + # do dynamic translation of attributes like: + # + # Attribute-Name = `{%exec:/path/to/program args}` + # + # The value of the attribute will be replaced with the output + # of the program which is executed. Due to RADIUS protocol + # limitations, any output over 253 bytes will be ignored. + # + # The RADIUS attributes from the user request will be placed + # into environment variables of the executed program, as + # described in 'doc/variables.txt' + # + exec { + wait = yes + input_pairs = request + } + + # + # This is a more general example of the execute module. + # + # If you wish to execute an external program in more than + # one section (e.g. 'authorize', 'pre_proxy', etc), then it + # is probably best to define a different instance of the + # 'exec' module for every section. + # + exec echo { + # + # Wait for the program to finish. + # + # If we do NOT wait, then the program is "fire and + # forget", and any output attributes from it are ignored. + # + # If we are looking for the program to output + # attributes, and want to add those attributes to the + # request, then we MUST wait for the program to + # finish, and therefore set 'wait=yes' + # + # allowed values: {no, yes} + wait = yes + + # + # The name of the program to execute, and it's + # arguments. Dynamic translation is done on this + # field, so things like the following example will + # work. + # + program = "/bin/echo %{User-Name}" + + # + # The attributes which are placed into the + # environment variables for the program. 
+ # + # Allowed values are: + # + # request attributes from the request + # reply attributes from the reply + # proxy-request attributes from the proxy request + # proxy-reply attributes from the proxy reply + # + # Note that some attributes may not exist at some + # stages. e.g. There may be no proxy-reply + # attributes if this module is used in the + # 'authorize' section. + # + input_pairs = request + + # + # Where to place the output attributes (if any) from + # the executed program. The values allowed, and the + # restrictions as to availability, are the same as + # for the input_pairs. + # + output_pairs = reply + + # + # When to execute the program. If the packet + # type does NOT match what's listed here, then + # the module does NOT execute the program. + # + # For a list of allowed packet types, see + # the 'dictionary' file, and look for VALUEs + # of the Packet-Type attribute. + # + # By default, the module executes on ANY packet. + # Un-comment out the following line to tell the + # module to execute only if an Access-Accept is + # being sent to the NAS. + # + #packet_type = Access-Accept + } + + # Do server side ip pool management. Should be added in post-auth and + # accounting sections. + # + # The module also requires the existance of the Pool-Name + # attribute. That way the administrator can add the Pool-Name + # attribute in the user profiles and use different pools + # for different users. The Pool-Name attribute is a *check* item not + # a reply item. + # + # Example: + # radiusd.conf: ippool students { [...] 
} + # users file : DEFAULT Group == students, Pool-Name := "students" + # + # ********* IF YOU CHANGE THE RANGE PARAMETERS YOU MUST THEN ERASE THE DB FILES ******* + # + ippool main_pool { + + # range-start,range-stop: The start and end ip + # addresses for the ip pool + range-start = 192.168.1.1 + range-stop = 192.168.3.254 + + # netmask: The network mask used for the ip's + netmask = 255.255.255.0 + + # cache-size: The gdbm cache size for the db + # files. Should be equal to the number of ip's + # available in the ip pool + cache-size = 800 + + # session-db: The main db file used to allocate ip's to clients + session-db = ${raddbdir}/db.ippool + + # ip-index: Helper db index file used in multilink + ip-index = ${raddbdir}/db.ipindex + + # override: Will this ippool override a Framed-IP-Address already set + override = no + } + + # ANSI X9.9 token support. Not included by default. # $INCLUDE ${confdir}/x99.conf @@ -1366,6 +1506,8 @@ accounting { # may be incorrect. There's little we can do about it. radutmp # sradutmp + # Return an address to the IP Pool when we see a stop record. +# main_pool } @@ -1383,7 +1525,7 @@ session { # additional steps we can take. post-auth { # Get an address from the IP Pool. - #main_pool +# main_pool } # -- 2.1.4
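Review bot: The `exec echo` example now ships in the main radiusd.conf.in with `program = "/bin/echo %{User-Name}"`, which expands a client-supplied attribute into a command line, and none of the moved comments say that this value is untrusted. Whether rlm_exec passes the expanded string to a shell or splits it into arguments is not visible in this hunk, so the comment above `program` should state which it is and add a caveat such as `# Expanded attributes come from the request and are untrusted; prefer reading them from the environment (input_pairs) over putting them on the command line.` The same applies to the bare `exec` instance, whose comment says request attributes are exported as environment variables: the executed program has to validate them. Separately, `session-db = ${raddbdir}/db.ippool` and `ip-index = ${raddbdir}/db.ipindex` put writable database files under what appears to be the configuration directory, so the daemon account would need write access there; a comment recommending a dedicated state directory would let the config tree stay read-only. The xlat example `{%exec:/path/to/program args}` also looks like a transposition of `%{exec:...}` carried over from experimental.conf and is worth confirming while the text is being moved.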