2 # This file contains the configuration for experimental modules.
4 # By default, it is NOT included in the build.
9 # Configuration for the Python module.
11 # Where radiusd is a Python module, radiusd.py, and the
12 # function 'authorize' is called. Here is a dummy piece
15 # def authorize(params):
17 # return (5, ('Reply-Message', 'banned'))
19 # The RADIUS value-pairs are passed as a tuple of tuple
20 # pairs as the first argument, e.g. (('attribute1',
21 # 'value1'), ('attribute2', 'value2'))
23 # The function return is a tuple with the first element
24 # being the return value of the function.
25 # The 5 corresponds to RLM_MODULE_USERLOCK. I plan to
26 # write the return values as Python symbols to avoid
29 # The remaining tuple members are the string form of
30 # value-pairs which are passed on to pairmake().
# Each mod_* / func_* pair names a Python module and the function in it that
# the server calls for one stage (instantiate, authorize, accounting, preacct).
# NOTE(review): the named module is loaded by the RADIUS server, so presumably
# its code runs with the server's privileges. Keep radiusd_test.py and the
# directories it is imported from writable by administrators only; confirm
# for your deployment.
33 mod_instantiate = radiusd_test
34 func_instantiate = instantiate
36 mod_authorize = radiusd_test
37 func_authorize = authorize
39 mod_accounting = radiusd_test
40 func_accounting = accounting
42 mod_preacct = radiusd_test
43 func_preacct = preacct
# NOTE(review): no func_detach line is visible next to mod_detach in this
# listing; confirm that it is set.
45 mod_detach = radiusd_test
50 # Configuration for the example module. Uncommenting it will cause it
51 # to get loaded and initialized, but should have no real effect as long as
52 # it is not referenced in one of the autz/auth/preacct/acct sections
55 # allowed values: {no, yes}
58 # An integer, of any value.
# A free-form string value for the example module.
62 string = "This is an example configuration string"
64 # An IP address, either in dotted quad (1.2.3.4) or hostname
# NOTE(review): a second 'string' key. Presumably it sits in a nested
# subsection whose braces are not visible in this listing; confirm it does not
# redefine the 'string' key set earlier.
73 string = "This is a different string"
79 # This module is an SQL enabled version of the counter module.
81 # Rather than maintaining separate (GDBM) databases of
82 # accounting info for each counter, this module uses the data
83 # stored in the radacct table by the sql modules. This
84 # module NEVER does any database INSERTs or UPDATEs. It is
85 # totally dependent on the SQL module to process Accounting
88 # The 'sqlmod-inst' parameter holds the instance of the sql
89 # module to use when querying the SQL database. Normally it
90 # is just "sql". If you define more than one SQL module
91 # instance (usually for failover situations), you can
92 # specify which module has access to the Accounting Data
95 # The 'reset' parameter defines when the counters are all
96 # reset to zero. It can be hourly, daily, weekly, monthly or
97 # never. It can also be user defined. It should be of the
100 # h: hours, d: days, w: weeks, m: months
101 # If the letter is omitted, days will be assumed. For example:
102 # reset = 10h (reset every 10 hours)
103 # reset = 12 (reset every 12 days)
105 # The 'key' parameter specifies the unique identifier for the
106 # counter records (usually 'User-Name').
108 # The 'query' parameter specifies the SQL query used to get
109 # the current Counter value from the database. There are 3
110 # parameters that can be used in the query:
112 # %b unix time value of beginning of reset period
113 # %e unix time value of end of reset period
116 # The 'check-name' parameter is the name of the 'check'
117 # attribute to use to access the counter in the 'users' file
118 # or SQL radcheck or radcheckgroup tables.
120 # DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
121 # Reply-Message = "You've used up more than one hour today"
# Counter instance that sums session time from the radacct table and compares
# it with the Max-Daily-Session check item.
123 sqlcounter dailycounter {
124 counter-name = Daily-Session-Time
125 check-name = Max-Daily-Session
130 # This query properly handles calls that span from the
131 # previous reset period into the current period but
132 # involves more work for the SQL server than those
# NOTE(review): %{%k} expands to the value of the key attribute (usually
# User-Name), which comes from the request and lands inside a quoted SQL
# string. That is safe only if the expansion is SQL-escaped before the query
# runs; confirm that your version of the sqlcounter/sql modules does this.
# The module only reads accounting data, so the database account it uses
# needs no more than SELECT on radacct.
134 query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
136 # This query ignores calls that started in a previous
137 # reset period and continue into this one. But it
138 # is a little easier on the SQL server
139 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
141 # This query is the same as above, but demonstrates an
142 # additional counter parameter '%e' which is the
143 # timestamp for the end of the period
144 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime BETWEEN FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
# Counter instance that sums session time from the radacct table and compares
# it with the Max-Monthly-Session check item.
147 sqlcounter monthlycounter {
148 counter-name = Monthly-Session-Time
149 check-name = Max-Monthly-Session
# Name of the sql module instance whose database connection runs the query.
150 sqlmod-inst = sqlcca3
154 # This query properly handles calls that span from the
155 # previous reset period into the current period but
156 # involves more work for the SQL server than those
# NOTE(review): %{%k} expands to the value of the key attribute (usually
# User-Name), which comes from the request and lands inside a quoted SQL
# string. That is safe only if the expansion is SQL-escaped before the query
# runs; confirm that your version of the sqlcounter/sql modules does this.
# The module only reads accounting data, so the database account behind
# 'sqlcca3' needs no more than SELECT on radacct.
158 query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
160 # This query ignores calls that started in a previous
161 # reset period and continue into this one. But it
162 # is a little easier on the SQL server
163 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
165 # This query is the same as above, but demonstrates an
166 # additional counter parameter '%e' which is the
167 # timestamp for the end of the period
168 # query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}' AND AcctStartTime BETWEEN FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
171 # To create a dbm users file, do:
173 # cat test.users | rlm_dbm_parser -f /etc/raddb/users_db
175 # Then add 'dbm' in 'authorize' section.
177 # Note that even if the file has a ".db" or ".dbm" extension,
178 # you may have to specify it here without that extension. This
179 # is because the DBM libraries "helpfully" add a ".db" to the
180 # filename, but don't check if it's already there.
# Path of the DBM users database, given without the ".db"/".dbm" extension.
# NOTE(review): presumably this holds the same check items as a plain 'users'
# file, which can include passwords. Restrict read access to the account the
# server runs as; confirm.
183 usersfile = ${raddbdir}/users_db
187 # Persistent, embedded Perl interpreter.
191 # The Perl script to execute on authorize, authenticate,
192 # accounting, xlat, etc. This is very similar to using
193 # Exec-Program-Wait = "/path/foo.pl", but it is persistent,
194 # and therefore faster.
# NOTE(review): placeholder path; replace it with the real script. The script
# runs in the persistent embedded interpreter and its return codes go straight
# back to the server, so anyone who can modify the file can change
# authentication decisions. Keep it owned and writable by administrators only.
196 module = /path/to/your/perl_program
199 # The following hashes are given to the module and
200 # filled with value-pairs (Attribute names and values)
202 # %RAD_REPLY Attributes to go into the reply
203 # %RAD_REQUEST Attributes from the request
204 # %RAD_CHECK Check items
206 # Only the %RAD_REPLY hash can be modified.
207 # All of the other hashes are read only.
209 # The return codes from functions in the perl_script
210 # are passed directly back to the server. These
211 # codes are defined in doc/configurable_failover,
212 # src/include/modules.h (RLM_MODULE_REJECT, etc),
213 # and are pre-defined in the 'example.pl' program
# Names of the functions that the server calls for each stage, presumably
# subs defined in the Perl script configured above; verify that each one
# exists there.
216 func_accounting = accounting
217 func_authentication = authenticate
218 func_preacct = preacct
219 func_checksimul = checksimul
224 # Perform NT-Domain authentication. This only works
225 # with PAP authentication. That is, Authentication-Request
226 # packets containing a User-Password attribute.
228 # To use it, add 'smb' into the 'authenticate' section,
229 # and then in another module (usually the 'users' file),
230 # set 'Auth-Type := SMB'
# NT-Domain hosts to authenticate against; 'backup' is presumably tried when
# 'server' is unavailable (confirm).
# NOTE(review): this module works only with PAP, so the RADIUS server handles
# the user's cleartext User-Password at this step. Treat the network path to
# these hosts as sensitive and confirm how the credentials are protected in
# transit.
233 server = ntdomain.server.example.com
234 backup = backup.server.example.com
238 # See doc/rlm_fastusers before using this
239 # module or changing these values.
# Users file read by this module.
# NOTE(review): presumably this holds check items such as passwords, like
# other users files. Restrict read access to the account the server runs as;
# confirm against doc/rlm_fastusers.
242 usersfile = ${confdir}/users_fast
245 # Reload the hash every 600 seconds (10mins)
250 # See also protocol_filter.conf
254 # Location of the protocol filter configuration file.
# NOTE(review): the filtering rules live in this file, so it should be
# writable by administrators only.
256 filename = ${raddbdir}/protocol_filter.conf
259 # The key to look up the section with filtering rules.
# Realm is taken from the request; the ':-DEFAULT' form falls back to the
# literal DEFAULT when no Realm is set. A request with an unknown or missing
# realm is then presumably filtered by the DEFAULT section's rules; confirm
# that this section exists and is suitably restrictive.
261 key = %{Realm:-DEFAULT}
265 # Should be added in the post-auth section (after all other modules)
266 # and in the authorize section (before any other modules)
272 # [... other modules ...]
275 # [... other modules ...]
279 # The caching module will cache the Auth-Type and reply items and send them back
280 # on any subsequent requests for the same key
284 # filename: The gdbm file to use for the cache database (can be memory mapped for
286 # key: A string to xlat and use as a key. For instance, "%{Acct-Unique-Session-Id}"
287 # post-auth: If we find a cached entry, set the post-auth to that value
288 # cache-ttl: The time to cache the entry. The values from the counter module apply here
289 # cache-size: The gdbm cache size to request (default 1000)
290 # hit-ratio: If set to non-zero we print out statistical information after so many cache requests
291 # cache-rejects: Do we also cache rejects, or not? (default 'yes')
# NOTE(review): the cache database stores Auth-Type and reply items, so
# restrict access to this file to the account the server runs as.
294 filename = ${raddbdir}/db.cache
# NOTE(review): a cached Auth-Type and reply are sent back for any later
# request that expands to the same key. A cached decision can therefore
# outlive a change to the account until the entry expires (see cache-ttl).
# Choose a key that cannot collide across users or sessions, and keep the TTL
# short enough for your revocation needs.
297 key = "%{Acct-Unique-Session-Id}"
300 # cache-rejects = yes