--- /dev/null
+# This script can be used in the sites-available/inner-tunnel file (on an IdP()
+# or sites-available/abfab-tr-idp file (on a Moonshot RP Proxy) to log the
+# values of certain attributes that are returned to the client.
+#
+# This is for testing and debugging purposes; it is not enabled by default.
+# To enable:
+#
+# 1) Add a softlink from ../mods-enabled/custom_linelog to this file
+#
+# 2) If on an IdP, uncomment the lines in sites-available/inner-tunnel that
+# contain "log_moonshot_authn_idp"
+#
+# 3) If on a Moonshot RP Proxy, uncomment the lines in sites-available/abfab-tr-idp
+# that contain "log_moonshot_authn_rp_proxy"
+
+
+linelog log_moonshot_authn_rp_proxy {
+ destination = file
+
+ #
+ # Used if the expansion of "reference" fails.
+ #
+ format = ""
+
+# file {
+ filename = ${logdir}/moonshot-authn-linelog
+
+ permissions = 0600
+# }
+
+ reference = "messages.%{%{reply:Packet-Type}:-default}"
+
+ #
+ # The messages defined here are taken from the "reference"
+ # expansion, above.
+ #
+ # Pairs may be attributes refs, xlats, literals or execs.
+ messages {
+ default = "Unknown packet type %{Packet-Type}"
+
+ Access-Accept = "moonshot-auth#AUTH=OK#TIME=%T#IP=%{request:Packet-Src-IP-Address}#SVC=%{%{request:GSS-Acceptor-Service-Name}:-none}/%{%{request:GSS-Acceptor-Host-Name}:-none}#FROM=%{%{request:Realm}:-LOCAL}#MOONSHOT_HOST_TID=%{reply:Moonshot-Host-TargetedId}#MOONSHOT_REALM_TID=%{reply:Moonshot-Realm-TargetedId}#MOONSHOT_COI_TID=%{reply:Moonshot-TR-COI-TargetedId}#MOONSHOT_SAML=%{%{reply:SAML-AAA-Assertion[*]}:-none}"
+ Access-Reject = "moonshot-auth#AUTH=FAIL#TIME=%T#IP=%{request:Packet-Src-IP-Address}#SVC=%{%{request:GSS-Acceptor-Service-Name}:-none}/%{%{request:GSS-Acceptor-Host-Name}:-none}#FROM=%{%{request:Realm}:-LOCAL}#FAILURE_REASON=%{%{reply:EAP-Message}:-%{reply:Reply-Message[*]}:-unknown}"
+ }
+}
+
+
+
+linelog log_moonshot_authn_idp {
+ destination = file
+
+ #
+ # Used if the expansion of "reference" fails.
+ #
+ format = ""
+
+# file {
+ filename = ${logdir}/moonshot-authn-linelog
+
+ permissions = 0600
+# }
+
+ reference = "messages.%{%{reply:Packet-Type}:-default}"
+
+ #
+ # The messages defined here are taken from the "reference"
+ # expansion, above.
+ #
+ # Pairs may be attributes refs, xlats, literals or execs.
+ messages {
+ default = "Unknown packet type %{Packet-Type}"
+
+ Access-Accept = "moonshot-auth#AUTH=OK#TIME=%T#IP=%{request:Packet-Src-IP-Address}#SVC=%{%{request:GSS-Acceptor-Service-Name}:-none}/%{%{request:GSS-Acceptor-Host-Name}:-none}#FROM=%{%{request:Realm}:-LOCAL}#USERNAME=%{request:User-Name}#MOONSHOT_HOST_TID=%{reply:Moonshot-Host-TargetedId}#MOONSHOT_REALM_TID=%{reply:Moonshot-Realm-TargetedId}#MOONSHOT_COI_TID=%{reply:Moonshot-TR-COI-TargetedId}#MOONSHOT_SAML=%{%{reply:SAML-AAA-Assertion[*]}:-none}"
+ Access-Reject = "moonshot-auth#AUTH=FAIL#TIME=%T#IP=%{request:Packet-Src-IP-Address}#SVC=%{%{request:GSS-Acceptor-Service-Name}:-none}/%{%{request:GSS-Acceptor-Host-Name}:-none}#FROM=%{%{request:Realm}:-LOCAL}#USERNAME=%{request:User-Name}#FAILURE_REASON=%{%{reply:EAP-Message}:-%{reply:Reply-Message[*]}:-unknown}"
+ }
+}
server abfab-idp {
authorize {
- psk_authorize
+ psk_authorize
abfab_client_check
filter_username
preprocess
# cui
suffix {
- updated = 1
+ updated = 1
noop = reject
- }
+ }
eap {
ok = return
}
exec
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
+
+ # Uncomment to enable logging of certain Moonshot attributes. See
+ # mods-available/moonshot_custom_linelog.
+ # log_moonshot_authn_rp_proxy
+
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
+ # Uncomment to enable logging of certain Moonshot attributes. See
+ # mods-available/moonshot_custom_linelog.
+ # log_moonshot_authn_rp_proxy
+
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
}
+
+ # Uncomment to enable logging of certain Moonshot attributes. See
+ # mods-available/moonshot_custom_linelog.
+ # log_moonshot_authn_rp_proxy
}
#
# When the server decides to proxy a request to a home server,
}
}
+ # Uncomment to enable logging of certain Moonshot attributes. See
+ # mods-available/moonshot_custom_linelog.
+ # log_moonshot_authn_idp
+
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
+ # Uncomment to enable logging of certain Moonshot attributes. See
+ # mods-available/moonshot_custom_linelog.
+ # log_moonshot_authn_idp
+
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
&Module-Failure-Message := &request:Module-Failure-Message
}
}
+ # Uncomment to enable logging of certain Moonshot attributes. See
+ # mods-available/moonshot_custom_linelog.
+ # log_moonshot_authn_idp
}
#