also removed the part saying control-socket was highly experiment.
Unless the config item is a well recognised portmanteau
(as ``filename`` is for example), it must be written as multiple
-distinct words seperated by underscores ``_``.
+distinct words separated by underscores ``_``.
The configuration items ``file``, ``script_file``, ``module``,
``detail``, ``detailfile``, ``attrsfile``, ``perm``, ``dirperm``,
appropriate sub-section, and resolve this to a configuration
item. This behaviour is similar to rlm_linelog. This dynamic
expansion allows for a dynamic mapping between accounting types and
-SQL qeuries. Previously, the mapping was fixed. Any "new" accounting
+SQL queries. Previously, the mapping was fixed. Any "new" accounting
type was ignored by the module. Now, support for any accounting type
can be added by just adding a new target, as below.
From version 3.0 onwards the server no longer supports authenticating
against a cleartext password in the 'User-Password' attribute. Any
-occurances of this (for instance, in the users file) should now be changed
+occurences of this (for instance, in the users file) should now be changed
to 'Cleartext-Password' instead.
If this is not done, authentication will likely fail. The server will
}
}
-We suggest updating all uses of attr_write to use unlang instead.
+We suggest updating all uses of attr_rewrite to use unlang instead.
rlm_checkval
------------
# Configuration for the example module. Uncommenting it will cause it
# to get loaded and initialized, but should have no real effect as long
- # it is not referencened in one of the autz/auth/preacct/acct sections
+ # it is not referenced in one of the autz/auth/preacct/acct sections
example {
# Boolean variable.
# allowed values: {no, yes}
#
-# Cache EAP responses for resiliancy on intermediary proxy failover
+# Cache EAP responses for resiliency on intermediary proxy failover
#
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
# the driver below.
#
# If you're using rlm_sql_null, then it should be the type of
- # database the logged queries are going to be exected against.
+ # database the logged queries are going to be executed against.
dialect = "sqlite"
# The submodule to use to execute queries. This should match
# There are no configuration entries for this module. Instead, it
# relies on the "client" configuration. You must:
#
-# 1) link raddb/sites-enabled/dyanmic_clients to
-# raddb/sites-available/dyanmic_clients
+# 1) link raddb/sites-enabled/dynamic_clients to
+# raddb/sites-available/dynamic_clients
#
# 2) Define a client network/mask (see top of the above file)
#
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
- # If you do not currently have certifictes signed by
+ # If you do not currently have certificates signed by
# a trusted CA you may use the 'snakeoil' certificates.
# Included with the server in raddb/certs.
#
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
- # that, to accomodate other attributes in
+ # that, to accommodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
- # match, the cerficate verification will fail,
+ # match, the certificate verification will fail,
# rejecting the user.
#
# In 2.1.10 and later, this check can be done
# Certificates can be verified against an OCSP
# Responder. This makes it possible to immediately
# revoke certificates without the distribution of
- # new Certificate Revokation Lists (CRLs).
+ # new Certificate Revocation Lists (CRLs).
#
ocsp {
#
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
#
-# The module also requires the existance of the Pool-Name
+# The module also requires the existence of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools for
# different users. The Pool-Name attribute is a *check* item
# identity = "cn=admin,dc=example,dc=org"
# password = mypass
- # Unless overridden in another section, the dn from whilch all
+ # Unless overridden in another section, the dn from which all
# searches will start from.
# base_dn = "dc=example,dc=org"
#
# User profiles. RADIUS profile objects contain sets of attributes
- # to insert into the request. These attribtues are mapped using
- # the same mapping scheme appled to user objects.
+ # to insert into the request. These attributes are mapped using
+ # the same mapping scheme applied to user objects.
#
profile {
# Filter for RAIDUS profile objects
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
- # "allow" (try, but don't fail if the cerificate
+ # "allow" (try, but don't fail if the certificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# and Time-Of-Day comparison functions.
#
# When the Login-Time attribute is set to some value, and the
-# user has bene permitted to log in, a Session-Timeout is
+# user has been permitted to log in, a Session-Timeout is
# calculated based on the remaining time. See "doc/README".
#
logintime {
# the record from passwd file
#
# Attributes marked as '=' are added to reply_items instead
-# of default configure_itmes
+# of default configure_items
#
# Attributes marked as '~' are added to request_items
#
huntgroups = ${moddir}/huntgroups
hints = ${moddir}/hints
- # This hack changes Ascend's wierd port numberings
+ # This hack changes Ascend's weird port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
# Realm module, for proxying.
#
# You can have multiple instances of the realm module to
-# support multiple realm syntaxs at the same time. The
+# support multiple realm syntaxes at the same time. The
# search order is defined by the order that the modules are listed
# in the authorize and preacct sections.
#
#
wimax {
#
- # Some WiMAX equipement requires that the MS-MPPE-*-Key
+ # Some WiMAX equipment requires that the MS-MPPE-*-Key
# attributes are sent in the Access-Accept, in addition to
# the WiMAX-MSK attribute.
#
# retrieved from persistent storage:
# * Yubikey-Key - The AES key used to decrypt the OTP data.
# The Yubikey-Public-Id and/or User-Name
- # attrubutes may be used to retrieve the key.
+ # attributes may be used to retrieve the key.
# * Yubikey-Counter - This is compared with the counter in the OTP
# data and used to prevent replay attacks.
# This attribute will also be available in
- # the request list after successfull
+ # the request list after successful
# decryption.
#
# Yubikey-Counter isn't strictly required, but the server will
# huntgroup is defined by specifying the IP address of
# the NAS and possibly a port range. Port can be identified
# as just one port, or a range (from-to), and multiple ports
-# or ranges of ports must be seperated by a comma. For
+# or ranges of ports must be separated by a comma. For
# example: 1,2,3-8
#
# Matching is done while RADIUS scans the user file; if it
##
## $Id$
-# Rather than maintaining seperate (GDBM) databases of
+# Rather than maintaining separate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
##
## $Id$
-# Rather than maintaining seperate (GDBM) databases of
+# Rather than maintaining separate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the raddacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
#
if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) {
update reply {
- Reply-Message += "Rejected: Realm does not have at least one dot seperator"
+ Reply-Message += "Rejected: Realm does not have at least one dot separator"
}
reject
}
#
# As of 2.0, the "realm" configuration has changed. Instead of
# specifying "authhost" and "accthost" in a realm section, the home
-# servers are specified seperately in a "home_server" section. For
+# servers are specified separately in a "home_server" section. For
# backwards compatibility, you can still use the "authhost" and
# "accthost" directives. If you only have one home server for a
# realm, it is easier to use the old-style configuration.
response_window = 20
#
- # If you want the old behavior of the server rejecting
+ # If you want the old behaviour of the server rejecting
# proxied requests after "response_window" timeout, set
# the following configuration item to "yes".
#
#
# RT = 2 * RTprev + RAND * RTprev
#
- # Re-trasnmits are capped at:
+ # Re-transmits are capped at:
#
# if (MRT && (RT > MRT)) RT = MRT + RAND * MRT
#
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
-# MAY NOT be detected, and will instead be handled as seperate requests.
+# MAY NOT be detected, and will instead be handled as separate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
auth_goodpass = no
# Log additional text at the end of the "Login OK" messages.
- # for these to work, the "auth" and "auth_goopass" or "auth_badpass"
+ # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
# configurations above have to be set to "yes".
#
# The strings below are dynamically expanded, which means that
# If these are commented out, the server will run as the
# user/group that started it. In order to change to a
# different user/group, you MUST be root ( or have root
- # privleges ) to start the server.
+ # privileges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few
# permissions as possible. That is, if you're not using
# If the received PPS is larger than the processed PPS, *and*
# the queue is more than half full, then new accounting
- # requests are probabalistically discarded. This lowers the
+ # requests are probabilistically discarded. This lowers the
# number of packets that the server needs to process. Over
# time, the server will "catch up" with the traffic.
#
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
-# the order in which they are initalized. If one module needs
+# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
######################################################################
#
# Policies are virtual modules, similar to those defined in the
-# "instantate" section above.
+# "instantiate" section above.
#
# Defining a policy in one of the policy.d files means that it can be
# referenced in multiple places as a *name*, rather than as a series of
# needed by the RADIUS server as it is running.
#
# The benefit of this approach is that for a busy server, the
-# overhead of performing SQL qeuries may be significant. Also,
+# overhead of performing SQL queries may be significant. Also,
# if the SQL databases are large (as is typical for ones storing
# months of data), the INSERTs and UPDATEs may take a relatively
# long time. Rather than slowing down the RADIUS server by
#
# Control socket interface.
#
-# HIGHLY experimental! It should NOT be used in production
-# environments.
-#
# In the future, we will add username/password checking for
# connections to the control socket. We will also add
# command authorization, where the commands entered by the
# directory to these files. This is done in a normal installation.
#
# If you are using 802.1X (EAP) authentication, please see also
-# the "inner-tunnel" virtual server. You wll likely have to edit
+# the "inner-tunnel" virtual server. You will likely have to edit
# that, too, for authentication to work.
#
# $Id$
server default {
#
# If you want the server to listen on additional addresses, or on
-# additionnal ports, you can use multiple "listen" sections.
+# additional ports, you can use multiple "listen" sections.
#
# Each section make the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
#
# If you want to generate CUI for some clients that do not
- # send proper CUI requiests, then uncomment the
- # cui below and set "add-cui = yes" for these clients in clients.conf
+ # send proper CUI requests, then uncomment the
+ # cui below and set "add_cui = yes" for these clients in clients.conf
# cui
#
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
-# used to pick the apropriate module from the list below.
+# used to pick the appropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# secrets
#
# FYI: We use an address in the 192.0.2.* space for this example,
-# as RFC 3330 says that that /24 range is used for documenation
+# as RFC 3330 says that that /24 range is used for documentation
# and examples, and should not appear on the net. You shouldn't
# use it for anything, either.
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
- # match, the cerficate verification will fail,
+ # match, the certificate verification will fail,
# rejecting the user.
#
# In 2.1.10 and later, this check can be done
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
- # match, the cerficate verification will fail,
+ # match, the certificate verification will fail,
# rejecting the user.
#
# In 2.1.10 and later, this check can be done
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
-# MUST be root ( or have root privleges ) to start the server.
+# MUST be root ( or have root privileges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
-# MAY NOT be detected, and will instead be handled as seperate requests.
+# MAY NOT be detected, and will instead be handled as separate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
# hosts with multiple IP addresses on one interface.
#
# If you want the server to listen on additional addresses, or on
-# additionnal ports, you can use multiple "listen" sections.
+# additional ports, you can use multiple "listen" sections.
#
# Each section make the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
-# the order in which they are initalized. If one module needs
+# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
# from C source files, and (at your command) removes the duplicates.
#
# It is meant to be run ONLY by FreeRADUS developers, and has nothing
-# whatsoever to do with RADIUS, FreeRADIUS, or confguring a RADIUS server.
+# whatsoever to do with RADIUS, FreeRADIUS, or configuring a RADIUS server.
#
######################################################################
#
}
/*
- * Add non-protocol attibutes.
+ * Add non-protocol attributes.
*/
if (compat) {
#ifdef WITH_PROXY
/*
* EAP authorization DEPENDS on other rlm authorizations,
- * to check for user existance & get their configured values.
+ * to check for user existence & get their configured values.
* It Handles EAP-START Messages, User-Name initilization.
*/
static rlm_rcode_t mod_authorize(void *instance, REQUEST *request)
# Do server side ip pool management. Should be added in post-auth and
# accounting sections.
#
- # The module also requires the existance of the Pool-Name
+ # The module also requires the existence of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools
# for different users. The Pool-Name attribute is a *check* item not
projects / freeradius.git / commitdiff