++<<<<<<< HEAD
+#Module for PSK authorizations from ABFAb trust router
++=======
+ # -*- text -*-
+ ##
+ ## Module for PSK authorizations from ABFAB trust router
+ ##
+ ## $Id$
+
++>>>>>>> v3.0.x
sql psksql {
driver = "rlm_sql_sqlite"
sqlite {
filename = "/var/lib/trust_router/keys"
++<<<<<<< HEAD
+ }
+
+ }
++=======
+ }
+
+ }
++>>>>>>> v3.0.x
reject
}
}
- # set trust-router-coi attribute from client configuration
+
+ # set trust-router-coi attribute from the client configuration
- if ("%{client:trust-router_coi}") {
+ if ("%{client:trust_router_coi}") {
update proxy-request {
- trust-router-coi := "%{client:trust_router_coi}"
- Trust-Router-COI := "%{client:moonshot_coi}"
++ Trust-Router-COI := "%{client:trust_router_coi}"
}
}
- # set gss-acceptor-realm-name attribute from client configuration
+
+ # set gss-acceptor-realm-name attribute from the client configuration
if ("%{client:gss_acceptor_realm_name}") {
update proxy-request {
- gss-acceptor-realm-name := "%{client:gss_acceptor_realm_name}"
+ GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}"
}
}
}
--#
- # A virtual server which is used to validate channel-bindings.
+ # A policy which is used to validate channel-bindings.
#
abfab_channel_bindings {
if (GSS-Acceptor-Service-Name && (outer.request:GSS-Acceptor-Service-Name != GSS-Acceptor-Service-Name)) {
++<<<<<<< HEAD
++=======
+ #
+ # Example configuration for ABFAB listening on TLS.
+ #
+ # $Id$
+ #
++>>>>>>> v3.0.x
listen {
ipaddr = *
port = 2083
type = auth
proto = tcp
++<<<<<<< HEAD
+ clients = radsec-abfab
+ tls {
+ private_key_password = whatever
++=======
+ tls {
+ private_key_password = whatever
+
++>>>>>>> v3.0.x
# Moonshot tends to distribute certs separate from keys
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
fragment_size = 8192
ca_path = ${cadir}
cipher_list = "DEFAULT"
++<<<<<<< HEAD
+ cache {
+ enable = no
+ lifetime = 24 # hours
+ max_entries = 255
+ }
+
+ require_client_cert = yes
+ verify {
+ }
+ psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{tls-psk-identity}';}"
+ }
+ virtual_server = abfab-idp
+}
+ clients radsec-abfab {
+ client default {
+ ipaddr = 0.0.0.0/0
+
+ proto = tls
+
++=======
+
+ cache {
+ enable = no
+ lifetime = 24 # hours
+ max_entries = 255
+ }
+
+ require_client_cert = yes
+ verify {
+ }
+
+ psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Udentity}'}"
+ }
+
+ virtual_server = abfab-idp
+
+ clients = radsec-abfab
+ }
+
+ clients radsec-abfab {
+ #
+ # Allow all clients, but require TLS.
+ #
+ client default {
+ ipaddr = 0.0.0.0/0
+ proto = tls
++>>>>>>> v3.0.x
}
}