logdir = @logdir@
includedir = @includedir@
raddbdir = @raddbdir@
+modconfdir = @modconfdir@
radacctdir = @radacctdir@
top_builddir = @abs_top_builddir@
top_build_prefix=@abs_top_builddir@/
SNMPWALK
SNMPGET
PERL
+modconfdir
raddbdir
radacctdir
logdir
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $raddbdir" >&5
$as_echo "$raddbdir" >&6; }
+modconfdir="$raddbdir/mods-config"
+
+
WITH_ASCEND_BINARY=yes
# Check whether --with-ascend-binary was given.
AC_SUBST(raddbdir)
AC_MSG_RESULT($raddbdir)
+modconfdir="$raddbdir/mods-config"
+AC_SUBST(modconfdir)
+
dnl #
dnl # extra argument: --with-ascend-binary
dnl #
+++ /dev/null
-.TH ACCT_USERS 5 "05 August 2000" "" "FreeRADIUS user accounting file"
-.SH NAME
-acct_users \- user accounting file for the FreeRADIUS server
-.SH DESCRIPTION
-The \fBacct_users\fP file resides in the radius database directory, by
-default \fB/etc/raddb\fP. It contains a series of configuration
-directives which are used by the \fIfiles\fP module to decide how to
-log accounting messages.
-
-The format of this file is identical to that of the \fBusers\fP file,
-except that it controls the response to accounting requests, not
-authentication requests.
-
-.SH FILES
-/etc/raddb/acct_users
-.SH "SEE ALSO"
-.BR radclient (1),
-.BR radiusd (8),
-.BR dictionary (5),
-.BR users (5)
-
-.SH AUTHOR
-Alan DeKok <aland@ox.org>
.RE
.sp
..
-.TH rlm_attr_filter 5 "12 February 2008" "" "FreeRADIUS Module"
+.TH rlm_attr_filter 5 "27 June 2013" "" "FreeRADIUS Module"
.SH NAME
rlm_attr_filter \- FreeRADIUS Module
.SH DESCRIPTION
+++ /dev/null
-.\" # DS - begin display
-.de DS
-.RS
-.nf
-.sp
-..
-.\" # DE - end display
-.de DE
-.fi
-.RE
-.sp
-..
-.TH rlm_sql_log 5 "28 May 2005" "" "FreeRADIUS Module"
-.SH NAME
-rlm_sql_log \- FreeRADIUS Module
-.SH DESCRIPTION
-The \fBrlm_sql_log\fP module appends the SQL queries in a log file
-which is read later by the scripts/radsqlrelay Perl program.
-.PP
-The purpose of this module is to de-couple the storage of long-term
-accounting data in SQL from "live" information needed by the RADIUS
-server as it's running. If you are not using SQL for simultaneous
-login restrictions (i.e. "sql" is not listed in the "session" section
-of "radiusd.conf"), then this module allows you to log SQL queries to
-a file, and then process them at your leisure.
-.PP
-The benefit of this approach is that for a busy server, the overhead
-of performing SQL qeuries may be significant. Also, if the SQL
-databases are large (as is typical for ones storing months of data),
-the INSERTs and UPDATEs may take a relatively long time. Rather than
-slowing down the RADIUS server by having it interact with a database,
-you can just log the queries to a file, and then run those queries on
-another machine, or at a time when the RADIUS server is typically
-lightly loaded.
-.PP
-If the "sql" module is listed in the "session" section of
-"radiusd.conf", then a similar system can still be used. In that
-case, one database would be used to maintain "live" session
-information. That database would be small, fast, and information
-would be deleted from it when a user logs out. A second database
-would store long-term accounting information, as described above.
-.SH LIMITATIONS
-This module only performs the dynamic expansion of the variables found
-in the SQL statements. No operation is executed on the database server.
-(this would be done later by an external program) That means the module
-is useful only with non-"SELECT" statements.
-.SH CONFIGURATION
-The main configuration items to be aware of are the path of the log
-file and the different SQL queries.
-.IP "path"
-An entry named "path" sets the full path of the file where the SQL
-queries are recorded. (this variable is run through dynamic string
-expansion, and can include FreeRADIUS variables to create a dynamic
-filename)
-.IP "Accounting queries"
-When a accounting record is processed, the module searches a config
-entry keyed by the Acct-Status-Type attribute present in the
-packet. For example, the SQL to be run on an accounting start must be
-named "Start" in the configuration for the module. Other usual values
-for Acct-Status-Type are "Stop", "Alive", "Accounting-On", etc. See
-the VALUEs for Acct-Status-Type in the dictionary.rfc2866 file.
-.IP "Post-Auth query"
-An entry named "Post-Auth" sets the query to run during the
-post-authentication stage. This query is mainly used to log sessions
-where there may not be a later accounting packet.
-.PP
-.DS
-modules {
- ...
-.br
- sql_log {
-.br
- path = "${radacctdir}/sql-relay"
-.br
- acct_table = "radacct"
-.br
- postauth_table = "radpostauth"
-.br
- sql_user_name = "%{%{User-Name}:-DEFAULT}"
-.br
-
-.br
- Start = "INSERT INTO ${acct_table} ..."
-.br
- Stop = "UPDATE ${acct_table} SET ..."
-.br
- Alive = "UPDATE ${acct_table} SET ..."
-.br
-
-.br
- Post-Auth = "INSERT INTO ${postauth_table} ..."
-.br
- }
-.br
- ...
-.br
-}
-
-.br
-accounting {
- ...
-.br
- sql_log
- ...
-.br
-}
-.br
-
-.br
-post-auth {
- ...
-.br
- sql_log
- ...
-.br
-}
-.DE
-.SH SECTIONS
-.BR accounting,
-.BR post-auth
-.SH FILES
-.I /etc/raddb/radiusd.conf
-.SH SEE ALSO
-.BR radsqlrelay (8),
-.BR radiusd (8),
-.BR radiusd.conf (5)
-.SH AUTHOR
-Nicolas Baradakis <nicolas.baradakis@cegetel.net>
.SH NAME
users \- user authorization file for the FreeRADIUS server
.SH DESCRIPTION
-The \fBusers\fP file resides in the RADIUS database directory, by
-default \fB/etc/raddb\fP. It contains a series of configuration
-directives which are used by the \fIfiles\fP module to decide how to
-authorize and authenticate each user request.
+The \fBusers\fP files reside in the files module configuration directory,
+by default \fB/etc/raddb/mods-config/files/\fP. It contains a series
+of configuration directives which are used by the \fIfiles\fP
+module to decide how to authorize and authenticate each user request.
Every line starting with a hash sign
.RB (' # ')
entries that set reply attributes.
.SH FILES
-/etc/raddb/users
+/etc/raddb/mods-config/files/
.SH "SEE ALSO"
.BR radclient (1),
.BR radiusd (8),
#
# The list of files to install.
#
-LOCAL_FILES := acct_users clients.conf dictionary templates.conf \
- experimental.conf hints huntgroups \
- preproxy_users proxy.conf radiusd.conf trigger.conf \
- users README.rst
+LOCAL_FILES := clients.conf dictionary templates.conf experimental.conf \
+ proxy.conf radiusd.conf trigger.conf README.rst
-DEFAULT_SITES := default inner-tunnel
-LOCAL_SITES := $(addprefix raddb/sites-enabled/,$(DEFAULT_SITES))
+DEFAULT_SITES := default inner-tunnel
+LOCAL_SITES := $(addprefix raddb/sites-enabled/,$(DEFAULT_SITES))
-DEFAULT_MODULES := always attr_filter cache_eap chap \
- detail detail.log digest dhcp dynamic_clients eap \
- echo exec expiration expr files linelog logintime \
- mschap ntlm_auth pap passwd preprocess radutmp realm \
- replicate soh sradutmp unix utf8
+DEFAULT_MODULES := always attr_filter cache_eap chap \
+ detail detail.log digest dhcp dynamic_clients eap \
+ echo exec expiration expr files linelog logintime \
+ mschap ntlm_auth pap passwd preprocess radutmp realm \
+ replicate soh sradutmp unix utf8
-LOCAL_MODULES := $(addprefix raddb/mods-enabled/,$(DEFAULT_MODULES))
+LOCAL_MODULES := $(addprefix raddb/mods-enabled/,$(DEFAULT_MODULES))
-LOCAL_CERT_FILES := Makefile README xpextensions \
- ca.cnf server.cnf client.cnf bootstrap
+LOCAL_CERT_FILES := Makefile README xpextensions \
+ ca.cnf server.cnf client.cnf bootstrap
+
+LOCAL_CERT_PRODUCTS := $(addprefix $(R)$(raddbdir)/certs/,ca.key ca.pem \
+ client.key client.pem server.key server.pem)
+
+LEGACY_LINKS := $(addprefix $(R)$(raddbdir)/,users huntgroups hints)
-RADDB_DIRS := sites-available sites-enabled mods-available mods-enabled \
- filter policy.d certs
+RADDB_DIRS := certs mods-available mods-enabled policy.d \
+ sites-available sites-enabled \
+ $(patsubst raddb/%,%,$(shell find raddb/mods-config -type d -print))
# Installed directories
-INSTALL_RADDB_DIRS := $(R)$(raddbdir)/ $(addprefix $(R)$(raddbdir)/, \
- $(RADDB_DIRS) $(shell find raddb/sql -type d -print))
+INSTALL_RADDB_DIRS := $(R)$(raddbdir)/ $(addprefix $(R)$(raddbdir)/, $(RADDB_DIRS))
# Grab files from the various subdirectories
-INSTALL_FILES := $(wildcard raddb/sites-available/* raddb/mods-available/*) \
- $(LOCAL_SITES) $(LOCAL_MODULES) \
- $(addprefix raddb/,$(LOCAL_FILES)) \
- $(addprefix raddb/certs/,$(LOCAL_CERT_FILES)) \
- $(wildcard raddb/policy.d/* raddb/filter/*) \
- $(shell find raddb/sql -type f -print)
-
+INSTALL_FILES := $(wildcard raddb/sites-available/* raddb/mods-available/*) \
+ $(LOCAL_SITES) $(LOCAL_MODULES) \
+ $(addprefix raddb/,$(LOCAL_FILES)) \
+ $(addprefix raddb/certs/,$(LOCAL_CERT_FILES)) \
+ $(shell find raddb/mods-config -type f -print) \
+ $(shell find raddb/policy.d -type f -print)
# Re-write local files to installed files, filtering out editor backups
-INSTALL_RADDB := $(patsubst raddb/%,$(R)$(raddbdir)/%,\
+INSTALL_RADDB := $(patsubst raddb/%,$(R)$(raddbdir)/%,\
$(filter-out %~,$(INSTALL_FILES)))
all: build.raddb
# Set up the default modules for running in-source builds
raddb/mods-enabled/%: raddb/mods-available/% | raddb/mods-enabled
- @echo LN-S $@
+ @echo "LN-S $@"
@cd $(dir $@) && ln -sf ../mods-available/$(notdir $@)
# Set up the default sites for running in-source builds
raddb/sites-enabled/%: raddb/sites-available/% | raddb/sites-enabled
- @echo LN-S $@
+ @echo "LN-S $@"
@cd $(dir $@) && ln -sf ../sites-available/$(notdir $@)
# Installation rules for directories. Note permissions are 750!
$(R)$(raddbdir)/%: | raddb/%
@echo INSTALL $(patsubst $(R)$(raddbdir)/%,raddb/%,$@)
@$(INSTALL) -m 640 $(patsubst $(R)$(raddbdir)/%,raddb/%,$@) $@
-
-.PHONY: certs.bootstrap
-certs.bootstrap:
- @echo BOOTSTRAP certs
+
+# Create symbolic links for legacy files
+$(R)$(raddbdir)/huntgroups : $(R)$(modconfdir)/preprocess/huntgroups
+ @echo "LN-S $@ -> $<"
+ @ln -s $< $@
+
+$(R)$(raddbdir)/hints : $(R)$(modconfdir)/preprocess/hints
+ @echo "LN-S $@ -> $<"
+ @ln -s $< $@
+
+$(R)$(raddbdir)/users : $(R)$(modconfdir)/files/authorize
+ @echo "LN-S $@ -> $<"
+ @ln -s $< $@
+
+
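Review bot: The three legacy-link rules (`huntgroups`, `hints`, `users`) run `ln -s $< $@`, and `$<` expands to `$(R)$(modconfdir)/...`, so the `$(R)` prefix is baked into the link target. If `$(R)` is a staging root, as its position in front of every install path suggests, a packaged link will point into the build tree and either dangle or resolve to an unintended path on the installed system. Store the target without the prefix, e.g. `@ln -s $(modconfdir)/preprocess/huntgroups $@`, and likewise for the other two. Plain `ln -s` also fails with "File exists" when an upgrade finds a real legacy file that is older than its replacement; not clobbering it is the right outcome, but it should be reported explicitly rather than left to a raw ln error.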
+$(LOCAL_CERT_PRODUCTS):
+ @echo BOOTSTRAP $(R)$(raddbdir)/certs/
@$(MAKE) -C $(R)$(raddbdir)/certs/
# Bootstrap is special
-$(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap certs.bootstrap
+$(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
@echo INSTALL $(patsubst $(R)$(raddbdir)/%,raddb/%,$@)
@$(INSTALL) -m 750 $(patsubst $(R)$(raddbdir)/%,raddb/%,$@) $@
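Review bot: `$(LOCAL_CERT_PRODUCTS):` is an explicit rule with six targets, which GNU Make treats as six independent rules sharing one recipe, so under `make -j` several `$(MAKE) -C $(R)$(raddbdir)/certs/` runs can start at once and race while writing the CA, server and client keys. The rule also has no prerequisites, so nothing orders it after the installation of the certs `Makefile` and `*.cnf` files it needs. Assuming the sub-make's default goal builds all six products, keep the recipe on one target and hang the rest off it, e.g. `$(filter-out %/ca.pem,$(LOCAL_CERT_PRODUCTS)): $(R)$(raddbdir)/certs/ca.pem`, and give `ca.pem` an order-only dependency on the installed `Makefile` and `*.cnf` files. Do not include `bootstrap` in that dependency, because it already waits on these products.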
# List directories before the file targets.
# It's not clear why GNU Make doesn't deal well with this.
-install.raddb: $(INSTALL_RADDB_DIRS) $(INSTALL_RADDB)
+install.raddb: | $(INSTALL_RADDB_DIRS) $(INSTALL_RADDB) $(LEGACY_LINKS)
clean.raddb:
@rm -f *~ $(addprefix raddb/sites-enabled/,$(DEFAULT_SITES)) \
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
- file = ${confdir}/filter/post-proxy
+ file = ${modconfdir}/${.:name}/post-proxy
}
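Review bot: Missing documentation: the `file =` lines in all five attr_filter instances now use `${.:name}` without any comment, whereas the files and preprocess modules in this commit explain their `moddir` setting. A reader cannot tell from here that the filter files are expected in a per-module subdirectory of mods-config. Add a comment above the first `file =` line, such as `# Filter files live in the mods-config subdirectory named after this module (presumably ${modconfdir}/attr_filter/).`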
# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
- file = ${confdir}/filter/pre-proxy
+ file = ${modconfdir}/${.:name}/pre-proxy
}
# Enforce RFC requirements on the contents of Access-Reject
#
attr_filter attr_filter.access_reject {
key = %{User-Name}
- file = ${confdir}/filter/access_reject
+ file = ${modconfdir}/${.:name}/access_reject
}
# Enforce RFC requirements on the contents of Access-Challenge
#
attr_filter attr_filter.access_challenge {
key = %{User-Name}
- file = ${confdir}/filter/access_challenge
+ file = ${modconfdir}/${.:name}/access_challenge
}
#
attr_filter attr_filter.accounting_response {
key = %{User-Name}
- file = ${confdir}/filter/accounting_response
+ file = ${modconfdir}/${.:name}/accounting_response
}
sqlite {
filename = ${radacctdir}/cui.sqlite
- bootstrap = ../sql/cui/sqlite/schema.sql
+ bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql
}
# sqltrace = yes
cui_table = "cui"
sql_user_name = "%{User-Name}"
- $INCLUDE ../sql/cui/${dialect}/queries.conf
+ $INCLUDE ${modconfdir}/${.:name}/cui/${dialect}/queries.conf
}
pool-key = "%{Calling-Station-Id}"
# For now, it only works with MySQL.
- $INCLUDE ${confdir}/sql/ippool-dhcp/mysql/queries.conf
+ $INCLUDE ${modconfdir}/sql/ippool-dhcp/mysql/queries.conf
sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
# Livingston-style 'users' file
#
files {
+ # Search for files in a subdirectory of mods-config which
+ # matches this instance of the files module.
+ moddir = ${modconfdir}/${.:instance}
+
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
#key = "%{Stripped-User-Name:-%{User-Name}}"
- usersfile = ${confdir}/users
- acctusersfile = ${confdir}/acct_users
- preproxy_usersfile = ${confdir}/preproxy_users
+ # Sets a common file for all sections which do not have
+ # specific files configured. It's recommended that
+ # per section instances of 'files' are used, as per section
+ # files will be deprecated in a future release.
+ file = ${moddir}/authorize
+
+ usersfile = ${moddir}/authorize
+ acctusersfile = ${moddir}/accounting
+ preproxy_usersfile = ${moddir}/pre-proxy
# If you want to use the old Cistron 'users' file
# with FreeRADIUS, you should change the next line
######################################################################
passwd mac2ip {
- filename = ${confdir}/mac2ip
+ filename = ${modconfdir}/${.:name}/${.:instance}
format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
delimiter = ","
}
# ...
#
passwd mac2vlan {
- filename = ${confdir}/mac2vlan
+ filename = ${modconfdir}/${.:name}/${.:instance}
format = "*VMPS-Mac:=VMPS-VLAN-Name"
delimiter = ","
}
# 'rlm_exec' module, but it is persistent, and therefore
# faster.
#
- module = ${confdir}/example.pl
+ module = ${modconfdir}/${.:instance}/example.pl
#
# The following hashes are given to the module and
# is a little more standard.
#
preprocess {
- huntgroups = ${confdir}/huntgroups
- hints = ${confdir}/hints
+ # Search for files in a subdirectory of mods-config which
+ # matches this instance of the preprocess module.
+ moddir = ${modconfdir}/${.:instance}
+
+ huntgroups = ${moddir}/huntgroups
+ hints = ${moddir}/hints
# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
nas_table = "nas"
# Read database-specific queries
- $INCLUDE ../sql/main/${dialect}/queries.conf
+ $INCLUDE ${modconfdir}/${.:name}/${dialect}/queries.conf
}
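Review bot: The new `$INCLUDE ${modconfdir}/${.:name}/${dialect}/queries.conf` drops the `main/` component that the old `../sql/main/${dialect}/queries.conf` had, while the cui and ippool includes elsewhere in this commit keep their `cui/` and `ippool/` components. If the main queries were moved to `mods-config/sql/main/<dialect>/` along with the rest, this include will not resolve and the sql module will fail to load at startup. Confirm where the files landed; if they are under `main/`, the line should read `$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf`. The enclosing sql block starts outside the hunk.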
+++ /dev/null
-# Configuration for the SQL based IP Pool module (rlm_sqlippool)
-#
-# Database queries and main configuration are available at:
-#
-# raddb/sql/counter/<DB>/schema.sql
-# raddb/sql/counter/<DB>/queries.conf
-#
-# $Id$
-
-$INCLUDE sql/counter/mysql/queries.conf
# Use the same database as configured in the "sql" module, "database"
# configuration item.
#
- $INCLUDE sql/ippool/${modules.${sql-instance-name}.dialect}/queries.conf
+ $INCLUDE ${modconfdir}/sql/ippool/${modules.${sql-instance-name}.dialect}/queries.conf
}
#
# Yubikey authentication needs two control attributes
# retrieved from persistent storage:
- # * Yubikey-Key - The AES key use to decrypt the OTP data.
+ # * Yubikey-Key - The AES key used to decrypt the OTP data.
# The Yubikey-Public-Id and/or User-Name
# attrubutes may be used to retrieve the key.
# * Yubikey-Counter - This is compared with the counter in the OTP
# decryption.
#
# Yubikey-Counter isn't strictly required, but the server will
- # generate warnings if it's not present when Yubikey.authenticate
+ # generate warnings if it's not present when yubikey.authenticate
# is called.
#
# These attributes are available after authorization:
# Location of config and logfiles.
confdir = ${raddbdir}
+modconfdir = ${raddbdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
SRC_CFLAGS := @mod_cflags@
TGT_LDLIBS := @mod_ldflags@
-install: $(R)$(raddbdir)/example.pl
+install: $(R)$(modconfdir)/perl/example.pl
-$(R)$(raddbdir)/example.pl: src/modules/rlm_perl/example.pl | $(R)$(raddbdir)/
+$(R)$(modconfdir)/perl: $(R)$(modconfdir)
+ @echo MKDIR $@
+ @mkdir -p $@
+
+$(R)$(modconfdir)/perl/example.pl: src/modules/rlm_perl/example.pl | $(R)$(modconfdir)/perl
@$(ECHO) INSTALL $(notdir $<)
- @$(INSTALL) -m 755 $< $(R)$(raddbdir)/
+ @$(INSTALL) -m 755 $< $(R)$(modconfdir)/perl
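Review bot: `$(R)$(modconfdir)/perl: $(R)$(modconfdir)` makes the parent directory a normal prerequisite and creates the new directory with a bare `mkdir -p`, so its mode comes from the installer's umask rather than the 750 that the raddb install rules call out ("Note permissions are 750!"). A directory's mtime changes whenever an entry is added to it, so the prerequisite should be order-only: `$(R)$(modconfdir)/perl: | $(R)$(modconfdir)`. For the mode, `@$(INSTALL) -d -m 750 $@` would match the rest of the configuration tree, provided `$(INSTALL)` accepts `-d` here. The rlm_python and rlm_ruby hunks that follow repeat the same rule and need the same change.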
SRC_CFLAGS := @mod_cflags@
TGT_LDLIBS := @mod_ldflags@
-install: $(R)$(raddbdir)/example.py
+install: $(R)$(modconfdir)/python/example.py
-$(R)$(raddbdir)/example.py: src/modules/rlm_python/example.py | $(R)$(raddbdir)/
+$(R)$(modconfdir)/python: $(R)$(modconfdir)
+ @echo MKDIR $@
+ @mkdir -p $@
+
+$(R)$(modconfdir)/python/example.py: src/modules/rlm_python/example.py | $(R)$(modconfdir)/python
@$(ECHO) INSTALL $(notdir $<)
- @$(INSTALL) -m 755 $< $(R)$(raddbdir)/
+ @$(INSTALL) -m 755 $< $(R)$(modconfdir)/python
SRC_CFLAGS := @mod_cflags@
TGT_LDLIBS := @mod_ldflags@
-install: $(R)$(raddbdir)/example.rb
+install: $(R)$(modconfdir)/ruby/example.rb
-$(R)$(raddbdir)/example.rb: src/modules/rlm_ruby/example.rb | $(R)$(raddbdir)/
+$(R)$(modconfdir)/ruby: $(R)$(modconfdir)
+ @echo MKDIR $@
+ @mkdir -p $@
+
+$(R)$(modconfdir)/ruby/example.rb: src/modules/rlm_ruby/example.rb | $(R)$(modconfdir)/ruby
@$(ECHO) INSTALL $(notdir $<)
- @$(INSTALL) -m 755 $< $(R)$(raddbdir)/
+ @$(INSTALL) -m 755 $< $(R)$(modconfdir)/ruby