From: Dan Breslau Date: Wed, 10 May 2017 20:25:03 +0000 (-0400) Subject: Merged the custom logging that I'd added on the now-defunct debian branch post 3... X-Git-Tag: moonshot_release_3_0_13~1 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=freeradius.git;a=commitdiff_plain;h=429c2bc33ab09d69c81e2d1e7e69bb9afdabf183 Merged the custom logging that I'd added on the now-defunct debian branch post 3.0.12. (This logging is disabled by default.) --- diff --git a/raddb/mods-available/moonshot_custom_linelog b/raddb/mods-available/moonshot_custom_linelog new file mode 100644 index 0000000..2ff2652 --- /dev/null +++ b/raddb/mods-available/moonshot_custom_linelog 
@@ -0,0 +1,75 @@ +# This script can be used in the sites-available/inner-tunnel file (on an IdP() +# or sites-available/abfab-tr-idp file (on a Moonshot RP Proxy) to log the +# values of certain attributes that are returned to the client. +# +# This is for testing and debugging purposes; it is not enabled by default. +# To enable: +# +# 1) Add a softlink from ../mods-enabled/custom_linelog to this file +# +# 2) If on an IdP, uncomment the lines in sites-available/inner-tunnel that +# contain "log_moonshot_authn_idp" +# +# 3) If on a Moonshot RP Proxy, uncomment the lines in sites-available/abfab-tr-idp +# that contain "log_moonshot_authn_rp_proxy" + + +linelog log_moonshot_authn_rp_proxy { + destination = file + + # + # Used if the expansion of "reference" fails. + # + format = "" + +# file { + filename = ${logdir}/moonshot-authn-linelog + + permissions = 0600 +# } + + reference = "messages.%{%{reply:Packet-Type}:-default}" + + # + # The messages defined here are taken from the "reference" + # expansion, above. + # + # Pairs may be attributes refs, xlats, literals or execs. + messages { + default = "Unknown packet type %{Packet-Type}" + + Access-Accept = "moonshot-auth#AUTH=OK#TIME=%T#IP=%{request:Packet-Src-IP-Address}#SVC=%{%{request:GSS-Acceptor-Service-Name}:-none}/%{%{request:GSS-Acceptor-Host-Name}:-none}#FROM=%{%{request:Realm}:-LOCAL}#MOONSHOT_HOST_TID=%{reply:Moonshot-Host-TargetedId}#MOONSHOT_REALM_TID=%{reply:Moonshot-Realm-TargetedId}#MOONSHOT_COI_TID=%{reply:Moonshot-TR-COI-TargetedId}#MOONSHOT_SAML=%{%{reply:SAML-AAA-Assertion[*]}:-none}" + Access-Reject = "moonshot-auth#AUTH=FAIL#TIME=%T#IP=%{request:Packet-Src-IP-Address}#SVC=%{%{request:GSS-Acceptor-Service-Name}:-none}/%{%{request:GSS-Acceptor-Host-Name}:-none}#FROM=%{%{request:Realm}:-LOCAL}#FAILURE_REASON=%{%{reply:EAP-Message}:-%{reply:Reply-Message[*]}:-unknown}" + } +} + + + +linelog log_moonshot_authn_idp { + destination = file + + # + # Used if the expansion of "reference" fails. 
+ # + format = "" + +# file { + filename = ${logdir}/moonshot-authn-linelog + + permissions = 0600 +# } + + reference = "messages.%{%{reply:Packet-Type}:-default}" + + # + # The messages defined here are taken from the "reference" + # expansion, above. + # + # Pairs may be attributes refs, xlats, literals or execs. + messages { + default = "Unknown packet type %{Packet-Type}" + + Access-Accept = "moonshot-auth#AUTH=OK#TIME=%T#IP=%{request:Packet-Src-IP-Address}#SVC=%{%{request:GSS-Acceptor-Service-Name}:-none}/%{%{request:GSS-Acceptor-Host-Name}:-none}#FROM=%{%{request:Realm}:-LOCAL}#USERNAME=%{request:User-Name}#MOONSHOT_HOST_TID=%{reply:Moonshot-Host-TargetedId}#MOONSHOT_REALM_TID=%{reply:Moonshot-Realm-TargetedId}#MOONSHOT_COI_TID=%{reply:Moonshot-TR-COI-TargetedId}#MOONSHOT_SAML=%{%{reply:SAML-AAA-Assertion[*]}:-none}" + Access-Reject = "moonshot-auth#AUTH=FAIL#TIME=%T#IP=%{request:Packet-Src-IP-Address}#SVC=%{%{request:GSS-Acceptor-Service-Name}:-none}/%{%{request:GSS-Acceptor-Host-Name}:-none}#FROM=%{%{request:Realm}:-LOCAL}#USERNAME=%{request:User-Name}#FAILURE_REASON=%{%{reply:EAP-Message}:-%{reply:Reply-Message[*]}:-unknown}" + } +} diff --git a/raddb/sites-available/abfab-tr-idp b/raddb/sites-available/abfab-tr-idp index 3ef581e..61bc9e4 100644 --- a/raddb/sites-available/abfab-tr-idp +++ b/raddb/sites-available/abfab-tr-idp @@ -12,7 +12,7 @@ server abfab-idp { authorize { - psk_authorize + psk_authorize abfab_client_check filter_username preprocess @@ -30,9 +30,9 @@ authorize { # cui suffix { - updated = 1 + updated = 1 noop = reject - } + } eap { ok = return } @@ -96,6 +96,11 @@ post-auth { exec # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap + + # Uncomment to enable logging of certain Moonshot attributes. See + # mods-available/moonshot_custom_linelog. + # log_moonshot_authn_rp_proxy + # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # 
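Review bot: The enabling instructions at the top of the new raddb/mods-available/moonshot_custom_linelog do not match the file's own name: step 1 says to link `../mods-enabled/custom_linelog` to this file, while the hooks added to sites-available/abfab-tr-idp and sites-available/inner-tunnel point at `mods-available/moonshot_custom_linelog`; because the instance names come from the `linelog log_moonshot_authn_*` lines rather than from the link name this still loads, but the step should read `1) Add a softlink from ../mods-enabled/moonshot_custom_linelog to this file` (and `(on an IdP()` in the first comment line is missing its closing parenthesis). The `#`-separated record is assembled from peer-supplied attributes (`User-Name`, `Realm`, `GSS-Acceptor-*`, `Reply-Message`), so a value containing `#` or a newline shifts or splits the fields for whatever later parses this file; a comment next to the `messages` block such as `# NOTE: attribute values are not escaped; a '#' or newline inside one breaks the field layout` would warn consumers not to trust the field boundaries (or enable output escaping if this linelog build offers it). `FAILURE_REASON` tries `reply:EAP-Message` before `reply:Reply-Message[*]`, and on a reject the EAP-Message is normally the EAP-Failure packet rather than text, so the readable reason is likely to be shadowed whenever EAP is in use — reversing the two alternatives would probably give the value the format intends. The file also writes `User-Name` and the full SAML assertion to disk; `permissions = 0600` covers the file mode, but a sentence on retention and rotation for this log would help the operators who enable it.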
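Review bot: Uncommenting every `log_moonshot_authn_rp_proxy` line this commit adds to raddb/sites-available/abfab-tr-idp would log successful authentications twice, if I read the nesting right: the line added here after `remove_reply_message_if_eap` and the one added in hunk `@@ -119,6 +128,10 @@` after the closing brace of `Post-Auth-Type REJECT` both sit in the main `post-auth` flow, which runs only for accepts, while only the copy inside the REJECT sub-section (`@@ -103,6 +108,10 @@`) covers rejects. One of the two accept-path placements should go, or the comments should say which one to use, e.g. `# Uncomment to log successful authentications (use exactly one of the two locations in post-auth)`. The same three-placement layout appears in raddb/sites-available/inner-tunnel for `log_moonshot_authn_idp` (`@@ -354,6 +354,10 @@`, `@@ -362,6 +366,10 @@`, `@@ -373,6 +381,9 @@`); the last of those hunks is cut off at the end of this view, so I could not confirm the third placement there. The enclosing `post-auth` section begins before this hunk.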
@@ -103,6 +108,10 @@ post-auth { # 'edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { + # Uncomment to enable logging of certain Moonshot attributes. See + # mods-available/moonshot_custom_linelog. + # log_moonshot_authn_rp_proxy + # log failed authentications in SQL, too. -sql attr_filter.access_reject @@ -119,6 +128,10 @@ post-auth { # Remove reply message if the response contains an EAP-Message remove_reply_message_if_eap } + + # Uncomment to enable logging of certain Moonshot attributes. See + # mods-available/moonshot_custom_linelog. + # log_moonshot_authn_rp_proxy } # # When the server decides to proxy a request to a home server, diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel index 5479352..b4d26cf 100644 --- a/raddb/sites-available/inner-tunnel +++ b/raddb/sites-available/inner-tunnel @@ -354,6 +354,10 @@ post-auth { } } + # Uncomment to enable logging of certain Moonshot attributes. See + # mods-available/moonshot_custom_linelog. + # log_moonshot_authn_idp + # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. @@ -362,6 +366,10 @@ post-auth { # 'edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { + # Uncomment to enable logging of certain Moonshot attributes. See + # mods-available/moonshot_custom_linelog. + # log_moonshot_authn_idp + # log failed authentications in SQL, too. -sql attr_filter.access_reject @@ -373,6 +381,9 @@ post-auth { &Module-Failure-Message := &request:Module-Failure-Message } } + # Uncomment to enable logging of certain Moonshot attributes. See + # mods-available/moonshot_custom_linelog. + # log_moonshot_authn_idp } #