"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry>
<refentryinfo>
- <date>2009-02-18</date>
+ <date>2009-03-12</date>
</refentryinfo>
<refmeta>
<refentrytitle>
<application>radsecproxy.conf</application>
</refentrytitle>
<manvolnum>5</manvolnum>
- <refmiscinfo>radsecproxy devel 2009-02-18</refmiscinfo>
+ <refmiscinfo>radsecproxy devel 2009-03-12</refmiscinfo>
</refmeta>
<refnamediv>
<refname>
</para>
<para>
There are two types of configuration structures than can be used. The first
-and simplest are lines of the format <emphasis>option value</emphasis>. That
+and simplest are lines on the format <emphasis>option value</emphasis>. That
is, an option name, see below for a list of valid options, followed by
whitespace (at least one space or tab character), followed by a value. Note
that if the value contains whitespace, then it must be quoted using
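Review bot: "lines on the format" in the changed line is less idiomatic than the "of the format" it replaces; "of the format" (or "of the form") is the standard English phrasing. Suggest dropping this substitution. The unchanged line above also reads "than can be used" where "that can be used" is meant, which could be fixed while the paragraph is being touched.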
<term><literal>logLevel</literal></term>
<listitem>
<para>
-This option specifies the debug level. It must be set to 1, 2, 3 or 4, where 1
-logs only serious errors, and 4 logs everything. The default is 3 which logs
-errors, warnings and some informational messages. Note that the command line
+This option specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where
+1 logs only serious errors, and 5 logs everything. The default is 2 which logs
+errors, warnings and a few informational messages. Note that the command line
option <option>-d</option> overrides this.
</para>
</listitem>
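Review bot: the new logLevel text moves the default from 3 to 2 and adds level 5, but it describes only level 1, level 5 and the default, so a reader cannot tell what levels 3 and 4 add. Anyone running without an explicit logLevel now gets "a few" rather than "some" informational messages. Suggest listing what each level logs and calling out the changed default, so operators who depend on these logs for monitoring know to set the level explicitly.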
<literal>1812</literal> if configured to handle UDP clients. On most systems it
will do this for all of the system's IP addresses (both IPv4 and IPv6). On some
systems however, it may respond to only IPv4 or only IPv6. To specify an
-alternate port you may use a value of the form <literal>*:port</literal> where
+alternate port you may use a value on the form <literal>*:port</literal> where
port is any valid port number. If you also want to specify a specific address
you can do e.g. <literal>192.168.1.1:1812</literal> or
<literal>[2001:db8::1]:1812</literal>. The port may be omitted if you want the
will never be sent to a server named the same as the client it was received
from. I.e., the names of the client block and the server block are compared.
Note that this only gives limited protection against loops.
+It can be used as a basic option and inside server blocks where it overrides
+the basic setting.
</para>
</listitem>
</varlistentry>
The client block is used to configure a client. That is, tell the proxy about a
client, and what parameters should be used for that client. The name of the
client block must (with one exception, see below) be either the IP address
-(IPv4 or IPv6) of the client, an IP prefix (IPv4 or IPv6) of the form
+(IPv4 or IPv6) of the client, an IP prefix (IPv4 or IPv6) on the form
IpAddress/PrefixLength, or a domain name (FQDN). Note that literal IPv6
addresses must be enclosed in brackets.
</para>
specify that the User-Name attribute in a client request shall be rewritten in
the request sent by the proxy. The User-Name attribute is written back to the
original value if a matching response is later sent back to the client. The
-value must be of the form User-Name:/regexpmatch/replacement/. Example usage:
+value must be on the form User-Name:/regexpmatch/replacement/. Example usage:
<blockquote>
<para>
-rewriteAttribute User-Name:/^(.*)@local$/$1@example.com/
+rewriteAttribute User-Name:/^(.*)@local$/\1@example.com/
</para>
</blockquote>
</para>
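Review bot: the rewriteAttribute example switches its replacement from "$1" to "\1", but the sentence before it still gives only the form User-Name:/regexpmatch/replacement/ and never says how a captured group is referenced. Suggest adding a sentence that states the backreference syntax and what happens to an existing "$1" in a configuration, since a rewrite that quietly produces the wrong User-Name changes which identity is forwarded upstream.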
<literal>rewrite</literal>,
<literal>rewriteIn</literal>, <literal>rewriteOut</literal>,
<literal>statusServer</literal>, <literal>retryCount</literal>,
-<literal>retryInterval</literal> and <literal>dynamicLookupCommand</literal>.
+<literal>retryInterval</literal>, <literal>dynamicLookupCommand</literal>
+and <literal>loopPrevention</literal>.
</para>
<para>
We already discussed the <literal>host</literal> option. The
command that should be executed to dynamically configure and use a server.
The use of this feature will be documented separately/later.
</para>
+ <para>
+Using the <literal>loopPrevention</literal> option here overrides any
+basic setting of this option. See section <literal>BASIC
+OPTIONS</literal> for details on this option.
+ </para>
</refsect1>
<refsect1>
<title>Realm Block</title>
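Review bot: in the added loopPrevention paragraph the section name is marked up as a literal and split across a line break ("BASIC" at the end of one line, "OPTIONS" at the start of the next). The visible section titles in this file are written in title case ("Realm Block"). Suggest keeping the name on one line and either matching the title as written in the source or using a proper cross-reference, so the pointer stays correct if the section is renamed.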
using the <literal>rewriteOut</literal> option.
</para>
<para>
-The available rewrite block options are <literal>addAttribute</literal>,
+The available rewrite block options
+are <literal>addAttribute</literal>, <literal>addVendorAttribute</literal>,
<literal>removeAttribute</literal>, <literal>removeVendorAttribute</literal>
and <literal>modifyAttribute</literal>. They can all be specified none, one
or multiple times.
</para>
<para>
-<literal>addAttribute</literal> is used to add attributes to a message. The
-option value must be of the form <literal>attribute:value</literal> where
-attribute is a numerical value specifying the attribute.
+<literal>addAttribute</literal> is used to add attributes to a
+message. The option value must be on the
+form <literal>attribute:value</literal> where attribute is a numerical
+value specifying the attribute. Simliarly,
+the <literal>addVendorAttribute</literal> is used to specify a vendor
+attribute to be added. The option value must be on the
+form <literal>vendor:subattribute:value</literal>, where vendor and
+subattribute are numerical values.
</para>
<para>
The <literal>removeAttribute</literal> option is used to specify an
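Review bot: "Simliarly" in the added addVendorAttribute sentence is a typo for "Similarly", and "the addVendorAttribute is used" carries an article that the parallel removeVendorAttribute sentence does not. modifyAttribute has an example further down, but the new option has none. Suggest adding a one-line example of the vendor:subattribute:value form and saying how the value part is interpreted, since the text only says that vendor and subattribute are numerical.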
must be a numerical value specifying which attribute is to be removed.
Similarly, <literal>removeVendorAttribute</literal> is used to specify a
vendor attribute that is to be removed. The value can be a numerical value
-for removing all attributes from a given vendor, or of the form
+for removing all attributes from a given vendor, or on the form
<literal>vendor:subattribute</literal>, where vendor and subattribute are
numerical values, for removing a specific subattribute for a specific
vendor.
</para>
<para>
<literal>modifyAttribute</literal> is used to specify modification of
-attributes. The value must be of the form
+attributes. The value must be on the form
<literal>attribute:/regexpmatch/replacement/</literal> where attribute is
a numerical attribute type, regexpmatch is regexp matching rule and
replacement specifies how to replace the matching regexp. Example usage:
<blockquote>
<para>
-modifyAttribute 1:/^(.*)@local$/$1@example.com/
+modifyAttribute 1:/^(.*)@local$/\1@example.com/
</para>
</blockquote>
</para>