"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry>
<refentryinfo>
- <date>2012-12-12</date>
+ <date>2012-04-27</date>
</refentryinfo>
<refmeta>
<refentrytitle>
<application>radsecproxy.conf</application>
</refentrytitle>
<manvolnum>5</manvolnum>
- <refmiscinfo>radsecproxy 1.6-dev</refmiscinfo>
+ <refmiscinfo>radsecproxy 1.6</refmiscinfo>
</refmeta>
<refnamediv>
<refname>
When the proxy server starts, it will first check the command
line arguments, and then read the configuration file. Normally
radsecproxy will read the configuration file
- <filename>/etc/radsecproxy.conf</filename>. The command line
+ <filename>/usr/local/etc/radsecproxy.conf</filename>. The command line
<option>-c</option> option can be used to instead read an
alternate file (see
<citerefentry>
shell globbing to specify multiple files, e.g.:
<blockquote>
<para>
- include /etc/radsecproxy.conf.d/*.conf
+ include /usr/local/etc/radsecproxy.conf.d/*.conf
</para>
</blockquote>
The files are sorted alphabetically. Included files are read in
</para>
<variablelist>
<varlistentry>
+ <term><literal>PidFile</literal></term>
+ <listitem>
+ <para>
+ The PidFile option specifies the name of a file to which
+ the process id (PID) will be written. This is overridden
+ by the <option>-i</option> command line option. There is
+ no default value for the PidFile option.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><literal>LogLevel</literal></term>
<listitem>
<para>
</varlistentry>
<varlistentry>
+ <term><literal>FTicksSyslogFacility</literal></term>
+ <listitem>
+ <para>
+ The FTicksSyslogFacility option is used to specify a
+ dedicated syslog facility for F-Ticks messages. This
+ allows for easier filtering of F-Ticks messages. If no
+ FTicksSyslogFacility option is given, F-Ticks messages are
+ written to what the LogDestination option specifies.
+ </para>
+ <para>
+ F-Ticks messages are always logged using the log level
+ LOG_DEBUG. Note that specifying a file in
+ FTicksSyslogFacility (using the file:/// prefix) is
+ not supported.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><literal>ListenUDP</literal></term>
<listitem>
<para>
</listitem>
</varlistentry>
<varlistentry>
+ <term><literal>IPv4Only and IPv6Only</literal></term>
+ <listitem>
+ <para>
+ These can be set to <literal>on</literal> or
+ <literal>off</literal> with <literal>off</literal> being
+ the default. At most one of <literal>IPv4Only</literal>
+ and <literal>IPv6Only</literal> can be enabled. Enabling
+ <literal>IPv4Only</literal> or <literal>IPv6Only</literal>
+ makes radsecproxy resolve DNS names to the corresponding
+ address family only, and not the other. This is done for
+ both clients and servers. Note that this can be
+ overridden in <literal>client</literal> and
+ <literal>server</literal> blocks, see below.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><literal>Include</literal></term>
<listitem>
<para>
that client. The name of the client block must (with one
exception, see below) be either the IP address (IPv4 or IPv6) of
the client, an IP prefix (IPv4 or IPv6) on the form
- IpAddress/PrefixLength, or a domain name (FQDN). Note that
- literal IPv6 addresses must be enclosed in brackets.
+ IpAddress/PrefixLength, or a domain name (FQDN). The way an
+ FQDN is resolved into an IP address may be influenced by the use
+ of the <literal>IPv4Only</literal> and
+ <literal>IPv6Only</literal> options. Note that literal IPv6
+ addresses must be enclosed in brackets.
</para>
<para>
If a domain name is specified, then this will be resolved
</para>
<para>
The allowed options in a client block are
- <literal>host</literal>, <literal>type</literal>,
+ <literal>host</literal>, <literal>IPv4Only</literal>,
+ <literal>IPv6Only</literal>, <literal>type</literal>,
<literal>secret</literal>, <literal>tls</literal>,
<literal>certificateNameCheck</literal>,
<literal>matchCertificateAttribute</literal>,
<literal>duplicateInterval</literal>, <literal>AddTTL</literal>,
- <literal>fticksVISCOUNTRY</literal>, <literal>rewrite</literal>,
+ <literal>fticksVISCOUNTRY</literal>,
+ <literal>fticksVISINST</literal>, <literal>rewrite</literal>,
<literal>rewriteIn</literal>, <literal>rewriteOut</literal>, and
<literal>rewriteAttribute</literal>.
- We already discussed the <literal>host</literal> option. The
- value of <literal>type</literal> must be one of
+ We already discussed the <literal>host</literal> option. To
+ specify how radsecproxy should resolve a <literal>host</literal>
+ given as a DNS name, the <literal>IPv4Only</literal> or the
+ <literal>IPv6Only</literal> can be set to <literal>on</literal>.
+ At most one of these options can be enabled. Enabling
+ <literal>IPv4Only</literal> or <literal>IPv6Only</literal> here
+ overrides any basic settings set at the top level.
+
+ The value of <literal>type</literal> must be one of
<literal>udp</literal>, <literal>tcp</literal>,
<literal>tls</literal> or <literal>dtls</literal>. The value of
<literal>secret</literal> is the shared RADIUS key used with
<literal>FTicksReporting</literal> basic option.
</para>
<para>
+ The <literal>fticksVISINST</literal> option overwrites
+ the default <literal>VISINST</literal> value taken from the client
+ block name.
+ </para>
+ <para>
The <literal>rewrite</literal> option is deprecated. Use
<literal>rewriteIn</literal> instead.
</para>
after startup. If the domain name resolves to multiple
addresses, then for UDP/DTLS the first address is used. For
TCP/TLS, the proxy will loop through the addresses until it can
- connect to one of them. In the case of TLS/DTLS, the name of the
- server must match the FQDN or IP address in the server
- certificate.
+ connect to one of them. The way an FQDN is resolved into an IP
+ address may be influenced by the use of the
+ <literal>IPv4Only</literal> and <literal>IPv6Only</literal>
+ options. In the case of TLS/DTLS, the name of the server must
+ match the FQDN or IP address in the server certificate.
</para>
<para>
Alternatively one may use the <literal>host</literal> option
<para>
The allowed options in a server block are
<literal>host</literal>, <literal>port</literal>,
+ <literal>IPv4Only</literal>, <literal>IPv6Only</literal>,
<literal>type</literal>, <literal>secret</literal>,
<literal>tls</literal>, <literal>certificateNameCheck</literal>,
<literal>matchCertificateAttribute</literal>,
<literal>AddTTL</literal>, <literal>rewrite</literal>,
<literal>rewriteIn</literal>, <literal>rewriteOut</literal>,
<literal>statusServer</literal>, <literal>retryCount</literal>,
- <literal>retryInterval</literal>,
<literal>dynamicLookupCommand</literal> and
+ <literal>retryInterval</literal> and
<literal>LoopPrevention</literal>.
</para>
<para>
- We already discussed the <literal>host</literal> option. The
- <literal>port</literal> option allows you to specify which port
- number the server uses. The usage of <literal>type</literal>,
- <literal>secret</literal>, <literal>tls</literal>,
- <literal>certificateNameCheck</literal>,
+
+ We already discussed the <literal>host</literal> option. To
+ specify how radsecproxy should resolve a <literal>host</literal>
+ given as a DNS name, the <literal>IPv4Only</literal> or the
+ <literal>IPv6Only</literal> can be set to <literal>on</literal>.
+ At most one of these options can be enabled. Enabling
+ <literal>IPv4Only</literal> or <literal>IPv6Only</literal> here
+ overrides any basic settings set at the top level.
+
+ The <literal>port</literal> option allows you to specify which
+ port number the server uses. The usage of
+ <literal>type</literal>, <literal>secret</literal>,
+ <literal>tls</literal>, <literal>certificateNameCheck</literal>,
<literal>matchCertificateAttribute</literal>,
<literal>AddTTL</literal>, <literal>rewrite</literal>,
<literal>rewriteIn</literal> and <literal>rewriteOut</literal>
<para>
The option <literal>dynamicLookupCommand</literal> can be used
to specify a command that should be executed to dynamically
- configure and use a server. The use of this feature will be
- documented separately/later.
+ configure a server. The executable file should be given with
+ full path and will be invoked with the name of the realm as its
+ first and only argument. It should either print a valid
+ <literal>server</literal> option on stdout and exit with a code
+ of 0 or print nothing and exit with a non-zero exit code. An
+ example of a shell script resolving the DNS NAPTR records for
+ the realm and then the SRV records for each NAPTR matching
+ 'x-eduroam:radius.tls' is provided in
+ <literal>tools/naptr-eduroam.sh</literal>. This option was
+ added in radsecproxy-1.3 but tends to crash radsecproxy versions
+ earlier than 1.6.
</para>
<para>
Using the <literal>LoopPrevention</literal> option here
projects / radsecproxy.git / blobdiff