| 775 |
stephane |
1 |
<?php
|
|
|
2 |
/*
|
|
|
3 |
This class handled of ldap configuration.
|
|
|
4 |
WARNING! This class can't says if the configuration is valid or not.
|
|
|
5 |
*/
|
|
|
6 |
require_once('configreader.php');
|
|
|
7 |
class siteConfig
|
|
|
8 |
{
|
|
|
9 |
/*
|
|
|
10 |
$_sections : radius sections container
|
|
|
11 |
*/
|
|
|
12 |
protected $_sections = Array();
|
|
|
13 |
|
|
|
14 |
public function __construct() {
|
|
|
15 |
$this->_sections['authorize'] = new sectionItem('authorize');
|
|
|
16 |
$this->_sections['authenticate'] = new sectionItem('authorize');
|
| 1623 |
franck |
17 |
$this->_sections['preacct'] = new sectionItem('preacct');
|
| 775 |
stephane |
18 |
$this->_sections['accounting'] = new sectionItem('accounting');
|
| 1623 |
franck |
19 |
$this->_sections['session'] = new sectionItem('session');
|
| 775 |
stephane |
20 |
$this->_sections['post-auth'] = new sectionItem('post-auth');
|
|
|
21 |
$this->_sections['pre-proxy'] = new sectionItem('pre-proxy');
|
|
|
22 |
$this->_sections['post-proxy'] = new sectionItem('post-proxy');
|
|
|
23 |
}
|
|
|
24 |
private function _doSpace($nbspace = 0){
|
|
|
25 |
$resp="";
|
|
|
26 |
for ($i = 1; $i <= $nbspace; $i++){
|
|
|
27 |
$resp.=" ";
|
|
|
28 |
}
|
|
|
29 |
return $resp;
|
|
|
30 |
}
|
|
|
31 |
private function _writeModule($module, $default=null, $space=0){
|
|
|
32 |
if (is_object($module)){
|
|
|
33 |
if ($module->getType()==='section'){
|
|
|
34 |
$resp = $this->_doSpace($space).$module." ".$module->getInstanceName();
|
|
|
35 |
if (count($module->getAll())>0){
|
|
|
36 |
$resp .= " { \n";
|
|
|
37 |
foreach ($module->getAll() as $childItem) {
|
|
|
38 |
$resp .= $this->_writeModule($childItem, null, $space+1);
|
|
|
39 |
}
|
|
|
40 |
$resp .= $this->_doSpace($space)." } \n";
|
|
|
41 |
} elseif ($module->getInstanceName()!==""){
|
|
|
42 |
$resp .= " { \n";
|
|
|
43 |
$resp .= "\n";
|
|
|
44 |
$resp .= $this->_doSpace($space)." } \n";
|
|
|
45 |
} else {
|
|
|
46 |
$resp .= "\n";
|
|
|
47 |
}
|
|
|
48 |
return $resp;
|
|
|
49 |
}elseif ($module->getType()==='pair'){
|
|
|
50 |
$resp = $this->_doSpace($space).$module->getName()."=";
|
|
|
51 |
$resp .=$module->getPair($module->getName());
|
|
|
52 |
$resp .="\n";
|
|
|
53 |
return $resp;
|
|
|
54 |
} else {
|
|
|
55 |
|
|
|
56 |
}
|
|
|
57 |
} elseif (is_array($module)&&count($module)>0) {
|
|
|
58 |
/*
|
|
|
59 |
for section width multiple instance
|
|
|
60 |
!!! empty section are array too!! we must count the array!
|
|
|
61 |
*/
|
|
|
62 |
$resp = "";
|
|
|
63 |
foreach ($module as $instance) {
|
|
|
64 |
$resp .= $this->_doSpace($space). $this->_writeModule($instance, $default, $space);
|
|
|
65 |
}
|
|
|
66 |
return $resp;
|
|
|
67 |
} else {
|
|
|
68 |
return $default;
|
|
|
69 |
}
|
|
|
70 |
}
|
|
|
71 |
public function __get($attr){
|
|
|
72 |
if (array_key_exists($attr, $this->_sections)){
|
|
|
73 |
return $this->_sections[$attr];
|
|
|
74 |
}
|
|
|
75 |
return false;
|
|
|
76 |
}
|
|
|
77 |
public function __set($attr, $value){
|
|
|
78 |
/*
|
| 776 |
stephane |
79 |
Ne prend pas en compte les section contenant un "-". Pour ce cas utiliser la méthode setSection('sectionName', 'myvalue').
|
| 775 |
stephane |
80 |
*/
|
| 776 |
stephane |
81 |
$this->setSection($sectionName, $value);
|
|
|
82 |
exit('ee');
|
| 775 |
stephane |
83 |
}
|
| 776 |
stephane |
84 |
public function setSection($sectionName, $value){
|
|
|
85 |
if (array_key_exists($sectionName, $this->_sections)){
|
|
|
86 |
$this->_sections[$sectionName] = $value;
|
|
|
87 |
}
|
|
|
88 |
}
|
| 775 |
stephane |
89 |
public function load($confFile){
|
|
|
90 |
// use here the parsing class
|
|
|
91 |
require_once("configreader.php");
|
|
|
92 |
|
|
|
93 |
$r = new configReader($confFile);
|
|
|
94 |
$this->_sections['authorize'] = $r->getSection('authorize');
|
|
|
95 |
$this->_sections['authenticate'] = $r->getSection('authenticate');
|
| 1623 |
franck |
96 |
$this->_sections['preacct'] = $r->getSection('preacct');
|
| 775 |
stephane |
97 |
$this->_sections['accounting'] = $r->getSection('accounting');
|
| 1623 |
franck |
98 |
$this->_sections['session'] = $r->getSection('session');
|
| 775 |
stephane |
99 |
$this->_sections['post-auth'] = $r->getSection('post-auth');
|
|
|
100 |
$this->_sections['pre-proxy'] = $r->getSection('pre-proxy');
|
|
|
101 |
$this->_sections['post-proxy'] = $r->getSection('post-proxy');
|
|
|
102 |
}
|
|
|
103 |
public function __toString() {
|
|
|
104 |
return "siteConfig";
|
|
|
105 |
}
|
|
|
106 |
public function save($savefile = null, $returnconfig = false){
|
|
|
107 |
/*
|
|
|
108 |
outpout with template (faster and we can write a lot of comments)
|
|
|
109 |
*/
|
|
|
110 |
$config = "
|
|
|
111 |
######################################################################
|
|
|
112 |
#
|
|
|
113 |
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
|
|
|
114 |
# \"server\" section, and configuration directives.
|
|
|
115 |
#
|
|
|
116 |
# Virtual hosts should be put into the \"sites-available\"
|
|
|
117 |
# directory. Soft links should be created in the \"sites-enabled\"
|
|
|
118 |
# directory to these files. This is done in a normal installation.
|
|
|
119 |
#
|
|
|
120 |
#
|
|
|
121 |
######################################################################
|
|
|
122 |
#
|
|
|
123 |
# Read \"man radiusd\" before editing this file. See the section
|
|
|
124 |
# titled DEBUGGING. It outlines a method where you can quickly
|
|
|
125 |
# obtain the configuration you want, without running into
|
|
|
126 |
# trouble. See also \"man unlang\", which documents the format
|
|
|
127 |
# of this file.
|
|
|
128 |
#
|
|
|
129 |
# This configuration is designed to work in the widest possible
|
|
|
130 |
# set of circumstances, with the widest possible number of
|
|
|
131 |
# authentication methods. This means that in general, you should
|
|
|
132 |
# need to make very few changes to this file.
|
|
|
133 |
#
|
|
|
134 |
# The best way to configure the server for your local system
|
|
|
135 |
# is to CAREFULLY edit this file. Most attempts to make large
|
|
|
136 |
# edits to this file will BREAK THE SERVER. Any edits should
|
|
|
137 |
# be small, and tested by running the server with \"radiusd -X\".
|
|
|
138 |
# Once the edits have been verified to work, save a copy of these
|
|
|
139 |
# configuration files somewhere. (e.g. as a \"tar\" file). Then,
|
|
|
140 |
# make more edits, and test, as above.
|
|
|
141 |
#
|
|
|
142 |
# There are many \"commented out\" references to modules such
|
|
|
143 |
# as ldap, sql, etc. These references serve as place-holders.
|
|
|
144 |
# If you need the functionality of that module, then configure
|
|
|
145 |
# it in radiusd.conf, and un-comment the references to it in
|
|
|
146 |
# this file. In most cases, those small changes will result
|
|
|
147 |
# in the server being able to connect to the DB, and to
|
|
|
148 |
# authenticate users.
|
|
|
149 |
#
|
|
|
150 |
######################################################################
|
|
|
151 |
|
|
|
152 |
#
|
|
|
153 |
# In 1.x, the \"authorize\", etc. sections were global in
|
|
|
154 |
# radiusd.conf. As of 2.0, they SHOULD be in a server section.
|
|
|
155 |
#
|
|
|
156 |
# The server section with no virtual server name is the \"default\"
|
|
|
157 |
# section. It is used when no server name is specified.
|
|
|
158 |
#
|
|
|
159 |
# We don't indent the rest of this file, because doing so
|
|
|
160 |
# would make it harder to read.
|
|
|
161 |
#
|
|
|
162 |
|
|
|
163 |
# Authorization. First preprocess (hints and huntgroups files),
|
|
|
164 |
# then realms, and finally look in the \"users\" file.
|
|
|
165 |
#
|
|
|
166 |
# The order of the realm modules will determine the order that
|
|
|
167 |
# we try to find a matching realm.
|
|
|
168 |
#
|
|
|
169 |
# Make *sure* that 'preprocess' comes before any realm if you
|
|
|
170 |
# need to setup hints for the remote radius server
|
|
|
171 |
authorize {
|
|
|
172 |
#
|
|
|
173 |
# The preprocess module takes care of sanitizing some bizarre
|
|
|
174 |
# attributes in the request, and turning them into attributes
|
|
|
175 |
# which are more standard.
|
|
|
176 |
#
|
|
|
177 |
# It takes care of processing the 'raddb/hints' and the
|
|
|
178 |
# 'raddb/huntgroups' files.
|
|
|
179 |
#
|
|
|
180 |
# It also adds the %{Client-IP-Address} attribute to the request.
|
| 1625 |
franck |
181 |
".$this->_writeModule($this->_sections['authorize']->preprocess, '# preprocess')."
|
| 775 |
stephane |
182 |
|
|
|
183 |
#
|
|
|
184 |
# If you want to have a log of authentication requests,
|
|
|
185 |
# un-comment the following line, and the 'detail auth_log'
|
|
|
186 |
# section, above.
|
| 1625 |
franck |
187 |
".$this->_writeModule($this->_sections['authorize']->getSection('auth-log'), '# auth_log')."
|
| 775 |
stephane |
188 |
#
|
|
|
189 |
# The chap module will set 'Auth-Type := CHAP' if we are
|
|
|
190 |
# handling a CHAP request and Auth-Type has not already been set
|
|
|
191 |
".$this->_writeModule($this->_sections['authorize']->chap, '# chap')."
|
|
|
192 |
#
|
|
|
193 |
# If the users are logging in with an MS-CHAP-Challenge
|
|
|
194 |
# attribute for authentication, the mschap module will find
|
|
|
195 |
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
|
|
|
196 |
# to the request, which will cause the server to then use
|
|
|
197 |
# the mschap module for authentication.
|
|
|
198 |
".$this->_writeModule($this->_sections['authorize']->mschap, '# mschap')."
|
|
|
199 |
#
|
|
|
200 |
# If you have a Cisco SIP server authenticating against
|
|
|
201 |
# FreeRADIUS, uncomment the following line, and the 'digest'
|
|
|
202 |
# line in the 'authenticate' section.
|
|
|
203 |
".$this->_writeModule($this->_sections['authorize']->digest, '# digest')."
|
|
|
204 |
#
|
|
|
205 |
# Look for IPASS style 'realm/', and if not found, look for
|
|
|
206 |
# '@realm', and decide whether or not to proxy, based on
|
|
|
207 |
# that.
|
|
|
208 |
".$this->_writeModule($this->_sections['authorize']->IPASS, '# IPASS')."
|
|
|
209 |
#
|
|
|
210 |
# If you are using multiple kinds of realms, you probably
|
|
|
211 |
# want to set \"ignore_null = yes\" for all of them.
|
|
|
212 |
# Otherwise, when the first style of realm doesn't match,
|
|
|
213 |
# the other styles won't be checked.
|
|
|
214 |
#
|
|
|
215 |
".$this->_writeModule($this->_sections['authorize']->suffix, '# suffix')."
|
|
|
216 |
".$this->_writeModule($this->_sections['authorize']->ntdomain, '# ntdomain')."
|
|
|
217 |
#
|
|
|
218 |
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
|
|
|
219 |
# authentication.
|
|
|
220 |
#
|
|
|
221 |
# It also sets the EAP-Type attribute in the request
|
|
|
222 |
# attribute list to the EAP type from the packet.
|
|
|
223 |
#
|
|
|
224 |
# As of 2.0, the EAP module returns \"ok\" in the authorize stage
|
|
|
225 |
# for TTLS and PEAP. In 1.x, it never returned \"ok\" here, so
|
|
|
226 |
# this change is compatible with older configurations.
|
|
|
227 |
#
|
|
|
228 |
# The example below uses module failover to avoid querying all
|
|
|
229 |
# of the following modules if the EAP module returns \"ok\".
|
|
|
230 |
# Therefore, your LDAP and/or SQL servers will not be queried
|
|
|
231 |
# for the many packets that go back and forth to set up TTLS
|
|
|
232 |
# or PEAP. The load on those servers will therefore be reduced.
|
|
|
233 |
#
|
|
|
234 |
".$this->_writeModule($this->_sections['authorize']->eap, '# eap {
|
|
|
235 |
# ok = return
|
|
|
236 |
# }')."
|
|
|
237 |
#
|
|
|
238 |
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
|
|
|
239 |
# using the system API's to get the password. If you want
|
|
|
240 |
# to read /etc/passwd or /etc/shadow directly, see the
|
|
|
241 |
# passwd module in radiusd.conf.
|
|
|
242 |
#
|
|
|
243 |
".$this->_writeModule($this->_sections['authorize']->unix, '# unix')."
|
|
|
244 |
#
|
|
|
245 |
# Read the 'users' file
|
|
|
246 |
".$this->_writeModule($this->_sections['authorize']->files, '# files')."
|
|
|
247 |
#
|
|
|
248 |
# Look in an SQL database. The schema of the database
|
|
|
249 |
# is meant to mirror the \"users\" file.
|
|
|
250 |
#
|
|
|
251 |
# See \"Authorization Queries\" in sql.conf
|
| 1672 |
richard |
252 |
".$this->_writeModule($this->_sections['authorize']->sql, 'sql')."
|
|
|
253 |
".$this->_writeModule($this->_sections['authorize']->noresetcounter, 'noresetcounter')."
|
|
|
254 |
".$this->_writeModule($this->_sections['authorize']->dailycounter, 'dailycounter')."
|
|
|
255 |
".$this->_writeModule($this->_sections['authorize']->monthlycounter, 'monthlycounter')."
|
| 775 |
stephane |
256 |
#
|
|
|
257 |
# If you are using /etc/smbpasswd, and are also doing
|
|
|
258 |
# mschap authentication, the un-comment this line, and
|
|
|
259 |
# configure the 'etc_smbpasswd' module, above.
|
|
|
260 |
".$this->_writeModule($this->_sections['authorize']->etc_smbpasswd, '# etc_smbpasswd')."
|
|
|
261 |
#
|
|
|
262 |
# The ldap module will set Auth-Type to LDAP if it has not
|
|
|
263 |
# already been set
|
|
|
264 |
".$this->_writeModule($this->_sections['authorize']->ldap, '# ldap {
|
| 1672 |
richard |
265 |
# fail = 1
|
|
|
266 |
# }')."
|
| 775 |
stephane |
267 |
#
|
|
|
268 |
# Enforce daily limits on time spent logged in.
|
|
|
269 |
".$this->_writeModule($this->_sections['authorize']->daily, '# daily')."
|
|
|
270 |
#
|
|
|
271 |
# Use the checkval modulel
|
|
|
272 |
".$this->_writeModule($this->_sections['authorize']->checkval, '# checkval')."
|
|
|
273 |
".$this->_writeModule($this->_sections['authorize']->expiration, 'expiration')."
|
|
|
274 |
".$this->_writeModule($this->_sections['authorize']->logintime, 'logintime')."
|
|
|
275 |
#
|
|
|
276 |
# If no other module has claimed responsibility for
|
|
|
277 |
# authentication, then try to use PAP. This allows the
|
|
|
278 |
# other modules listed above to add a \"known good\" password
|
|
|
279 |
# to the request, and to do nothing else. The PAP module
|
|
|
280 |
# will then see that password, and use it to do PAP
|
|
|
281 |
# authentication.
|
|
|
282 |
#
|
|
|
283 |
# This module should be listed last, so that the other modules
|
|
|
284 |
# get a chance to set Auth-Type for themselves.
|
|
|
285 |
#
|
|
|
286 |
".$this->_writeModule($this->_sections['authorize']->pap, '# pap')."
|
|
|
287 |
#
|
|
|
288 |
# If \"status_server = yes\", then Status-Server messages are passed
|
|
|
289 |
# through the following section, and ONLY the following section.
|
|
|
290 |
# This permits you to do DB queries, for example. If the modules
|
|
|
291 |
# listed here return \"fail\", then NO response is sent.
|
|
|
292 |
#
|
|
|
293 |
".$this->_writeModule($this->_sections['authorize']->getSection('Autz-Type'), '# Autz-Type Status-Server {
|
|
|
294 |
#
|
|
|
295 |
# }')."
|
|
|
296 |
|
|
|
297 |
}
|
|
|
298 |
|
|
|
299 |
|
|
|
300 |
# Authentication.
|
|
|
301 |
#
|
|
|
302 |
#
|
|
|
303 |
# This section lists which modules are available for authentication.
|
|
|
304 |
# Note that it does NOT mean 'try each module in order'. It means
|
|
|
305 |
# that a module from the 'authorize' section adds a configuration
|
|
|
306 |
# attribute 'Auth-Type := FOO'. That authentication type is then
|
|
|
307 |
# used to pick the apropriate module from the list below.
|
|
|
308 |
#
|
|
|
309 |
|
|
|
310 |
# In general, you SHOULD NOT set the Auth-Type attribute. The server
|
|
|
311 |
# will figure it out on its own, and will do the right thing. The
|
|
|
312 |
# most common side effect of erroneously setting the Auth-Type
|
|
|
313 |
# attribute is that one authentication method will work, but the
|
|
|
314 |
# others will not.
|
|
|
315 |
#
|
|
|
316 |
# The common reasons to set the Auth-Type attribute by hand
|
|
|
317 |
# is to either forcibly reject the user (Auth-Type := Reject),
|
|
|
318 |
# or to or forcibly accept the user (Auth-Type := Accept).
|
|
|
319 |
#
|
|
|
320 |
# Note that Auth-Type := Accept will NOT work with EAP.
|
|
|
321 |
#
|
|
|
322 |
# Please do not put \"unlang\" configurations into the \"authenticate\"
|
|
|
323 |
# section. Put them in the \"post-auth\" section instead. That's what
|
|
|
324 |
# the post-auth section is for.
|
|
|
325 |
#
|
|
|
326 |
authenticate {
|
|
|
327 |
# #
|
|
|
328 |
# # PAP authentication, when a back-end database listed
|
|
|
329 |
# # in the 'authorize' section supplies a password. The
|
|
|
330 |
# # password can be clear-text, or encrypted.
|
|
|
331 |
".$this->_writeModule($this->_sections['authenticate']->getSectionInstance('Auth-Type','PAP'), '# Auth-Type PAP {
|
|
|
332 |
# pap
|
|
|
333 |
# }')."
|
|
|
334 |
#
|
|
|
335 |
# #
|
|
|
336 |
# # Most people want CHAP authentication
|
|
|
337 |
# # A back-end database listed in the 'authorize' section
|
|
|
338 |
# # MUST supply a CLEAR TEXT password. Encrypted passwords
|
|
|
339 |
# # won't work.
|
|
|
340 |
".$this->_writeModule($this->_sections['authenticate']->getSectionInstance('Auth-Type','CHAP'), '# Auth-Type CHAP {
|
|
|
341 |
# chap
|
|
|
342 |
# }')."
|
|
|
343 |
#
|
|
|
344 |
# #
|
|
|
345 |
# # MSCHAP authentication.
|
|
|
346 |
".$this->_writeModule($this->_sections['authenticate']->getSectionInstance('Auth-Type','MS-CHAP'), '# Auth-Type MS-CHAP {
|
|
|
347 |
# mschap
|
|
|
348 |
# }')."
|
|
|
349 |
#
|
|
|
350 |
# #
|
|
|
351 |
# # If you have a Cisco SIP server authenticating against
|
|
|
352 |
# # FreeRADIUS, uncomment the following line, and the 'digest'
|
|
|
353 |
# # line in the 'authorize' section.
|
|
|
354 |
".$this->_writeModule($this->_sections['authenticate']->digest, '# digest')."
|
|
|
355 |
#
|
|
|
356 |
# #
|
|
|
357 |
# # Pluggable Authentication Modules.
|
|
|
358 |
".$this->_writeModule($this->_sections['authenticate']->pam, '# pam')."
|
|
|
359 |
#
|
|
|
360 |
# #
|
|
|
361 |
# # See 'man getpwent' for information on how the 'unix'
|
|
|
362 |
# # module checks the users password. Note that packets
|
|
|
363 |
# # containing CHAP-Password attributes CANNOT be authenticated
|
|
|
364 |
# # against /etc/passwd! See the FAQ for details.
|
|
|
365 |
# #
|
|
|
366 |
".$this->_writeModule($this->_sections['authenticate']->unix, '# unix')."
|
|
|
367 |
#
|
|
|
368 |
# # Uncomment it if you want to use ldap for authentication
|
|
|
369 |
# #
|
|
|
370 |
# # Note that this means \"check plain-text password against
|
|
|
371 |
# # the ldap database\", which means that EAP won't work,
|
|
|
372 |
# # as it does not supply a plain-text password.
|
|
|
373 |
".$this->_writeModule($this->_sections['authenticate']->getSectionInstance('Auth-Type','LDAP'), '# Auth-Type LDAP {
|
|
|
374 |
# ldap
|
|
|
375 |
# }')."
|
|
|
376 |
#
|
|
|
377 |
# #
|
|
|
378 |
# # Allow EAP authentication.
|
|
|
379 |
".$this->_writeModule($this->_sections['authenticate']->eap, '# eap')."
|
|
|
380 |
}
|
|
|
381 |
|
|
|
382 |
|
|
|
383 |
#
|
|
|
384 |
# Pre-accounting. Decide which accounting type to use.
|
|
|
385 |
#
|
|
|
386 |
preacct {
|
| 1625 |
franck |
387 |
".$this->_writeModule($this->_sections['preacct']->preprocess, '# preprocess')."
|
| 775 |
stephane |
388 |
|
|
|
389 |
#
|
|
|
390 |
# Ensure that we have a semi-unique identifier for every
|
|
|
391 |
# request, and many NAS boxes are broken.
|
|
|
392 |
".$this->_writeModule($this->_sections['preacct']->acct_unique, '# acct_unique')."
|
|
|
393 |
|
|
|
394 |
#
|
|
|
395 |
# Look for IPASS-style 'realm/', and if not found, look for
|
|
|
396 |
# '@realm', and decide whether or not to proxy, based on
|
|
|
397 |
# that.
|
|
|
398 |
#
|
|
|
399 |
# Accounting requests are generally proxied to the same
|
|
|
400 |
# home server as authentication requests.
|
|
|
401 |
".$this->_writeModule($this->_sections['preacct']->IPASS, '# IPASS')."
|
|
|
402 |
".$this->_writeModule($this->_sections['preacct']->suffix, '# suffix')."
|
|
|
403 |
".$this->_writeModule($this->_sections['preacct']->ntdomain, '# ntdomain')."
|
|
|
404 |
|
|
|
405 |
#
|
|
|
406 |
# Read the 'acct_users' file
|
|
|
407 |
".$this->_writeModule($this->_sections['preacct']->files, '# files')."
|
|
|
408 |
}
|
|
|
409 |
|
|
|
410 |
#
|
|
|
411 |
# Accounting. Log the accounting data.
|
|
|
412 |
#
|
|
|
413 |
accounting {
|
|
|
414 |
#
|
|
|
415 |
# Create a 'detail'ed log of the packets.
|
|
|
416 |
# Note that accounting requests which are proxied
|
|
|
417 |
# are also logged in the detail file.
|
|
|
418 |
".$this->_writeModule($this->_sections['accounting']->detail, '# detail')."
|
|
|
419 |
".$this->_writeModule($this->_sections['accounting']->daily, '# daily')."
|
|
|
420 |
|
|
|
421 |
# Update the wtmp file
|
|
|
422 |
#
|
|
|
423 |
# If you don't use \"radlast\", you can delete this line.
|
|
|
424 |
".$this->_writeModule($this->_sections['accounting']->unix, '# unix')."
|
|
|
425 |
|
|
|
426 |
#
|
|
|
427 |
# For Simultaneous-Use tracking.
|
|
|
428 |
#
|
|
|
429 |
# Due to packet losses in the network, the data here
|
|
|
430 |
# may be incorrect. There is little we can do about it.
|
|
|
431 |
".$this->_writeModule($this->_sections['accounting']->radutmp, '# radutmp')."
|
| 1672 |
richard |
432 |
".$this->_writeModule($this->_sections['accounting']->sradutmp, '# sradutmp')."
|
| 775 |
stephane |
433 |
|
|
|
434 |
# Return an address to the IP Pool when we see a stop record.
|
|
|
435 |
".$this->_writeModule($this->_sections['accounting']->main_pool, '# main_pool')."
|
|
|
436 |
|
|
|
437 |
#
|
|
|
438 |
# Log traffic to an SQL database.
|
|
|
439 |
#
|
|
|
440 |
# See \"Accounting queries\" in sql.conf
|
| 1672 |
richard |
441 |
".$this->_writeModule($this->_sections['accounting']->sql, 'sql')."
|
| 775 |
stephane |
442 |
|
|
|
443 |
#
|
|
|
444 |
# Instead of sending the query to the SQL server,
|
|
|
445 |
# write it into a log file.
|
|
|
446 |
#
|
|
|
447 |
".$this->_writeModule($this->_sections['accounting']->sql_log, '# sql_log')."
|
|
|
448 |
|
|
|
449 |
# Cisco VoIP specific bulk accounting
|
|
|
450 |
".$this->_writeModule($this->_sections['accounting']->getSection('pgsql-voip'), '# pgsql-voip')."
|
|
|
451 |
|
|
|
452 |
# Filter attributes from the accounting response.
|
|
|
453 |
".$this->_writeModule($this->_sections['accounting']->getSection('attr_filter.accounting_response'), 'attr_filter.accounting_response')."
|
|
|
454 |
|
|
|
455 |
#
|
|
|
456 |
# See \"Autz-Type Status-Server\" for how this works.
|
|
|
457 |
#
|
|
|
458 |
".$this->_writeModule($this->_sections['accounting']->getSectionInstance('Acct-Type','Status-Server'), '# Acct-Type Status-Server {
|
|
|
459 |
#
|
|
|
460 |
# }')."
|
|
|
461 |
|
|
|
462 |
}
|
|
|
463 |
|
|
|
464 |
|
|
|
465 |
# Session database, used for checking Simultaneous-Use. Either the radutmp
|
|
|
466 |
# or rlm_sql module can handle this.
|
|
|
467 |
# The rlm_sql module is *much* faster
|
|
|
468 |
session {
|
|
|
469 |
".$this->_writeModule($this->_sections['session']->radutmp, '# radutmp')."
|
|
|
470 |
|
|
|
471 |
#
|
|
|
472 |
# See \"Simultaneous Use Checking Queries\" in sql.conf
|
| 1672 |
richard |
473 |
".$this->_writeModule($this->_sections['session']->sql, '# sql')."
|
| 775 |
stephane |
474 |
}
|
|
|
475 |
|
|
|
476 |
|
|
|
477 |
# Post-Authentication
|
|
|
478 |
# Once we KNOW that the user has been authenticated, there are
|
|
|
479 |
# additional steps we can take.
|
|
|
480 |
post-auth {
|
|
|
481 |
# Get an address from the IP Pool.
|
|
|
482 |
".$this->_writeModule($this->_sections['post-auth']->main_pool, '# main_pool')."
|
|
|
483 |
|
|
|
484 |
#
|
|
|
485 |
# If you want to have a log of authentication replies,
|
|
|
486 |
# un-comment the following line, and the 'detail reply_log'
|
|
|
487 |
# section, above.
|
|
|
488 |
".$this->_writeModule($this->_sections['post-auth']->reply_log, '# reply_log')."
|
|
|
489 |
|
|
|
490 |
#
|
|
|
491 |
# After authenticating the user, do another SQL query.
|
|
|
492 |
#
|
|
|
493 |
# See \"Authentication Logging Queries\" in sql.conf
|
|
|
494 |
".$this->_writeModule($this->_sections['post-auth']->sql, '# sql')."
|
|
|
495 |
|
|
|
496 |
#
|
|
|
497 |
# Instead of sending the query to the SQL server,
|
|
|
498 |
# write it into a log file.
|
|
|
499 |
#
|
|
|
500 |
".$this->_writeModule($this->_sections['post-auth']->sql_log, '# sql_log')."
|
|
|
501 |
|
|
|
502 |
#
|
|
|
503 |
# Un-comment the following if you have set
|
|
|
504 |
# 'edir_account_policy_check = yes' in the ldap module sub-section of
|
|
|
505 |
# the 'modules' section.
|
|
|
506 |
#
|
|
|
507 |
".$this->_writeModule($this->_sections['post-auth']->ldap, '# ldap')."
|
|
|
508 |
|
|
|
509 |
".$this->_writeModule($this->_sections['post-auth']->exec, '# exec')."
|
|
|
510 |
|
|
|
511 |
#
|
|
|
512 |
# Access-Reject packets are sent through the REJECT sub-section of the
|
|
|
513 |
# post-auth section.
|
|
|
514 |
#
|
|
|
515 |
# Add the ldap module name (or instance) if you have set
|
|
|
516 |
# 'edir_account_policy_check = yes' in the ldap module configuration
|
|
|
517 |
#
|
|
|
518 |
Post-Auth-Type REJECT {
|
|
|
519 |
attr_filter.access_reject
|
|
|
520 |
}
|
| 1672 |
richard |
521 |
".$this->_writeModule($this->_sections['post-auth']->files, '# files')."
|
| 775 |
stephane |
522 |
}
|
|
|
523 |
|
|
|
524 |
#
|
|
|
525 |
# When the server decides to proxy a request to a home server,
|
|
|
526 |
# the proxied request is first passed through the pre-proxy
|
|
|
527 |
# stage. This stage can re-write the request, or decide to
|
|
|
528 |
# cancel the proxy.
|
|
|
529 |
#
|
|
|
530 |
# Only a few modules currently have this method.
|
|
|
531 |
#
|
|
|
532 |
pre-proxy {
|
|
|
533 |
".$this->_writeModule($this->_sections['preacct']->attr_rewrite, '# attr_rewrite')."
|
|
|
534 |
|
|
|
535 |
# Uncomment the following line if you want to change attributes
|
|
|
536 |
# as defined in the preproxy_users file.
|
|
|
537 |
".$this->_writeModule($this->_sections['preacct']->files, '# files')."
|
|
|
538 |
|
|
|
539 |
# Uncomment the following line if you want to filter requests
|
|
|
540 |
# sent to remote servers based on the rules defined in the
|
|
|
541 |
# 'attrs.pre-proxy' file.
|
|
|
542 |
".$this->_writeModule($this->_sections['preacct']->getSection('attr_filter.pre-proxy'), '# attr_filter.pre-proxy')."
|
|
|
543 |
|
|
|
544 |
# If you want to have a log of packets proxied to a home
|
|
|
545 |
# server, un-comment the following line, and the
|
|
|
546 |
# 'detail pre_proxy_log' section, above.
|
|
|
547 |
".$this->_writeModule($this->_sections['preacct']->pre_proxy_log, '# pre_proxy_log')."
|
|
|
548 |
}
|
|
|
549 |
|
|
|
550 |
#
|
|
|
551 |
# When the server receives a reply to a request it proxied
|
|
|
552 |
# to a home server, the request may be massaged here, in the
|
|
|
553 |
# post-proxy stage.
|
|
|
554 |
#
|
|
|
555 |
post-proxy {
|
|
|
556 |
|
|
|
557 |
# If you want to have a log of replies from a home server,
|
|
|
558 |
# un-comment the following line, and the 'detail post_proxy_log'
|
|
|
559 |
# section, above.
|
|
|
560 |
".$this->_writeModule($this->_sections['post-proxy']->post_proxy_log, '# post_proxy_log')."
|
|
|
561 |
|
|
|
562 |
".$this->_writeModule($this->_sections['post-proxy']->attr_rewrite, '# attr_rewrite')."
|
|
|
563 |
|
|
|
564 |
# Uncomment the following line if you want to filter replies from
|
|
|
565 |
# remote proxies based on the rules defined in the 'attrs' file.
|
|
|
566 |
".$this->_writeModule($this->_sections['post-proxy']->getSection('attr_filter.post-proxy'), '# attr_filter.post-proxy')."
|
|
|
567 |
|
|
|
568 |
#
|
|
|
569 |
# If you are proxying LEAP, you MUST configure the EAP
|
|
|
570 |
# module, and you MUST list it here, in the post-proxy
|
|
|
571 |
# stage.
|
|
|
572 |
#
|
|
|
573 |
# You MUST also use the 'nostrip' option in the 'realm'
|
|
|
574 |
# configuration. Otherwise, the User-Name attribute
|
|
|
575 |
# in the proxied request will not match the user name
|
|
|
576 |
# hidden inside of the EAP packet, and the end server will
|
|
|
577 |
# reject the EAP request.
|
|
|
578 |
#
|
|
|
579 |
".$this->_writeModule($this->_sections['post-proxy']->eap, '# eap')."
|
|
|
580 |
|
|
|
581 |
#
|
|
|
582 |
# If the server tries to proxy a request and fails, then the
|
|
|
583 |
# request is processed through the modules in this section.
|
|
|
584 |
#
|
|
|
585 |
# The main use of this section is to permit robust proxying
|
|
|
586 |
# of accounting packets. The server can be configured to
|
|
|
587 |
# proxy accounting packets as part of normal processing.
|
|
|
588 |
# Then, if the home server goes down, accounting packets can
|
|
|
589 |
# be logged to a local \"detail\" file, for processing with
|
|
|
590 |
# radrelay. When the home server comes back up, radrelay
|
|
|
591 |
# will read the detail file, and send the packets to the
|
|
|
592 |
# home server.
|
|
|
593 |
#
|
|
|
594 |
# With this configuration, the server always responds to
|
|
|
595 |
# Accounting-Requests from the NAS, but only writes
|
|
|
596 |
# accounting packets to disk if the home server is down.
|
|
|
597 |
#
|
|
|
598 |
".$this->_writeModule($this->_sections['post-proxy']->getSection('Post-Proxy-Type'), '# Post-Proxy-Type Fail {
|
|
|
599 |
# detail
|
|
|
600 |
# }')."
|
|
|
601 |
|
|
|
602 |
}";
|
|
|
603 |
|
|
|
604 |
if ($savefile !== null){
|
|
|
605 |
// save config file
|
|
|
606 |
if (is_file($savefile)){
|
|
|
607 |
// save the file
|
|
|
608 |
if (!is_writable($savefile))
|
|
|
609 |
return false;
|
|
|
610 |
$updatedFile = fopen( $savefile, 'w' );
|
|
|
611 |
fwrite( $updatedFile, $config );
|
|
|
612 |
fclose( $updatedFile );
|
|
|
613 |
} else {
|
|
|
614 |
// create a new file
|
|
|
615 |
$newFile = fopen($savefile, 'w') or die("can't create file");
|
|
|
616 |
fwrite( $newFile, $config );
|
|
|
617 |
fclose( $newFile );
|
|
|
618 |
}
|
|
|
619 |
}
|
|
|
620 |
// test $returnconfig
|
|
|
621 |
if ($returnconfig){
|
|
|
622 |
return $config;
|
|
|
623 |
}else{
|
|
|
624 |
return true;
|
|
|
625 |
}
|
|
|
626 |
}
|
|
|
627 |
}
|