Subversion Repositories ALCASAR

Rev

Rev 2419 | Rev 2421 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log

Rev 2419 Rev 2420
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2419 2017-09-30 17:40:32Z richard $ 
2
#  $Id: alcasar.sh 2420 2017-10-01 18:56:46Z richard $ 
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
 
5
 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
7
# Ce programme est un logiciel libre ; This software is free and open source
7
# Ce programme est un logiciel libre ; This software is free and open source
Line 1068... Line 1068...
1068
radius ()
1068
radius ()
1069
{
1069
{
1070
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1070
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1071
	chown -R radius:radius /etc/raddb
1071
	chown -R radius:radius /etc/raddb
1072
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1072
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1073
# Set radius.conf parameters
1073
# Set radius global parameters (radius.conf)
1074
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
1074
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
1075
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
1075
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
1076
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
1076
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
1077
# remove the proxy function
-
 
1078
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
1077
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
1079
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
-
 
1080
 
-
 
1081
# remove EAP module
-
 
1082
#	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
-
 
1083
# listen on loopback (should be modified later if EAP enabled)
-
 
1084
#	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
-
 
1085
 
-
 
1086
# enable the  SQL module (and SQL counter)
-
 
1087
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
-
 
1088
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
-
 
1089
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
-
 
1090
# only include modules for ALCASAR needs
-
 
1091
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
1078
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
1092
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
-
 
1093
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
-
 
1094
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
-
 
1095
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
-
 
1096
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
-
 
1097
# remvove virtual server and copy our conf file
-
 
1098
	rm -f /etc/raddb/sites-enabled/*
-
 
1099
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
-
 
1100
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
-
 
1101
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
-
 
1102
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
-
 
1103
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
-
 
1104
 
-
 
1105
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
-
 
1106
#	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
-
 
1107
 
1079
 
1108
# client.conf configuration (coova on 127.0.0.1)
1080
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
1109
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1081
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1110
	cat << EOF > /etc/raddb/clients.conf
1082
	cat << EOF > /etc/raddb/clients.conf
1111
client 127.0.0.1 {
1083
client 127.0.0.1 {
1112
	secret = $secretradius
1084
	secret = $secretradius
1113
	shortname = localhost
1085
	shortname = localhost
1114
}
1086
}
1115
EOF
1087
EOF
-
 
1088
 
-
 
1089
# Set Virtual server (remvove all except "alcasar virtual site")
-
 
1090
	rm -f /etc/raddb/sites-enabled/*
-
 
1091
    cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
-
 
1092
	chown radius:apache /etc/raddb/sites-available/alcasar
-
 
1093
	chmod 660 /etc/raddb/sites-available/alcasar
-
 
1094
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
-
 
1095
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled) 
-
 
1096
 
1116
# sql.conf modification
1097
# Set modules 
-
 
1098
# Set only usefull modules for ALCASAR
-
 
1099
    rm -rf  /etc/raddb/mods-enabled/*
-
 
1100
    for mods in sql sqlcounter attr_filter expiration logintime ldap pap
-
 
1101
        do
-
 
1102
        ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
-
 
1103
        done
-
 
1104
# Configure SQL mod (TODO :and SQL counter)
1117
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
1105
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
-
 
1106
    cp $DIR_CONF/radius/sql /etc/raddb/mods-available/sql
-
 
1107
    chown radius:radius /etc/raddb/mods-available/sql
1118
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
1108
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1119
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
1109
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1120
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
1110
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
-
 
1111
 
-
 
1112
#	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
-
 
1113
#	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1121
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
1114
#	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
-
 
1115
#	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
-
 
1116
#	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
-
 
1117
#	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
-
 
1118
#	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
-
 
1119
#	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
-
 
1120
 
1122
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
1121
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc. 
1123
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1122
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1124
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1123
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
-
 
1124
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1125
# counter.conf modification (change the Max-All-Session-Time counter)
1125
# sqlcounter.conf modifications (change the Max-All-Session-Time counter)
1126
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
1126
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
1127
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
1127
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
1128
	chown -R radius:radius /etc/raddb/sql/mysql/*
-
 
1129
# make certain that mysql is up before radius start
1128
# make certain that mysql is up before radius start
1130
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1129
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1131
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1130
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1132
	/usr/bin/systemctl daemon-reload
1131
	/usr/bin/systemctl daemon-reload
-
 
1132
 
-
 
1133
 # Allow apache to change some conf files (ie : ldap on/off)
-
 
1134
 chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
-
 
1135
	
1133
} # End radius ()
1136
} # End radius ()
1134
 
1137
 
1135
##################################################################################
1138
##################################################################################
1136
##			Fonction "chilli"					##
1139
##			Fonction "chilli"					##
1137
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1140
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
Line 1982... Line 1985...
1982
/var/log/firewall/*                     root.apache     640
1985
/var/log/firewall/*                     root.apache     640
1983
/etc/security/msec/perm.local           root.root       640
1986
/etc/security/msec/perm.local           root.root       640
1984
/etc/security/msec/level.local          root.root       640
1987
/etc/security/msec/level.local          root.root       640
1985
/etc/freeradius-web                     root.apache     750
1988
/etc/freeradius-web                     root.apache     750
1986
/etc/freeradius-web/admin.conf          root.apache     640
1989
/etc/freeradius-web/admin.conf          root.apache     640
1987
/etc/raddb/dictionnary                  root.apache     640
-
 
1988
/etc/raddb/ldap.attrmap                 root.radius     640
-
 
1989
/etc/raddb/hints                        root.radius     640
1990
/etc/raddb/client.conf                  radius.radius   640
1990
/etc/raddb/huntgroups                   root.radius     640
-
 
1991
/etc/raddb/attrs.access_reject          root.radius     640
-
 
1992
/etc/raddb/attrs.accounting_response    root.radius     640
-
 
1993
/etc/raddb/acct_users                   root.radius     640
1991
/etc/raddb/radius.conf                  radius.radius   640
1994
/etc/raddb/preproxy_users               root.radius     640
-
 
1995
/etc/raddb/modules/ldap                 radius.apache   660
1992
/etc/raddb/mods-available/ldap          radius.apache   660
1996
/etc/raddb/sites-available/alcasar      radius.apache   660
1993
/etc/raddb/sites-available/alcasar      radius.apache   660
1997
/etc/pki/*                              root.apache     750
1994
/etc/pki/*                              root.apache     750
1998
/var/log/netflow/porttracker            root.apache     770
1995
/var/log/netflow/porttracker            root.apache     770
1999
/var/log/netflow/porttracker/*          root.apache     660
1996
/var/log/netflow/porttracker/*          root.apache     660
2000
EOF
1997
EOF