1805 |
clement.si |
1 |
#
|
|
|
2 |
# Main Configuration File
|
|
|
3 |
#
|
|
|
4 |
# it can be default or whatever language. Only greek are supported
|
|
|
5 |
# from non latin alphabet languages
|
|
|
6 |
# These attribute only apply for ldap not for sql
|
|
|
7 |
#
|
|
|
8 |
general_prefered_lang: en
|
|
|
9 |
general_prefered_lang_name: English
|
|
|
10 |
#
|
|
|
11 |
# The charset which will be added as a meta tag in all pages
|
|
|
12 |
#
|
|
|
13 |
general_charset: utf-8
|
|
|
14 |
#
|
|
|
15 |
# Uncomment this if normal attributes (not the ;lang-xx ones) in ldap
|
|
|
16 |
# are utf8 encoded.
|
|
|
17 |
#
|
|
|
18 |
#general_decode_normal_attributes: yes
|
|
|
19 |
#
|
|
|
20 |
# The directory where dialupadmin is installed
|
|
|
21 |
#
|
|
|
22 |
general_base_dir: /usr/share/freeradius-web
|
|
|
23 |
#
|
|
|
24 |
# The base directory of the freeradius radius installation
|
|
|
25 |
#
|
|
|
26 |
general_radiusd_base_dir: /usr
|
|
|
27 |
general_domain: localdomain
|
|
|
28 |
#
|
|
|
29 |
# Set it to yes to use sessions and cache the various mappings
|
|
|
30 |
# You can also set use_session = 1 in config.php to also cache
|
|
|
31 |
# the admin.conf
|
|
|
32 |
#
|
|
|
33 |
# ---- IMPORTANT -- IMPORTANT -- IMPORTANT ----
|
|
|
34 |
#Remember to use the 'Clear Cache' page if you use sessions and do any changes
|
|
|
35 |
#in any of the configuration files.
|
|
|
36 |
#
|
|
|
37 |
general_use_session: no
|
|
|
38 |
#
|
|
|
39 |
# This is used by the failed logins page. It states the default back time
|
|
|
40 |
# in minutes.
|
|
|
41 |
#
|
|
|
42 |
general_most_recent_fl: 30
|
|
|
43 |
|
|
|
44 |
#
|
|
|
45 |
# Realm setup
|
|
|
46 |
#
|
|
|
47 |
# Set general_strip_realms to yes in order to stip realms from usernames.
|
|
|
48 |
# By default realms are not striped
|
1832 |
richard |
49 |
general_strip_realms: no
|
1805 |
clement.si |
50 |
#
|
|
|
51 |
# The delimiter used in realms. Default is @
|
|
|
52 |
#
|
|
|
53 |
general_realm_delimiter: @
|
|
|
54 |
#
|
|
|
55 |
# The format of the realms. Can be either suffix (realm is after the username)
|
|
|
56 |
# or prefix (realm is before the username). Default is suffix
|
|
|
57 |
#
|
|
|
58 |
general_realm_format: suffix
|
|
|
59 |
#
|
|
|
60 |
|
|
|
61 |
#
|
|
|
62 |
# Determines if the administrator will be able to see and change the user password through
|
|
|
63 |
# the user edit page
|
|
|
64 |
general_show_user_password: yes
|
|
|
65 |
|
|
|
66 |
general_raddb_dir: /etc/raddb
|
|
|
67 |
general_ldap_attrmap: %{general_raddb_dir}/ldap.attrmap
|
|
|
68 |
# Need to fix admin.conf file parser
|
|
|
69 |
#general_clients_conf: %{general_raddb_dir}/clients.conf
|
|
|
70 |
general_clients_conf: /etc/raddb/clients.conf
|
|
|
71 |
general_sql_attrmap: /etc/freeradius-web/sql.attrmap
|
|
|
72 |
general_accounting_attrs_file: /etc/freeradius-web/accounting.attrs
|
|
|
73 |
general_extra_ldap_attrmap: /etc/freeradius-web/extra.ldap-attrmap
|
|
|
74 |
general_username_mappings_file: /etc/freeradius-web/username.mappings
|
|
|
75 |
#
|
|
|
76 |
# it can be either ldap or sql
|
|
|
77 |
# This affects the user base not accounting. Accounting is always in sql
|
|
|
78 |
#
|
|
|
79 |
general_lib_type: sql
|
|
|
80 |
#
|
|
|
81 |
# Define which attributes will be visible in the user edit page
|
|
|
82 |
#
|
|
|
83 |
general_user_edit_attrs_file: /etc/freeradius-web/user_edit.attrs
|
|
|
84 |
#
|
|
|
85 |
# Used by the Accounting Report Generator
|
|
|
86 |
#
|
|
|
87 |
general_sql_attrs_file: /etc/freeradius-web/sql.attrs
|
|
|
88 |
#
|
|
|
89 |
# Set default values for various attributes
|
|
|
90 |
#
|
|
|
91 |
general_default_file: /etc/freeradius-web/default.vals
|
|
|
92 |
#general_ld_library_path: /usr/local/snmpd/lib
|
|
|
93 |
#
|
|
|
94 |
# can be 'snmp' (for snmpfinger) or empty to query the radacct table without first
|
|
|
95 |
# querying the nas
|
|
|
96 |
# This is used by the online users page
|
|
|
97 |
#
|
|
|
98 |
# general_finger_type: snmp
|
|
|
99 |
#
|
|
|
100 |
# Defines the nas type. This is only used by snmpfinger
|
|
|
101 |
# cisco, usrhiper and lucent are supported for now
|
|
|
102 |
#
|
|
|
103 |
general_nas_type: cisco
|
|
|
104 |
general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
|
|
|
105 |
#
|
|
|
106 |
# Used by the 'Disconnect User' button in the Clear Open Sessions page
|
|
|
107 |
# Uses the Cisco AAA Session MIB or a telnet session
|
|
|
108 |
#
|
|
|
109 |
general_sessionclear_bin: %{general_base_dir}/bin/clearsession
|
|
|
110 |
#
|
|
|
111 |
# Can be one of telnet or snmp
|
|
|
112 |
#
|
|
|
113 |
general_sessionclear_method: snmp
|
|
|
114 |
general_radclient_bin: %{general_radiusd_base_dir}/bin/radclient
|
|
|
115 |
#
|
|
|
116 |
# this information is used from the server check page
|
|
|
117 |
#
|
|
|
118 |
general_test_account_login: test
|
|
|
119 |
general_test_account_password: testpass
|
|
|
120 |
#
|
|
|
121 |
# These are used as default values for the user test page
|
|
|
122 |
#
|
|
|
123 |
general_radius_server: localhost
|
|
|
124 |
general_radius_server_port: 1812
|
|
|
125 |
#
|
|
|
126 |
# can be either pap or chap
|
|
|
127 |
#
|
|
|
128 |
general_radius_server_auth_proto: pap
|
|
|
129 |
#
|
|
|
130 |
# sorry, single valued for now. Should become something like
|
|
|
131 |
# password[server-name]: xxxxx
|
|
|
132 |
#
|
|
|
133 |
general_radius_server_secret: XXXXXX
|
|
|
134 |
general_auth_request_file: /etc/freeradius-web/auth.request
|
|
|
135 |
#
|
|
|
136 |
# can be one of crypt,md5,clear
|
|
|
137 |
#
|
|
|
138 |
general_encryption_method: crypt
|
|
|
139 |
#
|
|
|
140 |
# can be either asc (older dates first) or desc (recent dates first)
|
|
|
141 |
# This is used in the user accounting and badusers pages
|
|
|
142 |
#
|
|
|
143 |
general_accounting_info_order: desc
|
|
|
144 |
#
|
|
|
145 |
# Use the totacct table in the user statistics page instead of the radacct
|
|
|
146 |
# table. That will make the page run quicker. totacct should have data for
|
|
|
147 |
# this to work :-)
|
|
|
148 |
#
|
|
|
149 |
general_stats_use_totacct: yes
|
|
|
150 |
#
|
|
|
151 |
# If set to yes then we only allow each administrator to examine it's own entries
|
|
|
152 |
# in the badusers table
|
|
|
153 |
#
|
|
|
154 |
general_restrict_badusers_access: no
|
|
|
155 |
#
|
|
|
156 |
# If set to yes then we restrict access to the nas administration page only to those
|
|
|
157 |
# users which are allowed by their username mapping (nasadmin is set to yes)
|
|
|
158 |
#
|
|
|
159 |
general_restrict_nasadmin_access: no
|
|
|
160 |
|
|
|
161 |
|
|
|
162 |
INCLUDE: /etc/freeradius-web/naslist.conf
|
|
|
163 |
|
|
|
164 |
INCLUDE: /etc/freeradius-web/captions.conf
|
|
|
165 |
|
|
|
166 |
#
|
|
|
167 |
# The ldap server to connect to.
|
|
|
168 |
# Both ldap_server and ldap_write_server can be a space-separated
|
|
|
169 |
# list of ldap hostnames. In that case the library will try to connect
|
|
|
170 |
# to the servers in the order that they appear. If the first host is down
|
|
|
171 |
# ldap_connect will ask for the second ldap host and so on.
|
|
|
172 |
#
|
|
|
173 |
ldap_server: ldap.%{general_domain}
|
|
|
174 |
#
|
|
|
175 |
# There are many cases where we have a small write master and
|
|
|
176 |
# a lot of fast read only replicas. If that is the case uncomment
|
|
|
177 |
# ldap_write_server and point it to the write master. It will be
|
|
|
178 |
# used only when writing to the directory, not when reading
|
|
|
179 |
#
|
|
|
180 |
#ldap_write_server: master.%{general_domain}
|
|
|
181 |
ldap_base: dc=company,dc=com
|
|
|
182 |
ldap_binddn: cn=Directory Manager
|
|
|
183 |
ldap_bindpw: XXXXXXX
|
|
|
184 |
ldap_default_new_entry_suffix: ou=dialup,ou=guests,%{ldap_base}
|
|
|
185 |
ldap_default_dn: uid=default-dialup,%{ldap_base}
|
|
|
186 |
ldap_regular_profile_attr: dialupregularprofile
|
|
|
187 |
#
|
|
|
188 |
# If set to yes then the HTTP credentials (http authentication)
|
|
|
189 |
# will be used to bind to the ldap server instead of ldap_binddn
|
|
|
190 |
# and ldap_bindpw. That way multiple admins with different rights
|
|
|
191 |
# on the ldap database can connect through one dialup_admin interface.
|
|
|
192 |
# The ldap_binddn and ldap_bindpw are still needed to find the DN
|
|
|
193 |
# to bind with (http authentication will only provide us with a
|
|
|
194 |
# username). As a result the ldap_binddn should be able to do a search
|
|
|
195 |
# with a filter of (uid=<username>). Normally, the anonymous (empty DN)
|
|
|
196 |
# user can do that.
|
|
|
197 |
#ldap_use_http_credentials: yes
|
|
|
198 |
#
|
|
|
199 |
# If we are using http credentials we can map a specific username to the
|
|
|
200 |
# directory manager (which usually does not correspond to a specific username)
|
|
|
201 |
#
|
|
|
202 |
#ldap_directory_manager: cn=Directory Manager
|
|
|
203 |
#ldap_map_to_directory_manager: admin
|
|
|
204 |
#
|
|
|
205 |
# Uncomment to enable ldap debug
|
|
|
206 |
#
|
|
|
207 |
ldap_debug: true
|
|
|
208 |
#
|
|
|
209 |
# Allow for defining the ldap filter used when searching for a user
|
|
|
210 |
# Variables supported:
|
|
|
211 |
# %u: username
|
|
|
212 |
# %U: username provided though http authentication
|
|
|
213 |
# %mu: mappings for userdb
|
|
|
214 |
# %ma: mappings for accounting
|
|
|
215 |
# %mn: mappings for nasdb
|
|
|
216 |
# %mN: mappings for nas administration
|
|
|
217 |
#
|
|
|
218 |
# One use of this would be to restrict access to only the user's belonging to
|
|
|
219 |
# a specific administrator like this:
|
|
|
220 |
# ldap_filter: (&(uid=%u)(manager=uid=%U,ou=admins,o=company,c=com))
|
|
|
221 |
#
|
|
|
222 |
#ldap_filter: (uid=%u)
|
|
|
223 |
#
|
|
|
224 |
# If ldap_userdn is set then we use that for user dns, we don't perform an ldap
|
|
|
225 |
# search. This can be somewhat faster. The variables supported for ldap_filter
|
|
|
226 |
# are also supported here
|
|
|
227 |
#
|
|
|
228 |
#ldap_userdn: uid=%u,%{ldap_base}
|
|
|
229 |
|
|
|
230 |
|
|
|
231 |
#
|
|
|
232 |
# can be one of mysql,pg,oracle,sqlrelay where:
|
|
|
233 |
# mysq: MySQL database (port 3306)
|
|
|
234 |
# pg: PostgreSQL database (port 5432)
|
|
|
235 |
# oracle: Oracle database (port 1521)
|
|
|
236 |
# sqlrelay: SQL Relay
|
|
|
237 |
#
|
|
|
238 |
sql_type: mysql
|
|
|
239 |
sql_server: localhost
|
|
|
240 |
sql_port: 3306
|
|
|
241 |
sql_username: radius
|
1831 |
raphael.pi |
242 |
sql_password: HAeXEjS0
|
1805 |
clement.si |
243 |
sql_database: radius
|
|
|
244 |
sql_accounting_table: radacct
|
|
|
245 |
sql_badusers_table: badusers
|
|
|
246 |
sql_check_table: radcheck
|
|
|
247 |
sql_reply_table: radreply
|
|
|
248 |
sql_user_info_table: userinfo
|
|
|
249 |
sql_groupcheck_table: radgroupcheck
|
|
|
250 |
sql_groupreply_table: radgroupreply
|
|
|
251 |
sql_usergroup_table: radusergroup
|
|
|
252 |
sql_total_accounting_table: totacct
|
|
|
253 |
sql_nas_table: nas
|
|
|
254 |
#
|
|
|
255 |
# If set to true then we show all the available groups with the groups
|
|
|
256 |
# that the user is a member of highlighted in the user edit page.
|
|
|
257 |
# Otherwise we only show the groups he is a member of.
|
|
|
258 |
sql_show_all_groups: true
|
|
|
259 |
#
|
|
|
260 |
# This variable is used by the scripts in the bin folder
|
|
|
261 |
# It should contain the path to the sql binary used to run
|
|
|
262 |
# sql commands (mysql, psql, oracle and sqlrelay are only supported for now)
|
|
|
263 |
sql_command: /usr/bin/mysql
|
|
|
264 |
#sql_command: /usr/bin/psql
|
|
|
265 |
#sql_command: /usr/bin/sqlplus
|
|
|
266 |
#
|
|
|
267 |
# This variable is used by the scripts in the bin folder
|
|
|
268 |
# It should contain the snmp type and path to the binary
|
|
|
269 |
# used to run snmp commands.
|
|
|
270 |
# (ucd = UCD-Snmp and net = Net-Snmp are only supported for now)
|
|
|
271 |
general_snmp_type: net
|
|
|
272 |
general_snmpwalk_command: /usr/bin/snmpwalk
|
|
|
273 |
general_snmpget_command: /usr/bin/snmpget
|
|
|
274 |
#
|
|
|
275 |
# Uncomment to enable sql debug
|
|
|
276 |
#
|
|
|
277 |
sql_debug: false
|
|
|
278 |
#
|
|
|
279 |
# If set to yes then the HTTP credentials (http authentication)
|
|
|
280 |
# will be used to connect to the sql server instead of sql_username
|
|
|
281 |
# and sql_password. That way multiple admins with different rights
|
|
|
282 |
# on the sql database can connect through one dialup_admin interface.
|
|
|
283 |
#sql_use_http_credentials: yes
|
|
|
284 |
#
|
|
|
285 |
# If set the query will be added to all of the queries on the accounting
|
|
|
286 |
# table
|
|
|
287 |
# Variables supported:
|
|
|
288 |
# %u: username
|
|
|
289 |
# %U: username provided though http authentication
|
|
|
290 |
# %mu: mappings for userdb
|
|
|
291 |
# %ma: mappings for accounting
|
|
|
292 |
# %mn: mappings for nasdb
|
|
|
293 |
# %mN: mappings for nas administration
|
|
|
294 |
#sql_accounting_extra_query: %ma
|
|
|
295 |
|
|
|
296 |
|
|
|
297 |
#
|
|
|
298 |
# true or false
|
|
|
299 |
#
|
|
|
300 |
sql_use_user_info_table: true
|
|
|
301 |
sql_use_operators: true
|
|
|
302 |
#
|
|
|
303 |
# Set this to the value of the default_user_profile in your
|
|
|
304 |
# sql.conf if that one is set. If it is not set leave blank
|
|
|
305 |
# or commented out
|
|
|
306 |
#sql_default_user_profile: DEFAULT
|
|
|
307 |
#
|
|
|
308 |
#
|
|
|
309 |
sql_password_attribute: Crypt-Password
|
|
|
310 |
sql_date_format: Y-m-d
|
|
|
311 |
sql_full_date_format: Y-m-d H:i:s
|
|
|
312 |
#
|
|
|
313 |
# Used in the accounting report generator so that we
|
|
|
314 |
# don't return too many results
|
|
|
315 |
#
|
|
|
316 |
sql_row_limit: 40
|
|
|
317 |
#
|
|
|
318 |
# These options are used by the log_badlogins script and by the
|
|
|
319 |
# mysql driver
|
|
|
320 |
#
|
|
|
321 |
# Set the sql connect timeout (secs)
|
|
|
322 |
sql_connect_timeout: 3
|
|
|
323 |
# Give a space separated list of extra mysql servers to connect to when
|
|
|
324 |
# logging bad logins or adding users in the badusers table
|
|
|
325 |
#sql_extra_servers: sql2.company.com sql3.company.com
|
|
|
326 |
|
|
|
327 |
#
|
|
|
328 |
# Default values for the various user limits in case the counter module
|
|
|
329 |
# is used to impose such limits.
|
|
|
330 |
# The value should be the user limit in seconds or none for nothing
|
|
|
331 |
# Check out conf/sql.attrmap or extra.ldap-attrmap (depending on if you are
|
|
|
332 |
# using sql or ldap) for per user attributes. The mapping should be made to
|
|
|
333 |
# the attributes configured in the counter module. The attributes used by
|
|
|
334 |
# dialupadmin will always be the ones appearing in the attribute mapping files
|
|
|
335 |
# so you should make sure they are mapped to the correct attributes
|
|
|
336 |
#
|
|
|
337 |
#counter_default_daily: 14400
|
|
|
338 |
#counter_default_weekly: 72000
|
|
|
339 |
counter_default_daily: none
|
|
|
340 |
counter_default_weekly: none
|
|
|
341 |
counter_default_monthly: none
|
|
|
342 |
#
|
|
|
343 |
# Since calculating monthly usage can be quite expensive we make
|
|
|
344 |
# it configurable
|
|
|
345 |
# This is not needed if the monthly limit is not none
|
|
|
346 |
#counter_monthly_calculate_usage: true
|
|
|
347 |
|
|
|
348 |
# some of the date/time related functions need to know what timezone we are in
|
|
|
349 |
|
|
|
350 |
timezone: Europe/Luxembourg
|
|
|
351 |
|