1070,42 → 1070,14 |
cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/ |
chown -R radius:radius /etc/raddb |
[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default |
# Set radius.conf parameters |
# Set radius global parameters (radius.conf) |
$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf |
# remove the proxy function |
$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function |
$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function |
|
# remove EAP module |
# $SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf |
# listen on loopback (should be modified later if EAP enabled) |
# $SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf |
|
# enable the SQL module (and SQL counter) |
$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf |
# only include modules for ALCASAR needs |
$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf |
$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*\# daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf |
$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf |
# remvove virtual server and copy our conf file |
rm -f /etc/raddb/sites-enabled/* |
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar |
chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap) |
chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar |
|
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide' |
# touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default} |
|
# client.conf configuration (coova on 127.0.0.1) |
# Set "client.conf" to describe radius clients (coova on 127.0.0.1) |
[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default |
cat << EOF > /etc/raddb/clients.conf |
client 127.0.0.1 { |
1113,23 → 1085,54 |
shortname = localhost |
} |
EOF |
# sql.conf modification |
[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default |
$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf |
$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf |
$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf |
$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf |
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) |
[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default |
cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf |
# counter.conf modification (change the Max-All-Session-Time counter) |
|
# Set Virtual server (remvove all except "alcasar virtual site") |
rm -f /etc/raddb/sites-enabled/* |
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar |
chown radius:apache /etc/raddb/sites-available/alcasar |
chmod 660 /etc/raddb/sites-available/alcasar |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar |
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled) |
|
# Set modules |
# Set only usefull modules for ALCASAR |
rm -rf /etc/raddb/mods-enabled/* |
for mods in sql sqlcounter attr_filter expiration logintime ldap pap |
do |
ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods |
done |
# Configure SQL mod (TODO :and SQL counter) |
[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default |
cp $DIR_CONF/radius/sql /etc/raddb/mods-available/sql |
chown radius:radius /etc/raddb/mods-available/sql |
$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql |
$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql |
$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql |
|
# $SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf |
# $SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf |
# $SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf |
# $SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf |
# $SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf |
# $SED "s?^[\t ]*\# daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf |
# $SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf |
# $SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf |
|
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc. |
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default |
cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf |
chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf |
# sqlcounter.conf modifications (change the Max-All-Session-Time counter) |
[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default |
cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf |
chown -R radius:radius /etc/raddb/sql/mysql/* |
# make certain that mysql is up before radius start |
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service |
/usr/bin/systemctl daemon-reload |
|
# Allow apache to change some conf files (ie : ldap on/off) |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
|
} # End radius () |
|
################################################################################## |
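Review bot: `/etc/raddb/mods-available/sql` is copied and chown'ed (`cp $DIR_CONF/radius/sql /etc/raddb/mods-available/sql`, `chown radius:radius /etc/raddb/mods-available/sql`) but never chmod'ed, even though the three `$SED` lines right after it write the database credentials (`login`, `password`, `radius_db`) into that file, so its mode is whatever the source file and the umask happen to give; add `chmod 640 /etc/raddb/mods-available/sql` after the chown, the way the hunk already pairs `chown`/`chmod 660` for `sites-available/alcasar`. The permissions table in the later hunk (`1984,15 → 1987,9`) gains `mods-available/ldap` and `sites-available/alcasar` entries but none for `mods-available/sql`, assuming that table is what the script applies afterwards. `$radiuspwd` and `$DB_USER` are spliced unescaped into a `sed` replacement delimited by `?`, so a value containing `?`, `&`, `\` or `"` would break or alter the substitution (and the password appears on the sed command line); this is inherited from the old `sql.conf` lines, but it is worth guarding where `radiuspwd` is set, which is outside this hunk. Editing `/lib/systemd/system/radiusd.service` in place (`After=...mysqld.service`) will be undone by the next package update; a drop-in under `/etc/systemd/system/radiusd.service.d/` would survive it. The enclosing `radius()` function starts before this hunk.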
1984,15 → 1987,9 |
/etc/security/msec/level.local root.root 640 |
/etc/freeradius-web root.apache 750 |
/etc/freeradius-web/admin.conf root.apache 640 |
/etc/raddb/dictionnary root.apache 640 |
/etc/raddb/ldap.attrmap root.radius 640 |
/etc/raddb/hints root.radius 640 |
/etc/raddb/huntgroups root.radius 640 |
/etc/raddb/attrs.access_reject root.radius 640 |
/etc/raddb/attrs.accounting_response root.radius 640 |
/etc/raddb/acct_users root.radius 640 |
/etc/raddb/preproxy_users root.radius 640 |
/etc/raddb/modules/ldap radius.apache 660 |
/etc/raddb/client.conf radius.radius 640 |
/etc/raddb/radius.conf radius.radius 640 |
/etc/raddb/mods-available/ldap radius.apache 660 |
/etc/raddb/sites-available/alcasar radius.apache 660 |
/etc/pki/* root.apache 750 |
/var/log/netflow/porttracker root.apache 770 |