IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-28 01:41:14 -06:00
Code Issues Packages Projects Releases Wiki Activity
54b3842aba
freeipa/ipa-radius-server/share/radius.radiusd.conf.template

286 lines
5.6 KiB
Plaintext
Raw Blame History

#
# WARNING: This file is automatically generated, do not edit
#
# $CONFIG_FILE_VERSION_INFO
#
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = $${localstatedir}/log/radius
raddbdir = $${sysconfdir}/raddb
radacctdir = $${logdir}/radacct
confdir = $${raddbdir}
run_dir = $${localstatedir}/run/radiusd
db_dir = $${localstatedir}/lib/radiusd
log_file = $${logdir}/radius.log
libdir = /usr/lib
pidfile = $${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = $${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$$INCLUDE $${confdir}/proxy.conf
$$INCLUDE $${confdir}/clients.conf
snmp = no
$$INCLUDE $${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = $${logdir}/radwtmp
}
$$INCLUDE $${confdir}/eap.conf
mschap {
}
ldap {
server = "$LDAP_SERVER"
use_sasl = yes
sasl_mech = "GSSAPI"
krb_keytab = "$RADIUS_KEYTAB"
krb_principal = "$RADIUS_PRINCIPAL"
basedn = "$RADIUS_USER_BASE_DN"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
start_tls = no
profile_attribute = "radiusProfileDn"
default_profile = "uid=ipa_default,cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX
# FIXME: we'll want to toggle the access_attr feature on/off,
# but it needs a control, so disable it for now.
#access_attr = "$ACCESS_ATTRIBUTE"
#access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT"
dictionary_mapping = $${raddbdir}/ldap.attrmap
ldap_connections_number = 5
edir_account_policy_check=no
timeout = 4
timelimit = 3
net_timeout = 1
clients_basedn = "$CLIENTS_BASEDN"
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = $${confdir}/huntgroups
hints = $${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = $${confdir}/users
acctusersfile = $${confdir}/acct_users
preproxy_usersfile = $${confdir}/preproxy_users
compat = no
}
detail {
detailfile = $${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
radutmp {
filename = $${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = $${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = $${confdir}/attrs
}
counter daily {
filename = $${db_dir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
FROM radacct WHERE UserName='%{%k}' AND \
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = $${db_dir}/db.ippool
ip-index = $${db_dir}/db.ipindex
override = no
maximum-timeout = 0
}
krb5 {
keytab = "$RADIUS_KEYTAB"
service_principal = "$RADIUS_PRINCIPAL"
}
}
instantiate {
exec
expr
}
authorize {
preprocess
chap
mschap
suffix
eap
#files
ldap
}
authenticate {
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
Auth-Type Kerberos {
krb5
}
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
eap
}
Reference in New Issue View Git Blame Copy Permalink