Wednesday, October 19, 2011

mod_geoip2 with Apache2

Step 1:

Download the GeoIP C Library (GeoIP.tar.gz) from MaxMind:
http://geolite.maxmind.com/

Extract the library:
#tar zxvf GeoIP.tar.gz

#cd GeoIP-1.4.6/

#./configure

# make

# make install

Step 2:

Download the GeoIP Apache2 API from the below URL
http://geolite.maxmind.com/download/geoip/api/mod_geoip2/mod_geoip2_1.2.5.tar.gz

# tar zxvf mod_geoip2_1.2.5.tar.gz

# cd mod_geoip2_1.2.5

Install the API

#apxs -i -a -L/usr/local/lib -I/usr/local/include -lGeoIP -c mod_geoip.c

# chmod 755 /usr/lib/httpd/modules/mod_geoip.so

[activating module `geoip' in /etc/httpd/conf/httpd.conf]

Step 3:

Download the latest GeoLite country database in binary format

# wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

# gunzip GeoIP.dat.gz

# mkdir /usr/src/geo

# mv GeoIP.dat /usr/src/geo/

Step 4:

# vi /etc/httpd/conf/httpd.conf

Go all the way down to the end of file and add the following lines:


GeoIPEnable On
GeoIPDBFile /usr/src/geo/GeoIP.dat


Save it and exit

#service httpd restart

Now it's your mod_rewrite skills that can save you :)
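As an added example (not part of the original post), here is one way to put the GeoIPEnable/GeoIPDBFile lines to work as a country allow-list for the Apache 2.2 httpd that CentOS 5 ships. mod_geoip exports the lookup result in the environment variable GEOIP_COUNTRY_CODE; SetEnvIf and mod_authz_host do the rest. The country codes passed in and the "AllowCountry" marker name are this example's own choices.

```bash
#!/bin/bash
# Added example (not from the original post): build an httpd.conf fragment
# that allows only the listed countries, using mod_geoip's
# GEOIP_COUNTRY_CODE variable. Country list and marker name are assumptions.

# valid_country_code CODE: accept exactly two ASCII capital letters, so a typo
# such as "usa" or an empty string cannot quietly produce a rule that matches
# nothing (or everything).
valid_country_code() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Z]{2}$'
}

# geoip_allow_fragment CODE...: print a fragment that denies every client
# except those whose address resolves to one of CODE. Addresses GeoIP cannot
# place (private ranges, gaps in GeoIP.dat) leave the variable unset and are
# denied as well; add explicit "Allow from" lines for monitoring hosts or
# internal networks if that is not what you want.
geoip_allow_fragment() {
    local code
    [ "$#" -gt 0 ] || { echo "no country codes given" >&2; return 1; }
    for code in "$@"; do
        valid_country_code "$code" || { echo "bad country code: $code" >&2; return 1; }
    done
    cat <<'EOF'
GeoIPEnable On
GeoIPDBFile /usr/src/geo/GeoIP.dat

<Location />
EOF
    for code in "$@"; do
        echo "    SetEnvIf GEOIP_COUNTRY_CODE $code AllowCountry"
    done
    cat <<'EOF'
    Order Deny,Allow
    Deny from all
    Allow from env=AllowCountry
</Location>
EOF
}

# count_allow_rules: read a fragment on stdin and print how many SetEnvIf
# rules it carries; a quick self-check that every code made it in.
count_allow_rules() {
    grep -c 'SetEnvIf GEOIP_COUNTRY_CODE'
}
```

Run `geoip_allow_fragment US GB >> /etc/httpd/conf/httpd.conf`, check the result with `httpd -t` and reload. mod_geoip looks at the TCP peer address, so behind a reverse proxy every client appears to come from the proxy's country; mod_geoip2 can read X-Forwarded-For (GeoIPScanProxyHeaders), but that header is client-supplied and should only be trusted when your own proxy strips and rewrites it.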

Good Luck

or (If you are lazy)
wget http://203.130.201.244/centos/extras/5/i386/GeoIP-1.4.2-1.el5.i386.rpm
wget http://203.130.201.244/centos/extras/5/i386/mod_geoip-1.1.8-2.el5.i386.rpm
rpm -ivh GeoIP-1.4.2-1.el5.i386.rpm
rpm -ivh mod_geoip-1.1.8-2.el5.i386.rpm


/Pradyumna

Thursday, September 29, 2011

YUM configuration

I. Mount the ISO file using the following command


#mount -o loop -t iso9660 /location/of/iso /var/ftp

Or

#mount -o loop /location/of/iso /var/ftp

II. Verify the mount using the following command

#df -h

III. Move the existing *.repo files out of /etc/yum.repos.d

#mv /etc/yum.repos.d/* /root/Desktop


IV. Edit the /etc/yum.conf file and put the following lines at the end.

#vi /etc/yum.conf

[MyRepo]
name=My Local Repository
baseurl=ftp://youripaddress
enabled=1
gpgcheck=0

Use baseurl=ftp://youripaddress for CentOS 5 and baseurl=ftp://youripaddress/Server for RHEL 5. Note that the option is spelled enabled and that the repository id in brackets must not contain spaces.

V. Clean up previous caching with the following command. This is very important when you are changing repo files or RPMs in your repository.

#yum clean all

VI. Install an RPM package with the following command

#yum install httpd
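As an added example (not part of the original post), the same repository definition written with package signature checking left on. gpgcheck=0 means yum installs anything served from that URL, so this version requires a key file and refuses to write the repo if the key is missing. The file name local-iso.repo, the file:// base URL (use ftp://youripaddress as above if the mount is exported over FTP to other hosts) and the key path are this example's own choices; CentOS 5 media normally ships the signing key at the top of the ISO as RPM-GPG-KEY-CentOS-5, but check your own media before relying on that.

```bash
#!/bin/bash
# Added example (not from the original post): write a local-ISO yum repo file
# that keeps gpgcheck=1, and audit a repo directory for files that do not.
# Repo file name, base URL and key path are assumptions.

# write_local_repo REPO_DIR MOUNT_POINT KEY_FILE
write_local_repo() {
    local repo_dir="$1" mount_point="$2" key_file="$3"
    # Refuse to point yum at a key that is not there: gpgcheck=1 with a missing
    # key makes every install fail, and the temptation is then to flip
    # gpgcheck=0 and lose signature verification entirely.
    [ -r "$key_file" ] || { echo "GPG key not readable: $key_file" >&2; return 1; }
    cat > "$repo_dir/local-iso.repo" <<EOF
[local-iso]
name=Local ISO repository
baseurl=file://$mount_point
enabled=1
gpgcheck=1
gpgkey=file://$key_file
EOF
}

# repo_gpgcheck_enabled REPO_FILE: succeed only if the file keeps gpgcheck=1.
repo_gpgcheck_enabled() {
    grep -qx 'gpgcheck=1' "$1"
}

# audit_repos DIR: print every *.repo file in DIR that disables signature
# checking; run it over /etc/yum.repos.d after editing.
audit_repos() {
    local f
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        repo_gpgcheck_enabled "$f" || echo "$f"
    done
}
```

After writing the file, `yum clean all` as in step V so the new definition is picked up.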

Thursday, September 22, 2011

# Scripting

1. Hello World Bash Shell Script

First you need to find out where your bash interpreter is located. Enter the following on your command line:

$ which bash

Open up your favorite text editor and create a file called hello_world.sh. Insert the following lines into the file:
NOTE: Every bash shell script in this tutorial starts with the shebang "#!", which is not read as a comment. The first line is also where you put the interpreter, which in this case is /bin/bash.
Here is our first bash shell script example:
#!/bin/bash
# declare STRING variable
STRING="Hello World"
#print variable on a screen
echo $STRING

Navigate to a directory where your hello_world.sh is located and make the file executable:
$ chmod +x hello_world.sh

Now you are ready to execute your first bash script:
./hello_world.sh


2. Simple Backup bash shell script
#!/bin/bash
tar -czf myhome_directory.tar.gz /home/linuxconfig






3. Variables
In this example we declare a simple bash variable and print it on the screen (stdout) with the echo command.
#!/bin/bash
STRING="HELLO WORLD!!!"
echo $STRING

Your backup script and variables:
#!/bin/bash
OF=myhome_directory_$(date +%Y%m%d).tar.gz
tar -czf $OF /home/linuxconfig

3.1. Global vs. Local variables
#!/bin/bash
#Define bash global variable
#This variable is global and can be used anywhere in this bash script
VAR="global variable"
function bash {
#Define bash local variable
#This variable is local to bash function only
local VAR="local variable"
echo $VAR
}
echo $VAR
bash
# Note the bash global variable did not change
# "local" is bash reserved word
echo $VAR

4. Passing arguments to the bash script
#!/bin/bash
# use predefined variables to access passed arguments
#echo arguments to the shell
echo $1 $2 $3 ' -> echo $1 $2 $3'

# We can also store arguments from bash command line in special array
args=("$@")
#echo arguments to the shell
echo ${args[0]} ${args[1]} ${args[2]} ' -> args=("$@"); echo ${args[0]} ${args[1]} ${args[2]}'

#use $@ to print out all arguments at once
echo $@ ' -> echo $@'

# use $# variable to print out
# number of arguments passed to the bash script
echo Number of arguments passed: $# ' -> echo Number of arguments passed: $#'
$ ./arguments.sh Bash Scripting Tutorial

5. Executing shell commands with bash
#!/bin/bash
# use backticks " ` ` " to execute shell command
echo `uname -o`
# executing bash command without backticks
echo uname -o

6. Reading User Input
#!/bin/bash

echo -e "Hi, please type the word: \c "
read word
echo "The word you entered is: $word"
echo -e "Can you please enter two words? "
read word1 word2
echo "Here is your input: \"$word1\" \"$word2\""
echo -e "How do you feel about bash scripting? "
# read command now stores a reply into the default build-in variable $REPLY
read
echo "You said $REPLY, I'm glad to hear that! "
echo -e "What are your favorite colours ? "
# -a makes read command to read into an array
read -a colours
echo "My favorite colours are also ${colours[0]}, ${colours[1]} and ${colours[2]}:-)"

7. Bash Trap Command
#!/bin/bash
# bash trap command
trap bashtrap INT
# bash clear screen command
clear;
# bash trap function is executed when CTRL-C is pressed:
# bash prints message => Executing bash trap subroutine !
bashtrap()
{
echo "CTRL+C Detected !...executing bash trap !"
}
# for loop from 1/10 to 10/10
for a in `seq 1 10`; do
echo "$a/10 to Exit."
sleep 1;
done
echo "Exit Bash Trap Example!!!"

8. Arrays
8.1. Declare simple bash array
#!/bin/bash
#Declare array with 4 elements
ARRAY=( 'Debian Linux' 'Redhat Linux' Ubuntu Linux )
# get number of elements in the array
ELEMENTS=${#ARRAY[@]}

# echo each element in array
# for loop
for (( i=0;i<$ELEMENTS;i++)); do
echo ${ARRAY[${i}]}
done

8.2. Read file into bash array
#!/bin/bash
# Declare array
declare -a ARRAY
# Link filedescriptor 10 with stdin
exec 10<&0
# stdin replaced with a file supplied as a first argument
exec < $1
let count=0

while read LINE; do

ARRAY[$count]=$LINE
((count++))
done

echo Number of elements: ${#ARRAY[@]}
# echo array's content
echo ${ARRAY[@]}
# restore stdin from filedescriptor 10
# and close filedescriptor 10
exec 0<&10 10<&-

Bash script execution with an output:
linuxconfig.org $ cat bash.txt
Bash
Scripting
Tutorial
Guide
linuxconfig.org $ ./bash-script.sh bash.txt
Number of elements: 4
Bash Scripting Tutorial Guide
linuxconfig.org $
9. Bash if / else / fi statements
9.1. Simple Bash if/else statement
Please note the spacing inside the [ and ] brackets! Without the spaces, it won't work!
#!/bin/bash
directory="./BashScripting"

# bash check if directory exists
if [ -d "$directory" ]; then
echo "Directory exists"
else
echo "Directory does not exist"
fi

9.2. Nested if/else
#!/bin/bash

# Declare variable choice and assign value 4
choice=4
# Print to stdout
echo "1. Bash"
echo "2. Scripting"
echo "3. Tutorial"
echo -n "Please choose a word [1,2 or 3]? "
# Loop while the variable choice is equal 4
# bash while loop
while [ $choice -eq 4 ]; do

# read user input
read choice
# bash nested if/else
if [ $choice -eq 1 ] ; then

echo "You have chosen word: Bash"

else

if [ $choice -eq 2 ] ; then
echo "You have chosen word: Scripting"
else

if [ $choice -eq 3 ] ; then
echo "You have chosen word: Tutorial"
else
echo "Please make a choice between 1-3 !"
echo "1. Bash"
echo "2. Scripting"
echo "3. Tutorial"
echo -n "Please choose a word [1,2 or 3]? "
choice=4
fi
fi
fi
done

10. Bash Comparisons
10.1. Arithmetic Comparisons
-lt <
-gt >
-le <=
-ge >=
-eq ==
-ne !=
#!/bin/bash
# declare integers
NUM1=2
NUM2=2
if [ $NUM1 -eq $NUM2 ]; then
echo "Both Values are equal"
else
echo "Values are NOT equal"
fi

#!/bin/bash
# declare integers
NUM1=2
NUM2=1
if [ $NUM1 -eq $NUM2 ]; then
echo "Both Values are equal"
else
echo "Values are NOT equal"
fi

#!/bin/bash
# declare integers
NUM1=2
NUM2=1
if [ $NUM1 -eq $NUM2 ]; then
echo "Both Values are equal"
elif [ $NUM1 -gt $NUM2 ]; then
echo "NUM1 is greater than NUM2"
else
echo "NUM2 is greater than NUM1"
fi

10.2. String Comparisons
= equal
!= not equal
< less than (inside [ ] escape it as \< or it is taken as a redirection; [[ ]] does not need the escape)
> greater than (inside [ ] escape it as \> for the same reason)
-n s1 string s1 is not empty
-z s1 string s1 is empty
#!/bin/bash
#Declare string S1
S1="Bash"
#Declare string S2
S2="Scripting"
if [ $S1 = $S2 ]; then
echo "Both Strings are equal"
else
echo "Strings are NOT equal"
fi

#!/bin/bash
#Declare string S1
S1="Bash"
#Declare string S2
S2="Bash"
if [ $S1 = $S2 ]; then
echo "Both Strings are equal"
else
echo "Strings are NOT equal"
fi

11. Bash File Testing
-b filename Block special file
-c filename Special character file
-d directoryname Check for directory existence
-e filename Check for file existence
-f filename Check for regular file existence not a directory
-G filename Check if file exists and is owned by effective group ID.
-g filename true if file exists and is set-group-id.
-k filename Sticky bit
-L filename Symbolic link
-O filename True if file exists and is owned by the effective user id.
-r filename Check if file is a readable
-S filename Check if file is socket
-s filename Check if file is nonzero size
-u filename Check if file set-user-id bit is set
-w filename Check if file is writable
-x filename Check if file is executable
#!/bin/bash
file="./file"
if [ -e "$file" ]; then
echo "File exists"
else
echo "File does not exist"
fi

Similarly, we can use a while loop to check whether a file does not exist. This script sleeps until the file exists. Note the bash negator "!", which negates the -e option.
#!/bin/bash

while [ ! -e myfile ]; do
# Sleep until file does exists/is created
sleep 1
done
12. Loops
12.1. Bash for loop
#!/bin/bash

# bash for loop
for f in $( ls /var/ ); do
echo $f
done
Running for loop from bash shell command line:
$ for f in $( ls /var/ ); do echo $f; done

12.2. Bash while loop
#!/bin/bash
COUNT=6
# bash while loop
while [ $COUNT -gt 0 ]; do
echo Value of count is: $COUNT
let COUNT=COUNT-1
done

12.3. Bash until loop
#!/bin/bash
COUNT=0
# bash until loop
until [ $COUNT -gt 5 ]; do
echo Value of count is: $COUNT
let COUNT=COUNT+1
done

12.4. Control bash loop with
Here is an example of a while loop controlled by standard input. As long as the redirection chain from STDOUT into the read command's STDIN keeps delivering lines, the while loop continues.
#!/bin/bash
# This bash script will locate and replace spaces
# in the filenames
DIR="."
# Controlling a loop with bash read command by redirecting STDOUT as
# a STDIN to while loop
# find will not truncate filenames containing spaces
find $DIR -type f | while read file; do
# using POSIX class [:space:] to find space in the filename
if [[ "$file" = *[[:space:]]* ]]; then
# substitute space with "_" character and consequently rename the file
mv "$file" "$(echo "$file" | tr ' ' '_')"
fi;
# end of while loop
done
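
The loop above breaks on names with leading blanks (read trims them), backslashes (read interprets them without -r) and embedded newlines (one name becomes two lines). As an added example that is not part of the original tutorial, the same rename driven by NUL-separated find output, which survives any file name, refuses to overwrite an existing file, and reports how many files it renamed. The sample tree the test builds is constructed.

```bash
#!/bin/bash
# Added example (not from the original tutorial): rename files whose names
# contain whitespace, driving the loop with "find -print0 | read -d ''" so
# odd file names cannot break or mislead it. Function name is this example's.

# rename_spaces DIR: replace every whitespace character in the names of the
# regular files under DIR with "_" and print the number of files renamed.
rename_spaces() {
    local dir="$1" renamed=0 path base newbase
    # -print0 / read -d '' keep the loop correct for any byte except NUL;
    # IFS= stops read from trimming leading blanks and -r keeps backslashes.
    while IFS= read -r -d '' path; do
        base=${path##*/}
        newbase=$(printf '%s' "$base" | tr '[:space:]' '_')
        # Nothing to do when the name has no whitespace.
        [ "$base" = "$newbase" ] && continue
        # Never clobber an existing file: a collision would silently lose data.
        if [ -e "${path%/*}/$newbase" ]; then
            echo "skip: ${path%/*}/$newbase already exists" >&2
            continue
        fi
        mv -- "$path" "${path%/*}/$newbase"
        renamed=$((renamed + 1))
    done < <(find "$dir" -type f -print0)
    echo "$renamed"
}
```

Process substitution (`< <(find ...)`) instead of a pipe keeps the while loop in the current shell, so the counter is still visible after the loop ends.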

13. Bash Functions
#!/bin/bash
# BASH FUNCTIONS CAN BE DECLARED IN ANY ORDER
function function_B {
echo Function B.
}
function function_A {
echo $1
}
function function_D {
echo Function D.
}
function function_C {
echo $1
}
# FUNCTION CALLS
# Pass parameter to function A
function_A "Function A."
function_B
# Pass parameter to function C
function_C "Function C."
function_D

14. Bash Select
#!/bin/bash

PS3='Choose one word: '

# bash select
select word in "linux" "bash" "scripting" "tutorial"
do
echo "The word you have selected is: $word"
# Break, otherwise endless loop
break
done

exit 0

15. Case statement conditional
#!/bin/bash
echo "What is your preferred programming / scripting language"
echo "1) bash"
echo "2) perl"
echo "3) python"
echo "4) c++"
echo "5) I do not know !"
read case;
#simple case bash structure
# note in this case $case is variable and does not have to
# be named case this is just an example
case $case in
1) echo "You selected bash";;
2) echo "You selected perl";;
3) echo "You selected python";;
4) echo "You selected c++";;
5) exit
esac

16. Bash quotes and quotations
Quotations and quotes are important part of bash and bash scripting. Here are some bash quotes and quotations basics.
16.1. Escaping Meta characters
Before we start with quotes and quotations we should know something about escaping meta characters. Escaping suppresses the special meaning of a meta character, so bash reads it literally. To do this we use the backslash "\" character. Example:
#!/bin/bash

#Declare bash string variable
BASH_VAR="Bash Script"

# echo variable BASH_VAR
echo $BASH_VAR

#when a meta character such as "$" is escaped with "\" it is read literally
echo \$BASH_VAR

# backslash has also special meaning and it can be suppressed with yet another "\"
echo "\\"

16.2. Single quotes
Single quotes in bash suppress the special meaning of every meta character, so meta characters are read literally. It is not possible to use another single quote within two single quotes, not even if the single quote is escaped with a backslash.
#!/bin/bash

#Declare bash string variable
BASH_VAR="Bash Script"

# echo variable BASH_VAR
echo $BASH_VAR

# meta characters special meaning in bash is suppressed when using single quotes
echo '$BASH_VAR "$BASH_VAR"'

16.3. Double Quotes
Double quotes in bash suppress the special meaning of every meta character except "$", "\" and "`"; all other meta characters are read literally. It is also possible to use a single quote within double quotes. If we need double quotes within double quotes, bash reads them literally when they are escaped with "\". Example:
#!/bin/bash

#Declare bash string variable
BASH_VAR="Bash Script"

# echo variable BASH_VAR
echo $BASH_VAR

# meta characters and its special meaning in bash is
# suppressed when using double quotes except "$", "\" and "`"

echo "It's $BASH_VAR and \"$BASH_VAR\" using backticks: `date`"

16.4. Bash quoting with ANSI-C style
There is also another type of quoting, ANSI-C quoting. Inside it, characters escaped with "\" gain a special meaning according to the ANSI-C standard:
\a alert (bell)
\b backspace
\e an escape character
\f form feed
\n newline
\r carriage return
\t horizontal tab
\v vertical tab
\\ backslash
\' single quote
\nnn character with octal value nnn (see the ASCII table at http://www.asciitable.com/)
\xnn character with hexadecimal value nn (see the ASCII table at http://www.asciitable.com/)
The syntax of ANSI-C bash quoting is $'...'. Here is an example:
#!/bin/bash

# as a example we have used \n as a new line, \x40 is hex value for @
# and \56 is octal value for .
echo $'web: www.linuxconfig.org\nemail: web\x40linuxconfig\56org'
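
The quoting rules above decide what happens to a value you did not choose: an unquoted $var is word-split on IFS and then pathname-expanded, while "$var" stays one argument. As an added example that is not part of the original tutorial, the following functions make that difference measurable; every value and file they use is constructed.

```bash
#!/bin/bash
# Added example (not from the original tutorial): count how many arguments
# the same value turns into when expanded unquoted versus double-quoted.
# All sample values are constructed; function names are this example's own.

count_args() { echo "$#"; }

# unquoted_count VALUE: expand VALUE without quotes (word split + glob).
# The missing quotes are the point of the demonstration.
unquoted_count() { count_args $1; }

# quoted_count VALUE: expand VALUE inside double quotes (one argument).
quoted_count() { count_args "$1"; }

# compare_quoting VALUE: print "<args when unquoted> <args when quoted>".
compare_quoting() {
    echo "$(unquoted_count "$1") $(quoted_count "$1")"
}

# glob_demo DIR: run the comparison on the literal value "*" with DIR as the
# working directory, so the unquoted form expands to DIR's entries. This is
# what happens when a user-supplied "*" reaches an unquoted rm, cp or chmod.
glob_demo() {
    ( cd "$1" && compare_quoting '*' )
}

# single_vs_double: single quotes keep $HOME literal, double quotes expand it;
# prints "literal" when the two behave as the tutorial describes.
single_vs_double() {
    local s='$HOME' d="$HOME"
    [ "$s" = '$HOME' ] && [ "$d" != '$HOME' ] && echo literal
}
```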

17. Arithmetic Operations
17.1. Bash Addition Calculator Example
#!/bin/bash

let RESULT1=$1+$2
echo $1+$2=$RESULT1 ' -> # let RESULT1=$1+$2'
declare -i RESULT2
RESULT2=$1+$2
echo $1+$2=$RESULT2 ' -> # declare -i RESULT2; RESULT2=$1+$2'
echo $1+$2=$(($1 + $2)) ' -> # $(($1 + $2))'

17.2. Bash Arithmetics
#!/bin/bash

echo '### let ###'
# bash addition
let ADDITION=3+5
echo "3 + 5 =" $ADDITION

# bash subtraction
let SUBTRACTION=7-8
echo "7 - 8 =" $SUBTRACTION

# bash multiplication
let MULTIPLICATION=5*8
echo "5 * 8 =" $MULTIPLICATION

# bash division
let DIVISION=4/2
echo "4 / 2 =" $DIVISION

# bash modulus
let MODULUS=9%4
echo "9 % 4 =" $MODULUS

# bash power of two
let POWEROFTWO=2**2
echo "2 ^ 2 =" $POWEROFTWO


echo '### Bash Arithmetic Expansion ###'
# There are two formats for arithmetic expansion: $[ expression ]
# and $(( expression )); $[ ] is the older, deprecated form

echo 4 + 5 = $((4 + 5))
echo 7 - 7 = $[ 7 - 7 ]
echo 4 x 6 = $((4 * 6))
echo 6 / 3 = $((6 / 3))
echo 8 % 7 = $((8 % 7))
echo 2 ^ 8 = $[ 2 ** 8 ]


echo '### Declare ###'

echo -e "Please enter two numbers \c"
# read user input
read num1 num2
declare -i result
result=$num1+$num2
echo "Result is:$result "

# bash convert binary number 10001
result=2#10001
echo $result

# bash convert octal number 16
result=8#16
echo $result

# bash convert hex number 0xE6A
result=16#E6A
echo $result

17.3. Round floating point number
#!/bin/bash
# get floating point number
floating_point_number=3.3446
echo $floating_point_number
# round floating point number with bash
for bash_rounded_number in $(printf %.0f $floating_point_number); do
echo "Rounded number with bash:" $bash_rounded_number
done

17.4. Bash floating point calculations
#!/bin/bash
# Simple linux bash calculator
echo "Enter input:"
read userinput
echo "Result with 2 digits after decimal point:"
echo "scale=2; ${userinput}" | bc
echo "Result with 10 digits after decimal point:"
echo "scale=10; ${userinput}" | bc
echo "Result as rounded integer:"
echo $userinput | bc
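
The addition calculator in 17.1 feeds $1 and $2 straight into let, and the bc calculator above pipes the raw user input into bc. Bash arithmetic evaluates its operands and bc accepts a whole programming language, so a value that is not a plain number can do more than produce a wrong result. As an added example that is not part of the original tutorial, the following functions check the shape of the input before either evaluator sees it; the function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original tutorial): validate user input before
# handing it to bash arithmetic or to bc. Function names are assumptions.

# is_int VALUE: succeed only for an optional minus sign followed by digits
# with no leading zero (a leading zero makes bash read the number as octal,
# so "08" would be an error rather than eight).
is_int() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^-?(0|[1-9][0-9]*)$'
}

# safe_add A B: print A+B, or fail without evaluating anything when either
# operand is not an integer.
safe_add() {
    is_int "$1" && is_int "$2" || { echo "refusing non-integer input" >&2; return 1; }
    echo $(( $1 + $2 ))
}

# is_arith_expr EXPR: allow only digits, a decimal point, blanks, the
# operators + - * / %, and parentheses, so "scale=2; $EXPR" never reaches bc
# carrying statements, variables or loops.
is_arith_expr() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[0-9. +*/()%-]+$'
}

# bc_calc EXPR [SCALE]: evaluate a validated expression with bc.
bc_calc() {
    is_arith_expr "$1" || { echo "refusing expression: $1" >&2; return 1; }
    echo "scale=${2:-2}; $1" | bc
}
```

The same `read userinput` from the script above can be followed by `bc_calc "$userinput" 10` in place of the unchecked pipe into bc.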

18. Redirections
18.1. STDOUT from bash script to STDERR
#!/bin/bash

echo "Redirect this STDOUT to STDERR" 1>&2
To prove that STDOUT is redirected to STDERR we can redirect the script's output to a file:

18.2. STDERR from bash script to STDOUT
#!/bin/bash

cat $1 2>&1
To prove that STDERR is redirected to STDOUT we can redirect the script's output to a file:

18.3. stdout to screen
The simplest way to see standard output (stdout) is to run any command, because by default stdout goes to the screen. First create a file "file1":
$ touch file1
$ ls file1
file1
As you can see from the example above, executing the ls command produces STDOUT, which by default is displayed on the screen.
18.4. stdout to file
To override the default behavior of STDOUT we can use ">" to redirect the output to a file:
$ ls file1 > STDOUT
$ cat STDOUT
file1
18.5. stderr to file
By default STDERR is displayed on the screen:
$ ls
file1 STDOUT
$ ls file2
ls: cannot access file2: No such file or directory
In the following example we redirect the standard error (stderr) to a file while stdout still goes to the screen. Note that STDOUT is displayed on the screen, while STDERR is redirected to a file called STDERR:
$ ls
file1 STDOUT
$ ls file1 file2 2> STDERR
file1
$ cat STDERR
ls: cannot access file2: No such file or directory
18.6. stdout to stderr
It is also possible to redirect STDOUT and STDERR to the same file. In the next example we will redirect STDOUT to the same descriptor as STDERR. Both STDOUT and STDERR will be redirected to file "STDERR_STDOUT".
$ ls
file1 STDERR STDOUT
$ ls file1 file2 2> STDERR_STDOUT 1>&2
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
File STDERR_STDOUT now contains STDOUT and STDERR.
18.7. stderr to stdout
The above example can be reversed by redirecting STDERR to the same descriptor as STDOUT:
$ ls
file1 STDERR STDOUT
$ ls file1 file2 > STDERR_STDOUT 2>&1
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
18.8. stderr and stdout to file
Previous two examples redirected both STDOUT and STDERR to a file. Another way to achieve the same effect is illustrated below:
$ ls
file1 STDERR STDOUT
$ ls file1 file2 &> STDERR_STDOUT
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
or
$ ls file1 file2 >& STDERR_STDOUT
$ cat STDERR_STDOUT
ls: cannot access file2: No such file or directory
file1
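
As an added example that is not part of the original tutorial, the redirections of sections 18.1 to 18.8 exercised inside functions, so that the effect can be checked rather than eyeballed. It also shows why the order of "> file" and "2>&1" matters, which the examples above rely on without spelling out. The emitting helper and its two messages are constructed.

```bash
#!/bin/bash
# Added example (not from the original tutorial): stdout/stderr redirection
# checked through files. The emit helper stands in for any script that writes
# to both streams; function names are this example's own.

# emit: one line to stdout and one to stderr, like 18.1 and 18.2 combined.
emit() {
    echo "to stdout"
    echo "to stderr" 1>&2
}

# split_streams DIR: stdout -> DIR/out, stderr -> DIR/err (18.4 and 18.5).
split_streams() {
    emit > "$1/out" 2> "$1/err"
}

# merged_lines DIR: both streams into DIR/both. "2>&1" comes AFTER "> file",
# so stderr is pointed at the file stdout already refers to (18.7).
# Prints the number of lines that landed in the file.
merged_lines() {
    emit > "$1/both" 2>&1
    wc -l < "$1/both" | tr -d ' '
}

# wrong_order DIR: "2>&1 > file" is evaluated left to right, so stderr is
# joined to what stdout pointed at BEFORE the file was opened (normally the
# terminal) and only the stdout line reaches DIR/wrong.
wrong_order() {
    emit 2>&1 > "$1/wrong"
}
```

Redirections are applied left to right, which is the whole difference between `> file 2>&1` (both streams into the file) and `2>&1 > file` (stderr to the terminal, stdout to the file).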

OpenLDAP configuration On CentOS

OpenLDAP – Centos5 – Server Configuration
****

Usage: A quick and dirty guide for an OpenLDAP Server Configuration on Centos 5.5 64-bit Environment

****

1. install the software

[root@ldap ~]# yum install openldap-servers openldap-servers-overlays openldap-clients

****

2. make proper directories for your setup

[root@ldap openldap]# pwd
/etc/openldap

[root@ldap openldap]# mkdir /var/lib/ldap/bar.com

[root@ldap openldap]# ls -la
total 72
drwxr-xr-x 4 root root 4096 Mar 8 12:30 .
drwxr-xr-x 79 root root 4096 Mar 7 17:35 ..
drwxr-xr-x 2 root root 4096 Nov 29 09:50 cacerts
-rw-r----- 1 root ldap 921 Nov 29 09:49 DB_CONFIG.example
-rw-r--r-- 1 root root 327 Jun 25 2010 ldap.conf
-rw------- 1 root root 327 Mar 8 12:16 ldap.conf.orig
drwxr-xr-x 3 root root 4096 Mar 7 17:26 schema
-rw-r----- 1 root ldap 3167 Mar 8 12:30 slapd.conf
-rw------- 1 root root 3801 Mar 8 12:16 slapd.conf.orig

[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/bar.com/DB_CONFIG

****

3. configure your slapd.conf

[root@ldap openldap]# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

# loglevel
#loglevel 768
loglevel stats acl

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema

# Allow LDAPv2 client connections. This is NOT the default.
#allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem
TLSVerifyClient allow

# Access restricted for normal users
defaultaccess none

access to attrs=userPassword
by self write
by dn="cn=LDAPMaster,dc=foo,dc=bar,dc=com" write
by anonymous auth
by * none

access to *
by dn="cn=LDAPMaster,dc=foo,dc=bar,dc=com" write
by self write
by * read

# enable monitoring
database monitor

# allow only rootdn to read the monitor
access to *
by dn.exact="cn=LDAPMaster,dc=foo,dc=bar,dc=com" read
by * none

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=bar,dc=com"
rootdn "uid=LDAPMaster,dc=foo,dc=bar,dc=com"
rootpw {SSHA}Ai+3urKCuCoWgg/KPV

directory /var/lib/ldap/bar.com

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index sudoUser eq
#index nisMapName,nisMapEntry eq,pres,sub

###
#
modulepath /usr/lib64/openldap

# required if the overlay is built dynamically
#
# for dynlist by muda
moduleload dynlist.la
# for ppolicy by muda
moduleload ppolicy.la
#moduleload refint.la
#moduleload unique.la

# other overlay directives
#
# for dynlist by muda
overlay dynlist
# for ppolicy by muda
overlay ppolicy
#overlay refint
#overlay unique

# define the default policy – by muda
ppolicy_default "cn=default,ou=pwpolicies,dc=foo,dc=bar,dc=com"

#This would not return "account locked" in case the account is locked, for security purposes - by muda
ppolicy_use_lockout

dynlist-attrset extensibleObject labeledURI member

#refint_attributes member
#refint_nothing "uid=muda,o=auth_user,dc=foo,dc=bar,dc=com"
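
As an added example that is not part of the original post, a small audit script for a slapd.conf in the style shown above. It flags the points a reviewer would raise on such a file: a TLSCipherSuite that still names SSLv2/SSLv3 cipher suites (as the one above does), a rootpw stored in clear text instead of a hash such as the {SSHA} value above, a userPassword ACL that lets anonymous or all users read the attribute, and a TLS private key file that is world readable. The configurations it is tested against are constructed samples, not the server's real file; the function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original post): lint a slapd.conf for a few
# settings that weaken the server. Sample inputs are constructed in the test;
# function names are assumptions.

# strip_comments FILE: drop comments and blank lines, trim and collapse
# whitespace so the checks below can match on a normalised line.
strip_comments() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' -e 's/[[:space:]]\{1,\}/ /g' "$1"
}

# check_slapd_conf FILE: print one line per finding plus "findings: N";
# succeed only when nothing was found.
check_slapd_conf() {
    local conf="$1" findings=0 cleaned keyfile
    cleaned=$(strip_comments "$conf")

    # Cipher list admitting SSLv2/SSLv3 suites.
    if printf '%s\n' "$cleaned" | grep -Eq '^TLSCipherSuite .*SSLv[23]'; then
        echo "TLSCipherSuite names SSLv2/SSLv3 cipher suites"; findings=$((findings + 1))
    fi

    # rootpw that does not start with a hash scheme such as {SSHA}.
    if printf '%s\n' "$cleaned" | grep -Eq '^rootpw [^{]'; then
        echo "rootpw is stored in clear text (use slappasswd output)"; findings=$((findings + 1))
    fi

    # Inside the "access to attrs=userPassword" block, anything beyond
    # "auth" for anonymous/users/* exposes password hashes.
    if printf '%s\n' "$cleaned" | awk '
        /^access to attrs=userPassword/ { inpw = 1; next }
        /^access to / || /^database / { inpw = 0 }
        inpw && /^by ([*]|anonymous|users) (read|write|compare)/ { found = 1 }
        END { exit found ? 0 : 1 }'; then
        echo "userPassword readable by anonymous or all users"; findings=$((findings + 1))
    fi

    # TLS private key that other users on the host can read.
    keyfile=$(printf '%s\n' "$cleaned" | awk '$1 == "TLSCertificateKeyFile" { print $2; exit }')
    if [ -n "$keyfile" ] && [ -e "$keyfile" ] && [ -n "$(find "$keyfile" -perm -004)" ]; then
        echo "TLS private key $keyfile is world readable"; findings=$((findings + 1))
    fi

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}
```

Run it as `check_slapd_conf /etc/openldap/slapd.conf` before starting slapd in step 12; the key-permission check is the same thing step 9 does by hand with chmod 400.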

****

4. install a http server with ssl support (not really needed but helpful)

[root@ldap private]# yum install httpd mod_ssl

****

5. create the proper directories which are needed for our CA

[root@ldap CA]# pwd
/etc/pki/CA

[root@ldap CA]# mkdir certs
[root@ldap CA]# mkdir crl
[root@ldap CA]# mkdir newcerts
[root@ldap CA]# touch index.txt

[root@ldap CA]# ls -la
total 52
drwx------ 6 root root 4096 Mar 8 13:28 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
drwx------ 2 root root 4096 Mar 8 13:28 certs
drwx------ 2 root root 4096 Mar 8 13:28 crl
-rw------- 1 root root 0 Mar 8 13:28 index.txt
drwx------ 2 root root 4096 Mar 8 13:28 newcerts
drwx------ 2 root root 4096 Dec 15 16:31 private

****

6. create the proper keys for the CA which is needed for our LDAP configuration

[root@ldap CA]# openssl req -config ../tls/openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
Generating a 1024 bit RSA private key
....++++++
..............++++++
writing new private key to 'private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [London]:
Locality Name (eg, city) [London]:
Organization Name (eg, company) [bar LTD]:
Organizational Unit Name (eg, section) []:Hosting
Common Name (eg, your name or your server's hostname) []:ldap1.foo.bar.com
Email Address []:

[root@ldap private]# ln -s ca.key cakey.pem
[root@ldap private]# ls -la
total 28
drwx------ 2 root root 4096 Mar 8 13:36 .
drwx------ 6 root root 4096 Mar 8 13:28 ..
-rw------- 1 root root 963 Mar 8 13:31 ca.key
lrwxrwxrwx 1 root root 6 Mar 8 13:36 cakey.pem -> ca.key

[root@ldap CA]# ln -s certs/ca.crt cacert.pem
[root@ldap CA]# ls -la
total 56
drwx------ 6 root root 4096 Mar 8 13:38 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
lrwxrwxrwx 1 root root 12 Mar 8 13:38 cacert.pem -> certs/ca.crt
drwx------ 2 root root 4096 Mar 8 13:31 certs
drwx------ 2 root root 4096 Mar 8 13:28 crl
-rw------- 1 root root 0 Mar 8 13:28 index.txt
drwx------ 2 root root 4096 Mar 8 13:28 newcerts
drwx------ 2 root root 4096 Mar 8 13:36 private

[root@ldap CA]# touch serial
[root@ldap CA]# ls -la
total 60
drwx------ 6 root root 4096 Mar 8 13:39 .
drwxr-xr-x 6 root root 4096 Jun 25 2010 ..
lrwxrwxrwx 1 root root 12 Mar 8 13:38 cacert.pem -> certs/ca.crt
drwx------ 2 root root 4096 Mar 8 13:31 certs
drwx------ 2 root root 4096 Mar 8 13:28 crl
-rw------- 1 root root 0 Mar 8 13:28 index.txt
drwx------ 2 root root 4096 Mar 8 13:28 newcerts
drwx------ 2 root root 4096 Mar 8 13:36 private

[root@ldap workspace.muda]# vi ../../CA/serial
insert '00'

****

7. create the proper keys for TLS support which is needed for our LDAP configuration

[root@ldap workspace.muda]# openssl req -newkey rsa:2048 -keyout key.pem -keyform PEM -out req.pem -outform PEM -nodes
Generating a 2048 bit RSA private key
………………………………………………….+++
…………………………………………………………….+++
writing new private key to ‘key.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [UK]:
State or Province Name (full name) [London]:
Locality Name (eg, city) [London]:
Organization Name (eg, company) [bar LTD]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:ldap1.foo.bar.com
Email Address []:webmaster@bar.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

****

8. sign the key with your CA

[root@ldap workspace.muda]# openssl ca -in req.pem -notext -out cert.pem -config ../openssl.cnf
Using configuration from ../openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Mar 8 14:07:44 2011 GMT
Not After : Mar 5 14:07:44 2021 GMT
Subject:
countryName = UK
stateOrProvinceName = London
organizationName = bar LTD
commonName = ldap1.foo.bar.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate

Certificate is to be certified until Mar 5 14:07:44 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@ldap workspace.muda]# ls -la
total 48
drwx------ 3 root root 4096 Mar 8 15:07 .
drwxr-xr-x 6 root root 4096 Mar 8 12:57 ..
drwx------ 2 root root 4096 Mar 8 13:58 backup
-rw------- 1 root root 1233 Mar 8 15:07 cert.pem
-rw------- 1 root root 1679 Mar 8 15:07 key.pem
-rw------- 1 root root 1017 Mar 8 15:07 req.pem

****

9. copy the keys to the proper locations

[root@ldap workspace.muda]# cp cert.pem /etc/openldap/slapdcert.pem
[root@ldap workspace.muda]# cp key.pem /etc/openldap/slapdkey.pem

[root@ldap workspace.muda]# chmod 400 /etc/openldap/slapd*.pem
[root@ldap workspace.muda]# chown ldap /etc/openldap/slapd*.pem

[root@ldap workspace.muda]# ls -la /etc/openldap/
total 88
drwxr-xr-x 4 root root 4096 Mar 8 15:10 .
drwxr-xr-x 81 root root 4096 Mar 8 12:53 ..
drwxr-xr-x 2 root root 4096 Nov 29 09:50 cacerts
-rw-r----- 1 root ldap 921 Nov 29 09:49 DB_CONFIG.example
-rw-r--r-- 1 root root 327 Jun 25 2010 ldap.conf
-rw------- 1 root root 327 Mar 8 12:16 ldap.conf.orig
drwxr-xr-x 3 root root 4096 Mar 7 17:26 schema
-r-------- 1 ldap root 1233 Mar 8 15:10 slapdcert.pem
-rw-r----- 1 root ldap 3167 Mar 8 12:30 slapd.conf
-rw------- 1 root root 3801 Mar 8 12:16 slapd.conf.orig
-r-------- 1 ldap root 1679 Mar 8 15:11 slapdkey.pem

[root@ldap workspace.muda]# cd ../../CA/certs/
[root@ldap certs]# ls -la
total 24
drwx------ 2 root root 4096 Mar 8 13:31 .
drwx------ 6 root root 4096 Mar 8 15:07 ..
-rw------- 1 root root 1289 Mar 8 13:31 ca.crt

[root@ldap certs]# cp ca.crt /etc/openldap/cacerts/cacert.pem
[root@ldap certs]# chown ldap /etc/openldap/cacerts/cacert.pem
[root@ldap certs]# chmod 400 /etc/openldap/cacerts/cacert.pem

****

10. create the sudoers ldap schema

[root@ldap schema]# cat sudo.schema
#
# schema file for sudo
#
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $
description )
)

[root@ldap schema]# ls -la
total 292
drwxr-xr-x 3 root root 4096 Mar 8 15:16 .
drwxr-xr-x 4 root root 4096 Mar 8 15:10 ..
-rw-r--r-- 1 root root 8231 Nov 29 09:49 corba.schema
-rw-r--r-- 1 root root 20591 Nov 29 09:49 core.ldif
-rw-r--r-- 1 root root 19762 Nov 29 09:49 core.schema
-rw-r--r-- 1 root root 74080 Nov 29 09:49 cosine.schema
-rw-r--r-- 1 root root 1553 Nov 29 09:49 dyngroup.schema
-rw-r--r-- 1 root root 6360 Nov 29 09:49 inetorgperson.schema
-rw-r--r-- 1 root root 13984 Nov 29 09:49 java.schema
-rw-r--r-- 1 root root 2471 Nov 29 09:49 misc.schema
-rw-r--r-- 1 root root 7723 Nov 29 09:49 nis.schema
-rw-r--r-- 1 root root 3391 Nov 29 09:49 openldap.ldif
-rw-r--r-- 1 root root 1601 Nov 29 09:49 openldap.schema
-rw-r--r-- 1 root root 19689 Nov 29 09:49 ppolicy.schema
-rw-r--r-- 1 root root 2968 Nov 29 09:49 README
drwxr-xr-x 2 root root 4096 Mar 7 17:26 redhat
-rw------- 1 root root 1255 Mar 8 15:16 sudo.schema

[root@ldap schema]# chmod 644 sudo.schema

****

11. do some sanity work for proper user rights

[root@ldap bar.com]# pwd
/var/lib/ldap/bar.com

[root@ldap bar.com]# ls -la
total 88278
-rw------- 1 root root 921 Mar 8 15:22 DB_CONFIG

[root@ldap bar.com]# chown ldap *
[root@ldap bar.com]# ls -la
total 88278
-rw------- 1 ldap root 921 Mar 8 15:22 DB_CONFIG

****

12. start the ldap service for the first config issues

[root@ldap schema]# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]

****

13. start with the initial load setup

[root@ldap schema]# pwd
/etc/openldap/schema

[root@ldap schema]# cat sd_initial.ldif
dn: dc=bar,dc=com
objectclass: dcObject
objectclass: organization
o: bar AG
dc: bar

dn: dc=foo,dc=bar,dc=com
objectclass: dcObject
objectclass: organization
o: Hosting bar AG
dc: foo

dn: cn=LDAPMaster,dc=foo,dc=bar,dc=com
objectClass: organizationalRole
cn: LDAPMaster

****

14. Load the initial LDIF with slapadd

[root@ldap schema]# slapadd -v -l sd_initial.ldif -b dc=foo,dc=bar,dc=com
added: "dc=bar,dc=com" (00000001)
added: "dc=foo,dc=bar,dc=com" (00000002)
added: "cn=LDAPMaster,dc=foo,dc=bar,dc=com" (00000003)

****

15. check for it with slapcat

[root@ldap schema]# slapcat -f /etc/openldap/slapd.conf -b "dc=bar,dc=com"
dn: dc=bar,dc=com
objectClass: dcObject
objectClass: organization
o: bar LTD
dc: bar
structuralObjectClass: organization
entryUUID: ef58d566-dddc-102f-8722-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000000#00#000000

dn: dc=foo,dc=bar,dc=com
objectClass: dcObject
objectClass: organization
o: Hosting bar LTD
dc: foo
structuralObjectClass: organization
entryUUID: ef59994c-dddc-102f-8723-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000001#00#000000

dn: cn=LDAPMaster,dc=foo,dc=bar,dc=com
objectClass: organizationalRole
cn: LDAPMaster
structuralObjectClass: organizationalRole
entryUUID: ef59ce1c-dddc-102f-8724-81ba417f62e8
creatorsName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
modifiersName: uid=LDAPMaster,dc=foo,dc=bar,dc=com
createTimestamp: 20110308143435Z
modifyTimestamp: 20110308143435Z
entryCSN: 20110308143435Z#000002#00#000000

****

15. check the '/etc/openldap/ldap.conf'

[root@ldap openldap]# cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=foo,dc=bar,dc=com
URI ldap://ldap1.foo.bar.com

TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow

****

16. check again for proper user rights (ldap) and fix it if necessary

[root@ldap openldap]# cd /var/lib/ldap/
[root@ldap ldap]# ls -la
total 8
drwx------ 3 ldap ldap 1024 Mar 8 12:34 .
drwxr-xr-x 22 root root 1024 Mar 8 12:53 ..
-rw-r--r-- 1 root root 37 Mar 7 17:26 openldap-severs-update.log
drwx------ 2 root root 1024 Mar 8 15:34 bar.com

[root@ldap ldap]# chown -R ldap *
[root@ldap ldap]# ls -la
total 8
drwx------ 3 ldap ldap 1024 Mar 8 12:34 .
drwxr-xr-x 22 root root 1024 Mar 8 12:53 ..
-rw-r--r-- 1 ldap root 37 Mar 7 17:26 openldap-severs-update.log
drwx------ 2 ldap root 1024 Mar 8 15:34 bar.com

[root@ldap ldap]# cd bar.com/
[root@ldap bar.com]# ls -la
total 88278
drwx------ 2 ldap root 1024 Mar 8 15:34 .
drwx------ 3 ldap ldap 1024 Mar 8 12:34 ..
-rw------- 1 ldap root 8192 Mar 8 15:34 cn.bdb
-rw------- 1 ldap root 24576 Mar 8 15:35 __db.001
-rw------- 1 ldap root 104857600 Mar 8 15:35 __db.002
-rw------- 1 ldap root 335552512 Mar 8 15:35 __db.003
-rw------- 1 ldap root 2359296 Mar 8 15:35 __db.004
-rw------- 1 ldap root 557056 Mar 8 15:35 __db.005
-rw------- 1 ldap root 24576 Mar 8 15:35 __db.006
-rw------- 1 ldap root 921 Mar 8 15:31 DB_CONFIG
-rw------- 1 ldap root 8192 Mar 8 15:34 dn2id.bdb
-rw------- 1 ldap root 32768 Mar 8 15:34 id2entry.bdb
-rw------- 1 ldap root 10485760 Mar 8 15:34 log.0000000001
-rw------- 1 ldap root 8192 Mar 8 15:34 objectClass.bdb

****

17. config the ldap base for our tree and load it

[root@ldap schema]# cat sd_base.ldif
# hostgroup
dn: ou=hosts,dc=foo,dc=bar,dc=com
ou: hosts
objectClass: organizationalunit

# sudoers group
dn: ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# authenticated groups
dn: o=auth_group,dc=foo,dc=bar,dc=com
o: auth_group
objectclass: organization

# authenticated users
dn: o=auth_user,dc=foo,dc=bar,dc=com
o: auth_user
objectclass: organization

# pw policy group
dn: ou=pwpolicies,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: pwpolicies

[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D "uid=LDAPMaster,dc=foo,dc=bar,dc=com" -W -f sd_base.ldif -vv

****

18. config the ldap group base for our tree and load it

[root@ldap schema]# cat sd_auth_group.ldif
dn: cn=testXusergrp,o=auth_group,dc=foo,dc=bar,dc=com
objectClass: posixGroup
objectClass: top
cn: testXusergrp
gidNumber: 5500
userPassword:: e2NyeXg=

[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D "uid=LDAPMaster,dc=foo,dc=bar,dc=com" -W -f sd_auth_group.ldif -vv

****

19. config the ldap user base for our tree and load it

[root@ldap schema]# cat sd_auth_user.ldif
dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
cn: Checkit TestUser
gidNumber: 5500
homeDirectory: /home/nfs/checkit
uid: checkit
uidNumber: 10001
description: testing user for ldap
loginShell: /bin/bash
shadowLastChange: 14853
shadowMax: 99999
shadowWarning: 7
userPassword:: e2NyeXB0fSQNzSDE=

19.1 Alternative: configure the ldap user base with inetOrgPerson and load it

I had a problem with 'objectClass: account' because I need an entry for 'mail' to run a script that checks whether an account password is close to expiration. So I changed the structural 'objectClass' to 'inetOrgPerson', which gives me the possibility to work with that (sn is a must, mail is optional).

Check: http://www.zytrax.com/books/ldap/ape/#inetorgperson

[root@ldap schema]# cat sd_auth_user.ldif
dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
cn: Checkit TestUser
sn: checkit
mail: checkit@foo.bar.com
gidNumber: 5500
homeDirectory: /home/nfs/checkit
uid: checkit
uidNumber: 10001
description: testing user for ldap
loginShell: /bin/bash
shadowLastChange: 14853
shadowMax: 99999
shadowWarning: 7
userPassword:: e2NyeXB0fSQNzSDE=

[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D "uid=LDAPMaster,dc=foo,dc=bar,dc=com" -W -f sd_auth_user.ldif -vv

HINT: You can do this with existing entries in your tree as well; this should work:
you just have to write the LDIF so that the removal of 'account' and the addition of 'inetOrgPerson' happen in one modify operation.

dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
changetype: modify
add: objectclass
objectclass: inetOrgPerson
-
delete: objectclass
objectclass: account
-
add: sn
sn: checkit

****

20. config the ldap sudoers base for our tree and load it

[root@ldap schema]# cat sd_sudoers.ldif
dn: cn=defaults,ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: sudoRole
objectClass: top
cn: defaults
description: Default sudoOption's
sudoOption: !lecture
sudoOption: log_host
sudoOption: log_year
sudoOption: ignore_dot
sudoOption: logfile=/var/log/sudolog
sudoOption: passwd_tries=3
sudoOption: timestamp_timeout=5
sudoOption: passwd_timeout=1
sudoOption: syslog=authpriv
sudoOption: root_sudo
sudoOption: authenticate
sudoOption: ignore_local_sudoers

dn: cn=administration,ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: sudoRole
objectClass: top
cn: administration
description: Administration Role
sudoCommand: ALL
sudoCommand: !/usr/sbin/visudo
sudoCommand: !/bin/more *sudoers
sudoCommand: !/bin/cp *sudoers
sudoCommand: !/bin/mv *sudoers
sudoCommand: !/bin/cat *sudoers
sudoCommand: !/bin/su ""
sudoCommand: !/bin/su * root
sudoCommand: !/bin/su -
sudoCommand: !/bin/su -[! ]*
sudoCommand: !/bin/su root
sudoCommand: !/bin/vi *sudoers
sudoOption: !authenticate
sudoHost: ldap1.foo.bar.com
sudoRunAs: root
sudoUser: checkit

[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D "uid=LDAPMaster,dc=foo,dc=bar,dc=com" -W -f sd_sudoers.ldif -vv

****

21. config the ldap password policy base for our tree and load it

[root@ldap schema]# cat sd_ppolicy.ldif
dn: cn=default,ou=pwpolicies,dc=foo,dc=bar,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: device
objectClass: pwdPolicyChecker
cn: default
pwdAttribute: userPassword
pwdInHistory: 7
pwdLockout: TRUE
pwdMaxAge: 2592000
pwdMaxFailure: 6
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE

[root@ldap schema]# ldapadd -h ldap1.foo.bar.com -x -D "uid=LDAPMaster,dc=foo,dc=bar,dc=com" -W -f sd_ppolicy.ldif -vv
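
The sudoRole entries from step 20 and the password policy from step 21 are worth auditing before they go live. What follows is an added example, not code from the original post: a minimal LDIF reader (handling the `::` base64 values seen in the files above) that flags risky sudoRole settings and computes how many days a password has left under pwdMaxAge. The LDIF it reads is constructed for the example, and the fixed NOW timestamp is an assumption so the arithmetic is reproducible; a real run would read an ldapsearch export that explicitly requests the operational attribute pwdChangedTime.

```python
"""Audit sudoRole entries and compute password expiry under a pwdPolicy.
Added example, not code from the original post.  SAMPLE_LDIF is constructed
and NOW is pinned so the expiry arithmetic is reproducible."""
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample: one policy, one sudo role, one user.  pwdChangedTime is
# an operational attribute the ppolicy overlay maintains; a real export only
# contains it when it is requested explicitly (e.g. ldapsearch ... '+').
SAMPLE_LDIF = """\
dn: cn=default,ou=pwpolicies,dc=foo,dc=bar,dc=com
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 2592000

dn: cn=administration,ou=SUDOers,dc=foo,dc=bar,dc=com
objectClass: sudoRole
cn: administration
sudoCommand: ALL
sudoCommand: !/usr/sbin/visudo
sudoOption: !authenticate
sudoHost: ldap1.foo.bar.com
sudoRunAs: root
sudoUser: checkit

dn: uid=checkit,o=auth_user,dc=foo,dc=bar,dc=com
objectClass: inetOrgPerson
uid: checkit
mail:: Y2hlY2tpdEBmb28uYmFyLmNvbQ==
pwdChangedTime: 20110301120000Z
"""
NOW = datetime(2011, 3, 8, 14, 34, 35, tzinfo=timezone.utc)  # assumed "now"


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry, attribute names lowercased.

    Covers what the post's files use: 'attr:: value' is base64-encoded (the
    userPassword and mail lines), a leading space folds a line onto the
    previous one, '#' lines are comments and a blank line ends an entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):        # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def object_classes(entry):
    return {o.lower() for o in entry.get("objectclass", [])}


def audit_sudo_role(entry):
    """Findings for one sudoRole entry; an empty list means nothing to flag."""
    findings = []
    cmds = entry.get("sudocommand", [])
    if "ALL" in cmds:
        findings.append("sudoCommand ALL grants every command")
        if any(c.startswith("!") for c in cmds):
            # sudoers(5) documents that '!' exclusions are not a reliable
            # restriction once a user has ALL; prefer an explicit allow list.
            findings.append("ALL combined with '!' exclusions")
    if "!authenticate" in entry.get("sudooption", []):
        findings.append("!authenticate: no password prompt for this role")
    for attr in ("sudohost", "sudouser"):
        if "ALL" in entry.get(attr, []):
            findings.append(f"{attr} is ALL")
    return findings


def days_until_expiry(changed_time, pwd_max_age, now):
    """Days left before a password expires: pwdChangedTime (GeneralizedTime,
    e.g. 20110301120000Z) plus pwdMaxAge seconds; negative means expired."""
    changed = datetime.strptime(changed_time, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return (changed + timedelta(seconds=int(pwd_max_age)) - now).days


def run_sample(ldif_text=SAMPLE_LDIF, now=NOW):
    """Apply both checks to an LDIF export and return the findings."""
    entries = parse_ldif(ldif_text)
    policy = next(e for e in entries if "pwdpolicy" in object_classes(e))
    report = {"sudo": {}, "expiry": {}}
    for e in entries:
        if "sudorole" in object_classes(e):
            report["sudo"][e["cn"][0]] = audit_sudo_role(e)
        if "pwdchangedtime" in e:
            who = e.get("mail", e["uid"])[0]
            report["expiry"][who] = days_until_expiry(
                e["pwdchangedtime"][0], policy["pwdmaxage"][0], now)
    return report


if __name__ == "__main__":
    print(run_sample())
```

On the sample the administration role produces three findings (ALL commands, ALL combined with '!' exclusions, and !authenticate) and the user has 22 days left; the mail address is pulled out of the base64 value the same way a client would decode it, which is also a reminder that `userPassword::` lines are merely base64, not an encrypted form.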

****

22. Uncomment the following section in ppolicy.schema:

( 1.3.6.1.4.1.42.2.27.8.1.23
NAME 'pwdPolicySubentry'
DESC 'The pwdPolicy subentry in effect for this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
USAGE directoryOperation )

****

23. script to check the ldap pwd expiration (with password policy support)

https://ltb-project.org/svn/ldap-scripts/trunk/checkLdapPwdExpiration.sh

****

24. Download Apache Directory Studio for further configuration

Friday, August 26, 2011

OpenLDAP TLS configuration !!

http://mindref.blogspot.com/2010/12/debian-openldap-ssl-tls-encryption.html

http://digiplan.eu.org/ldap-samba-howto-v4.html

http://edoceo.com/liber/network-openldap

Thursday, April 21, 2011

rdiff-backup step by step [Test env]

backup.sh
=========
#!/bin/bash
# Pull a backup of every host in BACKUP_HOSTS over ssh with rdiff-backup,
# then prune increments older than MAXAGE.
BACKUP_HOSTS='server2.example.com'
BACKUP_DIR="/home/backup"
BACKUP_PATH="/"
EXCLUDES="/tmp /var/tmp /var/log /proc /mnt/cdrom /sys /boot /usr /mnt /opt /home"
#INCLUDES="/khan"
#EXCLUDES="**"
EXCLUDE_OPTIONS="--exclude-device-files"
SSH_USER='root'
MAXAGE="1M"
BINARY=/usr/local/bin/rdiff-backup
OTHER_OPTIONS="--print-statistics -v5"
TIMESTAMP=$(date +%m%d_%H%M)   # no space after '=', or bash runs date as a separate command
for i in $EXCLUDES; do
    EXCLUDE_OPTIONS="$EXCLUDE_OPTIONS --exclude $i"
done
OPTIONS="$EXCLUDE_OPTIONS $OTHER_OPTIONS $INCLUDES"
for BACKUP_HOST in $BACKUP_HOSTS; do
    SRC="${SSH_USER}@${BACKUP_HOST}::${BACKUP_PATH}"
    DST="$BACKUP_DIR/${BACKUP_HOST}${BACKUP_PATH}"
    DST="${DST%/}"                 # drop the trailing slash so mv/tar get a clean path
    if [[ -e "$DST" ]]; then
        if [[ -d "$DST" ]]; then
            # test setup: set the previous destination aside and tar that copy
            mv "$DST" "$DST.$TIMESTAMP"
            tar -cvf "$DST.$TIMESTAMP.tar" "$DST.$TIMESTAMP"
        else
            echo "Strange: '$DST' exists, but is not a directory"
            # exit 1
        fi
    else
        mkdir -p "$DST"
        echo "created $DST"
    fi

    # Backup
    echo "Doing this: $BINARY $OPTIONS $SRC $DST"
    echo "Backing up $BACKUP_HOST"
    $BINARY $OPTIONS "$SRC" "$DST"

    # How did it go?
    if [[ $? -eq 0 ]]; then
        # It went well; removing stuff older than MAXAGE
        $BINARY --force --remove-older-than "$MAXAGE" "$DST"
        if [[ $? -eq 0 ]]; then
            echo "Clean-up OK"
        else
            echo "running this failed (during clean-up):"
            echo "$BINARY --force --remove-older-than $MAXAGE $DST"
        fi
    else
        echo "running this failed:"
        echo "$BINARY $OPTIONS $SRC $DST"
    fi
done

config
======
host server2
hostname server2.example.com
user root
identityfile /backup/.ssh/id_rsa
compression yes
cipher blowfish
protocol 2

ssh
===
On the backup server, generate a key pair and lock down the .ssh directory:

ssh-keygen -t rsa

chmod -R go-rwx /backup/.ssh

Copy the public key to the host being backed up:

ssh-copy-id -i ~/.ssh/id_rsa.pub root@server1.example.com

On that host, prefix the key in /root/.ssh/authorized_keys with a forced command, so this key can only run the read-only rdiff-backup server, only from the backup host, and cannot open a shell, forward ports or allocate a tty:

command="rdiff-backup --server --restrict-read-only /",from="backup.example.com",no-port-forwarding,no-X11-forwarding,no-pty

chmod -R go-rwx /root/.ssh

sshd_config on that host must allow public-key authentication:

RSAAuthentication yes
PubkeyAuthentication yes

/etc/init.d/ssh restart

Test with a backup of /boot:

rdiff-backup server1_backup::/boot boot
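
A check for the authorized_keys side of this setup, added here as an example and not part of the original post: it parses each key line, including the quoted command= option that itself contains spaces and commas, and reports which of the restrictions used above a key is missing. The file contents are constructed and the key strings are placeholders, not real key material.

```python
"""Lint an authorized_keys file for keys lacking the restrictions the backup
key carries.  Added example, not from the original post; the sample file is
constructed and 'AAAAplaceholder' stands in for real key material."""

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Every restriction applied to the backup key, lowercased because sshd treats
# option names case-insensitively.
REQUIRED = ("command", "from", "no-port-forwarding", "no-x11-forwarding", "no-pty")

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; 'AAAAplaceholder' stands in for real key material
command="rdiff-backup --server --restrict-read-only /",from="backup.example.com",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAplaceholder1 backup@backup.example.com
ssh-rsa AAAAplaceholder2 admin@laptop
"""


def _split_outside_quotes(text, sep):
    """Split text on sep, ignoring separators inside double quotes
    (command="rdiff-backup --server ..." contains both spaces and commas)."""
    parts, buf, in_quotes = [], "", False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return parts


def parse_line(line):
    """Return {'options', 'key_type', 'key', 'comment'} for one key line,
    or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = [f for f in _split_outside_quotes(line, " ") if f]
    options = {}
    if fields[0] not in KEY_TYPES:          # a leading options field is present
        for opt in _split_outside_quotes(fields.pop(0), ","):
            name, _, value = opt.partition("=")
            options[name.lower()] = value.strip('"')
    key_type, key = fields[0], fields[1]
    comment = " ".join(fields[2:])
    return {"options": options, "key_type": key_type, "key": key, "comment": comment}


def lint(text):
    """Map each key (by its comment, or line number) to the restrictions it lacks."""
    report = {}
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        missing = [r for r in REQUIRED if r not in parsed["options"]]
        report[parsed["comment"] or f"line {n}"] = missing
    return report


if __name__ == "__main__":
    for key, missing in lint(SAMPLE_AUTHORIZED_KEYS).items():
        print(key, "OK" if not missing else "missing: " + ", ".join(missing))
```

Run against the real file on the backed-up host (`python3 lint.py < /root/.ssh/authorized_keys` after swapping the sample for stdin), an unrestricted key such as the second sample line shows up with all five restrictions missing, which is exactly the kind of key that turns a backup credential into a full root shell if the backup server is ever compromised.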

http://ubuntuforums.org/showthread.php?t=791679

Tuesday, April 19, 2011

Rdiff-Backup #bash

http://wiki.rdiff-backup.org/wiki/index.php/ContribScripts

Monday, April 18, 2011

OPIE+SLES



http://www.antionline.com/archive/index.php/t-238351.html

http://administratosphere.wordpress.com/2007/12/13/using-opie-on-fedora-7/

LDAP Step By Step

http://dvm.zapto.org:8080/pyguicms-dev/articles/view/openldap

Thursday, April 14, 2011

Rdiff-backup

http://www.linuxjournal.com/article/10701?page=0,0 [ rdiff incremental]
http://arun121.blogspot.com/2009/10/remote-incremental-backup-with-rdiff.html [ incr backup]
http://www.susethailand.com/suseforum/index.php?topic=1403.0 [suse+rdiff-backup]
http://blog.beyond-syntax.com/2007/10/automatic-backups-using-cron-and-tar/
http://www.linode.com/wiki/index.php/AutomatedRdiffBackup
http://defindit.com/readme_files/ssh.html
http://en.kioskea.net/faq/746-rdiff-backup-making-effective-and-incremental-backups
http://lpi.universe-network.net/doku.php?id=wiki:certification:lpic301

http://dave.thehorners.com/tech-talk/unix-linux-bsd-osx-etc/87-rdiff-backup-remote-incremental-backup
http://library.linode.com/linux-tools/rdiff-backup/
http://drup.org/unattended-rdiff-backup-howto [****]
http://administratosphere.wordpress.com/2007/12/13/using-opie-on-fedora-7/ [opie]
http://www.delta-xi.net/index.php?/archives/16-OTPs-Using-sKey-with-SSH-via-OPIE.html
http://www.spencerstirling.com/computergeek/rsync.html
http://www.rho.cc/index.php/linux2/46-1key/66-how-to-setup-opie-with-pam-on-linux
http://www.antionline.com/showthread.php?t=238351
https://help.ubuntu.com/community/SingleSignOn

RADIUS+OpenLDAP Pointers

http://networking-forum.com/viewtopic.php?f=64&t=20910 [ Radius+OpenLDAP]

http://blog.sgicc.com/ [ Radius+openldap]

ftp://ftp.cult.cu/software/doc_admin_unix/Administracion_Redes/ldap_system_administration/1565924916_ldapsa-chp-8-sect-4.html [oreilly]

http://www.texascollaborative.org/Perez-Matutis%20Module/subtopic_source_files/NOVELL_%20Cool%20Solutions_%20Configuring%20FreeRADIUS%20on%20Open%20Enterprise.pdf

http://www.novell.com/communities/node/12703/howto-openldap-24x-replication-sles11sp1 [ LDAP Replication on SuSE ]

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html [TLS]

http://www.tagelin.com/tips/CentralSignOn/index.jsp [ SSO with KRB5+OpenLDAP ]

http://freeradius.org/radiusd/doc/ldap_howto.txt [ LDAP How-to]


http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html

http://lizards.opensuse.org/2010/11/12/opensuse-11-3sles-11-integrating-freeradius-to-ldap-server/

http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate [ LDAP+SSL]

http://fbq.hamal.nl/index.php/archives/8 [ 2-Factor AUTH+FreeRADIUS]


http://www.watters.ws/mediawiki/index.php/Rdiff-backup_script [ rdiff-script]
http://librsync.sourceforge.net/ [ librsync]
http://download.savannah.gnu.org/releases/rdiff-backup/ [rdiff-tar]
http://www.how2forge.org/linux_rdiff_backup_p2 [automated ssh]
http://wiki.rdiff-backup.org/wiki/index.php/Installations#Concurrent_installation_of_different_versions_of_rdiff-backup
http://www.howtoforge.com/linux_rdiff_backup
http://blog.johnjosephbachir.org/2007/08/07/backing-up-my-home-directory-using-rdiff-backup/
http://idolinux.blogspot.com/2008/11/automate-rdiff-backup.html [ good script]
http://news.softpedia.com/news/Automated-Remote-Backups-with-rdiff-backup-45150.shtml
http://tombuntu.com/index.php/2009/08/22/powerful-remote-incremental-backup-with-rdiff-backup/ [***]
http://ww2.samhart.com/node/120 [***]
http://arstechnica.com/open-source/news/2006/02/linux-20060202.ars/2 [rdiff+incremental]
http://www.debianhelp.co.uk/rdiff.htm [***]
http://lateral.netmanagers.com.ar/stories/26.html [ good script]
http://everydaylht.com/howtos/system-administration/loggin-in-via-ssh-without-a-password/ [***]
http://magicmonster.com/kb/net/ssh/auto_login.html
http://ejohansson.se/articles/system-administration/rdiff-backup/ [***]
http://www.howtoforge.com/linux_rdiff_backup_p2
http://thegrebs.com/docs/rdiff-backup.html [*****]
http://www.clearfoundation.com/docs/howtos/setting_up_radius_to_use_ldap [****]
http://www.clearfoundation.com/docs/howtos/old_freeradius2_howto [****]
http://www.clearfoundation.com/docs/howtos/setting_up_freeradius2_to_use_ldap [****]

http://ubuntu-forums.blogspot.com/2010/06/mobile-otp.html [ Mobile-OTP]

R&D Conf Files on FreeRADIUS+OpenLDAP

slapd.conf
==========
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
#Default needed schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
#Radius include
include /etc/openldap/schema/radius1.schema
#Samba include
#include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
#Use the Berkeley database
database bdb
#dn suffix, domain components read in order
suffix "dc=cisco,dc=com"
checkpoint 1024 15
#root container node defined
rootdn "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {SSHA}IVscQaP3nNN6VeSCSwSxIfLZXThzaZIM
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
# enable monitoring
database monitor
# allow only rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=cisco,dc=com" read
by * none
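
One thing to check in this slapd.conf before using it: the only `access to` directive comes after `database monitor`, so it applies to the monitor backend only, and the bdb database that holds the directory has no ACL at all. slapd.access(5) states that with no access controls the default policy is `access to * by * read`, so anonymous clients can read every attribute, userPassword hashes included. The following is an added example, not code from the post: it parses a slapd.conf and reports databases left on that default. SAMPLE_CONF is a constructed copy of the relevant directives above, and HARDENED_CONF shows the same layout with ACLs that restrict userPassword to auth-only access.

```python
"""Report slapd.conf databases that carry no 'access to' directive and so fall
back to slapd's default policy ('access to * by * read').
Added example, not from the original post.  SAMPLE_CONF is a constructed copy
of the relevant directives from the slapd.conf above; HARDENED_CONF is the same
layout with ACLs added on the bdb database."""

SAMPLE_CONF = """\
include /etc/openldap/schema/core.schema
allow bind_v2
database bdb
suffix "dc=cisco,dc=com"
rootdn "cn=Manager,dc=cisco,dc=com"
directory /var/lib/ldap
database monitor
access to *
    by dn.exact="cn=Manager,dc=cisco,dc=com" read
    by * none
"""

# Hardened version: placed right after 'database bdb' these ACLs apply to the
# directory data.  'auth' lets a bind verify the password without reading it.
HARDENED_CONF = """\
database bdb
suffix "dc=cisco,dc=com"
rootdn "cn=Manager,dc=cisco,dc=com"
directory /var/lib/ldap
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
database monitor
access to *
    by dn.exact="cn=Manager,dc=cisco,dc=com" read
    by * none
"""


def parse_databases(conf_text):
    """Return (global_acls, databases).  An 'access' directive before any
    'database' line is global; after one it belongs to that database."""
    global_acls, databases, current = [], [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        directive, arg = directive.lower(), arg.strip()
        if directive == "database":
            current = {"type": arg, "suffix": "", "acls": []}
            databases.append(current)
        elif directive == "suffix" and current is not None:
            current["suffix"] = arg.strip('"')
        elif directive == "access":
            (global_acls if current is None else current["acls"]).append(arg)
    return global_acls, databases


def unprotected_databases(conf_text):
    """Databases left on the default policy: no ACL of their own and no
    global ACL to fall back on."""
    global_acls, databases = parse_databases(conf_text)
    if global_acls:
        return []
    return [f'{db["type"]} {db["suffix"]}'.strip() for db in databases if not db["acls"]]


def password_attr_guarded(conf_text):
    """True when some ACL is scoped to userPassword, which is what keeps the
    hash from being handed out under a broad 'access to *'."""
    global_acls, databases = parse_databases(conf_text)
    every_acl = global_acls + [a for db in databases for a in db["acls"]]
    return any("userpassword" in acl.lower() for acl in every_acl)


if __name__ == "__main__":
    for name, conf in (("as posted", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, unprotected_databases(conf), password_attr_guarded(conf))
```

The posted layout reports the bdb database as unprotected and no userPassword ACL; the hardened layout reports neither. The `by * read` catch-all in HARDENED_CONF is what NSS/PAM clients that bind anonymously usually need; if every client binds with a DN it can be tightened to `by users read`.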

radiusd.conf
============
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id$
##

######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".

######################################################################
#
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See "man radiusd.conf" for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that "man" page. They are only documented here,
# in the comments.
#
# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the "authorize", "authenticate", "accounting", etc. sections.
# See "man unlang" for details.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#
# name of the running server. See also the "-n" command-line option.
name = radiusd

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/lib/freeradius

# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid

# chroot: directory where the server does "chroot".
#
# The chroot is done very early in the process of starting the server.
# After the chroot has been performed it switches to the "user" listed
# below (which MUST be specified). If "group" is specified, it switches
# to that group, too. Any other groups listed for the specified "user"
# in "/etc/group" are also added as part of this process.
#
# The current working directory (chdir / cd) is left *outside* of the
# chroot until all of the modules have been initialized. This allows
# the "raddb" directory to be left outside of the chroot. Once the
# modules have been initialized, it does a "chdir" to ${logdir}. This
# means that it should be impossible to break out of the chroot.
#
# If you are worried about security issues related to this use of chdir,
# then simply ensure that the "raddb" directory is inside of the chroot,
# and be sure to do "cd raddb" BEFORE starting the server.
#
# If the server is statically linked, then the only files that have
# to exist in the chroot are ${run_dir} and ${logdir}. If you do the
# "cd raddb" as discussed above, then the "raddb" directory has to be
# inside of the chroot directory, too.
#
#chroot = /path/to/chroot/directory

# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root ( or have root privileges ) to start the server.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to radius'.
#
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in daemon mode, it may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
#
# The server will also try to use "initgroups" to read /etc/groups.
# It will join all groups where "user" is a member. This can allow
# for some finer-grained access controls.
#
user = radiusd
group = radiusd

# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30

# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as separate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5

# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 1024

# listen: Make the server listen on a particular IP address, and send
# replies out from that address. This directive is most useful for
# hosts with multiple IP addresses on one interface.
#
# If you want the server to listen on additional addresses, or on
# additional ports, you can use multiple "listen" sections.
#
# Each section makes the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignores all "listen" sections if you are using '-i' and '-p'
# on the command line.
#
listen {
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy IP to use for sending proxied packets
# detail Read from the detail file. For examples, see
# raddb/sites-available/copy-acct-to-home-server
#
type = auth

# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
# * Only ONE proxy listener can be defined.
# * A proxy listener CANNOT be used in a virtual server section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.

# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
ipaddr = *

# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost

# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 0

# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0

# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of "per_socket_clients".
#
# clients = per_socket_clients
}

# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = *
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
}

# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no

# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no

# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes

#
# Logging section. The various "log_*" configuration items
# will eventually be moved here.
#
log {
#
# Destination for log messages. This can be one of:
#
# files - log to "file", as defined below.
# syslog - to syslog (see also the "syslog_facility", below).
# stdout - standard output
# stderr - standard error.
#
# The command-line option "-X" over-rides this option, and forces
# logging to go to stdout.
#
destination = files

#
# The logging messages for the server are appended to the
# tail of this file if destination == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
#
file = ${logdir}/radius.log

#
# If this configuration parameter is set, then log messages for
# a *request* go to this file, rather than to radius.log.
#
# i.e. This is a log file per request, once the server has accepted
# the request as being from a valid client. Messages that are
# not associated with a request still go to radius.log.
#
# Not all log messages in the server core have been updated to use
# this new internal API. As a result, some messages will still
# go to radius.log. Please submit patches to fix this behavior.
#
# The file name is expanded dynamically. You should ONLY use
# server-side attributes for the filename (e.g. things you control).
# Using this feature MAY also slow down the server substantially,
# especially if you do things like SQL calls as part of the
# expansion of the filename.
#
# The name of the log file should use attributes that don't change
# over the lifetime of a request, such as User-Name,
# Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
# messages will be distributed over multiple files.
#
# Logging can be enabled for an individual request by a special
# dynamic expansion macro: %{debug: 1}, where the debug level
# for this request is set to '1' (or 2, 3, etc.). e.g.
#
# ...
# update control {
# Tmp-String-0 = "%{debug:1}"
# }
# ...
#
# The attribute that the value is assigned to is unimportant,
# and should be a "throw-away" attribute with no side effects.
#
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log

#
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You probably
# don't want to change this.
#
syslog_facility = daemon

# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = no

# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = no

# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no
}
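A quick check against the log section above, added here as an example and not part of the FreeRADIUS configuration or of this post: with `auth = yes` every Access-Request outcome lands in radius.log, and with `auth_badpass` and `auth_goodpass` left at `no` the credential field is a placeholder rather than the password. The script tallies "Login incorrect" lines per RADIUS client (the short name from `clients.conf`), lists clients over a threshold, and checks that no line carries a password. The sample lines are constructed for this example and follow the FreeRADIUS 2.x "Auth:" line layout as an assumption; check the field positions against your own radius.log before relying on them.

```shell
#!/bin/sh
# Added example, not part of the FreeRADIUS configuration above: tally failed
# logins per RADIUS client from radius.log lines written with "auth = yes",
# and confirm that no line carries a password (auth_badpass/auth_goodpass = no).
#
# The sample lines are CONSTRUCTED for this example.  They follow the
# FreeRADIUS 2.x "Auth:" line layout as an assumption; check the field
# positions against your own radius.log before relying on them.
SAMPLE_LOG='Tue Oct 18 10:00:01 2011 : Auth: Login OK: [alice/<via Auth-Type = PAP>] (from client nas1 port 1)
Tue Oct 18 10:00:02 2011 : Auth: Login incorrect: [bob/<via Auth-Type = PAP>] (from client nas1 port 2)
Tue Oct 18 10:00:03 2011 : Auth: Login incorrect: [bob/<via Auth-Type = PAP>] (from client nas1 port 2)
Tue Oct 18 10:00:04 2011 : Auth: Login incorrect: [carol/<CHAP-Password>] (from client nas2 port 7)
Tue Oct 18 10:00:05 2011 : Auth: Login incorrect: [bob/<via Auth-Type = PAP>] (from client nas1 port 2)
Tue Oct 18 10:00:06 2011 : Info: Ready to process requests.'

# Read radius.log on stdin; print "<client> <failures>", most failures first.
failed_logins_by_client() {
    awk '
        /: Auth: Login incorrect: / {
            # the client short name follows "(from client " (13 characters)
            if (match($0, /\(from client [^ ]+/)) {
                client = substr($0, RSTART + 13, RLENGTH - 13)
                fails[client]++
            }
        }
        END { for (c in fails) print c, fails[c] }
    ' | sort -k2,2nr -k1,1
}

# Read radius.log on stdin; print the clients with at least $1 failures
# (default 3), one per line.
clients_over_threshold() {
    threshold="${1:-3}"
    failed_logins_by_client | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Read radius.log on stdin; succeed (exit 0) only if no Auth line carries a
# password.  With both auth_*pass settings at "no" the credential field is
# "<via Auth-Type = ...>" or "<CHAP-Password>", so anything after "user/" that
# does not start with "<" is a logged secret.
no_passwords_logged() {
    ! grep -E ': Auth: Login (OK|incorrect): \[[^/]*/[^<]' >/dev/null
}

printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_client
printf '%s\n' "$SAMPLE_LOG" | clients_over_threshold 3
printf '%s\n' "$SAMPLE_LOG" | no_passwords_logged && echo "no passwords in log"
```

Run it against the real file with `failed_logins_by_client < /var/log/radius/radius.log`; the `no_passwords_logged` check is the one worth wiring into a cron job, since a debugging session that flips `auth_badpass = yes` and is never reverted leaves near-miss passwords in a world-readable log.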

# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200

#
# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a users password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1

#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept or Accounting-Response packet.
#
# This is mainly useful for administrators who want to "ping"
# the server, without adding test users, or creating fake
# accounting packets.
#
# It's also useful when a NAS marks a RADIUS server "dead".
# The NAS can periodically "ping" the server with a Status-Server
# packet. If the server responds, it must be alive, and the
# NAS can start using it for real requests.
#
status_server = yes
}
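The log { } and security { } knobs above are the ones that most often get loosened "temporarily" and never put back, so here is a small lint for them, added as an example and not part of the shipped radiusd.conf or of this post. It strips comments first, so the commentary that ships in the file cannot trigger a finding, and then reports password logging, an unbounded `max_attributes`, and a zero `reject_delay`. The two configuration fragments it writes are constructed for the demonstration (one weak, one as shipped) and are not files from any real installation.

```shell
#!/bin/sh
# Added example (not from the FreeRADIUS distribution): lint the log { } and
# security { } items of a radiusd.conf for the weak settings discussed above.
# Comments are stripped first so the shipped commentary ("auth_badpass - logs
# password if it's rejected") cannot trigger a finding.

# Print one finding per weak setting in the radiusd.conf named by $1.
# Prints nothing when the file is clean.  The last assignment to a key wins,
# which matches how a flat "key = value" file reads.
audit_radiusd_conf() {
    sed 's/#.*//' "$1" | awk '
        $0 ~ /^[ \t]*[A-Za-z_]+[ \t]*=[ \t]*[^ \t]/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            key = line; sub(/[ \t]*=.*/, "", key)
            val = line; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            seen[key] = val
        }
        END {
            if (seen["auth_goodpass"] == "yes")
                print "auth_goodpass = yes: accepted passwords are written to radius.log"
            if (seen["auth_badpass"] == "yes")
                print "auth_badpass = yes: rejected passwords (often typos of real ones) are written to radius.log"
            if (seen["max_attributes"] == "0")
                print "max_attributes = 0: no cap on attributes per packet, memory exhaustion risk"
            if (seen["reject_delay"] == "0")
                print "reject_delay = 0: Access-Reject sent at once, no brake on password guessing"
        }'
}

# Constructed radiusd.conf fragments for the demonstration (not real files).
write_weak_conf() {
    cat > "$1" <<'EOF'
log {
    destination = files
    file = ${logdir}/radius.log
    auth = yes
    auth_badpass = yes    # "helpful" while debugging, a credential leak in production
    auth_goodpass = yes
}
security {
    max_attributes = 0
    reject_delay = 0
    status_server = yes
}
EOF
}

write_hardened_conf() {
    cat > "$1" <<'EOF'
log {
    destination = files
    file = ${logdir}/radius.log
    auth = yes
    auth_badpass = no
    auth_goodpass = no
}
security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
}
EOF
}

tmp_weak="$(mktemp)"; tmp_good="$(mktemp)"
write_weak_conf "$tmp_weak"; write_hardened_conf "$tmp_good"
echo "== weak =="; audit_radiusd_conf "$tmp_weak"
echo "== hardened =="; audit_radiusd_conf "$tmp_good"
rm -f "$tmp_weak" "$tmp_good"
```

`audit_radiusd_conf /etc/raddb/radiusd.conf` is the real invocation. The lint deliberately reads only one file: items set in an `$INCLUDE`d file are not followed, so if your site moves `log { }` or `security { }` out of radiusd.conf, point the script at that file too.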

# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE proxy.conf


# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#

# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'clients' or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE clients.conf


# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 5

# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT to keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 32

# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10

# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# for an example.
#

#
# As of 2.0.5, most of the module configurations are in a
# sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
# are loaded. The modules are initialized ONLY if they are
# referenced in a processing section, such as authorize,
# authenticate, accounting, pre/post-proxy, etc.
#
$INCLUDE ${confdir}/modules/

# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE eap.conf

# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
$INCLUDE sql.conf

#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining separate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the radacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
$INCLUDE sql/mysql/counter.conf
#$INCLUDE sql/postgresql/counter.conf

#
# IP addresses managed in an SQL table.
#
#$INCLUDE sqlippool.conf

# OTP token support. Not included by default.
# $INCLUDE otp.conf

}

# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec

#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# So the module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
expr

#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
expiration
logintime

# subsections here can be thought of as "virtual" modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#
#redundant redundant_sql {
# sql1
# sql2
#}
}

######################################################################
#
# Policies that can be applied in multiple places are listed
# globally. That way, they can be defined once, and referred
# to multiple times.
#
######################################################################
$INCLUDE policy.conf

######################################################################
#
# As of 2.0.0, the "authorize", "authenticate", etc. sections
# are in separate configuration files, per virtual host.
#
######################################################################

######################################################################
#
# Include all enabled virtual hosts.
#
# The following directory is searched for files that match
# the regex:
#
# /[a-zA-Z0-9_.]+/
#
# The files are then included here, just as if they were cut
# and pasted into this file.
#
# See "sites-enabled/default" for some additional documentation.
#
$INCLUDE sites-enabled/

radius.schema
-------------
objectIdentifier myOID 1.1
objectIdentifier mySNMP myOID:1
objectIdentifier myLDAP myOID:2
objectIdentifier myRadiusFlag myLDAP:1
objectIdentifier myObjectClass myLDAP:2

attributetype
( myRadiusFlag:1
NAME 'radiusAscendRouteIP'
DESC 'Ascend VSA Route IP'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( myRadiusFlag:2
NAME 'radiusAscendIdleLimit'
DESC 'Ascend VSA Idle Limit'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( myRadiusFlag:3
NAME 'radiusAscendLinkCompression'
DESC 'Ascend VSA Link Compression'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( myRadiusFlag:4
NAME 'radiusAscendAssignIPPool'
DESC 'Ascend VSA AssignIPPool'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)


attributetype
( myRadiusFlag:5
NAME 'radiusAscendMetric'
DESC 'Ascend VSA Metric'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

#################################################

attributetype
( 1.3.6.1.4.1.3317.4.3.1.1
NAME 'radiusArapFeatures'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.2
NAME 'radiusArapSecurity'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.3
NAME 'radiusArapZoneAccess'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.44
NAME 'radiusAuthType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.4
NAME 'radiusCallbackId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.5
NAME 'radiusCallbackNumber'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.6
NAME 'radiusCalledStationId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.7
NAME 'radiusCallingStationId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.8
NAME 'radiusClass'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.45
NAME 'radiusClientIPAddress'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.9
NAME 'radiusFilterId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.10
NAME 'radiusFramedAppleTalkLink'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.11
NAME 'radiusFramedAppleTalkNetwork'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.12
NAME 'radiusFramedAppleTalkZone'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.13
NAME 'radiusFramedCompression'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.14
NAME 'radiusFramedIPAddress'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.15
NAME 'radiusFramedIPNetmask'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.16
NAME 'radiusFramedIPXNetwork'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.17
NAME 'radiusFramedMTU'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.18
NAME 'radiusFramedProtocol'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.19
NAME 'radiusFramedRoute'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.20
NAME 'radiusFramedRouting'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.46
NAME 'radiusGroupName'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.47
NAME 'radiusHint'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.48
NAME 'radiusHuntgroupName'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.21
NAME 'radiusIdleTimeout'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.22
NAME 'radiusLoginIPHost'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.23
NAME 'radiusLoginLATGroup'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.24
NAME 'radiusLoginLATNode'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.25
NAME 'radiusLoginLATPort'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.26
NAME 'radiusLoginLATService'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.27
NAME 'radiusLoginService'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.28
NAME 'radiusLoginTCPPort'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.29
NAME 'radiusPasswordRetry'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.30
NAME 'radiusPortLimit'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.49
NAME 'radiusProfileDn'
DESC ''
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.31
NAME 'radiusPrompt'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.50
NAME 'radiusProxyToRealm'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.51
NAME 'radiusReplicateToRealm'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.52
NAME 'radiusRealm'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.32
NAME 'radiusServiceType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.33
NAME 'radiusSessionTimeout'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.34
NAME 'radiusTerminationAction'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.35
NAME 'radiusTunnelAssignmentId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.36
NAME 'radiusTunnelMediumType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.37
NAME 'radiusTunnelPassword'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.38
NAME 'radiusTunnelPreference'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.39
NAME 'radiusTunnelPrivateGroupId'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.40
NAME 'radiusTunnelServerEndpoint'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.41
NAME 'radiusTunnelType'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.42
NAME 'radiusVSA'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.43
NAME 'radiusTunnelClientEndpoint'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)


#need to change asn1.id
attributetype
( 1.3.6.1.4.1.3317.4.3.1.53
NAME 'radiusSimultaneousUse'
DESC ''
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.54
NAME 'radiusLoginTime'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.55
NAME 'radiusUserCategory'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.56
NAME 'radiusStripUserName'
DESC ''
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.57
NAME 'dialupAccess'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.58
NAME 'radiusExpiration'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.59
NAME 'radiusCheckItem'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)

attributetype
( 1.3.6.1.4.1.3317.4.3.1.60
NAME 'radiusReplyItem'
DESC ''
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)


objectclass
( 1.3.6.1.4.1.3317.4.3.2.1
NAME 'radiusprofile'
SUP top AUXILIARY
DESC ''
MUST ( uid )
MAY ( userPassword $
radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
radiusCalledStationId $ radiusCallingStationId $ radiusClass $
radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $
radiusFramedCompression $ radiusFramedIPAddress $
radiusFramedIPNetmask $ radiusFramedIPXNetwork $
radiusFramedMTU $ radiusFramedProtocol $
radiusCheckItem $ radiusReplyItem $
radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $
radiusGroupName $ radiusHint $ radiusHuntgroupName $
radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $
radiusPortLimit $ radiusPrompt $ radiusProfileDn $ radiusProxyToRealm $
radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
radiusSessionTimeout $ radiusSimultaneousUse $ radiusStripUserName $
radiusTerminationAction $ radiusTunnelAssignmentId $
radiusTunnelClientEndpoint $ radiusTunnelMediumType $
radiusTunnelPassword $ radiusTunnelPreference $
radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
radiusTunnelType $ radiusUserCategory $ radiusVSA $
radiusExpiration $ dialupAccess $
radiusAscendRouteIP $ radiusAscendIdleLimit $
radiusAscendLinkCompression $
radiusAscendAssignIPPool $ radiusAscendMetric )
)
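Before loading a schema like the one above into slapd it is worth a mechanical pass over it: the Ascend attributes hang off `objectIdentifier myOID 1.1`, the file's own "#need to change asn1.id" note says the OIDs still need a real arc, and a long MAY list is easy to get wrong by hand. The checker below is added as an example and is not part of radius.schema, FreeRADIUS or this post. It flattens each attributetype/objectclass definition onto one line, resolves the objectIdentifier macros, and reports OIDs or NAMEs defined twice, attributes repeated in a MAY list, MAY members that were never defined earlier in the file (slapd also needs them defined first; `uid` and `userPassword` are core attributes and are allow-listed), and OIDs still under the 1.1 placeholder arc. The mini-schema it writes is constructed for the demonstration and deliberately seeded with each of those problems.

```shell
#!/bin/sh
# Added example, not part of radius.schema or FreeRADIUS: check an OpenLDAP
# schema file like the one above before loading it into slapd.  Reports OIDs
# or NAMEs defined twice, attributes listed twice in an objectclass MAY list,
# MAY members never defined earlier in the file (uid/userPassword are core
# attributes and allow-listed), and OIDs still under the "1.1" placeholder
# arc that the schema's "#need to change asn1.id" note refers to.

# One definition per line: comments dropped, whitespace squeezed and the
# objectIdentifier macros (myOID, myLDAP, ...) resolved to dotted OIDs.
flatten_schema() {
    sed 's/#.*//' "$1" | awk '
        $1 == "objectIdentifier" {              # objectIdentifier name value[:sub]
            v = $3; split(v, p, ":")
            if (p[1] in macro) v = macro[p[1]] "." p[2]
            macro[$2] = v; next
        }
        /^[ \t]*(attribute[tT]ype|object[cC]lass)/ { buf = ""; collecting = 1 }
        collecting {
            buf = buf " " $0
            n = gsub(/\(/, "(", buf); m = gsub(/\)/, ")", buf)
            if (n > 0 && n == m) {                # parentheses balanced: definition complete
                gsub(/\(/, " ( ", buf); gsub(/\)/, " ) ", buf)
                gsub(/[ \t]+/, " ", buf); sub(/^ /, "", buf)
                split(buf, w, " "); oid = w[3]; split(oid, p, ":")
                if (p[1] in macro) sub(/\( [^ ]+/, "( " macro[p[1]] "." p[2], buf)
                print buf; collecting = 0
            }
            next
        }'
}

# Duplicate OIDs/NAMEs and placeholder OIDs in the schema file named by $1.
schema_definitions_check() {
    flatten_schema "$1" | awk -v q="'" '
        {
            oid = $3; name = "?"
            if (match($0, "NAME " q "[^" q "]*" q)) name = substr($0, RSTART + 6, RLENGTH - 7)
            if (oid in by_oid) print "duplicate OID " oid ": " by_oid[oid] " and " name
            else by_oid[oid] = name
            if (name in by_name) print "duplicate NAME " name ": " by_name[name] " and " oid
            else by_name[name] = oid
            if (oid ~ /^1\.1(\.|$)/) print "placeholder OID " oid " on " name ": register your own arc"
        }'
}

# Duplicate or undefined members of every objectclass MAY list in $1.
schema_may_check() {
    flatten_schema "$1" | awk -v q="'" '
        BEGIN { core["uid"] = 1; core["userPassword"] = 1 }
        {
            name = "?"
            if (match($0, "NAME " q "[^" q "]*" q)) name = substr($0, RSTART + 6, RLENGTH - 7)
        }
        $1 ~ /^attribute[tT]ype$/ { defined[name] = 1; next }
        $1 ~ /^object[cC]lass$/ && match($0, /MAY \( [^)]*\)/) {
            n = split(substr($0, RSTART + 6, RLENGTH - 8), m, "$")   # strip "MAY ( " and " )"
            split("", seen)
            for (i = 1; i <= n; i++) {
                a = m[i]; gsub(/ /, "", a)
                if (a in seen) print "duplicate MAY member " a " in " name
                else if (!(a in defined) && !(a in core)) print "undefined MAY member " a " in " name
                seen[a] = 1
            }
        }'
}

# Constructed mini-schema for the demonstration, seeded with a 1.1-rooted
# macro arc, a reused OID, and a MAY list with a repeated and an undefined member.
write_sample_schema() {
    cat > "$1" <<'EOF'
objectIdentifier myOID 1.1
objectIdentifier myLDAP myOID:2
objectIdentifier myRadiusFlag myLDAP:1

attributetype ( myRadiusFlag:1 NAME 'radiusAscendRouteIP'
    EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout'
    EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype
    (1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusPortLimit'   # OID reused by mistake
    EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' SUP top AUXILIARY
    MUST ( uid )
    MAY ( userPassword $ radiusIdleTimeout $ radiusPortLimit $
          radiusIdleTimeout $ radiusAscendRouteIP $ radiusExpiration ) )
EOF
}

f="$(mktemp)"; write_sample_schema "$f"
schema_definitions_check "$f"
schema_may_check "$f"
rm -f "$f"
```

Point `schema_definitions_check` and `schema_may_check` at the real radius.schema once it is on disk; anything they print is worth fixing before `slaptest` or a slapd restart tells you the same thing less clearly.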

inner-tunnel
------------
# -*- text -*-
######################################################################
#
# This is a virtual server that handles *only* inner tunnel
# requests for EAP-TTLS and PEAP types.
#
# $Id$
#
######################################################################

server inner-tunnel {

#
# Un-comment the next section to perform test on the inner tunnel
# without needing an outer tunnel session. The tests will not be
# exactly the same as when TTLS or PEAP are used, but they will
# be close enough for many tests.
#
#listen {
# ipaddr = 127.0.0.1
# port = 18120
# type = auth
#}


# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap

#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap

#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module, above.
#
unix

#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS

#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
# Note that proxying the inner tunnel authentication means
# that the user MAY use one identity in the outer session
# (e.g. "anonymous"), and a different one here
# (e.g. "user@example.com"). The inner session will then be
# proxied elsewhere for authentication. If you are not
# careful, this means that the user can cause you to forward
# the authentication to another RADIUS server, and have the
# accounting logs *not* sent to the other server. This makes
# it difficult to bill people for their network activity.
#
suffix
# ntdomain

#
# The "suffix" module takes care of stripping the domain
# (e.g. "@example.com") from the User-Name attribute, and the
# next few lines ensure that the request is not proxied.
#
# If you want the inner tunnel request to be proxied, delete
# the next few lines.
#
update control {
Proxy-To-Realm := LOCAL
}

#
# This module takes care of EAP-MSCHAPv2 authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
eap {
ok = return
}

#
# Read the 'users' file
files

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
# sql

#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, then un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd

#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap

#
# Enforce daily limits on time spent logged in.
# daily

#
# Use the checkval module
# checkval

expiration
logintime

#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap
}


# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#

# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}

#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
# Pluggable Authentication Modules.
# pam

#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
Auth-Type LDAP {
ldap
}

#
# Allow EAP authentication.
eap
}

######################################################################
#
# There are no accounting requests inside of EAP-TTLS or PEAP
# tunnels.
#
######################################################################


# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp

#
# See "Simultaneous Use Checking Queries" in sql.conf
# sql
}


# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Note that we do NOT assign IP addresses here.
# If you try to assign IP addresses for EAP authentication types,
# it WILL NOT WORK. You MUST use DHCP.

#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
# reply_log

#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
# sql

#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap

#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
attr_filter.access_reject
}

#
# The example policy below updates the outer tunnel reply
# (usually Access-Accept) with the User-Name from the inner
# tunnel User-Name. Since this section is processed in the
# context of the inner tunnel, "request" here means "inner
# tunnel request", and "outer.reply" means "outer tunnel
# reply attributes".
#
# This example is most useful when the outer session contains
# a User-Name of "anonymous@....", or a MAC address. If it
# is enabled, the NAS SHOULD use the inner tunnel User-Name
# in subsequent accounting packets. This makes it easier to
# track user sessions, as they will all be based on the real
# name, and not on "anonymous".
#
# The problem with doing this is that it ALSO exposes the
# real user name to any intermediate proxies. People use
# "anonymous" identifiers outside of the tunnel for a very
# good reason: it gives them more privacy. Setting the reply
# to contain the real user name removes ALL privacy from
# their session.
#
# If you want privacy to remain, see the
# Chargeable-User-Identity attribute from RFC 4372. In order
# to use that attribute, you will have to allocate a
# per-session identifier for the user, and store it in a
# long-term database (e.g. SQL). You should also use that
# attribute INSTEAD of the configuration below.
#
#update outer.reply {
# User-Name = "%{request:User-Name}"
#}

}

#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite

# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files

# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy

# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}

#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {

# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log

# attr_rewrite

# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy

#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap

#
# If the server tries to proxy a request and fails, then the
# request is processed through the modules in this section.
#
# The main use of this section is to permit robust proxying
# of accounting packets. The server can be configured to
# proxy accounting packets as part of normal processing.
# Then, if the home server goes down, accounting packets can
# be logged to a local "detail" file, for processing with
# radrelay. When the home server comes back up, radrelay
# will read the detail file, and send the packets to the
# home server.
#
# With this configuration, the server always responds to
# Accounting-Requests from the NAS, but only writes
# accounting packets to disk if the home server is down.
#
# Post-Proxy-Type Fail {
# detail
# }

}

} # inner-tunnel server block
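
The comment above recommends a Chargeable-User-Identity instead of copying the inner User-Name into the outer reply. The Python below is an added illustration, not part of FreeRADIUS or of this configuration: it allocates a random per-session identifier and keeps the identifier-to-user mapping in a small sqlite table (an assumption standing in for the "long-term database" the comment mentions), so the home server can still tie accounting records back to the real user while any proxy between NAS and home server sees only an opaque value.

```python
"""Chargeable-User-Identity (RFC 4372) in place of leaking the inner User-Name.

Added example, not part of FreeRADIUS or the configuration above. Assumptions
(not from the page): a session identifier is 16 random bytes, hex encoded, and
the mapping lives in an sqlite table standing in for the long-term database.
"""
import secrets
import sqlite3
from typing import Optional, Tuple


class CuiStore:
    """Allocates opaque per-session identifiers and remembers who they belong to."""

    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS cui ("
            "cui TEXT PRIMARY KEY, inner_user TEXT NOT NULL, "
            "outer_user TEXT NOT NULL, "
            "allocated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)"
        )

    def allocate(self, inner_user: str, outer_user: str) -> str:
        """New random identifier for this session; nothing about the user is encoded in it."""
        cui = secrets.token_hex(16)
        self.db.execute(
            "INSERT INTO cui (cui, inner_user, outer_user) VALUES (?, ?, ?)",
            (cui, inner_user, outer_user),
        )
        self.db.commit()
        return cui

    def resolve(self, cui: str) -> Optional[Tuple[str, str]]:
        """Map an identifier seen in accounting back to (inner_user, outer_user)."""
        row = self.db.execute(
            "SELECT inner_user, outer_user FROM cui WHERE cui = ?", (cui,)
        ).fetchone()
        return (row[0], row[1]) if row else None


def outer_reply(inner_user: str, outer_user: str, store: CuiStore) -> dict:
    """Attributes for the outer Access-Accept.

    Compare with the commented-out 'update outer.reply' block: the outer
    User-Name stays as the NAS sent it (e.g. anonymous@realm) and only the
    opaque CUI is added, so proxies learn nothing about the real identity.
    """
    return {
        "User-Name": outer_user,
        "Chargeable-User-Identity": store.allocate(inner_user, outer_user),
    }
```

Each call to outer_reply produces a fresh identifier, so two sessions of the same user are not linkable by a proxy either; the home server correlates them through resolve().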

initial.conf
------------
dn: dc=cisco,dc=com
objectClass: dcobject
objectClass: organization
o: cisco
dc: cisco

dn: ou=people,dc=cisco,dc=com
objectClass: organizationalunit
ou: people
description: people

dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user John
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg

final.ldif
----------
dn: dc=cisco,dc=com
objectClass: dcObject
objectClass: organization
o: cisco
dc: cisco
structuralObjectClass: organization
entryUUID: 323ab006-fa2b-102f-961c-95d3a39a08a4
creatorsName: cn=Manager,dc=cisco,dc=com
createTimestamp: 20110413150521Z
entryCSN: 20110413150521.364536Z#000000#000#000000
modifiersName: cn=Manager,dc=cisco,dc=com
modifyTimestamp: 20110413150521Z

dn: ou=people,dc=cisco,dc=com
objectClass: organizationalUnit
ou: people
description: people
structuralObjectClass: organizationalUnit
entryUUID: 323b614a-fa2b-102f-961d-95d3a39a08a4
creatorsName: cn=Manager,dc=cisco,dc=com
createTimestamp: 20110413150521Z
entryCSN: 20110413150521.369082Z#000000#000#000000
modifiersName: cn=Manager,dc=cisco,dc=com
modifyTimestamp: 20110413150521Z

dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user John
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword:: Z2dzZw==
structuralObjectClass: inetOrgPerson
entryUUID: 323b9ec6-fa2b-102f-961e-95d3a39a08a4
creatorsName: cn=Manager,dc=cisco,dc=com
createTimestamp: 20110413150521Z
entryCSN: 20110413150521.370657Z#000000#000#000000
modifiersName: cn=Manager,dc=cisco,dc=com
modifyTimestamp: 20110413150521Z

dn: uid=crazy,ou=People,dc=cisco,dc=com
uid: crazy
cn: crazy
sn: crazy
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
userPassword:: e2NyeXB0fSQyYSQxMCQ1NUhLY3d0bG9Md0VWN2ZnSWZyWnQuamh1WTB5OFZxNE9
 UU3Fydnl5c2dERkQvbUZiMXllNg==
shadowLastChange: 15077
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1405
gidNumber: 100
homeDirectory: /home/crazy
structuralObjectClass: inetOrgPerson
entryUUID: bacdf62a-fa2c-102f-961f-95d3a39a08a4
creatorsName: cn=Manager,dc=cisco,dc=com
createTimestamp: 20110413151619Z
entryCSN: 20110413151619.996583Z#000000#000#000000
modifiersName: cn=Manager,dc=cisco,dc=com
modifyTimestamp: 20110413151619Z

dn: uid=stan,ou=People,dc=cisco,dc=com
uid: stan
cn: stan
sn: stan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
userPassword:: e2NyeXB0fSQyYSQxMCQ1NUhLY3d0bG9Md0VWN2ZnSWZyWnQuamh1WTB5OFZxNE9
 UU3Fydnl5c2dERkQvbUZiMXllNg==
userPassword:: Z2dzZw==
shadowLastChange: 15077
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1405
gidNumber: 100
homeDirectory: /home/stan
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
structuralObjectClass: inetOrgPerson
entryUUID: 7961e7cc-fa2d-102f-9620-95d3a39a08a4
creatorsName: cn=Manager,dc=cisco,dc=com
createTimestamp: 20110413152139Z
entryCSN: 20110413152139.733252Z#000000#000#000000
modifiersName: cn=Manager,dc=cisco,dc=com
modifyTimestamp: 20110413152139Z

dn: uid=dipu,ou=People,dc=cisco,dc=com
uid: dipu
cn: dipu
sn: dipu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
userPassword:: e2NyeXB0fSQyYSQxMCQ1NUhLY3d0bG9Md0VWN2ZnSWZyWnQuamh1WTB5OFZxNE9
 UU3Fydnl5c2dERkQvbUZiMXllNg==
userPassword:: Z2dzZw==
shadowLastChange: 15077
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1405
gidNumber: 100
homeDirectory: /home/dipu
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
structuralObjectClass: inetOrgPerson
entryUUID: a2ebe470-fa2e-102f-9621-95d3a39a08a4
creatorsName: cn=Manager,dc=cisco,dc=com
createTimestamp: 20110413152958Z
entryCSN: 20110413152958.920877Z#000000#000#000000
modifiersName: cn=Manager,dc=cisco,dc=com
modifyTimestamp: 20110413152958Z

dn: uid=suman,ou=People,dc=cisco,dc=com
uid: suman
cn: suman
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
userPassword:: e1NTSEF9VEpybEFuNDZDWG0rblNKbTltbWV0NTdPNjhMMWVHMXc=
userPassword:: Z2dzZw==
shadowLastChange: 15077
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1406
gidNumber: 100
homeDirectory: /home/suman
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
structuralObjectClass: account
entryUUID: e9a37f26-fa2f-102f-9622-95d3a39a08a4
creatorsName: cn=Manager,dc=cisco,dc=com
createTimestamp: 20110413153907Z
entryCSN: 20110413153907.061388Z#000000#000#000000
modifiersName: cn=Manager,dc=cisco,dc=com
modifyTimestamp: 20110413153907Z

dn: uid=khan,ou=People,dc=cisco,dc=com
uid: khan
cn: khan
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQyYSQxMCR6aW5nTGh0eGE5RWtnT0oxWERiRkwubnZnQTl4aHhxbWR
 Rd1ZuZ0FNWWtOaTQub2doZTdwbQ==
shadowLastChange: 15077
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1409
gidNumber: 100
homeDirectory: /home/khan
structuralObjectClass: account
entryUUID: 12c2beca-fa31-102f-9623-95d3a39a08a4
creatorsName: cn=Manager,dc=cisco,dc=com
createTimestamp: 20110413154725Z
entryCSN: 20110413154725.549494Z#000000#000#000000
modifiersName: cn=Manager,dc=cisco,dc=com
modifyTimestamp: 20110413154725Z

dn: uid=manish,ou=People,dc=cisco,dc=com
uid: manish
cn: manish
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
userPassword:: e2NyeXB0fSQyYSQxMCRLUDNXdHcwYndMV1BoWC92cUxPNGVlNnJmLkZ0OWZuUzZ
 hWHpnTDJtRmN6VUxsdS9wcGR5Mg==
shadowLastChange: 15078
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1410
gidNumber: 100
homeDirectory: /home/manish
structuralObjectClass: account
entryUUID: 8ab6c2be-faa4-102f-9624-95d3a39a08a4
creatorsName: cn=Manager,dc=cisco,dc=com
createTimestamp: 20110414053358Z
entryCSN: 20110414053358.921446Z#000000#000#000000
modifiersName: cn=Manager,dc=cisco,dc=com
modifyTimestamp: 20110414053358Z

dn: uid=rich,ou=People,dc=cisco,dc=com
uid: rich
cn: rich
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
userPassword:: e2NyeXB0fSQyYSQxMCRLUDNXdHcwYndMV1BoWC92cUxPNGVlNnJmLkZ0OWZuUzZ
 hWHpnTDJtRmN6VUxsdS9wcGR5Mg==
shadowLastChange: 15078
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1410
gidNumber: 100
homeDirectory: /home/rich
radiusGroupName: dial
radiusGroupName: isdn
structuralObjectClass: account
entryUUID: 6c35a4a2-faa6-102f-9625-95d3a39a08a4
creatorsName: cn=Manager,dc=cisco,dc=com
createTimestamp: 20110414054726Z
entryCSN: 20110414054726.737073Z#000000#000#000000
modifiersName: cn=Manager,dc=cisco,dc=com
modifyTimestamp: 20110414054726Z
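
As an added check on the export above (example code, not one of the files from this post), the Python below parses LDIF, including folded continuation lines and 'attr:: base64' values, and reports entries that store userPassword in cleartext, carry more than one userPassword value, use a weak hash scheme, or have objectClass radiusprofile without the VLAN tunnel attributes. The sample entries are constructed for the example with made-up DNs; the encoded password values are the ones that appear in final.ldif above.

```python
"""Audit an LDIF export for how userPassword is stored (added example).

Handles the two LDIF features visible in final.ldif: a line starting with one
space continues the previous value, and 'attr:: value' is base64 encoded.
SAMPLE_LDIF is constructed; DNs are made up, encoded values come from the page.
"""
import base64
from typing import Dict, List, Tuple

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
objectClass: inetOrgPerson
objectClass: radiusprofile
userPassword:: e2NyeXB0fSQyYSQxMCQ1NUhLY3d0bG9Md0VWN2ZnSWZyWnQuamh1WTB5OFZxNE9
 UU3Fydnl5c2dERkQvbUZiMXllNg==
radiusTunnelType: VLAN
radiusTunnelPrivateGroupId: 10

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
objectClass: inetOrgPerson
objectClass: radiusprofile
userPassword:: e2NyeXB0fSQyYSQxMCQ1NUhLY3d0bG9Md0VWN2ZnSWZyWnQuamh1WTB5OFZxNE9
 UU3Fydnl5c2dERkQvbUZiMXllNg==
userPassword:: Z2dzZw==
radiusTunnelType: VLAN
radiusTunnelPrivateGroupId: 10

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
objectClass: account
objectClass: radiusprofile
userPassword:: e1NTSEF9VEpybEFuNDZDWG0rblNKbTltbWV0NTdPNjhMMWVHMXc=
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF text into entries; attribute names are lower-cased."""
    logical: List[str] = []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):           # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def password_kind(value: str) -> str:
    """Classify a userPassword value by its {scheme} prefix."""
    if not value.startswith("{") or "}" not in value:
        return "cleartext"                 # no scheme prefix: stored as typed
    scheme = value[1:value.index("}")].lower()
    if scheme in ("cleartext", "clear"):
        return "cleartext"
    if scheme == "crypt":                  # bcrypt vs. traditional crypt(3)
        rest = value[value.index("}") + 1:]
        return "bcrypt" if rest.startswith(("$2a$", "$2b$", "$2y$")) else "crypt"
    return scheme                          # e.g. ssha, sha, md5


def audit(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (dn, finding) pairs for password storage and RADIUS profile issues."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        passwords = entry.get("userpassword", [])
        kinds = [password_kind(p) for p in passwords]
        if "cleartext" in kinds:
            findings.append((dn, "cleartext userPassword"))
        if len(passwords) > 1:
            findings.append((dn, f"{len(passwords)} userPassword values"))
        for kind in kinds:
            if kind in ("sha", "md5", "crypt"):
                findings.append((dn, f"weak hash scheme {kind}"))
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "radiusprofile" in classes and "radiustunnelprivategroupid" not in entry:
            findings.append((dn, "radiusprofile entry without VLAN tunnel attributes"))
    return findings
```

Run audit(parse_ldif(open("final.ldif").read())) against a real slapcat export; the multi-valued userPassword entries in this post (the hashed value plus the base64 of the plain password) are exactly the pattern the second finding reports.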

default
-------
######################################################################
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# "server" section, and configuration directives.
#
# Virtual hosts should be put into the "sites-available"
# directory. Soft links should be created in the "sites-enabled"
# directory to these files. This is done in a normal installation.
#
# $Id$
#
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble. See also "man unlang", which documents the format
# of this file.
#
# This configuration is designed to work in the widest possible
# set of circumstances, with the widest possible number of
# authentication methods. This means that in general, you should
# need to make very few changes to this file.
#
# The best way to configure the server for your local system
# is to CAREFULLY edit this file. Most attempts to make large
# edits to this file will BREAK THE SERVER. Any edits should
# be small, and tested by running the server with "radiusd -X".
# Once the edits have been verified to work, save a copy of these
# configuration files somewhere. (e.g. as a "tar" file). Then,
# make more edits, and test, as above.
#
# There are many "commented out" references to modules such
# as ldap, sql, etc. These references serve as place-holders.
# If you need the functionality of that module, then configure
# it in radiusd.conf, and un-comment the references to it in
# this file. In most cases, those small changes will result
# in the server being able to connect to the DB, and to
# authenticate users.
#
######################################################################

#
# In 1.x, the "authorize", etc. sections were global in
# radiusd.conf. As of 2.0, they SHOULD be in a server section.
#
# The server section with no virtual server name is the "default"
# section. It is used when no server name is specified.
#
# We don't indent the rest of this file, because doing so
# would make it harder to read.
#

# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds the %{Client-IP-Address} attribute to the request.
preprocess

#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log

#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap

#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
# digest

#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS

#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
# ntdomain

#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# As of 2.0, the EAP module returns "ok" in the authorize stage
# for TTLS and PEAP. In 1.x, it never returned "ok" here, so
# this change is compatible with older configurations.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
eap {
ok = return
}

#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module in radiusd.conf.
#
unix

#
# Read the 'users' file
files

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
# sql

#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, then un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd

#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap

#
# Enforce daily limits on time spent logged in.
# daily

#
# Use the checkval module
# checkval

expiration
logintime

#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap

#
# If "status_server = yes", then Status-Server messages are passed
# through the following section, and ONLY the following section.
# This permits you to do DB queries, for example. If the modules
# listed here return "fail", then NO response is sent.
#
# Autz-Type Status-Server {
#
# }
}


# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#

# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# is to either forcibly reject the user (Auth-Type := Reject),
# or to forcibly accept the user (Auth-Type := Accept).
#
# Note that Auth-Type := Accept will NOT work with EAP.
#
# Please do not put "unlang" configurations into the "authenticate"
# section. Put them in the "post-auth" section instead. That's what
# the post-auth section is for.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}

#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
# digest

#
# Pluggable Authentication Modules.
# pam

#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
Auth-Type LDAP {
ldap
}

#
# Allow EAP authentication.
eap
}


#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess

#
# Ensure that we have a semi-unique identifier for every
# request, since many NAS boxes are broken.
acct_unique

#
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# IPASS
suffix
# ntdomain

#
# Read the 'acct_users' file
files
}

#
# Accounting. Log the accounting data.
#
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily

# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
unix

#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
# sradutmp

# Return an address to the IP Pool when we see a stop record.
# main_pool

#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
# sql

#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

# Cisco VoIP specific bulk accounting
# pgsql-voip

# Filter attributes from the accounting response.
attr_filter.accounting_response

#
# See "Autz-Type Status-Server" for how this works.
#
# Acct-Type Status-Server {
#
# }
}


# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp

#
# See "Simultaneous Use Checking Queries" in sql.conf
# sql
}


# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool

#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
# reply_log

#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
# sql

#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log

#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap

exec

#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}

#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite

# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files

# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy

# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}

#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {

# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log

# attr_rewrite

# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy

#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap

#
# If the server tries to proxy a request and fails, then the
# request is processed through the modules in this section.
#
# The main use of this section is to permit robust proxying
# of accounting packets. The server can be configured to
# proxy accounting packets as part of normal processing.
# Then, if the home server goes down, accounting packets can
# be logged to a local "detail" file, for processing with
# radrelay. When the home server comes back up, radrelay
# will read the detail file, and send the packets to the
# home server.
#
# With this configuration, the server always responds to
# Accounting-Requests from the NAS, but only writes
# accounting packets to disk if the home server is down.
#
# Post-Proxy-Type Fail {
# detail
# }

}

stan.ldif
---------

dn: uid=stan,ou=People,dc=cisco,dc=com
uid: stan
cn: stan
sn: stan
objectClass: inetOrgPerson
#objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
userPassword: {crypt}$2a$10$55HKcwtloLwEV7fgIfrZt.jhuY0y8Vq4OTSqrvyysgDFD/mFb1ye6
shadowLastChange: 15077
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1405
gidNumber: 100
homeDirectory: /home/stan
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg

clients.conf
------------
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id$

#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).

#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#

#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client localhost {
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
ipaddr = 10.36.19.85

# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost

#
# A note on DNS: We STRONGLY recommend using IP addresses
# rather than host names. Using host names means that the
# server will do DNS lookups when it starts, making it
# dependent on DNS. i.e. If anything goes wrong with DNS,
# the server won't start!
#
# The server also looks up the IP address from DNS once, and
# only once, when it starts. If the DNS record is later
# updated, the server WILL NOT see that update.
#

# One client definition can be applied to an entire network.
# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
# "netmask = 8"
#
# If not specified, the default netmask is 32 (i.e. /32)
#
# We do NOT recommend using anything other than 32. There
# are usually other, better ways to achieve the same goal.
# Using netmasks of other than 32 can cause security issues.
#
# You can specify overlapping networks (127/8 and 127.0/16)
# In that case, the smallest possible network will be used
# as the "best match" for the client.
#
# Clients can also be defined dynamically at run time, based
# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
# etc.
# See raddb/sites-available/dynamic-clients for details.
#

# netmask = 32

#
# The shared secret used to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 8k characters in length.
#
# Control codes can be entered via octal encoding,
# e.g. "\101\102" == "AB"
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
# A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
# shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
# And is at LEAST 8 characters long, preferably 16 characters in
# length. The secret MUST be random, and should not be words,
# phrases, or anything else that is recognizable.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
#
secret = testing123

#
# Old-style clients do not send a Message-Authenticator
# in an Access-Request. RFC 5080 suggests that all clients
# SHOULD include it in an Access-Request. The configuration
# item below allows the server to require it. If a client
# is required to include a Message-Authenticator and it does
# not, then the packet will be silently discarded.
#
# allowed values: yes, no
require_message_authenticator = no

#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
# It is accepted for compatibility with 1.x, but it is no
# longer necessary in 2.0
#
# shortname = localhost

#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#

#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types

#
nastype = other # localhost isn't usually a NAS...

#
# The following two configurations are for future use.
# The 'naspasswd' file is currently used to store the NAS
# login name and password, which is used by checkrad.pl
# when querying the NAS for simultaneous use.
#
# login = !root
# password = someadminpas

#
# As of 2.0, clients can also be tied to a virtual server.
# This is done by setting the "virtual_server" configuration
# item, as in the example below.
#
# virtual_server = home1
}

# IPv6 Client
#client ::1 {
# secret = testing123
# shortname = localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
# secret = testing123
# shortname = localhost
#}

#client some.host.org {
# secret = testing123
# shortname = localhost
#}

#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
# secret = testing123-1
# shortname = private-network-1
#}
#
client 10.36.19.84 {
secret = testing123
shortname = server1
}


#client 10.10.10.10 {
# # secret and password are mapped through the "secrets" file.
# secret = testing123
# shortname = liv1
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
# nastype = livingston
# login = !root
# password = someadminpas
#}

#######################################################################
#
# Per-socket client lists. The configuration entries are exactly
# the same as above, but they are nested inside of a section.
#
# You can have as many per-socket client lists as you have "listen"
# sections, or you can re-use a list among multiple "listen" sections.
#
# Un-comment this section, and edit a "listen" section to add:
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
# }
#}
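
The client entry above leaves require_message_authenticator = no and the test secret testing123 in place. The Python below is an added example, not part of FreeRADIUS or of this clients.conf: it builds an Access-Request carrying a Message-Authenticator (HMAC-MD5 over the packet keyed with the shared secret, RFC 2869), verifies it the way a server with require_message_authenticator = yes has to, and applies the secret rules from the comment above to a candidate secret. The packet contents and the secrets used are constructed for the example.

```python
"""Message-Authenticator and shared-secret checks for a RADIUS client entry.

Added example, not part of FreeRADIUS or the page's clients.conf. Packet
contents and secrets below are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident: int, secret: bytes, attrs: list) -> bytes:
    """Access-Request with a Message-Authenticator attribute.

    The Request Authenticator is 16 random bytes. The Message-Authenticator is
    the HMAC-MD5 of the whole packet computed with its own value zeroed, then
    written into place (it is the last attribute here).
    """
    authenticator = os.urandom(16)
    body = b"".join(_attr(t, v) for t, v in attrs)
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet += authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def _find_message_authenticator(packet: bytes):
    """Return (offset of the value, value) for attribute 80, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None                    # malformed attribute, stop parsing
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2, packet[pos + 2:pos + 18]
        pos += attr_len
    return None


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if the packet carries a Message-Authenticator valid under 'secret'.

    A packet without the attribute fails, which is what
    require_message_authenticator = yes enforces: the request is discarded.
    """
    found = _find_message_authenticator(packet)
    if found is None:
        return False
    offset, received = found
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def check_secret_policy(secret: str) -> list:
    """Rules from the clients.conf comment that 'secret' fails (empty list = passes)."""
    problems = []
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    elif len(secret) < 16:
        problems.append("shorter than the preferred 16 characters")
    if not any(c.isupper() for c in secret):
        problems.append("no upper case letters")
    if not any(c.islower() for c in secret):
        problems.append("no lower case letters")
    if not any(c.isdigit() for c in secret):
        problems.append("no digits")
    return problems
```

With the attribute required, a forged or modified Access-Request fails verification and is dropped instead of being processed; the secret check shows that testing123 already fails the comment's own rules (too short for the preferred length, no upper case).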

Commands
===============
ldapadd -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -f

ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"

radtest rich password 10.36.19.85 1 testing123