Diffstat (limited to '')
-rw-r--r-- | raddb/mods-available/cache | 150 | ||||
-rw-r--r-- | raddb/mods-available/cache_auth | 116 |
2 files changed, 266 insertions, 0 deletions
diff --git a/raddb/mods-available/cache b/raddb/mods-available/cache
new file mode 100644
index 0000000..cf0054f
--- /dev/null
+++ b/raddb/mods-available/cache
@@ -0,0 +1,150 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# A module to cache attributes. The idea is that you can look
+# up information in a database, and then cache it. Repeated
+# requests for the same information will then have the cached
+# values added to the request.
+#
+# The module can cache a fixed set of attributes per key.
+# It can be listed in "authorize", "post-auth", "pre-proxy"
+# and "post-proxy".
+#
+# If you want different things cached for authorize and post-auth,
+# you will need to define two instances of the "cache" module.
+#
+# The module returns "ok" if it found or created a cache entry.
+# The module returns "updated" if it merged a cached entry.
+# The module returns "noop" if it did nothing.
+# The module returns "fail" on error.
+#
+cache {
+ # The backend datastore used to store the cache entries.
+ # Current datastores are
+ # rlm_cache_rbtree - An in memory, non persistent rbtree based datastore.
+ # Useful for caching data locally.
+ # rlm_cache_memcached - A non persistent "webscale" distributed datastore.
+ # Useful if the cached data need to be shared between
+ # a cluster of RADIUS servers.
+ # rlm_cache_redis - uses Redis.
+# driver = "rlm_cache_rbtree"
+
+ #
+ # Some drivers accept specific options, to set them a
+ # config section with the the name as the driver should be added
+ # to the cache instance.
+ #
+ # Driver specific options are:
+ #
+# memcached {
+# # Memcached configuration options, as documented here:
+# # http://docs.libmemcached.org/libmemcached_configuration.html#memcached
+# options = "--SERVER=localhost"
+#
+# pool {
+# start = ${thread[pool].start_servers}
+# min = ${thread[pool].min_spare_servers}
+# max = ${thread[pool].max_servers}
+# spare = ${thread[pool].max_spare_servers}
+# uses = 0
+# lifetime = 0
+# idle_timeout = 60
+# }
+# }
+
+ #
+ # See mods-available/redis for documentation on the following
+ # configuration items. They are identical here.
+ #
+ # Note that the "pool" section can re-use the normal Redis
+ # connections. This is done by setting the "pool" configuration
+ # item to the name of the Redis module. The other configuration
+ # items should then be the same as for the original "redis" module.
+ #
+# redis {
+# server = ...
+# port =
+# database =
+# query_timeout = ...
+# pool = redis
+# }
+
+ # The key used to index the cache. It is dynamically expanded
+ # at run time.
+ key = "%{User-Name}"
+
+ # The TTL of cache entries, in seconds. Entries older than this
+ # will be expired.
+ #
+ # This value should be between 10 and 86400.
+ ttl = 10
+
+ # If yes the following attributes will be added to the request:
+ # * &request:Cache-Entry-Hits - The number of times this entry
+ # has been retrieved.
+ #
+ # Note: Not supported by the rlm_cache_memcached module.
+ add_stats = no
+
+ #
+ # The list of attributes to cache for a particular key.
+ #
+ # Each key gets the same set of cached attributes. The attributes
+ # are dynamically expanded at run time.
+ #
+ # The semantics of this construct are identical to an unlang
+ # update block, except the left hand side of the expression
+ # represents the cache entry. see man unlang for more information
+ # on update blocks.
+ #
+ # Note: Only request, reply, control and session-state lists
+ # are available in cache entries. Attempting to store attributes
+ # in other lists will raise an error during config validation.
+ #
+ update {
+ # <list>:<attribute> <op> <value>
+
+ # Cache all instances of Reply-Message in the reply list
+ &reply:Reply-Message += &reply:Reply-Message[*]
+
+ # Add our own to show when the cache was last updated
+ &reply:Reply-Message += "Cache last updated at %t"
+
+ &reply:Class := "%{randstr:ssssssssssssssssssssssssssssssss}"
+ }
+
+ # This module supports a number of runtime configuration parameters
+ # represented by attributes in the &control: list.
+ #
+ # &control:Cache-TTL - Sets the TTL of an entry to be created, or
+ # modifies the TTL of an existing entry.
+ # - Setting a Cache-TTL of > 0 means set the TTL of the entry to
+ # the new value (and reset the expiry timer).
+ # - Setting a Cache-TTL of < 0 means expire the existing entry
+ # (without merging) and create a new one with TTL set to
+ # value * -1.
+ # - Setting a Cache-TTL of 0 means expire the existing entry
+ # (without merging) and don't create a new one.
+ #
+ # &control:Cache-Status-Only - If present and set to 'yes' will
+ # prevent a new entry from being created, and existing entries from
+ # being merged. It will also alter the module's return codes.
+ # - The module will return "ok" if a cache entry was found.
+ # - The module will return "notfound" if no cache entry was found.
+ #
+ # &control:Cache-Read-Only - If present and set to 'yes' will
+ # prevent a new entry from being created, but will allow existing
+ # entries to be merged. It will also alter the module's return codes.
+ # - The module will return "updated" if a cache entry was found.
+ # - The module will return "notfound" if no cache was found.
+ #
+ # &control:Cache-Merge - If present and set to 'yes' will merge new
+ # cache entries into the current request. Useful if results
+ # of execs or expansions are stored directly in the cache.
+ #
+ # All runtime configuration attributes will be removed from the
+ # &control: list after the cache module is called.
+
+}
diff --git a/raddb/mods-available/cache_auth b/raddb/mods-available/cache_auth
new file mode 100644
index 0000000..7485f36
--- /dev/null
+++ b/raddb/mods-available/cache_auth
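Review bot: The default `key = "%{User-Name}"` indexes the cache by the bare, not-yet-authenticated User-Name, and the header says the module may be listed in `authorize`, so whatever the `update` section stores (the example caches `&reply:Class` and Reply-Message) is merged into every later request that merely claims the same name, before any credential has been checked; the comment above `key` should say so. I would add `# NOTE: User-Name is taken from the request unverified; do not cache authorization decisions under it, or call this instance only after authentication.` The memcached example `options = "--SERVER=localhost"` also deserves a caveat, since memcached's protocol carries no authentication or encryption by default, so cached entries are readable and writable by anyone who can reach that port; a line such as `# memcached has no authentication: keep it on a private network, or use rlm_cache_rbtree when entries hold anything sensitive.` would cover it. Both points are documentation only.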
@@ -0,0 +1,116 @@
+# -*- text -*-
+#
+# $Id$
+
+# This file contains a collection of cache module configurations
+# which have been designed to be used to cache accepts, rejects, and
+# LDAP User DNs. The main use of these modules is Google Secure
+# LDAP.
+#
+# In scenarios where there is repeated authentication requests for the same
+# user within a short time frame (e.g. 802.1x wifi), these modules can help to
+# compensate for slow responses from poor LDAP servers (i.e. Google).
+#
+# See also mods-available/ldap_google, and sites-available/google-ldap-auth.
+#
+# The configurations in this file can be used for non-Google LDAP
+# servers, too.
+#
+
+
+#
+# This instance of the cache module caches successful
+# authentications.
+#
+# The TTL controls how often the authentication will be cached.
+#
+# In addition, if group membership is used as part of the policy, the
+# &control:LDAP-Group attribute should be added to the "update: section here.
+#
+# If a user's authentication is found in the cache, then any data
+# which is normally retrieved from LDAP for local policies must also
+# be stored in the cache via the "update" section.
+#
+cache cache_auth_accept {
+ driver = "rlm_cache_rbtree"
+ key = "%{md5:%{%{Stripped-User-Name}:-%{User-Name}}%{User-Password}}"
+ ttl = 7200
+ update {
+ #
+ # We need to cache something, so we just cache
+ # a random attribute. This attribute is not used
+ # for anything else, just as a "place-holder" to
+ # contain a cache entry.
+ #
+ # If you add other attributes to this update section, then
+ # this attribute can be deleted.
+ #
+ &control:User-Category = "success"
+ }
+}
+
+
+#
+# This instance of the cache module caches failed authentications.
+#
+# In many cases, rejected users will repeatedly try to authenticate.
+# These repeated authentication attempts can cause significant load
+# on the system. By caching the reject, we can avoid hitting the database.
+#
+# We index the cache by a hash of the client's MAC and the user name
+# and password. If a user corrects their user name or password, then
+# that authentication attempt won't hit the cache, and their
+# credentials will be immediately checked against the database.
+#
+# The TTL controls how long a combination of device / user and
+# password wil be rejected without looking at the database. Once the
+# cache entry expires, the server will delete the cache entry, and
+# contact the database.
+#
+cache cache_auth_reject {
+ driver = "rlm_cache_rbtree"
+ key = "%{md5:%{Calling-Station-Id}%{Stripped-User-Name}%{User-Password}}"
+ ttl = 3600
+ update {
+ #
+ # We need to cache something, so we just cache
+ # a random attribute. This attribute is not used
+ # for anything else, just as a "place-holder" to
+ # contain a cache entry.
+ #
+ &control:User-Category = "failure"
+ }
+}
+
+
+#
+# An instance of the cache module which caches the LDAP user DN.
+#
+# If LDAP authentication is being used for a simple auth / reject without
+# any need to retrieve other attributes (e.g. group membership), each LDAP
+# bind authentication is three steps
+#
+# - bind as admin user
+# - lookup user's DN
+# - bind as user using retrieved DN
+#
+# By caching the DN after the first LDAP querry, the first two steps
+# are skipped on subsequent authentications.
+#
+# If an alternative attribute name is being used for the user DN, you
+# should change the update section here appropriately. But that is
+# likely rare.
+#
+# In scenarios where DNs may change, consideration should be given as
+# to whether use of this cache may create issues. i.e. if the cache
+# doesn't help, then don't use it.
+#
+cache cache_ldap_user_dn {
+ driver = "rlm_cache_rbtree"
+ key = "%{Stripped-User-Name}"
+ ttl = 86400
+ update {
+ &control:LDAP-UserDN = &control:LDAP-UserDN
+ }
+}
+ |
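Review bot: The `cache_auth_accept` key `%{md5:%{%{Stripped-User-Name}:-%{User-Name}}%{User-Password}}` concatenates name and password with no separator, so user "ab" with password "c" and user "a" with password "bc" hash to the same key, and the second user is accepted from the first user's cached entry for up to 7200 s without LDAP ever seeing the credentials; a delimiter that cannot appear in a user name fixes it, e.g. `key = "%{md5:%{%{Stripped-User-Name}:-%{User-Name}}:%{User-Password}}"`, with the same change to the `cache_auth_reject` key. The same key also collapses to md5(username) when the request carries no User-Password (an absent attribute expands to nothing, which is why the user-name part already uses `:-`), so if the policy in sites-available/google-ldap-auth ever reaches this instance on a request without one, a cached accept for that name is returned with no credential checked; guard the call with `if (&User-Password)` there, or at least add `# NOTE: only call this instance when User-Password is present; without it the key is just the user name.` above `key`. The reject key should also fall back to User-Name the way the accept key does, otherwise a missing Stripped-User-Name makes the entry keyed on MAC and password alone. Finally, the header comment should state that a cached accept keeps working for up to `ttl` seconds after the password is changed or the account is disabled in LDAP, since nothing here revalidates an entry.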