summaryrefslogtreecommitdiffstats
path: root/raddb/mods-available/sql
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--raddb/mods-available/sql371
-rw-r--r--raddb/mods-available/sql_map49
-rw-r--r--raddb/mods-available/sqlcounter122
-rw-r--r--raddb/mods-available/sqlippool109
4 files changed, 651 insertions, 0 deletions
diff --git a/raddb/mods-available/sql b/raddb/mods-available/sql
new file mode 100644
index 0000000..7bcb664
--- /dev/null
+++ b/raddb/mods-available/sql
@@ -0,0 +1,371 @@
+# -*- text -*-
+##
+## mods-available/sql -- SQL modules
+##
+## $Id$
+
+######################################################################
+#
+# Configuration for the SQL module
+#
+# The database schemas and queries are located in subdirectories:
+#
+# sql/<DB>/main/schema.sql Schema
+# sql/<DB>/main/queries.conf Authorisation and Accounting queries
+#
+# Where "DB" is mysql, mssql, oracle, or postgresql.
+#
+# The name used to query SQL is sql_user_name, which is set in the file
+#
+# raddb/mods-config/sql/main/${dialect}/queries.conf
+#
+# If you are using realms, that configuration should be changed to use
+# the Stripped-User-Name attribute. See the comments around sql_user_name
+# for more information.
+#
+
+sql {
+ #
+ # The dialect of SQL being used.
+ #
+ # Allowed dialects are:
+ #
+ # mssql
+ # mysql
+ # oracle
+ # postgresql
+ # sqlite
+ # mongo
+ #
+ dialect = "sqlite"
+
+ #
+ # The driver module used to execute the queries. Since we
+ # don't know which SQL drivers are being used, the default is
+ # "rlm_sql_null", which just logs the queries to disk via the
+ # "logfile" directive, below.
+ #
+ # In order to talk to a real database, delete the next line,
+ # and uncomment the one after it.
+ #
+ # If the dialect is "mssql", then the driver should be set to
+ # one of the following values, depending on your system:
+ #
+ # rlm_sql_db2
+ # rlm_sql_firebird
+ # rlm_sql_freetds
+ # rlm_sql_iodbc
+ # rlm_sql_unixodbc
+ #
+ driver = "rlm_sql_null"
+# driver = "rlm_sql_${dialect}"
+
+ #
+ # Driver-specific subsections. They will only be loaded and
+ # used if "driver" is something other than "rlm_sql_null".
+ # When a real driver is used, the relevant driver
+ # configuration section is loaded, and all other driver
+ # configuration sections are ignored.
+ #
+ sqlite {
+ # Path to the sqlite database
+ filename = "/tmp/freeradius.db"
+
+ # How long to wait for write locks on the database to be
+ # released (in ms) before giving up.
+ busy_timeout = 200
+
+ # If the file above does not exist and bootstrap is set
+ # a new database file will be created, and the SQL statements
+ # contained within the bootstrap file will be executed.
+ bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
+ }
+
+ mysql {
+ # If any of the files below are set, TLS encryption is enabled
+ tls {
+ ca_file = "/etc/ssl/certs/my_ca.crt"
+ ca_path = "/etc/ssl/certs/"
+ certificate_file = "/etc/ssl/certs/private/client.crt"
+ private_key_file = "/etc/ssl/certs/private/client.key"
+ cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
+
+ tls_required = yes
+ tls_check_cert = no
+ tls_check_cert_cn = no
+ }
+
+ # If yes, (or auto and libmysqlclient reports warnings are
+ # available), will retrieve and log additional warnings from
+ # the server if an error has occured. Defaults to 'auto'
+ warnings = auto
+ }
+
+ postgresql {
+
+ # unlike MySQL, which has a tls{} connection configuration, postgresql
+ # uses its connection parameters - see the radius_db option below in
+ # this file
+
+ # Send application_name to the postgres server
+ # Only supported in PG 9.0 and greater. Defaults to no.
+ send_application_name = yes
+
+ #
+ # The default application name is "FreeRADIUS - .." with the current version.
+ # The application name can be customized here to any non-zero value.
+ #
+# application_name = ""
+ }
+
+ #
+ # Configuration for Mongo.
+ #
+ # Note that the Mongo driver is experimental. The FreeRADIUS developers
+ # are unable to help with the syntax of the Mongo queries. Please see
+ # the Mongo documentation for that syntax.
+ #
+ # The Mongo driver supports only the following methods:
+ #
+ # aggregate
+ # findAndModify
+ # findOne
+ # insert
+ #
+ # For examples, see the query files:
+ #
+ # raddb/mods-config/sql/main/mongo/queries.conf
+ # raddb/mods-config/sql/main/ippool/queries.conf
+ #
+ # In order to use findAndModify with an aggretation pipleline, make
+ # sure that you are running MongoDB version 4.2 or greater. FreeRADIUS
+ # assumes that the paramaters passed to the methods are supported by the
+ # version of MongoDB which it is connected to.
+ #
+ mongo {
+ #
+ # The application name to use.
+ #
+ appname = "freeradius"
+
+ #
+ # The TLS parameters here map directly to the Mongo TLS configuration
+ #
+ tls {
+ certificate_file = /path/to/file
+ certificate_password = "password"
+ ca_file = /path/to/file
+ ca_dir = /path/to/directory
+ crl_file = /path/to/file
+ weak_cert_validation = false
+ allow_invalid_hostname = false
+ }
+ }
+
+ # Connection info:
+ #
+# server = "localhost"
+# port = 3306
+# login = "radius"
+# password = "radpass"
+
+ # Connection info for Mongo
+ # Authentication Without SSL
+ # server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=false"
+
+ # Authentication With SSL
+ # server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=true"
+
+ # Authentication with Certificate
+ # Use this command for retrieve Derived username:
+ # openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253
+ # server = mongodb://<DERIVED USERNAME>@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509
+
+ # Database table configuration for everything except Oracle
+ radius_db = "radius"
+
+ # If you are using Oracle then use this instead
+# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
+
+ # If you're using postgresql this can also be used instead of the connection info parameters
+# radius_db = "dbname=radius host=localhost user=radius password=raddpass"
+
+ # Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
+ # use SSL connections then use this form of connection info parameter
+# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"
+
+ # If you want both stop and start records logged to the
+ # same SQL table, leave this as is. If you want them in
+ # different tables, put the start table in acct_table1
+ # and stop table in acct_table2
+ acct_table1 = "radacct"
+ acct_table2 = "radacct"
+
+ # Allow for storing data after authentication
+ postauth_table = "radpostauth"
+
+ # Tables containing 'check' items
+ authcheck_table = "radcheck"
+ groupcheck_table = "radgroupcheck"
+
+ # Tables containing 'reply' items
+ authreply_table = "radreply"
+ groupreply_table = "radgroupreply"
+
+ # Table to keep group info
+ usergroup_table = "radusergroup"
+
+ # If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
+ # If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
+# read_groups = yes
+
+ # If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
+ # If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
+# read_profiles = yes
+
+ # Remove stale session if checkrad does not see a double login
+ delete_stale_sessions = yes
+
+ # Write SQL queries to a logfile. This is potentially useful for tracing
+ # issues with authorization queries. See also "logfile" directives in
+ # mods-config/sql/main/*/queries.conf. You can enable per-section logging
+ # by enabling "logfile" there, or global logging by enabling "logfile" here.
+ #
+ # Per-section logging can be disabled by setting "logfile = ''"
+# logfile = ${logdir}/sqllog.sql
+
+ # Set the maximum query duration and connection timeout
+ # for rlm_sql_mysql.
+# query_timeout = 5
+
+ # As of v3, the "pool" section has replaced the
+ # following v2 configuration items:
+ #
+ # num_sql_socks
+ # connect_failure_retry_delay
+ # lifetime
+ # max_queries
+
+ #
+ # The connection pool is used to pool outgoing connections.
+ #
+ # When the server is not threaded, the connection pool
+ # limits are ignored, and only one connection is used.
+ #
+ # If you want to have multiple SQL modules re-use the same
+ # connection pool, use "pool = name" instead of a "pool"
+ # section. e.g.
+ #
+ # sql sql1 {
+ # ...
+ # pool {
+ # ...
+ # }
+ # }
+ #
+ # # sql2 will use the connection pool from sql1
+ # sql sql2 {
+ # ...
+ # pool = sql1
+ # }
+ #
+ pool {
+ # Connections to create during module instantiation.
+ # If the server cannot create specified number of
+ # connections during instantiation it will exit.
+ # Set to 0 to allow the server to start without the
+ # database being available.
+ start = ${thread[pool].start_servers}
+
+ # Minimum number of connections to keep open
+ min = ${thread[pool].min_spare_servers}
+
+ # Maximum number of connections
+ #
+ # If these connections are all in use and a new one
+ # is requested, the request will NOT get a connection.
+ #
+ # Setting 'max' to LESS than the number of threads means
+ # that some threads may starve, and you will see errors
+ # like 'No connections available and at max connection limit'
+ #
+ # Setting 'max' to MORE than the number of threads means
+ # that there are more connections than necessary.
+ max = ${thread[pool].max_servers}
+
+ # Spare connections to be left idle
+ #
+ # NOTE: Idle connections WILL be closed if "idle_timeout"
+ # is set. This should be less than or equal to "max" above.
+ spare = ${thread[pool].max_spare_servers}
+
+ # Number of uses before the connection is closed
+ #
+ # 0 means "infinite"
+ uses = 0
+
+ # The number of seconds to wait after the server tries
+ # to open a connection, and fails. During this time,
+ # no new connections will be opened.
+ retry_delay = 30
+
+ # The lifetime (in seconds) of the connection
+ lifetime = 0
+
+ # idle timeout (in seconds). A connection which is
+ # unused for this length of time will be closed.
+ idle_timeout = 60
+
+ # NOTE: All configuration settings are enforced. If a
+ # connection is closed because of "idle_timeout",
+ # "uses", or "lifetime", then the total number of
+ # connections MAY fall below "min". When that
+ # happens, it will open a new connection. It will
+ # also log a WARNING message.
+ #
+ # The solution is to either lower the "min" connections,
+ # or increase lifetime/idle_timeout.
+ }
+
+ # Set to 'yes' to read radius clients from the database ('nas' table)
+ # Clients will ONLY be read on server startup.
+ #
+ # A client can be link to a virtual server via the SQL
+ # module. This link is done via the following process:
+ #
+ # If there is no listener in a virtual server, SQL clients
+ # are added to the global list for that virtual server.
+ #
+ # If there is a listener, and the first listener does not
+ # have a "clients=..." configuration item, SQL clients are
+ # added to the global list.
+ #
+ # If there is a listener, and the first one does have a
+ # "clients=..." configuration item, SQL clients are added to
+ # that list. The client { ...} ` configured in that list are
+ # also added for that listener.
+ #
+ # The only issue is if you have multiple listeners in a
+ # virtual server, each with a different client list, then
+ # the SQL clients are added only to the first listener.
+ #
+# read_clients = yes
+
+ # Table to keep radius client info
+ client_table = "nas"
+
+ #
+ # The group attribute specific to this instance of rlm_sql
+ #
+
+ # This entry should be used for additional instances (sql foo {})
+ # of the SQL module.
+# group_attribute = "${.:instance}-SQL-Group"
+
+ # This entry should be used for the default instance (sql {})
+ # of the SQL module.
+ group_attribute = "SQL-Group"
+
+ # Read database-specific queries
+ $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
+}
diff --git a/raddb/mods-available/sql_map b/raddb/mods-available/sql_map
new file mode 100644
index 0000000..93b2636
--- /dev/null
+++ b/raddb/mods-available/sql_map
@@ -0,0 +1,49 @@
+# Configuration for the SQL based Map (rlm_sql_map)
+sql_map {
+ # SQL instance to use (from mods-available/sql)
+ #
+ # If you have multiple sql instances, such as "sql sql1 {...}",
+ # use the *instance* name here: sql1.
+ sql_module_instance = "sql"
+
+ # This is duplicative of info available in the SQL module, but
+ # we have to list it here as we do not yet support nested
+ # reference expansions.
+ dialect = "mysql"
+
+ # Name of the check item attribute to be used as a key in the SQL queries
+ query = "SELECT ... FROM ... "
+
+ #
+ # Mapping of SQL columns to RADIUS dictionary attributes.
+ #
+
+ # WARNING: Although this format is almost identical to the unlang
+ # update section format, it does *NOT* mean that you can use other
+ # unlang constructs in module configuration files.
+ #
+ # Configuration items are in the format:
+ # <radius attr> <op> <sql column number>
+ #
+ # Where:
+ # <radius attr>: Is the destination RADIUS attribute
+ # with any valid list and request qualifiers.
+ # <op>: Is any assignment attribute (=, :=, +=, -=).
+ # <column num>: The column number (not name), starting from 0
+ #
+ # Request and list qualifiers may also be placed after the 'update'
+ # section name to set defaults destination requests/lists
+ # for unqualified RADIUS attributes.
+ #
+ update {
+ control:Password-With-Header += 0
+# control:NT-Password := 1
+# reply:Reply-Message := 2
+# reply:Tunnel-Type := 3
+# reply:Tunnel-Medium-Type := 4
+# reply:Tunnel-Private-Group-ID := 5
+ }
+
+ # If the 'query' results in multiple rows, it creates the <radius attr>[*] array entry.
+# multiple_rows = yes
+}
diff --git a/raddb/mods-available/sqlcounter b/raddb/mods-available/sqlcounter
new file mode 100644
index 0000000..a2b206e
--- /dev/null
+++ b/raddb/mods-available/sqlcounter
@@ -0,0 +1,122 @@
+# Rather than maintaining separate (GDBM) databases of
+# accounting info for each counter, this module uses the data
+# stored in the raddacct table by the sql modules. This
+# module NEVER does any database INSERTs or UPDATEs. It is
+# totally dependent on the SQL module to process Accounting
+# packets.
+#
+# The sql-module-instance' parameter holds the instance of the sql
+# module to use when querying the SQL database. Normally it
+# is just "sql". If you define more and one SQL module
+# instance (usually for failover situations), you can
+# specify which module has access to the Accounting Data
+# (radacct table).
+#
+# The 'reset' parameter defines when the counters are all
+# reset to zero. It can be hourly, daily, weekly, monthly or
+# never. It can also be user defined. It should be of the
+# form:
+# num[hdwm] where:
+# h: hours, d: days, w: weeks, m: months
+# If the letter is ommited days will be assumed. In example:
+# reset = 10h (reset every 10 hours)
+# reset = 12 (reset every 12 days)
+#
+# The 'reset_day' parameter defines which day of the month the
+# 'monthly' counter should be reset; valid values are 1 to 28.
+#
+# The 'key' parameter specifies the unique identifier for the
+# counter records (usually 'User-Name').
+#
+# The 'query' parameter specifies the SQL query used to get
+# the current Counter value from the database. There are four
+# parameters that can be used in the query:
+#
+# %%b unix time value of beginning of reset period.
+# %%e unix time value of end of reset period.
+# %%k value of 'key' parameter.
+# %%r day of month the counter should be reset.
+#
+# The 'check_name' parameter is the name of the 'check'
+# attribute to use to access the counter in the 'users' file
+# or SQL radcheck or radgroupcheck tables.
+#
+# DEFAULT Max-Daily-Session > 3600, Auth-Type = Reject
+# Reply-Message = "You've used up more than one hour today"
+#
+# The "dailycounter" (or any other sqlcounter module) should be added
+# to "post-auth" section. It will then update the Session-Timeout
+# attribute in the reply. If there is no Session-Timeout attribute,
+# the module will add one. If there is an attribute, the sqlcounter
+# module will make sure that the value is no higher than the limit.
+#
+sqlcounter dailycounter {
+ sql_module_instance = sql
+ dialect = ${modules.sql.dialect}
+
+ counter_name = Daily-Session-Time
+ check_name = Max-Daily-Session
+ reply_name = Session-Timeout
+
+ key = User-Name
+ reset = daily
+
+ $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
+}
+
+sqlcounter weeklycounter {
+ sql_module_instance = sql
+ dialect = ${modules.sql.dialect}
+
+ counter_name = Weekly-Session-Time
+ check_name = Max-Weekly-Session
+ reply_name = Session-Timeout
+
+ key = User-Name
+ reset = weekly
+
+ $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
+}
+
+sqlcounter monthlycounter {
+ sql_module_instance = sql
+ dialect = ${modules.sql.dialect}
+
+ counter_name = Monthly-Session-Time
+ check_name = Max-Monthly-Session
+ reply_name = Session-Timeout
+ key = User-Name
+ reset = monthly
+ reset_day = 1
+
+ $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
+}
+
+sqlcounter noresetcounter {
+ sql_module_instance = sql
+ dialect = ${modules.sql.dialect}
+
+ counter_name = Max-All-Session-Time
+ check_name = Max-All-Session
+ key = User-Name
+ reset = never
+
+ $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
+}
+
+#
+# Set an account to expire T seconds after first login.
+# Requires the Expire-After attribute to be set, in seconds.
+# You may need to edit raddb/dictionary to add the Expire-After
+# attribute.
+sqlcounter expire_on_login {
+ sql_module_instance = sql
+ dialect = ${modules.sql.dialect}
+
+ counter_name = Expire-After-Initial-Login
+ check_name = Expire-After
+ key = User-Name
+ reset = never
+
+ $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
+}
diff --git a/raddb/mods-available/sqlippool b/raddb/mods-available/sqlippool
new file mode 100644
index 0000000..f17a989
--- /dev/null
+++ b/raddb/mods-available/sqlippool
@@ -0,0 +1,109 @@
+# Configuration for the SQL based IP Pool module (rlm_sqlippool)
+#
+# The database schemas are available at:
+#
+# raddb/mods-config/sql/ippool/<DB>/schema.sql
+#
+# $Id$
+
+sqlippool {
+ # SQL instance to use (from mods-available/sql)
+ #
+ # If you have multiple sql instances, such as "sql sql1 {...}",
+ # use the *instance* name here: sql1.
+ sql_module_instance = "sql"
+
+ # This is duplicative of info available in the SQL module, but
+ # we have to list it here as we do not yet support nested
+ # reference expansions.
+ dialect = "mysql"
+
+ # Name of the check item attribute to be used as a key in the SQL queries
+ pool_name = "Pool-Name"
+
+ # SQL table to use for ippool range and lease info
+ ippool_table = "radippool"
+
+ # IP lease duration. (Leases expire even if Acct Stop packet is lost)
+ #
+ # Note that you SHOULD also set Session-Timeout to this value!
+ # That way the NAS will automatically kick the user offline when the
+ # lease expires.
+ #
+ lease_duration = 3600
+
+ #
+ # Timeout between each consecutive 'allocate_clear' queries (default: 1s)
+ # This will avoid having too many deadlock issues, especially on MySQL backend.
+ #
+ allocate_clear_timeout = 1
+
+ #
+ # The attribute to use for IP address assignment. The
+ # default is Framed-IP-Address. You can change this to any
+ # attribute which is IPv4 or IPv6.
+ #
+ # e.g. Framed-IPv6-Prefix, or Delegated-IPv6-Prefix.
+ #
+ # All of the default queries use this attribute_name. So you
+ # can do IPv6 address assignment simply by putting IPv6
+ # addresses into the pool, and changing the following line to
+ # "Framed-IPv6-Prefix"
+ #
+ # Note that you MUST use separate pools for each attribute. i.e. one pool
+ # for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc.
+ #
+ # This means configuring separate "sqlippool" instances, and different
+ # "ippool_table" in SQL. Then, populate the pool with addresses and
+ # it will all just work.
+ #
+ attribute_name = Framed-IP-Address
+
+ #
+ # Assign the IP address, even if the above attribute already exists
+ # in the reply.
+ #
+# allow_duplicates = no
+
+ # The attribute in which an IP address hint may be supplied
+ req_attribute_name = Framed-IP-Address
+
+ # Attribute which should be considered unique per NAS
+ #
+ # Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
+ # Using Calling-Station-Id works for NAS that send fixed NAS-Port
+ # ONLY change this if you know what you are doing!
+ pool_key = "%{NAS-Port}"
+ # pool_key = "%{Calling-Station-Id}"
+
+ ################################################################
+ #
+ # WARNING: MySQL (MyISAM) has certain limitations that means it can
+ # hand out the same IP address to 2 different users.
+ #
+ # We suggest using an SQL DB with proper transaction
+ # support, such as PostgreSQL, or using MySQL
+ # with InnoDB.
+ #
+ ################################################################
+
+ # These messages are added to the "control" items, as
+ # Module-Success-Message. They are not logged anywhere else,
+ # unlike previous versions. If you want to have them logged
+ # to a file, see the "linelog" module, and create an entry
+ # which writes Module-Success-Message message.
+ #
+ messages {
+ exists = "Existing IP: %{reply:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+ success = "Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+ clear = "Released IP %{request:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
+
+ failed = "IP Allocation FAILED from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+ nopool = "No ${..pool_name} defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+ }
+
+ $INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf
+}