Diffstat (limited to '')
-rw-r--r--raddb/mods-available/cache150
-rw-r--r--raddb/mods-available/cache_auth116
2 files changed, 266 insertions, 0 deletions
diff --git a/raddb/mods-available/cache b/raddb/mods-available/cache
new file mode 100644
index 0000000..cf0054f
--- /dev/null
+++ b/raddb/mods-available/cache
@@ -0,0 +1,150 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# A module to cache attributes. The idea is that you can look
+# up information in a database, and then cache it. Repeated
+# requests for the same information will then have the cached
+# values added to the request.
+#
+# The module can cache a fixed set of attributes per key.
+# It can be listed in "authorize", "post-auth", "pre-proxy"
+# and "post-proxy".
+#
+# If you want different things cached for authorize and post-auth,
+# you will need to define two instances of the "cache" module.
+#
+# The module returns "ok" if it found or created a cache entry.
+# The module returns "updated" if it merged a cached entry.
+# The module returns "noop" if it did nothing.
+# The module returns "fail" on error.
+#
+cache {
+ # The backend datastore used to store the cache entries.
+ # Current datastores are
+ # rlm_cache_rbtree - An in memory, non persistent rbtree based datastore.
+ # Useful for caching data locally.
+ # rlm_cache_memcached - A non persistent "webscale" distributed datastore.
+ # Useful if the cached data need to be shared between
+ # a cluster of RADIUS servers.
+ # rlm_cache_redis - uses Redis.
+# driver = "rlm_cache_rbtree"
+
+ #
+ # Some drivers accept specific options, to set them a
+ # config section with the the name as the driver should be added
+ # to the cache instance.
+ #
+ # Driver specific options are:
+ #
+# memcached {
+# # Memcached configuration options, as documented here:
+# # http://docs.libmemcached.org/libmemcached_configuration.html#memcached
+# options = "--SERVER=localhost"
+#
+# pool {
+# start = ${thread[pool].start_servers}
+# min = ${thread[pool].min_spare_servers}
+# max = ${thread[pool].max_servers}
+# spare = ${thread[pool].max_spare_servers}
+# uses = 0
+# lifetime = 0
+# idle_timeout = 60
+# }
+# }
+
+ #
+ # See mods-available/redis for documentation on the following
+ # configuration items. They are identical here.
+ #
+ # Note that the "pool" section can re-use the normal Redis
+ # connections. This is done by setting the "pool" configuration
+ # item to the name of the Redis module. The other configuration
+ # items should then be the same as for the original "redis" module.
+ #
+# redis {
+# server = ...
+# port =
+# database =
+# query_timeout = ...
+# pool = redis
+# }
+
+ # The key used to index the cache. It is dynamically expanded
+ # at run time.
+ key = "%{User-Name}"
+
+ # The TTL of cache entries, in seconds. Entries older than this
+ # will be expired.
+ #
+ # This value should be between 10 and 86400.
+ ttl = 10
+
+ # If yes the following attributes will be added to the request:
+ # * &request:Cache-Entry-Hits - The number of times this entry
+ # has been retrieved.
+ #
+ # Note: Not supported by the rlm_cache_memcached module.
+ add_stats = no
+
+ #
+ # The list of attributes to cache for a particular key.
+ #
+ # Each key gets the same set of cached attributes. The attributes
+ # are dynamically expanded at run time.
+ #
+ # The semantics of this construct are identical to an unlang
+ # update block, except the left hand side of the expression
+ # represents the cache entry. see man unlang for more information
+ # on update blocks.
+ #
+ # Note: Only request, reply, control and session-state lists
+ # are available in cache entries. Attempting to store attributes
+ # in other lists will raise an error during config validation.
+ #
+ update {
+ # <list>:<attribute> <op> <value>
+
+ # Cache all instances of Reply-Message in the reply list
+ &reply:Reply-Message += &reply:Reply-Message[*]
+
+ # Add our own to show when the cache was last updated
+ &reply:Reply-Message += "Cache last updated at %t"
+
+ &reply:Class := "%{randstr:ssssssssssssssssssssssssssssssss}"
+ }
+
+ # This module supports a number of runtime configuration parameters
+ # represented by attributes in the &control: list.
+ #
+ # &control:Cache-TTL - Sets the TTL of an entry to be created, or
+ # modifies the TTL of an existing entry.
+ # - Setting a Cache-TTL of > 0 means set the TTL of the entry to
+ # the new value (and reset the expiry timer).
+ # - Setting a Cache-TTL of < 0 means expire the existing entry
+ # (without merging) and create a new one with TTL set to
+ # value * -1.
+ # - Setting a Cache-TTL of 0 means expire the existing entry
+ # (without merging) and don't create a new one.
+ #
+ # &control:Cache-Status-Only - If present and set to 'yes' will
+ # prevent a new entry from being created, and existing entries from
+ # being merged. It will also alter the module's return codes.
+ # - The module will return "ok" if a cache entry was found.
+ # - The module will return "notfound" if no cache entry was found.
+ #
+ # &control:Cache-Read-Only - If present and set to 'yes' will
+ # prevent a new entry from being created, but will allow existing
+ # entries to be merged. It will also alter the module's return codes.
+ # - The module will return "updated" if a cache entry was found.
+ # - The module will return "notfound" if no cache was found.
+ #
+ # &control:Cache-Merge - If present and set to 'yes' will merge new
+ # cache entries into the current request. Useful if results
+ # of execs or expansions are stored directly in the cache.
+ #
+ # All runtime configuration attributes will be removed from the
+ # &control: list after the cache module is called.
+
+}
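Review bot: The cache key on line 92, `key = "%{User-Name}"`, is taken straight from the request before any authentication, so whatever the `update` block stores is created and later replayed under an identity the client merely asserts, and nothing in this hunk bounds how many distinct keys the in-memory rbtree driver will hold. A client that varies User-Name per request can therefore grow the cache until TTL expiry, and reply attributes cached here are returned to any later request carrying the same name whether or not it authenticates. I would add above line 92: `# Security: the key is attacker-controlled. Do not cache attributes that grant access under a key that has not itself been authenticated; with an open key space prefer a short ttl.` The memcached/redis examples on lines 57-88 also ship cached entries to another host, so the same comment should note that the transport to that datastore is outside this module's control.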
diff --git a/raddb/mods-available/cache_auth b/raddb/mods-available/cache_auth
new file mode 100644
index 0000000..7485f36
--- /dev/null
+++ b/raddb/mods-available/cache_auth
@@ -0,0 +1,116 @@
+# -*- text -*-
+#
+# $Id$
+
+# This file contains a collection of cache module configurations
+# which have been designed to be used to cache accepts, rejects, and
+# LDAP User DNs. The main use of these modules is Google Secure
+# LDAP.
+#
+# In scenarios where there is repeated authentication requests for the same
+# user within a short time frame (e.g. 802.1x wifi), these modules can help to
+# compensate for slow responses from poor LDAP servers (i.e. Google).
+#
+# See also mods-available/ldap_google, and sites-available/google-ldap-auth.
+#
+# The configurations in this file can be used for non-Google LDAP
+# servers, too.
+#
+
+
+#
+# This instance of the cache module caches successful
+# authentications.
+#
+# The TTL controls how often the authentication will be cached.
+#
+# In addition, if group membership is used as part of the policy, the
+# &control:LDAP-Group attribute should be added to the "update: section here.
+#
+# If a user's authentication is found in the cache, then any data
+# which is normally retrieved from LDAP for local policies must also
+# be stored in the cache via the "update" section.
+#
+cache cache_auth_accept {
+ driver = "rlm_cache_rbtree"
+ key = "%{md5:%{%{Stripped-User-Name}:-%{User-Name}}%{User-Password}}"
+ ttl = 7200
+ update {
+ #
+ # We need to cache something, so we just cache
+ # a random attribute. This attribute is not used
+ # for anything else, just as a "place-holder" to
+ # contain a cache entry.
+ #
+ # If you add other attributes to this update section, then
+ # this attribute can be deleted.
+ #
+ &control:User-Category = "success"
+ }
+}
+
+
+#
+# This instance of the cache module caches failed authentications.
+#
+# In many cases, rejected users will repeatedly try to authenticate.
+# These repeated authentication attempts can cause significant load
+# on the system. By caching the reject, we can avoid hitting the database.
+#
+# We index the cache by a hash of the client's MAC and the user name
+# and password. If a user corrects their user name or password, then
+# that authentication attempt won't hit the cache, and their
+# credentials will be immediately checked against the database.
+#
+# The TTL controls how long a combination of device / user and
+# password wil be rejected without looking at the database. Once the
+# cache entry expires, the server will delete the cache entry, and
+# contact the database.
+#
+cache cache_auth_reject {
+ driver = "rlm_cache_rbtree"
+ key = "%{md5:%{Calling-Station-Id}%{Stripped-User-Name}%{User-Password}}"
+ ttl = 3600
+ update {
+ #
+ # We need to cache something, so we just cache
+ # a random attribute. This attribute is not used
+ # for anything else, just as a "place-holder" to
+ # contain a cache entry.
+ #
+ &control:User-Category = "failure"
+ }
+}
+
+
+#
+# An instance of the cache module which caches the LDAP user DN.
+#
+# If LDAP authentication is being used for a simple auth / reject without
+# any need to retrieve other attributes (e.g. group membership), each LDAP
+# bind authentication is three steps
+#
+# - bind as admin user
+# - lookup user's DN
+# - bind as user using retrieved DN
+#
+# By caching the DN after the first LDAP querry, the first two steps
+# are skipped on subsequent authentications.
+#
+# If an alternative attribute name is being used for the user DN, you
+# should change the update section here appropriately. But that is
+# likely rare.
+#
+# In scenarios where DNs may change, consideration should be given as
+# to whether use of this cache may create issues. i.e. if the cache
+# doesn't help, then don't use it.
+#
+cache cache_ldap_user_dn {
+ driver = "rlm_cache_rbtree"
+ key = "%{Stripped-User-Name}"
+ ttl = 86400
+ update {
+ &control:LDAP-UserDN = &control:LDAP-UserDN
+ }
+}
+
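Review bot: The accept-cache key on line 208, `key = "%{md5:%{%{Stripped-User-Name}:-%{User-Name}}%{User-Password}}"`, concatenates user name and password with no separator, so the pairs (`ab`,`c`) and (`a`,`bc`) hash to the same entry and a cached success for one is returned for the other; the reject key on line 244 has the same ambiguity and additionally drops the `:-%{User-Name}` fallback, so a request without Stripped-User-Name is keyed on Calling-Station-Id and password alone. Inserting a fixed separator between the fields, e.g. `key = "%{md5:%{%{Stripped-User-Name}:-%{User-Name}}:%{User-Password}}"`, and using the same fallback in both instances removes the collision (confirm the separator cannot occur in stripped names in the deployment). The header comment should also state that a cached accept bypasses LDAP for the full `ttl = 7200`, so a password change, lockout or account removal does not take effect until the entry expires, and that the rbtree driver keeps MD5(name||password) in process memory for that period.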