4 files changed, 656 insertions, 0 deletions
diff --git a/raddb/mods-available/sql b/raddb/mods-available/sql
new file mode 100644
index 0000000..0f435ad
--- /dev/null
+++ b/raddb/mods-available/sql
@@ -0,0 +1,376 @@
+# -*- text -*-
+##
+## mods-available/sql -- SQL modules
+##
+##	$Id$
+
+######################################################################
+#
+#  Configuration for the SQL module
+#
+#  The database schemas and queries are located in subdirectories:
+#
+#	sql/<DB>/main/schema.sql	Schema
+#	sql/<DB>/main/queries.conf	Authorisation and Accounting queries
+#
+#  Where "DB" is mysql, mssql, oracle, or postgresql.
+#
+#  The name used to query SQL is sql_user_name, which is set in the file
+#
+#     raddb/mods-config/sql/main/${dialect}/queries.conf
+#
+#  If you are using realms, that configuration should be changed to use
+#  the Stripped-User-Name attribute.  See the comments around sql_user_name
+#  for more information.
+#
+
+sql {
+	#
+	#  The dialect of SQL being used.
+	#
+	#  Allowed dialects are:
+	#
+	#	mssql
+	#	mysql
+	#	oracle
+	#	postgresql
+	#	sqlite
+	#	mongo
+	#
+	dialect = "sqlite"
+
+	#
+	#  The driver module used to execute the queries.  Since we
+	#  don't know which SQL drivers are being used, the default is
+	#  "rlm_sql_null", which just logs the queries to disk via the
+	#  "logfile" directive, below.
+	#
+	#  In order to talk to a real database, delete the next line,
+	#  and uncomment the one after it.
+	#
+	#  If the dialect is "mssql", then the driver should be set to
+	#  one of the following values, depending on your system:
+	#
+	#	rlm_sql_db2
+	#	rlm_sql_firebird
+	#	rlm_sql_freetds
+	#	rlm_sql_iodbc
+	#	rlm_sql_unixodbc
+	#
+	driver = "rlm_sql_null"
+#	driver = "rlm_sql_${dialect}"
+
+	#
+	#  Driver-specific subsections.  They will only be loaded and
+	#  used if "driver" is something other than "rlm_sql_null".
+	#  When a real driver is used, the relevant driver
+	#  configuration section is loaded, and all other driver
+	#  configuration sections are ignored.
+	#
+	sqlite {
+		# Path to the sqlite database
+		filename = "/tmp/freeradius.db"
+
+		# How long to wait for write locks on the database to be
+		# released (in ms) before giving up.
+		busy_timeout = 200
+
+		# If the file above does not exist and bootstrap is set
+		# a new database file will be created, and the SQL statements
+		# contained within the bootstrap file will be executed.
+		bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
+	}
+
+	mysql {
+		# If any of the files below are set, TLS encryption is enabled
+		tls {
+			ca_file = "/etc/ssl/certs/my_ca.crt"
+			ca_path = "/etc/ssl/certs/"
+			certificate_file = "/etc/ssl/certs/private/client.crt"
+			private_key_file = "/etc/ssl/certs/private/client.key"
+			cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
+
+			tls_required = yes
+			tls_check_cert = no
+			tls_check_cert_cn = no
+		}
+
+		# If yes, (or auto and libmysqlclient reports warnings are
+		# available), will retrieve and log additional warnings from
+		# the server if an error has occured. Defaults to 'auto'
+		warnings = auto
+	}
+
+	postgresql {
+
+		# unlike MySQL, which has a tls{} connection configuration, postgresql
+		# uses its connection parameters - see the radius_db option below in
+		# this file
+
+		# Send application_name to the postgres server
+		# Only supported in PG 9.0 and greater. Defaults to no.
+		send_application_name = yes
+
+		#
+		#  The default application name is "FreeRADIUS - .." with the current version.
+		#  The application name can be customized here to any non-zero value.
+		#
+#		application_name = ""
+	}
+
+	#
+	#	Configuration for Mongo.
+	#
+	#	Note that the Mongo driver is experimental.  The FreeRADIUS developers
+	#	are unable to help with the syntax of the Mongo queries.  Please see
+	#	the Mongo documentation for that syntax.
+	#
+	#	The Mongo driver supports only the following methods:
+	#
+	#		aggregate
+	#		findAndModify
+	#		findOne
+	#		insert
+	#
+	#	For examples, see the query files:
+	#
+	#		raddb/mods-config/sql/main/mongo/queries.conf
+	#		raddb/mods-config/sql/main/ippool/queries.conf
+	#
+	#	In order to use findAndModify with an aggretation pipleline, make
+	#	sure that you are running MongoDB version 4.2 or greater. FreeRADIUS
+	#	assumes that the paramaters passed to the methods are supported by the
+	#	version of MongoDB which it is connected to.
+	#
+	mongo {
+		#
+		#  The application name to use.
+		#
+		appname = "freeradius"
+
+		#
+		#  The TLS parameters here map directly to the Mongo TLS configuration
+		#
+		tls {
+			certificate_file = /path/to/file
+			certificate_password = "password"
+			ca_file = /path/to/file
+			ca_dir = /path/to/directory
+			crl_file = /path/to/file
+			weak_cert_validation = false
+			allow_invalid_hostname = false
+		}
+	}
+
+	# Connection info:
+	#
+#	server = "localhost"
+#	port = 3306
+#	login = "radius"
+#	password = "radpass"
+
+	# Connection info for Mongo
+	# Authentication Without SSL
+	#	server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=false"
+
+	# Authentication With SSL
+	#	server = "mongodb://USER:PASSWORD@192.16.0.2:PORT/DATABASE?authSource=admin&ssl=true"
+
+	# Authentication with Certificate
+	# Use this command for retrieve Derived username:
+	# openssl x509 -in mycert.pem -inform PEM -subject -nameopt RFC2253
+	# server = mongodb://<DERIVED USERNAME>@192.168.0.2:PORT/DATABASE?authSource=$external&ssl=true&authMechanism=MONGODB-X509
+
+	# Database table configuration for everything except Oracle
+	radius_db = "radius"
+
+	# If you are using Oracle then use this instead
+#	radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
+
+	# If you're using postgresql this can also be used instead of the connection info parameters
+#	radius_db = "dbname=radius host=localhost user=radius password=raddpass"
+
+        # Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
+        # use SSL connections then use this form of connection info parameter
+#	radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt" 
+
+	# If you want both stop and start records logged to the
+	# same SQL table, leave this as is.  If you want them in
+	# different tables, put the start table in acct_table1
+	# and stop table in acct_table2
+	acct_table1 = "radacct"
+	acct_table2 = "radacct"
+
+	# Allow for storing data after authentication
+	postauth_table = "radpostauth"
+
+	# Tables containing 'check' items
+	authcheck_table = "radcheck"
+	groupcheck_table = "radgroupcheck"
+
+	# Tables containing 'reply' items
+	authreply_table = "radreply"
+	groupreply_table = "radgroupreply"
+
+	# Table to keep group info
+	usergroup_table = "radusergroup"
+
+	# If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
+	# If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
+#	read_groups = yes
+
+	# If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
+	# If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
+#	read_profiles = yes
+
+	# Remove stale session if checkrad does not see a double login
+	delete_stale_sessions = yes
+
+	# Write SQL queries to a logfile. This is potentially useful for tracing
+	# issues with authorization queries.  See also "logfile" directives in
+	# mods-config/sql/main/*/queries.conf.  You can enable per-section logging
+	# by enabling "logfile" there, or global logging by enabling "logfile" here.
+	#
+	# Per-section logging can be disabled by setting "logfile = ''"
+#	logfile = ${logdir}/sqllog.sql
+
+	#  Set the maximum query duration and connection timeout
+	#  for rlm_sql_mysql.
+#	query_timeout = 5
+
+	#  As of v3, the "pool" section has replaced the
+	#  following v2 configuration items:
+	#
+	#  num_sql_socks
+	#  connect_failure_retry_delay
+	#  lifetime
+	#  max_queries
+
+	#
+	#  The connection pool is used to pool outgoing connections.
+	#
+	# When the server is not threaded, the connection pool
+	# limits are ignored, and only one connection is used.
+	#
+	# If you want to have multiple SQL modules re-use the same
+	# connection pool, use "pool = name" instead of a "pool"
+	# section.  e.g.
+	#
+	#	sql sql1 {
+	#	    ...
+	#	    pool {
+	#	    	 ...
+	#	    }
+	#	}
+	#
+	#	# sql2 will use the connection pool from sql1
+	#	sql sql2 {
+	#	     ...
+	#	     pool = sql1
+	#	}
+	#
+	pool {
+		#  Connections to create during module instantiation.
+		#  If the server cannot create specified number of
+		#  connections during instantiation it will exit.
+		#  Set to 0 to allow the server to start without the
+		#  database being available.
+		start = ${thread[pool].start_servers}
+
+		#  Minimum number of connections to keep open
+		min = ${thread[pool].min_spare_servers}
+
+		#  Maximum number of connections
+		#
+		#  If these connections are all in use and a new one
+		#  is requested, the request will NOT get a connection.
+		#
+		#  Setting 'max' to LESS than the number of threads means
+		#  that some threads may starve, and you will see errors
+		#  like 'No connections available and at max connection limit'
+		#
+		#  Setting 'max' to MORE than the number of threads means
+		#  that there are more connections than necessary.
+		max = ${thread[pool].max_servers}
+
+		#  Spare connections to be left idle
+		#
+		#  NOTE: Idle connections WILL be closed if "idle_timeout"
+		#  is set.  This should be less than or equal to "max" above.
+		spare = ${thread[pool].max_spare_servers}
+
+		#  Number of uses before the connection is closed
+		#
+		#  0 means "infinite"
+		uses = 0
+
+		#  The number of seconds to wait after the server tries
+		#  to open a connection, and fails.  During this time,
+		#  no new connections will be opened.
+		retry_delay = 30
+
+		# The lifetime (in seconds) of the connection
+		lifetime = 0
+
+		#  idle timeout (in seconds).  A connection which is
+		#  unused for this length of time will be closed.
+		idle_timeout = 60
+
+		#  NOTE: All configuration settings are enforced.  If a
+		#  connection is closed because of "idle_timeout",
+		#  "uses", or "lifetime", then the total number of
+		#  connections MAY fall below "min".  When that
+		#  happens, it will open a new connection.  It will
+		#  also log a WARNING message.
+		#
+		#  The solution is to either lower the "min" connections,
+		#  or increase lifetime/idle_timeout.
+
+		#  Maximum number of times an operation can be retried
+		#  if it returns an error which indicates the connection
+		#  needs to be restarted.  This includes timeouts.
+		max_retries = 5
+	}
+
+	# Set to 'yes' to read radius clients from the database ('nas' table)
+	# Clients will ONLY be read on server startup.
+	#
+	#  A client can be link to a virtual server via the SQL
+	#  module.  This link is done via the following process:
+	#
+	#  If there is no listener in a virtual server, SQL clients
+	#  are added to the global list for that virtual server.
+	#
+	#  If there is a listener, and the first listener does not
+	#  have a "clients=..." configuration item, SQL clients are
+	#  added to the global list.
+	#
+	#  If there is a listener, and the first one does have a
+	#  "clients=..." configuration item, SQL clients are added to
+	#  that list.  The client { ...} ` configured in that list are
+	#  also added for that listener.
+	#
+	#  The only issue is if you have multiple listeners in a
+	#  virtual server, each with a different client list, then
+	#  the SQL clients are added only to the first listener.
+	#
+#	read_clients = yes
+
+	# Table to keep radius client info
+	client_table = "nas"
+
+	#
+	# The group attribute specific to this instance of rlm_sql
+	#
+
+	# This entry should be used for additional instances (sql foo {})
+	# of the SQL module.
+#	group_attribute = "${.:instance}-SQL-Group"
+
+	# This entry should be used for the default instance (sql {})
+	# of the SQL module.
+	group_attribute = "SQL-Group"
+
+	# Read database-specific queries
+	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
+}
diff --git a/raddb/mods-available/sql_map b/raddb/mods-available/sql_map
new file mode 100644
index 0000000..93b2636
--- /dev/null
+++ b/raddb/mods-available/sql_map
@@ -0,0 +1,49 @@
+#  Configuration for the SQL based Map (rlm_sql_map)
+sql_map {
+	# SQL instance to use (from mods-available/sql)
+	#
+	#  If you have multiple sql instances, such as "sql sql1 {...}",
+	#  use the *instance* name here: sql1.
+	sql_module_instance = "sql"
+
+	#  This is duplicative of info available in the SQL module, but
+	#  we have to list it here as we do not yet support nested
+	#  reference expansions.
+	dialect = "mysql"
+
+	# Name of the check item attribute to be used as a key in the SQL queries
+	query = "SELECT ... FROM ... "
+
+	#
+	#  Mapping of SQL columns to RADIUS dictionary attributes.
+	#
+
+	#  WARNING: Although this format is almost identical to the unlang
+	#  update section format, it does *NOT* mean that you can use other
+	#  unlang constructs in module configuration files.
+	#
+	#  Configuration items are in the format:
+	# 	<radius attr> <op> <sql column number>
+	#
+	#  Where:
+	#  	<radius attr>:	Is the destination RADIUS attribute
+	# 			with any valid list and request qualifiers.
+	#  	<op>: 		Is any assignment attribute (=, :=, +=, -=).
+	#  	<column num>:	The column number (not name), starting from 0
+	#
+	#  Request and list qualifiers may also be placed after the 'update'
+	#  section name to set defaults destination requests/lists
+	#  for unqualified RADIUS attributes.
+	#
+	update {
+		control:Password-With-Header	+= 0
+#		control:NT-Password		:= 1
+#		reply:Reply-Message		:= 2
+#		reply:Tunnel-Type		:= 3
+#		reply:Tunnel-Medium-Type	:= 4
+#		reply:Tunnel-Private-Group-ID	:= 5
+	}
+
+	# If the 'query' results in multiple rows, it creates the <radius attr>[*] array entry.
+#	multiple_rows = yes
+}
diff --git a/raddb/mods-available/sqlcounter b/raddb/mods-available/sqlcounter
new file mode 100644
index 0000000..a2b206e
--- /dev/null
+++ b/raddb/mods-available/sqlcounter
@@ -0,0 +1,122 @@
+#  Rather than maintaining separate (GDBM) databases of
+#  accounting info for each counter, this module uses the data
+#  stored in the raddacct table by the sql modules. This
+#  module NEVER does any database INSERTs or UPDATEs.  It is
+#  totally dependent on the SQL module to process Accounting
+#  packets.
+#
+#  The sql-module-instance' parameter holds the instance of the sql
+#  module to use when querying the SQL database. Normally it
+#  is just "sql".  If you define more and one SQL module
+#  instance (usually for failover situations), you can
+#  specify which module has access to the Accounting Data
+#  (radacct table).
+#
+#  The 'reset' parameter defines when the counters are all
+#  reset to zero.  It can be hourly, daily, weekly, monthly or
+#  never.  It can also be user defined. It should be of the
+#  form:
+#  	num[hdwm] where:
+#  	h: hours, d: days, w: weeks, m: months
+#  	If the letter is ommited days will be assumed. In example:
+#  	reset = 10h (reset every 10 hours)
+#  	reset = 12  (reset every 12 days)
+#
+#  The 'reset_day' parameter defines which day of the month the
+#  'monthly' counter should be reset; valid values are 1 to 28.
+#
+#  The 'key' parameter specifies the unique identifier for the
+#  counter records (usually 'User-Name').
+#
+#  The 'query' parameter specifies the SQL query used to get
+#  the current Counter value from the database. There are four
+#  parameters that can be used in the query:
+#
+#	%%b	unix time value of beginning of reset period.
+#	%%e	unix time value of end of reset period.
+#	%%k	value of 'key' parameter.
+#	%%r	day of month the counter should be reset.
+#
+#  The 'check_name' parameter is the name of the 'check'
+#  attribute to use to access the counter in the 'users' file
+#  or SQL radcheck or radgroupcheck tables.
+#
+#  DEFAULT  Max-Daily-Session > 3600, Auth-Type = Reject
+#      Reply-Message = "You've used up more than one hour today"
+#
+#  The "dailycounter" (or any other sqlcounter module) should be added
+#  to "post-auth" section.  It will then update the Session-Timeout
+#  attribute in the reply.  If there is no Session-Timeout attribute,
+#  the module will add one.  If there is an attribute, the sqlcounter
+#  module will make sure that the value is no higher than the limit.
+#
+sqlcounter dailycounter {
+	sql_module_instance = sql
+	dialect = ${modules.sql.dialect}
+
+	counter_name = Daily-Session-Time
+	check_name = Max-Daily-Session
+	reply_name = Session-Timeout
+
+	key = User-Name
+	reset = daily
+
+	$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
+}
+
+sqlcounter weeklycounter {
+	sql_module_instance = sql
+	dialect = ${modules.sql.dialect}
+
+	counter_name = Weekly-Session-Time
+	check_name = Max-Weekly-Session
+	reply_name = Session-Timeout
+
+	key = User-Name
+	reset = weekly
+
+	$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
+}
+
+sqlcounter monthlycounter {
+	sql_module_instance = sql
+	dialect = ${modules.sql.dialect}
+
+	counter_name = Monthly-Session-Time
+	check_name = Max-Monthly-Session
+	reply_name = Session-Timeout
+	key = User-Name
+	reset = monthly
+	reset_day = 1
+
+	$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
+}
+
+sqlcounter noresetcounter {
+	sql_module_instance = sql
+	dialect = ${modules.sql.dialect}
+
+	counter_name = Max-All-Session-Time
+	check_name = Max-All-Session
+	key = User-Name
+	reset = never
+
+	$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
+}
+
+#
+#  Set an account to expire T seconds after first login.
+#  Requires the Expire-After attribute to be set, in seconds.
+#  You may need to edit raddb/dictionary to add the Expire-After
+#  attribute.
+sqlcounter expire_on_login {
+	sql_module_instance = sql
+	dialect = ${modules.sql.dialect}
+
+	counter_name = Expire-After-Initial-Login
+	check_name = Expire-After
+	key = User-Name
+	reset = never
+
+	$INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
+}
diff --git a/raddb/mods-available/sqlippool b/raddb/mods-available/sqlippool
new file mode 100644
index 0000000..f17a989
--- /dev/null
+++ b/raddb/mods-available/sqlippool
@@ -0,0 +1,109 @@
+#  Configuration for the SQL based IP Pool module (rlm_sqlippool)
+#
+#  The database schemas are available at:
+#
+#       raddb/mods-config/sql/ippool/<DB>/schema.sql
+#
+#  $Id$
+
+sqlippool {
+	# SQL instance to use (from mods-available/sql)
+	#
+	#  If you have multiple sql instances, such as "sql sql1 {...}",
+	#  use the *instance* name here: sql1.
+	sql_module_instance = "sql"
+
+	#  This is duplicative of info available in the SQL module, but
+	#  we have to list it here as we do not yet support nested
+	#  reference expansions.
+	dialect = "mysql"
+
+	# Name of the check item attribute to be used as a key in the SQL queries
+	pool_name = "Pool-Name"
+
+	# SQL table to use for ippool range and lease info
+	ippool_table = "radippool"
+
+	# IP lease duration. (Leases expire even if Acct Stop packet is lost)
+	#
+	#  Note that you SHOULD also set Session-Timeout to this value!
+	#  That way the NAS will automatically kick the user offline when the
+	#  lease expires.
+	#
+	lease_duration = 3600
+
+	#
+	# Timeout between each consecutive 'allocate_clear' queries (default: 1s)
+	# This will avoid having too many deadlock issues, especially on MySQL backend.
+	#
+	allocate_clear_timeout = 1
+
+	#
+	#  The attribute to use for IP address assignment.  The
+	#  default is Framed-IP-Address.  You can change this to any
+	#  attribute which is IPv4 or IPv6.
+	#
+	#  e.g. Framed-IPv6-Prefix, or Delegated-IPv6-Prefix.
+	#
+	#  All of the default queries use this attribute_name.  So you
+	#  can do IPv6 address assignment simply by putting IPv6
+	#  addresses into the pool, and changing the following line to
+	#  "Framed-IPv6-Prefix"
+	#
+	#  Note that you MUST use separate pools for each attribute.  i.e. one pool
+	#  for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc.
+	#
+	#  This means configuring separate "sqlippool" instances, and different
+	#  "ippool_table" in SQL.  Then, populate the pool with addresses and
+	#  it will all just work.
+	#
+	attribute_name = Framed-IP-Address
+
+	#
+	#  Assign the IP address, even if the above attribute already exists
+	#  in the reply.
+	#
+#	allow_duplicates = no
+
+	#  The attribute in which an IP address hint may be supplied
+	req_attribute_name = Framed-IP-Address
+
+	# Attribute which should be considered unique per NAS
+	#
+	#  Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
+	#  Using Calling-Station-Id works for NAS that send fixed NAS-Port
+	#  ONLY change this if you know what you are doing!
+	pool_key = "%{NAS-Port}"
+	# pool_key = "%{Calling-Station-Id}"
+
+	################################################################
+	#
+	#  WARNING: MySQL (MyISAM) has certain limitations that means it can
+	#           hand out the same IP address to 2 different users.
+	#
+	#           We suggest using an SQL DB with proper transaction
+	#           support, such as PostgreSQL, or using MySQL
+	#	     with InnoDB.
+	#
+	################################################################
+
+	#  These messages are added to the "control" items, as
+	#  Module-Success-Message.  They are not logged anywhere else,
+	#  unlike previous versions.  If you want to have them logged
+	#  to a file, see the "linelog" module, and create an entry
+	#  which writes Module-Success-Message message.
+	#
+	messages {
+		exists = "Existing IP: %{reply:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+		success = "Allocated IP: %{reply:${..attribute_name}} from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+		clear = "Released IP %{request:${..attribute_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
+
+		failed = "IP Allocation FAILED from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+
+		nopool = "No ${..pool_name} defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+	}
+
+	$INCLUDE ${modconfdir}/sql/ippool/${dialect}/queries.conf
+}