1 Index: freeradius-server-2.2.7/raddb/dictionary.in
2 ===================================================================
3 --- freeradius-server-2.2.7.orig/raddb/dictionary.in
4 +++ freeradius-server-2.2.7/raddb/dictionary.in
5 @@ -11,7 +11,7 @@
6 #
7 # The filename given here should be an absolute path.
8 #
9 -$INCLUDE @prefix@/share/freeradius/dictionary
10 +$INCLUDE @prefix@/share/freeradius2/dictionary
11
12 #
13 # Place additional attributes or $INCLUDEs here. They will
14 Index: freeradius-server-2.2.7/raddb/eap.conf
15 ===================================================================
16 --- freeradius-server-2.2.7.orig/raddb/eap.conf
17 +++ freeradius-server-2.2.7/raddb/eap.conf
18 @@ -27,7 +27,7 @@
19 # then that EAP type takes precedence over the
20 # default type configured here.
21 #
22 - default_eap_type = md5
23 + default_eap_type = peap
24
25 # A list is maintained to correlate EAP-Response
26 # packets with EAP-Request packets. After a
27 @@ -72,8 +72,8 @@
28 # for wireless connections. It is insecure, and does
29 # not provide for dynamic WEP keys.
30 #
31 - md5 {
32 - }
33 +# md5 {
34 +# }
35
36 # Cisco LEAP
37 #
38 @@ -87,8 +87,8 @@
39 # User-Password, or the NT-Password attributes.
40 # 'System' authentication is impossible with LEAP.
41 #
42 - leap {
43 - }
44 +# leap {
45 +# }
46
47 # Generic Token Card.
48 #
49 @@ -101,7 +101,7 @@
50 # the users password will go over the wire in plain-text,
51 # for anyone to see.
52 #
53 - gtc {
54 +# gtc {
55 # The default challenge, which many clients
56 # ignore..
57 #challenge = "Password: "
58 @@ -118,8 +118,8 @@
59 # configured for the request, and do the
60 # authentication itself.
61 #
62 - auth_type = PAP
63 - }
64 +# auth_type = PAP
65 +# }
66
67 ## EAP-TLS
68 #
69 @@ -215,7 +215,7 @@
70 # In these cases, fragment size should be
71 # 1024 or less.
72 #
73 - # fragment_size = 1024
74 + fragment_size = 1024
75
76 # include_length is a flag which is
77 # by default set to yes If set to
78 @@ -225,7 +225,7 @@
79 # message is included ONLY in the
80 # First packet of a fragment series.
81 #
82 - # include_length = yes
83 + include_length = yes
84
85 # Check the Certificate Revocation List
86 #
87 @@ -297,7 +297,7 @@
88 # for the server to print out an error message,
89 # and refuse to start.
90 #
91 - make_cert_command = "${certdir}/bootstrap"
92 + # make_cert_command = "${certdir}/bootstrap"
93
94 #
95 # Elliptical cryptography configuration
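Review bot: Nothing in the hunk says where the server certificate is now expected to come from once make_cert_command is disabled; per the stock comment kept above it, a server with no certificate now takes the "print an error and refuse to start" path instead of silently running on a bootstrap-generated self-signed certificate. That is the right default for a shipped package, but the next maintainer will wonder whether the commented line is an oversight. Add a line above it such as `# bootstrap disabled on purpose: the tls certificate and key must be provisioned by the admin or package; radiusd will not start without them`.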
96 @@ -332,7 +332,7 @@
97 # You probably also want "use_tunneled_reply = yes"
98 # when using fast session resumption.
99 #
100 - cache {
101 + # cache {
102 #
103 # Enable it. The default is "no".
104 # Deleting the entire "cache" subsection
105 @@ -348,14 +348,14 @@
106 # enable resumption for just one user
107 # by setting the above attribute to "yes".
108 #
109 - enable = no
110 + # enable = no
111
112 #
113 # Lifetime of the cached entries, in hours.
114 # The sessions will be deleted after this
115 # time.
116 #
117 - lifetime = 24 # hours
118 + # lifetime = 24 # hours
119
120 #
121 # The maximum number of entries in the
122 @@ -364,8 +364,8 @@
123 # This could be set to the number of users
124 # who are logged in... which can be a LOT.
125 #
126 - max_entries = 255
127 - }
128 + # max_entries = 255
129 + # }
130
131 #
132 # As of version 2.1.10, client certificates can be
133 @@ -503,7 +503,7 @@
134 #
135 # in the control items for a request.
136 #
137 - ttls {
138 +# ttls {
139 # The tunneled EAP session needs a default
140 # EAP type which is separate from the one for
141 # the non-tunneled EAP module. Inside of the
142 @@ -511,7 +511,7 @@
143 # If the request does not contain an EAP
144 # conversation, then this configuration entry
145 # is ignored.
146 - default_eap_type = md5
147 +# default_eap_type = mschapv2
148
149 # The tunneled authentication request does
150 # not usually contain useful attributes
151 @@ -527,7 +527,7 @@
152 # is copied to the tunneled request.
153 #
154 # allowed values: {no, yes}
155 - copy_request_to_tunnel = no
156 +# copy_request_to_tunnel = yes
157
158 # The reply attributes sent to the NAS are
159 # usually based on the name of the user
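Review bot: The disabled ttls block no longer records the stock default: the commented line now reads `yes` where the stock one read `no`, so re-enabling TTLS by uncommenting the block would silently turn on copy_request_to_tunnel, and the same applies to the `default_eap_type = mschapv2` line in the previous hunk. A commented-out line that carries a changed value is the worst of both worlds — it has no effect today and hides a behaviour change for later. Either keep the original values in the commented lines or add `# OpenWrt: intended values if TTLS is re-enabled` above the block so the deviation is visibly deliberate. The enclosing ttls block starts before this hunk.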
160 @@ -540,7 +540,7 @@
161 # the tunneled request.
162 #
163 # allowed values: {no, yes}
164 - use_tunneled_reply = no
165 +# use_tunneled_reply = no
166
167 #
168 # The inner tunneled request can be sent
169 @@ -552,13 +552,13 @@
170 # the virtual server that processed the
171 # outer requests.
172 #
173 - virtual_server = "inner-tunnel"
174 +# virtual_server = "inner-tunnel"
175
176 # This has the same meaning as the
177 # same field in the "tls" module, above.
178 # The default value here is "yes".
179 # include_length = yes
180 - }
181 +# }
182
183 ##################################################
184 #
185 @@ -627,14 +627,14 @@
186
187 # the PEAP module also has these configuration
188 # items, which are the same as for TTLS.
189 - copy_request_to_tunnel = no
190 - use_tunneled_reply = no
191 + copy_request_to_tunnel = yes
192 + use_tunneled_reply = yes
193
194 # When the tunneled session is proxied, the
195 # home server may not understand EAP-MSCHAP-V2.
196 # Set this entry to "no" to proxy the tunneled
197 # EAP-MSCHAP-V2 as normal MSCHAPv2.
198 - # proxy_tunneled_request_as_eap = yes
199 + proxy_tunneled_request_as_eap = no
200
201 #
202 # The inner tunneled request can be sent
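Review bot: `use_tunneled_reply = yes` sends the inner authentication's reply attributes in the outer Access-Accept, and as far as I recall that includes the inner User-Name, so a client that used an anonymous outer identity has its real identity exposed to the NAS in the reply; that is the usual trade-off for getting VLAN and session attributes out of the tunnel, but it should be recorded. A comment such as `# yes: needed so inner reply attributes (VLAN etc.) reach the NAS; note the inner User-Name is exposed in the outer reply` would do. `proxy_tunneled_request_as_eap = no` only takes effect when the inner request is proxied, and this same patch sets `proxy_requests = no` in radiusd.conf, so it is dead configuration until proxying is re-enabled and deserves a one-line comment too. The peap block starts before this hunk.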
203 @@ -646,7 +646,8 @@
204 # the virtual server that processed the
205 # outer requests.
206 #
207 - virtual_server = "inner-tunnel"
208 + # virtual_server = "inner-tunnel"
209 + EAP-TLS-Require-Client-Cert = no
210
211 # This option enables support for MS-SoH
212 # see doc/SoH.txt for more info.
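Review bot: `EAP-TLS-Require-Client-Cert = no` is placed as a configuration item inside the peap subsection, but it looks like the name of a control-list attribute rather than a module option; I don't believe the peap module's config parser reads it, so it is probably ignored silently — confirm against rlm_eap_peap's CONF_PARSER table before relying on it. If the intent is to make explicit that PEAP clients need no client certificate, set it where it is evaluated, e.g. `update control { EAP-TLS-Require-Client-Cert = no }` in the authorize section, or drop the line. Commenting out `virtual_server = "inner-tunnel"` also means the tunneled request is processed by the same default server as the outer request, so every authorize/authenticate change this patch makes to sites-available/default now applies to the inner MSCHAPv2 exchange as well; say so in a comment if that is intended. The peap block starts before this hunk.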
213 Index: freeradius-server-2.2.7/raddb/modules/counter
214 ===================================================================
215 --- freeradius-server-2.2.7.orig/raddb/modules/counter
216 +++ freeradius-server-2.2.7/raddb/modules/counter
217 @@ -69,7 +69,7 @@
218 # 'check-name' attribute.
219 #
220 counter daily {
221 - filename = ${db_dir}/db.daily
222 + filename = ${radacctdir}/db.daily
223 key = User-Name
224 count-attribute = Acct-Session-Time
225 reset = daily
226 Index: freeradius-server-2.2.7/raddb/modules/pap
227 ===================================================================
228 --- freeradius-server-2.2.7.orig/raddb/modules/pap
229 +++ freeradius-server-2.2.7/raddb/modules/pap
230 @@ -18,5 +18,5 @@
231 #
232 # http://www.openldap.org/faq/data/cache/347.html
233 pap {
234 - auto_header = no
235 + auto_header = yes
236 }
237 Index: freeradius-server-2.2.7/raddb/modules/radutmp
238 ===================================================================
239 --- freeradius-server-2.2.7.orig/raddb/modules/radutmp
240 +++ freeradius-server-2.2.7/raddb/modules/radutmp
241 @@ -12,7 +12,7 @@ radutmp {
242 # Where the file is stored. It's not a log file,
243 # so it doesn't need rotating.
244 #
245 - filename = ${logdir}/radutmp
246 + filename = ${radacctdir}/radutmp
247
248 # The field in the packet to key on for the
249 # 'user' name, If you have other fields which you want
250 Index: freeradius-server-2.2.7/raddb/modules/sradutmp
251 ===================================================================
252 --- freeradius-server-2.2.7.orig/raddb/modules/sradutmp
253 +++ freeradius-server-2.2.7/raddb/modules/sradutmp
254 @@ -10,7 +10,7 @@
255 # then name "sradutmp" to identify it later in the "accounting"
256 # section.
257 radutmp sradutmp {
258 - filename = ${logdir}/sradutmp
259 + filename = ${radacctdir}/sradutmp
260 perm = 0644
261 callerid = "no"
262 }
263 Index: freeradius-server-2.2.7/raddb/radiusd.conf.in
264 ===================================================================
265 --- freeradius-server-2.2.7.orig/raddb/radiusd.conf.in
266 +++ freeradius-server-2.2.7/raddb/radiusd.conf.in
267 @@ -66,7 +66,7 @@ name = radiusd
268
269 # Location of config and logfiles.
270 confdir = ${raddbdir}
271 -run_dir = ${localstatedir}/run/${name}
272 +run_dir = ${localstatedir}/run
273
274 # Should likely be ${localstatedir}/lib/radiusd
275 db_dir = ${raddbdir}
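Review bot: The pid file (and any control socket configured under run_dir) now lands directly in the shared `${localstatedir}/run` instead of a per-service `${localstatedir}/run/${name}` directory. If radiusd is configured elsewhere to drop to a non-root user, it will either fail to write there or require loosening the permissions of a directory shared with every other daemon; a subdirectory owned by the service user is the usual pattern. If the package runs radiusd as root on OpenWrt and that is why the shared directory is acceptable, a short comment saying so would stop this from being re-reported.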
276 @@ -323,7 +323,7 @@ listen {
277 # If your system does not support this feature, you will
278 # get an error if you try to use it.
279 #
280 -# interface = eth0
281 + interface = br-lan
282
283 # Per-socket lists of clients. This is a very useful feature.
284 #
285 @@ -350,7 +350,7 @@ listen {
286 # ipv6addr = ::
287 port = 0
288 type = acct
289 -# interface = eth0
290 + interface = br-lan
291 # clients = per_socket_clients
292 }
293
294 @@ -576,8 +576,8 @@ security {
295 #
296 # allowed values: {no, yes}
297 #
298 -proxy_requests = yes
299 -$INCLUDE proxy.conf
300 +proxy_requests = no
301 +#$INCLUDE proxy.conf
302
303
304 # CLIENTS CONFIGURATION
305 @@ -774,7 +774,7 @@ instantiate {
306 # The entire command line (and output) must fit into 253 bytes.
307 #
308 # e.g. Framed-Pool = `%{exec:/bin/echo foo}`
309 - exec
310 +# exec
311
312 #
313 # The expression module doesn't do authorization,
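Review bot: Commenting `exec` out of instantiate does not unload the module: it is still referenced by the unchanged `exec` line in the accounting section of sites-available/default later in this patch, so it is instantiated on demand there and its `%{exec:...}` xlat remains registered. If the goal is to stop the server from running external programs at all, that reference has to go too; if the goal is only to trim startup, the change is harmless but a comment like `# exec is still loaded on demand from accounting {}` would keep the next reader from assuming it is disabled.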
314 @@ -791,15 +791,15 @@ instantiate {
315 # other xlat functions such as md5, sha1 and lc.
316 #
317 # We do not recommend removing it's listing here.
318 - expr
319 +# expr
320
321 #
322 # We add the counter module here so that it registers
323 # the check-name attribute before any module which sets
324 # it
325 # daily
326 - expiration
327 - logintime
328 +# expiration
329 +# logintime
330
331 # subsections here can be thought of as "virtual" modules.
332 #
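Review bot: `expr` is commented out directly under the stock comment that says its listing should not be removed; per that comment it registers the xlat functions (`%{expr:...}`, md5, sha1, lc) used by other modules and policies, so anything still calling them would now fail at request time rather than at startup. I can't see anything in this patch that uses them once policy.conf is disabled, but that dependency is not obvious from the file. Either keep `expr` (it is cheap) or add `# expr dropped: no policy.conf or xlat users in this build` above it so the trade-off is recorded. Removing `expiration` and `logintime` here is consistent with their removal from the authorize section later in the patch.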
333 @@ -823,7 +823,7 @@ instantiate {
334 # to multiple times.
335 #
336 ######################################################################
337 -$INCLUDE policy.conf
338 +#$INCLUDE policy.conf
339
340 ######################################################################
341 #
342 @@ -833,9 +833,9 @@ $INCLUDE policy.conf
343 # match the regular expression: /[a-zA-Z0-9_.]+/
344 #
345 # It allows you to define new virtual servers simply by placing
346 -# a file into the raddb/sites-enabled/ directory.
347 +# a file into the /etc/freeradius2/sites/ directory.
348 #
349 -$INCLUDE sites-enabled/
350 +$INCLUDE sites/
351
352 ######################################################################
353 #
354 @@ -843,7 +843,7 @@ $INCLUDE sites-enabled/
355 # "authenticate {}", "accounting {}", have been moved to the
356 # the file:
357 #
358 -# raddb/sites-available/default
359 +# /etc/freeradius2/sites/default
360 #
361 # This is the "default" virtual server that has the same
362 # configuration as in version 1.0.x and 1.1.x. The default
363 Index: freeradius-server-2.2.7/raddb/sites-available/default
364 ===================================================================
365 --- freeradius-server-2.2.7.orig/raddb/sites-available/default
366 +++ freeradius-server-2.2.7/raddb/sites-available/default
367 @@ -85,7 +85,7 @@ authorize {
368 #
369 # It takes care of processing the 'raddb/hints' and the
370 # 'raddb/huntgroups' files.
371 - preprocess
372 +# preprocess
373
374 #
375 # If you want to have a log of authentication requests,
376 @@ -96,7 +96,7 @@ authorize {
377 #
378 # The chap module will set 'Auth-Type := CHAP' if we are
379 # handling a CHAP request and Auth-Type has not already been set
380 - chap
381 +# chap
382
383 #
384 # If the users are logging in with an MS-CHAP-Challenge
385 @@ -104,13 +104,13 @@ authorize {
386 # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
387 # to the request, which will cause the server to then use
388 # the mschap module for authentication.
389 - mschap
390 +# mschap
391
392 #
393 # If you have a Cisco SIP server authenticating against
394 # FreeRADIUS, uncomment the following line, and the 'digest'
395 # line in the 'authenticate' section.
396 - digest
397 +# digest
398
399 #
400 # The WiMAX specification says that the Calling-Station-Id
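Review bot: With `mschap` removed from authorize, a plain (non-EAP) MS-CHAP request no longer gets `Auth-Type := MS-CHAP` and, as far as I can tell, will be rejected for lack of an Auth-Type; that is acceptable if the server is meant to serve EAP only, but it is a behaviour change for any NAS doing PPTP/L2TP-style MS-CHAP. PEAP's inner EAP-MSCHAPv2 should be unaffected because rlm_eap_mschapv2 invokes the MS-CHAP Auth-Type directly, provided the `Auth-Type MS-CHAP { mschap }` block in authenticate (outside this hunk) is still in place — worth confirming. Record the intent with `# chap/mschap/digest disabled: EAP (PEAP) only; non-EAP CHAP/MS-CHAP requests will be rejected`. The authorize section starts before this hunk.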
401 @@ -133,7 +133,7 @@ authorize {
402 # Otherwise, when the first style of realm doesn't match,
403 # the other styles won't be checked.
404 #
405 - suffix
406 +# suffix
407 # ntdomain
408
409 #
410 @@ -197,8 +197,8 @@ authorize {
411 # Use the checkval module
412 # checkval
413
414 - expiration
415 - logintime
416 +# expiration
417 +# logintime
418
419 #
420 # If no other module has claimed responsibility for
421 @@ -279,7 +279,7 @@ authenticate {
422 # If you have a Cisco SIP server authenticating against
423 # FreeRADIUS, uncomment the following line, and the 'digest'
424 # line in the 'authorize' section.
425 - digest
426 +# digest
427
428 #
429 # Pluggable Authentication Modules.
430 @@ -296,7 +296,7 @@ authenticate {
431 # be used for authentication ONLY for compatibility with legacy
432 # FreeRADIUS configurations.
433 #
434 - unix
435 +# unix
436
437 # Uncomment it if you want to use ldap for authentication
438 #
439 @@ -332,8 +332,8 @@ authenticate {
440 #
441 # Pre-accounting. Decide which accounting type to use.
442 #
443 -preacct {
444 - preprocess
445 +#preacct {
446 +# preprocess
447
448 #
449 # Session start times are *implied* in RADIUS.
450 @@ -356,7 +356,7 @@ preacct {
451 #
452 # Ensure that we have a semi-unique identifier for every
453 # request, and many NAS boxes are broken.
454 - acct_unique
455 +# acct_unique
456
457 #
458 # Look for IPASS-style 'realm/', and if not found, look for
459 @@ -366,13 +366,13 @@ preacct {
460 # Accounting requests are generally proxied to the same
461 # home server as authentication requests.
462 # IPASS
463 - suffix
464 +# suffix
465 # ntdomain
466
467 #
468 # Read the 'acct_users' file
469 - files
470 -}
471 +# files
472 +#}
473
474 #
475 # Accounting. Log the accounting data.
476 @@ -382,7 +382,7 @@ accounting {
477 # Create a 'detail'ed log of the packets.
478 # Note that accounting requests which are proxied
479 # are also logged in the detail file.
480 - detail
481 +# detail
482 # daily
483
484 # Update the wtmp file
485 @@ -434,7 +434,7 @@ accounting {
486 exec
487
488 # Filter attributes from the accounting response.
489 - attr_filter.accounting_response
490 + #attr_filter.accounting_response
491
492 #
493 # See "Autz-Type Status-Server" for how this works.
494 @@ -460,7 +460,7 @@ session {
495 # Post-Authentication
496 # Once we KNOW that the user has been authenticated, there are
497 # additional steps we can take.
498 -post-auth {
499 +#post-auth {
500 # Get an address from the IP Pool.
501 # main_pool
502
503 @@ -490,7 +490,7 @@ post-auth {
504 # ldap
505
506 # For Exec-Program and Exec-Program-Wait
507 - exec
508 +# exec
509
510 #
511 # Calculate the various WiMAX keys. In order for this to work,
512 @@ -574,18 +574,18 @@ post-auth {
513 # Add the ldap module name (or instance) if you have set
514 # 'edir_account_policy_check = yes' in the ldap module configuration
515 #
516 - Post-Auth-Type REJECT {
517 - # log failed authentications in SQL, too.
518 +# Post-Auth-Type REJECT {
519 +# # log failed authentications in SQL, too.
520 # sql
521
522 # Insert EAP-Failure message if the request was
523 # rejected by policy instead of because of an
524 # authentication failure
525 - eap
526 +# eap
527
528 - attr_filter.access_reject
529 - }
530 -}
531 +# attr_filter.access_reject
532 +# }
533 +#}
534
535 #
536 # When the server decides to proxy a request to a home server,
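Review bot: Commenting out the whole post-auth section also removes `Post-Auth-Type REJECT { eap; attr_filter.access_reject }`, and per the stock comments kept in the hunk that has two effects: an EAP request rejected by policy no longer gets an EAP-Failure inserted into the Access-Reject, and the reject is no longer filtered down to the attribute set a reject may carry, so reply items from the users file can leak into an Access-Reject. Neither looks intended by a patch that is otherwise trimming unused modules. Keep a minimal post-auth section containing only the REJECT sub-section and leave the per-user post-auth modules out as before. The section's opening `post-auth {` line is in an earlier hunk of this file.
```conf
post-auth {
	# … unchanged: per-user post-auth modules left commented out …
	Post-Auth-Type REJECT {
		eap
		attr_filter.access_reject
	}
}
```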
537 @@ -595,7 +595,7 @@ post-auth {
538 #
539 # Only a few modules currently have this method.
540 #
541 -pre-proxy {
542 +#pre-proxy {
543 # attr_rewrite
544
545 # Uncomment the following line if you want to change attributes
546 @@ -611,14 +611,14 @@ pre-proxy {
547 # server, un-comment the following line, and the
548 # 'detail pre_proxy_log' section, above.
549 # pre_proxy_log
550 -}
551 +#}
552
553 #
554 # When the server receives a reply to a request it proxied
555 # to a home server, the request may be massaged here, in the
556 # post-proxy stage.
557 #
558 -post-proxy {
559 +#post-proxy {
560
561 # If you want to have a log of replies from a home server,
562 # un-comment the following line, and the 'detail post_proxy_log'
563 @@ -642,7 +642,7 @@ post-proxy {
564 # hidden inside of the EAP packet, and the end server will
565 # reject the EAP request.
566 #
567 - eap
568 +# eap
569
570 #
571 # If the server tries to proxy a request and fails, then the
572 @@ -664,5 +664,5 @@ post-proxy {
573 # Post-Proxy-Type Fail {
574 # detail
575 # }
576 -}
577 +#}
578
579 Index: freeradius-server-2.2.7/raddb/users
580 ===================================================================
581 --- freeradius-server-2.2.7.orig/raddb/users
582 +++ freeradius-server-2.2.7/raddb/users
583 @@ -169,22 +169,22 @@
584 # by the terminal server in which case there may not be a "P" suffix.
585 # The terminal server sends "Framed-Protocol = PPP" for auto PPP.
586 #
587 -DEFAULT Framed-Protocol == PPP
588 - Framed-Protocol = PPP,
589 - Framed-Compression = Van-Jacobson-TCP-IP
590 +#DEFAULT Framed-Protocol == PPP
591 +# Framed-Protocol = PPP,
592 +# Framed-Compression = Van-Jacobson-TCP-IP
593
594 #
595 # Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
596 #
597 -DEFAULT Hint == "CSLIP"
598 - Framed-Protocol = SLIP,
599 - Framed-Compression = Van-Jacobson-TCP-IP
600 +#DEFAULT Hint == "CSLIP"
601 +# Framed-Protocol = SLIP,
602 +# Framed-Compression = Van-Jacobson-TCP-IP
603
604 #
605 # Default for SLIP: dynamic IP address, SLIP mode.
606 #
607 -DEFAULT Hint == "SLIP"
608 - Framed-Protocol = SLIP
609 +#DEFAULT Hint == "SLIP"
610 +# Framed-Protocol = SLIP
611
612 #
613 # Last default: rlogin to our main server.