authorEmil Renner Berthing <esmil@labitat.dk>2020-06-19 18:08:07 +0200
committerEmil Renner Berthing <esmil@labitat.dk>2020-06-19 18:08:07 +0200
commit30671c89460abef279679f23be59f5a0d0df7d20 (patch)
treef36fe2bbde5c0bec82a6917d3e73e7bcf974cfd0
parent2c762cab31e70766a9dd857e0abb38f0b955ba2a (diff)
downloadlabitat-ansible-30671c89460abef279679f23be59f5a0d0df7d20.tar.gz
labitat-ansible-30671c89460abef279679f23be59f5a0d0df7d20.tar.xz
labitat-ansible-30671c89460abef279679f23be59f5a0d0df7d20.zip
space_server: radius: update radiusd.conf
-rw-r--r--roles/space_server/files/radius/radiusd.conf184
1 files changed, 149 insertions, 35 deletions
diff --git a/roles/space_server/files/radius/radiusd.conf b/roles/space_server/files/radius/radiusd.conf
index b345830..921e009 100644
--- a/roles/space_server/files/radius/radiusd.conf
+++ b/roles/space_server/files/radius/radiusd.conf
@@ -1,17 +1,41 @@
# -*- text -*-
##
-## radiusd.conf -- FreeRADIUS server configuration file - 3.0.15
+## radiusd.conf -- FreeRADIUS server configuration file - 3.0.21
##
## http://www.freeradius.org/
-## $Id: a83c1f6874e69df8692ebce57174bf0dd52fd502 $
+## $Id: e8aee3c00193127177cd65e31156c1d0f4b124d3 $
##
######################################################################
#
-# Read "man radiusd" before editing this file. See the section
-# titled DEBUGGING. It outlines a method where you can quickly
-# obtain the configuration you want, without running into
-# trouble.
+# The format of this (and other) configuration file is
+# documented in "man unlang". There are also READMEs in many
+# subdirectories:
+#
+# raddb/README.rst
+# How to upgrade from v2.
+#
+# raddb/mods-available/README.rst
+# How to use mods-available / mods-enabled.
+# All of the modules are in individual files,
+# along with configuration items and full documentation.
+#
+# raddb/sites-available/README
+# virtual servers, "listen" sections, clients, etc.
+# The "sites-available" directory contains many
+# worked examples of common configurations.
+#
+# raddb/certs/README
+# How to create certificates for EAP or RadSec.
+#
+# Every configuration item in the server is documented
+# extensively in the comments in the example configuration
+# files.
+#
+# Before editing this (or any other) configuration file, PLEASE
+# read "man radiusd". See the section titled DEBUGGING. It
+# outlines a method where you can quickly create the
+# configuration you want, with minimal effort.
#
# Run the server in debugging mode, and READ the output.
#
@@ -26,30 +50,36 @@
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
+# More documentation on "radiusd -X" is available on the wiki:
+# https://wiki.freeradius.org/radiusd-X
+#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".
-
-######################################################################
#
-# The location of other config files and logfiles are declared
-# in this file.
+# Guidelines for posting to the mailing list are on the wiki:
+# https://wiki.freeradius.org/list-help
+#
+# Please read those guidelines before posting to the list.
#
-# Also general configuration for modules can be done in this
-# file, it is exported through the API to modules that ask for
-# it.
+# Further documentation is available in the "doc" directory
+# of the server distribution, or on the wiki at:
+# https://wiki.freeradius.org/
#
-# See "man radiusd.conf" for documentation on the format of this
-# file. Note that the individual configuration items are NOT
-# documented in that "man" page. They are only documented here,
-# in the comments.
+# New users to RADIUS should read the Technical Guide. That guide
+# explains how RADIUS works, how FreeRADIUS works, and what each
+# part of a RADIUS system does. It is not just "configure FreeRADIUS"!
+# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
#
-# The "unlang" policy language can be used to create complex
-# if / else policies. See "man unlang" for details.
+# More documentation on dictionaries, modules, unlang, etc. is also
+# available on the Network RADIUS web site:
+# https://networkradius.com/freeradius-documentation/
#
+######################################################################
+
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
@@ -207,7 +237,7 @@ max_request_time = 30
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
-# Useful range of values: 2 to 10
+# Useful range of values: 2 to 30
#
cleanup_delay = 5
@@ -297,12 +327,31 @@ log {
#
stripped_names = no
- # Log authentication requests to the log file.
+ # Log all (accept and reject) authentication results to the log file.
+ #
+ # This is the same as setting "auth_accept = yes" and
+ # "auth_reject = yes"
#
# allowed values: {no, yes}
#
auth = yes
+ # Log Access-Accept results to the log file.
+ #
+ # This is only used if "auth = no"
+ #
+ # allowed values: {no, yes}
+ #
+# auth_accept = no
+
+ # Log Access-Reject results to the log file.
+ #
+ # This is only used if "auth = no"
+ #
+ # allowed values: {no, yes}
+ #
+# auth_reject = no
+
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
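Review bot: The new comment above `auth = yes` makes explicit that every Access-Accept and Access-Reject is now written to the log file, so that file carries a full record of who authenticated (typically the User-Name and source client) and should be treated as sensitive — readable only by root and the radiusd user. The `auth_badpass` / `auth_goodpass` keys whose description starts at the bottom of the hunk continue outside it; confirm both remain `no`, otherwise rejected or correct passwords land in the same log. I would add above `auth = yes`: `# Logs a line per accept/reject (includes User-Name); keep auth_badpass/auth_goodpass = no so cleartext passwords are never written.` The enclosing `log { }` section starts before this hunk.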
@@ -332,6 +381,60 @@ log {
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
+#
+# ENVIRONMENT VARIABLES
+#
+# You can reference environment variables using an expansion like
+# `$ENV{PATH}`. However it is sometimes useful to be able to also set
+# environment variables. This section lets you do that.
+#
+# The main purpose of this section is to allow administrators to keep
+# RADIUS-specific configuration in the RADIUS configuration files.
+# For example, if you need to set an environment variable which is
+# used by a module. You could put that variable into a shell script,
+# but that's awkward. Instead, just list it here.
+#
+# Note that these environment variables are set AFTER the
+# configuration file is loaded. So you cannot set FOO here, and
+# expect to reference it via `$ENV{FOO}` in another configuration file.
+# You should instead just use a normal configuration variable for
+# that.
+#
+ENV {
+ #
+ # Set environment varable `FOO` to value '/bar/baz'.
+ #
+ # NOTE: Note that you MUST use '='. You CANNOT use '+=' to append
+ # values.
+ #
+# FOO = '/bar/baz'
+
+ #
+ # Delete environment variable `BAR`.
+ #
+# BAR
+
+ #
+ # `LD_PRELOAD` is special. It is normally set before the
+ # application runs, and is interpreted by the dynamic linker.
+ # Which means you cannot set it inside of an application, and
+ # expect it to load libraries.
+ #
+ # Since this functionality is useful, we extend it here.
+ #
+ # You can set
+ #
+ # LD_PRELOAD = /path/to/library.so
+ #
+ # and the server will load the named libraries. Multiple
+ # libraries can be loaded by specificing multiple individual
+ # `LD_PRELOAD` entries.
+ #
+ #
+# LD_PRELOAD = /path/to/library1.so
+# LD_PRELOAD = /path/to/library2.so
+}
+
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
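Review bot: The new `ENV { }` section allows this file to load arbitrary shared objects into the radiusd process via `LD_PRELOAD = /path/to/library.so`; both example entries are commented out, so nothing is loaded here, but write access to radiusd.conf now equates to code execution with radiusd's privileges. The Ansible task that installs this file is outside the diff, so I can only infer its permissions — it should enforce root ownership and a non-world-writable mode, and the block should stay empty unless a module documents needing a variable. I would state that intent inside the block: `# Deliberately empty: do not set LD_PRELOAD here; any library listed is loaded into radiusd with its privileges.` While here, two typos in the vendored comments could be fixed (`varable` in the FOO example, `specificing` in the LD_PRELOAD text).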
@@ -541,7 +644,7 @@ thread pool {
#
# For more information, see 'max_request_time', above.
#
- max_servers = 32
+ max_servers = 8
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
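Review bot: `max_servers = 8` caps request handling at eight worker threads, down from 32, with no comment recording why; a burst of slow requests (for example EAP exchanges waiting on a backend) then queues everything behind them, which reduces tolerance to floods against the space server. `start_servers`, `min_spare_servers` and `max_spare_servers` are outside the hunk; confirm none of them exceeds 8, since a spare-thread ceiling above `max_servers` is inconsistent with the new cap and may be rejected or silently clamped at startup. A one-line comment such as `# Small site: 8 threads suffices and keeps memory use low` would make the intent explicit. The enclosing `thread pool { }` section starts before this hunk.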
@@ -575,12 +678,8 @@ thread pool {
#
# max_queue_size = 65536
- # There may be memory leaks or resource allocation problems with
- # the server. If so, set this value to 300 or so, so that the
- # resources will be cleaned up periodically.
- #
- # This should only be necessary if there are serious bugs in the
- # server which have not yet been fixed.
+ # Clean up old threads periodically. For no reason other than
+ # it might be useful.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
@@ -647,6 +746,21 @@ modules {
#
#
+ # Some modules have ordering issues. e.g. "sqlippool" uses
+ # the configuration from "sql". In that case, the "sql"
+ # module must be read off of disk before the "sqlippool".
+ # However, the directory inclusion below just reads the
+ # directory from start to finish. Which means that the
+ # modules are read off of disk randomly.
+ #
+ # As of 3.0.18, you can list individual modules *before* the
+ # directory inclusion. Those modules will be loaded first.
+ # Then, when the directory is read, those modules will be
+ # skipped and not read twice.
+ #
+# $INCLUDE mods-enabled/sql
+
+ #
# As of 3.0, modules are in mods-enabled/. Files matching
# the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
# initialized ONLY if they are referenced in a processing
@@ -658,14 +772,14 @@ modules {
# Instantiation
#
-# This section orders the loading of the modules. Modules
-# listed here will get loaded BEFORE the later sections like
-# authorize, authenticate, etc. get examined.
+# This section sets the instantiation order of the modules. listed
+# here will get started up BEFORE the sections like authorize,
+# authenticate, etc. get examined.
#
-# This section is not strictly needed. When a section like
-# authorize refers to a module, it's automatically loaded and
-# initialized. However, some modules may not be listed in any
-# of the following sections, so they can be listed here.
+# This section is not strictly needed. When a section like authorize
+# refers to a module, the module is automatically loaded and
+# initialized. However, some modules may not be listed in any of the
+# processing sections, so they should be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs