aboutsummaryrefslogtreecommitdiffstats
path: root/roles/space_server
diff options
context:
space:
mode:
Diffstat (limited to 'roles/space_server')
-rw-r--r--roles/space_server/files/radius/radiusd.conf184
1 files changed, 149 insertions, 35 deletions
diff --git a/roles/space_server/files/radius/radiusd.conf b/roles/space_server/files/radius/radiusd.conf
index b345830..921e009 100644
--- a/roles/space_server/files/radius/radiusd.conf
+++ b/roles/space_server/files/radius/radiusd.conf
@@ -1,17 +1,41 @@
# -*- text -*-
##
-## radiusd.conf -- FreeRADIUS server configuration file - 3.0.15
+## radiusd.conf -- FreeRADIUS server configuration file - 3.0.21
##
## http://www.freeradius.org/
-## $Id: a83c1f6874e69df8692ebce57174bf0dd52fd502 $
+## $Id: e8aee3c00193127177cd65e31156c1d0f4b124d3 $
##
######################################################################
#
-# Read "man radiusd" before editing this file. See the section
-# titled DEBUGGING. It outlines a method where you can quickly
-# obtain the configuration you want, without running into
-# trouble.
+# The format of this (and other) configuration file is
+# documented in "man unlang". There are also READMEs in many
+# subdirectories:
+#
+# raddb/README.rst
+# How to upgrade from v2.
+#
+# raddb/mods-available/README.rst
+# How to use mods-available / mods-enabled.
+# All of the modules are in individual files,
+# along with configuration items and full documentation.
+#
+# raddb/sites-available/README
+# virtual servers, "listen" sections, clients, etc.
+# The "sites-available" directory contains many
+# worked examples of common configurations.
+#
+# raddb/certs/README
+# How to create certificates for EAP or RadSec.
+#
+# Every configuration item in the server is documented
+# extensively in the comments in the example configuration
+# files.
+#
+# Before editing this (or any other) configuration file, PLEASE
+# read "man radiusd". See the section titled DEBUGGING. It
+# outlines a method where you can quickly create the
+# configuration you want, with minimal effort.
#
# Run the server in debugging mode, and READ the output.
#
@@ -26,30 +50,36 @@
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
+# More documentation on "radiusd -X" is available on the wiki:
+# https://wiki.freeradius.org/radiusd-X
+#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".
-
-######################################################################
#
-# The location of other config files and logfiles are declared
-# in this file.
+# Guidelines for posting to the mailing list are on the wiki:
+# https://wiki.freeradius.org/list-help
+#
+# Please read those guidelines before posting to the list.
#
-# Also general configuration for modules can be done in this
-# file, it is exported through the API to modules that ask for
-# it.
+# Further documentation is available in the "doc" directory
+# of the server distribution, or on the wiki at:
+# https://wiki.freeradius.org/
#
-# See "man radiusd.conf" for documentation on the format of this
-# file. Note that the individual configuration items are NOT
-# documented in that "man" page. They are only documented here,
-# in the comments.
+# New users to RADIUS should read the Technical Guide. That guide
+# explains how RADIUS works, how FreeRADIUS works, and what each
+# part of a RADIUS system does. It is not just "configure FreeRADIUS"!
+# https://networkradius.com/doc/FreeRADIUS-Technical-Guide.pdf
#
-# The "unlang" policy language can be used to create complex
-# if / else policies. See "man unlang" for details.
+# More documentation on dictionaries, modules, unlang, etc. is also
+# available on the Network RADIUS web site:
+# https://networkradius.com/freeradius-documentation/
#
+######################################################################
+
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
@@ -207,7 +237,7 @@ max_request_time = 30
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
-# Useful range of values: 2 to 10
+# Useful range of values: 2 to 30
#
cleanup_delay = 5
@@ -297,12 +327,31 @@ log {
#
stripped_names = no
- # Log authentication requests to the log file.
+ # Log all (accept and reject) authentication results to the log file.
+ #
+ # This is the same as setting "auth_accept = yes" and
+ # "auth_reject = yes"
#
# allowed values: {no, yes}
#
auth = yes
+ # Log Access-Accept results to the log file.
+ #
+ # This is only used if "auth = no"
+ #
+ # allowed values: {no, yes}
+ #
+# auth_accept = no
+
+ # Log Access-Reject results to the log file.
+ #
+ # This is only used if "auth = no"
+ #
+ # allowed values: {no, yes}
+ #
+# auth_reject = no
+
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
@@ -332,6 +381,60 @@ log {
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
+#
+# ENVIRONMENT VARIABLES
+#
+# You can reference environment variables using an expansion like
+# `$ENV{PATH}`. However it is sometimes useful to be able to also set
+# environment variables. This section lets you do that.
+#
+# The main purpose of this section is to allow administrators to keep
+# RADIUS-specific configuration in the RADIUS configuration files.
+# For example, if you need to set an environment variable which is
+# used by a module. You could put that variable into a shell script,
+# but that's awkward. Instead, just list it here.
+#
+# Note that these environment variables are set AFTER the
+# configuration file is loaded. So you cannot set FOO here, and
+# expect to reference it via `$ENV{FOO}` in another configuration file.
+# You should instead just use a normal configuration variable for
+# that.
+#
+ENV {
+ #
+ # Set environment varable `FOO` to value '/bar/baz'.
+ #
+ # NOTE: Note that you MUST use '='. You CANNOT use '+=' to append
+ # values.
+ #
+# FOO = '/bar/baz'
+
+ #
+ # Delete environment variable `BAR`.
+ #
+# BAR
+
+ #
+ # `LD_PRELOAD` is special. It is normally set before the
+ # application runs, and is interpreted by the dynamic linker.
+ # Which means you cannot set it inside of an application, and
+ # expect it to load libraries.
+ #
+ # Since this functionality is useful, we extend it here.
+ #
+ # You can set
+ #
+ # LD_PRELOAD = /path/to/library.so
+ #
+ # and the server will load the named libraries. Multiple
+ # libraries can be loaded by specificing multiple individual
+ # `LD_PRELOAD` entries.
+ #
+ #
+# LD_PRELOAD = /path/to/library1.so
+# LD_PRELOAD = /path/to/library2.so
+}
+
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking on the server. This
@@ -541,7 +644,7 @@ thread pool {
#
# For more information, see 'max_request_time', above.
#
- max_servers = 32
+ max_servers = 8
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
@@ -575,12 +678,8 @@ thread pool {
#
# max_queue_size = 65536
- # There may be memory leaks or resource allocation problems with
- # the server. If so, set this value to 300 or so, so that the
- # resources will be cleaned up periodically.
- #
- # This should only be necessary if there are serious bugs in the
- # server which have not yet been fixed.
+ # Clean up old threads periodically. For no reason other than
+ # it might be useful.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
@@ -647,6 +746,21 @@ modules {
#
#
+ # Some modules have ordering issues. e.g. "sqlippool" uses
+ # the configuration from "sql". In that case, the "sql"
+ # module must be read off of disk before the "sqlippool".
+ # However, the directory inclusion below just reads the
+ # directory from start to finish. Which means that the
+ # modules are read off of disk randomly.
+ #
+ # As of 3.0.18, you can list individual modules *before* the
+ # directory inclusion. Those modules will be loaded first.
+ # Then, when the directory is read, those modules will be
+ # skipped and not read twice.
+ #
+# $INCLUDE mods-enabled/sql
+
+ #
# As of 3.0, modules are in mods-enabled/. Files matching
# the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are
# initialized ONLY if they are referenced in a processing
@@ -658,14 +772,14 @@ modules {
# Instantiation
#
-# This section orders the loading of the modules. Modules
-# listed here will get loaded BEFORE the later sections like
-# authorize, authenticate, etc. get examined.
+# This section sets the instantiation order of the modules. listed
+# here will get started up BEFORE the sections like authorize,
+# authenticate, etc. get examined.
#
-# This section is not strictly needed. When a section like
-# authorize refers to a module, it's automatically loaded and
-# initialized. However, some modules may not be listed in any
-# of the following sections, so they can be listed here.
+# This section is not strictly needed. When a section like authorize
+# refers to a module, the module is automatically loaded and
+# initialized. However, some modules may not be listed in any of the
+# processing sections, so they should be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs