diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..570291c --- /dev/null +++ b/debian/changelog @@ -0,0 +1,5 @@ +uauth (0.0.1-1) unstable; urgency=low + + * source package automatically created by stdeb 0.8.2 + + -- Serghei Mihai Tue, 24 Mar 2015 00:42:56 +0100 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..c85ef13 --- /dev/null +++ b/debian/control @@ -0,0 +1,26 @@ +Source: uauth +Maintainer: Serghei Mihai +Section: python +Priority: optional +Build-Depends: python-setuptools (>= 0.6b3), python-all (>= 2.6.6-3), debhelper (>= 9) +Standards-Version: 3.9.1 +X-Python-Version: >= 2.7 + +Package: python-uauth +Architecture: all +Depends: ${misc:Depends}, ${python:Depends}, + python-requests, + python-gadjo, python-ldap, + python-django (>=1.7), + python-unidecode, python-django-mellon, + python-django-tables2 +Description: Captive portal in the Cloud (Python-module) + +Package: u-auth +Architecture: all +Depends: ${misc:Depends}, + python-uauth (= ${binary:Version}), + gunicorn, slapd, freeradius-ldap, + ldapvi +Recommends: nginx, postgresql +Description: Captive potail in the Cloud diff --git a/debian/debian_config.py b/debian/debian_config.py new file mode 100644 index 0000000..8698793 --- /dev/null +++ b/debian/debian_config.py @@ -0,0 +1,26 @@ +# This file is sourced by "execfile" from u-auth.settings + +import os + +from django.conf import global_settings + +DEBUG = False +TEMPLATE_DEBUG = False + +PROJECT_NAME = 'u-auth' + +EMAIL_SUBJECT_PREFIX = '[%s] ' % PROJECT_NAME + +ETC_DIR = '/etc/%s' % PROJECT_NAME +VAR_DIR = '/var/lib/%s' % PROJECT_NAME + +# collecstatic destination +STATIC_ROOT = os.path.join(VAR_DIR, 'collectstatic') + +SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') + +METADATAS_DIR = os.path.join(VAR_DIR, 'metadatas') + +SECRET_KEY = file('/etc/%s/secret' % PROJECT_NAME).read() + +execfile(os.path.join(ETC_DIR, 'settings.py')) diff --git a/debian/lib/reset-slapd b/debian/lib/reset-slapd new file mode 100755 index 0000000..1e04f4a --- /dev/null +++ b/debian/lib/reset-slapd @@ -0,0 +1,80 @@ +#!/bin/sh +# initial configuration of slapd + +set -e + +LDIFDIR=/usr/share/u-auth +SERVICE="/usr/sbin/service slapd" + +echo "" +echo " *************" +echo " * * La configuration et toutes les données" +echo " * ATTENTION * de l'annuaire LDAP vont être définitivement" +echo " * * effacées. Avez-vous fait un backup ?" +echo " *************" + +echo "" +echo "Confirmez la MISE A ZÉRO COMPLÈTE de l'annuaire LDAP." +echo "" +echo -n "Tapez oui en toutes lettres : " +read ok +if [ "x$ok" != "xoui" ]; then + exit 3 +fi + +${SERVICE} stop || true + + +BACKUPDIR="/var/backup/reset-ldap-`date +%Y%m%dT%H:%M:%S`" +mkdir -p "$BACKUPDIR" +echo Old configuration saved in $BACKUPDIR +cp -R /var/lib/ldap /etc/ldap/slapd.d/ "$BACKUPDIR" + +echo -n "Effacement de la configuration" +rm -rf /etc/ldap/slapd.d/* +echo -n " et des données .." +rm -rf /var/lib/ldap/* +echo "ok" + +if ! grep "^\s*profile\s\+config\s*$" /etc/ldapvi.conf > /dev/null 2>&1; then + echo "(ajout du 'profile config' dans /etc/ldapvi.conf)" + cat << EOLDAPVI >> /etc/ldapvi.conf + +profile config +host: ldapi:// +sasl-mech: EXTERNAL +base: cn=config + +EOLDAPVI +fi + + + +mkdir /var/lib/ldap/config-accesslog/ + +echo "Installation de la nouvelle configuration .. " +slapadd -n0 -F/etc/ldap/slapd.d -l${LDIFDIR}/config.ldif +echo "ok" + +echo "Installation des schémas .. " +slapadd -n0 -F/etc/ldap/slapd.d -l/etc/ldap/schema/core.ldif +slapadd -n0 -F/etc/ldap/slapd.d -l/etc/ldap/schema/cosine.ldif +slapadd -n0 -F/etc/ldap/slapd.d -l/etc/ldap/schema/inetorgperson.ldif +echo "ok" + +chown -R openldap:openldap /etc/ldap/slapd.d /var/lib/ldap + +if [ ! -s /etc/ldap/ssl/slapd.pem -o ! -s /etc/ldap/ssl/slapd.key ]; then + echo "Pose de certificats SSL par défaut (invalides)" + mkdir -p /etc/ldap/ssl + cp -v ${LDIFDIR}/ssl.pem /etc/ldap/ssl/slapd.pem + cp -v ${LDIFDIR}/ssl.key /etc/ldap/ssl/slapd.key + chown -R root:openldap /etc/ldap/ssl + chmod 0755 /etc/ldap/ssl + chmod 0644 /etc/ldap/ssl/slapd.pem + chmod 0640 /etc/ldap/ssl/slapd.key + echo "ok" +fi + +${SERVICE} start + diff --git a/debian/lib/reset-slapd.help b/debian/lib/reset-slapd.help new file mode 100644 index 0000000..4838a6d --- /dev/null +++ b/debian/lib/reset-slapd.help @@ -0,0 +1,4 @@ +mise à zéro complète + +Attention, cela efface complétement la configuration et +les données actuelles du serveur LDAP (slapd). diff --git a/debian/lib/setup-radius b/debian/lib/setup-radius new file mode 100755 index 0000000..d747156 --- /dev/null +++ b/debian/lib/setup-radius @@ -0,0 +1,18 @@ +#!/bin/sh +# Do initial configuration of freeradius + +set -e + +CONF_DIR = '/etc/freeradius' +BASEDIR=`dirname $0` + +service freeradius stop + +cp "$CONF_DIR/sites-available/default" "$CONF_DIR/sites-available/default.backup" +cp "$BASEDIR/radius-default.conf" "$CONF_DIR/sites-available/default" + +service freeradius start + + + + diff --git a/debian/lib/setup-radius.help b/debian/lib/setup-radius.help new file mode 100644 index 0000000..08723c7 --- /dev/null +++ b/debian/lib/setup-radius.help @@ -0,0 +1 @@ +activation et parametrage du module ldap dans radius \ No newline at end of file diff --git a/debian/lib/setup-slapd b/debian/lib/setup-slapd new file mode 100755 index 0000000..a66f399 --- /dev/null +++ b/debian/lib/setup-slapd @@ -0,0 +1,309 @@ +#!/bin/sh +# Do initial configuration of slapd + +set -e + +LDIFDIR=/usr/share/u-auth + +BACKUPDIR="/var/backup/reset-ldap-`date +%Y%m%dT%H:%M:%S`" +mkdir -p "$BACKUPDIR" +echo Old configuration saved in $BACKUPDIR +cp -R /var/lib/ldap /etc/ldap/slapd.d/ "$BACKUPDIR" +rm -rf /var/lib/ldap/* +mkdir /var/lib/ldap/config-accesslog/ + +echo Load overlay modules, configure auditlog for cn=config +slapadd -n0 -F/etc/ldap/slapd.d -l${LDIFDIR}/radius.ldif + +echo "Suffixe de la base à créer (exemple : dc=univ-psl,dc=fr) :" +echo -n "-> " +read SUFFIX +echo + +if [ -d "/var/lib/ldap/$SUFFIX" ]; then + echo "ERR: le répertoire '/var/lib/ldap/$SUFFIX' existe déjà" >&2 + exit 1 +fi + +if ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config olcSuffix=$SUFFIX 2>/dev/null | grep -q '^result: [1-9]'; then + echo "ERR: le suffixe $SUFFIX existe déjà" >&2 + exit 2 +fi + +echo "Choisir un mot de passe administrateur (uid=admin,ou=people,$SUFFIX) :" +echo -n "-> " +stty -echo +read PASSWORD +stty echo +echo +echo "Une nouvelle fois :" +echo -n "-> " +stty -echo +read PASSWORD2 +stty echo +echo +if [ x"$PASSWORD" != x"$PASSWORD2" ]; then + echo "ERR: mots de passe différents" >&2 + exit 3 +fi +echo + +echo "Nom de l'organisation (ou=...) :" +echo "uniquement des majuscules, sans accent" +echo "Exemple: ENS" +echo -n "-> " +read ORGANIZATION +echo + + +echo "Récapitulatif :" +echo " Suffixe : $SUFFIX" +echo " Nom : $ORGANIZATION" +echo "DN établissement : ou=$ORGANIZATION,$SUFFIX" +echo +echo "Créer cette base ? (taper oui)" +echo -n "-> " +read OK +echo + +if [ "x$OK" != "xoui" ]; then + exit 4 +fi + +DC=`echo $SUFFIX | sed 's/dc=\([^,]*\).*/\1/'` + +DBDIR=/var/lib/ldap/$SUFFIX +DBACCESSLOGDIR=/var/lib/ldap/$SUFFIX/accesslog/ + +mkdir -p "$DBDIR" "$DBACCESSLOGDIR" + +chown -R openldap:openldap /etc/ldap/slapd.d /var/lib/ldap + +LDIF=`tempfile --prefix=newdb --suffix=.ldif` +cat << EOF > $LDIF +# LDAPVI syntax +add olcDatabase={1}mdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMdbConfig +olcDatabase: {1}mdb +olcSuffix: $SUFFIX +olcDbDirectory: /var/lib/ldap/$SUFFIX/ +olcRootDN: uid=admin,ou=people,$SUFFIX +olcRootPW: $PASSWORD +olcLastMod: TRUE +olcAddContentACL: FALSE +olcMonitoring: TRUE +olcSyncUseSubentry: FALSE +olcMaxDerefDepth: 0 +olcLimits: {0}dn.exact="uid=admin,ou=people,$SUFFIX" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited +olcLimits: {1}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited +olcReadOnly: FALSE +# Index +olcDbIndex: objectClass,member,owner eq +olcDbIndex: mail,givenName,uid,cn,sn,displayName pres,eq,approx,sub +# Accès super-utilisateur +olcAccess: {0}to * + by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage + by group.exact="cn=admin,ou=groups,$SUFFIX" manage + by * break +# Branche people +olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword,labeledURI + by self write + by * break +# Les accès aux autres attributs utilisateurs +olcAccess: {2}to dn.one="ou=people,$SUFFIX" + by users read + by anonymous auth + by * none +# Branche groups +# Le propriétaire du groupe +olcAccess: {3}to dn.one="ou=groups,$SUFFIX" + by set="this/owner & user" manage + by * break +# Les utilisateurs en général sur les attributs descriptifs +olcAccess: {4}to dn.one="ou=groups,$SUFFIX" attrs=cn,description,owner + by users read + by * break + +# Create accesslog DIT +add olcDatabase={1}mdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMdbConfig +olcSuffix: cn=accesslog,$SUFFIX +olcDbDirectory: /var/lib/ldap/$SUFFIX/accesslog/ +olcAccess: {0}to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by group=cn=admin,ou=groupes,$SUFFIX manage + by * break + +add olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcSyncProvConfig +olcOverlay: {0}syncprov +olcSpCheckpoint: 100 10 +olcSpSessionlog: 100 + +# Log all writes to the db +add olcOverlay={1}accesslog,olcDatabase={2}mdb,cn=config +objectClass: olcAccesslogConfig +objectClass: olcOverlayConfig +objectClass: olcConfig +objectClass: top +olcOverlay: {1}accesslog +olcAccessLogDB: cn=accesslog,$SUFFIX +olcAccessLogOps: writes +# log are conserved one year and purged every day +olcAccessLogPurge: 365+00:00 1+00:00 +# Keep a copy of everything +olcAccessLogOld: objectClass=* + +add olcOverlay={2}refint,olcDatabase={2}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcRefintConfig +olcOverlay: {2}refint +olcRefintAttribute: member +olcRefintNothing: $SUFFIX + +add olcOverlay={3}constraint,olcDatabase={2}mdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcConstraintConfig +olcOverlay: {3}constraint +# un seul cn pour les utilisateurs +olcConstraintAttribute: cn count 1 restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)" +#olcConstraintAttribute: cn regex "^[-A-Z' ]*$" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)" +olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///ou=groups,$SUFFIX??sub?(objectClass=*)" +olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///$SUFFIX??base?(objectClass=*)" +olcConstraintAttribute: dc regex "^[a-z0-9-]*$" +olcConstraintAttribute: mail count 1 +olcConstraintAttribute: mail + regex "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$" +# olcConstraintAttribute: mailForwardingAddress + regex "^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}|[a-zA-Z0-9]+)$" # mail ou uid + +add $SUFFIX +objectClass: organization +objectClass: dcObject +dc: $DC +o: $ORGANIZATION + +add ou=people,$SUFFIX +objectClass: organizationalUnit +ou: people + +add uid=admin,ou=people,$SUFFIX +objectClass: inetOrgPerson +uid: admin +cn: Administrateur annuaire +displayName: Administrateur annuaire +givenName: Administrateur +sn: annuaire +userPassword: $PASSWORD + +add ou=$ORGANIZATION,$SUFFIX +objectClass: organizationalUnit +ou: $ORGANIZATION + +EOF + + +echo "Chargement de la définition de la nouvelle base annuaire ($LDIF) :" +ldapvi --verbose --profile config --ldapmodify --ldapvi --add $LDIF +# slapadd -n0 -F/etc/ldap/slapd.d -l${LDIF} +echo "OK" + +chown -R openldap.openldap /etc/ldap/slapd.d /var/lib/ldap + +LDAP_SETUP=`tempfile --prefix=ldap --suffix=.conf` +cat << EOF > $LDAP_SETUP +ldap { + # + # Note that this needs to match the name in the LDAP + # server certificate, if you're using ldaps. + server = "localhost" + identity = "uid=admin,ou=people,$SUFFIX" + password = "$PASSWORD" + basedn = "$ORGANIZATION,$SUFFIX" + filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" + #base_filter = "(objectclass=radiusprofile)" + + ldap_connections_number = 5 + + # How many times the connection can be used before + # being re-established. This is useful for things + # like load balancers, which may exhibit sticky + # behaviour without it. (0) is unlimited. + max_uses = 0 + + # Port to connect on, defaults to 389. Setting this to + # 636 will enable LDAPS if start_tls (see below) is not + # able to be used. + #port = 389 + + # seconds to wait for LDAP query to finish. default: 20 + timeout = 4 + + # seconds LDAP server has to process the query (server-side + # time limit). default: 20 + # + # LDAP_OPT_TIMELIMIT is set to this value. + timelimit = 3 + + # + # seconds to wait for response of the server. (network + # failures) default: 10 + # + # LDAP_OPT_NETWORK_TIMEOUT is set to this value. + net_timeout = 1 + + # Mapping of RADIUS dictionary attributes to LDAP + # directory attributes. + dictionary_mapping = ${confdir}/ldap.attrmap + + # Un-comment the following to disable Novell + # eDirectory account policy check and intruder + # detection. This will work *only if* FreeRADIUS is + # configured to build with --with-edir option. + # + edir_account_policy_check = no + + # By default, if the packet contains a User-Password, + # and no other module is configured to handle the + # authentication, the LDAP module sets itself to do + # LDAP bind for authentication. + # + # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. + # + # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). + # + # You can disable this behavior by setting the following + # configuration entry to "no". + # + # allowed values: {no, yes} + # set_auth_type = yes + + + # Keepalive configuration. This MAY NOT be supported by your + # LDAP library. If these configuration entries appear in the + # output of "radiusd -X", then they are supported. Otherwise, + # they are unsupported, and changing them will do nothing. + # + keepalive { + # LDAP_OPT_X_KEEPALIVE_IDLE + idle = 60 + + # LDAP_OPT_X_KEEPALIVE_PROBES + probes = 3 + + # LDAP_OPT_X_KEEPALIVE_INTERVAL + interval = 3 + } +} +EOF + + +service freeradius stop + +cp /etc/freeradius/modules/ldap /etc/freeradius/modules/ldap.backup +mv $LDAP_SETUP /etc/freeradius/modules/ldap + +service freeradius start diff --git a/debian/lib/setup-slapd.help b/debian/lib/setup-slapd.help new file mode 100644 index 0000000..1ec6b46 --- /dev/null +++ b/debian/lib/setup-slapd.help @@ -0,0 +1,3 @@ +création d'une nouvelle base, avec un nouveau suffixe + +Paramètrage de freeradius pour la connexion à cette base \ No newline at end of file diff --git a/debian/lib/u-auth b/debian/lib/u-auth new file mode 100755 index 0000000..9638b6d --- /dev/null +++ b/debian/lib/u-auth @@ -0,0 +1,46 @@ +#!/bin/sh + +ME=`basename $0` +COMMANDDIR=`dirname $0`/lib +test -d ${COMMANDDIR} || COMMANDDIR=/usr/lib/`basename $0` + +help() { + msg="$1" + test -n "$msg" && echo $msg + echo "syntaxe: $ME commande ..." + echo "" + echo "commandes disponibles:" + echo " help cette aide" + for fcom in $COMMANDDIR/*.help + do + com=`basename $fcom .help` + descr=`head -1 $fcom` + echo " "$com" "$descr + done + test -n "$msg" && exit 1 + exit 0 +} + +helpcmd() { + command=$1 + xcommand=$COMMANDDIR/$command + test -x $xcommand || help "ERR: commande inconnue ($command)" + echo "$ME $command" + cat $xcommand.help +} + +command=$1 +test -z $command && help "ERR: commande manquante" +shift + +case $command in + help) + test -z "$1" && help + helpcmd $1 + ;; + *) + xcommand=$COMMANDDIR/$command + test -x $xcommand || help "ERR: commande inconnue ($command)" + $xcommand "$@" + ;; +esac diff --git a/debian/nginx-example.conf b/debian/nginx-example.conf new file mode 100644 index 0000000..37a51a8 --- /dev/null +++ b/debian/nginx-example.conf @@ -0,0 +1,58 @@ +server { + listen 443; + server_name u-auth.example.org; + + ssl on; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + access_log /var/log/nginx/u-auth.example.org-access.log combined; + error_log /var/log/nginx/u-auth.example.org-error.log; + + location ~ ^/static/(.+)$ { + root /; + try_files /var/lib/u-auth/static/$1 + /var/lib/u-auth/collectstatic/$1 + =404; + } + + location ~ ^/media/(.+)$ { + alias /var/lib/u-auth/media/$1; + } + + location / { + proxy_pass http://unix:/var/run/u-auth/u-auth.sock; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-SSL on; + proxy_set_header X-Forwarded-Protocol ssl; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +} + +server { + listen 80; + server_name u-auth.example.org; + + access_log /var/log/nginx/u-auth.example.org-access.log combined; + error_log /var/log/nginx/u-auth.example.org-error.log; + + location ~ ^/static/(.+)$ { + root /; + try_files /var/lib/u-auth/static/$1 + /var/lib/u-auth/collectstatic/$1 + =404; + } + + location ~ ^/media/(.+)$ { + alias /var/lib/u-auth/media/$1; + } + + location / { + proxy_pass http://unix:/var/run/u-auth/u-auth.sock; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +} \ No newline at end of file diff --git a/debian/python-uauth.dirs b/debian/python-uauth.dirs new file mode 100644 index 0000000..a08cbbc --- /dev/null +++ b/debian/python-uauth.dirs @@ -0,0 +1 @@ +/usr/lib/u-auth diff --git a/debian/python-uauth.docs b/debian/python-uauth.docs new file mode 100644 index 0000000..ccea8df --- /dev/null +++ b/debian/python-uauth.docs @@ -0,0 +1,2 @@ +COPYING +README \ No newline at end of file diff --git a/debian/python-uauth.install b/debian/python-uauth.install new file mode 100644 index 0000000..dfc926c --- /dev/null +++ b/debian/python-uauth.install @@ -0,0 +1,2 @@ +usr/bin/manage.py /usr/lib/u-auth +usr/lib/python2*/*-packages diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..263a654 --- /dev/null +++ b/debian/rules @@ -0,0 +1,7 @@ +#!/usr/bin/make -f + +# This file was automatically generated by stdeb 0.8.2 at +# Tue, 24 Mar 2015 00:42:56 +0100 +%: + dh $@ --with python2 + diff --git a/debian/settings.py b/debian/settings.py new file mode 100644 index 0000000..c44906e --- /dev/null +++ b/debian/settings.py @@ -0,0 +1,17 @@ +DEBUG = False +TEMPLATE_DEBUG = False + +ALLOWED_HOSTS = [ + '*', +] + +LANGUAGE_CODE = 'fr-fr' +TIME_ZONE = 'Europe/Paris' + +# LDAP_CONF = { +# 'url': 'ldap://localhost', +# 'bind_dn': 'cn=admin,dc=dev,dc=entrouvert,dc=org', +# 'options': {}, +# 'bind_passwd': 'changeme', +# 'dn': 'ou=users,dc=dev,dc=entrouvert,dc=org', +# } diff --git a/debian/share/config.ldif b/debian/share/config.ldif new file mode 100644 index 0000000..3b9995f --- /dev/null +++ b/debian/share/config.ldif @@ -0,0 +1,76 @@ +dn: cn=config +objectClass: olcGlobal +cn: config +olcArgsFile: /var/run/slapd/slapd.args +olcPidFile: /var/run/slapd/slapd.pid +olcToolThreads: 1 +olcLogLevel: none +olcServerId: 1 + +dn: cn=module{0},cn=config +objectClass: olcModuleList +cn: module{0} +olcModulePath: /usr/lib/ldap +olcModuleLoad: {0}back_hdb +olcModuleLoad: {1}back_monitor +olcModuleLoad: {2}back_mdb +olcModuleLoad: {3}accesslog +olcModuleLoad: {4}unique +olcModuleLoad: {5}refint +olcModuleLoad: {6}constraint +olcModuleLoad: {7}syncprov + +dn: cn=schema,cn=config +objectClass: olcSchemaConfig +cn: schema + +dn: olcDatabase={-1}frontend,cn=config +objectClass: olcDatabaseConfig +objectClass: olcFrontendConfig +olcDatabase: {-1}frontend +olcAccess: {0}to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by * break +olcAccess: {1}to dn.exact="" by * read +olcAccess: {2}to dn.base="cn=Subschema" by * read +olcSizeLimit: 500 + +dn: olcDatabase={0}config,cn=config +objectClass: olcDatabaseConfig +olcDatabase: {0}config +olcAccess: {0}to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by * break +olcRootDN: cn=admin,cn=config + +dn: olcDatabase={1}mdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMdbConfig +olcSuffix: cn=config-accesslog +olcDbDirectory: /var/lib/ldap/config-accesslog/ +# Allow reading accesslog only by root +olcAccess: {0}to * + by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read + by * break + +dn: olcDatabase={1}monitor,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMonitorConfig +olcDatabase: {1}monitor +# Allow reading monitoring only by root +olcAccess: {0}to * + by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read + by * break + +# Log all writes to the configuration +dn: olcOverlay={0}accesslog,olcDatabase={0}config,cn=config +objectClass: olcAccesslogConfig +objectClass: olcOverlayConfig +objectClass: olcConfig +objectClass: top +olcOverlay: {0}accesslog +olcAccessLogDB: cn=config-accesslog +olcAccessLogOps: writes +# log are conserved one year and purged every day +olcAccessLogPurge: 365+00:00 1+00:00 +olcAccessLogOld: objectClass=olcConfig diff --git a/debian/share/radius-default.conf b/debian/share/radius-default.conf new file mode 100644 index 0000000..11b22ba --- /dev/null +++ b/debian/share/radius-default.conf @@ -0,0 +1,605 @@ +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# Any changes made here should also be made to the "inner-tunnel" +# virtual server. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + + # + # Security settings. Take a User-Name, and do some simple + # checks on it, for spaces and other invalid characters. If + # it looks like the user is trying to play games, reject it. + # + # This should probably be enabled by default. + # + # See policy.conf for the definition of the filter_username policy. + # +# filter_username + + # + # The preprocess module takes care of sanitizing some bizarre + # attributes in the request, and turning them into attributes + # which are more standard. + # + # It takes care of processing the 'raddb/hints' and the + # 'raddb/huntgroups' files. + preprocess + + # + # If you want to have a log of authentication requests, + # un-comment the following line, and the 'detail auth_log' + # section, above. + auth_log + + ldap + + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. + mschap + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authenticate' section. + digest + + # + # The WiMAX specification says that the Calling-Station-Id + # is 6 octets of the MAC. This definition conflicts with + # RFC 3580, and all common RADIUS practices. Un-commenting + # the "wimax" module here means that it will fix the + # Calling-Station-Id attribute to the normal format as + # specified in RFC 3580 Section 3.21 +# wimax + + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +# IPASS + + # + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. + # + suffix +# ntdomain + + # + # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP + # authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # As of 2.0, the EAP module returns "ok" in the authorize stage + # for TTLS and PEAP. In 1.x, it never returned "ok" here, so + # this change is compatible with older configurations. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". + # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. + # + eap { + ok = return + } + + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # passwd module in radiusd.conf. + # +# unix + + # + # Read the 'users' file +# files + + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in sql.conf +# sql + + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'smbpasswd' module. +# smbpasswd + + exec + # + # The ldap module will set Auth-Type to LDAP if it has not + # already been set + + # + # Enforce daily limits on time spent logged in. +# daily + + # + # Use the checkval module +# checkval + + expiration + logintime + + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # + pap + + # + # If "status_server = yes", then Status-Server messages are passed + # through the following section, and ONLY the following section. + # This permits you to do DB queries, for example. If the modules + # listed here return "fail", then NO response is sent. + # +# Autz-Type Status-Server { +# +# } +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the apropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user (Auth-Type := Reject), +# or to or forcibly accept the user (Auth-Type := Accept). +# +# Note that Auth-Type := Accept will NOT work with EAP. +# +# Please do not put "unlang" configurations into the "authenticate" +# section. Put them in the "post-auth" section instead. That's what +# the post-auth section is for. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. + Auth-Type PAP { + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + mschap + } + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authorize' section. + digest + + # + # Pluggable Authentication Modules. +# pam + + # + # See 'man getpwent' for information on how the 'unix' + # module checks the users password. Note that packets + # containing CHAP-Password attributes CANNOT be authenticated + # against /etc/passwd! See the FAQ for details. + # + # For normal "crypt" authentication, the "pap" module should + # be used instead of the "unix" module. The "unix" module should + # be used for authentication ONLY for compatibility with legacy + # FreeRADIUS configurations. + # + unix + + # Uncomment it if you want to use ldap for authentication + # + # Note that this means "check plain-text password against + # the ldap database", which means that EAP won't work, + # as it does not supply a plain-text password. + Auth-Type LDAP { + ldap + } + + # + # Allow EAP authentication. + eap + + # + # The older configurations sent a number of attributes in + # Access-Challenge packets, which wasn't strictly correct. + # If you want to filter out these attributes, uncomment + # the following lines. + # +# Auth-Type eap { +# eap { +# handled = 1 +# } +# if (handled && (Response-Packet-Type == Access-Challenge)) { +# attr_filter.access_challenge.post-auth +# handled # override the "updated" code from attr_filter +# } +# } +} + + +# +# Pre-accounting. Decide which accounting type to use. +# +preacct { + preprocess + + # + # Session start times are *implied* in RADIUS. + # The NAS never sends a "start time". Instead, it sends + # a start packet, *possibly* with an Acct-Delay-Time. + # The server is supposed to conclude that the start time + # was "Acct-Delay-Time" seconds in the past. + # + # The code below creates an explicit start time, which can + # then be used in other modules. + # + # The start time is: NOW - delay - session_length + # + +# update request { +# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" +# } + + + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. + acct_unique + + # + # Look for IPASS-style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. + # + # Accounting requests are generally proxied to the same + # home server as authentication requests. +# IPASS + suffix +# ntdomain + + # + # Read the 'acct_users' file + files +} + +# +# Accounting. Log the accounting data. +# +accounting { + # + # Create a 'detail'ed log of the packets. + # Note that accounting requests which are proxied + # are also logged in the detail file. + detail +# daily + + # Update the wtmp file + # + # If you don't use "radlast", you can delete this line. +# unix + + # + # For Simultaneous-Use tracking. + # + # Due to packet losses in the network, the data here + # may be incorrect. There is little we can do about it. +# radutmp +# sradutmp + + # Return an address to the IP Pool when we see a stop record. +# main_pool + + # + # Log traffic to an SQL database. + # + # See "Accounting queries" in sql.conf +# sql + + # + # If you receive stop packets with zero session length, + # they will NOT be logged in the database. The SQL module + # will print a message (only in debugging mode), and will + # return "noop". + # + # You can ignore these packets by uncommenting the following + # three lines. Otherwise, the server will not respond to the + # accounting request, and the NAS will retransmit. + # +# if (noop) { +# ok +# } + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # Cisco VoIP specific bulk accounting +# pgsql-voip + + # For Exec-Program and Exec-Program-Wait + exec + + # Filter attributes from the accounting response. + attr_filter.accounting_response + + # + # See "Autz-Type Status-Server" for how this works. + # +# Acct-Type Status-Server { +# +# } +} + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { + radutmp + + # + # See "Simultaneous Use Checking Queries" in sql.conf +# sql +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +post-auth { + # Get an address from the IP Pool. +# main_pool + + # + # If you want to have a log of authentication replies, + # un-comment the following line, and the 'detail reply_log' + # section, above. +# reply_log + + # + # After authenticating the user, do another SQL query. + # + # See "Authentication Logging Queries" in sql.conf +# sql + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # + # Un-comment the following if you have set + # 'edir_account_policy_check = yes' in the ldap module sub-section of + # the 'modules' section. + # +# ldap + + # For Exec-Program and Exec-Program-Wait + exec + + # + # Calculate the various WiMAX keys. In order for this to work, + # you will need to define the WiMAX NAI, usually via + # + # update request { + # WiMAX-MN-NAI = "%{User-Name}" + # } + # + # If you want various keys to be calculated, you will need to + # update the reply with "template" values. The module will see + # this, and replace the template values with the correct ones + # taken from the cryptographic calculations. e.g. + # + # update reply { + # WiMAX-FA-RK-Key = 0x00 + # WiMAX-MSK = "%{EAP-MSK}" + # } + # + # You may want to delete the MS-MPPE-*-Keys from the reply, + # as some WiMAX clients behave badly when those attributes + # are included. See "raddb/modules/wimax", configuration + # entry "delete_mppe_keys" for more information. + # +# wimax + + # If there is a client certificate (EAP-TLS, sometimes PEAP + # and TTLS), then some attributes are filled out after the + # certificate verification has been performed. These fields + # MAY be available during the authentication, or they may be + # available only in the "post-auth" section. + # + # The first set of attributes contains information about the + # issuing certificate which is being used. The second + # contains information about the client certificate (if + # available). +# +# update reply { +# Reply-Message += "%{TLS-Cert-Serial}" +# Reply-Message += "%{TLS-Cert-Expiration}" +# Reply-Message += "%{TLS-Cert-Subject}" +# Reply-Message += "%{TLS-Cert-Issuer}" +# Reply-Message += "%{TLS-Cert-Common-Name}" +# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" +# +# Reply-Message += "%{TLS-Client-Cert-Serial}" +# Reply-Message += "%{TLS-Client-Cert-Expiration}" +# Reply-Message += "%{TLS-Client-Cert-Subject}" +# Reply-Message += "%{TLS-Client-Cert-Issuer}" +# Reply-Message += "%{TLS-Client-Cert-Common-Name}" +# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" +# } + + # MacSEC requires the use of EAP-Key-Name. However, we don't + # want to send it for all EAP sessions. Therefore, the EAP + # modules put required data into the EAP-Session-Id attribute. + # This attribute is never put into a request or reply packet. + # + # Uncomment the next few lines to copy the required data into + # the EAP-Key-Name attribute +# if (reply:EAP-Session-Id) { +# update reply { +# EAP-Key-Name := "%{reply:EAP-Session-Id}" +# } +# } + + # If the WiMAX module did it's work, you may want to do more + # things here, like delete the MS-MPPE-*-Key attributes. + # + # if (updated) { + # update reply { + # MS-MPPE-Recv-Key !* 0x00 + # MS-MPPE-Send-Key !* 0x00 + # } + # } + + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # + # Add the ldap module name (or instance) if you have set + # 'edir_account_policy_check = yes' in the ldap module configuration + # + Post-Auth-Type REJECT { + # log failed authentications in SQL, too. +# sql + attr_filter.access_reject + } +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { +# attr_rewrite + + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +# files + + # Uncomment the following line if you want to filter requests + # sent to remote servers based on the rules defined in the + # 'attrs.pre-proxy' file. +# attr_filter.pre-proxy + + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. +# pre_proxy_log +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. +# +post-proxy { + + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +# post_proxy_log + +# attr_rewrite + + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +# attr_filter.post-proxy + + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap + + # + # If the server tries to proxy a request and fails, then the + # request is processed through the modules in this section. + # + # The main use of this section is to permit robust proxying + # of accounting packets. The server can be configured to + # proxy accounting packets as part of normal processing. + # Then, if the home server goes down, accounting packets can + # be logged to a local "detail" file, for processing with + # radrelay. When the home server comes back up, radrelay + # will read the detail file, and send the packets to the + # home server. + # + # With this configuration, the server always responds to + # Accounting-Requests from the NAS, but only writes + # accounting packets to disk if the home server is down. + # +# Post-Proxy-Type Fail { +# detail +# } +} diff --git a/debian/share/radius.ldif b/debian/share/radius.ldif new file mode 100644 index 0000000..6e3b64f --- /dev/null +++ b/debian/share/radius.ldif @@ -0,0 +1,210 @@ +# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. +# CRC32 f395ae99 +dn: cn=radius,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: radius +olcAttributeTypes: {0}( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures' D + ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN + GLE-VALUE ) +olcAttributeTypes: {1}( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity' D + ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN + GLE-VALUE ) +olcAttributeTypes: {2}( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess' + DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S + INGLE-VALUE ) +olcAttributeTypes: {3}( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' DESC + 'checkItem: Auth-Type' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466 + .115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {4}( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' DES + C 'replyItem: Callback-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1 + 466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {5}( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' + DESC 'replyItem: Callback-Number' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6 + .1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {6}( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId + ' DESC 'checkItem: Called-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1. + 3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {7}( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationI + d' DESC 'checkItem: Calling-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX + 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC 're + plyItem: Class' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121 + .1.26 ) +olcAttributeTypes: {9}( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddres + s' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: {10}( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC + 'replyItem: Filter-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466 + .115.121.1.26 ) +olcAttributeTypes: {11}( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTa + lkLink' DESC 'replyItem: Framed-AppleTalk-Link' EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {12}( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTa + lkNetwork' DESC 'replyItem: Framed-AppleTalk-Network' EQUALITY caseIgnoreIA + 5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {13}( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTa + lkZone' DESC 'replyItem: Framed-AppleTalk-Zone' EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {14}( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompres + sion' DESC 'replyItem: Framed-Compression' EQUALITY caseIgnoreIA5Match SYNT + AX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {15}( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddre + ss' DESC 'replyItem: Framed-IP-Address' EQUALITY caseIgnoreIA5Match SYNTAX + 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {16}( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetma + sk' DESC 'replyItem: Framed-IP-Netmask' EQUALITY caseIgnoreIA5Match SYNTAX + 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {17}( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetw + ork' DESC 'replyItem: Framed-IPX-Network' EQUALITY caseIgnoreIA5Match SYNTA + X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {18}( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DE + SC 'replyItem: Framed-MTU' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1 + 466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {19}( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtoco + l' DESC 'replyItem: Framed-Protocol' EQUALITY caseIgnoreIA5Match SYNTAX 1.3 + .6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' + DESC 'replyItem: Framed-Route' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 + .1.1466.115.121.1.26 ) +olcAttributeTypes: {21}( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting + ' DESC 'replyItem: Framed-Routing' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6 + .1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {22}( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DE + SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {23}( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC '' + EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA + LUE ) +olcAttributeTypes: {24}( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName + ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) +olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' + DESC 'replyItem: Idle-Timeout' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 + .1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' + DESC 'replyItem: Login-IP-Host' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1. + 4.1.1466.115.121.1.26 ) +olcAttributeTypes: {27}( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup + ' DESC 'replyItem: Login-LAT-Group' EQUALITY caseIgnoreIA5Match SYNTAX 1.3. + 6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {28}( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode' + DESC 'replyItem: Login-LAT-Node' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6. + 1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {29}( 1.3.6.1.4.1.3317.4.3.1.25 NAME 'radiusLoginLATPort' + DESC 'replyItem: Login-LAT-Port' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6. + 1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {30}( 1.3.6.1.4.1.3317.4.3.1.26 NAME 'radiusLoginLATServi + ce' DESC 'replyItem: Login-LAT-Service' EQUALITY caseIgnoreIA5Match SYNTAX + 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {31}( 1.3.6.1.4.1.3317.4.3.1.27 NAME 'radiusLoginService' + DESC 'replyItem: Login-Service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {32}( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort' + DESC 'replyItem: Login-TCP-Port' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6. + 1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {33}( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry + ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: {34}( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DE + SC 'replyItem: Port-Limit' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1 + 466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {35}( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DE + SC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE ) +olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC + '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- + VALUE ) +olcAttributeTypes: {37}( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm' + DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S + INGLE-VALUE ) +olcAttributeTypes: {38}( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToRe + alm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. + 26 SINGLE-VALUE ) +olcAttributeTypes: {39}( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC ' + ' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V + ALUE ) +olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' + DESC 'replyItem: Service-Type' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 + .1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {41}( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeou + t' DESC 'replyItem: Session-Timeout' EQUALITY caseIgnoreIA5Match SYNTAX 1.3 + .6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {42}( 1.3.6.1.4.1.3317.4.3.1.34 NAME 'radiusTerminationAc + tion' DESC 'replyItem: Termination-Action' EQUALITY caseIgnoreIA5Match SYNT + AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {43}( 1.3.6.1.4.1.3317.4.3.1.35 NAME 'radiusTunnelAssignm + entId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121. + 1.26 ) +olcAttributeTypes: {44}( 1.3.6.1.4.1.3317.4.3.1.36 NAME 'radiusTunnelMediumT + ype' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. + 26 ) +olcAttributeTypes: {45}( 1.3.6.1.4.1.3317.4.3.1.37 NAME 'radiusTunnelPasswor + d' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: {46}( 1.3.6.1.4.1.3317.4.3.1.38 NAME 'radiusTunnelPrefere + nce' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. + 26 ) +olcAttributeTypes: {47}( 1.3.6.1.4.1.3317.4.3.1.39 NAME 'radiusTunnelPrivate + GroupId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.26 ) +olcAttributeTypes: {48}( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerE + ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.26 ) +olcAttributeTypes: {49}( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' D + ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' + EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {51}( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientE + ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.26 ) +olcAttributeTypes: {52}( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousU + se' DESC 'checkItem: Simultaneous-Use' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: {53}( 1.3.6.1.4.1.3317.4.3.1.54 NAME 'radiusLoginTime' DE + SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING + LE-VALUE ) +olcAttributeTypes: {54}( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory' + DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S + INGLE-VALUE ) +olcAttributeTypes: {55}( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName + ' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC + '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- + VALUE ) +olcAttributeTypes: {57}( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' D + ESC 'checkItem: Expiration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1. + 1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {58}( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DE + SC 'checkItem: $GENERIC$' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14 + 66.115.121.1.26 ) +olcAttributeTypes: {59}( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DE + SC 'replyItem: $GENERIC$' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14 + 66.115.121.1.26 ) +olcAttributeTypes: {60}( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusNASIpAddress' + DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S + INGLE-VALUE ) +olcAttributeTypes: {61}( 1.3.6.1.4.1.3317.4.3.1.62 NAME 'radiusReplyMessage' + DESC 'replyItem: Reply-Message' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC '' + SUP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ + radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNu + mber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiu + sClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFrame + dAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ r + adiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ rad + iusFramedMTU $ radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ r + adiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupNam + e $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGr + oup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ rad + iusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetr + y $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ rad + iusReplicateToRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStri + pUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusPr + ofileDn $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMe + diumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPriv + ateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCate + gory $ radiusVSA $ radiusExpiration $ dialupAccess $ radiusNASIpAddress $ r + adiusReplyMessage ) ) +olcObjectClasses: {1}( 1.3.6.1.4.1.3317.4.3.2.2 NAME 'radiusObjectProfile' D + ESC 'A Container Objectclass to be used for creating radius profile object' + SUP top STRUCTURAL MUST cn MAY ( uid $ userPassword $ description ) ) diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/u-auth-manage b/debian/u-auth-manage new file mode 100644 index 0000000..458d963 --- /dev/null +++ b/debian/u-auth-manage @@ -0,0 +1,25 @@ +#!/bin/sh + +NAME=u-auth +MANAGE=/usr/lib/$NAME/manage.py + +# load Debian default configuration +export UAUTH_SETTINGS_FILE=/usr/lib/$NAME/debian_config.py + +# check user +if test x$1 = x"--forceuser" +then + shift +elif test $(id -un) != "$NAME" +then + echo "error: must use $0 with user ${NAME}" + exit 1 +fi + +if test $# -eq 0 +then + python ${MANAGE} help + exit 1 +fi + +python ${MANAGE} "$@" diff --git a/debian/u-auth.dirs b/debian/u-auth.dirs new file mode 100644 index 0000000..0e857be --- /dev/null +++ b/debian/u-auth.dirs @@ -0,0 +1,8 @@ +/etc/u-auth +/usr/lib/u-auth +/var/lib/u-auth/collectstatic +/var/lib/u-auth/static +/var/lib/u-auth/templates +/var/lib/u-auth/media +/var/lib/u-auth/metadatas +/var/log/u-auth diff --git a/debian/u-auth.docs b/debian/u-auth.docs new file mode 100644 index 0000000..68b8457 --- /dev/null +++ b/debian/u-auth.docs @@ -0,0 +1,3 @@ +COPYING +README +debian/nginx-example.conf diff --git a/debian/u-auth.init b/debian/u-auth.init new file mode 100644 index 0000000..165534c --- /dev/null +++ b/debian/u-auth.init @@ -0,0 +1,193 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: u-auth +# Required-Start: $network $local_fs +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Captive portal in the Cloud +# Description: Captive portal in the Cloud +### END INIT INFO + +# Author: Entr'ouvert + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="Captive portal in the Cloud" +NAME=u-auth +DAEMON=/usr/bin/gunicorn +RUN_DIR=/run/$NAME +PIDFILE=$RUN_DIR/$NAME.pid +LOG_DIR=/var/log/$NAME +SCRIPTNAME=/etc/init.d/$NAME +BIND=unix:$RUN_DIR/$NAME.sock +WORKERS=5 +TIMEOUT=30 + +UAUTH_SETTINGS_FILE=/usr/lib/$NAME/debian_config.py +MANAGE_SCRIPT="/usr/bin/$NAME-manage" + +USER=$NAME +GROUP=$NAME + +# Exit if the package is not installed +[ -x $MANAGE_SCRIPT ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +DAEMON_ARGS=${DAEMON_ARGS:-"--pid $PIDFILE \ +--user $USER --group $GROUP \ +--daemon \ +--access-logfile $LOG_DIR/gunicorn-access.log \ +--log-file $LOG_DIR/gunicorn-error.log \ +--bind=$BIND \ +--workers=$WORKERS \ +--worker-class=sync \ +--timeout=$TIMEOUT \ +--name $NAME \ +uauth.wsgi:application"} + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. +. /lib/lsb/init-functions + +# Create /run directory +if [ ! -d $RUN_DIR ]; then + install -d -m 755 -o $USER -g $GROUP $RUN_DIR +fi + +# environment for wsgi +export UAUTH_SETTINGS_FILE + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name `basename $DAEMON` + return 0 +} + +do_migrate() { + log_action_msg "Applying migrations (migrate).." + su $USER -p -c "$MANAGE_SCRIPT migrate" + log_action_msg "done" +} + +do_collectstatic() { + log_action_msg "Collect static files (collectstatic).." + su $USER -p -c "$MANAGE_SCRIPT collectstatic --noinput" + log_action_msg "done" +} + +case "$1" in + start) + log_daemon_msg "Starting $DESC " "$NAME" + do_migrate + do_collectstatic + do_start + case "$?" in + 0|1) log_end_msg 0 ;; + 2) log_end_msg 1 ;; + esac + ;; + stop) + log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) log_end_msg 0 ;; + 2) log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + log_daemon_msg "Reloading $DESC" "$NAME" + do_collectstatic + do_migrate + do_reload + log_end_msg $? + ;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_migrate + do_collectstatic + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2 + exit 3 + ;; +esac diff --git a/debian/u-auth.install b/debian/u-auth.install new file mode 100644 index 0000000..2abfc2b --- /dev/null +++ b/debian/u-auth.install @@ -0,0 +1,10 @@ +debian/u-auth-manage /usr/bin +debian/lib/u-auth /usr/lib/u-auth/ +debian/lib/setup-radius /usr/lib/u-auth/ +debian/lib/setup-slapd /usr/lib/u-auth/ +debian/lib/reset-slapd /usr/lib/u-auth/ +debian/share/config.ldif /usr/share/u-auth +debian/share/radius-default.conf /usr/share/u-auth +debian/share/radius.ldif /usr/share/u-auth +debian/settings.py /etc/u-auth +debian/debian_config.py /usr/lib/u-auth \ No newline at end of file diff --git a/debian/u-auth.postinst b/debian/u-auth.postinst new file mode 100644 index 0000000..44c03eb --- /dev/null +++ b/debian/u-auth.postinst @@ -0,0 +1,48 @@ +#! /bin/sh + +set -e + +NAME="u-auth" +USER=$NAME +GROUP=$NAME +CONFIG_DIR="/etc/$NAME" + +case "$1" in + configure) + + # make sure the administrative user exists + if ! getent passwd $USER >/dev/null; then + adduser --disabled-password --quiet --system \ + --no-create-home --home /var/lib/$NAME \ + --gecos "$NAME user" --group $USER + fi + # ensure dirs ownership + chown $USER:$GROUP /var/log/$NAME + chown $USER:$GROUP /var/lib/$NAME/collectstatic + chown $USER:$GROUP /var/lib/$NAME/static + chown $USER:$GROUP /var/lib/$NAME/media + # create a secret file + SECRET_FILE=$CONFIG_DIR/secret + if [ ! -f $SECRET_FILE ]; then + echo -n "Generating Django secret..." >&2 + cat /dev/urandom | tr -dc [:alnum:]-_\!\%\^:\; | head -c70 > $SECRET_FILE + chown root:$GROUP $SECRET_FILE + chmod 0440 $SECRET_FILE + fi + + /usr/lib/u-auth setup-slapd + /usr/lib/u-auth setup-radius + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0