From 6e2a5993ce470341bed0e0c6ba8e44de3712d50e Mon Sep 17 00:00:00 2001
From: Cullum Smith
Date: Sat, 26 Oct 2024 00:07:03 -0400
Subject: more icinga stuff
---
 .../etc/raddb/mods-available/eap.radius_server | 8 ++
 .../etc/raddb/mods-available/ldap.radius_server | 107 +++++++++++++++++++++
 2 files changed, 115 insertions(+)
 create mode 100644 files/usr/local/etc/raddb/mods-available/ldap.radius_server
(limited to 'files/usr/local/etc/raddb/mods-available')
diff --git a/files/usr/local/etc/raddb/mods-available/eap.radius_server b/files/usr/local/etc/raddb/mods-available/eap.radius_server
index 5c1aafd..789bc0e 100644
--- a/files/usr/local/etc/raddb/mods-available/eap.radius_server
+++ b/files/usr/local/etc/raddb/mods-available/eap.radius_server
@@ -39,4 +39,12 @@ eap {
 tls {
 tls = tls-common
 }
+
+ ttls {
+ tls = tls-common
+ default_eap_type = md5
+ copy_request_to_tunnel = no
+ use_tunneled_reply = no
+ virtual_server = "inner-tunnel"
+ }
 }
diff --git a/files/usr/local/etc/raddb/mods-available/ldap.radius_server b/files/usr/local/etc/raddb/mods-available/ldap.radius_server
new file mode 100644
index 0000000..09442f0
--- /dev/null
+++ b/files/usr/local/etc/raddb/mods-available/ldap.radius_server
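Review bot: `default_eap_type = md5` makes EAP-MD5 the inner method of the new `ttls` section and nothing in the hunk records why; EAP-MD5 needs the cleartext password on the server side and gives the client no authentication of the server, so it is acceptable here only because the outer TTLS tunnel wraps it, and a comment saying so would stop a later edit from promoting it to the outer `eap` defaults. With `use_tunneled_reply = no`, reply attributes that the `inner-tunnel` virtual server sets (group-derived VLAN attributes, for example) are not copied into the outer Access-Accept — if that is intended, say so next to the setting. Suggested comment above `ttls {`: `# Inner EAP-MD5 is protected only by the outer TLS tunnel; never enable md5 outside a tunnel. Inner-tunnel reply attributes are deliberately not copied out.` The enclosing `eap { }` block starts outside the hunk.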
@@ -0,0 +1,107 @@
+ldap {
+ $(printf " server = '%s'\n" ${ldap_hosts})
+
+ base_dn = '${users_basedn}'
+
+ sasl {
+ mech = 'GSSAPI'
+ realm = '${realm}'
+ }
+
+ update {
+ control:Password-With-Header += 'userPassword'
+ control: += 'radiusControlAttribute'
+ request: += 'radiusRequestAttribute'
+ reply: += 'radiusReplyAttribute'
+ }
+
+ user_dn = "LDAP-UserDn"
+
+ user {
+ base_dn = "\${..base_dn}"
+ filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
+ }
+
+ group {
+ base_dn = '${groups_basedn}'
+ filter = '(objectClass=groupOfMembers)'
+ name_attribute = cn
+ membership_filter = "(member=%{control:\${..user_dn}})"
+ membership_attribute = 'memberOf'
+ cacheable_name = 'yes'
+ cacheable_dn = 'yes'
+ allow_dangling_group_ref = 'yes'
+ }
+
+ profile { }
+
+ client {
+ base_dn = "\${..base_dn}"
+ filter = '(objectClass=radiusClient)'
+
+ template { }
+
+ attribute {
+ ipaddr = 'radiusClientIdentifier'
+ secret = 'radiusClientSecret'
+ }
+ }
+
+ read_clients = no
+
+ accounting {
+ reference = "%{tolower:type.%{Acct-Status-Type}}"
+
+ type {
+ start {
+ update {
+ description := "Online at %S"
+ }
+ }
+
+ interim-update {
+ update {
+ description := "Last seen at %S"
+ }
+ }
+
+ stop {
+ update {
+ description := "Offline at %S"
+ }
+ }
+ }
+ }
+
+ post-auth {
+ update {
+ description := "Authenticated at %S"
+ }
+ }
+
+ options {
+ chase_referrals = yes
+ rebind = yes
+ res_timeout = 10
+ srv_timelimit = 3
+ net_timeout = 1
+ idle = 60
+ probes = 3
+ interval = 3
+ ldap_debug = 0x0000
+ }
+
+ tls { }
+
+ pool {
+ start = \${thread[pool].start_servers}
+ min = \${thread[pool].min_spare_servers}
+ max = \${thread[pool].max_servers}
+
+ spare = \${thread[pool].max_spare_servers}
+ uses = 0
+ retry_delay = 30
+ lifetime = 0
+ idle_timeout = 60
+ }
+}
-- cgit v1.2.3
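Review bot: The new module pulls `userPassword` into the request (`control:Password-With-Header += 'userPassword'`), and would read `radiusClientSecret` as well if `read_clients` were ever switched on, yet the file leaves transport protection of the LDAP connection undetermined: `tls { }` is empty, no `start_tls` is set, and whether the `server` entries are `ldaps://` URIs depends on `${ldap_hosts}`, which is substituted outside this file. The GSSAPI bind protects the bind itself but protects the attribute traffic only if a SASL security layer is actually negotiated, so the expectation belongs where the next maintainer will see it, for example above the `sasl` block: `# Secrets (userPassword; radiusClientSecret if read_clients=yes) cross this connection: ldap_hosts must be ldaps:// URIs or the GSSAPI security layer must be in use.` The `$(printf ...)` line and the `\${..base_dn}` / `\${thread[pool]...}` escapes show this file is a shell template, so a one-line header naming which `${...}` names are substituted at deploy time (and that `\$` is for FreeRADIUS' own references) would avoid confusion between the two kinds of `${}`.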