From 4f325be6b9a217575510fe2de31a4788728b75d4 Mon Sep 17 00:00:00 2001 From: Jerry Vonau Date: Thu, 22 Sep 2016 11:53:31 -0500 Subject: [PATCH 01/13] replace stale file with symlink to correct file --- roles/httpd/templates/xs-console.conf.j2 | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) mode change 100644 => 120000 roles/httpd/templates/xs-console.conf.j2 diff --git a/roles/httpd/templates/xs-console.conf.j2 b/roles/httpd/templates/xs-console.conf.j2 deleted file mode 100644 index 6fbc4451..00000000 --- a/roles/httpd/templates/xs-console.conf.j2 +++ /dev/null @@ -1,18 +0,0 @@ -Alias /top /usr/share/xs-config/cfg/html/top - -# XS public web pages - must be publically accessible - - Require all granted - - -Alias /doc /usr/share/xs-config/cfg/html/doc - - - Require all granted - - -scriptalias /cgi /usr/share/xs-config/cfg/html/top/cgi - - - Require all granted - diff --git a/roles/httpd/templates/xs-console.conf.j2 b/roles/httpd/templates/xs-console.conf.j2 new file mode 120000 index 00000000..0148dab1 --- /dev/null +++ b/roles/httpd/templates/xs-console.conf.j2 @@ -0,0 +1 @@ +/opt/schoolserver/xsce/roles/xsce-admin/templates/console/xs-console.conf.j2 \ No newline at end of file From 7d77d539cf6175520dff562a952fcfa14456d357 Mon Sep 17 00:00:00 2001 From: George Hunt Date: Sat, 1 Oct 2016 10:07:47 -0400 Subject: [PATCH 02/13] select the long temp support version of elgg, which does not require php 5.5 --- roles/elgg/defaults/main.yml | 2 +- roles/elgg/tasks/main.yml | 35 +++++++++++++++++++-------- roles/elgg/templates/elggdb.sql.j2 | 38 +++++++++++++++--------------- 3 files changed, 45 insertions(+), 30 deletions(-) diff --git a/roles/elgg/defaults/main.yml b/roles/elgg/defaults/main.yml index 70fa9ab7..fc287779 100644 --- a/roles/elgg/defaults/main.yml +++ b/roles/elgg/defaults/main.yml @@ -1,5 +1,5 @@ elgg_xx: elgg -elgg_version: "2.1" +elgg_version: "1.12.12" # elgg_mysql_password: defined in default_vars elgg_url: /elgg 
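Review bot: The replacement `roles/httpd/templates/xs-console.conf.j2` is a symlink to the absolute path `/opt/schoolserver/xsce/roles/xsce-admin/templates/console/xs-console.conf.j2`, so the httpd role now renders whatever is on disk at that location at run time, and only works when the checkout lives at exactly that path; the content that ends up in the Apache config is no longer what this repository contains at the reviewed commit. A relative link such as `../../xsce-admin/templates/console/xs-console.conf.j2` keeps the target inside the checkout and under version control. If the intent is that the xsce-admin role owns this configuration, having that role install the file and removing it from httpd altogether is cleaner than a cross-role link.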
diff --git a/roles/elgg/tasks/main.yml b/roles/elgg/tasks/main.yml index 97a7c595..3bd42300 100644 --- a/roles/elgg/tasks/main.yml +++ b/roles/elgg/tasks/main.yml @@ -1,14 +1,29 @@ -- name: Determine if software is already downloaded - stat: path=/opt/elgg/install.php +- name: download current version from our copy + get_url: url={{ xsce_download_url }}/elgg-{{ elgg_version }}.zip + dest={{ downloads_dir }} + when: not {{ use_cache }} and not {{ no_network }} + tags: + - download2 + +- name: Determine if software is already expanded + stat: path=/opt/elgg/index.php register: elgg -- name: Get the ELGG software - git: name=https://github.com/Elgg/Elgg - version={{ elgg_version }} +- name: Expand it to our location + unarchive: dest=/opt/ + src={{ downloads_dir }}/elgg-{{ elgg_version }}.zip + when: elgg.stat.exists is defined and not elgg.stat.exists + +- name: change ownership + file: path=/opt/elgg-{{elgg_version }} + owner=apache + recurse=yes + +- name: Create a link to the versioned elgg folder + file: src=./elgg-{{ elgg_version }} dest=/opt/elgg - when: not {{ use_cache }} and not {{ no_network }} and elgg.stat.exists is defined and not elgg.stat.exists - tags: - - download2 + state=link + force=true # elggdb.sql obtained with mysqldump --skip-add-drop-table elggdb > elggdb.sql @@ -47,7 +62,7 @@ copy: src="/opt/{{ elgg_xx }}/install/config/htaccess.dist" dest="/opt/{{ elgg_xx }}/.htaccess" mode=0644 - owner=root + owner=apache group=root - name: Modify .htaccess to have RewriteBase as our directory @@ -72,7 +87,7 @@ when: mysql_enabled and elgg_enabled - name: Change permissions on engine directory so apache can write - file: path=/opt/elgg/engine/ owner=apache mode=0755 state=directory + file: path=/opt/elgg/ owner=apache mode=0755 state=directory - name: Create an upload directory that Apache can write in or elgg file: path={{ elgg_upload_path }} state=directory owner=apache 
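Review bot: The new `download current version from our copy` task fetches `elgg-{{ elgg_version }}.zip` from `{{ xsce_download_url }}` with `get_url` and the following `unarchive` task unpacks it straight into `/opt/` with no integrity check, so the PHP code that will run under the web server is whatever that URL serves at play time. `get_url` accepts a `checksum=` argument; pinning the archive, e.g. `checksum=sha256:<digest of elgg-1.12.12.zip>` kept next to `elgg_version` in defaults, makes a swapped or corrupted archive fail the play instead of being installed. The `change ownership` task then does `recurse=yes` `owner=apache` over the whole `/opt/elgg-{{ elgg_version }}` tree, which hands every PHP source file to the web-server user (see the comment on the last hunk of this file); if the recursive chown exists only so the installer can write `engine/settings.php`, limiting it to `engine/` would be the safer default.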
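Review bot: `file: path=/opt/elgg/ owner=apache mode=0755 state=directory` widens the previous `engine/`-only grant to the Elgg root, while the task's own name still says it is about the engine directory; combined with the recursive chown added earlier in this file, the `apache` user now owns the entire code tree, so any file-write or upload flaw in Elgg or one of its plugins becomes persistent code execution rather than a problem confined to the data directory. The visible install flow only needs write access for the engine directory (per the task name), the copied `.htaccess` (`owner=apache` in the hunk above), and the upload directory created by the next task, so keeping `path=/opt/elgg/engine/` here and leaving the rest of the tree root-owned preserves the install while restoring the boundary. Also update the task name if the broader scope is really intended, so the next reader does not assume it is an accident.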
diff --git a/roles/elgg/templates/elggdb.sql.j2 b/roles/elgg/templates/elggdb.sql.j2 index 381ad0f9..ff3a043b 100644 --- a/roles/elgg/templates/elggdb.sql.j2 +++ b/roles/elgg/templates/elggdb.sql.j2 @@ -1,8 +1,8 @@ --- MySQL dump 10.14 Distrib 5.5.41-MariaDB, for Linux (x86_64) +-- MySQL dump 10.14 Distrib 5.5.47-MariaDB, for Linux (x86_64) -- --- Host: {{ dbhost }} Database: {{ dbname }} +-- Host: localhost Database: elggdb -- ------------------------------------------------------ --- Server version 5.5.41-MariaDB +-- Server version 5.5.47-MariaDB /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; @@ -143,7 +143,7 @@ CREATE TABLE `elgg_config` ( LOCK TABLES `elgg_config` WRITE; /*!40000 ALTER TABLE `elgg_config` DISABLE KEYS */; -INSERT INTO `elgg_config` VALUES ('view','s:7:\"default\";',1),('language','s:2:\"en\";',1),('default_access','s:1:\"2\";',1),('allow_registration','b:1;',1),('walled_garden','b:0;',1),('allow_user_default_access','s:0:\"\";',1),('default_limit','i:10;',1); +INSERT INTO `elgg_config` VALUES ('view','s:7:\"default\";',1),('language','s:2:\"en\";',1),('default_access','s:1:\"2\";',1),('allow_registration','b:1;',1),('walled_garden','b:0;',1),('allow_user_default_access','s:0:\"\";',1),('default_limit','i:10;',1),('search_ft_min_word_len','s:1:\"4\";',1),('search_ft_max_word_len','s:2:\"84\";',1); /*!40000 ALTER TABLE `elgg_config` ENABLE KEYS */; UNLOCK TABLES; 
@@ -166,7 +166,7 @@ CREATE TABLE `elgg_datalists` ( LOCK TABLES `elgg_datalists` WRITE; /*!40000 ALTER TABLE `elgg_datalists` DISABLE KEYS */; -INSERT INTO `elgg_datalists` VALUES ('installed','1424199649'),('path','/'),('dataroot','/library/elgg/'),('default_site','1'),('version','2014130300'),('simplecache_enabled','1'),('system_cache_enabled','1'),('simplecache_lastupdate','1424199649'),('processed_upgrades','b:0;'),('admin_registered','1'),('__site_secret__','zUTiG3U5P2q74q2v6YftbkDiBm0-BIXl'); +INSERT INTO `elgg_datalists` VALUES ('installed','1475289209'),('dataroot','/library/elgg/'),('default_site','1'),('version','2015041400'),('simplecache_enabled','1'),('system_cache_enabled','1'),('simplecache_lastupdate','1475289209'),('path','/opt/elgg-1.12.12/'),('processed_upgrades','a:62:{i:0;s:14:\"2008100701.php\";i:1;s:14:\"2008101303.php\";i:2;s:14:\"2009022701.php\";i:3;s:14:\"2009041701.php\";i:4;s:14:\"2009070101.php\";i:5;s:14:\"2009102801.php\";i:6;s:14:\"2010010501.php\";i:7;s:14:\"2010033101.php\";i:8;s:14:\"2010040201.php\";i:9;s:14:\"2010052601.php\";i:10;s:14:\"2010060101.php\";i:11;s:14:\"2010060401.php\";i:12;s:14:\"2010061501.php\";i:13;s:14:\"2010062301.php\";i:14;s:14:\"2010062302.php\";i:15;s:14:\"2010070301.php\";i:16;s:14:\"2010071001.php\";i:17;s:14:\"2010071002.php\";i:18;s:14:\"2010111501.php\";i:19;s:14:\"2010121601.php\";i:20;s:14:\"2010121602.php\";i:21;s:14:\"2010121701.php\";i:22;s:14:\"2010123101.php\";i:23;s:14:\"2011010101.php\";i:24;s:61:\"2011021800-1.8_svn-goodbye_walled_garden-083121a656d06894.php\";i:25;s:61:\"2011022000-1.8_svn-custom_profile_fields-390ac967b0bb5665.php\";i:26;s:60:\"2011030700-1.8_svn-blog_status_metadata-4645225d7b440876.php\";i:27;s:51:\"2011031300-1.8_svn-twitter_api-12b832a5a7a3e1bd.php\";i:28;s:57:\"2011031600-1.8_svn-datalist_grows_up-0b8aec5a55cc1e1c.php\";i:29;s:61:\"2011032000-1.8_svn-widgets_arent_plugins-61836261fa280a5c.php\";i:30;s:59:\"2011032200-1.8_svn-admins_like_widgets-7f19d2783c1680d3.php\"
;i:31;s:14:\"2011052801.php\";i:32;s:60:\"2011061200-1.8b1-sites_need_a_site_guid-6d9dcbf46c0826cc.php\";i:33;s:62:\"2011092500-1.8.0.1-forum_reply_river_view-5758ce8d86ac56ce.php\";i:34;s:54:\"2011123100-1.8.2-fix_friend_river-b17e7ff8345c2269.php\";i:35;s:53:\"2011123101-1.8.2-fix_blog_status-b14c2a0e7b9e7d55.php\";i:36;s:50:\"2012012000-1.8.3-ip_in_syslog-87fe0f068cf62428.php\";i:37;s:50:\"2012012100-1.8.3-system_cache-93100e7d55a24a11.php\";i:38;s:59:\"2012041800-1.8.3-dont_filter_passwords-c0ca4a18b38ae2bc.php\";i:39;s:58:\"2012041801-1.8.3-multiple_user_tokens-852225f7fd89f6c5.php\";i:40;s:59:\"2013010200-1.9.0_dev-river_target_guid-66cbcae057cfa3ad.php\";i:41;s:62:\"2013010400-1.9.0_dev-comments_to_entities-faba94768b055b08.php\";i:42;s:61:\"2013021000-1.9.0_dev-web_services_plugin-85a61b4884b9b9e3.php\";i:43;s:60:\"2013022000-1.9.0-datadir_dates_to_guids-efb02ff11b9d6444.php\";i:44;s:59:\"2013030600-1.8.13-update_user_location-8999eb8bf1bdd9a3.php\";i:45;s:62:\"2013051700-1.8.15-add_missing_group_index-52a63a3a3ffaced2.php\";i:46;s:53:\"2013052900-1.8.15-ipv6_in_syslog-f5c2cc0196e9e731.php\";i:47;s:50:\"2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php\";i:48;s:63:\"2013062200-1.9.0_dev-new_remember_me_table-da1bfc6f36c7952e.php\";i:49;s:54:\"2013062700-1.9.0_dev-add_db_queue-e6af82afc6d3eee3.php\";i:50;s:50:\"2014012000-1.8.18-remember_me-9a8a433685cf7be9.php\";i:51;s:61:\"2014031100-1.9.0_dev-elgg_upgrade_object-5577af53c93abd1a.php\";i:52;s:55:\"2014032200-1.9.0_dev-tinymce_to_ck-bbd2daa1912deaef.php\";i:53;s:60:\"2014042500-1.9.0_dev-site-notifications-0aae171afb7a00d8.php\";i:54;s:61:\"2014050600-1.9.0_dev-replies_to_entities-094ea0e36bc027d3.php\";i:55;s:60:\"2014070600-1.9.0_rc.3-river_enabled_col-bef9e6f0533ac338.php\";i:56;s:60:\"2014090900-1.9.0-fix_processed_upgrades-183ad189c71872d8.php\";i:57;s:62:\"2014111600-1.9.4-recheck_comments_upgrade-9da270072a5b0cad.php\";i:58;s:58:\"2014111800-1.10.0-add_new_hash_column-536087bbb2dbc82b.php\";i:59;s:56
:\"2014130300-1.10.0-add_default_limit-fcef9e7ce01e26a4.php\";i:60;s:62:\"2015031300-1.11.0_dev-comment-access-sync-50c9764e5845315c.php\";i:61;s:59:\"2015041400-1.11.0_dev-trim_metastrings-d9a9fdfa28a981a3.php\";}'),('admin_registered','1'),('__site_secret__','zEtnDchxCARZxpQunLzmbcv6BOOpOMh9'); /*!40000 ALTER TABLE `elgg_datalists` ENABLE KEYS */; UNLOCK TABLES; @@ -197,7 +197,7 @@ CREATE TABLE `elgg_entities` ( KEY `access_id` (`access_id`), KEY `time_created` (`time_created`), KEY `time_updated` (`time_updated`) -) ENGINE=MyISAM AUTO_INCREMENT=43 DEFAULT CHARSET=utf8; +) ENGINE=MyISAM AUTO_INCREMENT=44 DEFAULT CHARSET=utf8; /*!40101 SET character_set_client = @saved_cs_client */; -- 
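Review bot: The refreshed dump hard-codes a new `__site_secret__` (`zEtnDchxCARZxpQunLzmbcv6BOOpOMh9`) in a template that is committed to the repository and loaded into every server built from it, so all deployments share one secret that Elgg uses as the key for the tokens named after it; anyone with a copy of the repo holds that key for every seeded site, and this commit regenerates the value without fixing the pattern. Since the file is already a `.j2` template, render it per host instead, e.g. `('__site_secret__','{{ elgg_site_secret }}')` with the value generated at play time (Ansible's `password` lookup or similar) and kept out of version control, or have the post-install tasks trigger Elgg's own site-secret regeneration. Separately, `('path','/opt/elgg-1.12.12/')` bakes the version into the SQL while the task file installs to `/opt/elgg-{{ elgg_version }}` behind the `/opt/elgg` symlink; using `/opt/elgg/` or `/opt/elgg-{{ elgg_version }}/` here keeps the two in step when `elgg_version` changes.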
@@ -206,7 +206,7 @@ CREATE TABLE `elgg_entities` ( LOCK TABLES `elgg_entities` WRITE; /*!40000 ALTER TABLE `elgg_entities` DISABLE KEYS */; -INSERT INTO `elgg_entities` VALUES (1,'site',0,0,1,0,2,1424199649,1424199649,1424199649,'yes'),(2,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(3,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(4,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(5,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(6,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(7,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(8,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(9,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(10,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(11,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(12,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(13,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(14,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(15,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(16,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(17,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(18,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(19,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(20,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(21,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(22,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(23,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(24,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(25,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(26,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(27,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(28,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(29,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(30,'obj
ect',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(31,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(32,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(33,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(34,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(35,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(36,'object',1,1,1,1,2,1424199649,1424199649,1424199649,'yes'),(37,'user',0,0,1,0,2,1424199685,1424199685,1424199685,'yes'),(38,'object',3,37,1,37,0,1424199685,1424199685,1424199685,'yes'),(39,'object',3,37,1,37,0,1424199685,1424199685,1424199685,'yes'),(40,'object',3,37,1,37,0,1424199685,1424199685,1424199685,'yes'),(41,'object',3,37,1,37,0,1424199685,1424199685,1424199685,'yes'),(42,'object',3,37,1,37,0,1424199685,1424199685,1424199685,'yes'); +INSERT INTO `elgg_entities` VALUES (1,'site',0,0,1,0,2,1475289209,1475289209,1475289209,'yes'),(2,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(3,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(4,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(5,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(6,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(7,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(8,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(9,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(10,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(11,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(12,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(13,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(14,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(15,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(16,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(17,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(18,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(19,'object',1,1,1,1,
2,1475289209,1475289209,1475289209,'yes'),(20,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(21,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(22,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(23,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(24,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(25,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(26,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(27,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(28,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(29,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(30,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(31,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(32,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(33,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(34,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(35,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(36,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(37,'object',1,1,1,1,2,1475289209,1475289209,1475289209,'yes'),(38,'user',0,0,1,0,2,1475289252,1475289252,1475289252,'yes'),(39,'object',3,38,1,38,0,1475289252,1475289252,1475289252,'yes'),(40,'object',3,38,1,38,0,1475289252,1475289252,1475289252,'yes'),(41,'object',3,38,1,38,0,1475289252,1475289252,1475289252,'yes'),(42,'object',3,38,1,38,0,1475289252,1475289252,1475289252,'yes'),(43,'object',3,38,1,38,0,1475289252,1475289252,1475289252,'yes'); /*!40000 ALTER TABLE `elgg_entities` ENABLE KEYS */; UNLOCK TABLES; @@ -226,7 +226,7 @@ CREATE TABLE `elgg_entity_relationships` ( UNIQUE KEY `guid_one` (`guid_one`,`relationship`,`guid_two`), KEY `relationship` (`relationship`), KEY `guid_two` (`guid_two`) -) ENGINE=MyISAM AUTO_INCREMENT=24 DEFAULT CHARSET=utf8; +) ENGINE=MyISAM AUTO_INCREMENT=25 DEFAULT CHARSET=utf8; /*!40101 SET character_set_client = @saved_cs_client */; -- 
@@ -235,7 +235,7 @@ CREATE TABLE `elgg_entity_relationships` ( LOCK TABLES `elgg_entity_relationships` WRITE; /*!40000 ALTER TABLE `elgg_entity_relationships` DISABLE KEYS */; -INSERT INTO `elgg_entity_relationships` VALUES (1,3,'active_plugin',1,1424199649),(2,4,'active_plugin',1,1424199649),(3,6,'active_plugin',1,1424199649),(4,13,'active_plugin',1,1424199649),(5,14,'active_plugin',1,1424199649),(6,15,'active_plugin',1,1424199649),(7,16,'active_plugin',1,1424199649),(8,17,'active_plugin',1,1424199649),(9,19,'active_plugin',1,1424199649),(10,20,'active_plugin',1,1424199649),(11,21,'active_plugin',1,1424199649),(12,22,'active_plugin',1,1424199649),(13,23,'active_plugin',1,1424199649),(14,24,'active_plugin',1,1424199649),(15,25,'active_plugin',1,1424199649),(16,26,'active_plugin',1,1424199650),(17,27,'active_plugin',1,1424199650),(18,28,'active_plugin',1,1424199650),(19,29,'active_plugin',1,1424199650),(20,32,'active_plugin',1,1424199650),(21,34,'active_plugin',1,1424199650),(22,36,'active_plugin',1,1424199650),(23,37,'member_of_site',1,1424199685); +INSERT INTO `elgg_entity_relationships` VALUES (1,2,'active_plugin',1,1475289209),(2,3,'active_plugin',1,1475289209),(3,4,'active_plugin',1,1475289209),(4,6,'active_plugin',1,1475289209),(5,13,'active_plugin',1,1475289209),(6,14,'active_plugin',1,1475289209),(7,15,'active_plugin',1,1475289209),(8,16,'active_plugin',1,1475289209),(9,17,'active_plugin',1,1475289209),(10,19,'active_plugin',1,1475289209),(11,20,'active_plugin',1,1475289209),(12,22,'active_plugin',1,1475289209),(13,23,'active_plugin',1,1475289209),(14,24,'active_plugin',1,1475289209),(15,25,'active_plugin',1,1475289209),(16,26,'active_plugin',1,1475289209),(17,27,'active_plugin',1,1475289209),(18,28,'active_plugin',1,1475289209),(19,29,'active_plugin',1,1475289209),(20,30,'active_plugin',1,1475289209),(21,33,'active_plugin',1,1475289209),(22,35,'active_plugin',1,1475289209),(23,37,'active_plugin',1,1475289209),(24,38,'member_of_site',1,1475289252); /*!40000 
ALTER TABLE `elgg_entity_relationships` ENABLE KEYS */; UNLOCK TABLES; @@ -370,7 +370,7 @@ CREATE TABLE `elgg_metadata` ( LOCK TABLES `elgg_metadata` WRITE; /*!40000 ALTER TABLE `elgg_metadata` DISABLE KEYS */; -INSERT INTO `elgg_metadata` VALUES (1,1,1,2,'text',0,2,1424199649,'yes'),(2,37,3,4,'text',37,2,1424199685,'yes'),(3,37,5,4,'text',0,2,1424199685,'yes'),(4,37,6,7,'text',0,2,1424199685,'yes'); +INSERT INTO `elgg_metadata` VALUES (1,1,1,2,'text',0,2,1475289209,'yes'),(2,38,3,4,'text',38,2,1475289252,'yes'),(3,38,5,4,'text',0,2,1475289252,'yes'),(4,38,6,7,'text',0,2,1475289252,'yes'); /*!40000 ALTER TABLE `elgg_metadata` ENABLE KEYS */; UNLOCK TABLES; @@ -394,7 +394,7 @@ CREATE TABLE `elgg_metastrings` ( LOCK TABLES `elgg_metastrings` WRITE; /*!40000 ALTER TABLE `elgg_metastrings` DISABLE KEYS */; -INSERT INTO `elgg_metastrings` VALUES (1,'email'),(2,'elgg@schoolserver.lan'),(3,'notification:method:email'),(4,'1'),(5,'validated'),(6,'validated_method'),(7,'admin_user'),(8,'toId'),(9,'37'),(10,'readYet'),(11,'0'),(12,'msg'); +INSERT INTO `elgg_metastrings` VALUES (1,'email'),(2,'admin@schoolserver.lan'),(3,'notification:method:email'),(4,'1'),(5,'validated'),(6,'validated_method'),(7,'admin_user'),(8,'toId'),(9,'38'),(10,'readYet'),(11,'0'),(12,'msg'); /*!40000 ALTER TABLE `elgg_metastrings` ENABLE KEYS */; UNLOCK TABLES; 
@@ -419,7 +419,7 @@ CREATE TABLE `elgg_objects_entity` ( LOCK TABLES `elgg_objects_entity` WRITE; /*!40000 ALTER TABLE `elgg_objects_entity` DISABLE KEYS */; -INSERT INTO `elgg_objects_entity` VALUES (2,'aalborg_theme',''),(3,'blog',''),(4,'bookmarks',''),(5,'categories',''),(6,'ckeditor',''),(7,'custom_index',''),(8,'dashboard',''),(9,'developers',''),(10,'diagnostics',''),(11,'embed',''),(12,'externalpages',''),(13,'file',''),(14,'garbagecollector',''),(15,'groups',''),(16,'htmlawed',''),(17,'invitefriends',''),(18,'legacy_urls',''),(19,'likes',''),(20,'logbrowser',''),(21,'logrotate',''),(22,'members',''),(23,'messageboard',''),(24,'messages',''),(25,'notifications',''),(26,'pages',''),(27,'profile',''),(28,'reportedcontent',''),(29,'search',''),(30,'site_notifications',''),(31,'tagcloud',''),(32,'thewire',''),(33,'twitter_api',''),(34,'uservalidationbyemail',''),(35,'web_services',''),(36,'zaudio',''),(38,'',''),(39,'',''),(40,'',''),(41,'',''),(42,'',''); +INSERT INTO `elgg_objects_entity` VALUES (2,'aalborg_theme',''),(3,'blog',''),(4,'bookmarks',''),(5,'categories',''),(6,'ckeditor',''),(7,'custom_index',''),(8,'dashboard',''),(9,'developers',''),(10,'diagnostics',''),(11,'embed',''),(12,'externalpages',''),(13,'file',''),(14,'garbagecollector',''),(15,'groups',''),(16,'htmlawed',''),(17,'invitefriends',''),(18,'legacy_urls',''),(19,'likes',''),(20,'logbrowser',''),(21,'login_as',''),(22,'logrotate',''),(23,'members',''),(24,'messageboard',''),(25,'messages',''),(26,'notifications',''),(27,'pages',''),(28,'profile',''),(29,'reportedcontent',''),(30,'search',''),(31,'site_notifications',''),(32,'tagcloud',''),(33,'thewire',''),(34,'twitter_api',''),(35,'uservalidationbyemail',''),(36,'web_services',''),(37,'zaudio',''),(39,'',''),(40,'',''),(41,'',''),(42,'',''),(43,'',''); /*!40000 ALTER TABLE `elgg_objects_entity` ENABLE KEYS */; UNLOCK TABLES; 
@@ -438,7 +438,7 @@ CREATE TABLE `elgg_private_settings` ( UNIQUE KEY `entity_guid` (`entity_guid`,`name`), KEY `name` (`name`), KEY `value` (`value`(50)) -) ENGINE=MyISAM AUTO_INCREMENT=57 DEFAULT CHARSET=utf8; +) ENGINE=MyISAM AUTO_INCREMENT=58 DEFAULT CHARSET=utf8; /*!40101 SET character_set_client = @saved_cs_client */; -- 
@@ -447,7 +447,7 @@ CREATE TABLE `elgg_private_settings` ( LOCK TABLES `elgg_private_settings` WRITE; /*!40000 ALTER TABLE `elgg_private_settings` DISABLE KEYS */; -INSERT INTO `elgg_private_settings` VALUES (1,2,'elgg:internal:priority','35'),(2,3,'elgg:internal:priority','1'),(3,4,'elgg:internal:priority','2'),(4,5,'elgg:internal:priority','3'),(5,6,'elgg:internal:priority','4'),(6,7,'elgg:internal:priority','5'),(7,8,'elgg:internal:priority','6'),(8,9,'elgg:internal:priority','7'),(9,10,'elgg:internal:priority','8'),(10,11,'elgg:internal:priority','9'),(11,12,'elgg:internal:priority','10'),(12,13,'elgg:internal:priority','11'),(13,14,'elgg:internal:priority','12'),(14,15,'elgg:internal:priority','13'),(15,16,'elgg:internal:priority','14'),(16,17,'elgg:internal:priority','15'),(17,18,'elgg:internal:priority','16'),(18,19,'elgg:internal:priority','17'),(19,20,'elgg:internal:priority','18'),(20,21,'elgg:internal:priority','19'),(21,22,'elgg:internal:priority','20'),(22,23,'elgg:internal:priority','21'),(23,24,'elgg:internal:priority','22'),(24,25,'elgg:internal:priority','23'),(25,26,'elgg:internal:priority','24'),(26,27,'elgg:internal:priority','25'),(27,28,'elgg:internal:priority','26'),(28,29,'elgg:internal:priority','27'),(29,30,'elgg:internal:priority','28'),(30,31,'elgg:internal:priority','29'),(31,32,'elgg:internal:priority','30'),(32,33,'elgg:internal:priority','31'),(33,34,'elgg:internal:priority','32'),(34,35,'elgg:internal:priority','33'),(35,36,'elgg:internal:priority','34'),(36,32,'limit','140'),(37,38,'handler','control_panel'),(38,38,'context','admin'),(39,38,'column','1'),(40,38,'order','0'),(41,39,'handler','admin_welcome'),(42,39,'context','admin'),(43,39,'order','10'),(44,39,'column','1'),(45,40,'handler','online_users'),(46,40,'context','admin'),(47,40,'column','2'),(48,40,'order','0'),(49,41,'handler','new_users'),(50,41,'context','admin'),(51,41,'order','10'),(52,41,'column','2'),(53,42,'handler','content_stats'),(54,42,'context','admin'),(55,4
2,'order','20'),(56,42,'column','2'); +INSERT INTO `elgg_private_settings` VALUES (1,2,'elgg:internal:priority','36'),(2,3,'elgg:internal:priority','1'),(3,4,'elgg:internal:priority','2'),(4,5,'elgg:internal:priority','3'),(5,6,'elgg:internal:priority','4'),(6,7,'elgg:internal:priority','5'),(7,8,'elgg:internal:priority','6'),(8,9,'elgg:internal:priority','7'),(9,10,'elgg:internal:priority','8'),(10,11,'elgg:internal:priority','9'),(11,12,'elgg:internal:priority','10'),(12,13,'elgg:internal:priority','11'),(13,14,'elgg:internal:priority','12'),(14,15,'elgg:internal:priority','13'),(15,16,'elgg:internal:priority','14'),(16,17,'elgg:internal:priority','15'),(17,18,'elgg:internal:priority','16'),(18,19,'elgg:internal:priority','17'),(19,20,'elgg:internal:priority','18'),(20,21,'elgg:internal:priority','19'),(21,22,'elgg:internal:priority','20'),(22,23,'elgg:internal:priority','21'),(23,24,'elgg:internal:priority','22'),(24,25,'elgg:internal:priority','23'),(25,26,'elgg:internal:priority','24'),(26,27,'elgg:internal:priority','25'),(27,28,'elgg:internal:priority','26'),(28,29,'elgg:internal:priority','27'),(29,30,'elgg:internal:priority','28'),(30,31,'elgg:internal:priority','29'),(31,32,'elgg:internal:priority','30'),(32,33,'elgg:internal:priority','31'),(33,34,'elgg:internal:priority','32'),(34,35,'elgg:internal:priority','33'),(35,36,'elgg:internal:priority','34'),(36,37,'elgg:internal:priority','35'),(37,33,'limit','140'),(38,39,'handler','control_panel'),(39,39,'context','admin'),(40,39,'column','1'),(41,39,'order','0'),(42,40,'handler','admin_welcome'),(43,40,'context','admin'),(44,40,'order','10'),(45,40,'column','1'),(46,41,'handler','online_users'),(47,41,'context','admin'),(48,41,'column','2'),(49,41,'order','0'),(50,42,'handler','new_users'),(51,42,'context','admin'),(52,42,'order','10'),(53,42,'column','2'),(54,43,'handler','content_stats'),(55,43,'context','admin'),(56,43,'order','20'),(57,43,'column','2'); /*!40000 ALTER TABLE `elgg_private_settings` 
ENABLE KEYS */; UNLOCK TABLES; @@ -541,7 +541,7 @@ CREATE TABLE `elgg_sites_entity` ( LOCK TABLES `elgg_sites_entity` WRITE; /*!40000 ALTER TABLE `elgg_sites_entity` DISABLE KEYS */; -INSERT INTO `elgg_sites_entity` VALUES (1,'School Server Community','','http://schoolserver/elgg/'); +INSERT INTO `elgg_sites_entity` VALUES (1,'My New Community','','http://schoolserver.lan/elgg/'); /*!40000 ALTER TABLE `elgg_sites_entity` ENABLE KEYS */; UNLOCK TABLES; 
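Review bot: The `elgg_sites_entity` row now carries the Elgg installer's stock name `My New Community` in place of `School Server Community`, which looks like a by-product of re-dumping a fresh install rather than an intended rename; the seed should keep the product name or template it. The URL is likewise hard-coded to `http://schoolserver.lan/elgg/` while `roles/elgg/defaults/main.yml` in this same patch defines `elgg_url: /elgg`, and Elgg appears to treat this stored value as the site's canonical base URL, so a host reached under another name or mount point will emit links to the wrong place. Rendering it as `http://<host from play vars>{{ elgg_url }}/` keeps the template honest about being a template and removes one more place the path has to be changed by hand.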
@@ -583,7 +583,7 @@ CREATE TABLE `elgg_system_log` ( LOCK TABLES `elgg_system_log` WRITE; /*!40000 ALTER TABLE `elgg_system_log` DISABLE KEYS */; -INSERT INTO `elgg_system_log` VALUES (1,2,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(2,3,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(3,4,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(4,5,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(5,6,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(6,7,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(7,8,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(8,9,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(9,10,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(10,11,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(11,12,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(12,13,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(13,14,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(14,15,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(15,16,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(16,17,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(17,18,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(18,19,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(19,20,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(20,21,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(21,22,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'17
2.18.100.204'),(22,23,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(23,24,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(24,25,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(25,26,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(26,27,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(27,28,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(28,29,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(29,30,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(30,31,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(31,32,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(32,33,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(33,34,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(34,35,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(35,36,'ElggPlugin','object','plugin','create',0,1,2,'yes',1424199649,'172.18.100.204'),(36,1,'ElggRelationship','relationship','active_plugin','create',0,0,2,'yes',1424199649,'172.18.100.204'),(37,16,'ElggRelationship','relationship','active_plugin','create',0,0,2,'yes',1424199650,'172.18.100.204'),(38,17,'ElggRelationship','relationship','active_plugin','create',0,0,2,'yes',1424199650,'172.18.100.204'),(39,18,'ElggRelationship','relationship','active_plugin','create',0,0,2,'yes',1424199650,'172.18.100.204'),(40,19,'ElggRelationship','relationship','active_plugin','create',0,0,2,'yes',1424199650,'172.18.100.204'),(41,20,'ElggRelationship','relationship','active_plugin','create',0,0,2,'yes',1424199650,'172.18.100.204'),(42,21,'ElggRelationship','relationship','active_plugin','create',0,0,2,'yes',1424199650,'172.18.100.204'),(43,2
2,'ElggRelationship','relationship','active_plugin','create',0,0,2,'yes',1424199650,'172.18.100.204'),(44,23,'ElggRelationship','relationship','member_of_site','create',0,0,2,'yes',1424199685,'172.18.100.204'),(45,37,'ElggUser','user','','create',0,0,2,'yes',1424199685,'172.18.100.204'),(46,2,'ElggMetadata','metadata','notification:method:email','create',0,37,2,'yes',1424199685,'172.18.100.204'),(47,38,'ElggWidget','object','widget','create',0,37,2,'yes',1424199685,'172.18.100.204'),(48,39,'ElggWidget','object','widget','create',0,37,2,'yes',1424199685,'172.18.100.204'),(49,40,'ElggWidget','object','widget','create',0,37,2,'yes',1424199685,'172.18.100.204'),(50,41,'ElggWidget','object','widget','create',0,37,2,'yes',1424199685,'172.18.100.204'),(51,42,'ElggWidget','object','widget','create',0,37,2,'yes',1424199685,'172.18.100.204'),(52,37,'ElggUser','user','','make_admin',0,0,2,'yes',1424199685,'172.18.100.204'),(53,3,'ElggMetadata','metadata','validated','create',0,0,2,'yes',1424199685,'172.18.100.204'),(54,4,'ElggMetadata','metadata','validated_method','create',0,0,2,'yes',1424199685,'172.18.100.204'),(55,37,'ElggUser','user','','login:before',0,0,2,'yes',1424199685,'172.18.100.204'),(56,37,'ElggUser','user','','login',37,0,2,'yes',1424199685,'172.18.100.204'),(57,37,'ElggUser','user','','login:after',37,0,2,'yes',1424199685,'172.18.100.204'); +INSERT INTO `elgg_system_log` VALUES 
(1,2,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(2,3,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(3,4,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(4,5,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(5,6,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(6,7,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(7,8,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(8,9,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(9,10,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(10,11,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(11,12,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(12,13,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(13,14,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(14,15,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(15,16,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(16,17,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(17,18,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(18,19,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(19,20,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(20,21,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(21,22,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(22,23,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(23,24,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100
.205'),(24,25,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(25,26,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(26,27,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(27,28,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(28,29,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(29,30,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(30,31,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(31,32,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(32,33,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(33,34,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(34,35,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(35,36,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(36,37,'ElggPlugin','object','plugin','create',0,1,2,'yes',1475289209,'172.18.100.205'),(37,1,'ElggRelationship','relationship','active_plugin','create',0,0,2,'yes',1475289209,'172.18.100.205'),(38,24,'ElggRelationship','relationship','member_of_site','create',0,0,2,'yes',1475289252,'172.18.100.205'),(39,38,'ElggUser','user','','create',0,0,2,'yes',1475289252,'172.18.100.205'),(40,2,'ElggMetadata','metadata','notification:method:email','create',0,38,2,'yes',1475289252,'172.18.100.205'),(41,39,'ElggWidget','object','widget','create',0,38,2,'yes',1475289252,'172.18.100.205'),(42,40,'ElggWidget','object','widget','create',0,38,2,'yes',1475289252,'172.18.100.205'),(43,41,'ElggWidget','object','widget','create',0,38,2,'yes',1475289252,'172.18.100.205'),(44,42,'ElggWidget','object','widget','create',0,38,2,'yes',1475289252,'172.18.100.205'),(45,43,'ElggWidget','object','widget','create',0,38,2,'yes',1475289252,'172.18.100.205'),(
46,38,'ElggUser','user','','make_admin',0,0,2,'yes',1475289252,'172.18.100.205'),(47,3,'ElggMetadata','metadata','validated','create',0,0,2,'yes',1475289252,'172.18.100.205'),(48,4,'ElggMetadata','metadata','validated_method','create',0,0,2,'yes',1475289252,'172.18.100.205'),(49,38,'ElggUser','user','','login:before',0,0,2,'yes',1475289252,'172.18.100.205'),(50,38,'ElggUser','user','','login',38,0,2,'yes',1475289252,'172.18.100.205'),(51,38,'ElggUser','user','','login:after',38,0,2,'yes',1475289252,'172.18.100.205'),(52,38,'ElggUser','user','','logout:before',38,0,2,'yes',1475289302,'172.18.100.205'),(53,38,'ElggUser','user','','logout',38,0,2,'yes',1475289302,'172.18.100.205'),(54,38,'ElggUser','user','','logout:after',0,0,2,'yes',1475289302,'172.18.100.205'),(55,38,'ElggUser','user','','login:before',0,0,2,'yes',1475289313,'172.18.100.205'),(56,38,'ElggUser','user','','login',38,0,2,'yes',1475289313,'172.18.100.205'),(57,38,'ElggUser','user','','login:after',38,0,2,'yes',1475289313,'172.18.100.205'); /*!40000 ALTER TABLE `elgg_system_log` ENABLE KEYS */; UNLOCK TABLES; @@ -653,7 +653,7 @@ CREATE TABLE `elgg_users_entity` ( LOCK TABLES `elgg_users_entity` WRITE; /*!40000 ALTER TABLE `elgg_users_entity` DISABLE KEYS */; -INSERT INTO `elgg_users_entity` VALUES (37,'Admin','Admin','','','$2y$10$Diq0CiisgUYec08AfePVseHXXqE04y/FDWABr2dZPLrEqY.qxWvXa','admin@schoolserver.lan','en','no','yes',1424199691,1424199691,1424199685,0); +INSERT INTO `elgg_users_entity` VALUES (38,'School Server','Admin','','','$2y$10$zlirLmRcu5JMpj8NA/Tir.MY4DJQqvK7dAck0ujfBlmFW2UWwCZ/y','admin@schoolserver.lan','en','no','yes',1475289554,1475289554,1475289313,1475289252); /*!40000 ALTER TABLE `elgg_users_entity` ENABLE KEYS */; UNLOCK TABLES; 
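Review bot: The replacement row in the `INSERT INTO `elgg_users_entity`` line bakes a fixed bcrypt hash and the login `admin@schoolserver.lan` for user guid 38 into a fixture that every deployment loads, so one credential opens the admin account on every server built from this role. The seed should carry no usable admin credential: strip the password column from the seeded row and have the playbook set it at install time from the deployment's secrets file (where `elgg_mysql_password` already lives), or at minimum force a password change on first login and say so in the role. The `elgg_system_log` rows above also record the build host's address `172.18.100.205`; that hunk starts outside this view, but the table could be emptied before dumping.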
@@ -702,7 +702,7 @@ CREATE TABLE `elgg_users_sessions` ( LOCK TABLES `elgg_users_sessions` WRITE; /*!40000 ALTER TABLE `elgg_users_sessions` DISABLE KEYS */; -INSERT INTO `elgg_users_sessions` VALUES ('pu0sji7jfhbvlkb5pp6irrku40',1424199692,'guid|i:37;msg|a:0:{}__elgg_session|s:32:\"5fe6c2d5e6c4d97d1155f5ba44270f63\";'); +INSERT INTO `elgg_users_sessions` VALUES ('l74sjfekegmkddl6i5ji36pci7',1475289303,'_sf2_attributes|a:2:{s:14:\"__elgg_session\";s:22:\"EczXso_g6GlfGaa0T7DO98\";s:3:\"msg\";a:0:{}}_sf2_flashes|a:0:{}_sf2_meta|a:3:{s:1:\"u\";i:1475289302;s:1:\"c\";i:1475289302;s:1:\"l\";s:1:\"0\";}'),('3gof2j0qojcjhh1mmrd8vmms66',1475289554,'_sf2_attributes|a:3:{s:14:\"__elgg_session\";s:22:\"EczXso_g6GlfGaa0T7DO98\";s:3:\"msg\";a:0:{}s:4:\"guid\";i:38;}_sf2_flashes|a:0:{}_sf2_meta|a:3:{s:1:\"u\";i:1475289554;s:1:\"c\";i:1475289302;s:1:\"l\";s:1:\"0\";}'); /*!40000 ALTER TABLE `elgg_users_sessions` ENABLE KEYS */; UNLOCK TABLES; /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; @@ -715,4 +715,4 @@ UNLOCK TABLES; /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; --- Dump completed on 2015-02-17 14:02:41 +-- Dump completed on 2016-10-01 9:53:53 From a6686da5425e79ce65a16fe08f64235bb2783055 Mon Sep 17 00:00:00 2001 From: George Hunt Date: Sat, 1 Oct 2016 11:34:32 -0400 Subject: [PATCH 03/13] settings.php needs to be a template --- roles/elgg/defaults/main.yml | 4 +- roles/elgg/tasks/main.yml | 2 +- roles/elgg/templates/settings.php.j2 | 212 +++++++++++++++++++++++++++ 3 files changed, 215 insertions(+), 3 deletions(-) create mode 100644 roles/elgg/templates/settings.php.j2 diff --git a/roles/elgg/defaults/main.yml b/roles/elgg/defaults/main.yml index fc287779..8a617ccb 100644 --- a/roles/elgg/defaults/main.yml +++ b/roles/elgg/defaults/main.yml 
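Review bot: The new `INSERT INTO `elgg_users_sessions`` line ships two live session records into every installation, the second of them bound to `guid;i:38`, the admin account seeded in the `elgg_users_entity` hunk, so a session identifier committed to this repository is valid on each server until it expires or the table is cleared. Session state belongs to a running instance, not to a fixture: drop this INSERT and leave the table empty, or produce the dump with `mysqldump --ignore-table=elggdb.elgg_users_sessions` (the role's header comment documents the dump command) so the problem does not return on the next refresh. The row this replaces had the same defect, so the fix is not a regression of this commit but worth taking while the dump is being regenerated.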
@@ -9,8 +9,8 @@ elgg_enabled: False # following variables used in elgg engine/settings.php template timezone: America/New_York -dbuser: elgguser -dbpassword: "{{ elgg_mysql_password }}" +dbuser: Admin +dbpassword: changeme dbname: elggdb dbhost: localhost dbprefix: elgg_ diff --git a/roles/elgg/tasks/main.yml b/roles/elgg/tasks/main.yml index 3bd42300..3bb35b6d 100644 --- a/roles/elgg/tasks/main.yml +++ b/roles/elgg/tasks/main.yml @@ -78,7 +78,7 @@ #- use template to fix up settings in engine/settings.php with our variables substituted into engine/settings.example.php - name: Substitute our parameters in engine/settings.example.php - template: src="/opt/{{ elgg_xx }}/engine/settings.example.php" + template: src="settings.php.j2" dest="/opt/{{ elgg_xx }}/engine/settings.php" owner=apache diff --git a/roles/elgg/templates/settings.php.j2 b/roles/elgg/templates/settings.php.j2 new file mode 100644 index 00000000..79abb6f1 --- /dev/null +++ b/roles/elgg/templates/settings.php.j2 
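Review bot: `dbpassword: changeme` replaces a value that was taken from `elgg_mysql_password` with a literal committed to the role, and that literal is what the new `settings.php.j2` template renders into `engine/settings.php` on every host, so together with `dbuser: Admin` the Elgg database credential becomes a public default. Keep the indirection, `dbpassword: "{{ elgg_mysql_password }}"`, and if the user name really had to change make it a variable as well, so the deployment's default_vars (which the file's earlier comment names as the home of `elgg_mysql_password`) stays the single place passwords live. If `changeme` is intended as a placeholder, a role default is the wrong place for it, because nothing fails when it is left unchanged.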
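Review bot: The task name `Substitute our parameters in engine/settings.example.php` and the comment above it still describe the old source, while the template is now the role's own file (`src="settings.php.j2"`); rename it, e.g. `- name: Render engine/settings.php from the role template`, so play output matches what actually runs. The rendered file holds the database password and the visible lines set only `owner=apache`; if no `mode=` appears in the part of this task cut off after `owner=apache`, add `mode=0640` so the file is not world-readable on the host.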
@@ -0,0 +1,212 @@ +dbuser + */ +$CONFIG->dbuser = '{{dbuser}}'; + +/** + * The database password + * + * @global string $CONFIG->dbpass + */ +$CONFIG->dbpass = '{{dbpassword}}'; + +/** + * The database name + * + * @global string $CONFIG->dbname + */ +$CONFIG->dbname = '{{dbname}}'; + +/** + * The database host. + * + * For most installations, this is 'localhost' + * + * @global string $CONFIG->dbhost + */ +$CONFIG->dbhost = '{{dbhost}}'; + +/** + * The database prefix + * + * This prefix will be appended to all Elgg tables. If you're sharing + * a database with other applications, use a database prefix to namespace tables + * in order to avoid table name collisions. + * + * @global string $CONFIG->dbprefix + */ +$CONFIG->dbprefix = '{{deprefix}}'; + +/** + * Multiple database connections + * + * Elgg supports master/slave MySQL configurations. The master should be set as + * the 'write' connection and the slave(s) as the 'read' connection(s). + * + * To use, uncomment the below configuration and update for your site. + */ +//$CONFIG->db['split'] = true; + +//$CONFIG->db['write']['dbuser'] = ""; +//$CONFIG->db['write']['dbpass'] = ""; +//$CONFIG->db['write']['dbname'] = ""; +//$CONFIG->db['write']['dbhost'] = ""; + +//$CONFIG->db['read'][0]['dbuser'] = ""; +//$CONFIG->db['read'][0]['dbpass'] = ""; +//$CONFIG->db['read'][0]['dbname'] = ""; +//$CONFIG->db['read'][0]['dbhost'] = ""; +//$CONFIG->db['read'][1]['dbuser'] = ""; +//$CONFIG->db['read'][1]['dbpass'] = ""; +//$CONFIG->db['read'][1]['dbname'] = ""; +//$CONFIG->db['read'][1]['dbhost'] = ""; + +/** + * Memcache setup (optional) + * This is where you may optionally set up memcache. 
+ * + * Requirements: + * 1) One or more memcache servers (http://www.danga.com/memcached/) + * 2) PHP memcache wrapper (http://php.net/manual/en/memcache.setup.php) + * + * Note: Multiple server support is only available on server 1.2.1 + * or higher with PECL library > 2.0.0 + */ +//$CONFIG->memcache = true; +// +//$CONFIG->memcache_servers = array ( +// array('server1', 11211), +// array('server2', 11211) +//); + + +/** + * Better caching performance + * + * Configuring the location of your data directory and enabling simplecache in + * the settings.php file improves caching performance. It allows Elgg to skip + * connecting to the database when serving cached JavaScript and CSS files. If + * you uncomment and configure these settings, you will not be able to change + * them from the Elgg advanced settings page. + */ +//$CONFIG->dataroot = ""; +//$CONFIG->simplecache_enabled = true; + + +/** + * Cookie configuration + * + * Elgg uses 2 cookies: a PHP session cookie and an extended login cookie + * (also called the remember me cookie). See the PHP manual for documentation on + * each of these parameters. Possible options: + * + * - Set the session name to share the session across applications. + * - Set the path because Elgg is not installed in the root of the web directory. + * - Set the secure option to true if you only serve the site over HTTPS. + * - Set the expire option on the remember me cookie to change its lifetime + * + * To use, uncomment the appropriate sections below and update for your site. 
+ * + * @global array $CONFIG->cookies + */ +// get the default parameters from php.ini +//$CONFIG->cookies['session'] = session_get_cookie_params(); +//$CONFIG->cookies['session']['name'] = "Elgg"; +// optionally overwrite the defaults from php.ini below +//$CONFIG->cookies['session']['path'] = "/"; +//$CONFIG->cookies['session']['domain'] = ""; +//$CONFIG->cookies['session']['secure'] = false; +//$CONFIG->cookies['session']['httponly'] = false; + +// extended session cookie +//$CONFIG->cookies['remember_me'] = session_get_cookie_params(); +//$CONFIG->cookies['remember_me']['name'] = "elggperm"; +//$CONFIG->cookies['remember_me']['expire'] = strtotime("+30 days"); +// optionally overwrite the defaults from php.ini below +//$CONFIG->cookies['remember_me']['path'] = "/"; +//$CONFIG->cookies['remember_me']['domain'] = ""; +//$CONFIG->cookies['remember_me']['secure'] = false; +//$CONFIG->cookies['remember_me']['httponly'] = false; + + +/** + * Use non-standard headers for broken MTAs. + * + * The default header EOL for headers is \r\n. This causes problems + * on some broken MTAs. Setting this to true will cause Elgg to use + * \n, which will fix some problems sending email on broken MTAs. + * + * @global bool $CONFIG->broken_mta + */ +$CONFIG->broken_mta = false; + +/** + * Disable the database query cache + * + * Elgg stores each query and its results in a query cache. + * On large sites or long-running scripts, this cache can grow to be + * large. To disable query caching, set this to true. + * + * @global bool $CONFIG->db_disable_query_cache + */ +$CONFIG->db_disable_query_cache = false; + +/** + * Minimum password length + * + * This value is used when validating a user's password during registration. + * + * @global int $CONFIG->min_password_length + */ +$CONFIG->min_password_length = 6; + +/** + * This is an optional script used to override Elgg's default handling of + * uncaught exceptions. 
+ * + * This should be an absolute file path to a php script that will be called + * any time an uncaught exception is thrown. + * + * The script will have access to the following variables as part of the scope + * global $CONFIG + * $exception - the unhandled exception + * + * @warning - the database may not be available + * + * @global string $CONFIG->exception_include + */ +$CONFIG->exception_include = ''; From a58ae7ff193b11924b7fec020b0da683d170c79d Mon Sep 17 00:00:00 2001 From: George Hunt Date: Sat, 1 Oct 2016 12:22:37 -0400 Subject: [PATCH 04/13] corrections to template --- roles/elgg/templates/settings.php.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elgg/templates/settings.php.j2 b/roles/elgg/templates/settings.php.j2 index 79abb6f1..a9124440 100644 --- a/roles/elgg/templates/settings.php.j2 +++ b/roles/elgg/templates/settings.php.j2 @@ -69,7 +69,7 @@ $CONFIG->dbhost = '{{dbhost}}'; * * @global string $CONFIG->dbprefix */ -$CONFIG->dbprefix = '{{deprefix}}'; +$CONFIG->dbprefix = '{{dbprefix}}'; /** * Multiple database connections From bce1966c70b5230fbdc0db93ae14f6edd04c3dc5 Mon Sep 17 00:00:00 2001 From: George Hunt Date: Sat, 1 Oct 2016 12:37:42 -0400 Subject: [PATCH 05/13] only one change ownership required: --- roles/elgg/tasks/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/elgg/tasks/main.yml b/roles/elgg/tasks/main.yml index 3bb35b6d..67be1687 100644 --- a/roles/elgg/tasks/main.yml +++ b/roles/elgg/tasks/main.yml @@ -86,9 +86,6 @@ template: src=elgg.conf dest=/etc/httpd/conf.d/elgg.conf when: mysql_enabled and elgg_enabled -- name: Change permissions on engine directory so apache can write - file: path=/opt/elgg/ owner=apache mode=0755 state=directory - - name: Create an upload directory that Apache can write in or elgg file: path={{ elgg_upload_path }} state=directory owner=apache From 6d36229c52ab956a6a695c96a6e21fd12265e992 Mon Sep 17 00:00:00 2001 
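Review bot: The database values are interpolated into single-quoted PHP strings (`$CONFIG->dbpass = '{{dbpassword}}';` and the neighbouring `dbuser`, `dbname`, `dbhost`, `dbprefix` lines), so a password containing `'` or `\` yields a settings.php that fails to parse or silently truncates the value, with no error at playbook time; either document that constraint on the variables or escape in the template, e.g. `'{{ dbpassword | replace("\\", "\\\\") | replace("'", "\\'") }}'` (both filters are Jinja built-ins). Since the role now owns this file instead of copying upstream's example, the cookie settings the upstream comments leave disabled can be set here rather than per-site, following the commented example (`session_get_cookie_params()` first, then `$CONFIG->cookies['session']['httponly'] = true;`). The opening `<?php` line and first docblock of this new file are not legible in this view, so I cannot tell whether the template begins correctly; worth a glance at the rendered output.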
From: root Date: Sun, 2 Oct 2016 01:33:57 +0530 Subject: [PATCH 06/13] Freeradius initial implementation --- roles/network/defaults/main.yml | 5 + roles/network/files/radius/default | 879 ++++++++++++++++++ roles/network/files/radius/radiusd.conf | 768 +++++++++++++++ roles/network/tasks/coova-chilli.yml | 0 roles/network/tasks/daloradius.yml | 0 roles/network/tasks/main.yml | 6 + roles/network/tasks/radius.yml | 93 ++ roles/network/templates/chilli/config.j2 | 207 +++++ roles/network/templates/chilli/ifup.sh | 4 + .../templates/daloradius/daloradius.conf.j2 | 8 + .../network/templates/radius/chillispot.conf | 10 + .../network/templates/radius/clients.conf.j2 | 268 ++++++ roles/network/templates/radius/inner-tunnel | 390 ++++++++ roles/network/templates/radius/schema.sql.j2 | 150 +++ roles/network/templates/radius/setup.sql.j2 | 24 + roles/network/templates/radius/sql.j2 | 220 +++++ 16 files changed, 3032 insertions(+) create mode 100644 roles/network/files/radius/default create mode 100755 roles/network/files/radius/radiusd.conf create mode 100644 roles/network/tasks/coova-chilli.yml create mode 100644 roles/network/tasks/daloradius.yml create mode 100644 roles/network/tasks/radius.yml create mode 100644 roles/network/templates/chilli/config.j2 create mode 100755 roles/network/templates/chilli/ifup.sh create mode 100644 roles/network/templates/daloradius/daloradius.conf.j2 create mode 100644 roles/network/templates/radius/chillispot.conf create mode 100644 roles/network/templates/radius/clients.conf.j2 create mode 100644 roles/network/templates/radius/inner-tunnel create mode 100755 roles/network/templates/radius/schema.sql.j2 create mode 100755 roles/network/templates/radius/setup.sql.j2 create mode 100644 roles/network/templates/radius/sql.j2 diff --git a/roles/network/defaults/main.yml b/roles/network/defaults/main.yml index a45c4ec4..1b3d9aef 100644 --- a/roles/network/defaults/main.yml +++ b/roles/network/defaults/main.yml 
@@ -9,3 +9,8 @@ host_wifi_mode: g
 host_channel: 6
 host_wireless_n: False
 host_country_code: US
+captive_portal: True
+freeradius_db_password: g0adm1n
+freeradius_admin_user: xsce-admin
+freeradius_admin_password: g0adm1n
+freeradius_secret: g0adm1n
diff --git a/roles/network/files/radius/default b/roles/network/files/radius/default
new file mode 100644
index 00000000..e8928fc8
--- /dev/null
+++ b/roles/network/files/radius/default
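Review bot: `freeradius_db_password`, `freeradius_admin_password` and `freeradius_secret` all get the same literal default `g0adm1n` in a role defaults file, the lowest-precedence and most public place a value can live; the RADIUS shared secret in particular is what authenticates the NAS (presumably the coova-chilli portal added in this series) to the server, so any site that does not override it runs with a secret readable in this repository. Follow the pattern the elgg role uses for `elgg_mysql_password` (defined in the deployment's default_vars, not the role): declare these without a working default, or reference secrets-file variables, and use three distinct values for the database password, the admin login and the shared secret. `captive_portal: True` as a default also switches the new feature on for every existing deployment that upgrades; `captive_portal: False` until the role has been exercised would be the safer default.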
@@ -0,0 +1,879 @@ +###################################################################### +# +# As of 2.0.0, FreeRADIUS supports virtual hosts using the +# "server" section, and configuration directives. +# +# Virtual hosts should be put into the "sites-available" +# directory. Soft links should be created in the "sites-enabled" +# directory to these files. This is done in a normal installation. +# +# If you are using 802.1X (EAP) authentication, please see also +# the "inner-tunnel" virtual server. You will likely have to edit +# that, too, for authentication to work. +# +# $Id: 77c271c4820c2d609b7d0a6bc2b65636d73730bc $ +# +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. See also "man unlang", which documents the format +# of this file. +# +# This configuration is designed to work in the widest possible +# set of circumstances, with the widest possible number of +# authentication methods. This means that in general, you should +# need to make very few changes to this file. +# +# The best way to configure the server for your local system +# is to CAREFULLY edit this file. Most attempts to make large +# edits to this file will BREAK THE SERVER. Any edits should +# be small, and tested by running the server with "radiusd -X". +# Once the edits have been verified to work, save a copy of these +# configuration files somewhere. (e.g. as a "tar" file). Then, +# make more edits, and test, as above. +# +# There are many "commented out" references to modules such +# as ldap, sql, etc. These references serve as place-holders. +# If you need the functionality of that module, then configure +# it in radiusd.conf, and un-comment the references to it in +# this file. 
In most cases, those small changes will result +# in the server being able to connect to the DB, and to +# authenticate users. +# +###################################################################### + +server default { +# +# If you want the server to listen on additional addresses, or on +# additional ports, you can use multiple "listen" sections. +# +# Each section make the server listen for only one type of packet, +# therefore authentication and accounting have to be configured in +# different sections. +# +# The server ignore all "listen" section if you are using '-i' and '-p' +# on the command line. +# +listen { + # Type of packets to listen for. + # Allowed values are: + # auth listen for authentication packets + # acct listen for accounting packets + # proxy IP to use for sending proxied packets + # detail Read from the detail file. For examples, see + # raddb/sites-available/copy-acct-to-home-server + # status listen for Status-Server packets. For examples, + # see raddb/sites-available/status + # coa listen for CoA-Request and Disconnect-Request + # packets. For examples, see the file + # raddb/sites-available/coa + # + type = auth + + # Note: "type = proxy" lets you control the source IP used for + # proxying packets, with some limitations: + # + # * A proxy listener CANNOT be used in a virtual server section. + # * You should probably set "port = 0". + # * Any "clients" configuration will be ignored. + # + # See also proxy.conf, and the "src_ipaddr" configuration entry + # in the sample "home_server" section. When you specify the + # source IP address for packets sent to a home server, the + # proxy listeners are automatically created. + + # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. + # Out of several options the first one will be used. + # + # Allowed values are: + # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr) + # IPv6 address (e.g. 
2001:db8::1, for ipv6addr/ipaddr) + # hostname (radius.example.com, + # A record for ipv4addr, + # AAAA record for ipv6addr, + # A or AAAA record for ipaddr) + # wildcard (*) + # + # ipv4addr = * + # ipv6addr = * + ipaddr = * + + # Port on which to listen. + # Allowed values are: + # integer port number (1812) + # 0 means "use /etc/services for the proper port" + port = 0 + + # Some systems support binding to an interface, in addition + # to the IP address. This feature isn't strictly necessary, + # but for sites with many IP addresses on one interface, + # it's useful to say "listen on all addresses for eth0". + # + # If your system does not support this feature, you will + # get an error if you try to use it. + # +# interface = eth0 + + # Per-socket lists of clients. This is a very useful feature. + # + # The name here is a reference to a section elsewhere in + # radiusd.conf, or clients.conf. Having the name as + # a reference allows multiple sockets to use the same + # set of clients. + # + # If this configuration is used, then the global list of clients + # is IGNORED for this "listen" section. Take care configuring + # this feature, to ensure you don't accidentally disable a + # client you need. + # + # See clients.conf for the configuration of "per_socket_clients". + # +# clients = per_socket_clients + + # + # Connection limiting for sockets with "proto = tcp". + # + # This section is ignored for other kinds of sockets. + # + limit { + # + # Limit the number of simultaneous TCP connections to the socket + # + # The default is 16. + # Setting this to 0 means "no limit" + max_connections = 16 + + # The per-socket "max_requests" option does not exist. + + # + # The lifetime, in seconds, of a TCP connection. After + # this lifetime, the connection will be closed. + # + # Setting this to 0 means "forever". + lifetime = 0 + + # + # The idle timeout, in seconds, of a TCP connection. 
+ # If no packets have been received over the connection for + # this time, the connection will be closed. + # + # Setting this to 0 means "no timeout". + # + # We STRONGLY RECOMMEND that you set an idle timeout. + # + idle_timeout = 30 + } +} + +# +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + ipaddr = * +# ipv6addr = :: + port = 0 + type = acct +# interface = eth0 +# clients = per_socket_clients + + limit { + # The number of packets received can be rate limited via the + # "max_pps" configuration item. When it is set, the server + # tracks the total number of packets received in the previous + # second. If the count is greater than "max_pps", then the + # new packet is silently discarded. This helps the server + # deal with overload situations. + # + # The packets/s counter is tracked in a sliding window. This + # means that the pps calculation is done for the second + # before the current packet was received. NOT for the current + # wall-clock second, and NOT for the previous wall-clock second. + # + # Useful values are 0 (no limit), or 100 to 10000. + # Values lower than 100 will likely cause the server to ignore + # normal traffic. Few systems are capable of handling more than + # 10K packets/s. + # + # It is most useful for accounting systems. Set it to 50% + # more than the normal accounting load, and you can be sure that + # the server will never get overloaded + # +# max_pps = 0 + + # Only for "proto = tcp". These are ignored for "udp" sockets. + # +# idle_timeout = 0 +# lifetime = 0 +# max_connections = 0 + } +} + +# IPv6 versions of the above - read their full config to understand options +listen { + type = auth + ipv6addr = :: # any. 
::1 == localhost + port = 0 +# interface = eth0 +# clients = per_socket_clients + limit { + max_connections = 16 + lifetime = 0 + idle_timeout = 30 + } +} + +listen { + ipv6addr = :: + port = 0 + type = acct +# interface = eth0 +# clients = per_socket_clients + + limit { +# max_pps = 0 +# idle_timeout = 0 +# lifetime = 0 +# max_connections = 0 + } +} + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# Any changes made here should also be made to the "inner-tunnel" +# virtual server. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + # + # Take a User-Name, and perform some checks on it, for spaces and other + # invalid characters. If the User-Name appears invalid, reject the + # request. + # + # See policy.d/filter for the definition of the filter_username policy. + # + # filter_username + + # + # The preprocess module takes care of sanitizing some bizarre + # attributes in the request, and turning them into attributes + # which are more standard. + # + # It takes care of processing the 'raddb/hints' and the + # 'raddb/huntgroups' files. + preprocess + + # If you intend to use CUI and you require that the Operator-Name + # be set for CUI generation and you want to generate CUI also + # for your local clients then uncomment the operator-name + # below and set the operator-name for your clients in clients.conf +# operator-name + + # + # If you want to generate CUI for some clients that do not + # send proper CUI requests, then uncomment the + # cui below and set "add_cui = yes" for these clients in clients.conf +# cui + + # + # If you want to have a log of authentication requests, + # un-comment the following line, and the 'detail auth_log' + # section, above. 
+ auth_log + + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. + mschap + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authenticate' section. + digest + + # + # The WiMAX specification says that the Calling-Station-Id + # is 6 octets of the MAC. This definition conflicts with + # RFC 3580, and all common RADIUS practices. Un-commenting + # the "wimax" module here means that it will fix the + # Calling-Station-Id attribute to the normal format as + # specified in RFC 3580 Section 3.21 +# wimax + + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +# IPASS + + # + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. + # + suffix +# ntdomain + + # + # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP + # authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # As of 2.0, the EAP module returns "ok" in the authorize stage + # for TTLS and PEAP. In 1.x, it never returned "ok" here, so + # this change is compatible with older configurations. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". 
+ # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. + # + eap { + ok = return + } + + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # passwd module in radiusd.conf. + # + unix + + # + # Read the 'users' file + files + + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in sql.conf + sql + + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'smbpasswd' module. +# smbpasswd + + # + # The ldap module reads passwords from the LDAP database. + -ldap + + # + # Enforce daily limits on time spent logged in. +# daily + + # + expiration + logintime + + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # + pap + + # + # If "status_server = yes", then Status-Server messages are passed + # through the following section, and ONLY the following section. + # This permits you to do DB queries, for example. If the modules + # listed here return "fail", then NO response is sent. + # +# Autz-Type Status-Server { +# +# } + chillispot_max_bytes + noresetcounter +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. 
It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the appropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user (Auth-Type := Reject), +# or to or forcibly accept the user (Auth-Type := Accept). +# +# Note that Auth-Type := Accept will NOT work with EAP. +# +# Please do not put "unlang" configurations into the "authenticate" +# section. Put them in the "post-auth" section instead. That's what +# the post-auth section is for. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. The + # password can be clear-text, or encrypted. + Auth-Type PAP { + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + mschap + } + + # + # If you have a Cisco SIP server authenticating against + # FreeRADIUS, uncomment the following line, and the 'digest' + # line in the 'authorize' section. + digest + + # + # Pluggable Authentication Modules. +# pam + + # Uncomment it if you want to use ldap for authentication + # + # Note that this means "check plain-text password against + # the ldap database", which means that EAP won't work, + # as it does not supply a plain-text password. + # + # We do NOT recommend using this. LDAP servers are databases. + # They are NOT authentication servers. 
FreeRADIUS is an + # authentication server, and knows what to do with authentication. + # LDAP servers do not. + # +# Auth-Type LDAP { +# ldap +# } + + # + # Allow EAP authentication. + eap + + # + # The older configurations sent a number of attributes in + # Access-Challenge packets, which wasn't strictly correct. + # If you want to filter out these attributes, uncomment + # the following lines. + # +# Auth-Type eap { +# eap { +# handled = 1 +# } +# if (handled && (Response-Packet-Type == Access-Challenge)) { +# attr_filter.access_challenge.post-auth +# handled # override the "updated" code from attr_filter +# } +# } +} + + +# +# Pre-accounting. Decide which accounting type to use. +# +preacct { + preprocess + + # + # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets + # into a single 64bit counter Acct-[Input|Output]-Octets64. + # +# acct_counters64 + + # + # Session start times are *implied* in RADIUS. + # The NAS never sends a "start time". Instead, it sends + # a start packet, *possibly* with an Acct-Delay-Time. + # The server is supposed to conclude that the start time + # was "Acct-Delay-Time" seconds in the past. + # + # The code below creates an explicit start time, which can + # then be used in other modules. It will be *mostly* correct. + # Any errors are due to the 1-second resolution of RADIUS, + # and the possibility that the time on the NAS may be off. + # + # The start time is: NOW - delay - session_length + # + +# update request { +# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" +# } + + + # + # Ensure that we have a semi-unique identifier for every + # request, and many NAS boxes are broken. + acct_unique + + # + # Look for IPASS-style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. + # + # Accounting requests are generally proxied to the same + # home server as authentication requests. 
+# IPASS
+ suffix
+# ntdomain
+
+ #
+ # Read the 'acct_users' file
+ files
+}
+
+#
+# Accounting. Log the accounting data.
+#
+accounting {
+ # Update accounting packet by adding the CUI attribute
+ # recorded from the corresponding Access-Accept
+ # use it only if your NAS boxes do not support CUI themselves
+# cui
+ #
+ # Create a 'detail'ed log of the packets.
+ # Note that accounting requests which are proxied
+ # are also logged in the detail file.
+ detail
+# daily
+
+ # Update the wtmp file
+ #
+ # If you don't use "radlast", you can delete this line.
+ unix
+
+ #
+ # For Simultaneous-Use tracking.
+ #
+ # Due to packet losses in the network, the data here
+ # may be incorrect. There is little we can do about it.
+ radutmp
+# sradutmp
+
+ # Return an address to the IP Pool when we see a stop record.
+# main_pool
+
+ #
+ # Log traffic to an SQL database.
+ #
+ # See "Accounting queries" in sql.conf
+ sql
+
+ #
+ # If you receive stop packets with zero session length,
+ # they will NOT be logged in the database. The SQL module
+ # will print a message (only in debugging mode), and will
+ # return "noop".
+ #
+ # You can ignore these packets by uncommenting the following
+ # three lines. Otherwise, the server will not respond to the
+ # accounting request, and the NAS will retransmit.
+ #
+# if (noop) {
+# ok
+# }
+
+ #
+ # Instead of sending the query to the SQL server,
+ # write it into a log file.
+ #
+# sql_log
+
+ # Cisco VoIP specific bulk accounting
+# pgsql-voip
+
+ # For Exec-Program and Exec-Program-Wait
+ exec
+
+ # Filter attributes from the accounting response.
+ attr_filter.accounting_response
+
+ #
+ # See "Autz-Type Status-Server" for how this works.
+ #
+# Acct-Type Status-Server {
+#
+# }
+}
+
+
+# Session database, used for checking Simultaneous-Use. Either the radutmp
+# or rlm_sql module can handle this.
+# The rlm_sql module is *much* faster
+session {
+ radutmp
+
+ #
+ # See "Simultaneous Use Checking Queries" in sql.conf
+ sql
+}
+
+
+# Post-Authentication
+# Once we KNOW that the user has been authenticated, there are
+# additional steps we can take.
+post-auth {
+ # Get an address from the IP Pool.
+# main_pool
+
+
+ # Create the CUI value and add the attribute to Access-Accept.
+ # Uncomment the line below if *returning* the CUI.
+# cui
+
+ #
+ # If you want to have a log of authentication replies,
+ # un-comment the following line, and enable the
+ # 'detail reply_log' module.
+ reply_log
+
+ #
+ # After authenticating the user, do another SQL query.
+ #
+ # See "Authentication Logging Queries" in sql.conf
+ sql
+
+ #
+ # Instead of sending the query to the SQL server,
+ # write it into a log file.
+ #
+# sql_log
+
+ #
+ # Un-comment the following if you want to modify the user's object
+ # in LDAP after a successful login.
+ #
+# ldap
+
+ # For Exec-Program and Exec-Program-Wait
+ exec
+
+ #
+ # Calculate the various WiMAX keys. In order for this to work,
+ # you will need to define the WiMAX NAI, usually via
+ #
+ # update request {
+ # WiMAX-MN-NAI = "%{User-Name}"
+ # }
+ #
+ # If you want various keys to be calculated, you will need to
+ # update the reply with "template" values. The module will see
+ # this, and replace the template values with the correct ones
+ # taken from the cryptographic calculations. e.g.
+ #
+ # update reply {
+ # WiMAX-FA-RK-Key = 0x00
+ # WiMAX-MSK = "%{EAP-MSK}"
+ # }
+ #
+ # You may want to delete the MS-MPPE-*-Keys from the reply,
+ # as some WiMAX clients behave badly when those attributes
+ # are included. See "raddb/modules/wimax", configuration
+ # entry "delete_mppe_keys" for more information.
+ #
+# wimax
+
+
+ # If there is a client certificate (EAP-TLS, sometimes PEAP
+ # and TTLS), then some attributes are filled out after the
+ # certificate verification has been performed.
These fields
+ # MAY be available during the authentication, or they may be
+ # available only in the "post-auth" section.
+ #
+ # The first set of attributes contains information about the
+ # issuing certificate which is being used. The second
+ # contains information about the client certificate (if
+ # available).
+#
+# update reply {
+# Reply-Message += "%{TLS-Cert-Serial}"
+# Reply-Message += "%{TLS-Cert-Expiration}"
+# Reply-Message += "%{TLS-Cert-Subject}"
+# Reply-Message += "%{TLS-Cert-Issuer}"
+# Reply-Message += "%{TLS-Cert-Common-Name}"
+# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
+#
+# Reply-Message += "%{TLS-Client-Cert-Serial}"
+# Reply-Message += "%{TLS-Client-Cert-Expiration}"
+# Reply-Message += "%{TLS-Client-Cert-Subject}"
+# Reply-Message += "%{TLS-Client-Cert-Issuer}"
+# Reply-Message += "%{TLS-Client-Cert-Common-Name}"
+# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
+# }
+
+ # Insert class attribute (with unique value) into response,
+ # aids matching auth and acct records, and protects against duplicate
+ # Acct-Session-Id. Note: Only works if the NAS has implemented
+ # RFC 2865 behaviour for the class attribute, AND if the NAS
+ # supports long Class attributes. Many older or cheap NASes
+ # only support 16-octet Class attributes.
+# insert_acct_class
+
+ # MacSEC requires the use of EAP-Key-Name. However, we don't
+ # want to send it for all EAP sessions. Therefore, the EAP
+ # modules put required data into the EAP-Session-Id attribute.
+ # This attribute is never put into a request or reply packet.
+ #
+ # Uncomment the next few lines to copy the required data into
+ # the EAP-Key-Name attribute
+# if (reply:EAP-Session-Id) {
+# update reply {
+# EAP-Key-Name := "%{reply:EAP-Session-Id}"
+# }
+# }
+
+ # Remove reply message if the response contains an EAP-Message
+ remove_reply_message_if_eap
+
+ #
+ # Access-Reject packets are sent through the REJECT sub-section of the
+ # post-auth section.
+ #
+ # Add the ldap module name (or instance) if you have set
+ # 'edir_account_policy_check = yes' in the ldap module configuration
+ #
+ Post-Auth-Type REJECT {
+ # log failed authentications in SQL, too.
+ -sql
+ attr_filter.access_reject
+
+ # Insert EAP-Failure message if the request was
+ # rejected by policy instead of because of an
+ # authentication failure
+ eap
+
+ # Remove reply message if the response contains an EAP-Message
+ remove_reply_message_if_eap
+ }
+}
+
+#
+# When the server decides to proxy a request to a home server,
+# the proxied request is first passed through the pre-proxy
+# stage. This stage can re-write the request, or decide to
+# cancel the proxy.
+#
+# Only a few modules currently have this method.
+#
+pre-proxy {
+ # Before proxing the request add an Operator-Name attribute identifying
+ # if the operator-name is found for this client.
+ # No need to uncomment this if you have already enabled this in
+ # the authorize section.
+# operator-name
+
+ # The client requests the CUI by sending a CUI attribute
+ # containing one zero byte.
+ # Uncomment the line below if *requesting* the CUI.
+# cui
+
+ # Uncomment the following line if you want to change attributes
+ # as defined in the preproxy_users file.
+# files
+
+ # Uncomment the following line if you want to filter requests
+ # sent to remote servers based on the rules defined in the
+ # 'attrs.pre-proxy' file.
+# attr_filter.pre-proxy
+
+ # If you want to have a log of packets proxied to a home
+ # server, un-comment the following line, and the
+ # 'detail pre_proxy_log' section, above.
+# pre_proxy_log
+}
+
+#
+# When the server receives a reply to a request it proxied
+# to a home server, the request may be massaged here, in the
+# post-proxy stage.
+#
+post-proxy {
+
+ # If you want to have a log of replies from a home server,
+ # un-comment the following line, and the 'detail post_proxy_log'
+ # section, above.
+# post_proxy_log
+
+ # Uncomment the following line if you want to filter replies from
+ # remote proxies based on the rules defined in the 'attrs' file.
+# attr_filter.post-proxy
+
+ #
+ # If you are proxying LEAP, you MUST configure the EAP
+ # module, and you MUST list it here, in the post-proxy
+ # stage.
+ #
+ # You MUST also use the 'nostrip' option in the 'realm'
+ # configuration. Otherwise, the User-Name attribute
+ # in the proxied request will not match the user name
+ # hidden inside of the EAP packet, and the end server will
+ # reject the EAP request.
+ #
+ eap
+
+ #
+ # If the server tries to proxy a request and fails, then the
+ # request is processed through the modules in this section.
+ #
+ # The main use of this section is to permit robust proxying
+ # of accounting packets. The server can be configured to
+ # proxy accounting packets as part of normal processing.
+ # Then, if the home server goes down, accounting packets can
+ # be logged to a local "detail" file, for processing with
+ # radrelay. When the home server comes back up, radrelay
+ # will read the detail file, and send the packets to the
+ # home server.
+ #
+ # With this configuration, the server always responds to
+ # Accounting-Requests from the NAS, but only writes
+ # accounting packets to disk if the home server is down.
+ #
+# Post-Proxy-Type Fail {
+# detail
+# }
+}
+}
diff --git a/roles/network/files/radius/radiusd.conf b/roles/network/files/radius/radiusd.conf
new file mode 100755
index 00000000..ffea1f16
--- /dev/null
+++ b/roles/network/files/radius/radiusd.conf
@@ -0,0 +1,768 @@
+# -*- text -*-
+##
+## radiusd.conf -- FreeRADIUS server configuration file - 3.0.4
+##
+## http://www.freeradius.org/
+## $Id: 307ae108f579b9c339e6ba819387ff7ad8baff87 $
+##
+
+######################################################################
+#
+# Read "man radiusd" before editing this file. See the section
+# titled DEBUGGING. It outlines a method where you can quickly
+# obtain the configuration you want, without running into
+# trouble.
+#
+# Run the server in debugging mode, and READ the output.
+#
+# $ radiusd -X
+#
+# We cannot emphasize this point strongly enough. The vast
+# majority of problems can be solved by carefully reading the
+# debugging output, which includes warnings about common issues,
+# and suggestions for how they may be fixed.
+#
+# There may be a lot of output, but look carefully for words like:
+# "warning", "error", "reject", or "failure". The messages there
+# will usually be enough to guide you to a solution.
+#
+# If you are going to ask a question on the mailing list, then
+# explain what you are trying to do, and include the output from
+# debugging mode (radiusd -X). Failure to do so means that all
+# of the responses to your question will be people telling you
+# to "post the output of radiusd -X".
+
+######################################################################
+#
+# The location of other config files and logfiles are declared
+# in this file.
+#
+# Also general configuration for modules can be done in this
+# file, it is exported through the API to modules that ask for
+# it.
+#
+# See "man radiusd.conf" for documentation on the format of this
+# file. Note that the individual configuration items are NOT
+# documented in that "man" page. They are only documented here,
+# in the comments.
+#
+# The "unlang" policy language can be used to create complex
+# if / else policies. See "man unlang" for details.
+#
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = /usr/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+modconfdir = ${confdir}/mods-config
+certdir = ${confdir}/certs
+cadir = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+
+db_dir = ${localstatedir}/lib/radiusd
+
+#
+# libdir: Where to find the rlm_* modules.
+#
+# This should be automatically set at configuration time.
+#
+# If the server builds and installs, but fails at execution time
+# with an 'undefined symbol' error, then you can use the libdir
+# directive to work around the problem.
+#
+# The cause is usually that a library has been installed on your
+# system in a place where the dynamic linker CANNOT find it. When
+# executing as root (or another user), your personal environment MAY
+# be set up to allow the dynamic linker to find the library. When
+# executing as a daemon, FreeRADIUS MAY NOT have the same
+# personalized configuration.
+#
+# To work around the problem, find out which library contains that symbol,
+# and add the directory containing that library to the end of 'libdir',
+# with a colon separating the directory names. NO spaces are allowed.
+#
+# e.g. libdir = /usr/local/lib:/opt/package/lib
+#
+# You can also try setting the LD_LIBRARY_PATH environment variable
+# in a script which starts the server.
+#
+# If that does not work, then you can re-configure and re-build the
+# server to NOT use shared libraries, via:
+#
+# ./configure --disable-shared
+# make
+# make install
+#
+libdir = /usr/lib64/freeradius
+
+# pidfile: Where to place the PID of the RADIUS server.
+#
+# The server may be signalled while it's running by using this
+# file.
+#
+# This file is written when ONLY running in daemon mode.
+#
+# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
+#
+pidfile = ${run_dir}/${name}.pid
+
+# panic_action: Command to execute if the server dies unexpectedly.
+#
+# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
+# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
+# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART.
+#
+# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE
+# PATTACH CAN BE USED AS AN ATTACK VECTOR.
+#
+# The panic action is a command which will be executed if the server
+# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
+# SIGABRT or SIGFPE.
+#
+# This can be used to start an interactive debugging session so
+# that information regarding the current state of the server can
+# be acquired.
+#
+# The following string substitutions are available:
+# - %e The currently executing program e.g. /sbin/radiusd
+# - %p The PID of the currently executing program e.g. 12345
+#
+# Standard ${} substitutions are also allowed.
+#
+# An example panic action for opening an interactive session in GDB would be:
+#
+#panic_action = "gdb %e %p"
+#
+# Again, don't use that on a production system.
+#
+# An example panic action for opening an automated session in GDB would be:
+#
+#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
+#
+# That command can be used on a production system.
+#
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+#
+# Requests which take more time than this to process may be killed, and
+# a REJECT message is returned.
+#
+# WARNING: If you notice that requests take a long time to be handled,
+# then this MAY INDICATE a bug in the server, in one of the modules
+# used to handle a request, OR in your local configuration.
+#
+# This problem is most often seen when using an SQL database.
If it takes
+# more than a second or two to receive an answer from the SQL database,
+# then it probably means that you haven't indexed the database. See your
+# SQL server documentation for more information.
+#
+# Useful range of values: 5 to 120
+#
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+# a reply which was sent to the NAS.
+#
+# The RADIUS request is normally cached internally for a short period
+# of time, after the reply is sent to the NAS. The reply packet may be
+# lost in the network, and the NAS will not see it. The NAS will then
+# re-send the request, and the server will respond quickly with the
+# cached reply.
+#
+# If this value is set too low, then duplicate requests from the NAS
+# MAY NOT be detected, and will instead be handled as separate requests.
+#
+# If this value is set too high, then the server will cache too many
+# requests, and some new requests may get blocked. (See 'max_requests'.)
+#
+# Useful range of values: 2 to 10
+#
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+# track of. This should be 256 multiplied by the number of clients.
+# e.g. With 4 clients, this number should be 1024.
+#
+# If this number is too low, then when the server becomes busy,
+# it will not respond to any new requests, until the 'cleanup_delay'
+# time has passed, and it has removed the old requests.
+#
+# If this number is set too high, then the server will use a bit more
+# memory for no real benefit.
+#
+# If you aren't sure what it should be set to, it's better to set it
+# too high than too low. Setting it to 1000 per client is probably
+# the highest it should be.
+#
+# Useful range of values: 256 to infinity
+#
+max_requests = 1024
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
+#
+# The default is 'off' because it would be overall better for the net
+# if people had to knowingly turn this feature on, since enabling it
+# means that each client request will result in AT LEAST one lookup
+# request to the nameserver. Enabling hostname_lookups will also
+# mean that your server may stop randomly for 30 seconds from time
+# to time, if the DNS requests take too long.
+#
+# Turning hostname lookups off also means that the server won't block
+# for 30 seconds, if it sees an IP address which has no name associated
+# with it.
+#
+# allowed values: {no, yes}
+#
+hostname_lookups = no
+
+#
+# Logging section. The various "log_*" configuration items
+# will eventually be moved here.
+#
+log {
+ #
+ # Destination for log messages. This can be one of:
+ #
+ # files - log to "file", as defined below.
+ # syslog - to syslog (see also the "syslog_facility", below.
+ # stdout - standard output
+ # stderr - standard error.
+ #
+ # The command-line option "-X" over-rides this option, and forces
+ # logging to go to stdout.
+ #
+ destination = files
+
+ #
+ # Highlight important messages sent to stderr and stdout.
+ #
+ # Option will be ignored (disabled) if output if TERM is not
+ # an xterm or output is not to a TTY.
+ #
+ colourise = yes
+
+ #
+ # The logging messages for the server are appended to the
+ # tail of this file if destination == "files"
+ #
+ # If the server is running in debugging mode, this file is
+ # NOT used.
+ #
+ file = ${logdir}/radius.log
+
+ #
+ # If this configuration parameter is set, then log messages for
+ # a *request* go to this file, rather than to radius.log.
+ #
+ # i.e. This is a log file per request, once the server has accepted
+ # the request as being from a valid client. Messages that are
+ # not associated with a request still go to radius.log.
+ #
+ # Not all log messages in the server core have been updated to use
+ # this new internal API. As a result, some messages will still
+ # go to radius.log.
Please submit patches to fix this behavior.
+ #
+ # The file name is expanded dynamically. You should ONLY user
+ # server-side attributes for the filename (e.g. things you control).
+ # Using this feature MAY also slow down the server substantially,
+ # especially if you do thinks like SQL calls as part of the
+ # expansion of the filename.
+ #
+ # The name of the log file should use attributes that don't change
+ # over the lifetime of a request, such as User-Name,
+ # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
+ # messages will be distributed over multiple files.
+ #
+ # Logging can be enabled for an individual request by a special
+ # dynamic expansion macro: %{debug: 1}, where the debug level
+ # for this request is set to '1' (or 2, 3, etc.). e.g.
+ #
+ # ...
+ # update control {
+ # Tmp-String-0 = "%{debug:1}"
+ # }
+ # ...
+ #
+ # The attribute that the value is assigned to is unimportant,
+ # and should be a "throw-away" attribute with no side effects.
+ #
+ #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
+
+ #
+ # Which syslog facility to use, if ${destination} == "syslog"
+ #
+ # The exact values permitted here are OS-dependent. You probably
+ # don't want to change this.
+ #
+ syslog_facility = daemon
+
+ # Log the full User-Name attribute, as it was found in the request.
+ #
+ # allowed values: {no, yes}
+ #
+ stripped_names = no
+
+ # Log authentication requests to the log file.
+ #
+ # allowed values: {no, yes}
+ #
+ auth = no
+
+ # Log passwords with the authentication requests.
+ # auth_badpass - logs password if it's rejected
+ # auth_goodpass - logs password if it's correct
+ #
+ # allowed values: {no, yes}
+ #
+ auth_badpass = no
+ auth_goodpass = no
+
+ # Log additional text at the end of the "Login OK" messages.
+ # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
+ # configurations above have to be set to "yes".
+ #
+ # The strings below are dynamically expanded, which means that
+ # you can put anything you want in them. However, note that
+ # this expansion can be slow, and can negatively impact server
+ # performance.
+ #
+# msg_goodpass = ""
+# msg_badpass = ""
+
+ # The message when the user exceeds the Simultaneous-Use limit.
+ #
+ msg_denied = "You are already logged in - access denied"
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# SECURITY CONFIGURATION
+#
+# There may be multiple methods of attacking on the server. This
+# section holds the configuration items which minimize the impact
+# of those attacks
+#
+security {
+ # chroot: directory where the server does "chroot".
+ #
+ # The chroot is done very early in the process of starting
+ # the server. After the chroot has been performed it
+ # switches to the "user" listed below (which MUST be
+ # specified). If "group" is specified, it switches to that
+ # group, too. Any other groups listed for the specified
+ # "user" in "/etc/group" are also added as part of this
+ # process.
+ #
+ # The current working directory (chdir / cd) is left
+ # *outside* of the chroot until all of the modules have been
+ # initialized. This allows the "raddb" directory to be left
+ # outside of the chroot. Once the modules have been
+ # initialized, it does a "chdir" to ${logdir}. This means
+ # that it should be impossible to break out of the chroot.
+ #
+ # If you are worried about security issues related to this
+ # use of chdir, then simply ensure that the "raddb" directory
+ # is inside of the chroot, end be sure to do "cd raddb"
+ # BEFORE starting the server.
+ #
+ # If the server is statically linked, then the only files
+ # that have to exist in the chroot are ${run_dir} and
+ # ${logdir}. If you do the "cd raddb" as discussed above,
+ # then the "raddb" directory has to be inside of the chroot
+ # directory, too.
+ #
+# chroot = /path/to/chroot/directory
+
+ # user/group: The name (or #number) of the user/group to run radiusd as.
+ #
+ # If these are commented out, the server will run as the
+ # user/group that started it. In order to change to a
+ # different user/group, you MUST be root ( or have root
+ # privileges ) to start the server.
+ #
+ # We STRONGLY recommend that you run the server with as few
+ # permissions as possible. That is, if you're not using
+ # shadow passwords, the user and group items below should be
+ # set to radius'.
+ #
+ # NOTE that some kernels refuse to setgid(group) when the
+ # value of (unsigned)group is above 60000; don't use group
+ # "nobody" on these systems!
+ #
+ # On systems with shadow passwords, you might have to set
+ # 'group = shadow' for the server to be able to read the
+ # shadow password file. If you can authenticate users while
+ # in debug mode, but not in daemon mode, it may be that the
+ # debugging mode server is running as a user that can read
+ # the shadow info, and the user listed below can not.
+ #
+ # The server will also try to use "initgroups" to read
+ # /etc/groups. It will join all groups where "user" is a
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+ user = radiusd
+ group = radiusd
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+ #
+ # allowed values: {no, yes}
+ #
+ allow_core_dumps = no
+
+ #
+ # max_attributes: The maximum number of attributes
+ # permitted in a RADIUS packet. Packets which have MORE
+ # than this number of attributes in them will be dropped.
+ #
+ # If this number is set too low, then no RADIUS packets
+ # will be accepted.
+ #
+ # If this number is set too high, then an attacker may be
+ # able to send a small number of packets which will cause
+ # the server to use all available memory on the machine.
+ #
+ # Setting this number to 0 means "allow any number of attributes"
+ max_attributes = 200
+
+ #
+ # reject_delay: When sending an Access-Reject, it can be
+ # delayed for a few seconds. This may help slow down a DoS
+ # attack. It also helps to slow down people trying to brute-force
+ # crack a users password.
+ #
+ # Setting this number to 0 means "send rejects immediately"
+ #
+ # If this number is set higher than 'cleanup_delay', then the
+ # rejects will be sent at 'cleanup_delay' time, when the request
+ # is deleted from the internal cache of requests.
+ #
+ # Useful ranges: 1 to 5
+ reject_delay = 1
+
+ #
+ # status_server: Whether or not the server will respond
+ # to Status-Server requests.
+ #
+ # When sent a Status-Server message, the server responds with
+ # an Access-Accept or Accounting-Response packet.
+ #
+ # This is mainly useful for administrators who want to "ping"
+ # the server, without adding test users, or creating fake
+ # accounting packets.
+ #
+ # It's also useful when a NAS marks a RADIUS server "dead".
+ # The NAS can periodically "ping" the server with a Status-Server
+ # packet. If the server responds, it must be alive, and the
+ # NAS can start using it for real requests.
+ #
+ # See also raddb/sites-available/status
+ #
+ status_server = yes
+
+ # IMPORTANT: Don't do this. You really should update to recent versions of OpenSSL
+ allow_vulnerable_openssl = yes
+
+}
+
+# PROXY CONFIGURATION
+#
+# proxy_requests: Turns proxying of RADIUS requests on or off.
+#
+# The server has proxying turned on by default. If your system is NOT
+# set up to proxy requests to another server, then you can turn proxying
+# off here. This will save a small amount of resources on the server.
+#
+# If you have proxying turned off, and your configuration files say
+# to proxy a request, then an error message will be logged.
+#
+# To disable proxying, change the "yes" to "no", and comment the
+# $INCLUDE line.
+#
+# allowed values: {no, yes}
+#
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+
+# CLIENTS CONFIGURATION
+#
+# Client configuration is defined in "clients.conf".
+#
+
+# The 'clients.conf' file contains all of the information from the old
+# 'clients' and 'naslist' configuration files. We recommend that you
+# do NOT use 'client's or 'naslist', although they are still
+# supported.
+#
+# Anything listed in 'clients.conf' will take precedence over the
+# information from the old-style configuration files.
+#
+$INCLUDE clients.conf
+
+
+# THREAD POOL CONFIGURATION
+#
+# The thread pool is a long-lived group of threads which
+# take turns (round-robin) handling any incoming requests.
+#
+# You probably want to have a few spare threads around,
+# so that high-load situations can be handled immediately. If you
+# don't have any spare threads, then the request handling will
+# be delayed while a new thread is created, and added to the pool.
+#
+# You probably don't want too many spare threads around,
+# otherwise they'll be sitting there taking up resources, and
+# not doing anything productive.
+#
+# The numbers given below should be adequate for most situations.
+#
+thread pool {
+ # Number of servers to start initially --- should be a reasonable
+ # ballpark figure.
+ start_servers = 5
+
+ # Limit on the total number of servers running.
+ #
+ # If this limit is ever reached, clients will be LOCKED OUT, so it
+ # should NOT BE SET TOO LOW. It is intended mainly as a brake to
+ # keep a runaway server from taking the system with it as it spirals
+ # down...
+ #
+ # You may find that the server is regularly reaching the
+ # 'max_servers' number of threads, and that increasing
+ # 'max_servers' doesn't seem to make much difference.
+ #
+ # If this is the case, then the problem is MOST LIKELY that
+ # your back-end databases are taking too long to respond, and
+ # are preventing the server from responding in a timely manner.
+ #
+ # The solution is NOT do keep increasing the 'max_servers'
+ # value, but instead to fix the underlying cause of the
+ # problem: slow database, or 'hostname_lookups=yes'.
+ #
+ # For more information, see 'max_request_time', above.
+ #
+ max_servers = 32
+
+ # Server-pool size regulation. Rather than making you guess
+ # how many servers you need, FreeRADIUS dynamically adapts to
+ # the load it sees, that is, it tries to maintain enough
+ # servers to handle the current load, plus a few spare
+ # servers to handle transient load spikes.
+ #
+ # It does this by periodically checking how many servers are
+ # waiting for a request. If there are fewer than
+ # min_spare_servers, it creates a new spare. If there are
+ # more than max_spare_servers, some of the spares die off.
+ # The default values are probably OK for most sites.
+ #
+ min_spare_servers = 3
+ max_spare_servers = 10
+
+ # When the server receives a packet, it places it onto an
+ # internal queue, where the worker threads (configured above)
+ # pick it up for processing. The maximum size of that queue
+ # is given here.
+ #
+ # When the queue is full, any new packets will be silently
+ # discarded.
+ #
+ # The most common cause of the queue being full is that the
+ # server is dependent on a slow database, and it has received
+ # a large "spike" of traffic. When that happens, there is
+ # very little you can do other than make sure the server
+ # receives less traffic, or make sure that the database can
+ # handle the load.
+ #
+# max_queue_size = 65536
+
+ # There may be memory leaks or resource allocation problems with
+ # the server. If so, set this value to 300 or so, so that the
+ # resources will be cleaned up periodically.
+ #
+ # This should only be necessary if there are serious bugs in the
+ # server which have not yet been fixed.
+ #
+ # '0' is a special value meaning 'infinity', or 'the servers never
+ # exit'
+ max_requests_per_server = 0
+
+ # Automatically limit the number of accounting requests.
+ # This configuration item tracks how many requests per second
+ # the server can handle. It does this by tracking the
+ # packets/s received by the server for processing, and
+ # comparing that to the packets/s handled by the child
+ # threads.
+ #
+
+ # If the received PPS is larger than the processed PPS, *and*
+ # the queue is more than half full, then new accounting
+ # requests are probabilistically discarded. This lowers the
+ # number of packets that the server needs to process. Over
+ # time, the server will "catch up" with the traffic.
+ #
+ # Throwing away accounting packets is usually safe and low
+ # impact. The NAS will retransmit them in a few seconds, or
+ # even a few minutes. Vendors should read RFC 5080 Section 2.2.1
+ # to see how accounting packets should be retransmitted. Using
+ # any other method is likely to cause network meltdowns.
+ #
+ auto_limit_acct = no
+}
+
+######################################################################
+#
+# SNMP notifications. Uncomment the following line to enable
+# snmptraps. Note that you MUST also configure the full path
+# to the "snmptrap" command in the "trigger.conf" file.
+#
+#$INCLUDE trigger.conf
+
+# MODULE CONFIGURATION
+#
+# The names and configuration of each module is located in this section.
+#
+# After the modules are defined here, they may be referred to by name,
+# in other sections of this configuration file.
+#
+modules {
+ #
+ # Each module has a configuration as follows:
+ #
+ # name [ instance ] {
+ # config_item = value
+ # ...
+ # }
+ #
+ # The 'name' is used to load the 'rlm_name' library
+ # which implements the functionality of the module.
+ #
+ # The 'instance' is optional. To have two different instances
+ # of a module, it first must be referred to by 'name'.
+ # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # for an example. + # + + # + # As of 3.0, modules are in mods-enabled/. Files matching + # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are + # initialized ONLY if they are referenced in a processing + # section, such as authorize, authenticate, accounting, + # pre/post-proxy, etc. + # + $INCLUDE mods-enabled/ +} + +# Instantiation +# +# This section orders the loading of the modules. Modules +# listed here will get loaded BEFORE the later sections like +# authorize, authenticate, etc. get examined. +# +# This section is not strictly needed. When a section like +# authorize refers to a module, it's automatically loaded and +# initialized. However, some modules may not be listed in any +# of the following sections, so they can be listed here. +# +# Also, listing modules here ensures that you have control over +# the order in which they are initialized. If one module needs +# something defined by another module, you can list them in order +# here, and ensure that the configuration will be OK. +# +# After the modules listed here have been loaded, all of the modules +# in the "mods-enabled" directory will be loaded. Loading the +# "mods-enabled" directory means that unlike Version 2, you usually +# don't need to list modules here. +# +instantiate { + # + # We list the counter module here so that it registers + # the check_name attribute before any module which sets + # it +# daily + + # subsections here can be thought of as "virtual" modules. + # + # e.g. If you have two redundant SQL servers, and you want to + # use them in the authorize and accounting sections, you could + # place a "redundant" block in each section, containing the + # exact same text. 
Or, you could uncomment the following + # lines, and list "redundant_sql" in the authorize and + # accounting sections. + # + #redundant redundant_sql { + # sql1 + # sql2 + #} + + chillispot_max_bytes + noresetcounter +} + +###################################################################### +# +# Policies are virtual modules, similar to those defined in the +# "instantiate" section above. +# +# Defining a policy in one of the policy.d files means that it can be +# referenced in multiple places as a *name*, rather than as a series of +# conditions to match, and actions to take. +# +# Policies are something like subroutines in a normal language, but +# they cannot be called recursively. They MUST be defined in order. +# If policy A calls policy B, then B MUST be defined before A. +# +###################################################################### +policy { + $INCLUDE policy.d/ +} + +###################################################################### +# +# Load virtual servers. +# +# This next $INCLUDE line loads files in the directory that +# match the regular expression: /[a-zA-Z0-9_.]+/ +# +# It allows you to define new virtual servers simply by placing +# a file into the raddb/sites-enabled/ directory. +# +$INCLUDE sites-enabled/ + +###################################################################### +# +# All of the other configuration sections like "authorize {}", +# "authenticate {}", "accounting {}", have been moved to the +# the file: +# +# raddb/sites-available/default +# +# This is the "default" virtual server that has the same +# configuration as in version 1.0.x and 1.1.x. The default +# installation enables this virtual server. You should +# edit it to create policies for your local site. +# +# For more documentation on virtual servers, see: +# +# raddb/sites-available/README +# +###################################################################### 
diff --git a/roles/network/tasks/coova-chilli.yml b/roles/network/tasks/coova-chilli.yml new file mode 100644 index 00000000..e69de29b diff --git a/roles/network/tasks/daloradius.yml b/roles/network/tasks/daloradius.yml new file mode 100644 index 00000000..e69de29b diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml index 78e07d8a..b38a1d49 100644 --- a/roles/network/tasks/main.yml +++ b/roles/network/tasks/main.yml @@ -86,6 +86,12 @@ tags: - network +- include: radius.yml + when: not xsce_prepped + tags: + - radius + - network + - name: ask systemd to reread the unit files, picks up changes done shell: systemctl daemon-reload when: not installing diff --git a/roles/network/tasks/radius.yml b/roles/network/tasks/radius.yml new file mode 100644 index 00000000..f5c40345 --- /dev/null +++ b/roles/network/tasks/radius.yml 
@@ -0,0 +1,93 @@ +- name: Install radius packages + yum: name={{ item }} + state=installed + with_items: + - freeradius + - freeradius-mysql + - freeradius-utils + tags: + - download + +- name: Create a new database with name radius + mysql_db: name=radius state=present + +- name: Copy database dump file setup.sql to remote host... + template: src=radius/setup.sql.j2 dest=/tmp/setup.sql + +- name: ... and restore it to database radius + mysql_db: name=radius state=import target=/tmp/setup.sql + +- name: Copy database dump file schema.sql to remote host and restore it to database radius + template: src=radius/schema.sql.j2 dest=/tmp/schema.sql + +- name: ... and restore it to database radius + mysql_db: name=radius state=import target=/tmp/schema.sql + +- name: Copy config file templates + template: src={{ item.src }} + dest={{ item.dest }} + owner={{ item.owner }} + group={{ item.group }} + mode={{ item.mode }} + with_items: + - src: 'radius/sql.j2' + dest: '/etc/raddb/mods-available/sql' + owner: 'root' + group: 'root' + mode: '0755' + - src: 'radius/clients.conf.j2' + dest: '/etc/raddb/clients.conf' + owner: 'root' + group: 'root' + mode: '0755' + - src: 'radius/inner-tunnel' + dest: '/etc/raddb/sites-available/inner-tunnel' + owner: 'root' + group: 'root' + mode: '0755' + - src: 'radius/chillispot.conf' + dest: '/etc/raddb/mods-config/sql/counter/mysql/chillispot.conf' + owner: 'root' + group: 'root' + mode: '0755' + +- name: Copy config files + file: src={{ item.src }} + dest={{ item.dest }} + owner={{ item.owner }} + group={{ item.group }} + mode={{ item.mode }} + with_items: + - src: 'radius/default' + dest: '/etc/raddb/sites-available/default' + owner: 'root' + group: 'root' + mode: '0755' + - src: 'radius/radiusd.conf' + dest: '/etc/raddb/radiusd.conf' + owner: 'root' + group: 'root' + mode: '0755' + + +- name: Add coovachilli counters + lineinfile: dest=/etc/raddb/mods-available/sqlcounter line="$INCLUDE 
${modconfdir}/sql/counter/${modules.sql.dialect}/chillispot.conf" + +- name: Symlink sql mod + file: src=/etc/raddb/mods-available/sql dest=/etc/raddb/mods-enabled/sql state=link + +- name: Symlink sqlcounter mod + file: src=/etc/raddb/mods-available/sqlcounter dest=/etc/raddb/mods-enabled/sqlcounter state=link + +- name: Change ownership of config and log directories + shell: touch /var/log/radius/radutmp; chown -R radiusd:radiusd /etc/raddb; chown -R radiusd:radiusd /var/log/radius + +- name: Create Admin user in radius MySQL database + shell: echo "INSERT INTO radcheck (UserName, Attribute, Value, Op) VALUES ('{{ freeradius_admin_user }}', 'Cleartext-Password', '{{ freeradius_admin_password }}', ':=');" | mysql -u root -p{{ mysql_root_password }} radius + +- name: Include Coovachilli + include: coova-chilli.yml + +- name: Include Daloradius + include: daloradius.yml + diff --git a/roles/network/templates/chilli/config.j2 b/roles/network/templates/chilli/config.j2 new file mode 100644 index 00000000..174872cd --- /dev/null +++ b/roles/network/templates/chilli/config.j2 
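Review bot: The `Create Admin user` task pipes a shell-built INSERT into `mysql -u root -p{{ mysql_root_password }}`, which places the MySQL root password on the command line (visible in the process list and in the task's logged arguments) and interpolates `freeradius_admin_user`/`freeradius_admin_password` unescaped into both a double-quoted shell string and an SQL literal, so a quote, backtick or `$` in either value breaks or alters the statement; it also adds a new row on every run, because the `radcheck` table created by schema.sql.j2 has no unique key on `username`. Rendering that INSERT into the already-imported `radius/setup.sql.j2` (with `mode=0600` on the `/tmp/setup.sql` copy, which presumably holds DB credentials, and an existence guard such as `INSERT ... SELECT ... WHERE NOT EXISTS (...)`) would keep the password off the command line and make reruns safe. Separately, the `Copy config files` task uses the `file` module with `src`/`dest` but no `state=link`, and `file` does not copy content, so `sites-available/default` and `radiusd.conf` are presumably never installed from the role's copies — `copy:` looks intended, mirroring the `template:` task above it. The templated config files are installed with `mode: '0755'`; `clients.conf` carries the shared secret and the `sql` module file presumably the DB credentials, so `0640` (they become `radiusd`-owned by the later `chown -R`) is the appropriate mode for non-executable configuration.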
@@ -0,0 +1,207 @@ +# -*- mode: shell-script; -*- +# +# Coova-Chilli Default Configurations. +# To customize, copy this file to /etc/chilli/config +# and edit to your liking. This is included in shell scripts +# that configure chilli and related programs before file 'config'. + + +### +# Local Network Configurations +# + +HS_WANIF=enp3s0 # WAN Interface toward the Internet +HS_LANIF=br0 # Subscriber Interface for client devices +#HS_NETWORK=10.1.0.0 # HotSpot Network (must include HS_UAMLISTEN) +HS_NETWORK=172.18.100.0 # HotSpot Network (must include HS_UAMLISTEN) +HS_NETMASK=255.255.0.0 # HotSpot Network Netmask +#HS_UAMLISTEN=10.1.0.1 # HotSpot IP Address (on subscriber network) +HS_UAMLISTEN=172.18.96.1 # HotSpot IP Address (on subscriber network) +HS_UAMPORT=3990 # HotSpot UAM Port (on subscriber network) +HS_UAMUIPORT=4990 # HotSpot UAM "UI" Port (on subscriber network, for embedded portal) + +# HS_DYNIP= +# HS_DYNIP_MASK=255.255.255.0 +# HS_STATIP= +# HS_STATIP_MASK=255.255.255.0 +# HS_DNS_DOMAIN= + +# OpenDNS Servers +HS_DNS1=172.18.96.1 +HS_DNS2=172.18.96.1 +#HS_DNS1=208.67.222.222 +#HS_DNS2=208.67.220.220 + +### +# HotSpot settings for simple Captive Portal +# +HS_NASID=nas01 +HS_RADIUS=localhost +HS_RADIUS2=localhost +# HS_UAMALLOW=www.coova.org +HS_RADSECRET=testing123 # Set to be your RADIUS shared secret +HS_UAMSECRET=change-me # Set to be your UAM secret +HS_UAMALIASNAME=chilli + +# Configure RADIUS proxy support (for 802.1x + captive portal support) +# HS_RADPROXY=on +# HS_RADPROXY_LISTEN=127.0.0.1 +# HS_RADPROXY_CLIENT=127.0.0.1 +# HS_RADPROXY_PORT=1645 +# HS_RADPROXY_SECRET=$HS_RADSECRET +# Example OpenWrt /etc/config/wireless entry for hostapd +# option encryption wpa2 +# option server $HS_RADPROXY_LISTEN +# option port $HS_RADPROXY_PORT +# option key $HS_RADPROXY_SECRET + + +# To alternatively use a HTTP URL for AAA instead of RADIUS +# Enable http for AAA and then specify the url to send the AAA Request +# HS_AAA=http +# 
HS_UAMAAAURL=http://my-site/script.php + +# Put entire domains in the walled-garden with DNS inspection +# HS_UAMDOMAINS=".paypal.com,.paypalobjects.com" + +# Optional initial redirect and RADIUS settings +# HS_SSID= # To send to the captive portal +# HS_NASMAC= # To explicitly set Called-Station-Id +# HS_NASIP= # To explicitly set NAS-IP-Address + +# The server to be used in combination with HS_UAMFORMAT to +# create the final chilli 'uamserver' url configuration. +HS_UAMSERVER=$HS_UAMLISTEN + +# Use HS_UAMFORMAT to define the actual captive portal url. +# Shell variable replacement takes place when evaluated, so here +# HS_UAMSERVER is escaped and later replaced by the pre-defined +# HS_UAMSERVER to form the actual "--uamserver" option in chilli. +HS_UAMFORMAT=http://\$HS_UAMLISTEN:\$HS_UAMUIPORT/www/login.chi + +# Same principal goes for HS_UAMHOMEPAGE. +HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html + +# This option will be configured to be the WISPr LoginURL as well +# as provide "uamService" to the ChilliController. The UAM Service is +# described in: http://www.coova.org/CoovaChilli/UAMService +# +# HS_UAMSERVICE= + + +### +# Features not activated per-default (default to off) +# +# HS_RADCONF=off # Get some configurations from RADIUS or a URL ('on' and 'url' respectively) +# +# HS_ANYIP=on # Allow any IP address on subscriber LAN +# +# HS_MACAUTH=on # To turn on MAC Authentication +# +# HS_MACAUTHDENY=on # Put client in 'drop' state on MAC Auth Access-Reject +# +# HS_MACAUTHMODE=local # To allow MAC Authentication based on macallowed, not RADIUS +# +# HS_MACALLOW="..." 
# List of MAC addresses to authenticate (comma seperated) +# +# HS_USELOCALUSERS=on # To use the /etc/chilli/localusers file +# +# HS_OPENIDAUTH=on # To inform the RADIUS server to allow OpenID Auth +# +# HS_WPAGUESTS=on # To inform the RADIUS server to allow WPA Guests +# +# HS_DNSPARANOIA=on # To drop DNS packets containing something other +# # than A, CNAME, SOA, or MX records +# +# HS_OPENIDAUTH=on # To inform the RADIUS server to allow OpenID Auth +# # Will also configure the embedded login forms for OpenID +# +# HS_USE_MAP=on # Short hand for allowing the required google +# # sites to use Google maps (adds many google sites!) +# +### +# Other feature settings and their defaults +# +# HS_DEFSESSIONTIMEOUT=0 # Default session-timeout if not defined by RADIUS (0 for unlimited) +# +# HS_DEFIDLETIMEOUT=0 # Default idle-timeout if not defined by RADIUS (0 for unlimited) +# +# HS_DEFBANDWIDTHMAXDOWN=0 # Default WISPr-Bandwidth-Max-Down if not defined by RADIUS (0 for unlimited) +# +# HS_DEFBANDWIDTHMAXUP=0 # Default WISPr-Bandwidth-Max-Up if not defined by RADIUS (0 for unlimited) + +### +# Centralized configuration options examples +# +# HS_RADCONF=url # requires curl +# HS_RADCONF_URL=https://coova.org/app/ap/config + +# HS_RADCONF=on # gather the CoovaChilli-Config attributes in +# # Administrative-User login +# HS_RADCONF_SERVER=rad01.coova.org # RADIUS Server +# HS_RADCONF_SECRET=coova-anonymous # RADIUS Shared Secret +# HS_RADCONF_AUTHPORT=1812 # Auth port +# HS_RADCONF_USER=coovachilli # Username +# HS_RADCONF_PWD=coovachilli # Password + + +### +# Firewall issues +# +# Uncomment the following to add ports to the allowed local ports list +# The up.sh script will allow these local ports to be used, while the default +# is to block all unwanted traffic to the tun/tap. 
+# +HS_TCP_PORTS="80 443 8008 3000" +HS_UDP_PORTS="1701" + +### +# Standard configurations +# +HS_MODE=hotspot +HS_TYPE=coovachilli +# HS_RADAUTH=1812 +# HS_RADACCT=1813 +HS_ADMUSR=radius +HS_ADMPWD=radpass + + +### +# Post-Auth proxy settings +# +# HS_POSTAUTH_PROXY= +# HS_POSTAUTH_PROXYPORT= + +# Directory specifying where internal web pages can be served +# by chilli with url /www/. Only extentions like .html +# .jpg, .gif, .png, .js are allowed. See below for using .chi as a +# CGI extension. +HS_WWWDIR=/etc/chilli/www + +# Using this option assumes 'haserl' is installed per-default +# but, and CGI type program can ran from wwwsh to process requests +# to chilli with url /www/filename.chi +HS_WWWBIN=/etc/chilli/wwwsh + +# Some configurations used in certain user interfaces +# +HS_PROVIDER=Coova +HS_PROVIDER_LINK=http://coova.github.io/ + + +### +# WISPr RADIUS Attribute support +# + +HS_LOC_NAME="My HotSpot" # WISPr Location Name and used in portal + +# WISPr settings (to form a proper WISPr-Location-Id) +# HS_LOC_NETWORK="My Network" # Network name +# HS_LOC_AC=408 # Phone area code +# HS_LOC_CC=1 # Phone country code +# HS_LOC_ISOCC=US # ISO Country code + +# Embedded miniportal +# HS_REG_MODE="tos" # or self, other +# HS_RAD_PROTO="pap" # or mschapv2, chap +# HS_USE_MAP=on diff --git a/roles/network/templates/chilli/ifup.sh b/roles/network/templates/chilli/ifup.sh new file mode 100755 index 00000000..7b0ef278 --- /dev/null +++ b/roles/network/templates/chilli/ifup.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# +#Allow IP masquerading through this box +/usr/sbin/iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE diff --git a/roles/network/templates/daloradius/daloradius.conf.j2 b/roles/network/templates/daloradius/daloradius.conf.j2 new file mode 100644 index 00000000..7a5f1788 --- /dev/null +++ b/roles/network/templates/daloradius/daloradius.conf.j2 
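Review bot: `HS_RADSECRET=testing123` is hard-coded in this template while the FreeRADIUS side (clients.conf.j2 in this same patch) takes its secret from `{{ freeradius_secret }}`, so the two only agree if that variable is left at the testing value; the template should use the variable too, `HS_RADSECRET={{ freeradius_secret }}`, and the same applies to `HS_UAMSECRET=change-me` and `HS_ADMPWD=radpass`, which are shipped defaults rather than per-deployment values. `HS_NETWORK=172.18.100.0` with `HS_NETMASK=255.255.0.0` is not aligned to that mask (the /16 containing it is 172.18.0.0), so confirm the intended prefix; the comment on the same line requires the network to include `HS_UAMLISTEN=172.18.96.1`, which it only does at /16. The WAN interface `enp3s0` is also hard-coded both here (`HS_WANIF`) and in the `iptables -t nat ... -o enp3s0` rule of ifup.sh below; a role variable would keep the two in step on hosts with a different NIC name.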
@@ -0,0 +1,8 @@
+RewriteEngine on
+
+Alias /daloradius /opt/schoolserver/daloradius
+
+ Options Indexes FollowSymLinks
+ AllowOverride All
+ Require all granted
+
diff --git a/roles/network/templates/radius/chillispot.conf b/roles/network/templates/radius/chillispot.conf
new file mode 100644
index 00000000..224f06c7
--- /dev/null
+++ b/roles/network/templates/radius/chillispot.conf
@@ -0,0 +1,10 @@
+sqlcounter chillispot_max_bytes {
+counter_name = Max-Total-Octets
+check_name = ChilliSpot-Max-Total-Octets
+reply_name = ChilliSpot-Max-Total-Octets
+reply_message = "You have reached your bandwidth limit"
+sql_module_instance = sql
+key = User-Name
+reset = never
+query = "SELECT IFNULL((SUM(AcctInputOctets + AcctOutputOctets)),0) FROM radacct WHERE username = '%{${key}}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%%b'"
+}
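Review bot: `Options Indexes` enables directory listings under `/daloradius`, and `Require all granted` exposes the daloRADIUS administration UI to every client that can reach the web server, with no restriction at the httpd layer. Drop `Indexes` and scope access, e.g. `Require ip <admin-network-placeholder>` or an authentication directive, so that only the administrative network reaches it and the application's own login is not the sole barrier. The enclosing `<Directory>` open/close lines appear to have been lost in rendering here (two bare added lines remain around the directives) — worth confirming they are present in the committed file.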
@@ -0,0 +1,268 @@ +# -*- text -*- +## +## clients.conf -- client configuration directives +## +## $Id: 76b300d3c55f1c5c052289b76bf28ac3a370bbb2 $ + +####################################################################### +# +# Define RADIUS clients (usually a NAS, Access Point, etc.). + +# +# Defines a RADIUS client. +# +# '127.0.0.1' is another name for 'localhost'. It is enabled by default, +# to allow testing of the server after an initial installation. If you +# are not going to be permitting RADIUS queries from localhost, we suggest +# that you delete, or comment out, this entry. +# +# + +# +# Each client has a "short name" that is used to distinguish it from +# other clients. +# +# In version 1.x, the string after the word "client" was the IP +# address of the client. In 2.0, the IP address is configured via +# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x +# format is still accepted. +# +client localhost { + # Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for + # a client. + # + # ipaddr will accept IPv4 or IPv6 addresses with optional CIDR + # notation '/' to specify ranges. + # + # ipaddr will accept domain names e.g. example.org resolving + # them via DNS. + # + # If both A and AAAA records are found, A records will be + # used in preference to AAAA. + ipaddr = 127.0.0.1 + + # Same as ipaddr but allows v4 addresses only. Requires A + # record for domain names. +# ipv4addr = * # any. 127.0.0.1 == localhost + + # Same as ipaddr but allows v6 addresses only. Requires AAAA + # record for domain names. +# ipv6addr = :: # any. ::1 == localhost + + # + # A note on DNS: We STRONGLY recommend using IP addresses + # rather than host names. Using host names means that the + # server will do DNS lookups when it starts, making it + # dependent on DNS. i.e. If anything goes wrong with DNS, + # the server won't start! + # + # The server also looks up the IP address from DNS once, and + # only once, when it starts. 
If the DNS record is later + # updated, the server WILL NOT see that update. + # + + # + # The transport protocol. + # + # If unspecified, defaults to "udp", which is the traditional + # RADIUS transport. It may also be "tcp", in which case the + # server will accept connections from this client ONLY over TCP. + # + proto = * + + # + # The shared secret use to "encrypt" and "sign" packets between + # the NAS and FreeRADIUS. You MUST change this secret from the + # default, otherwise it's not a secret any more! + # + # The secret can be any string, up to 8k characters in length. + # + # Control codes can be entered vi octal encoding, + # e.g. "\101\102" == "AB" + # Quotation marks can be entered by escaping them, + # e.g. "foo\"bar" + # + # A note on security: The security of the RADIUS protocol + # depends COMPLETELY on this secret! We recommend using a + # shared secret that is composed of: + # + # upper case letters + # lower case letters + # numbers + # + # And is at LEAST 8 characters long, preferably 16 characters in + # length. The secret MUST be random, and should not be words, + # phrase, or anything else that is recognisable. + # + # The default secret below is only for testing, and should + # not be used in any real environment. + # + secret = {{ freeradius_secret }} + + # + # Old-style clients do not send a Message-Authenticator + # in an Access-Request. RFC 5080 suggests that all clients + # SHOULD include it in an Access-Request. The configuration + # item below allows the server to require it. If a client + # is required to include a Message-Authenticator and it does + # not, then the packet will be silently discarded. + # + # allowed values: yes, no + require_message_authenticator = no + + # + # The short name is used as an alias for the fully qualified + # domain name, or the IP address. 
+ # + # It is accepted for compatibility with 1.x, but it is no + # longer necessary in >= 2.0 + # +# shortname = localhost + + # + # the following three fields are optional, but may be used by + # checkrad.pl for simultaneous use checks + # + + # + # The nas_type tells 'checkrad.pl' which NAS-specific method to + # use to query the NAS for simultaneous use. + # + # Permitted NAS types are: + # + # cisco + # computone + # livingston + # juniper + # max40xx + # multitech + # netserver + # pathras + # patton + # portslave + # tc + # usrhiper + # other # for all other types + + # + nas_type = other # localhost isn't usually a NAS... + + # + # The following two configurations are for future use. + # The 'naspasswd' file is currently used to store the NAS + # login name and password, which is used by checkrad.pl + # when querying the NAS for simultaneous use. + # +# login = !root +# password = someadminpas + + # + # As of 2.0, clients can also be tied to a virtual server. + # This is done by setting the "virtual_server" configuration + # item, as in the example below. + # +# virtual_server = home1 + + # + # A pointer to the "home_server_pool" OR a "home_server" + # section that contains the CoA configuration for this + # client. For an example of a coa home server or pool, + # see raddb/sites-available/originate-coa +# coa_server = coa + + # + # Response window for proxied packets. If non-zero, + # then the lower of (home, client) response_window + # will be used. + # + # i.e. it can be used to lower the response_window + # packets from one client to a home server. It cannot + # be used to raise the response_window. + # +# response_window = 10.0 + + # + # Connection limiting for clients using "proto = tcp". + # + # This section is ignored for clients sending UDP traffic + # + limit { + # + # Limit the number of simultaneous TCP connections from a client + # + # The default is 16. 
+ # Setting this to 0 means "no limit" + max_connections = 16 + + # The per-socket "max_requests" option does not exist. + + # + # The lifetime, in seconds, of a TCP connection. After + # this lifetime, the connection will be closed. + # + # Setting this to 0 means "forever". + lifetime = 0 + + # + # The idle timeout, in seconds, of a TCP connection. + # If no packets have been received over the connection for + # this time, the connection will be closed. + # + # Setting this to 0 means "no timeout". + # + # We STRONGLY RECOMMEND that you set an idle timeout. + # + idle_timeout = 30 + } +} + +# IPv6 Client +client localhost_ipv6 { + ipv6addr = ::1 + secret = {{ freeradius_secret }} +} + +# All IPv6 Site-local clients +#client sitelocal_ipv6 { +# ipv6addr = fe80::/16 +# secret = testing123 +#} + +#client example.org { +# ipaddr = radius.example.org +# secret = testing123 +#} + +# +# You can now specify one secret for a network of clients. +# When a client request comes in, the BEST match is chosen. +# i.e. The entry from the smallest possible network. +# +#client private-network-1 { +# ipaddr = 192.0.2.0/24 +# secret = testing123-1 +#} + +#client private-network-2 { +# ipaddr = 198.51.100.0/24 +# secret = testing123-2 +#} + +####################################################################### +# +# Per-socket client lists. The configuration entries are exactly +# the same as above, but they are nested inside of a section. +# +# You can have as many per-socket client lists as you have "listen" +# sections, or you can re-use a list among multiple "listen" sections. +# +# Un-comment this section, and edit a "listen" section to add: +# "clients = per_socket_clients". That IP address/port combination +# will then accept ONLY the clients listed in this section. +# +#clients per_socket_clients { +# client socket_client { +# ipaddr = 192.0.2.4 +# secret = testing123 +# } +#} 
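Review bot: `secret = {{ freeradius_secret }}` is unquoted in both the `localhost` and `localhost_ipv6` clients, so a secret containing whitespace or characters the config parser treats specially may be truncated or rejected, silently changing the secret the NAS must present; write `secret = "{{ freeradius_secret }}"` in both places. The comment block above `require_message_authenticator = no` itself recommends requiring the attribute; with only loopback clients and CoovaChilli as the sole NAS, setting it to `yes` costs little provided chilli sends it — worth verifying before flipping.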
diff --git a/roles/network/templates/radius/inner-tunnel b/roles/network/templates/radius/inner-tunnel
new file mode 100644
index 00000000..3bc965d7
--- /dev/null
+++ b/roles/network/templates/radius/inner-tunnel
@@ -0,0 +1,390 @@ +# -*- text -*- +###################################################################### +# +# This is a virtual server that handles *only* inner tunnel +# requests for EAP-TTLS and PEAP types. +# +# $Id: 1b937282988730ae181e345588f9c2678b197dbc $ +# +###################################################################### + +server inner-tunnel { + +# +# This next section is here to allow testing of the "inner-tunnel" +# authentication methods, independently from the "default" server. +# It is listening on "localhost", so that it can only be used from +# the same machine. +# +# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If it works, you have configured the inner tunnel correctly. To check +# if PEAP will work, use: +# +# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123 +# +# If that works, PEAP should work. If that command doesn't work, then +# +# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS. +# +# Do NOT do any PEAP tests. It won't help. Instead, concentrate +# on fixing the inner tunnel configuration. DO NOTHING ELSE. +# +listen { + ipaddr = 127.0.0.1 + port = 18120 + type = auth +} + + +# Authorization. First preprocess (hints and huntgroups files), +# then realms, and finally look in the "users" file. +# +# The order of the realm modules will determine the order that +# we try to find a matching realm. +# +# Make *sure* that 'preprocess' comes before any realm if you +# need to setup hints for the remote radius server +authorize { + # + # The chap module will set 'Auth-Type := CHAP' if we are + # handling a CHAP request and Auth-Type has not already been set + chap + + # + # If the users are logging in with an MS-CHAP-Challenge + # attribute for authentication, the mschap module will find + # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' + # to the request, which will cause the server to then use + # the mschap module for authentication. 
+ mschap + + # + # Pull crypt'd passwords from /etc/passwd or /etc/shadow, + # using the system API's to get the password. If you want + # to read /etc/passwd or /etc/shadow directly, see the + # passwd module, above. + # +# unix + + # + # Look for IPASS style 'realm/', and if not found, look for + # '@realm', and decide whether or not to proxy, based on + # that. +# IPASS + + # + # If you are using multiple kinds of realms, you probably + # want to set "ignore_null = yes" for all of them. + # Otherwise, when the first style of realm doesn't match, + # the other styles won't be checked. + # + # Note that proxying the inner tunnel authentication means + # that the user MAY use one identity in the outer session + # (e.g. "anonymous", and a different one here + # (e.g. "user@example.com"). The inner session will then be + # proxied elsewhere for authentication. If you are not + # careful, this means that the user can cause you to forward + # the authentication to another RADIUS server, and have the + # accounting logs *not* sent to the other server. This makes + # it difficult to bill people for their network activity. + # + suffix +# ntdomain + + # + # The "suffix" module takes care of stripping the domain + # (e.g. "@example.com") from the User-Name attribute, and the + # next few lines ensure that the request is not proxied. + # + # If you want the inner tunnel request to be proxied, delete + # the next few lines. + # + update control { + Proxy-To-Realm := LOCAL + } + + # + # This module takes care of EAP-MSCHAPv2 authentication. + # + # It also sets the EAP-Type attribute in the request + # attribute list to the EAP type from the packet. + # + # The example below uses module failover to avoid querying all + # of the following modules if the EAP module returns "ok". + # Therefore, your LDAP and/or SQL servers will not be queried + # for the many packets that go back and forth to set up TTLS + # or PEAP. The load on those servers will therefore be reduced. 
+ # + eap { + ok = return + } + + # + # Read the 'users' file + files + + # + # Look in an SQL database. The schema of the database + # is meant to mirror the "users" file. + # + # See "Authorization Queries" in sql.conf + sql + + # + # If you are using /etc/smbpasswd, and are also doing + # mschap authentication, the un-comment this line, and + # configure the 'etc_smbpasswd' module, above. +# etc_smbpasswd + + # + # The ldap module reads passwords from the LDAP database. + -ldap + + # + # Enforce daily limits on time spent logged in. +# daily + + expiration + logintime + + # + # If no other module has claimed responsibility for + # authentication, then try to use PAP. This allows the + # other modules listed above to add a "known good" password + # to the request, and to do nothing else. The PAP module + # will then see that password, and use it to do PAP + # authentication. + # + # This module should be listed last, so that the other modules + # get a chance to set Auth-Type for themselves. + # + pap + + chillispot_max_bytes + noresetcounter +} + + +# Authentication. +# +# +# This section lists which modules are available for authentication. +# Note that it does NOT mean 'try each module in order'. It means +# that a module from the 'authorize' section adds a configuration +# attribute 'Auth-Type := FOO'. That authentication type is then +# used to pick the appropriate module from the list below. +# + +# In general, you SHOULD NOT set the Auth-Type attribute. The server +# will figure it out on its own, and will do the right thing. The +# most common side effect of erroneously setting the Auth-Type +# attribute is that one authentication method will work, but the +# others will not. +# +# The common reasons to set the Auth-Type attribute by hand +# is to either forcibly reject the user, or forcibly accept him. +# +authenticate { + # + # PAP authentication, when a back-end database listed + # in the 'authorize' section supplies a password. 
The + # password can be clear-text, or encrypted. + Auth-Type PAP { + pap + } + + # + # Most people want CHAP authentication + # A back-end database listed in the 'authorize' section + # MUST supply a CLEAR TEXT password. Encrypted passwords + # won't work. + Auth-Type CHAP { + chap + } + + # + # MSCHAP authentication. + Auth-Type MS-CHAP { + mschap + } + + # + # Pluggable Authentication Modules. +# pam + + # Uncomment it if you want to use ldap for authentication + # + # Note that this means "check plain-text password against + # the ldap database", which means that EAP won't work, + # as it does not supply a plain-text password. + # + # We do NOT recommend using this. LDAP servers are databases. + # They are NOT authentication servers. FreeRADIUS is an + # authentication server, and knows what to do with authentication. + # LDAP servers do not. + # +# Auth-Type LDAP { +# ldap +# } + + # + # Allow EAP authentication. + eap +} + +###################################################################### +# +# There are no accounting requests inside of EAP-TTLS or PEAP +# tunnels. +# +###################################################################### + + +# Session database, used for checking Simultaneous-Use. Either the radutmp +# or rlm_sql module can handle this. +# The rlm_sql module is *much* faster +session { + radutmp + + # + # See "Simultaneous Use Checking Queries" in sql.conf + sql +} + + +# Post-Authentication +# Once we KNOW that the user has been authenticated, there are +# additional steps we can take. +# +# Note that the last packet of the inner-tunnel authentication +# MAY NOT BE the last packet of the outer session. So updating +# the outer reply MIGHT work, and sometimes MIGHT NOT. The +# exact functionality depends on both the inner and outer +# authentication methods. +# +# If you need to send a reply attribute in the outer session, +# the ONLY safe way is to set "use_tunneled_reply = yes", and +# then update the inner-tunnel reply. 
+post-auth { + # If you want privacy to remain, see the + # Chargeable-User-Identity attribute from RFC 4372. + # If you want to use it just uncomment the line below. +# cui-inner + + # + # If you want to have a log of authentication replies, + # un-comment the following line, and enable the + # 'detail reply_log' module. + reply_log + + # + # After authenticating the user, do another SQL query. + # + # See "Authentication Logging Queries" in sql.conf + sql + + # + # Instead of sending the query to the SQL server, + # write it into a log file. + # +# sql_log + + # + # Un-comment the following if you have set + # 'edir_account_policy_check = yes' in the ldap module sub-section of + # the 'modules' section. + # +# ldap + + # + # Access-Reject packets are sent through the REJECT sub-section of the + # post-auth section. + # + # Add the ldap module name (or instance) if you have set + # 'edir_account_policy_check = yes' in the ldap module configuration + # + Post-Auth-Type REJECT { + # log failed authentications in SQL, too. + -sql + attr_filter.access_reject + } +} + +# +# When the server decides to proxy a request to a home server, +# the proxied request is first passed through the pre-proxy +# stage. This stage can re-write the request, or decide to +# cancel the proxy. +# +# Only a few modules currently have this method. +# +pre-proxy { + # Uncomment the following line if you want to change attributes + # as defined in the preproxy_users file. +# files + + # Uncomment the following line if you want to filter requests + # sent to remote servers based on the rules defined in the + # 'attrs.pre-proxy' file. +# attr_filter.pre-proxy + + # If you want to have a log of packets proxied to a home + # server, un-comment the following line, and the + # 'detail pre_proxy_log' section, above. +# pre_proxy_log +} + +# +# When the server receives a reply to a request it proxied +# to a home server, the request may be massaged here, in the +# post-proxy stage. 
+# +post-proxy { + + # If you want to have a log of replies from a home server, + # un-comment the following line, and the 'detail post_proxy_log' + # section, above. +# post_proxy_log + + # Uncomment the following line if you want to filter replies from + # remote proxies based on the rules defined in the 'attrs' file. +# attr_filter.post-proxy + + # + # If you are proxying LEAP, you MUST configure the EAP + # module, and you MUST list it here, in the post-proxy + # stage. + # + # You MUST also use the 'nostrip' option in the 'realm' + # configuration. Otherwise, the User-Name attribute + # in the proxied request will not match the user name + # hidden inside of the EAP packet, and the end server will + # reject the EAP request. + # + eap + + # + # If the server tries to proxy a request and fails, then the + # request is processed through the modules in this section. + # + # The main use of this section is to permit robust proxying + # of accounting packets. The server can be configured to + # proxy accounting packets as part of normal processing. + # Then, if the home server goes down, accounting packets can + # be logged to a local "detail" file, for processing with + # radrelay. When the home server comes back up, radrelay + # will read the detail file, and send the packets to the + # home server. + # + # With this configuration, the server always responds to + # Accounting-Requests from the NAS, but only writes + # accounting packets to disk if the home server is down. + # +# Post-Proxy-Type Fail { +# detail +# } + +} + +} # inner-tunnel server block diff --git a/roles/network/templates/radius/schema.sql.j2 b/roles/network/templates/radius/schema.sql.j2 new file mode 100755 index 00000000..7a262309 --- /dev/null +++ b/roles/network/templates/radius/schema.sql.j2 
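Review bot: `reply_log` is uncommented in the inner tunnel's `post-auth`, which writes every reply attribute to the detail file configured by the `detail reply_log` module; for PEAP/MSCHAPv2 inner replies that can include the MS-MPPE-Send/Recv-Key material added by the `mschap` module, so the log would hold keying material at rest — leave it commented unless that logging is deliberately wanted, and note the comment above it says the `detail reply_log` module must be enabled as well. The `chillispot_max_bytes` and `noresetcounter` counters are appended to `authorize` only in this inner-tunnel server; CoovaChilli portal logins (PAP/CHAP to port 1812) are handled by the `default` virtual server, whose role copy is not in this hunk, so confirm the counters are listed there too or the byte limit will not apply to captive-portal users. The stock `radtest ... testing123` examples at the top of the file no longer match `{{ freeradius_secret }}`; harmless, but trimming them avoids sending a reader to the wrong secret.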
@@ -0,0 +1,150 @@ +########################################################################### +# $Id: c5185bee856646733a6bd9b341109cde0688b8f1 $ # +# # +# schema.sql rlm_sql - FreeRADIUS SQL Module # +# # +# Database schema for MySQL rlm_sql module # +# # +# To load: # +# mysql -uroot -prootpass radius < schema.sql # +# # +# Mike Machado # +########################################################################### +# +# Table structure for table 'radacct' +# + +CREATE TABLE radacct ( + radacctid bigint(21) NOT NULL auto_increment, + acctsessionid varchar(64) NOT NULL default '', + acctuniqueid varchar(32) NOT NULL default '', + username varchar(64) NOT NULL default '', + groupname varchar(64) NOT NULL default '', + realm varchar(64) default '', + nasipaddress varchar(15) NOT NULL default '', + nasportid varchar(15) default NULL, + nasporttype varchar(32) default NULL, + acctstarttime datetime NULL default NULL, + acctupdatetime datetime NULL default NULL, + acctstoptime datetime NULL default NULL, + acctinterval int(12) default NULL, + acctsessiontime int(12) unsigned default NULL, + acctauthentic varchar(32) default NULL, + connectinfo_start varchar(50) default NULL, + connectinfo_stop varchar(50) default NULL, + acctinputoctets bigint(20) default NULL, + acctoutputoctets bigint(20) default NULL, + calledstationid varchar(50) NOT NULL default '', + callingstationid varchar(50) NOT NULL default '', + acctterminatecause varchar(32) NOT NULL default '', + servicetype varchar(32) default NULL, + framedprotocol varchar(32) default NULL, + framedipaddress varchar(15) NOT NULL default '', + PRIMARY KEY (radacctid), + UNIQUE KEY acctuniqueid (acctuniqueid), + KEY username (username), + KEY framedipaddress (framedipaddress), + KEY acctsessionid (acctsessionid), + KEY acctsessiontime (acctsessiontime), + KEY acctstarttime (acctstarttime), + KEY acctinterval (acctinterval), + KEY acctstoptime (acctstoptime), + KEY nasipaddress (nasipaddress) +) ENGINE = INNODB; + +# +# 
Table structure for table 'radcheck' +# + +CREATE TABLE radcheck ( + id int(11) unsigned NOT NULL auto_increment, + username varchar(64) NOT NULL default '', + attribute varchar(64) NOT NULL default '', + op char(2) NOT NULL DEFAULT '==', + value varchar(253) NOT NULL default '', + PRIMARY KEY (id), + KEY username (username(32)) +); + +# +# Table structure for table 'radgroupcheck' +# + +CREATE TABLE radgroupcheck ( + id int(11) unsigned NOT NULL auto_increment, + groupname varchar(64) NOT NULL default '', + attribute varchar(64) NOT NULL default '', + op char(2) NOT NULL DEFAULT '==', + value varchar(253) NOT NULL default '', + PRIMARY KEY (id), + KEY groupname (groupname(32)) +); + +# +# Table structure for table 'radgroupreply' +# + +CREATE TABLE radgroupreply ( + id int(11) unsigned NOT NULL auto_increment, + groupname varchar(64) NOT NULL default '', + attribute varchar(64) NOT NULL default '', + op char(2) NOT NULL DEFAULT '=', + value varchar(253) NOT NULL default '', + PRIMARY KEY (id), + KEY groupname (groupname(32)) +); + +# +# Table structure for table 'radreply' +# + +CREATE TABLE radreply ( + id int(11) unsigned NOT NULL auto_increment, + username varchar(64) NOT NULL default '', + attribute varchar(64) NOT NULL default '', + op char(2) NOT NULL DEFAULT '=', + value varchar(253) NOT NULL default '', + PRIMARY KEY (id), + KEY username (username(32)) +); + + +# +# Table structure for table 'radusergroup' +# + +CREATE TABLE radusergroup ( + username varchar(64) NOT NULL default '', + groupname varchar(64) NOT NULL default '', + priority int(11) NOT NULL default '1', + KEY username (username(32)) +); + +# +# Table structure for table 'radpostauth' +# +CREATE TABLE radpostauth ( + id int(11) NOT NULL auto_increment, + username varchar(64) NOT NULL default '', + pass varchar(64) NOT NULL default '', + reply varchar(32) NOT NULL default '', + authdate timestamp NOT NULL, + PRIMARY KEY (id) +) ENGINE = INNODB; + +# +# Table structure for table 'nas' +# +CREATE 
TABLE nas ( + id int(10) NOT NULL auto_increment, + nasname varchar(128) NOT NULL, + shortname varchar(32), + type varchar(30) DEFAULT 'other', + ports int(5), + secret varchar(60) DEFAULT 'secret' NOT NULL, + server varchar(64), + community varchar(50), + description varchar(200) DEFAULT 'RADIUS Client', + PRIMARY KEY (id), + KEY nasname (nasname) +); diff --git a/roles/network/templates/radius/setup.sql.j2 b/roles/network/templates/radius/setup.sql.j2 new file mode 100755 index 00000000..efc7c257 --- /dev/null +++ b/roles/network/templates/radius/setup.sql.j2 @@ -0,0 +1,24 @@ +# -*- text -*- +## +## admin.sql -- MySQL commands for creating the RADIUS user. +## +## WARNING: You should change 'localhost' and 'radpass' +## to something else. Also update raddb/sql.conf +## with the new RADIUS password. +## +## $Id: aff0505a473c67b65cfc19fae079454a36d4e119 $ + +# +# Create default administrator for RADIUS +# +CREATE USER 'radius'@'localhost'; +SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('{{ freeradius_db_password }}'); + +# The server can read any table in SQL +GRANT SELECT ON radius.* TO 'radius'@'localhost'; + +# The server can write to the accounting and post-auth logging table. +# +# i.e. +GRANT ALL on radius.radacct TO 'radius'@'localhost'; +GRANT ALL on radius.radpostauth TO 'radius'@'localhost'; diff --git a/roles/network/templates/radius/sql.j2 b/roles/network/templates/radius/sql.j2 new file mode 100644 index 00000000..103d126d --- /dev/null +++ b/roles/network/templates/radius/sql.j2 
@@ -0,0 +1,220 @@ +# -*- text -*- +## +## sql.conf -- SQL modules +## +## $Id: 29fb4b28e1b085d66415052dcdb5cc255392dcc3 $ + +###################################################################### +# +# Configuration for the SQL module +# +# The database schemas and queries are located in subdirectories: +# +# sql//main/schema.sql Schema +# sql//main/queries.conf Authorisation and Accounting queries +# +# Where "DB" is mysql, mssql, oracle, or postgresql. +# +# + +sql { + # The sub-module to use to execute queries. This should match + # the database you're attempting to connect to. + # + # * rlm_sql_mysql + # * rlm_sql_mssql + # * rlm_sql_oracle + # * rlm_sql_postgresql + # * rlm_sql_sqlite + # * rlm_sql_null (log queries to disk) + # + # anish driver = "rlm_sql_null" + driver = "rlm_sql_mysql" + +# +# Several drivers accept specific options, to set them, a +# config section with the the name as the driver should be added +# to the sql instance. +# +# Driver specific options are: +# +# sqlite { +# # Path to the sqlite database +# filename = "/tmp/freeradius.db" +# +# # If the file above does not exist and bootstrap is set +# # a new database file will be created, and the SQL statements +# # contained within the file will be executed. +# bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql" +# } +# +# mysql { +# # If any of the files below are set, TLS encryption is enabled +# tls { +# ca_file = "/etc/ssl/certs/my_ca.crt" +# ca_path = "/etc/ssl/certs/" +# certificate_file = "/etc/ssl/certs/private/client.crt" +# private_key_file = "/etc/ssl/certs/private/client.key" +# cipher = "DHE-RSA-AES256-SHA:AES128-SHA" +# } +# } +# +# postgresql { +# # Send application_name to the postgres server +# # Only supported in PG 9.0 and greater. Defaults to no. +# send_application_name = yes +# } +# + + # The dialect of SQL you want to use, this should usually match + # the driver you selected above. 
+ # + # If you're using rlm_sql_null, then it should be the type of + # database the logged queries are going to be executed against. + # dialect = "sqlite" + dialect = "mysql" + + # Connection info: + # + server = "localhost" + port = 3306 + login = "radius" + password = {{ freeradius_db_password }} + + # Database table configuration for everything except Oracle + radius_db = "radius" + + # If you are using Oracle then use this instead +# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))" + + # If you're using postgresql this can also be used instead of the connection info parameters +# radius_db = "dbname=radius host=localhost user=radius password=raddpass" + + # If you want both stop and start records logged to the + # same SQL table, leave this as is. If you want them in + # different tables, put the start table in acct_table1 + # and stop table in acct_table2 + acct_table1 = "radacct" + acct_table2 = "radacct" + + # Allow for storing data after authentication + postauth_table = "radpostauth" + + # Tables containing 'check' items + authcheck_table = "radcheck" + groupcheck_table = "radgroupcheck" + + # Tables containing 'reply' items + authreply_table = "radreply" + groupreply_table = "radgroupreply" + + # Table to keep group info + usergroup_table = "radusergroup" + + # If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table. + # If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table. + read_groups = yes + + # If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table. + # If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table. + read_profiles = yes + + # Remove stale session if checkrad does not see a double login + delete_stale_sessions = yes + + # Write SQL queries to a logfile. This is potentially useful for tracing + # issues with authorization queries. 
+ logfile = ${logdir}/sqllog.sql + + # As of version 3.0, the "pool" section has replaced the + # following configuration items: + # + # num_sql_socks + # connect_failure_retry_delay + # lifetime + # max_queries + + # + # The connection pool is new for 3.0, and will be used in many + # modules, for all kinds of connection-related activity. + # + # When the server is not threaded, the connection pool + # limits are ignored, and only one connection is used. + # + # If you want to have multiple SQL modules re-use the same + # connection pool, use "pool = name" instead of a "pool" + # section. e.g. + # + # sql1 { + # ... + # pool { + # ... + # } + # } + # + # # sql2 will use the connection pool from sql1 + # sql2 { + # ... + # pool = sql1 + # } + # + pool { + # Number of connections to start + start = 5 + + # Minimum number of connections to keep open + min = 4 + + # Maximum number of connections + # + # If these connections are all in use and a new one + # is requested, the request will NOT get a connection. + # + # Setting 'max' to LESS than the number of threads means + # that some threads may starve, and you will see errors + # like "No connections available and at max connection limit" + # + # Setting 'max' to MORE than the number of threads means + # that there are more connections than necessary. + # + max = ${thread[pool].max_servers} + + # Spare connections to be left idle + # + # NOTE: Idle connections WILL be closed if "idle_timeout" + # is set. + spare = 3 + + # Number of uses before the connection is closed + # + # 0 means "infinite" + uses = 0 + + # The lifetime (in seconds) of the connection + lifetime = 0 + + # idle timeout (in seconds). A connection which is + # unused for this length of time will be closed. + idle_timeout = 60 + + # NOTE: All configuration settings are enforced. If a + # connection is closed because of "idle_timeout", + # "uses", or "lifetime", then the total number of + # connections MAY fall below "min". 
When that + # happens, it will open a new connection. It will + # also log a WARNING message. + # + # The solution is to either lower the "min" connections, + # or increase lifetime/idle_timeout. + } + + # Set to 'yes' to read radius clients from the database ('nas' table) + # Clients will ONLY be read on server startup. + read_clients = yes + + # Table to keep radius client info + client_table = "nas" + + # Read database-specific queries + $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf +} From 5c89d9fc2559c84250d2642a0ee0bb4df477410d Mon Sep 17 00:00:00 2001 
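Review bot: `password = {{ freeradius_db_password }}` is the only unquoted string in the connection block; a value containing spaces or `#` would be truncated or break the module config, so write it as `password = "{{ freeradius_db_password }}"` to match `login = "radius"` just above it. `logfile = ${logdir}/sqllog.sql` records every query the module issues, which, depending on the included queries.conf, can include attributes copied from Access-Request packets; leaving it commented out except when debugging, or at least restricting the file's permissions, would be safer. With `read_clients = yes` every row of the `nas` table becomes a trusted RADIUS client at startup, so the schema's `DEFAULT 'secret'` on `nas.secret` must never reach that table unchanged; a comment here saying so would help the next operator.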
From: Anish Mangal Date: Sun, 2 Oct 2016 13:21:04 +0530 Subject: [PATCH 07/13] Captive portal: Repo update, and move to its own roles folder --- roles/0-once/tasks/fedora.yml | 1 + roles/0-once/tasks/prep.yml | 7 +++++ roles/0-once/templates/captive-portal.repo | 7 +++++ roles/6-generic-apps/meta/main.yml | 1 + roles/captive_portal/defaults/main.yml | 7 +++++ .../files/radius/default | 0 .../files/radius/radiusd.conf | 0 roles/captive_portal/tasks/coova-chilli.yml | 26 +++++++++++++++++++ .../tasks/daloradius.yml | 0 roles/captive_portal/tasks/main.yml | 8 ++++++ .../tasks/radius.yml | 3 +++ .../templates/chilli/config.j2 | 8 +++--- .../templates/chilli/ipup.sh.j2 | 4 +++ .../templates/daloradius/daloradius.conf.j2 | 0 .../templates/radius/chillispot.conf | 0 .../templates/radius/clients.conf.j2 | 0 .../templates/radius/inner-tunnel | 0 .../templates/radius/schema.sql.j2 | 0 .../templates/radius/setup.sql.j2 | 6 ++--- .../templates/radius/sql.j2 | 0 roles/kalite/tasks/install.yml | 4 +-- roles/network/defaults/main.yml | 5 ---- roles/network/tasks/coova-chilli.yml | 0 roles/network/tasks/main.yml | 6 ----- roles/network/templates/chilli/ifup.sh | 4 --- 25 files changed, 73 insertions(+), 24 deletions(-) create mode 100644 roles/0-once/templates/captive-portal.repo create mode 100644 roles/captive_portal/defaults/main.yml rename roles/{network => captive_portal}/files/radius/default (100%) rename roles/{network => captive_portal}/files/radius/radiusd.conf (100%) create mode 100644 roles/captive_portal/tasks/coova-chilli.yml rename roles/{network => captive_portal}/tasks/daloradius.yml (100%) create mode 100644 roles/captive_portal/tasks/main.yml rename roles/{network => captive_portal}/tasks/radius.yml (95%) rename roles/{network => captive_portal}/templates/chilli/config.j2 (96%) create mode 100755 roles/captive_portal/templates/chilli/ipup.sh.j2 rename roles/{network => captive_portal}/templates/daloradius/daloradius.conf.j2 (100%) rename roles/{network => 
captive_portal}/templates/radius/chillispot.conf (100%) rename roles/{network => captive_portal}/templates/radius/clients.conf.j2 (100%) rename roles/{network => captive_portal}/templates/radius/inner-tunnel (100%) rename roles/{network => captive_portal}/templates/radius/schema.sql.j2 (100%) rename roles/{network => captive_portal}/templates/radius/setup.sql.j2 (76%) rename roles/{network => captive_portal}/templates/radius/sql.j2 (100%) delete mode 100644 roles/network/tasks/coova-chilli.yml delete mode 100755 roles/network/templates/chilli/ifup.sh diff --git a/roles/0-once/tasks/fedora.yml b/roles/0-once/tasks/fedora.yml index dffd6858..6272b3f5 100644 --- a/roles/0-once/tasks/fedora.yml +++ b/roles/0-once/tasks/fedora.yml @@ -14,3 +14,4 @@ - /etc/yum.repos.d/fedora.repo - /etc/yum.repos.d/fedora-updates.repo - /etc/yum.repos.d/fedora-updates-testing.repo + diff --git a/roles/0-once/tasks/prep.yml b/roles/0-once/tasks/prep.yml index 2619c4b3..d2582a92 100644 --- a/roles/0-once/tasks/prep.yml +++ b/roles/0-once/tasks/prep.yml @@ -16,6 +16,13 @@ owner=root mode=0666 +- name: Install captive-portal repo + template: backup=yes + dest=/etc/yum.repos.d/captive-portal.repo + src=captive-portal.repo + owner=root + mode=0666 + - name: Install rpmfusion-free-updates repo -- for exfat template: dest=/etc/yum.repos.d/rpmfusion-free-updates.repo src=rpmfusion-free-updates.repo diff --git a/roles/0-once/templates/captive-portal.repo b/roles/0-once/templates/captive-portal.repo new file mode 100644 index 00000000..b2bc6b3d --- /dev/null +++ b/roles/0-once/templates/captive-portal.repo @@ -0,0 +1,7 @@ +[captive-portal] +name=captive-portal +failovermethod=priority +baseurl=http://people.sugarlabs.org/anish/captive-portal-repo/ +enabled=1 +metadata_expire=1d +gpgcheck=0 diff --git a/roles/6-generic-apps/meta/main.yml b/roles/6-generic-apps/meta/main.yml index 4c936932..3c70aa64 100644 --- a/roles/6-generic-apps/meta/main.yml +++ b/roles/6-generic-apps/meta/main.yml 
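Review bot: The new task writes /etc/yum.repos.d/captive-portal.repo with `mode=0666`, which lets any local account rewrite the repository URL and so decide what the later `yum` install of coova-chilli pulls in. A repo file only needs to be readable: `mode=0644`. The neighbouring tasks use the same mode, so this copies an existing pattern rather than introducing one, but it is worth correcting here instead of propagating it.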
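Review bot: `gpgcheck=0` together with a plain-http `baseurl` means the coova-chilli and haserl packages installed from this repository are neither signature-checked nor fetched over an authenticated channel, so anything on the network path can substitute them. If the repository cannot be signed, serve it over https and pin the expected package checksums; otherwise set `gpgcheck=1` and ship the signing key via `gpgkey=`. A one-line comment stating why verification is disabled would help whoever revisits this file.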
@@ -1,5 +1,6 @@ dependencies: - { role: mysql, tags: ['generic','mysql'], when: mysql_install } + - { role: captive_portal, tags: ['generic','radius','captive_portal'] } - { role: elgg, tags: ['generic','elgg'], when: elgg_install } - { role: owncloud, tags: ['generic','owncloud'], when: owncloud_install } - { role: dokuwiki, tags: ['generic','dokuwiki'], when: dokuwiki_install } diff --git a/roles/captive_portal/defaults/main.yml b/roles/captive_portal/defaults/main.yml new file mode 100644 index 00000000..17317c17 --- /dev/null +++ b/roles/captive_portal/defaults/main.yml @@ -0,0 +1,7 @@ +--- +# The values here are default local variables. +captive_portal: True +freeradius_db_password: g0adm1n +freeradius_admin_user: xsce-admin +freeradius_admin_password: g0adm1n +freeradius_secret: g0adm1n diff --git a/roles/network/files/radius/default b/roles/captive_portal/files/radius/default similarity index 100% rename from roles/network/files/radius/default rename to roles/captive_portal/files/radius/default diff --git a/roles/network/files/radius/radiusd.conf b/roles/captive_portal/files/radius/radiusd.conf similarity index 100% rename from roles/network/files/radius/radiusd.conf rename to roles/captive_portal/files/radius/radiusd.conf diff --git a/roles/captive_portal/tasks/coova-chilli.yml b/roles/captive_portal/tasks/coova-chilli.yml new file mode 100644 index 00000000..69008a9d --- /dev/null +++ b/roles/captive_portal/tasks/coova-chilli.yml 
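Review bot: The `captive_portal` dependency is the only entry in this list without a `when:` guard, so the role runs on every host while its siblings are gated by their `*_install` flags; the `captive_portal: True` default added in the same commit suggests such a gate was intended. `- { role: captive_portal, tags: ['generic','radius','captive_portal'], when: captive_portal }` would keep it consistent with the other entries.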
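Review bot: `freeradius_db_password`, `freeradius_admin_password` and `freeradius_secret` all default to the same literal `g0adm1n`; the commit only moves these values from roles/network/defaults, but this new file is where a deployer will look, and a RADIUS shared secret that equals the database password and is published in the repository protects nothing. A comment such as `# Placeholder values - override all four in local vars before deploying` makes the expectation explicit; generating per-host values would be better still. The same secret is also templated into the coova-chilli config later in this commit, so it is shared across components.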
@@ -0,0 +1,26 @@ +- name: Install coova-chilli and dependencies + yum: name={{ item }} + state=installed + with_items: + - coova-chilli + - haserl + tags: + - download + +- name: Copy coova-chilli config files + template: src={{ item.src }} + dest={{ item.dest }} + owner={{ item.owner }} + group={{ item.group }} + mode={{ item.mode }} + with_items: + - src: 'chilli/config.j2' + dest: '/etc/chilli/config' + owner: 'root' + group: 'root' + mode: '0755' + - src: 'chilli/ipup.sh.j2' + dest: '/etc/chilli/ipup.sh' + owner: 'root' + group: 'root' + mode: '0755' diff --git a/roles/network/tasks/daloradius.yml b/roles/captive_portal/tasks/daloradius.yml similarity index 100% rename from roles/network/tasks/daloradius.yml rename to roles/captive_portal/tasks/daloradius.yml diff --git a/roles/captive_portal/tasks/main.yml b/roles/captive_portal/tasks/main.yml new file mode 100644 index 00000000..0a172d64 --- /dev/null +++ b/roles/captive_portal/tasks/main.yml @@ -0,0 +1,8 @@ +- include: radius.yml + when: not xsce_prepped + tags: + - radius + +- name: ask systemd to reread the unit files, picks up changes done + shell: systemctl daemon-reload + when: not installing diff --git a/roles/network/tasks/radius.yml b/roles/captive_portal/tasks/radius.yml similarity index 95% rename from roles/network/tasks/radius.yml rename to roles/captive_portal/tasks/radius.yml index f5c40345..f46fadaf 100644 --- a/roles/network/tasks/radius.yml +++ b/roles/captive_portal/tasks/radius.yml @@ -11,6 +11,9 @@ - name: Create a new database with name radius mysql_db: name=radius state=present +- name: Create the radius user + mysql_user: name=radius password={{ freeradius_db_password }} priv=*.*:SELECT state=present + - name: Copy database dump file setup.sql to remote host... template: src=radius/setup.sql.j2 dest=/tmp/setup.sql 
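Review bot: `/etc/chilli/config` is installed with `mode: '0755'` although the template writes the RADIUS shared secret (`HS_RADSECRET`) and, in a later commit on this page, the admin password into it; a world-readable file hands both to every local account. Use `mode: '0640'` (or `'0600'`) for the config entry and keep `'0755'` only for `ipup.sh`, which has to be executable. If chilli does not run as root, the group on the config would need to match the service user; that is not visible here.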
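Review bot: `priv=*.*:SELECT` gives the `radius` account read access to every database on the server, whereas the `GRANT SELECT ON radius.*` it replaces (commented out in setup.sql.j2 later in this commit) was scoped to the radius database, which also holds the elgg and other application data on the same MySQL instance only in the broad sense that they share a server. Since setup.sql still grants `ALL` on `radius.radacct` and `radius.radpostauth`, the least privilege here is `priv=radius.*:SELECT`. A short comment in this task pointing at the remaining grants in setup.sql.j2 would stop the two from drifting further apart.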
diff --git a/roles/network/templates/chilli/config.j2 b/roles/captive_portal/templates/chilli/config.j2 similarity index 96% rename from roles/network/templates/chilli/config.j2 rename to roles/captive_portal/templates/chilli/config.j2 index 174872cd..f9bf1391 100644 --- a/roles/network/templates/chilli/config.j2 +++ b/roles/captive_portal/templates/chilli/config.j2 @@ -10,8 +10,8 @@ # Local Network Configurations # -HS_WANIF=enp3s0 # WAN Interface toward the Internet -HS_LANIF=br0 # Subscriber Interface for client devices +HS_WANIF="{{ xsce_wan_iface }}" # WAN Interface toward the Internet +HS_LANIF="{{ xsce_lan_iface }}" # Subscriber Interface for client devices #HS_NETWORK=10.1.0.0 # HotSpot Network (must include HS_UAMLISTEN) HS_NETWORK=172.18.100.0 # HotSpot Network (must include HS_UAMLISTEN) HS_NETMASK=255.255.0.0 # HotSpot Network Netmask @@ -39,7 +39,7 @@ HS_NASID=nas01 HS_RADIUS=localhost HS_RADIUS2=localhost # HS_UAMALLOW=www.coova.org -HS_RADSECRET=testing123 # Set to be your RADIUS shared secret +HS_RADSECRET={{ freeradius_secret }} # Set to be your RADIUS shared secret HS_UAMSECRET=change-me # Set to be your UAM secret HS_UAMALIASNAME=chilli @@ -152,7 +152,7 @@ HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html # The up.sh script will allow these local ports to be used, while the default # is to block all unwanted traffic to the tun/tap. # -HS_TCP_PORTS="80 443 8008 3000" +HS_TCP_PORTS="22 80 443 8008 3000" HS_UDP_PORTS="1701" ### diff --git a/roles/captive_portal/templates/chilli/ipup.sh.j2 b/roles/captive_portal/templates/chilli/ipup.sh.j2 new file mode 100755 index 00000000..bdf53372 --- /dev/null +++ b/roles/captive_portal/templates/chilli/ipup.sh.j2 @@ -0,0 +1,4 @@ +#!/bin/sh +# +#Allow IP masquerading through this box +/usr/sbin/iptables -t nat -A POSTROUTING -o "{{ xsce_wan_iface }}" -j MASQUERADE 
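Review bot: Adding `22` to `HS_TCP_PORTS` lets unauthenticated hotspot clients reach the server's SSH port before they pass the captive portal, which is the one service most worth keeping behind authentication; if administrative access from the LAN is the goal, an explicit firewall rule keyed on the admin source is narrower than opening the port to every client. The commit templates `HS_RADSECRET` but leaves the context line `HS_UAMSECRET=change-me` as the upstream placeholder, so one of the two secrets in this file is still literal. Quoting the templated value, `HS_RADSECRET="{{ freeradius_secret }}"`, keeps the line valid if the secret ever contains shell-significant characters and matches how `HS_WANIF` is quoted above.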
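Review bot: The MASQUERADE rule is appended with `-A` every time the script runs, so each chilli restart adds another identical POSTROUTING entry; guard it with a check first, `/usr/sbin/iptables -t nat -C POSTROUTING -o "{{ xsce_wan_iface }}" -j MASQUERADE 2>/dev/null || /usr/sbin/iptables -t nat -A POSTROUTING -o "{{ xsce_wan_iface }}" -j MASQUERADE`. A later commit on this page treats `"none"` as a possible value of `xsce_wan_iface`, in which case this rule would target an interface literally named `none`; an early `[ "{{ xsce_wan_iface }}" != "none" ] || exit 0` would cover that.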
diff --git a/roles/network/templates/daloradius/daloradius.conf.j2 b/roles/captive_portal/templates/daloradius/daloradius.conf.j2 similarity index 100% rename from roles/network/templates/daloradius/daloradius.conf.j2 rename to roles/captive_portal/templates/daloradius/daloradius.conf.j2 diff --git a/roles/network/templates/radius/chillispot.conf b/roles/captive_portal/templates/radius/chillispot.conf similarity index 100% rename from roles/network/templates/radius/chillispot.conf rename to roles/captive_portal/templates/radius/chillispot.conf diff --git a/roles/network/templates/radius/clients.conf.j2 b/roles/captive_portal/templates/radius/clients.conf.j2 similarity index 100% rename from roles/network/templates/radius/clients.conf.j2 rename to roles/captive_portal/templates/radius/clients.conf.j2 diff --git a/roles/network/templates/radius/inner-tunnel b/roles/captive_portal/templates/radius/inner-tunnel similarity index 100% rename from roles/network/templates/radius/inner-tunnel rename to roles/captive_portal/templates/radius/inner-tunnel diff --git a/roles/network/templates/radius/schema.sql.j2 b/roles/captive_portal/templates/radius/schema.sql.j2 similarity index 100% rename from roles/network/templates/radius/schema.sql.j2 rename to roles/captive_portal/templates/radius/schema.sql.j2 diff --git a/roles/network/templates/radius/setup.sql.j2 b/roles/captive_portal/templates/radius/setup.sql.j2 similarity index 76% rename from roles/network/templates/radius/setup.sql.j2 rename to roles/captive_portal/templates/radius/setup.sql.j2 index efc7c257..44b853aa 100755 --- a/roles/network/templates/radius/setup.sql.j2 +++ b/roles/captive_portal/templates/radius/setup.sql.j2 
@@ -11,11 +11,11 @@ # # Create default administrator for RADIUS # -CREATE USER 'radius'@'localhost'; -SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('{{ freeradius_db_password }}'); +# CREATE USER 'radius'@'localhost'; +# SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('{{ freeradius_db_password }}'); # The server can read any table in SQL -GRANT SELECT ON radius.* TO 'radius'@'localhost'; +# GRANT SELECT ON radius.* TO 'radius'@'localhost'; # The server can write to the accounting and post-auth logging table. # diff --git a/roles/network/templates/radius/sql.j2 b/roles/captive_portal/templates/radius/sql.j2 similarity index 100% rename from roles/network/templates/radius/sql.j2 rename to roles/captive_portal/templates/radius/sql.j2 diff --git a/roles/kalite/tasks/install.yml b/roles/kalite/tasks/install.yml index af52a4f7..328c9afa 100644 --- a/roles/kalite/tasks/install.yml +++ b/roles/kalite/tasks/install.yml @@ -37,14 +37,14 @@ - name: Download khan assessments get_url: url={{ khan_assessment_url }} dest={{ downloads_dir }}/khan_assessment.zip - async: 2000 + async: 4000 tags: - download2 - name: wait until the file becomes available wait_for: path={{ downloads_dir }}/khan_assessment.zip state=present - timeout=2000 + timeout=4000 - name: Install kalite with pip pip: name={{ item }} diff --git a/roles/network/defaults/main.yml b/roles/network/defaults/main.yml index 1b3d9aef..a45c4ec4 100644 --- a/roles/network/defaults/main.yml +++ b/roles/network/defaults/main.yml @@ -9,8 +9,3 @@ host_wifi_mode: g host_channel: 6 host_wireless_n: False host_country_code: US -captive_portal: True -freeradius_db_password: g0adm1n -freeradius_admin_user: xsce-admin -freeradius_admin_password: g0adm1n -freeradius_secret: g0adm1n diff --git a/roles/network/tasks/coova-chilli.yml b/roles/network/tasks/coova-chilli.yml deleted file mode 100644 index e69de29b..00000000 diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml index b38a1d49..78e07d8a 100644 
--- a/roles/network/tasks/main.yml +++ b/roles/network/tasks/main.yml @@ -86,12 +86,6 @@ tags: - network -- include: radius.yml - when: not xsce_prepped - tags: - - radius - - network - - name: ask systemd to reread the unit files, picks up changes done shell: systemctl daemon-reload when: not installing diff --git a/roles/network/templates/chilli/ifup.sh b/roles/network/templates/chilli/ifup.sh deleted file mode 100755 index 7b0ef278..00000000 --- a/roles/network/templates/chilli/ifup.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -# -#Allow IP masquerading through this box -/usr/sbin/iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE From 3bf9fe437216eb3692a51a6b57c544b0b9f881c0 Mon Sep 17 00:00:00 2001 From: Anish Mangal Date: Mon, 3 Oct 2016 15:59:45 +0530 Subject: [PATCH 08/13] Enable radius when setup. Added daloradius --- roles/captive_portal/defaults/main.yml | 4 +++ roles/captive_portal/tasks/daloradius.yml | 35 +++++++++++++++++++ roles/captive_portal/tasks/main.yml | 24 +++++++++++++ roles/captive_portal/tasks/radius.yml | 4 +++ .../templates/daloradius/daloradius.conf.j2 | 4 +-- 5 files changed, 69 insertions(+), 2 deletions(-) diff --git a/roles/captive_portal/defaults/main.yml b/roles/captive_portal/defaults/main.yml index 17317c17..9ed1ca92 100644 --- a/roles/captive_portal/defaults/main.yml +++ b/roles/captive_portal/defaults/main.yml @@ -5,3 +5,7 @@ freeradius_db_password: g0adm1n freeradius_admin_user: xsce-admin freeradius_admin_password: g0adm1n freeradius_secret: g0adm1n +daloradius_src_file: daloradius +daloradius_path: /opt +freeradius_db_setup: False +daloradius_db_setup: False diff --git a/roles/captive_portal/tasks/daloradius.yml b/roles/captive_portal/tasks/daloradius.yml index e69de29b..4c346c7c 100644 --- a/roles/captive_portal/tasks/daloradius.yml +++ b/roles/captive_portal/tasks/daloradius.yml 
@@ -0,0 +1,35 @@
+- name: Get the daloradius software
+ get_url: url=http://people.sugarlabs.org/anish/daloradius-0.9-9.tar.gz dest={{ downloads_dir }}/{{ daloradius_src_file }}
+ when: not {{ use_cache }} and not {{ no_network }}
+ async: 300
+ poll: 5
+ tags:
+ - download2
+
+- name: Copy it to permanent location /opt
+ unarchive: src={{ downloads_dir }}/{{ daloradius_src_file }}
+ dest={{ daloradius_path }}
+
+- name: Change ownership of daloradius directory
+ shell: chown -R apache:apache "{{ daloradius_path }}/daloradius-0.9-9/"
+
+- name: Change permissions of daloradius.conf.php
+ shell: chmod 644 "{{ daloradius_path }}/daloradius-0.9-9/library/daloradius.conf.php"
+
+- name: Copy database dump file mysql-daloradius.sql to remote host and restore it to database radius
+ template: src="{{ daloradius_path }}/daloradius-0.9-9/contrib/db/mysql-daloradius.sql" dest=/tmp/mysql-daloradius.sql
+
+- name: ... and restore it to database radius
+ mysql_db: name=radius state=import target=/tmp/mysql-daloradius.sql
+
+- name: Copy the daloradius apache conf file into apache conf directory
+ template: src=daloradius/daloradius.conf.j2 dest=/etc/httpd/conf.d/daloradius.conf
+
+- name: Edit daloradius.conf.php with correct values - CONFIG_DB_USER
+ lineinfile: dest="{{ daloradius_path }}/daloradius-0.9-9/library/daloradius.conf.php" regexp=CONFIG_DB_USER line="$configValues['CONFIG_DB_USER'] = 'radius';"
+
+- name: Edit daloradius.conf.php with correct values - CONFIG_DB_PASS
+ lineinfile: dest="{{ daloradius_path }}/daloradius-0.9-9/library/daloradius.conf.php" regexp=CONFIG_DB_PASS line="$configValues['CONFIG_DB_PASS'] = '{{ freeradius_db_password }}';"
+
+- name: Edit daloradius.conf.php with correct values - CONFIG_MAINT_TEST_USER_RADIUSSECRET
+ lineinfile: dest="{{ daloradius_path }}/daloradius-0.9-9/library/daloradius.conf.php" regexp=CONFIG_MAINT_TEST_USER_RADIUSSECRET line="$configValues['CONFIG_MAINT_TEST_USER_RADIUSSECRET'] = '{{ freeradius_secret }}';"
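Review bot: The tarball is fetched from a plain-http URL with no `checksum=` on `get_url`, then unpacked and served by Apache, so an on-path substitution becomes a web application running as `apache`; `get_url` accepts `checksum=sha256:<expected-digest>` and at minimum that should pin the archive. `daloradius.conf.php` is set to `644` and then has `CONFIG_DB_PASS` and the RADIUS secret written into it, which makes both readable by every local account; `0640` owned by `apache` is enough for the web server. `template:` with an absolute `src` under `{{ daloradius_path }}` reads from the controller and only works because this playbook runs on the target itself; `mysql_db: state=import` can take that path as `target=` directly and skip the /tmp copy. Replacing the `shell: chown`/`chmod` tasks with `file: ... owner=apache group=apache recurse=yes` would also make the role idempotent and report changes accurately.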
diff --git a/roles/captive_portal/tasks/main.yml b/roles/captive_portal/tasks/main.yml index 0a172d64..cbdd69a8 100644 --- a/roles/captive_portal/tasks/main.yml +++ b/roles/captive_portal/tasks/main.yml @@ -6,3 +6,27 @@ - name: ask systemd to reread the unit files, picks up changes done shell: systemctl daemon-reload when: not installing + +- name: Enable radiusd if squid, dansguardian disabled + service: name=radiusd enabled=yes + when: (not squid_enabled) and (not dansduardian_enabled) + +- name: Enable coova-chilli if squid, dansguardian disabled + service: name=chilli enabled=yes + when: (not squid_enabled) and (not dansduardian_enabled) + +- name: Disable dhcpd + service: name=dhcpd enabled=no + when: (not squid_enabled) and (not dansduardian_enabled) + +- name: Stop dhcpd + service: name=dhcpd state=stopped + +- name: Start radiusd + service: name=radiusd state=started + +- name: Start coova-chilli + service: name=chilli state=started + +- name: Restart apache + service: name=httpd state=restarted diff --git a/roles/captive_portal/tasks/radius.yml b/roles/captive_portal/tasks/radius.yml index f46fadaf..e9fab6d1 100644 --- a/roles/captive_portal/tasks/radius.yml +++ b/roles/captive_portal/tasks/radius.yml @@ -8,6 +8,10 @@ tags: - download +- name: Remove the radius database if it exists + mysql_db: name=radius state=absent + ignore_errors: yes + - name: Create a new database with name radius mysql_db: name=radius state=present diff --git a/roles/captive_portal/templates/daloradius/daloradius.conf.j2 b/roles/captive_portal/templates/daloradius/daloradius.conf.j2 index 7a5f1788..74519596 100644 --- a/roles/captive_portal/templates/daloradius/daloradius.conf.j2 +++ b/roles/captive_portal/templates/daloradius/daloradius.conf.j2 @@ -1,7 +1,7 @@ RewriteEngine on -Alias /daloradius /opt/schoolserver/daloradius - +Alias /daloradius /opt/daloradius-0.9-9 + Options Indexes FollowSymLinks AllowOverride All Require all granted 
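Review bot: `mysql_db: name=radius state=absent` drops the whole radius database every time radius.yml runs, and the include is gated only on `not xsce_prepped`, so a re-run after a failed prep discards all accounting (`radacct`) and post-auth history along with any users added through daloradius. Gate the drop on an explicit opt-in (the `freeradius_db_setup: False` default added in this same commit looks intended for exactly that) and say in a comment that this is a destructive reset, not setup. `ignore_errors: yes` also hides a genuine failure to drop, after which the following import runs against stale tables.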
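Review bot: The alias target `/opt/daloradius-0.9-9` hard-codes the prefix that the tasks file derives from `{{ daloradius_path }}`, so the two can drift; `Alias /daloradius {{ daloradius_path }}/daloradius-0.9-9` keeps them aligned. The enclosing directory block (context lines) carries `Options Indexes` and `Require all granted`, and this UI administers the radius database whose `nas` table sql.j2 loads as trusted clients, so restricting it to the admin network and dropping `Indexes` is worth considering.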
From 23a9a47aba12a92c1d07c975ade0a27780672ad3 Mon Sep 17 00:00:00 2001 From: Anish Mangal Date: Mon, 3 Oct 2016 16:08:01 +0530 Subject: [PATCH 09/13] Remove spurious variables from captive_portal/defaults --- roles/captive_portal/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/captive_portal/defaults/main.yml b/roles/captive_portal/defaults/main.yml index 9ed1ca92..1f4a023d 100644 --- a/roles/captive_portal/defaults/main.yml +++ b/roles/captive_portal/defaults/main.yml @@ -7,5 +7,3 @@ freeradius_admin_password: g0adm1n freeradius_secret: g0adm1n daloradius_src_file: daloradius daloradius_path: /opt -freeradius_db_setup: False -daloradius_db_setup: False From c0441f8a91d8f7c98b6294f7a4637ab9df82654c Mon Sep 17 00:00:00 2001 From: Anish Mangal Date: Mon, 3 Oct 2016 16:09:47 +0530 Subject: [PATCH 10/13] Captive portal should only work when squid and dansguardian are disabled. Fix an issue --- roles/captive_portal/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/captive_portal/tasks/main.yml b/roles/captive_portal/tasks/main.yml index cbdd69a8..9d2317aa 100644 --- a/roles/captive_portal/tasks/main.yml +++ b/roles/captive_portal/tasks/main.yml @@ -21,12 +21,16 @@ - name: Stop dhcpd service: name=dhcpd state=stopped + when: (not squid_enabled) and (not dansduardian_enabled) - name: Start radiusd service: name=radiusd state=started + when: (not squid_enabled) and (not dansduardian_enabled) - name: Start coova-chilli service: name=chilli state=started + when: (not squid_enabled) and (not dansduardian_enabled) - name: Restart apache service: name=httpd state=restarted + when: (not squid_enabled) and (not dansduardian_enabled) From 3801373f6b029c5cfe5ee412e4c656a6e8d22c9b Mon Sep 17 00:00:00 2001 From: Anish Mangal Date: Tue, 4 Oct 2016 12:06:27 +0530 Subject: [PATCH 11/13] Fix typo with captive portal playbook --- roles/captive_portal/tasks/main.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/roles/captive_portal/tasks/main.yml b/roles/captive_portal/tasks/main.yml index 9d2317aa..d752c1ae 100644 --- a/roles/captive_portal/tasks/main.yml +++ b/roles/captive_portal/tasks/main.yml @@ -9,28 +9,28 @@ - name: Enable radiusd if squid, dansguardian disabled service: name=radiusd enabled=yes - when: (not squid_enabled) and (not dansduardian_enabled) + when: (not squid_enabled) and (not dansguardian_enabled) - name: Enable coova-chilli if squid, dansguardian disabled service: name=chilli enabled=yes - when: (not squid_enabled) and (not dansduardian_enabled) + when: (not squid_enabled) and (not dansguardian_enabled) - name: Disable dhcpd service: name=dhcpd enabled=no - when: (not squid_enabled) and (not dansduardian_enabled) + when: (not squid_enabled) and (not dansguardian_enabled) - name: Stop dhcpd service: name=dhcpd state=stopped - when: (not squid_enabled) and (not dansduardian_enabled) + when: (not squid_enabled) and (not dansguardian_enabled) - name: Start radiusd service: name=radiusd state=started - when: (not squid_enabled) and (not dansduardian_enabled) + when: (not squid_enabled) and (not dansguardian_enabled) - name: Start coova-chilli service: name=chilli state=started - when: (not squid_enabled) and (not dansduardian_enabled) + when: (not squid_enabled) and (not dansguardian_enabled) - name: Restart apache service: name=httpd state=restarted - when: (not squid_enabled) and (not dansduardian_enabled) + when: (not squid_enabled) and (not dansguardian_enabled) From 506469d78c1ed266ff3fcd84e5ca8979e12988d1 Mon Sep 17 00:00:00 2001 From: Anish Mangal Date: Thu, 13 Oct 2016 09:06:21 +0530 Subject: [PATCH 12/13] Fixes to radius.service file and chilli config file --- roles/captive_portal/tasks/main.yml | 3 +++ roles/captive_portal/templates/chilli/config.j2 | 11 +++++++---- roles/captive_portal/templates/chilli/ipup.sh.j2 | 2 ++ 3 files changed, 12 insertions(+), 4 deletions(-) 
diff --git a/roles/captive_portal/tasks/main.yml b/roles/captive_portal/tasks/main.yml index d752c1ae..bb9da6a4 100644 --- a/roles/captive_portal/tasks/main.yml +++ b/roles/captive_portal/tasks/main.yml @@ -3,6 +3,9 @@ tags: - radius +- name: Edit freeradius service file to ensure that it starts after mysql + lineinfile: dest=/etc/systemd/system/multi-user.target.wants/radiusd.service regexp="^(After=.* network.target)" line="\1 mariadb.service" backrefs=yes + - name: ask systemd to reread the unit files, picks up changes done shell: systemctl daemon-reload when: not installing diff --git a/roles/captive_portal/templates/chilli/config.j2 b/roles/captive_portal/templates/chilli/config.j2 index f9bf1391..89963c89 100644 --- a/roles/captive_portal/templates/chilli/config.j2 +++ b/roles/captive_portal/templates/chilli/config.j2 @@ -9,8 +9,11 @@ ### # Local Network Configurations # - -HS_WANIF="{{ xsce_wan_iface }}" # WAN Interface toward the Internet +{% if xsce_wan_iface != "none" %} +HS_WANIF= # WAN Interface toward the Internet +{% else %} +HS_WANIF={{ xsce_wan_iface }} # WAN Interface toward the Internet +{% endif %} HS_LANIF="{{ xsce_lan_iface }}" # Subscriber Interface for client devices #HS_NETWORK=10.1.0.0 # HotSpot Network (must include HS_UAMLISTEN) HS_NETWORK=172.18.100.0 # HotSpot Network (must include HS_UAMLISTEN) @@ -162,8 +165,8 @@ HS_MODE=hotspot HS_TYPE=coovachilli # HS_RADAUTH=1812 # HS_RADACCT=1813 -HS_ADMUSR=radius -HS_ADMPWD=radpass +HS_ADMUSR={{ freeradius_admin_user }} +HS_ADMPWD={{ freeradius_admin_password }} ### diff --git a/roles/captive_portal/templates/chilli/ipup.sh.j2 b/roles/captive_portal/templates/chilli/ipup.sh.j2 index bdf53372..9478c3a3 100755 --- a/roles/captive_portal/templates/chilli/ipup.sh.j2 +++ b/roles/captive_portal/templates/chilli/ipup.sh.j2 
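Review bot: The new `lineinfile` task edits `/etc/systemd/system/multi-user.target.wants/radiusd.service`, which is normally the symlink that `systemctl enable` creates to the packaged unit; rewriting it either modifies the vendor unit in place (reverted by the next package update) or, if the module replaces the link with a regular file, breaks the enable link. A drop-in under `/etc/systemd/system/radiusd.service.d/` expresses the ordering without touching the packaged file and survives upgrades. Note also that the `daemon-reload` task two lines below is skipped `when: not installing`, so during an install the change is presumably not picked up unless something else reloads systemd.
```yaml
- name: Ensure the radiusd drop-in directory exists
  file:
    path: /etc/systemd/system/radiusd.service.d
    state: directory
    mode: 0755

- name: Start radiusd only after mariadb (drop-in survives package upgrades)
  copy:
    dest: /etc/systemd/system/radiusd.service.d/after-mariadb.conf
    content: |
      [Unit]
      After=mariadb.service
# … unchanged: ask systemd to reread the unit files …
```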
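Review bot: The two new branches look swapped: when `xsce_wan_iface` names a real interface (`!= "none"`) the template renders `HS_WANIF=` with no value, and only when the variable is the literal `none` does it render `HS_WANIF=none`, which is not an interface. The ipup.sh hunk in the same patch uses `!= "none"` to mean "a WAN interface exists", so the consistent form is `{% if xsce_wan_iface != "none" %}` / `HS_WANIF="{{ xsce_wan_iface }}"` / `{% else %}` / `HS_WANIF=""`, which also restores the quotes the removed line had. If leaving HS_WANIF empty on a WAN-capable host is deliberate so that chilli's own NAT setup is skipped in favour of ipup.sh, a comment saying so would save the next reader the same double-take.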
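Review bot: `HS_ADMUSR` and `HS_ADMPWD` are now rendered unquoted from `freeradius_admin_user` / `freeradius_admin_password`; this config is read as shell, so a password containing a space, `#` or another shell metacharacter truncates the value or breaks the file — quote them, `HS_ADMPWD="{{ freeradius_admin_password }}"`. The defaults hunk of patch 09/13 on this page shows `freeradius_admin_password: g0adm1n` shipped as a role default, so unless a site overrides it every server renders the same admin credential into this file; the default should be empty or generated at install time, and the task that writes config.j2 (outside this hunk) should set a restrictive mode now that the file carries the RADIUS admin password.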
@@ -1,4 +1,6 @@ #!/bin/sh # +{% if xsce_wan_iface != "none" %} #Allow IP masquerading through this box /usr/sbin/iptables -t nat -A POSTROUTING -o "{{ xsce_wan_iface }}" -j MASQUERADE +{% endif %} From ba1153333409f6cfb405a2b57e30e4efca26afb5 Mon Sep 17 00:00:00 2001 From: Anish Mangal Date: Thu, 13 Oct 2016 09:09:26 +0530 Subject: [PATCH 13/13] Allow SIP ports without chilli authentication --- roles/captive_portal/templates/chilli/config.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/captive_portal/templates/chilli/config.j2 b/roles/captive_portal/templates/chilli/config.j2 index 89963c89..9868211a 100644 --- a/roles/captive_portal/templates/chilli/config.j2 +++ b/roles/captive_portal/templates/chilli/config.j2 @@ -155,7 +155,7 @@ HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html # The up.sh script will allow these local ports to be used, while the default # is to block all unwanted traffic to the tun/tap. # -HS_TCP_PORTS="22 80 443 8008 3000" +HS_TCP_PORTS="22 80 443 8008 3000 5060" HS_UDP_PORTS="1701" ###
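Review bot: The masquerade rule is appended with `-A` every time ipup.sh runs, so each chilli restart adds another identical POSTROUTING rule; guard it with a check, `/usr/sbin/iptables -t nat -C POSTROUTING -o "{{ xsce_wan_iface }}" -j MASQUERADE 2>/dev/null || /usr/sbin/iptables -t nat -A POSTROUTING -o "{{ xsce_wan_iface }}" -j MASQUERADE`, or remove it in the matching down script. The rule also masquerades everything leaving the WAN interface rather than only the hotspot network; adding `-s` with the HS_NETWORK range from config.j2 (`172.18.100.0` on this page, netmask not visible here) keeps NAT scoped to the clients chilli manages. Making the block conditional on the WAN interface is right, but the config.j2 hunk in this same patch uses the identical condition with the opposite effect on HS_WANIF.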
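Review bot: Adding `5060` to `HS_TCP_PORTS` lets clients reach the server's SIP port before they pass the portal, which is the stated intent, but the line is an allow-list with no record of why each port is open; a comment such as `# 5060: SIP signalling, reachable without portal login` beside the value keeps that reviewable later. SIP signalling commonly also uses UDP 5060, and `HS_UDP_PORTS` on the next line still lists only `1701`, so if the SIP service is expected over UDP the change is incomplete — worth confirming against the SIP server's listening ports.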