* Add a few help pages for the nomadix radius attributes by Ulrich Walcher
* Update the HOWTO with instructions about the ldap configuration directives and the scripts in the bin folder
* Update the AUTHORS file
+* Check for the binaries used (mysql/snmpwalk) in the scripts in the bin folder before using them
+* Update the HOWTO file
+* Use the general_domain variable from the admin.conf file in log_badlogins instead of a new one
+* Add a sql_command directive in admin.conf containing the path to the mysql binary. That can be used by the
+ scripts in the bin folder instead of setting a variable in each script
+* Add a general_nas_type and a per nas type directive and pass that to snmpfinger. Updated snmpfinger to also
+ support lucent equipment apart from cisco
Ver 1.63:
* Do an eval on the attribute description strings in the user_edit page. That will allow the login-time creation
page to work properly.
use POSIX;
$conf=shift||'/usr/local/dialup_admin/conf/admin.conf';
-$mysql='/usr/local/mysql/bin/mysql';
$back_days = 35;
+
open CONF, "<$conf"
or die "Could not open configuration file\n";
while(<CONF>){
$sql_password = $val if ($key eq 'sql_password');
$sql_database = $val if ($key eq 'sql_database');
$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
+ $mysql = $val if ($key eq 'sql_command');
}
close CONF;
+die "sql_command directive is not set in admin.conf\n" if ($mysql eq '');
+die "Could not find mysql binary. Please make sure that the \$mysql variable points to the right location\n" if (! -x $mysql);
+
$sql_password = ($sql_password eq '') ? '' : "-p$sql_password";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
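Review bot: The new `-x $mysql` check tests the configured path relative to the current working directory, whereas a bare or relative `sql_command` value would presumably be resolved through PATH when the script later runs it, so the check and the actual execution can disagree; require an absolute path up front with `die "sql_command must be an absolute path (got '$mysql')\n" unless ($mysql =~ m{^/});`. The error text also still tells the operator to fix the `\$mysql variable`, which this very patch removes from the script; point at the directive and the file that was read instead: `die "Could not execute '$mysql'. Check the sql_command directive in $conf\n" if (! -x $mysql);`. The command that actually invokes `$mysql` (with `-p$sql_password` on its command line) is outside this hunk.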
# CHANGE THESE TO MATCH YOUR SETUP
#
#$regexp = 'from client localhost port 135|from client blabla ';
-$domain='company.com';
-$mysql='/usr/local/mysql/bin/mysql';
$tmpfile='/var/tmp/mysql.input';
#
#
$realm_strip = $val if ($key eq 'general_strip_realms');
$realm_del = $val if ($key eq 'general_realm_delimiter');
$realm_for = $val if ($key eq 'general_realm_format');
+ $domain = $val if ($key eq 'general_domain');
$sql_timeout = $val if ($key eq 'sql_connect_timeout');
$sql_extra = $val if ($key eq 'sql_extra_servers');
+ $mysql = $val if ($key eq 'sql_command');
}
close CONF;
$realm_del = '@' if ($realm_del eq '');
$pass = ($sql_password ne '') ? "-p$sql_password" : '';
die "SQL server not defined\n" if ($sql_server eq '');
+die "sql_command directive is not set in admin.conf\n" if ($mysql eq '');
+die "Could not find mysql binary. Please make sure that the \$mysql variable points to the right location\n" if (! -x $mysql);
+
$opt = "-O connect_timeout=$sql_timeout" if ($sql_timeout);
@servers = (split /\s+/,$sql_extra) if ($sql_extra ne '');
unshift @servers, $sql_server;
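Review bot: `$domain` is now read from `general_domain`, but unlike `sql_server` and `sql_command` nothing verifies it was set; if the directive is missing the script will presumably look up the bare client shortname, a silent behaviour change from the old hard-coded `company.com`. If an empty domain is not a supported configuration, add `die "general_domain directive is not set in admin.conf\n" if ($domain eq '');` next to the other checks; if it is intentional, a one-line comment saying so would stop the next reader from "fixing" it. The code that performs the lookup is outside this hunk, so the consequence is inferred from the HOWTO text in this same patch.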
# the current month day
$conf=shift||'/usr/local/dialupadmin/conf/admin.conf';
-$mysql='/usr/local/mysql/bin/mysql';
+
open CONF, "<$conf"
or die "Could not open configuration file\n";
$sql_password = $val if ($key eq 'sql_password');
$sql_database = $val if ($key eq 'sql_database');
$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
+ $mysql = $val if ($key eq 'sql_command');
}
close CONF;
+die "sql_command directive is not set in admin.conf\n" if ($mysql eq '');
+die "Could not find mysql binary. Please make sure that the \$mysql variable points to the right location\n" if (! -x $mysql);
+
$sql_password = ($sql_password == '') ? '' : "-p $sql_password";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
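Review bot: The new `die` message still tells the operator to fix the `\$mysql variable`, which this patch removes from the script; name the directive and the file instead: `die "Could not execute '$mysql'. Check the sql_command directive in $conf\n" if (! -x $mysql);`. While touching this block, the pre-existing line directly after the new checks compares `$sql_password == ''` numerically, so any non-numeric password evaluates as equal to `''` and the `-p` flag is silently dropped; it should read `$sql_password = ($sql_password eq '') ? '' : "-p$sql_password";` as the sibling scripts do. The space in `-p $sql_password` is also a problem on its own, since the mysql client only accepts the password when it is attached to `-p` and would otherwise prompt interactively and treat the password as the database name.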
$SNMPWALK="/usr/bin/snmpwalk";
$host=shift;
$comm=shift || 'public';
+$type=shift || 'cisco';
-$walk =`$SNMPWALK $host $comm .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2`;
-if ($walk =~ /^$/){
- $walk =`$SNMPWALK $host $comm .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18`;
- $walk.=`$SNMPWALK $host $comm .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3`;
+die "Could not find snmpwalk binary. Please make sure that the \$SNMPWALK variable points to the right location\n" if (! -x $SNMPWALK);
+
+if ($type eq 'cisco'){
+ $walk =`$SNMPWALK -v2c -c $comm $host .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2`;
+ if ($walk =~ /^$/){
+ $walk =`$SNMPWALK -v2c -c $comm $host .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18`;
+ $walk.=`$SNMPWALK -v2c -c $comm $host .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3`;
+ }
+}
+elsif ($type eq 'lucent'){
+ $walk =`$SNMPWALK -v2c -c $comm $host .iso.org.dod.internet.private.enterprises.529.10.4.1.12`;
}
while($walk=~/\"([\w\-]+?)\"/g){
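Review bot: An unrecognised `$type` falls through both branches and leaves `$walk` empty, so the script prints nothing and exits 0, and the online-users page in this same patch treats empty output as "no user filter" and lists every open session instead of surfacing the misconfiguration; add `else { die "Unsupported nas type '$type' (expected cisco or lucent)\n"; }`. The rewritten backtick lines also still interpolate `$comm` and `$host` into a shell command line, so a community string or hostname from admin.conf containing shell metacharacters would be executed; routing every walk through a list-form pipe open, as below, avoids the shell entirely (list-form `open` needs Perl 5.8+, which I assume is available). With either form the community string remains visible in the process list to local users; if that matters, net-snmp can read it from `snmp.conf` (`defCommunity`) instead of `-c`. The HOWTO hunk in this patch adds the sentence "For now snmpfinger will only work with Cisco equipment", which this change makes false and which should mention Lucent. The parsing loop begins on the hunk's last line and continues outside it.
```perl
# Run one snmpwalk and return its stdout. The list-form open passes
# $comm/$host/$oid as separate argv entries, so nothing reaches a shell.
sub walk {
    my ($oid) = @_;
    open(my $fh, '-|', $SNMPWALK, '-v2c', '-c', $comm, $host, $oid)
        or die "Could not run $SNMPWALK: $!\n";
    my $out = do { local $/; <$fh> };
    close $fh;
    return defined $out ? $out : '';
}

if ($type eq 'cisco'){
    $walk = walk('.iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2');
    if ($walk =~ /^$/){
        $walk  = walk('.iso.org.dod.internet.private.enterprises.9.2.9.2.1.18');
        $walk .= walk('.iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3');
    }
}
elsif ($type eq 'lucent'){
    $walk = walk('.iso.org.dod.internet.private.enterprises.529.10.4.1.12');
}
else {
    die "Unsupported nas type '$type' (expected cisco or lucent)\n";
}
# … unchanged: parsing of $walk …
```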
$conf=shift||'/usr/local/dialupadmin/conf/admin.conf';
-$mysql='/usr/local/mysql/bin/mysql';
+
open CONF, "<$conf"
or die "Could not open configuration file\n";
$sql_password = $val if ($key eq 'sql_password');
$sql_database = $val if ($key eq 'sql_database');
$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
+ $mysql = $val if ($key eq 'sql_command');
}
close CONF;
+die "sql_command directive is not set in admin.conf\n" if ($mysql eq '');
+die "Could not find mysql binary. Please make sure that the \$mysql variable points to the right location\n" if (! -x $mysql);
+
$sql_password = ($sql_password == '') ? '' : "-p $sql_password";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
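Review bot: This is the fourth copy of the identical admin.conf parse-and-validate sequence this patch adds (the `sql_command` read plus the two `die` checks), each with the same misleading `\$mysql variable` wording; factoring the config read and its checks into a small `bin/admin_conf.pl` that every script `require`s would keep the checks and error text in one place and make the next directive a one-line change. Until then, at least fix the message here to name what the operator can actually change: `die "Could not execute '$mysql'. Check the sql_command directive in $conf\n" if (! -x $mysql);`. The pre-existing `$sql_password == ''` / `"-p $sql_password"` line that follows the new checks has the same numeric-comparison and detached-`-p` problems as its twin in the other script, and is worth correcting in the same pass.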
use POSIX;
$conf=shift||'/usr/local/dialup_admin/conf/admin.conf';
-$mysql='/usr/local/mysql/bin/mysql';
$back_days = 90;
+
open CONF, "<$conf"
or die "Could not open configuration file\n";
while(<CONF>){
$sql_password = $val if ($key eq 'sql_password');
$sql_database = $val if ($key eq 'sql_database');
$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
+ $mysql = $val if ($key eq 'sql_command');
}
close CONF;
+die "sql_command directive is not set in admin.conf\n" if ($mysql eq '');
+die "Could not find mysql binary. Please make sure that the \$mysql variable points to the right location\n" if (! -x $mysql);
+
$sql_password = ($sql_password eq '') ? '' : "-p$sql_password";
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
# This is used by the online users page
#
general_finger_type: snmp
+#
+# Defines the nas type. This is only used by snmpfinger
+# cisco and lucent are supported for now
+#
+general_nas_type: cisco
general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
general_radclient_bin: %{general_radiusd_base_dir}/bin/radclient
#
sql_usergroup_table: usergroup
sql_total_accounting_table: totacct
#
+# This variable is used by the scripts in the bin folder
+# It should contain the path to the sql binary used to run
+# sql commands (mysql is only supported for now)
+sql_command: /usr/local/bin/mysql
+#
# Uncomment to enable sql debug
#
#sql_debug: true
#
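Review bot: The comment on the new `sql_command` directive should state what trusting it implies: the bin scripts execute whatever path it names and, judging by the `-p$sql_password` handling in those scripts, hand it the database credentials, so admin.conf (which already holds `sql_password`) must stay writable only by the administrator, and the value should be an absolute path. Suggested addition to the comment block: `# Use an absolute path. The bin scripts run this binary with the sql_password credentials, so keep admin.conf writable only by the administrator.` The scripts in this patch reject an unset value but do not require an absolute path, so this comment is currently the only place that could say it.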
# If it is not set, general_finger_type is assumed
nas2_finger_type: database
+# nas type can also be set per NAS
+nas2_type: cisco
nas3_name: nas3.%{general_domain}
nas3_model: Cisco 5300 access server
nas3_ip: 147.122.122.124
2.2 The bin/ scripts
2.2.1 The snmpfinger script
2.2.2 The log_badlogins script
+ 2.2.3 The clean_radacct script
+ 2.2.4 The truncate_radacct script
+ 2.2.5 The tot_stats script
+ 2.2.6 The monthly_tot_stats script
2.3 User Attributes
2.4 Finishing Off
Dialup Admin has it's own web page hosted at Sourceforge at
http://sourceforge.net/projects/dialup-admin/
+Though that page is not updated very often. The primary store for dialupadmin
+is the freeradius CVS tree so the latest version will always be contained there
Finally one could get the cvs version of Dialup Admin by issuing the
following commands:
On the next restart of apache the dialup/ directory is only accessable by a
username/password verification which in our case is administrator:password
+The HTTP authentication we have just configured can be used by dialupadmin
+when connecting to the ldap and sql databases (see sections on sql and ldap
+options).
+
At this point when we connect to the url http://localhost/dialup we should
see the Dialup Admin pages
mysql> CREATE DATABASE radius;
mysql> exit
+This step is only necessary if you haven't already created a corresponding database
+for the freeradius server.
+
At dialup_admin/sql there are four files containg the SQL command to create
the required tables. This is done as follows:
shell> mysql -h mysql.host.com -u username -p radius < totacct.sql
shell> mysql -h mysql.host.com -u username -p radius < userinfo.sql
+The userinfo table though is only needed if you want to keep your user database in sql.
+If you keep your users in ldap then it's not needed.
+
NOTE: Remember we named our database "radius". Have you named it somewhat
different replace the "radius" argument on the above commands with
the name you used
This is the most important part of this document since the configuration must
match your needs.
The configuration file is located at dialup_admin/conf/admin.conf
-However due to the fact that i haven't work with LDAP there are no
-documentations regarding this issue. Any contributions are welcome.
[2.1] Configuration Options
> general_lib_type: sql
-This can have as values either ldap or sql. Since I haven't worked with LDAP
-we stick with the 'sql' argument
+This can have as values either ldap or sql.
For the following values there shouldn't be any need for changes
> general_finger_type: snmp
-What should be the default quering method of the nas.
+What should be the default quering method of the nas. It can be 'snmp' (for snmpfinger)
+or empty to query the radacct table without first querying the nas
> general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger
This probably does not need to be changed
+For now snmpfinger will only work with Cisco equipment.
> general_radclient_bin: /usr/local/bin/radclient
> sql_extra_servers: sql2.company.com sql3.company.com
The above options are used by bin/log_badlogins (See Section 2.x.x)
+The sql_connect_timeout is also used by the mysql driver and the sql_extra_servers
+is also used when adding users in the badusers table
> sql_debug: false
That way multiple admins with different rights on the sql database can
connect through one dialup_admin interface.
+> sql_command: /usr/local/bin/mysql
+This variable is used by the scripts in the bin folder
+It should contain the path to the sql binary used to run
+sql commands (mysql is only supported for now)
+
[2.1.10] Limits Timers
> general_use_session: yes
-Set it to yes to use sessions and cache the various mappings You can also
+Set it to yes to use sessions and cache the various mappings. You can also
set use_session = 1 in config.php3 to also cache the admin.conf
NOTE: Remember to use the 'Clear Cache' page if you use sessions and
Of cource the proper file locations must be set
+Also log_badlogins will concatenate the client shortname and the general_domain variable
+defined in admin.conf in order to find the nas ip address. So it is important to make sure
+that $client_shortname.$domain resolves to the correct nas ip address.
+regular expression matching is also supported. If the $regexp variable is set then
+only failed login lines matching the regular expression will be logged.
+
[2.2.3] The clean_radacct script
The clean_radacct script can be used to clear the database of stale open sessions
First of all check conf/user_edit.atts and see if the attribute you are
interested in is commented out. If it is just enable it by uncommenting it.
If the attribute is not included in the file add it.
-If you use SQL check conf/sql.attrmap.
+
+If you use SQL check conf/sql.attrmap. Attributes that are not contained in this file
+are assumed to be reply items and map to the same name as the one used by dialup_admin
+
If you use LDAP check ${freeradius_install_dir}/etc/raddb/ldap.attrmap
and check if the attribute is included in the attribute mapping.
$portnum = $nas . '_port_num';
$finger_type = $nas . '_finger_type';
+
if ($config[$name] == ''){
$i--;
break;
putenv("LD_LIBRARY_PATH=$config[general_ld_library_path]");
$extra = "";
if ($config[$finger_type] != 'database' && $config[general_finger_type] == 'snmp'){
- $users=exec("$config[general_snmpfinger_bin] $name_data $community_data");
+ $nas_type = $nas . '_type';
+ if ($config[$nas_type] == '')
+ $nas_type = $config[general_nas_type];
+ else
+ $nas_type = $config[$nas_type];
+ if ($nas_type == '')
+ $nas_type = 'cisco';
+
+ $users=exec("$config[general_snmpfinger_bin] $name_data $community_data $nas_type");
if (strlen($users))
$extra = "AND UserName IN ($users)";
}
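Review bot: `$nas_type` is appended to the `exec()` command string unescaped, alongside the already-unescaped `$name_data` and `$community_data`; these come from admin.conf rather than from the browser, but a value containing a space or shell metacharacter breaks or hijacks the command, and wrapping each argument is cheap: `$users=exec(escapeshellarg($config[general_snmpfinger_bin]) . ' ' . escapeshellarg($name_data) . ' ' . escapeshellarg($community_data) . ' ' . escapeshellarg($nas_type));`. Reusing `$nas_type` first as the config key name and then as the resolved value reads badly; inline `$nas . '_type'` in the lookup or use a separate `$nas_type_key`. The hard-coded `'cisco'` fallback duplicates the default snmpfinger applies to a missing third argument, so either drop it here or add a comment that the two defaults must agree. The enclosing loop begins before this hunk.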