From: kkalev Date: Sun, 2 Nov 2003 13:57:35 +0000 (+0000) Subject: * Check for the binaries used (mysql/snmpwalk) in the scripts in the bin folder befor... X-Git-Url: https://git.entuzijast.net/?a=commitdiff_plain;h=7b2081b4f446d9c630dc453303aa3b6a0b86ef13;p=freeradius-dialup-admin.git * Check for the binaries used (mysql/snmpwalk) in the scripts in the bin folder before using them * Update the HOWTO file * Use the general_domain variable from the admin.conf file in log_badlogins instead of a new one * Add a sql_command directive in admin.conf containing the path to the mysql binary. That can be used by the scripts in the bin folder instead of setting a variable in each script * Add a general_nas_type and a per nas type directive and pass that to snmpfinger. Updated snmpfinger to also support lucent equipment apart from cisco --- diff --git a/Changelog b/Changelog index 8e6365b..7b51fe1 100644 --- a/Changelog +++ b/Changelog @@ -22,6 +22,13 @@ Ver 1.65: * Add a few help pages for the nomadix radius attributes by Ulrich Walcher * Update the HOWTO with instructions about the ldap configuration directives and the scripts in the bin folder * Update the AUTHORS file +* Check for the binaries used (mysql/snmpwalk) in the scripts in the bin folder before using them +* Update the HOWTO file +* Use the general_domain variable from the admin.conf file in log_badlogins instead of a new one +* Add a sql_command directive in admin.conf containing the path to the mysql binary. That can be used by the + scripts in the bin folder instead of setting a variable in each script +* Add a general_nas_type and a per nas type directive and pass that to snmpfinger. Updated snmpfinger to also + support lucent equipment apart from cisco Ver 1.63: * Do an eval on the attribute description strings in the user_edit page. That will allow the login-time creation page to work properly. diff --git a/bin/clean_radacct b/bin/clean_radacct index 1bb228c..339ba51 100755 --- a/bin/clean_radacct 
+++ b/bin/clean_radacct @@ -6,9 +6,9 @@ use POSIX; $conf=shift||'/usr/local/dialup_admin/conf/admin.conf'; -$mysql='/usr/local/mysql/bin/mysql'; $back_days = 35; + open CONF, "<$conf" or die "Could not open configuration file\n"; while(){ @@ -19,9 +19,13 @@ while(){ $sql_password = $val if ($key eq 'sql_password'); $sql_database = $val if ($key eq 'sql_database'); $sql_accounting_table = $val if ($key eq 'sql_accounting_table'); + $mysql = $val if ($key eq 'sql_command'); } close CONF; +die "sql_command directive is not set in admin.conf\n" if ($mysql eq ''); +die "Could not find mysql binary. Please make sure that the \$mysql variable points to the right location\n" if (! -x $mysql); + $sql_password = ($sql_password eq '') ? '' : "-p$sql_password"; ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime; diff --git a/bin/log_badlogins b/bin/log_badlogins index 0b2cec3..d517073 100755 --- a/bin/log_badlogins +++ b/bin/log_badlogins @@ -24,8 +24,6 @@ $all_file=shift||'no'; # CHANGE THESE TO MATCH YOUR SETUP # #$regexp = 'from client localhost port 135|from client blabla '; -$domain='company.com'; -$mysql='/usr/local/mysql/bin/mysql'; $tmpfile='/var/tmp/mysql.input'; # # @@ -43,8 +41,10 @@ while(){ $realm_strip = $val if ($key eq 'general_strip_realms'); $realm_del = $val if ($key eq 'general_realm_delimiter'); $realm_for = $val if ($key eq 'general_realm_format'); + $domain = $val if ($key eq 'general_domain'); $sql_timeout = $val if ($key eq 'sql_connect_timeout'); $sql_extra = $val if ($key eq 'sql_extra_servers'); + $mysql = $val if ($key eq 'sql_command'); } close CONF; $realm_del = '@' if ($realm_del eq ''); 
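Review bot: `-x $mysql` in the added check of bin/clean_radacct is also true for a directory and says nothing about who controls the path, so a mistyped or tampered `sql_command` value can pass it; the same two lines are added to bin/log_badlogins, bin/monthly_tot_stats, bin/tot_stats and bin/truncate_radacct. Since the path now comes from admin.conf, that file decides which program these scripts execute and should be writable only by the administrator. I would test for a regular file and name the directive the admin actually edits: `die "sql_command in admin.conf does not point to an executable mysql binary\n" unless (-f $mysql && -x _);`. How `$mysql` is invoked lies outside the hunk; if it is interpolated into a shell string, a value containing spaces or shell metacharacters would need quoting as well.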
@@ -52,6 +52,9 @@ $realm_for = 'suffix' if ($realm_for eq ''); $pass = ($sql_password ne '') ? "-p$sql_password" : ''; die "SQL server not defined\n" if ($sql_server eq ''); +die "sql_command directive is not set in admin.conf\n" if ($mysql eq ''); +die "Could not find mysql binary. Please make sure that the \$mysql variable points to the right location\n" if (! -x $mysql); + $opt = "-O connect_timeout=$sql_timeout" if ($sql_timeout); @servers = (split /\s+/,$sql_extra) if ($sql_extra ne ''); unshift @servers, $sql_server; diff --git a/bin/monthly_tot_stats b/bin/monthly_tot_stats index 4eeafea..5385720 100755 --- a/bin/monthly_tot_stats +++ b/bin/monthly_tot_stats @@ -7,7 +7,7 @@ use POSIX; # the current month day $conf=shift||'/usr/local/dialupadmin/conf/admin.conf'; -$mysql='/usr/local/mysql/bin/mysql'; + open CONF, "<$conf" or die "Could not open configuration file\n"; @@ -19,9 +19,13 @@ while(){ $sql_password = $val if ($key eq 'sql_password'); $sql_database = $val if ($key eq 'sql_database'); $sql_accounting_table = $val if ($key eq 'sql_accounting_table'); + $mysql = $val if ($key eq 'sql_command'); } close CONF; +die "sql_command directive is not set in admin.conf\n" if ($mysql eq ''); +die "Could not find mysql binary. Please make sure that the \$mysql variable points to the right location\n" if (! -x $mysql); + $sql_password = ($sql_password == '') ? '' : "-p $sql_password"; ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime; diff --git a/bin/snmpfinger b/bin/snmpfinger index f28eb71..77d8368 100755 --- a/bin/snmpfinger +++ b/bin/snmpfinger 
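Review bot: `$domain` gets no check in bin/log_badlogins, although this commit removed its hard-coded value and now reads it from `general_domain`; if the directive is missing, the script carries on with an empty domain. The doc/HOWTO text added in this commit says log_badlogins resolves `$client_shortname.$domain` to find the NAS address, so an empty value could attribute failed logins to the wrong host or to none (inferred, the lookup itself is outside the hunk). Add `die "general_domain directive is not set in admin.conf\n" if ($domain eq '');` next to the new `sql_command` check.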
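Review bot: The context line `$sql_password = ($sql_password == '') ? '' : "-p $sql_password";` directly below the added checks in bin/monthly_tot_stats compares strings with numeric `==`, so every password that Perl numifies to 0 (any that does not start with a digit, for instance) equals `''` and is silently dropped. When the password is kept, `-p $sql_password` with a space is read by the mysql client as "prompt for a password" followed by a separate argument. bin/clean_radacct and bin/truncate_radacct in this same commit already use the working form, `$sql_password = ($sql_password eq '') ? '' : "-p$sql_password";`; the broken line also appears in bin/tot_stats. A password given on the command line is visible in the process list while mysql runs, so an option file readable only by the script's user would be the safer follow-up.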
@@ -3,11 +3,19 @@ $SNMPWALK="/usr/bin/snmpwalk"; $host=shift; $comm=shift || 'public'; +$type=shift || 'cisco'; -$walk =`$SNMPWALK $host $comm .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2`; -if ($walk =~ /^$/){ - $walk =`$SNMPWALK $host $comm .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18`; - $walk.=`$SNMPWALK $host $comm .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3`; +die "Could not find snmpwalk binary. Please make sure that the \$SNMPWALK variable points to the right location\n" if (! -x $SNMPWALK); + +if ($type eq 'cisco'){ + $walk =`$SNMPWALK -v2c -c $comm $host .iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2`; + if ($walk =~ /^$/){ + $walk =`$SNMPWALK -v2c -c $comm $host .iso.org.dod.internet.private.enterprises.9.2.9.2.1.18`; + $walk.=`$SNMPWALK -v2c -c $comm $host .iso.org.dod.internet.private.enterprises.9.10.19.1.3.1.1.3`; + } +} +elsif ($type eq 'lucent'){ + $walk =`$SNMPWALK -v2c -c $comm $host .iso.org.dod.internet.private.enterprises.529.10.4.1.12`; } while($walk=~/\"([\w\-]+?)\"/g){ diff --git a/bin/tot_stats b/bin/tot_stats index 46a1de0..2b38881 100755 --- a/bin/tot_stats +++ b/bin/tot_stats @@ -7,7 +7,7 @@ use POSIX; $conf=shift||'/usr/local/dialupadmin/conf/admin.conf'; -$mysql='/usr/local/mysql/bin/mysql'; + open CONF, "<$conf" or die "Could not open configuration file\n"; @@ -19,9 +19,13 @@ while(){ $sql_password = $val if ($key eq 'sql_password'); $sql_database = $val if ($key eq 'sql_database'); $sql_accounting_table = $val if ($key eq 'sql_accounting_table'); + $mysql = $val if ($key eq 'sql_command'); } close CONF; +die "sql_command directive is not set in admin.conf\n" if ($mysql eq ''); +die "Could not find mysql binary. Please make sure that the \$mysql variable points to the right location\n" if (! -x $mysql); + $sql_password = ($sql_password == '') ? '' : "-p $sql_password"; ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime; 
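Review bot: The rewritten backtick calls in bin/snmpfinger still interpolate `$host` and `$comm` into a shell command line, so a NAS name or community string containing shell metacharacters is interpreted by the shell instead of being passed to snmpwalk as one argument. htdocs/user_finger.php3 hands these values over from the configuration, so they should be treated as untrusted here. A list-form pipe open avoids the shell altogether, and a host that starts with `-` should be rejected so that it cannot be read as an option. An unknown `$type` currently leaves `$walk` unset and the script prints nothing; an `else` that dies makes a mistyped nas type visible. The loop that parses `$walk` continues outside the hunk.

```perl
# Run snmpwalk without a shell so $comm and $host each stay a single argument.
sub walk_oid {
    my ($oid) = @_;
    open(my $pipe, '-|', $SNMPWALK, '-v2c', '-c', $comm, $host, $oid)
        or die "Could not run $SNMPWALK: $!\n";
    local $/;
    my $out = <$pipe>;
    close $pipe;
    return defined $out ? $out : '';
}

die "Invalid host argument\n" if (!defined $host || $host =~ /^-/);

if ($type eq 'cisco'){
    $walk = walk_oid('.iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2');
    # … unchanged: fallback to the two older cisco OIDs, called through walk_oid …
}
elsif ($type eq 'lucent'){
    $walk = walk_oid('.iso.org.dod.internet.private.enterprises.529.10.4.1.12');
}
else {
    die "Unsupported nas type '$type'\n";
}
```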
diff --git a/bin/truncate_radacct b/bin/truncate_radacct index f957b08..4176616 100755 --- a/bin/truncate_radacct +++ b/bin/truncate_radacct @@ -6,9 +6,9 @@ use POSIX; $conf=shift||'/usr/local/dialup_admin/conf/admin.conf'; -$mysql='/usr/local/mysql/bin/mysql'; $back_days = 90; + open CONF, "<$conf" or die "Could not open configuration file\n"; while(){ @@ -19,9 +19,13 @@ while(){ $sql_password = $val if ($key eq 'sql_password'); $sql_database = $val if ($key eq 'sql_database'); $sql_accounting_table = $val if ($key eq 'sql_accounting_table'); + $mysql = $val if ($key eq 'sql_command'); } close CONF; +die "sql_command directive is not set in admin.conf\n" if ($mysql eq ''); +die "Could not find mysql binary. Please make sure that the \$mysql variable points to the right location\n" if (! -x $mysql); + $sql_password = ($sql_password eq '') ? '' : "-p$sql_password"; ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime; diff --git a/conf/admin.conf b/conf/admin.conf index 831f160..561b6d6 100644 --- a/conf/admin.conf +++ b/conf/admin.conf @@ -92,6 +92,11 @@ general_default_file: %{general_base_dir}/conf/default.vals # This is used by the online users page # general_finger_type: snmp +# +# Defines the nas type. This is only used by snmpfinger +# cisco and lucent are supported for now +# +general_nas_type: cisco general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger general_radclient_bin: %{general_radiusd_base_dir}/bin/radclient # @@ -210,6 +215,11 @@ sql_groupreply_table: radgroupreply sql_usergroup_table: usergroup sql_total_accounting_table: totacct # +# This variable is used by the scripts in the bin folder +# It should contain the path to the sql binary used to run +# sql commands (mysql is only supported for now) +sql_command: /usr/local/bin/mysql +# # Uncomment to enable sql debug # #sql_debug: true diff --git a/conf/naslist.conf b/conf/naslist.conf index 93d4f59..4096d25 100644 --- a/conf/naslist.conf +++ b/conf/naslist.conf 
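Review bot: The comment added above `sql_command` in conf/admin.conf should state that the bin/ scripts execute this path, because the file now selects a program to run in addition to holding `sql_password`. The default `/usr/local/bin/mysql` also differs from the `/usr/local/mysql/bin/mysql` that the scripts hard-coded until this commit, so an install that relied on the old location will stop with the new "Could not find mysql binary" error until the directive is edited. I would add a line such as `# The bin/ scripts execute this path; keep admin.conf writable only by the administrator.` and mention the changed default in the Changelog entry.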
@@ -18,6 +18,8 @@ nas2_community: public # # If it is not set, general_finger_type is assumed nas2_finger_type: database +# nas type can also be set per NAS +nas2_type: cisco nas3_name: nas3.%{general_domain} nas3_model: Cisco 5300 access server nas3_ip: 147.122.122.124 diff --git a/doc/HOWTO b/doc/HOWTO index 1299548..3e8afb5 100644 --- a/doc/HOWTO +++ b/doc/HOWTO @@ -31,6 +31,10 @@ Version 0.1 Sun Oct 26 04:03:00 EET 2003 2.2 The bin/ scripts 2.2.1 The snmpfinger script 2.2.2 The log_badlogins script + 2.2.3 The clean_radacct script + 2.2.4 The truncate_radacct script + 2.2.5 The tot_stats script + 2.2.6 The monthly_tot_stats script 2.3 User Attributes 2.4 Finishing Off @@ -67,6 +71,8 @@ which is the current FreeRadius package at the time of writting. Dialup Admin has it's own web page hosted at Sourceforge at http://sourceforge.net/projects/dialup-admin/ +Though that page is not updated very often. The primary store for dialupadmin +is the freeradius CVS tree so the latest version will always be contained there Finally one could get the cvs version of Dialup Admin by issuing the following commands: @@ -151,6 +157,10 @@ Note: The -c argument should not be used from that point on since it creates On the next restart of apache the dialup/ directory is only accessable by a username/password verification which in our case is administrator:password +The HTTP authentication we have just configured can be used by dialupadmin +when connecting to the ldap and sql databases (see sections on sql and ldap +options). + At this point when we connect to the url http://localhost/dialup we should see the Dialup Admin pages @@ -168,6 +178,9 @@ shell> mysql -h mysql.host.com -u username -p mysql> CREATE DATABASE radius; mysql> exit +This step is only necessary if you haven't already created a corresponding database +for the freeradius server. + At dialup_admin/sql there are four files containg the SQL command to create the required tables. This is done as follows: 
@@ -176,6 +189,9 @@ shell> mysql -h mysql.host.com -u username -p radius < mtotacct.sql shell> mysql -h mysql.host.com -u username -p radius < totacct.sql shell> mysql -h mysql.host.com -u username -p radius < userinfo.sql +The userinfo table though is only needed if you want to keep your user database in sql. +If you keep your users in ldap then it's not needed. + NOTE: Remember we named our database "radius". Have you named it somewhat different replace the "radius" argument on the above commands with the name you used @@ -186,8 +202,6 @@ NOTE: Remember we named our database "radius". Have you named it somewhat This is the most important part of this document since the configuration must match your needs. The configuration file is located at dialup_admin/conf/admin.conf -However due to the fact that i haven't work with LDAP there are no -documentations regarding this issue. Any contributions are welcome. [2.1] Configuration Options @@ -243,8 +257,7 @@ Options that specifies the way dialup admin handles users. SQL or LDAP > general_lib_type: sql -This can have as values either ldap or sql. Since I haven't worked with LDAP -we stick with the 'sql' argument +This can have as values either ldap or sql. For the following values there shouldn't be any need for changes @@ -264,11 +277,13 @@ regarding the Online Users. > general_finger_type: snmp -What should be the default quering method of the nas. +What should be the default quering method of the nas. It can be 'snmp' (for snmpfinger) +or empty to query the radacct table without first querying the nas > general_snmpfinger_bin: %{general_base_dir}/bin/snmpfinger This probably does not need to be changed +For now snmpfinger will only work with Cisco equipment. > general_radclient_bin: /usr/local/bin/radclient 
@@ -504,6 +519,8 @@ The row limit used in the accounting page in order to limit the output > sql_extra_servers: sql2.company.com sql3.company.com The above options are used by bin/log_badlogins (See Section 2.x.x) +The sql_connect_timeout is also used by the mysql driver and the sql_extra_servers +is also used when adding users in the badusers table > sql_debug: false @@ -516,6 +533,11 @@ to connect to the sql server instead of sql_username and sql_password. That way multiple admins with different rights on the sql database can connect through one dialup_admin interface. +> sql_command: /usr/local/bin/mysql +This variable is used by the scripts in the bin folder +It should contain the path to the sql binary used to run +sql commands (mysql is only supported for now) + [2.1.10] Limits Timers @@ -539,7 +561,7 @@ Use the totacct table for statistics > general_use_session: yes -Set it to yes to use sessions and cache the various mappings You can also +Set it to yes to use sessions and cache the various mappings. You can also set use_session = 1 in config.php3 to also cache the admin.conf NOTE: Remember to use the 'Clear Cache' page if you use sessions and @@ -602,6 +624,12 @@ bin/log_badlogins /var/log/radius/radius.log /usr/local/dialup_admin/conf/admin. Of cource the proper file locations must be set +Also log_badlogins will concatenate the client shortname and the general_domain variable +defined in admin.conf in order to find the nas ip address. So it is important to make sure +that $client_shortname.$domain resolves to the correct nas ip address. +regular expression matching is also supported. If the $regexp variable is set then +only failed login lines matching the regular expression will be logged. + [2.2.3] The clean_radacct script The clean_radacct script can be used to clear the database of stale open sessions 
@@ -638,7 +666,10 @@ a day to create the corresponding entries in the mtotacct table. First of all check conf/user_edit.atts and see if the attribute you are interested in is commented out. If it is just enable it by uncommenting it. If the attribute is not included in the file add it. -If you use SQL check conf/sql.attrmap. + +If you use SQL check conf/sql.attrmap. Attributes that are not contained in this file +are assumed to be reply items and map to the same name as the one used by dialup_admin + If you use LDAP check ${freeradius_install_dir}/etc/raddb/ldap.attrmap and check if the attribute is included in the attribute mapping. diff --git a/htdocs/user_finger.php3 b/htdocs/user_finger.php3 index e1a64f4..8da1c10 100644 --- a/htdocs/user_finger.php3 +++ b/htdocs/user_finger.php3 @@ -56,6 +56,7 @@ if ($link){ $portnum = $nas . '_port_num'; $finger_type = $nas . '_finger_type'; + if ($config[$name] == ''){ $i--; break; @@ -76,7 +77,15 @@ if ($link){ putenv("LD_LIBRARY_PATH=$config[general_ld_library_path]"); $extra = ""; if ($config[$finger_type] != 'database' && $config[general_finger_type] == 'snmp'){ - $users=exec("$config[general_snmpfinger_bin] $name_data $community_data"); + $nas_type = $nas . '_type'; + if ($config[$nas_type] == '') + $nas_type = $config[general_nas_type]; + else + $nas_type = $config[$nas_type]; + if ($nas_type == '') + $nas_type = 'cisco'; + + $users=exec("$config[general_snmpfinger_bin] $name_data $community_data $nas_type"); if (strlen($users)) $extra = "AND UserName IN ($users)"; }
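Review bot: The new `exec()` line in htdocs/user_finger.php3 builds a shell command from `$name_data`, `$community_data` and now `$nas_type` without quoting any of them, so a configuration value containing spaces or shell metacharacters changes the command that runs. Quote each argument: `$users=exec("$config[general_snmpfinger_bin] " . escapeshellarg($name_data) . ' ' . escapeshellarg($community_data) . ' ' . escapeshellarg($nas_type));`. Since snmpfinger only knows `cisco` and `lucent`, `$nas_type` can also be checked against those two values before the call. The enclosing loop starts and ends outside the hunk, so where `$name_data` and `$community_data` are filled in is not visible here.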