ocserv

63e760ec · nanahira · 18b52faa · 18b52faa · 63e760ec · 63e760ec
Commit 63e760ec authored Sep 25, 2021 by nanahira
5 changed files
--- a/ocserv/data/users
+++ b/ocserv/data/users
-/home/nanahira/ansible/hlsj-fileserver/output/smb/
\ No newline at end of file
--- a/ocserv/docker-compose.yml.j2
+++ b/ocserv/docker-compose.yml.j2
@@ -8,5 +8,6 @@ services:
    volumes:
      - ./templates/ocserv.conf:/etc/ocserv/ocserv.conf:ro
      - {{certs_path}}:/etc/ssl/railgun/certs:ro
-      - ./data/users/{{userdata_name}}/ocpasswd:/etc/ocserv/ocpasswd:ro
      - ./data/dhparam.pem:/etc/ssl/railgun/dhparam.pem:ro
+      - ./templates/radius-servers:/etc/radcli/servers:ro
+      - ./templates/radiusclient.conf:/etc/radcli/radiusclient.conf:ro
--- a/ocserv/templates/ocserv.conf.j2
+++ b/ocserv/templates/ocserv.conf.j2
-auth = "plain[passwd=/etc/ocserv/ocpasswd]"
+auth = "radius[config=/etc/radcli/radiusclient.conf,groupconfig=true]"
 tcp-port = {{port}}
 udp-port = {{port}}
 run-as-user = nobody

--- a/ocserv/templates/radius-servers.j2
+++ b/ocserv/templates/radius-servers.j2
+## Server Name or Client/Server pair		Key		
+## ----------------				---------------
+#
+#portmaster.elemental.net			hardlyasecret
+#portmaster2.elemental.net			donttellanyone
+#
+## uncomment the following line for simple testing of radlogin
+## with freeradius-server
+#
+#localhost/localhost				testing123
+{{radius_host}}				{{radius_secret}}
--- a/ocserv/templates/radiusclient.conf.j2
+++ b/ocserv/templates/radiusclient.conf.j2
+# RADIUS settings
+
+# The name to be used to identify this NAS (server). If set it will
+# be used in NAS-Identifier field and will override any such setting
+# by the application.
+#
+#nas-identifier	my-server-name
+
+# Override the IP (or IPv6) address of the NAS.
+#nas-ip 	10.100.5.3
+#nas-ip 	::1
+
+# RADIUS server to use for authentication requests.
+# optionally you can specify a the port number on which is remote
+# RADIUS listens separated by a colon from the hostname. if
+# no port is specified /etc/services is consulted of the radius
+# service. if this fails also a compiled in default is used.
+# For IPv6 addresses use the '[IPv6]:port:secret' format, or
+# simply '[IPv6]'. You may specify more than a single server
+# in a comma-separated list.
+#
+authserver 	{{radius_host}}:{{radius_port}}
+#authserver 	127.1.1.1:9999,172.17.0.1
+
+# RADIUS server to use for accouting requests. All that is
+# written for authserver applies, in acctserver as well. 
+#
+acctserver 	{{radius_host}}:{{radius_port}}
+
+# File holding shared secrets used for the communication
+# between the RADIUS client and server. When multiple
+# server
+servers		/etc/radcli/servers
+
+# Dictionary of allowed attributes and values. That depends
+# heavily on the features of your server. A default dictionary
+# is installed in /usr/share/radcli/dictionary
+dictionary 	/etc/radcli/dictionary
+
+# default authentication realm to append to all usernames if no
+# realm was explicitly specified by the user
+# the radiusd directly form Livingston doesnt use any realms, so leave
+# it blank then
+default_realm
+
+# time to wait for a reply from the RADIUS server
+radius_timeout	10
+
+# resend request this many times before trying the next server
+radius_retries	3
+
+# local address from which radius packets have to be sent
+bindaddr *
+
+# Transport Protocol Support
+# Available options - 'tcp', 'udp', 'tls' and 'dtls'. 
+# If commented out, udp will be used.
+#serv-type   udp
+
+
+# To enable verbose debugging messages in syslog, enable the following
+#clientdebug 1