webbuilder_pel7x64builder0
5 years ago
7 changed files with 2555 additions and 0 deletions
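--- /dev/null
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,0 +1,59 @@
+From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Mon, 8 Sep 2014 12:32:13 +0300
+Subject: [PATCH] Adjust configuration to fit Red Hat specifics
+
+---
+raddb/mods-available/eap | 4 ++--
+raddb/radiusd.conf.in | 7 +++----
+2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 2621e183c..94494b2c6 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -533,7 +533,7 @@
+# You should also delete all of the files
+# in the directory when the server starts.
+#
+- # tmpdir = /tmp/radiusd
++ # tmpdir = /var/run/radiusd/tmp
+
+# The command used to verify the client cert.
+# We recommend using the OpenSSL command-line
+@@ -548,7 +548,7 @@
+# deleted by the server when the command
+# returns.
+#
+- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
++ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+}
+
+# OCSP Configuration
+diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
+index a83c1f687..e500cf97b 100644
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
+cadir = ${confdir}/certs
+run_dir = ${localstatedir}/run/${name}
+
+-# Should likely be ${localstatedir}/lib/radiusd
+-db_dir = ${raddbdir}
++db_dir = ${localstatedir}/lib/radiusd
+
+#
+# libdir: Where to find the rlm_* modules.
+@@ -398,8 +397,8 @@ security {
+# member. This can allow for some finer-grained access
+# controls.
+#
+-# user = radius
+-# group = radius
++ user = radiusd
++ group = radiusd
+
+# Core dumps are a bad thing. This should only be set to
+# 'yes' if you're debugging a problem with the server.
+--
+2.13.2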
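Review bot: The commented example `# tmpdir = /var/run/radiusd/tmp` in the first hunk hardcodes a path that the second file of the same patch derives from variables (`run_dir = ${localstatedir}/run/${name}`); `# tmpdir = ${run_dir}/tmp` keeps the example correct if the run directory ever moves and matches how the other raddb files on this page refer to `${cadir}` and `${certdir}` rather than literal paths. The new `db_dir = ${localstatedir}/lib/radiusd` must exist and be writable by the `radiusd` account that the `security` hunk now enables; the tmpfiles entry on this page only creates `/var/run/radiusd`, so the lib directory is presumably created by packaging not shown here — worth confirming. The `security { }` block and the eap module stanza both start and end outside these hunks.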
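--- /dev/null
+++ b/PATH-NOT-ON-PAGE-2
@@ -0,0 +1,75 @@
+From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Mon, 26 Sep 2016 19:48:36 +0300
+Subject: [PATCH] Use system crypto policy by default
+
+---
+raddb/mods-available/eap | 2 +-
+raddb/mods-available/inner-eap | 2 +-
+raddb/sites-available/abfab-tls | 2 +-
+raddb/sites-available/tls | 4 ++--
+4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 94494b2c6..9a8dc9327 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -912,7 +912,7 @@
+# Note - for OpenSSL 1.1.0 and above you may need
+# to add ":@SECLEVEL=0"
+#
+- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
++ # cipher_list = "PROFILE=SYSTEM"
+
+# PAC lifetime in seconds (default: seven days)
+#
+diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
+index 2b4df6267..af9aa88cd 100644
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -68,7 +68,7 @@ eap inner-eap {
+# certificates. If so, edit this file.
+ca_file = ${cadir}/ca.pem
+
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+
+# You may want to set a very small fragment size.
+# The TLS data here needs to go inside of the
+diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
+index 5dbe143da..46b5fea78 100644
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -19,7 +19,7 @@ listen {
+dh_file = ${certdir}/dh
+fragment_size = 8192
+ca_path = ${cadir}
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+
+cache {
+enable = no
+diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
+index cf1cd7a8a..7dd59cb6f 100644
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -197,7 +197,7 @@ listen {
+# Set this option to specify the allowed
+# TLS cipher suites. The format is listed
+# in "man 1 ciphers".
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+
+# If enabled, OpenSSL will use server cipher list
+# (possibly defined by cipher_list option above)
+@@ -499,7 +499,7 @@ home_server tls {
+# Set this option to specify the allowed
+# TLS cipher suites. The format is listed
+# in "man 1 ciphers".
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+}
+
+}
+--
+2.13.2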
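Review bot: In the first hunk (mods-available/eap) the retained comment `# to add ":@SECLEVEL=0"` now sits directly above the new `# cipher_list = "PROFILE=SYSTEM"` example; appending a SECLEVEL override to a PROFILE=SYSTEM string would silently undo the system crypto policy this patch introduces, so the comment should be rewritten, e.g. `# With PROFILE=SYSTEM the cipher set and security level come from the system crypto policy (see crypto-policies(7)); do not append :@SECLEVEL overrides here.` The two sites-available/tls hunks keep `# in "man 1 ciphers".` above the new value, but `PROFILE=SYSTEM` is a distribution-specific OpenSSL extension not described there, so the same pointer belongs on those lines and on the uncommented inner-eap and abfab-tls values. On an OpenSSL build without that extension the string is rejected and the TLS listeners fail to start — the safe direction, but worth a sentence in the patch description since the patch makes it the default for every TLS site.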
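--- /dev/null
+++ b/PATH-NOT-ON-PAGE-3
@@ -0,0 +1,51 @@
+# You can use this to rotate the /var/log/radius/* files, simply copy
+# it to /etc/logrotate.d/radiusd
+
+# There are different detail-rotating strategies you can use. One is
+# to write to a single detail file per IP and use the rotate config
+# below. Another is to write to a daily detail file per IP with:
+# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+# (or similar) in radiusd.conf, without rotation. If you go with the
+# second technique, you will need another cron job that removes old
+# detail files. You do not need to comment out the below for method #2.
+/var/log/radius/radacct/*/detail {
+monthly
+rotate 4
+nocreate
+missingok
+compress
+}
+
+/var/log/radius/checkrad.log {
+monthly
+rotate 4
+create
+missingok
+compress
+}
+
+/var/log/radius/radius.log {
+monthly
+rotate 4
+create
+missingok
+compress
+postrotate
+/usr/bin/systemctl reload-or-try-restart radiusd
+endscript
+}
+
+/var/log/radius/radwtmp {
+monthly
+rotate 4
+create
+compress
+missingok
+}
+/var/log/radius/sqltrace.sql {
+monthly
+rotate 4
+create
+compress
+missingok
+}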
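Review bot: Only the `radius.log` stanza has a `postrotate` hook; `radwtmp` and `sqltrace.sql` are rotated with `create` but nothing tells radiusd to reopen them, so if the daemon keeps those descriptors open it will continue writing to the rotated (and then compressed) copy until the next reload — confirm how radiusd opens each file and either add the same `postrotate` block or use `copytruncate` for them. `create` with no mode/owner/group inherits the attributes of the file just rotated, so the permissions of every fresh log depend entirely on how radiusd created the original; spelling them out (`create 0640 radiusd radiusd`, owner and mode to be confirmed against the package) makes the intended exposure of the logs explicit. Style: the last two stanzas list `compress` before `missingok` unlike the first three, and `/var/log/radius/sqltrace.sql {` lacks the blank line that separates every other stanza.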
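--- /dev/null
+++ b/PATH-NOT-ON-PAGE-4
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth include password-auth
+account required pam_nologin.so
+account include password-auth
+password include password-auth
+session include password-auth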
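--- /dev/null
+++ b/PATH-NOT-ON-PAGE-5
@@ -0,0 +1 @@
+D /var/run/radiusd 0710 radiusd radiusd -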
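Review bot: The entry uses the legacy `/var/run` prefix; systemd-tmpfiles documents `/run`, and `/var/run` only resolves through the compatibility symlink, so `D /run/radiusd 0710 radiusd radiusd -` is the conventional form — provided the unit's `PIDFile=` and the `run_dir`-derived paths in radiusd.conf on this page are changed together so all three keep naming the same directory. `D` (unlike `d`) empties the directory at boot and on `systemd-tmpfiles --remove`, which is appropriate for a pid/tmp directory but is the kind of non-obvious choice that deserves a `# ` comment line in the file.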
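--- /dev/null
+++ b/PATH-NOT-ON-PAGE-6
@@ -0,0 +1,17 @@
+[Unit]
+Description=FreeRADIUS high performance RADIUS server.
+After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/radiusd/radiusd.pid
+ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
+ExecStartPre=/bin/chgrp -R radiusd /etc/raddb/certs/
+ExecStartPre=/usr/sbin/radiusd -C
+ExecStart=/usr/sbin/radiusd -d /etc/raddb
+ExecReload=/usr/sbin/radiusd -C
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target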
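Review bot: The two `radiusd -C` lines (`ExecStartPre=` and `ExecReload=`) validate whatever configuration directory is compiled in, while `ExecStart=` explicitly runs `-d /etc/raddb`; if the two ever differ, the pre-flight check and the reload check pass on a different tree than the one the server loads, so use `ExecStartPre=/usr/sbin/radiusd -C -d /etc/raddb` and `ExecReload=/usr/sbin/radiusd -C -d /etc/raddb`. `After=network-online.target` only orders the unit; without a matching `Wants=network-online.target` the target is not pulled in, and `syslog.target` has been a no-op in systemd for years and can be dropped. The `chown -R radiusd.radiusd /var/run/radiusd` duplicates the ownership the tmpfiles.d entry on this page already establishes, uses the legacy dot separator instead of `radiusd:radiusd`, and runs recursively as root over a directory the unprivileged service account owns — prefer removing it, or at least dropping `-R`. The unit relies on `user = radiusd`/`group = radiusd` in radiusd.conf (first patch on this page) to drop privileges after the root-run `ExecStartPre=` steps; a comment above `[Service]` saying so would save the next maintainer from adding a conflicting `User=`.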