From f37bee486aca3de86b594770f0b2b3ff8e96596a Mon Sep 17 00:00:00 2001 From: Jakub Jirutka Date: Tue, 18 May 2021 14:10:00 +0000 Subject: [PATCH] Adjust default config - Fix default location of db_dir and run_dir. - Remove pidfile - this is handled by OpenRC. - Change default sqlite db path to a reasonable location. - Change default cui sqlite location to $db_dir/. - Change default cache paths to /var/cache/radiusd. --- raddb/mods-available/cui | 2 +- raddb/mods-available/eap | 11 +++-------- raddb/mods-available/sql | 4 ++-- raddb/radiusd.conf.in | 21 +++++---------------- raddb/sites-available/abfab-tls | 4 ++-- raddb/sites-available/tls | 4 ++-- 6 files changed, 15 insertions(+), 31 deletions(-) diff --git a/raddb/mods-available/cui b/raddb/mods-available/cui index b72aa30..0dc4e1c 100644 --- a/raddb/mods-available/cui +++ b/raddb/mods-available/cui @@ -29,7 +29,7 @@ sql cuisql { driver = "rlm_sql_${dialect}" sqlite { - filename = ${radacctdir}/cui.sqlite + filename = ${db_dir}/cui.sqlite bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql } diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index 239ac4c..66d59b4 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -534,20 +534,15 @@ eap { # state and the cached VPs. This will persist session # across server restarts. # - # The default directory is ${logdir}, for historical - # reasons. You should ${db_dir} instead. And check - # the value of db_dir in the main radiusd.conf file. - # It should not point to ${raddb} - # # The server will need write perms, and the directory # should be secured from anyone else. You might want # a script to remove old files from here periodically: # - # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; + # find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \; # # This feature REQUIRES "name" option be set above. # - # persist_dir = "${logdir}/tlscache" + # persist_dir = "${cachedir}/tlscache" # # As of 3.0.20, it is possible to partially @@ -616,7 +611,7 @@ eap { # deleted by the server when the command # returns. # - # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } # OCSP Configuration diff --git a/raddb/mods-available/sql b/raddb/mods-available/sql index cfeac63..7ff51dd 100644 --- a/raddb/mods-available/sql +++ b/raddb/mods-available/sql @@ -69,7 +69,7 @@ sql { # sqlite { # Path to the sqlite database - filename = "/tmp/freeradius.db" + filename = "${db_dir}/freeradius.db" # How long to wait for write locks on the database to be # released (in ms) before giving up. @@ -84,7 +84,7 @@ sql { mysql { # If any of the files below are set, TLS encryption is enabled tls { - ca_file = "/etc/ssl/certs/my_ca.crt" + ca_file = "/etc/ssl/certs/ca-certificates.crt" ca_path = "/etc/ssl/certs/" certificate_file = "/etc/ssl/certs/private/client.crt" private_key_file = "/etc/ssl/certs/private/client.key" diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in index 61cc3a4..29f716a 100644 --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in @@ -98,10 +98,10 @@ confdir = ${raddbdir} modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs -run_dir = ${localstatedir}/run/${name} +run_dir = /run/${name} -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} +db_dir = ${localstatedir}/lib/radiusd +cachedir = ${localstatedir}/cache/radiusd # # libdir: Where to find the rlm_* modules. @@ -137,17 +137,6 @@ db_dir = ${raddbdir} # libdir = @libdir@ -# pidfile: Where to place the PID of the RADIUS server. -# -# The server may be signalled while it's running by using this -# file. -# -# This file is written when ONLY running in daemon mode. -# -# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` -# -pidfile = ${run_dir}/${name}.pid - # # correct_escapes: use correct backslash escaping # @@ -520,8 +509,8 @@ security { # member. This can allow for some finer-grained access # controls. # -# user = radius -# group = radius + user = radius + group = radius # Core dumps are a bad thing. This should only be set to # 'yes' if you're debugging a problem with the server. diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls index b8d0626..4eba0a3 100644 --- a/raddb/sites-available/abfab-tls +++ b/raddb/sites-available/abfab-tls @@ -25,7 +25,7 @@ listen { enable = no lifetime = 24 # hours name = "abfab-tls" - # persist_dir = ${logdir}/abfab-tls + # persist_dir = ${cachedir}/abfab-tls } require_client_cert = yes verify { @@ -63,7 +63,7 @@ listen { enable = no lifetime = 24 # hours name = "abfab-tls" - # persist_dir = ${logdir}/abfab-tls + # persist_dir = ${cachedir}/abfab-tls } require_client_cert = yes verify { diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls index 8c8e06a..9f55b74 100644 --- a/raddb/sites-available/tls +++ b/raddb/sites-available/tls @@ -366,11 +366,11 @@ listen { # should be secured from anyone else. You might want # a script to remove old files from here periodically: # - # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; + # find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \; # # This feature REQUIRES "name" option be set above. # - #persist_dir = "${logdir}/tlscache" + #persist_dir = "${cachedir}/tlscache" } # -- 2.31.1