# -*- text -*-
##
## sql.conf -- SQL modules
##
## $Id: 4a59483c35c77f573fb177919e19ba4434cc3da1 $
######################################################################
#
# Configuration for the SQL module
#
# The database schemas and queries are located in subdirectories:
#
# sql/<DB>/main/schema.sql Schema
# sql/<DB>/main/queries.conf Authorisation and Accounting queries
#
# Where "DB" is mysql, mssql, oracle, or postgresql.
#
#
sql {
# The sub-module to use to execute queries. This should match
# the database you're attempting to connect to.
#
# * rlm_sql_mysql
# * rlm_sql_mssql
# * rlm_sql_oracle
# * rlm_sql_postgresql
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
driver = "rlm_sql_mysql"
#
# Several drivers accept specific options, to set them, a
# config section with the same name as the driver should be added
# to the sql instance.
#
# Driver specific options are:
#
# sqlite {
# # Path to the sqlite database
# filename = "/tmp/freeradius.db"
#
# # How long to wait for write locks on the database to be
# # released (in ms) before giving up.
# busy_timeout = 200
#
# # If the file above does not exist and bootstrap is set
# # a new database file will be created, and the SQL statements
# # contained within the bootstrap file will be executed.
# bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
# }
#
# mysql {
# # If any of the files below are set, TLS encryption is enabled
# tls {
# ca_file = "/etc/ssl/certs/my_ca.crt"
# ca_path = "/etc/ssl/certs/"
# certificate_file = "/etc/ssl/certs/private/client.crt"
# private_key_file = "/etc/ssl/certs/private/client.key"
# cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
# }
#
# # If yes (or auto, and libmysqlclient reports that warnings are
# # available), will retrieve and log additional warnings from
# # the server if an error has occurred. Defaults to 'auto'
# warnings = auto
# }
#
# postgresql {
#
# # Unlike MySQL, which has a tls{} connection configuration, PostgreSQL
# # uses its connection parameters - see the radius_db option below in
# # this file
#
# # Send application_name to the postgres server
# # Only supported in PG 9.0 and greater. Defaults to no.
# send_application_name = yes
# }
#
# The dialect of SQL you want to use, this should usually match
# the driver you selected above.
#
# If you're using rlm_sql_null, then it should be the type of
# database the logged queries are going to be executed against.
dialect = "mysql"
# Connection info. The login and password below are the stock example values; replace them with a dedicated, least-privileged database account before deployment.
#
server = "localhost"
port = 3306
login = "radius"
password = "radpass"
# Database table configuration for everything except Oracle
radius_db = "radius"
# If you are using Oracle then use this instead
# radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
# If you're using PostgreSQL this can also be used instead of the connection info parameters
# radius_db = "dbname=radius host=localhost user=radius password=raddpass"
# PostgreSQL doesn't take tls{} options in its module config like MySQL does - if you want to
# use TLS connections then use this form of connection info parameter (sslmode=verify-full also checks the server certificate and hostname against sslrootcert)
# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt"
# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"
# Allow for storing data after authentication
postauth_table = "radpostauth"
# Tables containing 'check' items
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
# Tables containing 'reply' items
authreply_table = "radreply"
groupreply_table = "radgroupreply"
# Table to keep group info
usergroup_table = "radusergroup"
# If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
# If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
# read_groups = yes
# If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
# If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
# read_profiles = yes
# Remove stale session if checkrad does not see a double login
delete_stale_sessions = yes
# Write SQL queries to a logfile. This is potentially useful for tracing
# issues with authorization queries. See also "logfile" directives in
# mods-config/sql/main/*/queries.conf. You can enable per-section logging
# by enabling "logfile" there, or global logging by enabling "logfile" here.
#
# Per-section logging can be disabled by setting "logfile = ''"
# logfile = ${logdir}/sqllog.sql
# Set the maximum query duration and connection timeout
# for rlm_sql_mysql.
# query_timeout = 5
# As of version 3.0, the "pool" section has replaced the
# following configuration items:
#
# num_sql_socks
# connect_failure_retry_delay
# lifetime
# max_queries
#
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
# When the server is not threaded, the connection pool
# limits are ignored, and only one connection is used.
#
# If you want to have multiple SQL modules re-use the same
# connection pool, use "pool = name" instead of a "pool"
# section. e.g.
#
# sql1 {
# ...
# pool {
# ...
# }
# }
#
# # sql2 will use the connection pool from sql1
# sql2 {
# ...
# pool = sql1
# }
#
pool {
# Connections to create during module instantiation.
# If the server cannot create the specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# database being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# Idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup.
# read_clients = yes
# Table to keep radius client info
client_table = "nas"
#
# The group attribute specific to this instance of rlm_sql
#
# This entry should be used for additional instances (sql foo {})
# of the SQL module.
# group_attribute = "${.:instance}-SQL-Group"
# This entry should be used for the default instance (sql {})
# of the SQL module.
group_attribute = "SQL-Group"
# Read database-specific queries
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}