-rw-r--r-- | main/freeradius/APKBUILD | 3 | ||||
-rw-r--r-- | main/freeradius/default-config.patch | 144 |
2 files changed, 104 insertions, 43 deletions
diff --git a/main/freeradius/APKBUILD b/main/freeradius/APKBUILD index 39a34d9fcc..7d7880b35b 100644 --- a/main/freeradius/APKBUILD +++ b/main/freeradius/APKBUILD @@ -150,6 +150,7 @@ package() { "$pkgdir"$_radconfdir install -d -m0750 -o radius -g radius \ + "$pkgdir"/var/cache/radiusd \ "$pkgdir"/var/lib/radiusd \ "$pkgdir"/var/log/radius \ "$pkgdir"/var/log/radius/radacct @@ -397,7 +398,7 @@ a66ab5d3f1c86450e9c50aa8be10a40fb4118467670048773ad8c80b5f3fb958dd3addc6ef245289 5f940e200aa39b2fbbfaf5b24f2ad99869fa75bb7e2008876940ea96cb9dbc7f2b27dd1672aa56cdb5243faabdcbc38875594dd8792af965987183c0aa2aefd1 print-var.mk c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d musl-fix-headers.patch 41d478c0e40ff82fc36232964037c1ab8ffca9fdbb7dca02ed49319906e751c133b5d7bc7773c645cec6d9d39d1de69cba25e8d59afa8d6662563dd17f35f234 fix-scopeid.patch -0a60e3a5eff133898292cee4935d2d50c4a8a79c8357446999f12a368dac47abc4af4a09478cea001968f78791dca0eab305aaa3ee397ef09ebcc378b17f5ad0 default-config.patch +c266718d830076423c19a31c608a925ec664156ef2da87c97166d376b16f4582e7f8adebd9c8e3ef51b24da0ca3252f00b557ed9ee9dd8325d8a6a317f4e3ed1 default-config.patch f96b7b2e0fc614cb8b70bd500933538e98e05b58718af931a62bc7ba2307600cf8c2a8a99de856ad2e18101dd5bfe95c50ee34de20eef21ba0ad795577a6619b remove-eap-from-default-mods.patch 55e179d5e6b31d289c2da7f907e494a6a6f5900483fdff8d3bb25ee15a583b8705942eca1f0d5390e91376966e66e457dce9b2cf1a1f61c8eac6d8fb825404dd readme-setup-script.patch f88cb4ae335d67211c8563b6df88e20ee3729e57aa56423f99b518f83b190479b38bb189a0ab53c70ef9709a6229ccaa506ea6b79844cbfd4f2a7f0c7c292045 Fix-permissions-of-certs-in-bootstrap-fallback.patch diff --git a/main/freeradius/default-config.patch b/main/freeradius/default-config.patch index 520d75cbd0..0ad71173dd 100644 --- a/main/freeradius/default-config.patch +++ b/main/freeradius/default-config.patch 
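Review bot: The new `"$pkgdir"/var/cache/radiusd` entry creates only the parent directory, at the shared 0750 mode of this `install -d` call, while the config rewritten in this commit points `persist_dir` at `${cachedir}/tlscache` and says that directory "should be secured from anyone else". Nothing visible here creates `tlscache`, so an admin who uncomments `persist_dir` depends on the server creating it with a safe mode, which this page does not show. Consider pre-creating it more tightly, e.g. `install -d -m0700 -o radius -g radius "$pkgdir"/var/cache/radiusd/tlscache`, since the config comments say the cache holds TLS session state and cached VPs. The `package()` body starts and ends outside this hunk.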
@@ -1,6 +1,71 @@ +--- a/raddb/mods-available/cui ++++ b/raddb/mods-available/cui +@@ -29,7 +29,7 @@ + driver = "rlm_sql_${dialect}" + + sqlite { +- filename = ${radacctdir}/cui.sqlite ++ filename = ${db_dir}/cui.sqlite + bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql + } + +--- a/raddb/mods-available/eap ++++ b/raddb/mods-available/eap +@@ -504,20 +504,15 @@ + # state and the cached VPs. This will persist session + # across server restarts. + # +- # The default directory is ${logdir}, for historical +- # reasons. You should ${db_dir} instead. And check +- # the value of db_dir in the main radiusd.conf file. +- # It should not point to ${raddb} +- # + # The server will need write perms, and the directory + # should be secured from anyone else. You might want + # a script to remove old files from here periodically: + # +- # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; ++ # find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \; + # + # This feature REQUIRES "name" option be set above. + # +- # persist_dir = "${logdir}/tlscache" ++ # persist_dir = "${cachedir}/tlscache" + + # + # As of 3.0.20, it is possible to partially +@@ -586,7 +581,7 @@ + # deleted by the server when the command + # returns. + # +- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" ++ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + } + + # OCSP Configuration +--- a/raddb/mods-available/sql ++++ b/raddb/mods-available/sql +@@ -70,7 +70,7 @@ + # + sqlite { + # Path to the sqlite database +- filename = "/tmp/freeradius.db" ++ filename = "${db_dir}/freeradius.db" + + # How long to wait for write locks on the database to be + # released (in ms) before giving up. 
+@@ -85,7 +85,7 @@ + mysql { + # If any of the files below are set, TLS encryption is enabled + tls { +- ca_file = "/etc/ssl/certs/my_ca.crt" ++ ca_file = "/etc/ssl/certs/ca-certificates.crt" + ca_path = "/etc/ssl/certs/" + certificate_file = "/etc/ssl/certs/private/client.crt" + private_key_file = "/etc/ssl/certs/private/client.key" --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in -@@ -98,10 +98,9 @@ +@@ -98,10 +98,10 @@ modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs @@ -10,10 +75,11 @@ -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} +db_dir = ${localstatedir}/lib/radiusd ++cachedir = ${localstatedir}/cache/radiusd # # libdir: Where to find the rlm_* modules. -@@ -137,18 +136,7 @@ +@@ -137,18 +137,7 @@ # libdir = @libdir@ @@ -32,7 +98,7 @@ # correct_escapes: use correct backslash escaping # # Prior to version 3.0.5, the handling of backslashes was a little -@@ -501,8 +500,8 @@ +@@ -501,8 +490,8 @@ # member. This can allow for some finer-grained access # controls. # 
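Review bot: In the `mods-available/sql` part of this hunk, `ca_file` now defaults to the system bundle `/etc/ssl/certs/ca-certificates.crt`, so a MySQL TLS connection configured from this template would trust a server certificate issued by any CA in that bundle rather than only the site's own database CA. The neighbouring `certificate_file` and `private_key_file` still carry what appear to be upstream's example paths, so the block is only half adapted to the distribution. I would add a comment above the changed line such as `# Replace with the CA that issued your database server certificate; the system bundle trusts every public CA.` Whether this `mysql` block is in effect depends on the configured dialect, which the hunk does not show.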
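Review bot: `cachedir` is added to `radiusd.conf.in` without any comment, although the eap, tls and abfab-tls sections of this patch now depend on it and the neighbouring `libdir` entry carries an explanation. The variable appears to be introduced by this patch rather than by upstream, so a configuration carried over from another installation would not define it. A short comment above the new line would help, e.g. `# cachedir: regenerable server state such as the TLS session cache; writable by the radius user only.` The block of path definitions this line sits in extends outside the hunk.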
@@ -43,45 +109,39 @@ # Core dumps are a bad thing. This should only be set to # 'yes' if you're debugging a problem with the server. ---- a/raddb/mods-available/eap -+++ b/raddb/mods-available/eap -@@ -586,7 +586,7 @@ - # deleted by the server when the command - # returns. - # -- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" -+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" +--- a/raddb/sites-available/abfab-tls ++++ b/raddb/sites-available/abfab-tls +@@ -25,7 +25,7 @@ + enable = no + lifetime = 24 # hours + name = "abfab-tls" +-# persist_dir = ${logdir}/abfab-tls ++# persist_dir = ${cachedir}/abfab-tls } - # OCSP Configuration ---- a/raddb/mods-available/sql -+++ b/raddb/mods-available/sql -@@ -70,7 +70,7 @@ - # - sqlite { - # Path to the sqlite database -- filename = "/tmp/freeradius.db" -+ filename = "${db_dir}/freeradius.db" - - # How long to wait for write locks on the database to be - # released (in ms) before giving up. -@@ -85,7 +85,7 @@ - mysql { - # If any of the files below are set, TLS encryption is enabled - tls { -- ca_file = "/etc/ssl/certs/my_ca.crt" -+ ca_file = "/etc/ssl/certs/ca-certificates.crt" - ca_path = "/etc/ssl/certs/" - certificate_file = "/etc/ssl/certs/private/client.crt" - private_key_file = "/etc/ssl/certs/private/client.key" ---- a/raddb/mods-available/cui -+++ b/raddb/mods-available/cui -@@ -29,7 +29,7 @@ - driver = "rlm_sql_${dialect}" - - sqlite { -- filename = ${radacctdir}/cui.sqlite -+ filename = ${db_dir}/cui.sqlite - bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql - } + require_client_cert = yes +@@ -64,7 +64,7 @@ + enable = no + lifetime = 24 # hours + name = "abfab-tls" +- # persist_dir = ${logdir}/abfab-tls ++ # persist_dir = ${cachedir}/abfab-tls + } + require_client_cert = yes + verify { +--- a/raddb/sites-available/tls ++++ b/raddb/sites-available/tls +@@ -316,11 +316,11 @@ + # should be secured from anyone else. 
You might want + # a script to remove old files from here periodically: + # +- # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; ++ # find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \; + # + # This feature REQUIRES "name" option be set above. + # +- #persist_dir = "${logdir}/tlscache" ++ #persist_dir = "${cachedir}/tlscache" + } + # |
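Review bot: The cleanup example in the `sites-available/tls` section, `find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \;`, uses the server's config-variable syntax inside a shell command. Pasted into a cron job, `${cachedir}` is an unset shell variable, so the command would look at `/tlscache` and the real cache would never be pruned. As the patch already rewrites this comment, it could give the literal packaged path instead: `# find /var/cache/radiusd/tlscache -mtime +2 -exec rm -f {} \;`. The same comment line is changed in the `mods-available/eap` section of the first hunk of this file. The literal path assumes `localstatedir` resolves to `/var`, which matches the directory created in APKBUILD.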