--- a/raddb/mods-available/cui +++ b/raddb/mods-available/cui @@ -29,7 +29,7 @@ driver = "rlm_sql_${dialect}" sqlite { - filename = ${radacctdir}/cui.sqlite + filename = ${db_dir}/cui.sqlite bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql } --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -504,20 +504,15 @@ # state and the cached VPs. This will persist session # across server restarts. # - # The default directory is ${logdir}, for historical - # reasons. You should ${db_dir} instead. And check - # the value of db_dir in the main radiusd.conf file. - # It should not point to ${raddb} - # # The server will need write perms, and the directory # should be secured from anyone else. You might want # a script to remove old files from here periodically: # - # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; + # find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \; # # This feature REQUIRES "name" option be set above. # - # persist_dir = "${logdir}/tlscache" + # persist_dir = "${cachedir}/tlscache" # # As of 3.0.20, it is possible to partially @@ -586,7 +581,7 @@ # deleted by the server when the command # returns. # - # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } # OCSP Configuration --- a/raddb/mods-available/sql +++ b/raddb/mods-available/sql @@ -70,7 +70,7 @@ # sqlite { # Path to the sqlite database - filename = "/tmp/freeradius.db" + filename = "${db_dir}/freeradius.db" # How long to wait for write locks on the database to be # released (in ms) before giving up. @@ -85,7 +85,7 @@ mysql { # If any of the files below are set, TLS encryption is enabled tls { - ca_file = "/etc/ssl/certs/my_ca.crt" + ca_file = "/etc/ssl/certs/ca-certificates.crt" ca_path = "/etc/ssl/certs/" certificate_file = "/etc/ssl/certs/private/client.crt" private_key_file = "/etc/ssl/certs/private/client.key" --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in @@ -98,10 +98,10 @@ modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs -run_dir = ${localstatedir}/run/${name} +run_dir = /run/${name} -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} +db_dir = ${localstatedir}/lib/radiusd +cachedir = ${localstatedir}/cache/radiusd # # libdir: Where to find the rlm_* modules. @@ -137,18 +137,7 @@ # libdir = @libdir@ -# pidfile: Where to place the PID of the RADIUS server. # -# The server may be signalled while it's running by using this -# file. -# -# This file is written when ONLY running in daemon mode. -# -# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` -# -pidfile = ${run_dir}/${name}.pid - -# # correct_escapes: use correct backslash escaping # # Prior to version 3.0.5, the handling of backslashes was a little @@ -501,8 +490,8 @@ # member. This can allow for some finer-grained access # controls. # -# user = radius -# group = radius + user = radius + group = radius # Core dumps are a bad thing. This should only be set to # 'yes' if you're debugging a problem with the server. --- a/raddb/sites-available/abfab-tls +++ b/raddb/sites-available/abfab-tls @@ -25,7 +25,7 @@ enable = no lifetime = 24 # hours name = "abfab-tls" -# persist_dir = ${logdir}/abfab-tls +# persist_dir = ${cachedir}/abfab-tls } require_client_cert = yes @@ -64,7 +64,7 @@ enable = no lifetime = 24 # hours name = "abfab-tls" - # persist_dir = ${logdir}/abfab-tls + # persist_dir = ${cachedir}/abfab-tls } require_client_cert = yes verify { --- a/raddb/sites-available/tls +++ b/raddb/sites-available/tls @@ -316,11 +316,11 @@ # should be secured from anyone else. You might want # a script to remove old files from here periodically: # - # find ${logdir}/tlscache -mtime +2 -exec rm -f {} \; + # find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \; # # This feature REQUIRES "name" option be set above. # - #persist_dir = "${logdir}/tlscache" + #persist_dir = "${cachedir}/tlscache" } #