main/freeradius/default-config.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

--- a/raddb/mods-available/cui
+++ b/raddb/mods-available/cui
@@ -29,7 +29,7 @@
 	driver = "rlm_sql_${dialect}"
 
 	sqlite {
-		filename = ${radacctdir}/cui.sqlite
+		filename = ${db_dir}/cui.sqlite
 		bootstrap = ${modconfdir}/${..:name}/cui/sqlite/schema.sql
 	}
 
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -504,20 +504,15 @@
 			#  state and the cached VPs. This will persist session
 			#  across server restarts.
 			#
-			#  The default directory is ${logdir}, for historical
-			#  reasons.  You should ${db_dir} instead.  And check
-			#  the value of db_dir in the main radiusd.conf file.
-			#  It should not point to ${raddb}
-			#
 			#  The server will need write perms, and the directory
 			#  should be secured from anyone else. You might want
 			#  a script to remove old files from here periodically:
 			#
-			#    find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
+			#    find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \;
 			#
 			#  This feature REQUIRES "name" option be set above.
 			#
-		#	persist_dir = "${logdir}/tlscache"
+		#	persist_dir = "${cachedir}/tlscache"
 
 			#
 			#  As of 3.0.20, it is possible to partially
@@ -586,7 +581,7 @@
 			#  deleted by the server when the command
 			#  returns.
 			#
-		#	client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+		#	client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
 		}
 
 		#  OCSP Configuration
--- a/raddb/mods-available/sql
+++ b/raddb/mods-available/sql
@@ -70,7 +70,7 @@
 	#
 	sqlite {
 		# Path to the sqlite database
-		filename = "/tmp/freeradius.db"
+		filename = "${db_dir}/freeradius.db"
 
 		# How long to wait for write locks on the database to be
 		# released (in ms) before giving up.
@@ -85,7 +85,7 @@
 	mysql {
 		# If any of the files below are set, TLS encryption is enabled
 		tls {
-			ca_file = "/etc/ssl/certs/my_ca.crt"
+			ca_file = "/etc/ssl/certs/ca-certificates.crt"
 			ca_path = "/etc/ssl/certs/"
 			certificate_file = "/etc/ssl/certs/private/client.crt"
 			private_key_file = "/etc/ssl/certs/private/client.key"
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -98,10 +98,10 @@
 modconfdir = ${confdir}/mods-config
 certdir = ${confdir}/certs
 cadir   = ${confdir}/certs
-run_dir = ${localstatedir}/run/${name}
+run_dir = /run/${name}
 
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
+db_dir = ${localstatedir}/lib/radiusd
+cachedir = ${localstatedir}/cache/radiusd
 
 #
 # libdir: Where to find the rlm_* modules.
@@ -137,18 +137,7 @@
 #
 libdir = @libdir@
 
-#  pidfile: Where to place the PID of the RADIUS server.
 #
-#  The server may be signalled while it's running by using this
-#  file.
-#
-#  This file is written when ONLY running in daemon mode.
-#
-#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
-#
-pidfile = ${run_dir}/${name}.pid
-
-#
 #  correct_escapes: use correct backslash escaping
 #
 #  Prior to version 3.0.5, the handling of backslashes was a little
@@ -501,8 +490,8 @@
 	#  member.  This can allow for some finer-grained access
 	#  controls.
 	#
-#	user = radius
-#	group = radius
+	user = radius
+	group = radius
 
 	#  Core dumps are a bad thing.  This should only be set to
 	#  'yes' if you're debugging a problem with the server.
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@ -25,7 +25,7 @@
 			enable = no
 			lifetime = 24 # hours
 			name = "abfab-tls"
-#			persist_dir = ${logdir}/abfab-tls
+#			persist_dir = ${cachedir}/abfab-tls
 		}
 
 		require_client_cert = yes
@@ -64,7 +64,7 @@
 			enable = no
 			lifetime = 24 # hours
 			name = "abfab-tls"
-			# persist_dir = ${logdir}/abfab-tls
+			# persist_dir = ${cachedir}/abfab-tls
 		}
 		require_client_cert = yes
 		verify {
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -316,11 +316,11 @@
 		      #  should be secured from anyone else. You might want
 		      #  a script to remove old files from here periodically:
 		      #
-		      #    find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;
+		      #    find ${cachedir}/tlscache -mtime +2 -exec rm -f {} \;
 		      #
 		      #  This feature REQUIRES "name" option be set above.
 		      #
-		      #persist_dir = "${logdir}/tlscache"
+		      #persist_dir = "${cachedir}/tlscache"
 		}
 
 		#