Commit 5a85623a authored by Jonathan Gazeley's avatar Jonathan Gazeley

Don't set content of these modules as the one supplied by the package manager should suffice

parent bee0b774
######################################################################
######################################################################
## THIS FILE IS MANAGED BY PUPPET. DO NOT MAKE LOCAL EDITS! ##
######################################################################
######################################################################
# -*- text -*-
#
# $Id$
#
# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always noop {
rcode = noop
}
always handled {
rcode = handled
}
always updated {
rcode = updated
}
always notfound {
rcode = notfound
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
always accept {
rcode = accept
}
######################################################################
######################################################################
## THIS FILE IS MANAGED BY PUPPET. DO NOT MAKE LOCAL EDITS! ##
######################################################################
######################################################################
# This is the stock FreeRADIUS 'detail' log. We leave it unaltered
# and instead make further instantiations that inherit from it and
# change parameters if necessary
# -*- text -*-
#
# $Id$
# Write a detailed log of all accounting records received.
#
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/detail.log
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
detailperm = 0640
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customized by editing this
# string. See "doc/variables.txt" for a description
# of what can be put here.
#
header = "%t"
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
# locking = yes
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
# log_packet_header = yes
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
suppress {
User-Password
}
}
# -*- text -*-
#
# $Id$
#
# More examples of doing detail logs.
#
# Many people want to log authentication requests.
# Rather than modifying the server core to print out more
# messages, we can use a different instance of the 'detail'
# module, to log the authentication requests to a file.
#
# You will also need to un-comment the 'auth_log' line
# in the 'authorize' section, below.
#
detail auth_log-for-bsql {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-bsql.log
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
locking = yes
# You may also strip out passwords completely
suppress {
User-Password
EAP-Message
Framed-MTU
State
Message-Authenticator
Packet-Type
Proxy-State
Tunnel-Type
Tunnel-Medium-Type
Tunnel-Private-Group-Id
}
}
detail auth_log {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
# You may also strip out passwords completely
suppress {
User-Password
}
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
log_packet_header = yes
}
# This is the same as the block above, except it allows passwords
# # to be written to the log file
detail auth_log_password {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
detailperm = 0600
}
# This module logs authentication reply packets sent
# to a NAS. Both Access-Accept and Access-Reject packets
# are logged.
#
# You will also need to un-comment the 'reply_log' line
# in the 'post-auth' section, below.
#
detail reply_log {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log
detailperm = 0600
}
#
# This module logs packets proxied to a home server.
#
# You will also need to un-comment the 'pre_proxy_log' line
# in the 'pre-proxy' section, below.
#
detail pre_proxy_log {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-DEFAULT}/pre-proxy-detail.log
#
# This MUST be 0600, otherwise anyone can read
# the users passwords!
detailperm = 0600
# You may also strip out passwords completely
#suppress {
# User-Password
#}
}
#
# This module logs response packets from a home server.
#
# You will also need to un-comment the 'post_proxy_log' line
# in the 'post-proxy' section, below.
#
detail post_proxy_log {
detailfile = ${radacctdir}/%{%{Virtual-Server}:-DEFAULT}/post-proxy-detail.log
detailperm = 0600
}
......@@ -166,15 +166,11 @@ class freeradius (
}
# Install a few modules required on all FR installations
freeradius::module { 'always':
source => 'puppet:///modules/freeradius/modules/always',
}
freeradius::module { 'detail':
source => 'puppet:///modules/freeradius/modules/detail',
}
freeradius::module { 'detail.log':
source => 'puppet:///modules/freeradius/modules/detail.log',
}
# No content is specified, so we accept the package manager default
# Defining them here prevents them from being purged
freeradius::module { 'always': }
freeradius::module { 'detail': }
freeradius::module { 'detail.log': }
# Syslog rules
if $syslog == true {
......
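Review bot: With the three `freeradius::module { '…': }` declarations now carrying no `source`, the `detailperm` and `suppress { User-Password }` settings that the deleted `detail` and `detail.log` files pinned are left to whatever the installed package ships, and nothing in this hunk checks that those defaults are equivalent. The deleted `detail.log` also defined `auth_log-for-bsql` and `auth_log_password`, which look like local additions rather than stock instances, so any virtual server that still references them would presumably fail to resolve them after this change. I would extend the new comment to record the dependency, e.g. `# Package defaults now govern detailperm and suppress for the detail logs; verify they still withhold User-Password`, and confirm that `freeradius::module` with neither source nor content leaves the packaged file untouched, since that define is not visible on this page. The enclosing `class freeradius` starts before and continues after the hunk.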