Commit e5822c64 authored by Jonathan Gazeley's avatar Jonathan Gazeley
Browse files

Tidy up comments so they only print if the option is set

parent c5c8004e
Loading
Loading
Loading
Loading
+4 −10
Original line number Diff line number Diff line
@@ -54,13 +54,12 @@ detail <%= @name %> {
  #  people from seeing that information.
  permissions = <%= @permissions %>

<%- if @group -%>
  # The Unix group of the log file.
  #
  # The user that the server runs as must be in the specified
  # system group otherwise this will fail to work.
  #
#  group = ${security.group}
<%- if @group -%>
  group = <%= @group %>
<%- end -%>

@@ -75,24 +74,23 @@ detail <%= @name %> {
  #
  header = "<%= @header %>"

<%- if @locking -%>
  #
  #  Uncomment this line if the detail file reader will be
  #  reading this detail file.
  #
#  locking = yes
<%- if @locking -%>
  locking = <%= @locking == true %>
<%- end -%>

<%- if @log_packet_header -%>
  #
  #  Log the Packet src/dst IP/port.  This is disabled by
  #  default, as that information isn't used by many people.
  #
#  log_packet_header = yes
<%- if @log_packet_header -%>
  log_packet_header = <%= @log_packet_header == true %>
<%- end -%>

<%- if !@suppress.empty? -%>
  #
  # Certain attributes such as User-Password may be
  # "sensitive", so they should not be printed in the
@@ -101,10 +99,6 @@ detail <%= @name %> {
  #
  # The attributes should be listed one to a line.
  #
  #suppress {
    # User-Password
  #}
<%- if !@suppress.empty? -%>
  suppress {
    <%= @suppress.join("\n    ") %>
  }
+30 −63
Original line number Diff line number Diff line
@@ -75,36 +75,32 @@ eap {
  }
<%- end -%>

<%- if @eap_pwd -%>
  #
  # EAP-pwd -- secure password-based authentication
  #
<%- if @eap_pwd -%>
   pwd {
#    group = 19
  <%- if @pwd_group -%>
    group = <%= @pwd_group %>
  <%- end -%>

    #
#    server_id = theserver@example.com
  <%- if @pwd_server_id -%>
    server_id = <%= @pwd_server_id %>
  <%- end -%>

    #  This has the same meaning as for TLS.
#    fragment_size = 1020
  <%- if @pwd_fragment_size -%>
    #  This has the same meaning as for TLS.
    fragment_size = <%= @pwd_fragment_size %>
  <%- end -%>

  <%- if @pwd_virtual_server -%>
    # The virtual server which determines the
    # "known good" password for the user.
    # Note that unlike TLS, only the "authorize"
    # section is processed.  EAP-PWD requests can be
    # distinguished by having a User-Name, but
    # no User-Password, CHAP-Password, EAP-Message, etc.
#    virtual_server = "inner-tunnel"
  <%- if @pwd_virtual_server -%>
    virtual_server = <%= @pwd_virtual_server %>
  <%- end -%>
   }
@@ -139,11 +135,10 @@ eap {
  #  the users password will go over the wire in plain-text,
  #  for anyone to see.
  #
<%- if @gtc_challenge -%>
  gtc {
    #  The default challenge, which many clients
    #  ignore..
    #challenge = "Password: "
<%- if @gtc_challenge -%>
    challenge = "<%= @gtc_challenge %>"
<%- end  -%>

@@ -223,6 +218,7 @@ eap {
    #
    ca_file = <%= @tls_ca_file %>

<%- if @tls_auto_chain -%>
     #  OpenSSL will automatically create certificate chains,
     #  unless we tell it to not do that.  The problem is that
     #  it sometimes gets the chains right from a certificate
@@ -230,8 +226,6 @@ eap {
    #
    #  When setting "auto_chain = no", the server certificate
    #  file MUST include the full certificate chain.
  #  auto_chain = yes
<%- if @tls_auto_chain -%>
    auto_chain = <%= @tls_auto_chain %>
<%- end -%>

@@ -256,8 +250,6 @@ eap {
    #  look up the shared key (hexphrase) based on the
    #  identity.
    #
  #  psk_identity = "test"
  #  psk_hexphrase = "036363823"
<%- if @tls_psk_identity -%>
    psk_identity = "<%= @tls_psk_identity %>"
<%- end -%>
@@ -273,6 +265,7 @@ eap {
    #
    dh_file = <%= @tls_dh_file %>

<%- if @tls_random_file -%>
    #
    #  If your system doesn't have /dev/urandom,
    #  you will need to create this file, and
@@ -282,11 +275,10 @@ eap {
    #  write to files in its configuration
    #  directory.
    #
#    random_file = /dev/urandom
<%- if @tls_random_file -%>
    random_file = <%= @tls_random_file %>"
<%- end -%>

<%- if @tls_fragment_size -%>
    #
    #  This can never exceed the size of a RADIUS
    #  packet (4096 bytes), and is preferably half
@@ -296,11 +288,10 @@ eap {
    #  In these cases, fragment size should be
    #  1024 or less.
    #
  #  fragment_size = 1024
<%- if @tls_fragment_size -%>
    fragment_size = <%= @tls_fragment_size %>
<%- end -%>

<%- if @tls_include_length -%>
    #  include_length is a flag which is
    #  by default set to yes If set to
    #  yes, Total Length of the message is
@@ -309,11 +300,10 @@ eap {
    #  message is included ONLY in the
    #  First packet of a fragment series.
    #
  #  include_length = yes
<%- if @tls_include_length -%>
    include_length = <%= @tls_include_length %>
<%- end -%>

<%- if @tls_check_crl -%>
    #  Check the Certificate Revocation List
    #
    #  1) Copy CA certificates and CRLs to same directory.
@@ -321,24 +311,22 @@ eap {
    #    'c_rehash' is OpenSSL's command.
    #  3) uncomment the line below.
    #  5) Restart radiusd
  #  check_crl = yes
<%- if @tls_check_crl -%>
    check_crl = <%= @tls_check_crl %>
<%- end -%>

    # Check if intermediate CAs have been revoked.
  #  check_all_crl = yes
<%- if @tls_check_all_crl -%>
    # Check if intermediate CAs have been revoked.
    check_all_crl = <%= @tls_check_all_crl %>
<%- end -%>

    # Allow use of expired CRLs
<%- if @tls_allow_expired_crl -%>
    # Allow use of expired CRLs
    allow_expired_crl = <%= @tls_allow_expired_crl %>
<%- end -%>

    ca_path = <%= @tls_ca_path %>

<%- if @tls_check_cert_issuer -%>
    #
    #  If check_cert_issuer is set, the value will
    #  be checked against the DN of the issuer in
@@ -351,11 +339,10 @@ eap {
    #  TLS-Client-Cert-Issuer attribute.  This check
    #  can be done via any mechanism you choose.
    #
  #  check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
<%- if @tls_check_cert_issuer -%>
    check_cert_issuer = "<%= @tls_check_cert_issuer %>"
<%- end -%>

<%- if @tls_check_cert_cn -%>
    #
    #  If check_cert_cn is set, the value will
    #  be xlat'ed and checked against the CN
@@ -372,8 +359,6 @@ eap {
    #  TLS-Client-Cert-CN attribute.  This check
    #  can be done via any mechanism you choose.
    #
  #  check_cert_cn = %{User-Name}
<%- if @tls_check_cert_cn -%>
    check_cert_cn = <%= @tls_check_cert_cn %>
<%- end -%>
    #
@@ -385,6 +370,7 @@ eap {
    #
    cipher_list = "<%= @tls_cipher_list %>"

<%- if @tls_disable_tlsv1_2 -%>
    # Work-arounds for OpenSSL nonsense
    # OpenSSL 1.0.1f and 1.0.1g do not calculate
    # the EAP keys correctly.  The fix is to upgrade
@@ -392,8 +378,6 @@ eap {
    #
    #  For EAP-FAST, this MUST be set to "yes".
    #
#    disable_tlsv1_2 = no
<%- if @tls_disable_tlsv1_2 -%>
    disable_tlsv1_2 = <%= @tls_disable_tlsv1_2 %>
<%- end -%>

@@ -466,6 +450,7 @@ eap {
      #
      max_entries = <%= @tls_cache_max_entries %>

<%- if @tls_cache_name -%>
      #
      #  Internal "name" of the session cache. Used to
      #  distinguish which TLS context sessions belong to.
@@ -475,11 +460,10 @@ eap {
      #  set the "name" if you want to persist sessions (see
      #  below).
      #
      #name = "EAP module"
<%- if @tls_cache_name -%>
      name = "<%= @tls_cache_name %>"
<%- end -%>

<%- if @tls_cache_persist_dir -%>
      #
      #  Simple directory-based storage of sessions.
      #  Two files per session will be written, the SSL
@@ -494,8 +478,6 @@ eap {
      #
      #  This feature REQUIRES "name" option be set above.
      #
      #persist_dir = "${logdir}/tlscache"
<%- if @tls_cache_persist_dir -%>
      persist_dir = "<%= @tls_cache_persist_dir %>"
<%- end -%>
    }
@@ -516,17 +498,17 @@ eap {
    #  run on successful certificate validation.
    #
    verify {
<%- if @tls_verify_skip_if_ocsp_ok -%>
      #  If the OCSP checks succeed, the verify section
      #  is run to allow additional checks.
      #
      #  If you want to skip verify on OCSP success,
      #  uncomment this configuration item, and set it
      #  to "yes".
  #    skip_if_ocsp_ok = no
<%- if @tls_verify_skip_if_ocsp_ok -%>
      skip_if_ocsp_ok = <%= @tls_verify_skip_if_ocsp_ok %>
<%- end -%>

<%- if @tls_tmpdir -%>
      #  A temporary directory where the client
      #  certificates are stored.  This directory
      #  MUST be owned by the UID of the server,
@@ -538,11 +520,10 @@ eap {
      #
      #  You should also delete all of the files
      #  in the directory when the server starts.
  #    tmpdir = /tmp/radiusd
<%- if @tls_tmpdir -%>
      tmpdir = <%= @tls_tmpdir %>
<%- end -%>

<%- if @tls_client -%>
      #  The command used to verify the client cert.
      #  We recommend using the OpenSSL command-line
      #  tool.
@@ -555,8 +536,6 @@ eap {
      #  in PEM format.  This file is automatically
      #  deleted by the server when the command
      #  returns.
  #    client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
<%- if @tls_client -%>
      client = "<%= @tls_client %>"
<%- end -%>
    }
@@ -590,6 +569,7 @@ eap {
      #
      url = "<%= @tls_ocsp_url %>"

<%- if @tls_ocsp_use_nonce -%>
      #
      # If the OCSP Responder can not cope with nonce
      # in the request, then it can be disabled here.
@@ -604,20 +584,18 @@ eap {
      # to disable it in the query here.
      # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
      #
      # use_nonce = yes
<%- if @tls_ocsp_use_nonce -%>
      use_nonce = <%= @tls_ocsp_use_nonce %>
<%- end -%>

<%- if @tls_ocsp_timeout -%>
      #
      # Number of seconds before giving up waiting
      # for OCSP response. 0 uses system default.
      #
      # timeout = 0
<%- if @tls_ocsp_timeout -%>
      timeout = <%= @tls_ocsp_timeout %>
<%- end -%>

<%- if @tls_ocsp_softfail -%>
      #
      # Normally an error in querying the OCSP
      # responder (no response from server, server did
@@ -632,8 +610,6 @@ eap {
      # certificates to connect if the OCSP responder
      # is not available. Use with caution.
      #
      # softfail = no
<%- if @tls_ocsp_softfail -%>
      softfail = <%= @tls_ocsp_softfail %>
<%- end -%>
    }
@@ -654,7 +630,6 @@ eap {
    # virtual server has access to these attributes, and can
    # be used to accept or reject the request.
    #
  #  virtual_server = check-eap-tls
<%- if @tls_virtual_server -%>
    virtual_server = <%= @tls_virtual_server %>
<%- end -%>
@@ -741,15 +716,15 @@ eap {
    #
    virtual_server = "<%= @ttls_virtual_server %>"

<%- if @ttls_include_length -%>
    #  This has the same meaning, and overwrites, the
    #  same field in the "tls" configuration, above.
    #  The default value here is "yes".
    #
  #  include_length = yes
<%- if @ttls_include_length -%>
    include_length = <%= @ttls_include_length %>
<%- end -%>

<%- if @ttls_require_client_cert -%>
    #
    # Unlike EAP-TLS, EAP-TTLS does not require a client
    # certificate. However, you can require one by setting the
@@ -760,8 +735,6 @@ eap {
    #
    # in the control items for a request.
    #
  #  require_client_cert = yes
<%- if @ttls_require_client_cert -%>
    require_client_cert = <%= @ttls_require_client_cert %>
<%- end -%>
  }
@@ -849,13 +822,12 @@ eap {
    #
    use_tunneled_reply = <%= @peap_use_tunneled_reply %>

<%- if @peap_proxy_tunneled_request_as_eap -%>
    #  When the tunneled session is proxied, the
    #  home server may not understand EAP-MSCHAP-V2.
    #  Set this entry to "no" to proxy the tunneled
    #  EAP-MSCHAP-V2 as normal MSCHAPv2.
    #
  #  proxy_tunneled_request_as_eap = yes
<%- if @peap_proxy_tunneled_request_as_eap -%>
    proxy_tunneled_request_as_eap = <%= @peap_proxy_tunneled_request_as_eap %>
<%- end -%>

@@ -871,24 +843,23 @@ eap {
    #
    virtual_server = "<%= @peap_virtual_server %>"

<%- if @peap_soh -%>
    # This option enables support for MS-SoH
    # see doc/SoH.txt for more info.
    # It is disabled by default.
    #
  #  soh = yes
<%- if @peap_soh -%>
    soh = <%= @peap_soh %>
<%- end -%>

<%- if @peap_soh_virtual_server -%>
    #
    # The SoH reply will be turned into a request which
    # can be sent to a specific virtual server:
    #
  #  soh_virtual_server = "soh-server"
<%- if @peap_soh_virtual_server -%>
    soh_virtual_server = <%= @peap_soh_virtual_server %>
<%- end -%>

<%- if @peap_require_client_cert -%>
    #
    # Unlike EAP-TLS, PEAP does not require a client certificate.
    # However, you can require one by setting the following
@@ -898,8 +869,6 @@ eap {
    #
    # in the control items for a request.
    #
  #  require_client_cert = yes
<%- if @peap_require_client_cert -%>
    require_client_cert = <%= @peap_require_client_cert %>
<%- end -%>
}
@@ -920,6 +889,7 @@ eap {
  #  currently support.
  #
  mschapv2 {
<%- if @mschapv2_send_error -%>
    #  Prior to version 2.1.11, the module never
    #  sent the MS-CHAP-Error message to the
    #  client.  This worked, but it had issues
@@ -936,17 +906,14 @@ eap {
    #  but *may* also cause other clients to stop
    #  working.
    #
#    send_error = no
<%- if @mschapv2_send_error -%>
    send_error = <%= @mschapv2_send_error %>
<%- end -%>

<%- if @mschapv2_identity -%>
    #  Server identifier to send back in the challenge.
    #  This should generally be the host name of the
    #  RADIUS server.  Or, some information to uniquely
    #  identify it.
#    identity = "FreeRADIUS"
<%- if @mschapv2_identity -%>
    identity = "<%= @mschapv2_identity %>"
<%- end -%>
  }
+2 −4
Original line number Diff line number Diff line
@@ -14,21 +14,19 @@ files <%= @name %> {
  # matches this instance of the files module.
  moddir = <%= @moddir %>

<%- if @key -%>
  # The default key attribute to use for matches.  The content
  # of this attribute is used to match the "name" of the
  # entry.
  #key = "%{%{Stripped-User-Name}:-%{User-Name}}"
<%- if @key -%>
  key = "<%= @key %>"
<%- end -%>

  #  The old "users" style file is now located here.
  filename = <%= @filename %>

<%- if @usersfile -%>
  #  This is accepted for backwards compatibility
  #  It will be removed in a future release.
  # usersfile = ${moddir}/authorize
<%- if @usersfile -%>
  usersfile = <%= @usersfile %>
<%- end -%>

+1 −2
Original line number Diff line number Diff line
@@ -60,6 +60,7 @@ ippool <%= @name %> {
  #  "no timeout".  The default value is 0
  maximum_timeout = <%= @maximum_timeout %>

<%- if @key -%>
  #  The key to use for the session database (which
  #  holds the allocated ip's) normally it should
  #  just be the nas ip/port (which is the default).
@@ -68,8 +69,6 @@ ippool <%= @name %> {
  #  all requests, the key should be based on some
  #  other attribute that is in ALL requests, AND
  #  is unique to each machine needing an IP address.
#  key = "%{NAS-IP-Address} %{NAS-Port}"
<%- if @key -%>
  key = "<%= @key %>"
<%- end -%>
}
+27 −55
Original line number Diff line number Diff line
@@ -58,25 +58,23 @@ ldap <%= @name %> {
	#  At a minimum you probably want to set KRB5_CLIENT_KTNAME.
	#
	sasl {
		# SASL mechanism
#		mech = 'PLAIN'
<%- if @sasl.has_key?('mech') -%>
		# SASL mechanism
		mech = '<%= @sasl['mech'] %>'
<%- end -%>

		# SASL authorisation identity to proxy.
#		proxy = 'autz_id'
<%- if @sasl.has_key?('proxy') -%>
		# SASL authorisation identity to proxy.
		proxy = '<%= @sasl['proxy'] %>'
<%- end -%>

		# SASL realm. Used for kerberos.
#		realm = 'example.org'
<%- if @sasl.has_key?('realm') -%>
		# SASL realm. Used for kerberos.
		realm = '<%= @sasl['realm'] %>'
<%- end -%>
	}

<%- if @valuepair_attribute -%>
	#
	#  Generic valuepair attribute
	#
@@ -94,11 +92,10 @@ ldap <%= @name %> {
	#  	<value>:	Is the value to parse into the new attribute.
	# 			If the value is wrapped in double quotes it
	#			will be xlat expanded.
#	valuepair_attribute = 'radiusAttribute'
<%- if @valuepair_attribute -%>
	valuepair_attribute = <%= @valuepair_attribute %>
<%- end -%>

<%- if @update -%>
	#
	#  Mapping of LDAP directory attributes to RADIUS dictionary attributes.
	#
@@ -126,7 +123,6 @@ ldap <%= @name %> {
	#  Note: LDAP attribute names should be single quoted unless you want
	#  the name to be derived from an xlat expansion, or an attribute ref.
	#
<%- if @update -%>
	update {
		<%= @update.join("\n		") %>
	}
@@ -148,18 +144,16 @@ ldap <%= @name %> {
	}
<%- end -%>

<%- if @edir -%>
	#  Set to yes if you have eDirectory and want to use the universal
	#  password mechanism.
#	edir = no
<%- if @edir -%>
	edir = <%= @edir %>
<%- end -%>

<%- if @edir_autz -%>
	#  Set to yes if you want to bind as the user after retrieving the
	#  Cleartext-Password. This will consume the login grace, and
	#  verify user authorization.
#	edir_autz = no
<%- if @edir_autz -%>
	edir_autz = <%= @edir_autz %>
<%- end -%>

@@ -195,31 +189,28 @@ ldap <%= @name %> {
		#  proxy IDs and realms to be used for different users.
		#
		sasl {
			# SASL mechanism
#			mech = 'PLAIN'
      <%- if @user_sasl.has_key?('mech') -%>
			# SASL mechanism
			mech = '<%= @user_sasl['mech'] %>'
      <%- end -%>

			# SASL authorisation identity to proxy.
#			proxy = &User-Name
      <%- if @user_sasl.has_key?('proxy') -%>
			# SASL authorisation identity to proxy.
			proxy = '<%= @user_sasl['proxy'] %>'
      <%- end -%>

			# SASL realm. Used for kerberos.
#			realm = 'example.org'
      <%- if @user_sasl.has_key?('realm') -%>
			# SASL realm. Used for kerberos.
			realm = '<%= @user_sasl['realm'] %>'
      <%- end -%>
		}

		#  Search scope, may be 'base', 'one', sub' or 'children'
#		scope = 'sub'
<%- if @user_scope -%>
		#  Search scope, may be 'base', 'one', sub' or 'children'
		scope = '<%= @user_scope %>'
<%- end -%>

<%- if @user_sort_by -%>
		#  Server side result sorting
		#
		#  A list of space delimited attributes to order the result set by.
@@ -235,19 +226,17 @@ ldap <%= @name %> {
		#
		#  If a search returns multiple user objects and sort_by is not
		#  set, the search will fail.
#		sort_by = '-uid'
<%- if @user_sort_by -%>
		sort_by = '<%= @user_sort_by %>'
<%- end -%>

<%- if @user_access_attribute -%>
		#  If this is undefined, anyone is authorised.
		#  If it is defined, the contents of this attribute
		#  determine whether or not the user is authorised
#		access_attribute = 'dialupAccess'
<%- if @user_access_attribute -%>
		access_attribute = '<%= @user_access_attribute %>'
<%- end -%>

<%- if @user_access_positive -%>
		#  Control whether the presence of 'access_attribute'
		#  allows access, or denys access.
		#
@@ -270,8 +259,6 @@ ldap <%= @name %> {
		#    userAccessAllowed: false
		#
		#  Will result in the user being locked out.
#		access_positive = yes
<%- if @user_access_positive -%>
		access_positive = <%= @user_access_positive %>
<%- end -%>
	}
@@ -287,25 +274,22 @@ ldap <%= @name %> {
		#  group objects a user might be a member of.
		filter = "<%= @group_filter %>"

		# Search scope, may be 'base', 'one', sub' or 'children'
#		scope = 'sub'
<%- if @group_scope -%>
		# Search scope, may be 'base', 'one', sub' or 'children'
		scope = '<%= @group_scope %>'
<%- end -%>

<%- if @group_name_attribute -%>
		#  Attribute that uniquely identifies a group.
		#  Is used when converting group DNs to group
		#  names.
#		name_attribute = cn
<%- if @group_name_attribute -%>
		name_attribute = <%= @group_name_attribute %>
<%- end -%>

<%- if @group_membership_filter -%>
		#  Filter to find group objects a user is a member of.
		#  That is, group objects with attributes that
		#  identify members (the inverse of membership_attribute).
#		membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
<%- if @group_membership_filter -%>
		membership_filter = "<%= @group_membership_filter %>"
<%- end -%>

@@ -317,6 +301,7 @@ ldap <%= @name %> {
		#  referenced to actually exist.
		membership_attribute = '<%= @group_membership_attribute %>'

<%- if @group_cacheable_name -%>
		#  If cacheable_name or cacheable_dn are enabled,
		#  all group information for the user will be
		#  retrieved from the directory and written to LDAP-Group
@@ -331,28 +316,23 @@ ldap <%= @name %> {
		#  the type that matches the format of your check items
		#  i.e. if your groups are specified as DNs then enable
		#  cacheable_dn else enable cacheable_name.
#		cacheable_name = 'no'
<%- if @group_cacheable_name -%>
		cacheable_name = '<%= @group_cacheable_name %>'
<%- end -%>
#		cacheable_dn = 'no'
<%- if @group_cacheable_dn -%>
		cacheable_dn = '<%= @group_cacheable_dn %>'
<%- end -%>

<%- if @group_cache_attribute -%>
		#  Override the normal cache attribute (<inst>-LDAP-Group or
		#  LDAP-Group if using the default instance) and create a
		#  custom attribute.  This can help if multiple module instances
		#  are used in fail-over.
#		cache_attribute = 'LDAP-Cached-Membership'
<%- if @group_cache_attribute -%>
		cache_attribute = '<%= @group_cache_attribute %>'
<%- end -%>

<%- if @group_attribute -%>
		#  Override the normal group comparison attribute name
		#  (<inst>-LDAP-Group or LDAP-Group if using the default instance) .
#		group_attribute = "${.:instance}-${.:name}-Group"
<%- if @group_attribute -%>
		group_attribute = '<%= @group_attribute %>'
<%- end -%>
	}
@@ -363,29 +343,26 @@ ldap <%= @name %> {
	#  the same mapping scheme applied to user objects (the update section above).
	#
	profile {
		#  Filter for RADIUS profile objects
#		filter = '(objectclass=radiusprofile)'
<%- if @profile_filter -%>
		#  Filter for RADIUS profile objects
		filter = '<%= @profile_filter %>'
<%- end -%>

<%- if @profile_default -%>
		#  The default profile.  This may be a DN or an attribute
		#  reference.
		#  To get old v2.2.x style behaviour, or to use the
		#  &User-Profile attribute to specify the default profile,
		#  set this to &control:User-Profile.
#		default = 'cn=radprofile,dc=example,dc=org'
<%- if @profile_default -%>
		default = '<%= @profile_default %>'
<%- end -%>

<%- if @profile_attribute -%>
		#  The LDAP attribute containing profile DNs to apply
		#  in addition to the default profile above.  These are
		#  retrieved from the user object, at the same time as the
		#  attributes from the update section, are are applied
		#  if authorization is successful.
#		attribute = 'radiusProfileDn'
<%- if @profile_default -%>
		attribute = '<%= @profile_attribute %>'
<%- end -%>
	}
@@ -402,9 +379,8 @@ ldap <%= @name %> {
		#
		filter = '<%= @client_filter %>'

		# Search scope, may be 'base', 'one', 'sub' or 'children'
#		scope = 'sub'
<%- if @client_scope -%>
		# Search scope, may be 'base', 'one', 'sub' or 'children'
		scope = '<%= @client_scope %>'
<%- end -%>

@@ -447,9 +423,8 @@ ldap <%= @name %> {
		}
	}

	#  Load clients on startup
#	read_clients = no
<%- if @read_clients -%>
	#  Load clients on startup
	read_clients = <%= @read_clients %>
<%- end -%>

@@ -512,13 +487,12 @@ ldap <%= @name %> {
	#  These options set timeouts, keep-alives, etc. for the connections.
	#
	options {
<%- if @dereference -%>
		#  Control under which situations aliases are followed.
		#  May be one of 'never', 'searching', 'finding' or 'always'
		#  default: libldap's default which is usually 'never'.
		#
		#  LDAP_OPT_DEREF is set to this value.
#		dereference = 'always'
<%- if @dereference -%>
		dereference = '<%= @dereference %>'
<%- end -%>

@@ -539,6 +513,7 @@ ldap <%= @name %> {
		#
		use_referral_credentials = <%= @use_referral_credentials %>

<%- if @session_tracking -%>
		#
		#  If 'yes', then include draft-wahl-ldap-session tracking
		#  controls.
@@ -548,8 +523,6 @@ ldap <%= @name %> {
		#  as session tracking controls, in applicable LDAP operations.
		#  Default 'no'.
		#
#		session_tracking = yes
<%- if @session_tracking -%>
		session_tracking = <%= @session_tracking %>
<%- end -%>

@@ -609,7 +582,6 @@ ldap <%= @name %> {
<% if @keyfile -%>
		private_key_file = <%= @keyfile %>
<% end -%>
#		random_file = /dev/urandom
<%- if @random_file -%>
		random_file = <%= @random_file %>
<%- end -%>
Loading