diff options
Diffstat (limited to 'radsecproxy.conf.5.xml')
-rw-r--r-- | radsecproxy.conf.5.xml | 1148 |
1 files changed, 625 insertions, 523 deletions
diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 4024bde..406f2bf 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -2,136 +2,138 @@ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> <refentry> <refentryinfo> - <date>2009-03-12</date> + <date>2011-04-04</date> </refentryinfo> <refmeta> <refentrytitle> <application>radsecproxy.conf</application> </refentrytitle> <manvolnum>5</manvolnum> - <refmiscinfo>radsecproxy devel 2009-03-12</refmiscinfo> + <refmiscinfo>radsecproxy 1.5-dev</refmiscinfo> </refmeta> <refnamediv> <refname> <application>radsecproxy.conf</application> </refname> - <refpurpose> -Radsec proxy configuration file - </refpurpose> + <refpurpose>Radsec proxy configuration file</refpurpose> </refnamediv> <refsect1> <title>Description</title> <para> -When the proxy server starts, it will first check the command line arguments, -and then read the configuration file. Normally radsecproxy will read the -configuration file <filename>/etc/radsecproxy.conf</filename>. The command -line <option>-c</option> option can be used to instead read an alternate -file (see + When the proxy server starts, it will first check the command + line arguments, and then read the configuration file. Normally + radsecproxy will read the configuration file + <filename>/etc/radsecproxy.conf</filename>. The command line + <option>-c</option> option can be used to instead read an + alternate file (see <citerefentry> - <refentrytitle>radsecproxy</refentrytitle> - <manvolnum>1</manvolnum> + <refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum> </citerefentry> -for details). + for details). </para> <para> - If the configuration file can not be found, the proxy will exit with an - error message. Note that there is also an include facility so that any - configuration file may include other configuration files. The proxy will - also exit on configuration errors. + If the configuration file can not be found, the proxy will exit + with an error message. Note that there is also an include facility + so that any configuration file may include other configuration + files. The proxy will also exit on configuration errors. </para> </refsect1> <refsect1> <title>Configuration Syntax</title> <para> -When the configuration file is processed, whitespace (spaces and tabs) are -generally ignored. For each line, leading and trailing whitespace are ignored. -A line is ignored if it is empty, only consists of whitespace, or if the first -non-whitespace character is a <literal>#</literal>. The configuration is -generally case insensitive, but in some cases the option values (see below) -are not. - </para> - <para> -There are two types of configuration structures than can be used. The first -and simplest are lines on the format <emphasis>option value</emphasis>. That -is, an option name, see below for a list of valid options, followed by -whitespace (at least one space or tab character), followed by a value. Note -that if the value contains whitespace, then it must be quoted using -<literal>""</literal> or <literal>''</literal>. Any whitespace -in front of the option or after the value will be ignored. - </para> - <para> -The other type of structure is a block. A block spans at least two lines, and -has the format: - <blockquote> -<literallayout> + When the configuration file is processed, whitespace (spaces and + tabs) are generally ignored. For each line, leading and trailing + whitespace are ignored. A line is ignored if it is empty, only + consists of whitespace, or if the first non-whitespace character + is a <literal>#</literal>. The configuration is generally case + insensitive, but in some cases the option values (see below) are + not. + </para> + <para> + There are two types of configuration structures than can be + used. The first and simplest are lines on the format + <emphasis>option value</emphasis>. That is, an option name, see + below for a list of valid options, followed by whitespace (at + least one space or tab character), followed by a value. Note + that if the value contains whitespace, then it must be quoted + using <literal>""</literal> or <literal>''</literal>. Any + whitespace in front of the option or after the value will be + ignored. + </para> + <para> + The other type of structure is a block. A block spans at least + two lines, and has the format: + <blockquote><literallayout> blocktype name { option value option value ... } -</literallayout> - </blockquote> -That is, some blocktype, see below for a list of the different block types, and -then enclosed in braces you have zero or more lines that each have the -previously described <emphasis>option value</emphasis> format. Different block -types have different rules for which options can be specified, they are listed -below. The rules regarding white space, comments and quotes are as above. Hence -you may do things like: - <blockquote> - <para> -<literallayout> + </literallayout></blockquote> + That is, some blocktype, see below for a list of the different + block types, and then enclosed in braces you have zero or more + lines that each have the previously described <emphasis>option + value</emphasis> format. Different block types have different + rules for which options can be specified, they are listed + below. The rules regarding white space, comments and quotes are + as above. Hence you may do things like: + <blockquote><literallayout> blocktype name { # option value option "value with space" ... } -</literallayout> - </para> - </blockquote> + </literallayout></blockquote> </para> <para> -Option value characters can also be written in hex. This is done by writing the -character <literal>%</literal> followed by two hexadecimal digits. If a -<literal>%</literal> is used without two following hexadecimal digits, the -<literal>%</literal> and the following characters are used as written. If you -want to write a <literal>%</literal> and not use this decoding, you may of -course write <literal>%</literal> in hex; i.e., <literal>%25</literal>. + Option value characters can also be written in hex. This is done + by writing the character <literal>%</literal> followed by two + hexadecimal digits. If a <literal>%</literal> is used without + two following hexadecimal digits, the <literal>%</literal> and + the following characters are used as written. If you want to + write a <literal>%</literal> and not use this decoding, you may + of course write <literal>%</literal> in hex; i.e., + <literal>%25</literal>. </para> <para> -There is one special option that can be used both as a basic option and inside -all blocks. That is the option <literal>include</literal> where the value -specifies files to be included. The value can be a single file, or it can use -normal shell globbing to specify multiple files, e.g.: + There is one special option that can be used both as a basic + option and inside all blocks. That is the option + <literal>include</literal> where the value specifies files to be + included. The value can be a single file, or it can use normal + shell globbing to specify multiple files, e.g.: <blockquote> <para> -include /etc/radsecproxy.conf.d/*.conf + include /etc/radsecproxy.conf.d/*.conf </para> </blockquote> -The files are sorted alphabetically. Included files are read in the order they -are specified, when reaching the end of a file, the next file is read. When -reaching the end of the last included file, the proxy returns to read the next -line following the <literal>include</literal> option. Included files may again -include other files. + The files are sorted alphabetically. Included files are read in + the order they are specified, when reaching the end of a file, + the next file is read. When reaching the end of the last + included file, the proxy returns to read the next line following + the <literal>include</literal> option. Included files may again + include other files. </para> </refsect1> <refsect1> <title>Basic Options</title> <para> -The following basic options may be specified in the configuration file. Note -that blocktypes and options inside blocks are discussed later. Note that none -of these options are required, and indeed in many cases they are not needed. -Note that you should specify each at most once. The behaviour with multiple -occurences is undefined. + The following basic options may be specified in the + configuration file. Note that blocktypes and options inside + blocks are discussed later. Note that none of these options are + required, and indeed in many cases they are not needed. Note + that you should specify each at most once. The behaviour with + multiple occurences is undefined. </para> <variablelist> <varlistentry> <term><literal>logLevel</literal></term> <listitem> <para> -This option specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where -1 logs only serious errors, and 5 logs everything. The default is 2 which logs -errors, warnings and a few informational messages. Note that the command line -option <option>-d</option> overrides this. + This option specifies the debug level. It must be set to + 1, 2, 3, 4 or 5, where 1 logs only serious errors, and 5 + logs everything. The default is 2 which logs errors, + warnings and a few informational messages. Note that the + command line option <option>-d</option> overrides this. </para> </listitem> </varlistentry> @@ -139,22 +141,30 @@ option <option>-d</option> overrides this. <term><literal>logDestination</literal></term> <listitem> <para> -This specifies where the log messages should go. By default the messages go to -syslog with facility <literal>LOG_DAEMON</literal>. Using this option you can -specify another syslog facility, or you may specify that logging should be to -a particular file, not using syslog. The value must be either a file or -syslog URL. The file URL is the standard one, specifying a local file that -should be used. For syslog, you must use the syntax: -<literal>x-syslog:///FACILITY</literal> where <literal>FACILITY</literal> must -be one of <literal>LOG_DAEMON</literal>, <literal>LOG_MAIL</literal>, -<literal>LOG_USER</literal>, <literal>LOG_LOCAL0</literal>, -<literal>LOG_LOCAL1</literal>, <literal>LOG_LOCAL2</literal>, -<literal>LOG_LOCAL3</literal>, <literal>LOG_LOCAL4</literal>, -<literal>LOG_LOCAL5</literal>, <literal>LOG_LOCAL6</literal> or -<literal>LOG_LOCAL7</literal>. You may omit the facility from the URL to -specify logging to the default facility, but this is not very useful since -this is the default log destination. Note that this option is ignored if -<option>-f</option> is specified on the command line. + This specifies where the log messages should go. By + default the messages go to syslog with facility + <literal>LOG_DAEMON</literal>. Using this option you can + specify another syslog facility, or you may specify that + logging should be to a particular file, not using + syslog. The value must be either a file or syslog URL. The + file URL is the standard one, specifying a local file that + should be used. For syslog, you must use the syntax: + <literal>x-syslog:///FACILITY</literal> where + <literal>FACILITY</literal> must be one of + <literal>LOG_DAEMON</literal>, + <literal>LOG_MAIL</literal>, <literal>LOG_USER</literal>, + <literal>LOG_LOCAL0</literal>, + <literal>LOG_LOCAL1</literal>, + <literal>LOG_LOCAL2</literal>, + <literal>LOG_LOCAL3</literal>, + <literal>LOG_LOCAL4</literal>, + <literal>LOG_LOCAL5</literal>, + <literal>LOG_LOCAL6</literal> or + <literal>LOG_LOCAL7</literal>. You may omit the facility + from the URL to specify logging to the default facility, + but this is not very useful since this is the default log + destination. Note that this option is ignored if + <option>-f</option> is specified on the command line. </para> </listitem> </varlistentry> @@ -162,19 +172,24 @@ this is the default log destination. Note that this option is ignored if <term><literal>listenUDP</literal></term> <listitem> <para> -Normally the proxy will listen to the standard RADIUS UDP port -<literal>1812</literal> if configured to handle UDP clients. On most systems it -will do this for all of the system's IP addresses (both IPv4 and IPv6). On some -systems however, it may respond to only IPv4 or only IPv6. To specify an -alternate port you may use a value on the form <literal>*:port</literal> where -port is any valid port number. If you also want to specify a specific address -you can do e.g. <literal>192.168.1.1:1812</literal> or -<literal>[2001:db8::1]:1812</literal>. The port may be omitted if you want the -default one (like in these examples). These examples are equivalent to -<literal>192.168.1.1</literal> and <literal>2001:db8::1</literal>. Note that -you must use brackets around the IPv6 address. -This option may be specified multiple times to listen to multiple addresses -and/or ports. + Normally the proxy will listen to the standard RADIUS UDP + port <literal>1812</literal> if configured to handle UDP + clients. On most systems it will do this for all of the + system's IP addresses (both IPv4 and IPv6). On some + systems however, it may respond to only IPv4 or only + IPv6. To specify an alternate port you may use a value on + the form <literal>*:port</literal> where port is any valid + port number. If you also want to specify a specific + address you can do + e.g. <literal>192.168.1.1:1812</literal> or + <literal>[2001:db8::1]:1812</literal>. The port may be + omitted if you want the default one (like in these + examples). These examples are equivalent to + <literal>192.168.1.1</literal> and + <literal>2001:db8::1</literal>. Note that you must use + brackets around the IPv6 address. This option may be + specified multiple times to listen to multiple addresses + and/or ports. </para> </listitem> </varlistentry> @@ -182,9 +197,10 @@ and/or ports. <term><literal>listenTCP</literal></term> <listitem> <para> -This option is similar to the <literal>listenUDP</literal> option, except -that it is used for receiving connections from TCP clients. The default port -number is <literal>1812</literal>. + This option is similar to the <literal>listenUDP</literal> + option, except that it is used for receiving connections + from TCP clients. The default port number is + <literal>1812</literal>. </para> </listitem> </varlistentry> @@ -192,10 +208,11 @@ number is <literal>1812</literal>. <term><literal>listenTLS</literal></term> <listitem> <para> -This is similar to the <literal>listenUDP</literal> option, except that it is -used for receiving connections from TLS clients. The default port number is -<literal>2083</literal>. Note that this option was previously called -<literal>listenTCP</literal>. + This is similar to the <literal>listenUDP</literal> + option, except that it is used for receiving connections + from TLS clients. The default port number is + <literal>2083</literal>. Note that this option was + previously called <literal>listenTCP</literal>. </para> </listitem> </varlistentry> @@ -203,9 +220,10 @@ used for receiving connections from TLS clients. The default port number is <term><literal>listenDTLS</literal></term> <listitem> <para> -This is similar to the <literal>listenUDP</literal> option, except that it is -used for receiving connections from DTLS clients. The default port number is -<literal>2083</literal>. + This is similar to the <literal>listenUDP</literal> + option, except that it is used for receiving connections + from DTLS clients. The default port number is + <literal>2083</literal>. </para> </listitem> </varlistentry> @@ -213,8 +231,9 @@ used for receiving connections from DTLS clients. The default port number is <term><literal>sourceUDP</literal></term> <listitem> <para> -This can be used to specify source address and/or source port that the proxy -will use for sending UDP client messages (e.g. Access Request). + This can be used to specify source address and/or source + port that the proxy will use for sending UDP client + messages (e.g. Access Request). </para> </listitem> </varlistentry> @@ -222,8 +241,8 @@ will use for sending UDP client messages (e.g. Access Request). <term><literal>sourceTCP</literal></term> <listitem> <para> -This can be used to specify source address and/or source port that the proxy -will use for TCP connections. + This can be used to specify source address and/or source + port that the proxy will use for TCP connections. </para> </listitem> </varlistentry> @@ -231,8 +250,8 @@ will use for TCP connections. <term><literal>sourceTLS</literal></term> <listitem> <para> -This can be used to specify source address and/or source port that the proxy -will use for TLS connections. + This can be used to specify source address and/or source + port that the proxy will use for TLS connections. </para> </listitem> </varlistentry> @@ -240,8 +259,8 @@ will use for TLS connections. <term><literal>sourceDTLS</literal></term> <listitem> <para> -This can be used to specify source address and/or source port that the proxy -will use for DTLS connections. + This can be used to specify source address and/or source + port that the proxy will use for DTLS connections. </para> </listitem> </varlistentry> @@ -249,10 +268,12 @@ will use for DTLS connections. <term><literal>TTLAttribute</literal></term> <listitem> <para> -This can be used to change the default TTL attribute. Only change this if -you know what you are doing. The syntax is either a numerical value -denoting the TTL attribute, or two numerical values separated by column -specifying a vendor attribute, i.e. <literal>vendorid:attribute</literal>. + This can be used to change the default TTL attribute. Only + change this if you know what you are doing. The syntax is + either a numerical value denoting the TTL attribute, or + two numerical values separated by column specifying a + vendor attribute, + i.e. <literal>vendorid:attribute</literal>. </para> </listitem> </varlistentry> @@ -260,13 +281,15 @@ specifying a vendor attribute, i.e. <literal>vendorid:attribute</literal>. <term><literal>addTTL</literal></term> <listitem> <para> -If a TTL attribute is present, the proxy will decrement the value and -discard the message if zero. Normally the proxy does nothing if no TTL -attribute is present. If you use the addTTL option with a value 1-255, -the proxy will when forwarding a message with no TTL attribute, add one -with the specified value. Note that this option can also be specified -for a client/server. It will then override this setting when forwarding -a message to that client/server. + If a TTL attribute is present, the proxy will decrement + the value and discard the message if zero. Normally the + proxy does nothing if no TTL attribute is present. If you + use the addTTL option with a value 1-255, the proxy will + when forwarding a message with no TTL attribute, add one + with the specified value. Note that this option can also + be specified for a client/server. It will then override + this setting when forwarding a message to that + client/server. </para> </listitem> </varlistentry> @@ -274,13 +297,15 @@ a message to that client/server. <term><literal>loopPrevention</literal></term> <listitem> <para> -This can be set to <literal>on</literal> or <literal>off</literal> with -<literal>off</literal> being the default. When this is enabled, a request -will never be sent to a server named the same as the client it was received -from. I.e., the names of the client block and the server block are compared. -Note that this only gives limited protection against loops. -It can be used as a basic option and inside server blocks where it overrides -the basic setting. + This can be set to <literal>on</literal> or + <literal>off</literal> with <literal>off</literal> being + the default. When this is enabled, a request will never be + sent to a server named the same as the client it was + received from. I.e., the names of the client block and the + server block are compared. Note that this only gives + limited protection against loops. It can be used as a + basic option and inside server blocks where it overrides + the basic setting. </para> </listitem> </varlistentry> @@ -288,9 +313,10 @@ the basic setting. <term><literal>include</literal></term> <listitem> <para> -This is not a normal configuration option; it can be specified multiple times. -It can both be used as a basic option and inside blocks. For the full -description, see the configuration syntax section above. + This is not a normal configuration option; it can be + specified multiple times. It can both be used as a basic + option and inside blocks. For the full description, see + the configuration syntax section above. </para> </listitem> </varlistentry> @@ -299,137 +325,158 @@ description, see the configuration syntax section above. <refsect1> <title>Blocks</title> <para> -There are five types of blocks, they are <literal>client</literal>, -<literal>server</literal>, <literal>realm</literal>, <literal>tls</literal> -and <literal>rewrite</literal>. At least one instance of each of -<literal>client</literal> and <literal>realm</literal> is required. This is -necessary for the proxy to do anything useful, and it will exit if not. The -<literal>tls</literal> block is required if at least one TLS/DTLS client or -server is configured. Note that there can be multiple blocks for each type. -For each type, the block names should be unique. The behaviour with multiple -occurences of the same name for the same block type is undefined. Also note -that some block option values may reference a block by name, in which case -the block name must be previously defined. Hence the order of the blocks may -be significant. + There are five types of blocks, they are + <literal>client</literal>, <literal>server</literal>, + <literal>realm</literal>, <literal>tls</literal> and + <literal>rewrite</literal>. At least one instance of each of + <literal>client</literal> and <literal>realm</literal> is + required. This is necessary for the proxy to do anything useful, + and it will exit if not. The <literal>tls</literal> block is + required if at least one TLS/DTLS client or server is + configured. Note that there can be multiple blocks for each + type. For each type, the block names should be unique. The + behaviour with multiple occurences of the same name for the same + block type is undefined. Also note that some block option values + may reference a block by name, in which case the block name must + be previously defined. Hence the order of the blocks may be + significant. </para> </refsect1> <refsect1> <title>Client Block</title> <para> -The client block is used to configure a client. That is, tell the proxy about a -client, and what parameters should be used for that client. The name of the -client block must (with one exception, see below) be either the IP address -(IPv4 or IPv6) of the client, an IP prefix (IPv4 or IPv6) on the form -IpAddress/PrefixLength, or a domain name (FQDN). Note that literal IPv6 -addresses must be enclosed in brackets. - </para> - <para> -If a domain name is specified, then this will be resolved immediately to all -the addresses associated with the name, and the proxy will not care about any -possible DNS changes that might occur later. Hence there is no dependency on -DNS after startup. - </para> - <para> -When some client later sends a request to the proxy, the proxy will look at the -IP address the request comes from, and then go through all the addresses of -each of the configured clients (in the order they are defined), to determine -which (if any) of the clients this is. - </para> - <para> -In the case of TLS/DTLS, the name of the client must match the FQDN or IP -address in the client certificate. Note that this is not required when the -client name is an IP prefix. - </para> - <para> -Alternatively one may use the <literal>host</literal> option inside a client -block. In that case, the value of the <literal>host</literal> option is used as -above, while the name of the block is only used as a descriptive name for the -administrator. The host option may be used multiple times, and can be a mix of -addresses, FQDNs and prefixes. - </para> - <para> -The allowed options in a client block are <literal>host</literal>, -<literal>type</literal>, <literal>secret</literal>, <literal>tls</literal>, -<literal>certificateNameCheck</literal>, -<literal>matchCertificateAttribute</literal>, -<literal>duplicateInterval</literal>, <literal>addTTL</literal>, -<literal>rewrite</literal>, <literal>rewriteIn</literal>, -<literal>rewriteOut</literal> and <literal>rewriteAttribute</literal>. -We already discussed the -<literal>host</literal> option. The value of <literal>type</literal> must be -one of <literal>udp</literal>, <literal>tcp</literal>, <literal>tls</literal> -or <literal>dtls</literal>. The value of <literal>secret</literal> is the -shared RADIUS key used with this client. If the secret contains whitespace, -the value must be quoted. This option is optional for TLS/DTLS. - </para> - <para> -For a TLS/DTLS client you may also specify the <literal>tls</literal> option. -The option value must be the name of a previously defined TLS block. If this -option is not specified, the TLS block with the name -<literal>defaultClient</literal> will be used if defined. If not defined, it -will try to use the TLS block named <literal>default</literal>. If the -specified TLS block name does not exist, or the option is not specified and -none of the defaults exist, the proxy will exit with an error. - </para> - <para> -For a TLS/DTLS client, the option <literal>certificateNameCheck</literal> -can be set -to <literal>off</literal>, to disable the default behaviour of matching CN or -SubjectAltName against the specified hostname or IP address. - </para> - <para> -Additional validation of certificate attributes can be done by use of the -<literal>matchCertificateAttribute</literal> option. Currently one can only do -some matching of CN and SubjectAltName. For regexp matching on CN, one can use -the value <literal>CN:/regexp/</literal>. For SubjectAltName one can only do -regexp matching of the URI, this is specified as -<literal>SubjectAltName:URI:/regexp/</literal>. Note that currently this option -can only be specified once in a client block. - </para> - <para> -The <literal>duplicateInterval</literal> option can be used to specify for how -many seconds duplicate checking should be done. If a proxy receives a new -request within a few seconds of a previous one, it may be treated the same if -from the same client, with the same authenticator etc. The proxy will then -ignore the new request (if it is still processing the previous one), or -returned a copy of the previous reply. - </para> - <para> -The <literal>addTTL</literal> option is similar to the -<literal>addTTL</literal> option used in the basic config. See that for -details. Any value configured here overrides the basic one when sending -messages to this client. - </para> - <para> -The <literal>rewrite</literal> option is deprecated. Use -<literal>rewriteIn</literal> instead. - </para> - <para> -The <literal>rewriteIn</literal> option can be used to refer to a rewrite block -that specifies certain rewrite operations that should be performed on incoming -messages from the client. The rewriting is done before other processing. -For details, see the rewrite block text below. Similarly to -<literal>tls</literal> discussed above, if this option is not used, there is a -fallback to using the <literal>rewrite</literal> block named -<literal>defaultClient</literal> if it exists; and if not, a fallback to a -block named <literal>default</literal>. - </para> - <para> -The <literal>rewriteOut</literal> option is used in the same way as -<literal>rewriteIn</literal>, except that it specifies rewrite operations that -should be performed on outgoing messages to the client. The rewriting is done -after other processing. Also, there is no rewrite fallback if this option is -not used. - </para> - <para> -The <literal>rewriteAttribute</literal> option currently makes it possible to -specify that the User-Name attribute in a client request shall be rewritten in -the request sent by the proxy. The User-Name attribute is written back to the -original value if a matching response is later sent back to the client. The -value must be on the form User-Name:/regexpmatch/replacement/. Example usage: + The client block is used to configure a client. That is, tell + the proxy about a client, and what parameters should be used for + that client. The name of the client block must (with one + exception, see below) be either the IP address (IPv4 or IPv6) of + the client, an IP prefix (IPv4 or IPv6) on the form + IpAddress/PrefixLength, or a domain name (FQDN). Note that + literal IPv6 addresses must be enclosed in brackets. + </para> + <para> + If a domain name is specified, then this will be resolved + immediately to all the addresses associated with the name, and + the proxy will not care about any possible DNS changes that + might occur later. Hence there is no dependency on DNS after + startup. + </para> + <para> + When some client later sends a request to the proxy, the proxy + will look at the IP address the request comes from, and then go + through all the addresses of each of the configured clients (in + the order they are defined), to determine which (if any) of the + clients this is. + </para> + <para> + In the case of TLS/DTLS, the name of the client must match the + FQDN or IP address in the client certificate. Note that this is + not required when the client name is an IP prefix. + </para> + <para> + Alternatively one may use the <literal>host</literal> option + inside a client block. In that case, the value of the + <literal>host</literal> option is used as above, while the name + of the block is only used as a descriptive name for the + administrator. The host option may be used multiple times, and + can be a mix of addresses, FQDNs and prefixes. + </para> + <para> + The allowed options in a client block are + <literal>host</literal>, <literal>type</literal>, + <literal>secret</literal>, <literal>tls</literal>, + <literal>certificateNameCheck</literal>, + <literal>matchCertificateAttribute</literal>, + <literal>duplicateInterval</literal>, <literal>addTTL</literal>, + <literal>rewrite</literal>, <literal>rewriteIn</literal>, + <literal>rewriteOut</literal> and + <literal>rewriteAttribute</literal>. + + We already discussed the <literal>host</literal> option. The + value of <literal>type</literal> must be one of + <literal>udp</literal>, <literal>tcp</literal>, + <literal>tls</literal> or <literal>dtls</literal>. The value of + <literal>secret</literal> is the shared RADIUS key used with + this client. If the secret contains whitespace, the value must + be quoted. This option is optional for TLS/DTLS. + </para> + <para> + For a TLS/DTLS client you may also specify the + <literal>tls</literal> option. The option value must be the + name of a previously defined TLS block. If this option is not + specified, the TLS block with the name + <literal>defaultClient</literal> will be used if defined. If not + defined, it will try to use the TLS block named + <literal>default</literal>. If the specified TLS block name does + not exist, or the option is not specified and none of the + defaults exist, the proxy will exit with an error. + </para> + <para> + For a TLS/DTLS client, the option + <literal>certificateNameCheck</literal> can be set to + <literal>off</literal>, to disable the default behaviour of + matching CN or SubjectAltName against the specified hostname or + IP address. + </para> + <para> + Additional validation of certificate attributes can be done by + use of the <literal>matchCertificateAttribute</literal> + option. Currently one can only do some matching of CN and + SubjectAltName. For regexp matching on CN, one can use the value + <literal>CN:/regexp/</literal>. For SubjectAltName one can only + do regexp matching of the URI, this is specified as + <literal>SubjectAltName:URI:/regexp/</literal>. Note that + currently this option can only be specified once in a client + block. + </para> + <para> + The <literal>duplicateInterval</literal> option can be used to + specify for how many seconds duplicate checking should be + done. If a proxy receives a new request within a few seconds of + a previous one, it may be treated the same if from the same + client, with the same authenticator etc. The proxy will then + ignore the new request (if it is still processing the previous + one), or returned a copy of the previous reply. + </para> + <para> + The <literal>addTTL</literal> option is similar to the + <literal>addTTL</literal> option used in the basic config. See + that for details. Any value configured here overrides the basic + one when sending messages to this client. + </para> + <para> + The <literal>rewrite</literal> option is deprecated. Use + <literal>rewriteIn</literal> instead. + </para> + <para> + The <literal>rewriteIn</literal> option can be used to refer to + a rewrite block that specifies certain rewrite operations that + should be performed on incoming messages from the client. The + rewriting is done before other processing. For details, see the + rewrite block text below. Similarly to <literal>tls</literal> + discussed above, if this option is not used, there is a fallback + to using the <literal>rewrite</literal> block named + <literal>defaultClient</literal> if it exists; and if not, a + fallback to a block named <literal>default</literal>. + </para> + <para> + The <literal>rewriteOut</literal> option is used in the same way + as <literal>rewriteIn</literal>, except that it specifies + rewrite operations that should be performed on outgoing messages + to the client. The rewriting is done after other + processing. Also, there is no rewrite fallback if this option is + not used. + </para> + <para> + The <literal>rewriteAttribute</literal> option currently makes + it possible to specify that the User-Name attribute in a client + request shall be rewritten in the request sent by the proxy. The + User-Name attribute is written back to the original value if a + matching response is later sent back to the client. The value + must be on the form User-Name:/regexpmatch/replacement/. Example + usage: <blockquote> <para> -rewriteAttribute User-Name:/^(.*)@local$/\1@example.com/ + rewriteAttribute User-Name:/^(.*)@local$/\1@example.com/ </para> </blockquote> </para> @@ -437,295 +484,351 @@ rewriteAttribute User-Name:/^(.*)@local$/\1@example.com/ <refsect1> <title>Server Block</title> <para> -The server block is used to configure a server. That is, tell the proxy about a -server, and what parameters should be used when communicating with that server. -The name of the server block must (with one exception, see below) be either the -IP address (IPv4 or IPv6) of the server, or a domain name (FQDN). If a domain -name is specified, then this will be resolved immediately to all the addresses -associated with the name, and the proxy will not care about any possible DNS -changes that might occur later. Hence there is no dependency on DNS after -startup. If the domain name resolves to multiple addresses, then for UDP/DTLS -the first address is used. For TCP/TLS, the proxy will loop through the -addresses until it can connect to one of them. In the case of TLS/DTLS, the -name of the server must match the FQDN or IP address in the server certificate. - </para> - <para> -Alternatively one may use the <literal>host</literal> option inside a server -block. In that case, the value of the <literal>host</literal> option is used as -above, while the name of the block is only used as a descriptive name for the -administrator. Note that multiple host options may be used. This will then be -treated as multiple names/addresses for the same server. When initiating a TCP/TLS -connection, all addresses of all names may be attempted, but there is no failover -between the different host values. For failover one must use separate server -blocks. - </para> - <para> -Note that the name of the block, or values of host options may include a -port number (separated with a column). This port number will then override the -default port or a port option in the server block. Also note that literal IPv6 -addresses must be enclosed in brackets. - </para> - <para> -The allowed options in a server block are <literal>host</literal>, -<literal>port</literal>, <literal>type</literal>, <literal>secret</literal>, -<literal>tls</literal>, <literal>certificateNameCheck</literal>, -<literal>matchCertificateAttribute</literal>, <literal>addTTL</literal>, -<literal>rewrite</literal>, -<literal>rewriteIn</literal>, <literal>rewriteOut</literal>, -<literal>statusServer</literal>, <literal>retryCount</literal>, -<literal>retryInterval</literal>, <literal>dynamicLookupCommand</literal> -and <literal>loopPrevention</literal>. - </para> - <para> -We already discussed the <literal>host</literal> option. The -<literal>port</literal> option allows you to specify which port number the -server uses. The usage of <literal>type</literal>, <literal>secret</literal>, -<literal>tls</literal>, <literal>certificateNameCheck</literal>, -<literal>matchCertificateAttribute</literal>, <literal>addTTL</literal>, -<literal>rewrite</literal>, -<literal>rewriteIn</literal> and <literal>rewriteOut</literal> are just as -specified for the <literal>client block</literal> above, except that -<literal>defaultServer</literal> (and not <literal>defaultClient</literal>) -is the fallback for the <literal>tls</literal>, <literal>rewrite</literal> -and <literal>rewriteIn</literal> options. - </para> - <para> -<literal>statusServer</literal> can be specified to enable the use of -status-server messages for this server. The value must be either -<literal>on</literal> or <literal>off</literal>. The default when not -specified, is <literal>off</literal>. If statusserver is enabled, the proxy -will during idle periods send regular status-server messages to the server -to verify that it is alive. This should only be enabled if the server -supports it. - </para> - <para> -The options <literal>retryCount</literal> and -<literal>retryInterval</literal> can be used to specify how many times the -proxy should retry sending a request and how long it should wait between each -retry. The defaults are 2 retries and an interval of 5s. - </para> - <para> -The option <literal>dynamicLookupCommand</literal> can be used to specify a -command that should be executed to dynamically configure and use a server. -The use of this feature will be documented separately/later. - </para> - <para> -Using the <literal>loopPrevention</literal> option here overrides any -basic setting of this option. See section <literal>BASIC -OPTIONS</literal> for details on this option. + The server block is used to configure a server. That is, tell + the proxy about a server, and what parameters should be used + when communicating with that server. The name of the server + block must (with one exception, see below) be either the IP + address (IPv4 or IPv6) of the server, or a domain name + (FQDN). If a domain name is specified, then this will be + resolved immediately to all the addresses associated with the + name, and the proxy will not care about any possible DNS changes + that might occur later. Hence there is no dependency on DNS + after startup. If the domain name resolves to multiple + addresses, then for UDP/DTLS the first address is used. For + TCP/TLS, the proxy will loop through the addresses until it can + connect to one of them. In the case of TLS/DTLS, the name of the + server must match the FQDN or IP address in the server + certificate. + </para> + <para> + Alternatively one may use the <literal>host</literal> option + inside a server block. In that case, the value of the + <literal>host</literal> option is used as above, while the name + of the block is only used as a descriptive name for the + administrator. Note that multiple host options may be used. This + will then be treated as multiple names/addresses for the same + server. When initiating a TCP/TLS connection, all addresses of + all names may be attempted, but there is no failover between the + different host values. For failover one must use separate server + blocks. + </para> + <para> + Note that the name of the block, or values of host options may + include a port number (separated with a column). This port + number will then override the default port or a port option in + the server block. Also note that literal IPv6 addresses must be + enclosed in brackets. + </para> + <para> + The allowed options in a server block are + <literal>host</literal>, <literal>port</literal>, + <literal>type</literal>, <literal>secret</literal>, + <literal>tls</literal>, <literal>certificateNameCheck</literal>, + <literal>matchCertificateAttribute</literal>, + <literal>addTTL</literal>, <literal>rewrite</literal>, + <literal>rewriteIn</literal>, <literal>rewriteOut</literal>, + <literal>statusServer</literal>, <literal>retryCount</literal>, + <literal>retryInterval</literal>, + <literal>dynamicLookupCommand</literal> and + <literal>loopPrevention</literal>. + </para> + <para> + We already discussed the <literal>host</literal> option. The + <literal>port</literal> option allows you to specify which port + number the server uses. The usage of <literal>type</literal>, + <literal>secret</literal>, <literal>tls</literal>, + <literal>certificateNameCheck</literal>, + <literal>matchCertificateAttribute</literal>, + <literal>addTTL</literal>, <literal>rewrite</literal>, + <literal>rewriteIn</literal> and <literal>rewriteOut</literal> + are just as specified for the <literal>client block</literal> + above, except that <literal>defaultServer</literal> (and not + <literal>defaultClient</literal>) is the fallback for the + <literal>tls</literal>, <literal>rewrite</literal> and + <literal>rewriteIn</literal> options. + </para> + <para> + <literal>statusServer</literal> can be specified to enable the + use of status-server messages for this server. The value must be + either <literal>on</literal> or <literal>off</literal>. The + default when not specified, is <literal>off</literal>. If + statusserver is enabled, the proxy will during idle periods send + regular status-server messages to the server to verify that it + is alive. This should only be enabled if the server supports it. + </para> + <para> + The options <literal>retryCount</literal> and + <literal>retryInterval</literal> can be used to specify how many + times the proxy should retry sending a request and how long it + should wait between each retry. The defaults are 2 retries and + an interval of 5s. + </para> + <para> + The option <literal>dynamicLookupCommand</literal> can be used + to specify a command that should be executed to dynamically + configure and use a server. The use of this feature will be + documented separately/later. + </para> + <para> + Using the <literal>loopPrevention</literal> option here + overrides any basic setting of this option. See section + <literal>BASIC OPTIONS</literal> for details on this option. </para> </refsect1> <refsect1> <title>Realm Block</title> <para> -When the proxy receives an Access-Request it needs to figure out to which -server it should be forwarded. This is done by looking at the Username attribute -in the request, and matching that against the names of the defined realm blocks. -The proxy will match against the blocks in the order they are specified, using -the first match if any. If no realm matches, the proxy will simply ignore the -request. Each realm block specifies what the server should do when a match is -found. A realm block may contain none, one or multiple <literal>server</literal> -options, and similarly <literal>accountingServer</literal> options. There are -also <literal>replyMessage</literal> and <literal>accountingResponse</literal> -options. We will discuss these later. + When the proxy receives an Access-Request it needs to figure out + to which server it should be forwarded. This is done by looking + at the Username attribute in the request, and matching that + against the names of the defined realm blocks. The proxy will + match against the blocks in the order they are specified, using + the first match if any. If no realm matches, the proxy will + simply ignore the request. Each realm block specifies what the + server should do when a match is found. A realm block may + contain none, one or multiple <literal>server</literal> options, + and similarly <literal>accountingServer</literal> options. There + are also <literal>replyMessage</literal> and + <literal>accountingResponse</literal> options. We will discuss + these later. </para> <refsect2> <title>Realm block names and matching</title> <para> -In the general case the proxy will look for a <literal>@</literal> in the -username attribute, and try to do an exact case insensitive match between what -comes after the <literal>@</literal> and the name of the realm block. So if you -get a request with the attribute value <literal>anonymous@example.com</literal>, -the proxy will go through the realm names in the order they are specified, -looking for a realm block named <literal>example.com</literal>. + In the general case the proxy will look for a + <literal>@</literal> in the username attribute, and try to do + an exact case insensitive match between what comes after the + <literal>@</literal> and the name of the realm block. So if + you get a request with the attribute value + <literal>anonymous@example.com</literal>, the proxy will go + through the realm names in the order they are specified, + looking for a realm block named + <literal>example.com</literal>. </para> <para> -There are two exceptions to this, one is the realm name <literal>*</literal> -which means match everything. Hence if you have a realm block named -<literal>*</literal>, then it will always match. This should then be the last -realm block defined, since any blocks after this would never be checked. This -is useful for having a default. + There are two exceptions to this, one is the realm name + <literal>*</literal> which means match everything. Hence if + you have a realm block named <literal>*</literal>, then it + will always match. This should then be the last realm block + defined, since any blocks after this would never be + checked. This is useful for having a default. </para> <para> -The other exception is regular expression matching. If the realm name starts -with a <literal>/</literal>, the name is treated as an regular expression. A -case insensitive regexp match will then be done using this regexp on the value -of the entire Username attribute. Optionally you may also have a trailing -<literal>/</literal> after the regexp. So as an example, if you want to use -regexp matching the domain <literal>example.com</literal> you could have a -realm block named <literal>/@example\\.com$</literal>. Optinally this can also -be written <literal>/@example\\.com$/</literal>. If you want to match all -domains under the <literal>.com</literal> top domain, you could do -<literal>/@.*\\.com$</literal>. Note that since the matching is done on the -entire attribute value, you can also use rules like -<literal>/^[a-k].*@example\\.com$/</literal> to get some of the users in this -domain to use one server, while other users could be matched by another realm -block and use another server. + The other exception is regular expression matching. If the + realm name starts with a <literal>/</literal>, the name is + treated as an regular expression. A case insensitive regexp + match will then be done using this regexp on the value of the + entire Username attribute. Optionally you may also have a + trailing <literal>/</literal> after the regexp. So as an + example, if you want to use regexp matching the domain + <literal>example.com</literal> you could have a realm block + named <literal>/@example\\.com$</literal>. Optinally this can + also be written <literal>/@example\\.com$/</literal>. If you + want to match all domains under the <literal>.com</literal> + top domain, you could do <literal>/@.*\\.com$</literal>. Note + that since the matching is done on the entire attribute value, + you can also use rules like + <literal>/^[a-k].*@example\\.com$/</literal> to get some of + the users in this domain to use one server, while other users + could be matched by another realm block and use another + server. </para> </refsect2> <refsect2> <title>Realm block options</title> <para> -A realm block may contain none, one or multiple <literal>server</literal> -options. If defined, the values of the <literal>server</literal> options must -be the names of previously defined server blocks. Normally requests will be -forwarded to the first server option defined. If there are multiple server -options, the proxy will do fail-over and use the second server if the first -is down. If the two first are down, it will try the third etc. If say the -first server comes back up, it will go back to using that one. Currently -detection of servers being up or down is based on the use of StatusServer (if -enabled), and that TCP/TLS/DTLS connections are up. + A realm block may contain none, one or multiple + <literal>server</literal> options. If defined, the values of + the <literal>server</literal> options must be the names of + previously defined server blocks. Normally requests will be + forwarded to the first server option defined. If there are + multiple server options, the proxy will do fail-over and use + the second server if the first is down. If the two first are + down, it will try the third etc. If say the first server comes + back up, it will go back to using that one. Currently + detection of servers being up or down is based on the use of + StatusServer (if enabled), and that TCP/TLS/DTLS connections + are up. </para> <para> -A realm block may also contain none, one or multiple -<literal>accountingServer</literal> options. This is used exactly like the -<literal>server</literal> option, except that it is used for specifying where -to send matching accounting requests. The values must be the names of -previously defined server blocks. When multiple accounting servers are -defined, there is a failover mechanism similar to the one for the -<literal>server</literal> option. + A realm block may also contain none, one or multiple + <literal>accountingServer</literal> options. This is used + exactly like the <literal>server</literal> option, except that + it is used for specifying where to send matching accounting + requests. The values must be the names of previously defined + server blocks. When multiple accounting servers are defined, + there is a failover mechanism similar to the one for the + <literal>server</literal> option. </para> <para> -If there is no <literal>server</literal> option, the proxy will if -<literal>replyMessage</literal> is specified, reply back to the client with -an Access Reject message. The message contains a replyMessage attribute with -the value as specified by the <literal>replyMessage</literal> option. Note -that this is different from having no match since then the request is simply -ignored. You may wonder why this is useful. One example is if you handle say -all domains under say <literal>.bv</literal>. Then you may have several realm -blocks matching the domains that exists, while for other domains under -<literal>.bv</literal> you want to send a reject. At the same time you might -want to send all other requests to some default server. After the realms for -the subdomains, you would then have two realm definitions. One with the name -<literal>/@.*\\.bv$</literal> with no servers, followed by one with the name -<literal>*</literal> with the default server defined. This may also be useful -for blocking particular usernames. + If there is no <literal>server</literal> option, the proxy + will if <literal>replyMessage</literal> is specified, reply + back to the client with an Access Reject message. The message + contains a replyMessage attribute with the value as specified + by the <literal>replyMessage</literal> option. Note that this + is different from having no match since then the request is + simply ignored. You may wonder why this is useful. One example + is if you handle say all domains under say + <literal>.bv</literal>. Then you may have several realm blocks + matching the domains that exists, while for other domains + under <literal>.bv</literal> you want to send a reject. At the + same time you might want to send all other requests to some + default server. After the realms for the subdomains, you would + then have two realm definitions. One with the name + <literal>/@.*\\.bv$</literal> with no servers, followed by one + with the name <literal>*</literal> with the default server + defined. This may also be useful for blocking particular + usernames. </para> <para> -If there is no <literal>accountingServer</literal> option, the proxy will -normally do nothing, ignoring accounting requests. There is however an option -called <literal>accountingResponse</literal>. If this is set to -<literal>on</literal>, the proxy will log some of the accounting information -and send an Accounting-Response back. This is useful if you do not care much -about accounting, but want to stop clients from retransmitting accounting -requests. By default this option is set to <literal>off</literal>. + If there is no <literal>accountingServer</literal> option, the + proxy will normally do nothing, ignoring accounting + requests. There is however an option called + <literal>accountingResponse</literal>. If this is set to + <literal>on</literal>, the proxy will log some of the + accounting information and send an Accounting-Response + back. This is useful if you do not care much about accounting, + but want to stop clients from retransmitting accounting + requests. By default this option is set to + <literal>off</literal>. </para> </refsect2> </refsect1> <refsect1> <title>TLS Block</title> <para> -The TLS block specifies TLS configuration options and you need at least one -of these if you have clients or servers using TLS/DTLS. As discussed in the -client and server block descriptions, a client or server block may reference -a particular TLS block by name. There are also however the special TLS block -names <literal>default</literal>, <literal>defaultClient</literal> and -<literal>defaultServer</literal> which are used as defaults if the client or -server block does not reference a TLS block. Also note that a TLS block must -be defined before the client or server block that would use it. If you want -the same TLS configuration for all TLS/DTLS clients and servers, you need -just a single tls block named <literal>default</literal>, and the client and -servers need not refer to it. If you want all TLS/DTLS clients to use one -config, and all TLS/DTLS servers to use another, then you would be fine only -defining two TLS blocks named <literal>defaultClient</literal> and -<literal>defaultServer</literal>. If you want different clients (or different -servers) to have different TLS parameters, then you may need to create other -TLS blocks with other names, and reference those from the client or server -definitions. Note that you could also have say a client block refer to a -default, even <literal>defaultServer</literal> if you really want to. - </para> - <para> -The available TLS block options are <literal>CACertificateFile</literal>, -<literal>CACertificatePath</literal>, <literal>certificateFile</literal>, -<literal>certificateKeyFile</literal>, -<literal>certificateKeyPassword</literal>, <literal>cacheExpiry</literal>, -<literal>CRLCheck</literal> and <literal>policyOID</literal>. -When doing RADIUS over TLS/DTLS, both the -client and the server present certificates, and they are both verified by -the peer. Hence you must always specify <literal>certificateFile</literal> -and <literal>certificateKeyFile</literal> options, as well as -<literal>certificateKeyPassword</literal> if a password is needed to decrypt -the private key. Note that <literal>CACertificateFile</literal> may be a -certificate chain. In order to verify certificates, or send a chain of -certificates to a peer, you also always need to specify -<literal>CACertificateFile</literal> or <literal>CACertificatePath</literal>. -Note that you may specify both, in which case the certificates in -<literal>CACertificateFile</literal> are checked first. By default CRLs are -not checked. This can be changed by setting <literal>CRLCheck</literal> to -<literal>on</literal>. One can require peer certificates to adhere to certain -policies by specifying one or multiple policyOIDs using one or multiple -<literal>policyOID</literal> options. - </para> - <para> -CA certificates and CRLs are normally cached permanently. That is, once a CA -or CRL has been read, the proxy will never attempt to re-read it. CRLs may -change relatively often and the proxy should ideally always use the latest -CRLs. Rather than restarting the proxy, there is an option -<literal>cacheExpiry</literal> that specifies how many seconds the CA and -CRL information should be cached. Reasonable values might be say 3600 -(1 hour) or 86400 (24 hours), depending on how frequently CRLs are updated -and how critical it is to be up to date. This option may be set to zero to -disable caching. + The TLS block specifies TLS configuration options and you need + at least one of these if you have clients or servers using + TLS/DTLS. As discussed in the client and server block + descriptions, a client or server block may reference a + particular TLS block by name. There are also however the special + TLS block names <literal>default</literal>, + <literal>defaultClient</literal> and + <literal>defaultServer</literal> which are used as defaults if + the client or server block does not reference a TLS block. Also + note that a TLS block must be defined before the client or + server block that would use it. If you want the same TLS + configuration for all TLS/DTLS clients and servers, you need + just a single tls block named <literal>default</literal>, and + the client and servers need not refer to it. If you want all + TLS/DTLS clients to use one config, and all TLS/DTLS servers to + use another, then you would be fine only defining two TLS blocks + named <literal>defaultClient</literal> and + <literal>defaultServer</literal>. If you want different clients + (or different servers) to have different TLS parameters, then + you may need to create other TLS blocks with other names, and + reference those from the client or server definitions. Note that + you could also have say a client block refer to a default, even + <literal>defaultServer</literal> if you really want to. + </para> + <para> + The available TLS block options are + <literal>CACertificateFile</literal>, + <literal>CACertificatePath</literal>, + <literal>certificateFile</literal>, + <literal>certificateKeyFile</literal>, + <literal>certificateKeyPassword</literal>, + <literal>cacheExpiry</literal>, <literal>CRLCheck</literal> and + <literal>policyOID</literal>. When doing RADIUS over TLS/DTLS, + both the client and the server present certificates, and they + are both verified by the peer. Hence you must always specify + <literal>certificateFile</literal> and + <literal>certificateKeyFile</literal> options, as well as + <literal>certificateKeyPassword</literal> if a password is + needed to decrypt the private key. Note that + <literal>CACertificateFile</literal> may be a certificate + chain. In order to verify certificates, or send a chain of + certificates to a peer, you also always need to specify + <literal>CACertificateFile</literal> or + <literal>CACertificatePath</literal>. Note that you may specify + both, in which case the certificates in + <literal>CACertificateFile</literal> are checked first. By + default CRLs are not checked. This can be changed by setting + <literal>CRLCheck</literal> to <literal>on</literal>. One can + require peer certificates to adhere to certain policies by + specifying one or multiple policyOIDs using one or multiple + <literal>policyOID</literal> options. + </para> + <para> + CA certificates and CRLs are normally cached permanently. That + is, once a CA or CRL has been read, the proxy will never attempt + to re-read it. CRLs may change relatively often and the proxy + should ideally always use the latest CRLs. Rather than + restarting the proxy, there is an option + <literal>cacheExpiry</literal> that specifies how many seconds + the CA and CRL information should be cached. Reasonable values + might be say 3600 (1 hour) or 86400 (24 hours), depending on how + frequently CRLs are updated and how critical it is to be up to + date. This option may be set to zero to disable caching. </para> </refsect1> <refsect1> <title>Rewrite Block</title> <para> -The rewrite block specifies rules that may rewrite RADIUS messages. It can be -used to add, remove and modify specific attributes from messages received -from and sent to clients and servers. As discussed in the client and server -block descriptions, a client or server block may reference a particular -rewrite block by name. There are however also the special rewrite block names -<literal>default</literal>, <literal>defaultClient</literal> and -<literal>defaultServer</literal> which are used as defaults if the client or -server block does not reference a block. Also note that a rewrite block must -be defined before the client or server block that would use it. If you want -the same rewrite rules for input from all clients and servers, you need just -a single rewrite block named <literal>default</literal>, and the client and -servers need not refer to it. If you want all clients to use one config, and -all servers to use another, then you would be fine only defining two rewrite -blocks named <literal>defaultClient</literal> and -<literal>defaultServer</literal>. Note that these defaults are only used for -rewrite on input. No rewriting is done on output unless explicitly specifed -using the <literal>rewriteOut</literal> option. - </para> - <para> -The available rewrite block options -are <literal>addAttribute</literal>, <literal>addVendorAttribute</literal>, -<literal>removeAttribute</literal>, <literal>removeVendorAttribute</literal> -and <literal>modifyAttribute</literal>. They can all be specified none, one -or multiple times. - </para> - <para> -<literal>addAttribute</literal> is used to add attributes to a -message. The option value must be on the -form <literal>attribute:value</literal> where attribute is a numerical -value specifying the attribute. Simliarly, -the <literal>addVendorAttribute</literal> is used to specify a vendor -attribute to be added. The option value must be on the -form <literal>vendor:subattribute:value</literal>, where vendor and -subattribute are numerical values. - </para> - <para> -The <literal>removeAttribute</literal> option is used to specify an -attribute that should be removed from received messages. The option value -must be a numerical value specifying which attribute is to be removed. -Similarly, <literal>removeVendorAttribute</literal> is used to specify a -vendor attribute that is to be removed. The value can be a numerical value -for removing all attributes from a given vendor, or on the form -<literal>vendor:subattribute</literal>, where vendor and subattribute are -numerical values, for removing a specific subattribute for a specific -vendor. - </para> - <para> -<literal>modifyAttribute</literal> is used to specify modification of -attributes. The value must be on the form -<literal>attribute:/regexpmatch/replacement/</literal> where attribute is -a numerical attribute type, regexpmatch is regexp matching rule and -replacement specifies how to replace the matching regexp. Example usage: + The rewrite block specifies rules that may rewrite RADIUS + messages. It can be used to add, remove and modify specific + attributes from messages received from and sent to clients and + servers. As discussed in the client and server block + descriptions, a client or server block may reference a + particular rewrite block by name. There are however also the + special rewrite block names <literal>default</literal>, + <literal>defaultClient</literal> and + <literal>defaultServer</literal> which are used as defaults if + the client or server block does not reference a block. Also note + that a rewrite block must be defined before the client or server + block that would use it. If you want the same rewrite rules for + input from all clients and servers, you need just a single + rewrite block named <literal>default</literal>, and the client + and servers need not refer to it. If you want all clients to use + one config, and all servers to use another, then you would be + fine only defining two rewrite blocks named + <literal>defaultClient</literal> and + <literal>defaultServer</literal>. Note that these defaults are + only used for rewrite on input. No rewriting is done on output + unless explicitly specifed using the + <literal>rewriteOut</literal> option. + </para> + <para> + The available rewrite block options are + <literal>addAttribute</literal>, + <literal>addVendorAttribute</literal>, + <literal>removeAttribute</literal>, + <literal>removeVendorAttribute</literal> and + <literal>modifyAttribute</literal>. They can all be specified + none, one or multiple times. + </para> + <para> + <literal>addAttribute</literal> is used to add attributes to a + message. The option value must be on the form + <literal>attribute:value</literal> where attribute is a + numerical value specifying the attribute. Simliarly, the + <literal>addVendorAttribute</literal> is used to specify a + vendor attribute to be added. The option value must be on the + form <literal>vendor:subattribute:value</literal>, where vendor + and subattribute are numerical values. + </para> + <para> + The <literal>removeAttribute</literal> option is used to specify + an attribute that should be removed from received messages. The + option value must be a numerical value specifying which + attribute is to be removed. Similarly, + <literal>removeVendorAttribute</literal> is used to specify a + vendor attribute that is to be removed. The value can be a + numerical value for removing all attributes from a given vendor, + or on the form <literal>vendor:subattribute</literal>, where + vendor and subattribute are numerical values, for removing a + specific subattribute for a specific vendor. + </para> + <para> + <literal>modifyAttribute</literal> is used to specify + modification of attributes. The value must be on the form + <literal>attribute:/regexpmatch/replacement/</literal> where + attribute is a numerical attribute type, regexpmatch is regexp + matching rule and replacement specifies how to replace the + matching regexp. Example usage: <blockquote> <para> -modifyAttribute 1:/^(.*)@local$/\1@example.com/ + modifyAttribute 1:/^(.*)@local$/\1@example.com/ </para> </blockquote> </para> @@ -734,8 +837,7 @@ modifyAttribute 1:/^(.*)@local$/\1@example.com/ <title>See Also</title> <para> <citerefentry> - <refentrytitle>radsecproxy</refentrytitle> - <manvolnum>1</manvolnum> + <refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum> </citerefentry>, <ulink url="http://tools.ietf.org/html/draft-ietf-radext-radsec"> <citetitle>RadSec internet draft</citetitle> |