added documentation and configuration example for FreeRadius;
This commit is contained in:
105
privacyidea.freeradiusmodule
Normal file
105
privacyidea.freeradiusmodule
Normal file
@@ -0,0 +1,105 @@
|
||||
#
|
||||
# Sample FreeRadius rlm_exec wrapper configuration to perform OTP authentication
|
||||
# against privacyidea without rtl_perl module (unavailable on OS X 10.9 Server)
|
||||
#
|
||||
# Version 1.0, latest version, documentation and bugtracker available at:
|
||||
# https://gitlab.lindenaar.net/scripts/privacyidea-checkotp
|
||||
#
|
||||
# Copyleft (c) 2015 by Frederik Lindenaar
|
||||
#
|
||||
|
||||
#
|
||||
# Return value of the program run determines the result of the exec instance
|
||||
# call (See doc/configurable_failover for details) as follows:
|
||||
#
|
||||
# < 0 : fail the module failed
|
||||
# = 0 : ok the module succeeded
|
||||
# = 1 : reject the module rejected the user
|
||||
# = 2 : fail the module failed
|
||||
# = 3 : ok the module succeeded
|
||||
# = 4 : handled the module has done everything to handle the request
|
||||
# = 5 : invalid the user's configuration entry was invalid
|
||||
# = 6 : userlock the user was locked out
|
||||
# = 7 : notfound the user was not found
|
||||
# = 8 : noop the module did nothing
|
||||
# = 9 : updated the module updated information in the request
|
||||
# > 9 : fail the module failed
|
||||
#
|
||||
|
||||
exec privacyidea {
|
||||
#
|
||||
# Wait for the program to finish.
|
||||
#
|
||||
# If we do NOT wait, then the program is "fire and
|
||||
# forget", and any output attributes from it are ignored.
|
||||
#
|
||||
# If we are looking for the program to output
|
||||
# attributes, and want to add those attributes to the
|
||||
# request, then we MUST wait for the program to
|
||||
# finish, and therefore set 'wait=yes'
|
||||
#
|
||||
# allowed values: {no, yes}
|
||||
wait = yes
|
||||
|
||||
#
|
||||
# The name of the program to execute, and it's
|
||||
# arguments. Dynamic translation is done on this
|
||||
# field, so things like the following example will
|
||||
# work.
|
||||
#
|
||||
program = "[WRAPPERSCRIPT_PATH]/privacyidea-checkotp [PRIVACYIDEA_URL]"
|
||||
|
||||
#
|
||||
# The attributes which are placed into the
|
||||
# environment variables for the program.
|
||||
#
|
||||
# Allowed values are:
|
||||
#
|
||||
# request attributes from the request
|
||||
# config attributes from the configuration items list
|
||||
# reply attributes from the reply
|
||||
# proxy-request attributes from the proxy request
|
||||
# proxy-reply attributes from the proxy reply
|
||||
#
|
||||
# Note that some attributes may not exist at some
|
||||
# stages. e.g. There may be no proxy-reply
|
||||
# attributes if this module is used in the
|
||||
# 'authorize' section.
|
||||
#
|
||||
input_pairs = request
|
||||
|
||||
#
|
||||
# Where to place the output attributes (if any) from
|
||||
# the executed program. The values allowed, and the
|
||||
# restrictions as to availability, are the same as
|
||||
# for the input_pairs.
|
||||
#
|
||||
output_pairs =
|
||||
|
||||
#
|
||||
# When to execute the program. If the packet
|
||||
# type does NOT match what's listed here, then
|
||||
# the module does NOT execute the program.
|
||||
#
|
||||
# For a list of allowed packet types, see
|
||||
# the 'dictionary' file, and look for VALUEs
|
||||
# of the Packet-Type attribute.
|
||||
#
|
||||
# By default, the module executes on ANY packet.
|
||||
# Un-comment out the following line to tell the
|
||||
# module to execute only if an Access-Accept is
|
||||
# being sent to the NAS.
|
||||
#
|
||||
packet_type = Access-Request
|
||||
|
||||
#
|
||||
# Should we escape the environment variables?
|
||||
#
|
||||
# If this is set, all the RADIUS attributes
|
||||
# are capitalised and dashes replaced with
|
||||
# underscores. Also, RADIUS values are surrounded
|
||||
# with double-quotes.
|
||||
#
|
||||
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
|
||||
shell_escape = yes
|
||||
}
|
||||
Reference in New Issue
Block a user