Sophie

Sophie

distrib > Fedora > 14 > x86_64 > by-pkgid > f041150d7faea47577bb1bbdab1d0a00 > files > 5

nuauth-2.4.0-2.fc14.x86_64.rpm

##########################################
# Nuauth Configuration file
##########################################

# Nuauth
#############################################

# Addresses nuauth listen on for clients, long example:
#   "0.0.0.0:4129 127.0.0.1:8080 192.168.1.2 [::1] [2a01:e35:8a04::3538]:5000"
# will listen on:
#  * IPv4: 0.0.0.0 port 4129
#  * IPv4: 127.0.0.1 port 4129
#  * IPv4: 192.168.1.12 port 4129 (default port, nuauth_user_packet_port)
#  * IPv6: ::1 port 4129 (default port)
#  * IPv6: 2a01:e35:8a04::3538 port 5000
# Use 0.0.0.0 to bind to all IPv4 addresses, and [::] for all IPv6 addresses
#nuauth_client_listen_addr="0.0.0.0"

# address nuauth listens on for nufw packets
# It uses the same syntax as nuauth_client_listen_addr.
#nuauth_nufw_listen_addr="127.0.0.1"

# Absolute path to the unix domain socket for nufw servers
# If nuauth and nufw are installed on the same machine,
# a unix sock can be used between them.
# default: none
#nuauth_client_listen_socket="/tmp/nuauth_nufw.sock"

# Default port for nufw gw request
#nuauth_gw_packet_port=4128

# Default port for user authentification packet
#nuauth_user_packet_port=4129

# NuFW
############################################
# address of the nufw gw
# in UDP clear mode this is the address nuauth
# respond to authentication request
# In TLS mode transform this variable in a list
# containing all the ips used to connect to the
# nuauth server :
# nufw_gw_addr="192.168.75.1 192.168.75.254"
#
nufw_gw_addr="127.0.0.1"

############
# Is nufw using able to use libnetfilter_conntrack
# and able to kill a session
nufw_has_conntrack=1

############
# Is nufw using able to use libnetfilter_conntrack
# and has fixed timeout patch
nufw_has_fixed_timeout=1

##############################################################
# Module configuration :
#  syntax is the following
#   list of modules separated by space
#  syntax of a module :
#   name[:type[:config file]]
#  if syntax is :
#   name : load module "name" with config file included in nuauth.conf
#   name:type : load module "type" with config file CONFIG_DIR/modules/name.conf
#   name:type:conf : load module "type" with config file "conf"
##############################################################


## Authentication module for user :
# It is used if nuauth_uses_fake_sasl is set to 1
# to be choozen in :
# - plaintext  : user credentials are stored in a text file
# - system : authentication is done against PAM and groups are system groups. This provides
# a convenient way to use nss features and/or pam-modules

nuauth_user_check_module="plaintext"
# Set up following variables if you want to differenciate user id and
# group fetching from authentication:
#nuauth_get_user_id_module="plaintext"
#nuauth_get_user_groups_module="plaintext"


## Acl checking  module :
# to be choozen in :
# - ldap
# - plaintext

nuauth_acl_check_module="plaintext"

# Cache acl for more performance ?
nuauth_acl_cache=1

## Period handling module:
# to be choozen in:
# - xml_defs
# nuauth_periods_module="xml_defs"

##############################################
#Choose user logging method
##############################################
#You can log to MySQL, PostgreSQL, syslog or Prelude
#Therefore, acceptable values for this parameter are:
# : "mysql", "pgsql", "syslog", "nuprelude", "ulogd2"
nuauth_user_logs_module="syslog"

# define with nuauth_user_session_logs_module  which method you
# want to use for user connection and disconnection
# Available modules are :
#       syslog: log message with syslog
#       script: run a custom script at user connection  (CONFDIR/user-up.sh) and disconnection (CONFDIR/user-down.sh)
#       mysql: log users connection and disconnection in a sql table
#       nuprelude: log to Prelude IDS
# example : nuauth_user_session_logs_module="syslog mysql"
nuauth_user_session_logs_module="syslog"

# Module to log authentification errors
# Available modules: nuprelude, syslog
nuauth_auth_error_log_module="syslog"

############################################
# Other nuauth modules
############################################

# Module to modify an user session just after its creation
# Choose between : session_expire, session_authtype
nuauth_user_session_modify_module="session_expire"

# Module to finalize a packet before sending it back to nufw
# Available modules: mark_group, mark_uid, mark_field, mark_flag
nuauth_finalize_packet_module="mark_uid"

##############################################
# Comportemental items
##############################################

# Use command server?
# nuauth_use_command_server=0

# Debug level (0<=debug_level<=9)
nuauth_debug_level=0

# Debug area, binary and between
# DEBUG_AREA_MAIN = 1 Main domain
# DEBUG_AREA_PACKET = 2 Packet domain
# DEBUG_AREA_USER = 4 User domain
# DEBUG_AREA_GW = 8 Gateway domain
# DEBUG_AREA_AUTH = 16 Auth. domain
# DEBUG_AREA_PERF = 32 Performance display
# default : DEFAULT_DEBUG_AREA = 31
# nuauth_debug_areas=31

# What to do when several acls are found for a match :
#  - 0: Accept packet if an ACCEPT acl matches
#  - 1: Drop packet if there is a DROP acl matching
#  - 2: First decision match
# Default nuauth_prio_to_nok=2
nuauth_prio_to_nok=2

# client can work with two modes :
# POLL : client check each time interval if it need to send a packet (traffic economy for WAN)
# PUSH : nuauth warn client that they may need to send authentication packet (better response time on LAN)
nuauth_push_to_client=1

# If set to 0, it relaxes constraint of check of IP source address of
# authenticated packets. This can be useful to authenticate both IPv6 and IPv4
# packet in a simple client.
#nuauth_user_check_ip_equality=0

# Set to 1 to use user_check module
# Set to 0 to use sasl authentication
#
# Note: It is a good idea to set nuauth_log_users_without_realm
# to 1 it you set nuauth_uses_fake_sasl to 0.
# nuauth_uses_fake_sasl=1

# Number of connections a user can run
# 0 = unlimited (default)
nuauth_single_user_client_limit=0

# Number of connections per IP a user can run
# 0 = unlimited (default)
nuauth_single_ip_client_limit=0

# Reject (instead drop) when packet is reached
# 0: use drop (default)
# 1: reject (send icmp unreached message)
nuauth_reject_after_timeout=0

# Reject (instead drop) when user is not in any group of a ACCEPT acl
# 0: use drop (default)
# 1: reject (send icmp unreached message)
nuauth_reject_authenticated_drop=0

# DROP packet if logging phase has failed.
# The main use of this variable is to decide weither to drop
# or not packets when the number of packet in the logging queue
# gets too high.
# nuauth_drop_if_no_logging = 0

# Maximum number of packets that can remain on a logging queue.
# When a packet arrives when this number of packets is queued, it
# is not logged and get dropped if nuauth_drop_if_no_logging is 1.
# nuauth_max_unassigned_messages = 2000



# Do we use a fallback hello authentication mode for non NuFW supported
# protocols ?
# This brings authentication for all protocols based on IP
# by doing a posteriori IP based authentication.
# WARNING : Authentication is FAR less strict than nufw original protocol :
#  * It authenticates NATed computer (and every computers behind the same firewall)
#  * It is strictly MONO user
#  * But, it can authenticate all type of IP flows
nuauth_hello_authentication=0

# Do we use fallback mode when no client are found ?
# nuauth_push_to_client has to be set to 1 if you choose to enable it
nuauth_do_ip_authentication=0

## ip authentication module
# to be chozen in :
# ipauth_guest auth_mysql
#
nuauth_ip_authentication_module="ipauth_guest"

# set a user session duration after this duration is is necessary
# to reauthenticate:
# User is disconnected from the system after the duration. Disconnect
# occurs when a packet arrives.
#
# Please note that asking the password has to be done if needed on client
# side.
#
# Default is 0 which mean unlimited session
# example :
# nuauth_session_duration=3600

# maximum number of a simultaneously connected
# nufw authentication clients
# default : 1024
# nuauth_tls_max_clients=1024

# maximum number of simultaneously connected
# nufw servers
# (not implemented)
# default : 16
# nuauth_tls_max_servers=8


################################################
# Tuning parameters
################################################
include "nuauth.d/nuauth_tuning.conf"

################################################
# TLS parameters
##################################################
include "nuauth.d/nuauth_tls.conf"

############################################
# Kerberos 5 authentication
############################################
include "nuauth.d/nuauth_krb5.conf"

############################################
# Users tracking
#############################################

# decide if we're logging user activity
# log level is the sum of values :
# 0 : no log at all
# 1 : log new user (in syslog)
# 2 : log rejected packets
# 4 : log accepted packets
# 8 : do session tracking
# complete session tracking need special iptables
# rules, described in documentation

nuauth_log_users=9

#Controls whether the users logging is absolutely safe : access is logged before
#granted. This is probably necessary if SQL backend is used for SSO.
nuauth_log_users_sync=1

# update log entries to avoid accidental double connection
# DO NOT DISABLE IT BY CHANGING IT TO 0 if you want strict security
# WHEN USING SSO MODULES
nuauth_log_users_strict=1

# remove realm from username before logging
# this is the recommanded setting as it is easier
# to interact with other authorisation modules when SSO
# feature are used.
nuauth_log_users_without_realm=1

####################################################
# plaintext parameters
#####################################################
#plaintext_userfile="/etc/nufw/users.nufw"
#plaintext_aclfile="/etc/nufw/acls.nufw"

###################################################
# system parameters
###################################################
# add a lock to be able to deal with non thread
# safe pam modules. For more safety this is set to 1 by default
# NEEDED for winbind.
system_pam_module_not_threadsafe=1

# Some glibc (read 2.3.2) have a buggy implementation
# of getgrouplist which causes a crash. If this is the case
# set the following option to the maximum number of groups
# for a single user.
#system_glibc_cant_guess_maxgroups=0

# Suppress domain added as prefix during login phase
#system_suppress_prefixed_domain=0

###########################################
# Ldap external auth
###########################################

include "nuauth.d/nuauth_ldap.conf"

###############################################
# Database User Logging config
###############################################

include "nuauth.d/nuauth_mysql.conf"
include "nuauth.d/nuauth_pgsql.conf"

###########################
#
# X509 modules
######################

# For x509_std : nuauth_tls_trusted_issuer_dn
#This option is used to match issuer of a certificate against this string.
#It there is a match, then we trust the give certificate.
# nuauth_tls_trusted_issuer_dn=DN

###############################
# xml_defs module
##############################
# Place where periods have to be read
#xml_defs_periodfile="/etc/nufw/periods.xml"
#

#######################################
# marking modules
#######################################

include "nuauth.d/nuauth_mark.conf"

###########################################
# authtype module
###########################################
include "nuauth.d/nuauth_authtype.conf"

###########################################
# auth_mysql module
###########################################
# for ip authentication
# name of the table containing user sessions
# mysql_ipauth_table_name="ipauth_sessions"
# Is the mysql function check_net active in the MySQL database
# mysql_ipauth_check_netmask=1
#
# # for userid and groupid check
# mysql_userinfo_table_name="userinfo"
# mysql_groups_table_name="groups"
# mysql_groupinfo_table_name="groupinfo"
#
# fallback to guest's username, userID and groupID
# instead of dropping request.
# mysql_auth_fallback_to_guest=1
# mysql_auth_guest_username="guest"
# mysql_auth_guest_userid=0
# mysql_auth_guest_groupid=99

##############################################################
# ipauth_guest: ip authentication module
##############################################################
# Set the name of user that will be returned if there is no one
# connected at the source IP.
# ipauth_guest_username = "guest"

##############################################################
# ulogd2
##############################################################
# Logs (for packets) can be sent to ulogd2, using the UNIXSOCK
# module.

# absolute path to the unix socket created by ulogd2
# ulogd2_socket="/var/run/ulogd2.sock"

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional