diff --git a/tests/docker-ocserv/Dockerfile-debian-radius b/tests/docker-ocserv/Dockerfile-debian-radius
index 62160022..47aa35a5 100644
--- a/tests/docker-ocserv/Dockerfile-debian-radius
+++ b/tests/docker-ocserv/Dockerfile-debian-radius
@@ -16,13 +16,14 @@ RUN echo 'admin:admin' |chpasswd
 RUN mkdir /etc/ocserv
+ADD ca.pem /etc/ocserv/
 ADD key.pem /etc/ocserv/
 ADD cert.pem /etc/ocserv/
 ADD cert.pem /etc/ocserv/
 ADD ocserv-radius.conf /etc/ocserv/ocserv.conf
-ADD radiusclient.conf /etc/radiusclient/
+ADD radiusclient-debian.conf /etc/radiusclient/radiusclient.conf
 ADD radius-clients.conf /etc/freeradius/clients.conf
-ADD radiusclient-servers /etc/freeradius/servers
+ADD radiusclient-servers /etc/radiusclient/servers
 ADD ocserv /usr/sbin/
 ADD ocpasswd /usr/bin/
 ADD occtl /usr/bin/
diff --git a/tests/docker-ocserv/Dockerfile-debian-radius-config b/tests/docker-ocserv/Dockerfile-debian-radius-config
index fb48d3c3..fa3ed8f3 100644
--- a/tests/docker-ocserv/Dockerfile-debian-radius-config
+++ b/tests/docker-ocserv/Dockerfile-debian-radius-config
@@ -1,6 +1,6 @@
 FROM debian:testing
-RUN apt-get update
+RUN apt-get update -y
 RUN apt-get install -y libgnutls-deb0-28 liboath0 libprotobuf-c1 libev4
 RUN apt-get install -y libwrap0 libpam0g libseccomp2 libdbus-1-3 libreadline5 libnl-route-3-200
 RUN apt-get install -y libhttp-parser2.1 libpcl1 libopts25
@@ -16,13 +16,14 @@ RUN echo 'admin:admin' |chpasswd
 RUN mkdir /etc/ocserv
+ADD ca.pem /etc/ocserv/
 ADD key.pem /etc/ocserv/
 ADD cert.pem /etc/ocserv/
 ADD cert.pem /etc/ocserv/
 ADD ocserv-radius-config.conf /etc/ocserv/ocserv.conf
-ADD radiusclient.conf /etc/radiusclient/
+ADD radiusclient-debian.conf /etc/radiusclient/radiusclient.conf
 ADD radius-clients.conf /etc/freeradius/clients.conf
-ADD radiusclient-servers /etc/freeradius/servers
+ADD radiusclient-servers /etc/radiusclient/servers
 ADD ocserv /usr/sbin/
 ADD ocpasswd /usr/bin/
 ADD occtl /usr/bin/
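Review bot: `ADD radiusclient-servers /etc/radiusclient/servers` copies the file that, per the new radiusclient-debian.conf in this same change, holds the RADIUS shared secrets, and ADD keeps the mode bits of the build-context file, so the secret (and `key.pem` added just above it) is most likely world-readable inside the image; a `RUN chmod 0600 /etc/radiusclient/servers /etc/ocserv/key.pem` after the ADD lines closes that. For plain local files `COPY` is the idiomatic instruction, since ADD additionally unpacks archives and fetches URLs. The same hunk, with the same point, appears at `@@ -16,13 +16,14 @@` of Dockerfile-debian-radius-config. The duplicated `ADD cert.pem /etc/ocserv/` context line is pre-existing but could be dropped while this block is being touched.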
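Review bot: `-y` on `apt-get update` has no practical effect, since update asks no questions; the flag only matters for the `install` lines, which already carry it. The more concrete issue with this line is that `apt-get update` remains a layer of its own, so Docker's build cache can replay a stale package index under the later `RUN apt-get install -y ...` lines, which then fail on vanished package versions; chaining them as `RUN apt-get update && apt-get install -y libgnutls-deb0-28 liboath0 libprotobuf-c1 libev4` (and folding the next two install lines into the same RUN) avoids that. If a prompt was the motivation for `-y`, `DEBIAN_FRONTEND=noninteractive` on the install line is the knob that suppresses it.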
diff --git a/tests/docker-ocserv/Makefile.am b/tests/docker-ocserv/Makefile.am
index 41de8bed..32758d1d 100644
--- a/tests/docker-ocserv/Makefile.am
+++ b/tests/docker-ocserv/Makefile.am
@@ -8,7 +8,7 @@ EXTRA_DIST = passwd ocserv.conf Dockerfile-debian-tcp dev-tun.tgz myscript key.p
 haproxy-proxyproto-unix.cfg Dockerfile-fedora-proxyproto-unix ocserv-proxyproto-unix.conf \
 proxy-connectscript ocserv-pam-noauth.conf Dockerfile-fedora-pam-noauth \
 pam-acct-ocserv Dockerfile-fedora-otp ocserv-otp.conf users2.oath Dockerfile-fedora-reload \
- ocserv-reload.conf Dockerfile-fedora-fw-neg ocserv-fw-neg.conf
+ ocserv-reload.conf Dockerfile-fedora-fw-neg ocserv-fw-neg.conf radiusclient-debian.conf
 TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
 top_builddir="$(top_builddir)"
diff --git a/tests/docker-ocserv/radiusclient-debian.conf b/tests/docker-ocserv/radiusclient-debian.conf
new file mode 100644
index 00000000..d2c1f4af
--- /dev/null
+++ b/tests/docker-ocserv/radiusclient-debian.conf
@@ -0,0 +1,92 @@
+# General settings
+
+# specify which authentication comes first respectively which
+# authentication is used. possible values are: "radius" and "local".
+# if you specify "radius,local" then the RADIUS server is asked
+# first then the local one. if only one keyword is specified only
+# this server is asked.
+auth_order radius,local
+
+# maximum login tries a user has
+login_tries 4
+
+# timeout for all login tries
+# if this time is exceeded the user is kicked out
+login_timeout 60
+
+# name of the nologin file which when it exists disables logins.
+# it may be extended by the ttyname which will result in
+# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
+# logins on /dev/ttyS2)
+nologin /etc/nologin
+
+# name of the issue file. it's only display when no username is passed
+# on the radlogin command line
+issue /etc/radiusclient/issue
+
+# RADIUS settings
+
+# RADIUS server to use for authentication requests. this config
+# item can appear more then one time. if multiple servers are
+# defined they are tried in a round robin fashion if one
+# server is not answering.
+# optionally you can specify a the port number on which is remote
+# RADIUS listens separated by a colon from the hostname. if
+# no port is specified /etc/services is consulted of the radius
+# service. if this fails also a compiled in default is used.
+authserver localhost
+
+# RADIUS server to use for accouting requests. All that I
+# said for authserver applies, too.
+#
+acctserver localhost
+
+# file holding shared secrets used for the communication
+# between the RADIUS client and server
+servers /etc/radiusclient/servers
+
+# dictionary of allowed attributes and values
+# just like in the normal RADIUS distributions
+dictionary /usr/share/radcli/dictionary
+
+# program to call for a RADIUS authenticated login
+login_radius /usr/sbin/login.radius
+
+# file which holds sequence number for communication with the
+# RADIUS server
+seqfile /var/run/radius.seq
+
+# file which specifies mapping between ttyname and NAS-Port attribute
+mapfile /etc/radiusclient/port-id-map
+
+# default authentication realm to append to all usernames if no
+# realm was explicitly specified by the user
+# the radiusd directly form Livingston doesnt use any realms, so leave
+# it blank then
+default_realm
+
+# time to wait for a reply from the RADIUS server
+radius_timeout 10
+
+# resend request this many times before trying the next server
+radius_retries 3
+
+# The length of time in seconds that we skip a nonresponsive RADIUS
+# server for transaction requests. Server(s) being in the "dead" state
+# are tried only after all other non-dead servers have been tried and
+# failed or timeouted. The deadtime interval starts when the server
+# does not respond to an authentication/accounting request transmissions.
+# When the interval expires, the "dead" server would be re-tried again,
+# and if it's still down then it will be considered "dead" for another
+# such interval and so on. This option is no-op if there is only one
+# server in the list. Set to 0 in order to disable the feature.
+radius_deadtime 0
+
+# local address from which radius packets have to be sent
+bindaddr *
+
+# LOCAL settings
+
+# program to execute for local login
+# it must support the -f flag for preauthenticated login
+login_local /bin/login
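Review bot: `authserver localhost` and `acctserver localhost` leave the port to /etc/services or the compiled-in default, as the file's own comment above them explains, so which UDP port the test client talks to depends on what the Debian image ships rather than on this file; pinning it with `authserver localhost:1812` and `acctserver localhost:1813` makes the test deterministic. `servers /etc/radiusclient/servers` names the file carrying the shared secret, so a short comment on that line saying the Dockerfiles must keep its mode restricted would record the dependency where the next reader looks. Several entries (`nologin`, `issue`, `login_radius`, `mapfile`, `login_local`) refer to paths that no Dockerfile in this change adds; if they are radlogin-only boilerplate that ocserv never reads, a one-line comment saying so at the top of the file would save the next reader from checking.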