The following directives do not change with server reload.
#
User authentication method. To require multiple methods to be
used for the user to login, add multiple auth directives. The values
in the 'auth' directive are AND composed (if multiple all must
succeed).
Available options: certificate, plain, pam, radius, gssapi.
Note that authentication methods utilizing passwords cannot be
combined (e.g., the plain, pam or radius methods).
#
certificate:
This indicates that all connecting users must present a certificate.
The username and user group are then extracted from it (see
cert-user-oid and cert-group-oid). For the certificate to be accepted,
it must be signed by the CA certificate specified in 'ca-cert' and
it must not be listed in the CRL specified by the 'crl' option.
#
pam[gid-min=1000]:
This enables PAM authentication of the user. The gid-min option is used
by the auto-select-group option to select the minimum valid group ID.
#
plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
The plain option requires specifying a password file which contains
entries of the following format:
"username:groupname1,groupname2:encoded-password"
One entry must be listed per line, and 'ocpasswd' should be used
to generate password entries. The 'otp' suboption allows specifying
an OATH password file to be used for one-time passwords; the format of
the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
#
radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]:
The radius option requires specifying a freeradius-client configuration
file. If the groupconfig option is set, then config-per-user is overridden
and all configuration is read from radius. If 'override-interim-updates' is set to
true, Acct-Interim-Interval from the server is ignored and 'stats-report-time' is used instead.
#
gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
The gssapi option allows using authentication methods supported by GSSAPI,
such as Kerberos tickets, with ocserv. It is best used as an alternative
to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
tickets and without tickets to login. The default value for require-local-user-map
is true. If 'tgt-freshness-time' is set, the TGT tickets presented must have
been issued within the given number of seconds. That option restricts
logins even if the KDC issues long-lived TGT tickets.
#auth = "pam"
#auth = "pam[gid-min=1000]"
#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
#auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
#auth = "radius[config=/etc/radiusclient-ng/radiusclient.conf,groupconfig=true]"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
Specify alternative authentication methods that are sufficient
for authentication. That is, if set, any of the methods enabled
is sufficient for login, irrespective of the main 'auth' entries.
When multiple options are present, they are OR composed (any of them
succeeding allows login).
enable-auth = "certificate"
#enable-auth = "gssapi"
#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
Accounting methods available:
radius: can be combined with any authentication method; it provides
radius accounting for connected users (see also stats-report-time).
#
pam: can be combined with any authentication method, it provides
a validation of the connecting user's name using PAM. It is
superfluous to use this method when authentication is already
PAM.
#
Only one accounting method can be specified.
#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
#acct = "radius[config=/etc/radiusclient-ng/radiusclient.conf]"
Use listen-host to limit to specific IPs or to the IPs of a provided
hostname.
#listen-host = [IP|HOSTNAME]
When the server has a dynamic DNS address (that may change),
set this to true to ask the client to resolve the name again on
reconnects.
#listen-host-is-dyndns = true
TCP and UDP port number
tcp-port = 4433
udp-port = 4433
Accept connections using a socket file. It accepts HTTP
connections (i.e., without SSL/TLS, unlike its TCP counterpart)
and uses it as the primary channel. This option cannot be
combined with certificate authentication.
#listen-clear-file = /var/run/ocserv-conn.socket
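The composition rules stated in the comments above (password methods cannot be combined in the AND-composed 'auth', only one 'acct', and 'listen-clear-file' is incompatible with certificate authentication) are easy to violate when editing by hand. The following lint is an added example, not part of ocserv or of this configuration file; it parses the `method[opt=val,...]` syntax used by the auth, enable-auth and acct directives and reports violations of those rules on a constructed sample.

```python
import re

# Methods that take a password from the user; the configuration comments
# say these cannot be combined within the AND-composed 'auth' directive.
PASSWORD_METHODS = {"plain", "pam", "radius"}
METHOD_RE = re.compile(r'^(?P<name>[a-z]+)(?:\[(?P<opts>[^\]]*)\])?$')


def parse_method(value):
    """Split 'radius[config=/x,groupconfig=true]' into ('radius', {opts})."""
    m = METHOD_RE.match(value.strip().strip('"'))
    if not m:
        raise ValueError("bad method syntax: %r" % value)
    opts = {}
    for kv in filter(None, (m.group("opts") or "").split(",")):
        k, _, v = kv.partition("=")
        opts[k.strip()] = v.strip()
    return m.group("name"), opts


def parse_config(text):
    """Collect active (uncommented) 'key = value' lines; repeated keys keep a list."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        conf.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return conf


def check_auth(text):
    """Return a list of findings for the rules stated in the ocserv comments."""
    conf = parse_config(text)
    findings = []
    auth = [parse_method(v) for v in conf.get("auth", [])]
    enable = [parse_method(v) for v in conf.get("enable-auth", [])]
    pw = [name for name, _ in auth if name in PASSWORD_METHODS]
    if len(pw) > 1:
        findings.append("password methods cannot be combined in auth: %s" % ", ".join(pw))
    if any(name == "certificate" for name, _ in auth + enable) and "listen-clear-file" in conf:
        findings.append("listen-clear-file cannot be combined with certificate authentication")
    if len(conf.get("acct", [])) > 1:
        findings.append("only one accounting method can be specified")
    return findings


# Constructed sample: this file's active directives plus two conflicting additions.
SAMPLE = '''#auth = "pam"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
auth = "pam[gid-min=1000]"
enable-auth = "certificate"
listen-clear-file = /var/run/ocserv-conn.socket
'''
```

Running `check_auth(SAMPLE)` yields two findings: plain and pam combined in auth, and listen-clear-file alongside certificate authentication.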
The user the worker processes will be run as. It should be
unique (no other services run as this user).
run-as-user = ocserv
run-as-group = ocserv
socket file used for IPC with occtl. You only need to set this
if you run more than a single server.
#occtl-socket-file = /var/run/occtl.socket
socket file used for server IPC (worker-main); .PID will be appended to it.
It must be accessible within the chroot environment (if any), so it is best
specified relative to the chroot directory.
socket-file = ocserv.sock
The default server directory. Does not require any devices present.
chroot-dir = /var/lib/ocser