From c8c9166fa1705c102c523e1fbd460e6015919e5e Mon Sep 17 00:00:00 2001 From: Daniel STAN Date: Mon, 23 Mar 2015 19:57:01 +0100 Subject: [PATCH] =?UTF-8?q?freeradius:=20auth=20g=C3=A9n=C3=A9rale=20sur?= =?UTF-8?q?=20radius=20et=20eap?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Bundler/freeradius.xml | 5 + Cfg/etc/freeradius/radiusd.conf/radiusd.conf | 7 +- .../radiusd.conf/radiusd.conf.G00_pea | 772 ------------------ 3 files changed, 10 insertions(+), 774 deletions(-) delete mode 100644 Cfg/etc/freeradius/radiusd.conf/radiusd.conf.G00_pea diff --git a/Bundler/freeradius.xml b/Bundler/freeradius.xml index 1162cd0..4261175 100644 --- a/Bundler/freeradius.xml +++ b/Bundler/freeradius.xml @@ -10,6 +10,11 @@ + + + + + diff --git a/Cfg/etc/freeradius/radiusd.conf/radiusd.conf b/Cfg/etc/freeradius/radiusd.conf/radiusd.conf index 2c0e270..c9ad25d 100644 --- a/Cfg/etc/freeradius/radiusd.conf/radiusd.conf +++ b/Cfg/etc/freeradius/radiusd.conf/radiusd.conf @@ -59,6 +59,7 @@ sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct +crans_conf = /usr/scripts/freeradius # Location of config and logfiles. confdir = ${raddbdir} @@ -505,7 +506,8 @@ proxy_requests = no # Anything listed in 'clients.conf' will take precedence over the # information from the old-style configuration files. # -$INCLUDE ${confdir}/clients.conf +#$INCLUDE ${confdir}/clients.conf +$INCLUDE ${crans_conf}/dynamic_clients.conf # SNMP CONFIGURATION @@ -634,7 +636,7 @@ modules { $INCLUDE ${confdir}/modules/realm $INCLUDE ${confdir}/modules/chap $INCLUDE ${confdir}/modules/acct_unique - $INCLUDE /usr/scripts/freeradius/rlm_python_wifi.conf + $INCLUDE ${crans_conf}/modules/ # Extensible Authentication Protocol # # For all EAP related authentications. @@ -767,3 +769,4 @@ $INCLUDE ${confdir}/policy.conf # See "sites-enabled/default" for some additional documentation. # $INCLUDE sites-enabled/ +$INCLUDE ${crans_conf}/sites-available/ diff --git a/Cfg/etc/freeradius/radiusd.conf/radiusd.conf.G00_pea b/Cfg/etc/freeradius/radiusd.conf/radiusd.conf.G00_pea deleted file mode 100644 index c9ad25d..0000000 --- a/Cfg/etc/freeradius/radiusd.conf/radiusd.conf.G00_pea +++ /dev/null @@ -1,772 +0,0 @@ -# -*- text -*- -## -## radiusd.conf -- FreeRADIUS server configuration file. -## -## http://www.freeradius.org/ -## $Id: radiusd.conf.in,v 1.275 2008/05/30 09:18:43 aland Exp $ -## - -###################################################################### -# -# Read "man radiusd" before editing this file. See the section -# titled DEBUGGING. It outlines a method where you can quickly -# obtain the configuration you want, without running into -# trouble. -# -# Run the server in debugging mode, and READ the output. -# -# $ radiusd -X -# -# We cannot emphasize this point strongly enough. The vast -# majority of problems can be solved by carefully reading the -# debugging output, which includes warnings about common issues, -# and suggestions for how they may be fixed. -# -# There may be a lot of output, but look carefully for words like: -# "warning", "error", "reject", or "failure". The messages there -# will usually be enough to guide you to a solution. -# -# If you are going to ask a question on the mailing list, then -# explain what you are trying to do, and include the output from -# debugging mode (radiusd -X). Failure to do so means that all -# of the responses to your question will be people telling you -# to "post the output of radiusd -X". - -###################################################################### -# -# The location of other config files and logfiles are declared -# in this file. -# -# Also general configuration for modules can be done in this -# file, it is exported through the API to modules that ask for -# it. -# -# See "man radiusd.conf" for documentation on the format of this -# file. Note that the individual configuration items are NOT -# documented in that "man" page. They are only documented here, -# in the comments. -# -# As of 2.0.0, FreeRADIUS supports a simple processing language -# in the "authorize", "authenticate", "accounting", etc. sections. -# See "man unlang" for details. -# - -prefix = /usr -exec_prefix = /usr -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = /var/log/freeradius -raddbdir = /etc/freeradius -radacctdir = ${logdir}/radacct -crans_conf = /usr/scripts/freeradius - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/freeradius - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = $(raddbdir) - -# -# libdir: Where to find the rlm_* modules. -# -# This should be automatically set at configuration time. -# -# If the server builds and installs, but fails at execution time -# with an 'undefined symbol' error, then you can use the libdir -# directive to work around the problem. -# -# The cause is usually that a library has been installed on your -# system in a place where the dynamic linker CANNOT find it. When -# executing as root (or another user), your personal environment MAY -# be set up to allow the dynamic linker to find the library. When -# executing as a daemon, FreeRADIUS MAY NOT have the same -# personalized configuration. -# -# To work around the problem, find out which library contains that symbol, -# and add the directory containing that library to the end of 'libdir', -# with a colon separating the directory names. NO spaces are allowed. -# -# e.g. libdir = /usr/local/lib:/opt/package/lib -# -# You can also try setting the LD_LIBRARY_PATH environment variable -# in a script which starts the server. -# -# If that does not work, then you can re-configure and re-build the -# server to NOT use shared libraries, via: -# -# ./configure --disable-shared -# make -# make install -# -libdir = /usr/lib/freeradius - -# pidfile: Where to place the PID of the RADIUS server. -# -# The server may be signalled while it's running by using this -# file. -# -# This file is written when ONLY running in daemon mode. -# -# e.g.: kill -HUP `cat /var/run/freeradius/freeradius.pid` -# -pidfile = ${run_dir}/freeradius.pid - -# chroot: directory where the server does "chroot". -# -# The chroot is done very early in the process of starting the server. -# After the chroot has been performed it switches to the "user" listed -# below (which MUST be specified). If "group" is specified, it switchs -# to that group, too. Any other groups listed for the specified "user" -# in "/etc/group" are also added as part of this process. -# -# The current working directory (chdir / cd) is left *outside* of the -# chroot until all of the modules have been initialized. This allows -# the "raddb" directory to be left outside of the chroot. Once the -# modules have been initialized, it does a "chdir" to ${logdir}. This -# means that it should be impossible to break out of the chroot. -# -# If you are worried about security issues related to this use of chdir, -# then simply ensure that the "raddb" directory is inside of the chroot, -# end be sure to do "cd raddb" BEFORE starting the server. -# -# If the server is statically linked, then the only files that have -# to exist in the chroot are ${run_dir} and ${logdir}. If you do the -# "cd raddb" as discussed above, then the "raddb" directory has to be -# inside of the chroot directory, too. -# -#chroot = /path/to/chroot/directory - -# user/group: The name (or #number) of the user/group to run freeradius as. -# -# If these are commented out, the server will run as the user/group -# that started it. In order to change to a different user/group, you -# MUST be root ( or have root privleges ) to start the server. -# -# We STRONGLY recommend that you run the server with as few permissions -# as possible. That is, if you're not using shadow passwords, the -# user and group items below should be set to radius'. -# -# NOTE that some kernels refuse to setgid(group) when the value of -# (unsigned)group is above 60000; don't use group nobody on these systems! -# -# On systems with shadow passwords, you might have to set 'group = shadow' -# for the server to be able to read the shadow password file. If you can -# authenticate users while in debug mode, but not in daemon mode, it may be -# that the debugging mode server is running as a user that can read the -# shadow info, and the user listed below can not. -# -# The server will also try to use "initgroups" to read /etc/groups. -# It will join all groups where "user" is a member. This can allow -# for some finer-grained access controls. -# -user = freerad -group = freerad - -# max_request_time: The maximum time (in seconds) to handle a request. -# -# Requests which take more time than this to process may be killed, and -# a REJECT message is returned. -# -# WARNING: If you notice that requests take a long time to be handled, -# then this MAY INDICATE a bug in the server, in one of the modules -# used to handle a request, OR in your local configuration. -# -# This problem is most often seen when using an SQL database. If it takes -# more than a second or two to receive an answer from the SQL database, -# then it probably means that you haven't indexed the database. See your -# SQL server documentation for more information. -# -# Useful range of values: 5 to 120 -# -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -# a reply which was sent to the NAS. -# -# The RADIUS request is normally cached internally for a short period -# of time, after the reply is sent to the NAS. The reply packet may be -# lost in the network, and the NAS will not see it. The NAS will then -# re-send the request, and the server will respond quickly with the -# cached reply. -# -# If this value is set too low, then duplicate requests from the NAS -# MAY NOT be detected, and will instead be handled as seperate requests. -# -# If this value is set too high, then the server will cache too many -# requests, and some new requests may get blocked. (See 'max_requests'.) -# -# Useful range of values: 2 to 10 -# -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -# track of. This should be 256 multiplied by the number of clients. -# e.g. With 4 clients, this number should be 1024. -# -# If this number is too low, then when the server becomes busy, -# it will not respond to any new requests, until the 'cleanup_delay' -# time has passed, and it has removed the old requests. -# -# If this number is set too high, then the server will use a bit more -# memory for no real benefit. -# -# If you aren't sure what it should be set to, it's better to set it -# too high than too low. Setting it to 1000 per client is probably -# the highest it should be. -# -# Useful range of values: 256 to infinity -# -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -# replies out from that address. This directive is most useful for -# hosts with multiple IP addresses on one interface. -# -# If you want the server to listen on additional addresses, or on -# additionnal ports, you can use multiple "listen" sections. -# -# Each section make the server listen for only one type of packet, -# therefore authentication and accounting have to be configured in -# different sections. -# -# The server ignore all "listen" section if you are using '-i' and '-p' -# on the command line. -# -listen { - # Type of packets to listen for. - # Allowed values are: - # auth listen for authentication packets - # acct listen for accounting packets - # proxy IP to use for sending proxied packets - # detail Read from the detail file. For examples, see - # raddb/sites-available/copy-acct-to-home-server - # - type = auth - - # Note: "type = proxy" lets you control the source IP used for - # proxying packets, with some limitations: - # - # * Only ONE proxy listener can be defined. - # * A proxy listener CANNOT be used in a virtual server section. - # * You should probably set "port = 0". - # * Any "clients" configuration will be ignored. - - # IP address on which to listen. - # Allowed values are: - # dotted quad (1.2.3.4) - # hostname (radius.example.com) - # wildcard (*) - ipaddr = * - - # OR, you can use an IPv6 address, but not both - # at the same time. -# ipv6addr = :: # any. ::1 == localhost - - # Port on which to listen. - # Allowed values are: - # integer port number (1812) - # 0 means "use /etc/services for the proper port" - port = 0 - - # Some systems support binding to an interface, in addition - # to the IP address. This feature isn't strictly necessary, - # but for sites with many IP addresses on one interface, - # it's useful to say "listen on all addresses for eth0". - # - # If your system does not support this feature, you will - # get an error if you try to use it. - # -# interface = eth0 - - # Per-socket lists of clients. This is a very useful feature. - # - # The name here is a reference to a section elsewhere in - # radiusd.conf, or clients.conf. Having the name as - # a reference allows multiple sockets to use the same - # set of clients. - # - # If this configuration is used, then the global list of clients - # is IGNORED for this "listen" section. Take care configuring - # this feature, to ensure you don't accidentally disable a - # client you need. - # - # See clients.conf for the configuration of "per_socket_clients". - # -# clients = per_socket_clients -} - -# Le même mais en ipv6 -listen { - type = auth - ipv6addr = :: # any. ::1 == localhost - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -#listen { -# ipaddr = * -# ipv6addr = :: -# port = 0 -# type = acct -# interface = eth0 -# clients = per_socket_clients -#} - -# hostname_lookups: Log the names of clients or just their IP addresses -# e.g., www.freeradius.org (on) or 206.47.27.232 (off). -# -# The default is 'off' because it would be overall better for the net -# if people had to knowingly turn this feature on, since enabling it -# means that each client request will result in AT LEAST one lookup -# request to the nameserver. Enabling hostname_lookups will also -# mean that your server may stop randomly for 30 seconds from time -# to time, if the DNS requests take too long. -# -# Turning hostname lookups off also means that the server won't block -# for 30 seconds, if it sees an IP address which has no name associated -# with it. -# -# allowed values: {no, yes} -# -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -# if you're debugging a problem with the server. -# -# allowed values: {no, yes} -# -allow_core_dumps = no - -# Regular expressions -# -# These items are set at configure time. If they're set to "yes", -# then setting them to "no" turns off regular expression support. -# -# If they're set to "no" at configure time, then setting them to "yes" -# WILL NOT WORK. It will give you an error. -# -regular_expressions = yes -extended_expressions = yes - -# -# Logging section. The various "log_*" configuration items -# will eventually be moved here. -# -log { - # - # Destination for log messages. This can be one of: - # - # files - log to "file", as defined below. - # syslog - to syslog (see also the "syslog_facility", below. - # stdout - standard output - # stderr - standard error. - # - # The command-line option "-X" over-rides this option, and forces - # logging to go to stdout. - # - destination = syslog - - # - # The logging messages for the server are appended to the - # tail of this file if ${destination} == "files" - # - # If the server is running in debugging mode, this file is - # NOT used. - # - file = ${logdir}/radius.log - - # - # Which syslog facility to use, if ${destination} == "syslog" - # - # The exact values permitted here are OS-dependent. You probably - # don't want to change this. - # - syslog_facility = daemon - - # Log the full User-Name attribute, as it was found in the request. - # - # allowed values: {no, yes} - # - stripped_names = yes - - # Log authentication requests to the log file. - # - # allowed values: {no, yes} - # - auth = yes - - # Log passwords with the authentication requests. - # auth_badpass - logs password if it's rejected - # auth_goodpass - logs password if it's correct - # - # allowed values: {no, yes} - # - auth_badpass = yes - auth_goodpass = yes - - # On rajoute l'IP de la borne aux logs - # ainsi que la Mac (qui devraient contenir des ":" cf hints) - msg_goodpass="Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} Mac: %{Calling-Station-Id}" - msg_badpass="Nas: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} Mac: %{Calling-Station-Id}" -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# SECURITY CONFIGURATION -# -# There may be multiple methods of attacking on the server. This -# section holds the configuration items which minimize the impact -# of those attacks -# -security { - # - # max_attributes: The maximum number of attributes - # permitted in a RADIUS packet. Packets which have MORE - # than this number of attributes in them will be dropped. - # - # If this number is set too low, then no RADIUS packets - # will be accepted. - # - # If this number is set too high, then an attacker may be - # able to send a small number of packets which will cause - # the server to use all available memory on the machine. - # - # Setting this number to 0 means "allow any number of attributes" - max_attributes = 200 - - # - # reject_delay: When sending an Access-Reject, it can be - # delayed for a few seconds. This may help slow down a DoS - # attack. It also helps to slow down people trying to brute-force - # crack a users password. - # - # Setting this number to 0 means "send rejects immediately" - # - # If this number is set higher than 'cleanup_delay', then the - # rejects will be sent at 'cleanup_delay' time, when the request - # is deleted from the internal cache of requests. - # - # Useful ranges: 1 to 5 - reject_delay = 1 - - # - # status_server: Whether or not the server will respond - # to Status-Server requests. - # - # When sent a Status-Server message, the server responds with - # an Access-Accept or Accounting-Response packet. - # - # This is mainly useful for administrators who want to "ping" - # the server, without adding test users, or creating fake - # accounting packets. - # - # It's also useful when a NAS marks a RADIUS server "dead". - # The NAS can periodically "ping" the server with a Status-Server - # packet. If the server responds, it must be alive, and the - # NAS can start using it for real requests. - # - status_server = yes -} - -# PROXY CONFIGURATION -# -# proxy_requests: Turns proxying of RADIUS requests on or off. -# -# The server has proxying turned on by default. If your system is NOT -# set up to proxy requests to another server, then you can turn proxying -# off here. This will save a small amount of resources on the server. -# -# If you have proxying turned off, and your configuration files say -# to proxy a request, then an error message will be logged. -# -# To disable proxying, change the "yes" to "no", and comment the -# $INCLUDE line. -# -# allowed values: {no, yes} -# -proxy_requests = no -#$INCLUDE ${confdir}/proxy.conf - - -# CLIENTS CONFIGURATION -# -# Client configuration is defined in "clients.conf". -# - -# The 'clients.conf' file contains all of the information from the old -# 'clients' and 'naslist' configuration files. We recommend that you -# do NOT use 'client's or 'naslist', although they are still -# supported. -# -# Anything listed in 'clients.conf' will take precedence over the -# information from the old-style configuration files. -# -#$INCLUDE ${confdir}/clients.conf -$INCLUDE ${crans_conf}/dynamic_clients.conf - - -# SNMP CONFIGURATION -# -# Snmp configuration is only valid if SNMP support was enabled -# at compile time. -# -# To enable SNMP querying of the server, set the value of the -# 'snmp' attribute to 'yes' -# -snmp = no -#$INCLUDE ${confdir}/snmp.conf - - -# THREAD POOL CONFIGURATION -# -# The thread pool is a long-lived group of threads which -# take turns (round-robin) handling any incoming requests. -# -# You probably want to have a few spare threads around, -# so that high-load situations can be handled immediately. If you -# don't have any spare threads, then the request handling will -# be delayed while a new thread is created, and added to the pool. -# -# You probably don't want too many spare threads around, -# otherwise they'll be sitting there taking up resources, and -# not doing anything productive. -# -# The numbers given below should be adequate for most situations. -# -thread pool { - # Number of servers to start initially --- should be a reasonable - # ballpark figure. - start_servers = 5 - - # Limit on the total number of servers running. - # - # If this limit is ever reached, clients will be LOCKED OUT, so it - # should NOT BE SET TOO LOW. It is intended mainly as a brake to - # keep a runaway server from taking the system with it as it spirals - # down... - # - # You may find that the server is regularly reaching the - # 'max_servers' number of threads, and that increasing - # 'max_servers' doesn't seem to make much difference. - # - # If this is the case, then the problem is MOST LIKELY that - # your back-end databases are taking too long to respond, and - # are preventing the server from responding in a timely manner. - # - # The solution is NOT do keep increasing the 'max_servers' - # value, but instead to fix the underlying cause of the - # problem: slow database, or 'hostname_lookups=yes'. - # - # For more information, see 'max_request_time', above. - # - max_servers = 32 - - # Server-pool size regulation. Rather than making you guess - # how many servers you need, FreeRADIUS dynamically adapts to - # the load it sees, that is, it tries to maintain enough - # servers to handle the current load, plus a few spare - # servers to handle transient load spikes. - # - # It does this by periodically checking how many servers are - # waiting for a request. If there are fewer than - # min_spare_servers, it creates a new spare. If there are - # more than max_spare_servers, some of the spares die off. - # The default values are probably OK for most sites. - # - min_spare_servers = 3 - max_spare_servers = 10 - - # There may be memory leaks or resource allocation problems with - # the server. If so, set this value to 300 or so, so that the - # resources will be cleaned up periodically. - # - # This should only be necessary if there are serious bugs in the - # server which have not yet been fixed. - # - # '0' is a special value meaning 'infinity', or 'the servers never - # exit' - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -# -# The names and configuration of each module is located in this section. -# -# After the modules are defined here, they may be referred to by name, -# in other sections of this configuration file. -# -modules { - # - # Each module has a configuration as follows: - # - # name [ instance ] { - # config_item = value - # ... - # } - # - # The 'name' is used to load the 'rlm_name' library - # which implements the functionality of the module. - # - # The 'instance' is optional. To have two different instances - # of a module, it first must be referred to by 'name'. - # The different copies of the module are then created by - # inventing two 'instance' names, e.g. 'instance1' and 'instance2' - # - # The instance names can then be used in later configuration - # INSTEAD of the original 'name'. See the 'radutmp' configuration - # below for an example. - # - - # - # As of 2.0.5, most of the module configurations are in a - # separate directory. Files matching the regex /[a-zA-Z0-9_.]+/ - # are loaded. The modules are initialized ONLY if they are - # referenced in a processing section, such as authorize, - # authenticate, accounting, pre/post-proxy, etc. - # -# $INCLUDE ${confdir}/modules/ - $INCLUDE ${confdir}/modules/ldap - $INCLUDE ${confdir}/modules/mschap - $INCLUDE ${confdir}/modules/preprocess - $INCLUDE ${confdir}/modules/realm - $INCLUDE ${confdir}/modules/chap - $INCLUDE ${confdir}/modules/acct_unique - $INCLUDE ${crans_conf}/modules/ - # Extensible Authentication Protocol - # - # For all EAP related authentications. - # Now in another file, because it is very large. - # - $INCLUDE ${confdir}/eap.conf - - # Include another file that has the SQL-related configuration. - # This is another file only because it tends to be big. - # -# $INCLUDE ${confdir}/sql.conf - - - # For Cisco VoIP specific accounting with Postgresql, - # use: ${confdir}/sql/postgresql/voip-postpaid.conf - # - # You will also need the sql schema from: - # src/billing/cisco_h323_db_schema-postgres.sql - # Note: This config can be use AS WELL AS the standard sql - # config if you need SQL based Auth - - # - # This module is an SQL enabled version of the counter module. - # - # Rather than maintaining seperate (GDBM) databases of - # accounting info for each counter, this module uses the data - # stored in the raddacct table by the sql modules. This - # module NEVER does any database INSERTs or UPDATEs. It is - # totally dependent on the SQL module to process Accounting - # packets. - # -# $INCLUDE ${confdir}/sql/mysql/counter.conf - #$INCLUDE ${confdir}/sql/postgresql/counter.conf - - # $INCLUDE ${confdir}/sqlippool.conf - - # OTP token support. Not included by default. - # $INCLUDE ${confdir}/otp.conf - -} - -# Instantiation -# -# This section orders the loading of the modules. Modules -# listed here will get loaded BEFORE the later sections like -# authorize, authenticate, etc. get examined. -# -# This section is not strictly needed. When a section like -# authorize refers to a module, it's automatically loaded and -# initialized. However, some modules may not be listed in any -# of the following sections, so they can be listed here. -# -# Also, listing modules here ensures that you have control over -# the order in which they are initalized. If one module needs -# something defined by another module, you can list them in order -# here, and ensure that the configuration will be OK. -# -instantiate { - # - # Allows the execution of external scripts. - # The entire command line (and output) must fit into 253 bytes. - # - # e.g. Framed-Pool = `%{exec:/bin/echo foo}` -# exec - - # - # The expression module doesn't do authorization, - # authentication, or accounting. It only does dynamic - # translation, of the form: - # - # Session-Timeout = `%{expr:2 + 3}` - # - # So the module needs to be instantiated, but CANNOT be - # listed in any other section. See 'doc/rlm_expr' for - # more information. - # -# expr - - # - # We add the counter module here so that it registers - # the check-name attribute before any module which sets - # it -# daily -# expiration -# logintime - - # subsections here can be thought of as "virtual" modules. - # - # e.g. If you have two redundant SQL servers, and you want to - # use them in the authorize and accounting sections, you could - # place a "redundant" block in each section, containing the - # exact same text. Or, you could uncomment the following - # lines, and list "redundant_sql" in the authorize and - # accounting sections. - # - #redundant redundant_sql { - # sql1 - # sql2 - #} -} - -###################################################################### -# -# Policies that can be applied in multiple places are listed -# globally. That way, they can be defined once, and referred -# to multiple times. -# -###################################################################### -$INCLUDE ${confdir}/policy.conf - -###################################################################### -# -# As of 2.0.0, the "authorize", "authenticate", etc. sections -# are in separate configuration files, per virtual host. -# -###################################################################### - -###################################################################### -# -# Include all enabled virtual hosts. -# -# The following directory is searched for files that match -# the regex: -# -# /[a-zA-Z0-9_.]+/ -# -# The files are then included here, just as if they were cut -# and pasted into this file. -# -# See "sites-enabled/default" for some additional documentation. -# -$INCLUDE sites-enabled/ -$INCLUDE ${crans_conf}/sites-available/