<?xml version="1.0"?>
-<Opengate ConfigVersion="1.4.23">
+<Opengate ConfigVersion="1.5.13">
<!-- #################################################
-# ####### NEED TO MODIFY FOLLOWING PARAMETERS ##### -->
+ ####### NEED TO MODIFY FOLLOWING PARAMETERS ##### -->
<!-- #########################################################
## Opengate gateway server hostname(FQDN or IP address)## -->
## Authentication servers (can set multiple servers) ##
## REFER document at the end of this file ## -->
- <AuthServer>
+ <AuthServer>
+ <Protocol>pop3s</Protocol>
<Address>192.168.0.2</Address>
- <Protocol>pop3s</Protocol>
- <Timeout>10</Timeout>
- </AuthServer>
+ </AuthServer>
<!-- ##########################################################
-# #### usually, need not to modify following parameters #### -->
+ #### usually, need not to modify following parameters #### -->
<!-- ###################################################
-# if you want to switch parameters with userID or extraID
-# (entered by user as [userID@extraID] in auth page),
-# REFER the information of ExtraSet at the end of this file.
-# ################################################### -->
+ if you want to switch parameters with userID or extraID
+ (entered by user as [userID@extraID] in auth page),
+ REFER the information of ExtraSet at the end of this file.
+ ################################################### -->
<!-- Debug dump level -->
<!-- Set 0 to write only open/close and error messages to syslog -->
<!-- Set 2 to write many information to syslog -->
<Debug>1</Debug>
- <!-- client usage watch mode in default('Java', 'Http', or 'Time') -->
+ <!-- client usage watch mode in default('Http', or 'Time') -->
<WatchMode>Http</WatchMode>
<!-- Syslog (local0, local1, .., local7)-->
<Facility>local1</Facility>
</Syslog>
+ <!-- SQLite database file -->
+ <SqliteDb>/tmp/opengate.db</SqliteDb>
+
<!-- Allowable duration for users to use network(seconds) -->
- <!-- If no connection with java/http, network is closed after this. -->
+ <!-- If no connection with http, network is closed after this. -->
<Duration>
<Default>300</Default>
<Max>3600</Max>
</Duration>
<!-- Client Live Check (seconds) -->
- <!-- In JAVA connection, send HELLO and get reply. -->
<!-- In HTTP connection, existance of HELLO request. -->
<!-- In no connection, check mac address mismatch and no packet. -->
- <ActiveCheckInterval>100</ActiveCheckInterval>
+ <ActiveCheckInterval>50</ActiveCheckInterval>
<!-- Close when no packet is passed between the interval -->
<NoPacketInterval>5400</NoPacketInterval>
<!-- Watch client with Http Keep-Alive -->
<HttpWatch>
- <!-- HTTP_USER_AGENT ignoring http watch mode -->
+ <!-- HTTP_USER_AGENT that is not compatible with http watch mode -->
<!-- defined by "POSIX Extended Regular Expression" -->
<SkipAgentPattern>^$</SkipAgentPattern>
</HttpWatch>
- <!-- Watch client with Java Applet -->
- <JavaWatch>
- <!-- HTTP_USER_AGENT ignoring java watch mode -->
- <!-- defined by "POSIX Extended Regular Expression" -->
- <SkipAgentPattern>^$</SkipAgentPattern>
- </JavaWatch>
-
- <!-- IPFW rule number range used by opengate -->
+ <!-- IPFW rule number range and tag number used by opengate -->
<IpfwRule>
<Min>10000</Min>
<Max>40000</Max>
<Interval>2</Interval>
</IpfwRule>
- <!-- IP6FW rule number range used by opengate -->
- <Ip6fwRule>
- <Min>10000</Min>
- <Max>40000</Max>
- <Interval>2</Interval>
- </Ip6fwRule>
-
+ <!-- IPFW Tag number used in rc.firewall -->
+ <IpfwTagNumber>123</IpfwTagNumber>
+
<!-- Port number range used by opengate -->
<ListenPort>
<Min>30000</Min>
<!-- communication reply timeout(second) -->
<CommWaitTimeout>10</CommWaitTimeout>
- <!-- Java connection timeout(second) -->
- <JavaWaitTimeout>600</JavaWaitTimeout>
-
<!-- http reconnect timeout(second) -->
<ReconnectTimeout>180</ReconnectTimeout>
<HtmlLangs>en ja</HtmlLangs>
<!-- Path to Apache Contents -->
- <DocumentRoot>/usr/local/www/data</DocumentRoot>
+ <DocumentRoot>/usr/local/www/apache22/data</DocumentRoot>
<CgiDir>/cgi-bin</CgiDir>
<OpengateDir>/opengate</OpengateDir>
<!-- HTML Documents (in each language dir)-->
<DenyDoc>deny.html</DenyDoc>
- <DenyDocSsl>deny-ssl.html</DenyDocSsl>
<AcceptDocHttp>accept-http.html</AcceptDocHttp>
- <AcceptDocJava>accept-java.html</AcceptDocJava>
<AcceptDocTime>accept-time.html</AcceptDocTime>
<AcceptDoc2>accept2.html</AcceptDoc2>
<AuthDoc>index.html</AuthDoc>
<FwdDoc>topindex.html</FwdDoc>
<RetryDoc>retry.html</RetryDoc>
<HttpKeepDoc>httpkeep.html</HttpKeepDoc>
+ <SkipAuthDoc>skip-auth.html</SkipAuthDoc>
<!-- CGI programs -->
<AuthCgi>opengateauth.cgi</AuthCgi>
<FwdCgi>opengatefwd.cgi</FwdCgi>
<MainCgi>opengatesrv.cgi</MainCgi>
- <!-- Java Script (in opengate dir) -->
+ <!-- JavaScript (in opengate dir) -->
<HttpKeepJS>httpkeep.js</HttpKeepJS>
<Md5JS>md5.js</Md5JS>
- <!-- URL used to retry -->
+ <!-- URL used for retrying -->
<ExternalUrl>http://www.google.com/</ExternalUrl>
<!-- Url to start browsing after authentication -->
- <!-- if type=0, use acceptdoc2. if type=1, use below url -->
+ <!-- type:0=acceptdoc2.html,1=below Url,2=redirected(requested) Url -->
<StartPage>
<Type>0</Type>
<Url>http://www.yahoo.com/</Url>
</StartPage>
+ <!-- authentication by http-cookie is allowed(1) or not(0) -->
+ <EnableCookieAuth>1</EnableCookieAuth>
+
<!-- Related command path -->
<ArpPath>/usr/sbin/arp</ArpPath>
<NdpPath>/usr/sbin/ndp</NdpPath>
<IpfwPath>/sbin/ipfw</IpfwPath>
- <Ip6fwPath>/sbin/ip6fw</Ip6fwPath>
<PsPath>/bin/ps</PsPath>
<!-- Ipfw is opened via perl script(1) or direct from C(0) -->
<Path>/etc/opengate/ipfwctrl.pl</Path>
</IpfwScript>
- <!-- Ip6fw is opened via perl script(1) or direct from C(0) -->
- <Ip6fwScript>
- <Enable>0</Enable>
- <Path>/etc/opengate/ipfwctrl.pl</Path>
- </Ip6fwScript>
-
<!-- Lock file for exclusive exec to prevent overlapped rule number -->
<LockFile>/tmp/opengate.lock</LockFile>
<UserIdSeparator>@</UserIdSeparator>
- <!-- #Config for exceptional users, See below document# -->
-<!-- ############ExtraSet sample 1###############
+ <!-- #### Config for exceptional users, See below document #### -->
+ ## To use below sample, remove the XML comment mark ##
+
+<!-- ## ExtraSet sample 1 ##
<ExtraSet ExtraId="guest">
<AuthServer>
<Address>192.168.0.1</Address>
<Protocol>ftp</Protocol>
</AuthServer>
+ <IpfwTagNumber>999</IpfwTagNumber>
+
</ExtraSet>
- ############################################ -->
+ ## End of sample 1 ## -->
-<!-- ############ExtraSet sample 2###############
+<!-- ## ExtraSet sample 2 ##
<ExtraSet ExtraId="admin">
<AuthServer>
<Protocol>pam</Protocol>
<Timeout>10</Timeout>
</AuthServer>
</ExtraSet>
- ############################################ -->
+ ## End of sample 2 ## -->
-<!-- ############ExtraSet sample 3###############
+<!-- ## ExtraSet sample 3 ##
<ExtraSet ExtraId="default" UserIdPattern="^user1$|^user2$">
<Syslog>
<Enable>1</Enable>
<Facility>local2</Facility>
</Syslog>
</ExtraSet>
- ############################################ -->
+ ## Caution: if no userid is entered, set as userid="?" ##
+ ## End of sample 3 ## -->
</Opengate>
+<!-- ## End of Configuration ## -->
-<!-- ##########################################################
-########### <ExtraSet> overwritten on default settings ####
-#
-# You can switch parameter values by userID and extraID
-# entered as [userID@extraID] in userID field on auth page.
-#
-# Each <ExtraSet> has conditions such as <.. ExtraId="aaa"> or
-# <.. UserIdPattern="bbb">.
-# The conditions is compared with the string entered in
-# userID field.
-#
-# When you set the condition as <.. ExtraId="aaa">,
-# the string [any_user@aaa] is matched and the ExtraSet is used.
-#
-# When you set the condition as <.. UserIdPattern="bbb">,
-# the string [any_bbb_any] is matched.
-# UserIdPattern has the form of "POSIX Extended Regular Expression".
-# Matching is insensitive to upper/lower case.
-#
-# The <ExtraSet> having both conditions is used when both are true.
-# Omitted condition matched to every string.
-#
-# The first matched <ExtraSet> is used, at existing many matched set.
-#
-# The paremeters in <ExtraSet> overwrite the default value.
-# When a parameter is not found in <ExtraSet>, the default is used.
-#
-# When userID is entered without extraID, ExtraId matchs to "default".
-# Thus if you want to find [user1] only in default server,
-# use as <ExtraSet ExtraId="default" UserIdPattern="^user1$">.
-#
-# Example1 is used when user entered as [any_user@guest],
-# where "any_user" is any string.
-# It means that [xxx@guest] uses different auth server.
-#
-# Example2 is used when [anyuser@admin].
-# It means that [xxx@adimin] can use many auth servers.
-#
-# Example3 is used when [user1] or [user2].
-# It means that [user1] and [user2] emerge specific syslog(eg. mail).
-#
-###########################################################
-
-
-###########################################################
-# ######Documentation about AuthServer setting ######
-#
-# ########### Format #############
-# where
-# {a|b}: a or b, set one of them
-# [ x ]: x is optional
-# -x- : x is a value
-#
-# #### TYPE 1 (POP or FTP) ####
-# <AuthServer>
-# <Protocol>{pop3|pop3s|ftp|ftpse|ftpsi}</Protocol>
-# <Address>{-hostname-|-ip_address-}</Address>
-# [ <Port>-portno-</Port> ]
-# [ <Timeout>-seconds-</Timeout> ]
-# </AuthServer>
-# # AuthOK, if request by <Protocol> is accepted by <Address>.
-# # Address is FQDN or IP address
-# # If <Port> is not defined, port number in /etc/services is used.
-# # The request is aborted at <Timeout> seconds.
-# # If <Timeout> is not defined, system value is used.
-# # pop3s is SSLed pop3
-# # ftpse is SSLed ftp run in Explicit mode.
-# # ftpsi is SSLed ftp run in Implicit mode.
-#
-# #### TYPE 2 (PAM) ####
-# <AuthServer>
-# <Protocol>pam</Protocol>
-# [ <ServiceName>-servicename_in_pam_conf-</ServiceName> ]
-# [ <Timeout>-second-</Timeout> ]
-# </AuthServer>
-# # Auth by PAM
-# # If not define <ServiceName>, "opengate" is used in "pam.conf".
-#
-# #### TYPE 3 (RADIUS) ####
-# <AuthServer>
-# <Protocol>radius</Protocol>
-# [ <ConfFile>-path_to_radius_conf-</ConfFile> ]
-# [ <Timeout>-second-</Timeout> ]
-# </AuthServer>
-# # Auth by RADIUS
-# # If not define <ConfigFile>, "/etc/radius.conf" is used.
-#
-# #### TYPE 4 (LDAP) ####
-# <AuthServer>
-# <Protocol>ldap</Protocol>
-# <Uri>-uri-of-ldap-server-</Uri>
-# <BaseDN>-ldap_base_dn_to_search-</BaseDN>
-# [ <Timeout>-second-</Timeout> ]
-# </AuthServer>
-# # Auth by LDAP/LDAPS
-# # Uri examples
-# # 'ldap://foo.bar.com' for NonSSL
-# # 'ldaps://foo.bar.com' for SSL
-# # 'ldaps://foo.bar.com:1234' to use specific port
-#
-# #### TYPE 5 (ACCEPT or DENY) ####
-# <AuthServer>
-# <Protocol>{accept|deny}</Protocol>
-# </AuthServer>
-# # The user is accepted or denied without inquiry.
-# # This setting is prepared for debugging.
-#
-# ############# Examples ##############
-# <AuthServer>
-# <Address>pop.saga-u.ac.jp</Address>
-# <Protocol>pop3s</Protocol>
-# <Timeout>30</Timeout>
-# </AuthServer>
-#
-# <AuthServer>
-# <Protocol>ldap</Protocol>
-# <Uri>ldaps://ldap.saga-u.ac.jp</Uri>
-# <BaseDN>ou=people,dc=saga-u,dc=ac,dc=jp</BaseDN>
-# <Timeout>5</Timeout>
-# </AuthServer>
-#
-# <AuthServer>
-# <Address>192.168.0.1</Address>
-# <Protocol>ftpsi</Protocol>
-# <Timeout>15</Timeout>
-# </AuthServer>
-#
-# <AuthServer>
-# <Protocol>radius</Protocol>
-# </AuthServer>
-#
-# <AuthServer>
-# <Protocol>pam</Protocol>
-# </AuthServer>
-#
-#
-# ####### Multiple authentication servers ######
-# If multiple auth servers are set, check these servers sequentially.
-# When denied by a server, request is sent to the next one.
-# And when accepted by a server, following servers are ignored.
-#
-# <AuthServer>
-# setting for first priority
-# </AuthServer>
-# <AuthServer>
-# setting for second priority
-# </AuthServer>
-# <AuthServer>
-# setting for third priority
-# </AuthServer>
-#
-# ######################################
+
+
+
+<!-- ## Following is only documentation ## -->
+
+<!-- ###### about ExtraSet #######
+
+ <ExtraSet> overwritten on default settings
+
+ You can switch parameter values by userID and extraID
+ entered as [userID@extraID] in userID field on auth page.
+
+ Each <ExtraSet> has conditions such as <.. ExtraId="aaa"> or
+ <.. UserIdPattern="bbb">.
+ The conditions is compared with the string entered in
+ userID field.
+
+ When you set the condition as <.. ExtraId="aaa">,
+ the string [any_user@aaa] is matched and the ExtraSet is used.
+
+ When you set the condition as <.. UserIdPattern="bbb">,
+ the string [any_bbb_any] is matched.
+ UserIdPattern has the form of "POSIX Extended Regular Expression".
+ Matching is insensitive to upper/lower case.
+
+ The <ExtraSet> having both conditions is used when both are true.
+ Omitted condition matched to every string.
+
+ The first matched <ExtraSet> is used, at existing many matched set.
+
+ The paremeters in <ExtraSet> overwrite the default value.
+ When a parameter is not found in <ExtraSet>, the default is used.
+
+ When userID is entered without extraID, ExtraId matchs to "default".
+ Thus if you want to find [user1] only in default server,
+ use as <ExtraSet ExtraId="default" UserIdPattern="^user1$">.
+
+ Example1 is used when user entered as [any_user@guest],
+ where "any_user" is any string.
+ It means that [xxx@guest] uses different auth server.
+
+ Example2 is used when [anyuser@admin].
+ It means that [xxx@adimin] can use many auth servers.
+
+ Example3 is used when [user1] or [user2].
+ It means that [user1] and [user2] emerge specific syslog(eg. mail).
+
+-->
+
+<!-- ###### About AuthServer setting ######
+
+ ########### Format #############
+ {a|b}: a or b, set one of them
+ [ x ]: x is optional
+ -x- : x is a value
+
+ #### TYPE 1 (POP or FTP) ####
+ <AuthServer>
+ <Protocol>{pop3|pop3s|ftp|ftpse|ftpsi}</Protocol>
+ <Address>{-hostname-|-ip_address-}</Address>
+ [ <Port>-portno-</Port> ]
+ [ <Timeout>-seconds-</Timeout> ]
+ </AuthServer>
+ # AuthOK, if request by <Protocol> is accepted by <Address>.
+ # Address is FQDN or IP address
+ # If <Port> is not defined, port number in /etc/services is used.
+ # The request is aborted at <Timeout> seconds.
+ # If <Timeout> is not defined, system value is used.
+ # pop3s is SSLed pop3
+ # ftpse is SSLed ftp run in Explicit mode.
+ # ftpsi is SSLed ftp run in Implicit mode.
+
+ #### TYPE 2 (PAM) ####
+ <AuthServer>
+ <Protocol>pam</Protocol>
+ [ <ServiceName>-servicename_in_pam_conf-</ServiceName> ]
+ [ <Timeout>-second-</Timeout> ]
+ </AuthServer>
+ # Auth by PAM
+ # If not define <ServiceName>, "opengate" is used in "pam.conf".
+
+ #### TYPE 3 (RADIUS) ####
+ <AuthServer>
+ <Protocol>radius</Protocol>
+ [ <ConfFile>-path_to_radius_conf-</ConfFile> ]
+ [ <Timeout>-second-</Timeout> ]
+ </AuthServer>
+ # Auth by RADIUS
+ # If not define <ConfigFile>, "/etc/radius.conf" is used.
+
+ #### TYPE 4 (LDAP) ####
+ <AuthServer>
+ <Protocol>ldap</Protocol>
+ <Uri>-uri-of-ldap-server-</Uri>
+ <BaseDN>-ldap_base_dn_to_search-</BaseDN>
+ [ <Timeout>-second-</Timeout> ]
+ </AuthServer>
+ # Auth by LDAP/LDAPS
+ # Uri examples
+ # 'ldap://foo.bar.com' for NonSSL
+ # 'ldaps://foo.bar.com' for SSL
+ # 'ldaps://foo.bar.com:1234' to use specific port
+
+ #### TYPE 5 (ACCEPT or DENY) ####
+ <AuthServer>
+ <Protocol>{accept|deny}</Protocol>
+ </AuthServer>
+ # The user is accepted or denied without inquiry.
+ # This setting is prepared for debugging.
+
+ #### TYPE 6 (Shibboleth) ####
+ <AuthServer>
+ <Protocol>shibboleth</Protocol>
+ <UidAttribute>-uid-env-var-</UidAttribute>
+ </AuthServer>
+
+ # Auth by Shibboleth
+ # Set 'opengatesrv.cgi/opengateauth.cgi' as SHIB-AUTH in .htaccess
+ # <FILES opengateauth.cgi>
+ # AuthType shibboleth
+ # ShibRequestSetting requireSession 1
+ # ShibRequireSession On
+ # ShibUseHeaders On
+ # require valid-user
+ # </FILES>
+ # <FILES opengatesrv.cgi>
+ # AuthType shibboleth
+ # ShibRequestSetting requireSession 1
+ # ShibRequireSession On
+ # ShibUseHeaders On
+ # require valid-user
+ # </FILES>
+ # 'UidAttiribute' means the environment variable for UserId
+
+ #### TYPE 7 (Http Basic) ####
+ <AuthServer>
+ <Protocol>httpbasic</Protocol>
+ </AuthServer>
+
+ # Auth by http-basic
+ # Set 'opengatesrv.cgi' as BASIC-AUTH in .htaccess
+ # <FILES opengatesrv.cgi>
+ # AuthType Basic
+ # AuthUserFile /tmp/passwd.dat
+ # AuthName "User"
+ # require valid-user
+ # </FILES>
+ # environment variable REMOTE_USER is used for userid
+-->
+
+<!-- ######## Examples of Auth Server Setting ##############
+ <AuthServer>
+ <Address>pop.saga-u.ac.jp</Address>
+ <Protocol>pop3s</Protocol>
+ <Timeout>30</Timeout>
+ </AuthServer>
+
+ <AuthServer>
+ <Protocol>ldap</Protocol>
+ <Uri>ldaps://ldap.saga-u.ac.jp</Uri>
+ <BaseDN>ou=people,dc=saga-u,dc=ac,dc=jp</BaseDN>
+ <Timeout>5</Timeout>
+ </AuthServer>
+
+ <AuthServer>
+ <Address>192.168.0.1</Address>
+ <Protocol>ftpsi</Protocol>
+ <Timeout>15</Timeout>
+ </AuthServer>
+
+ <AuthServer>
+ <Protocol>radius</Protocol>
+ </AuthServer>
+
+ <AuthServer>
+ <Protocol>pam</Protocol>
+ </AuthServer>
+-->
+
+<!-- ####### An Example of Multiple authentication servers ######
+ If multiple auth servers are set, check these servers sequentially.
+ When denied by a server, request is sent to the next one.
+ And when accepted by a server, following servers are ignored.
+
+ <AuthServer>
+ setting for first priority
+ </AuthServer>
+ <AuthServer>
+ setting for second priority
+ </AuthServer>
+ <AuthServer>
+ setting for third priority
+ </AuthServer>
+
-->
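Review bot: The new default `<SqliteDb>/tmp/opengate.db</SqliteDb>` puts the gateway's state database in a world-writable shared directory, where any local account can pre-create, replace or tamper with the file before the service opens it; a directory owned by the service account with restricted permissions would be the safer default, e.g. `<SqliteDb>[PLACEHOLDER: private data dir]/opengate.db</SqliteDb>` until packaging fixes a location. The same pattern appears in the added Http Basic documentation, `AuthUserFile /tmp/passwd.dat`, which shows a credential file in /tmp and is likely to be copied verbatim by administrators. The comment on the new element should also say which process is expected to own and write the file and whether it may be deleted safely, since nothing in the hunk states that; the existing `<LockFile>/tmp/opengate.lock</LockFile>` line is context here and shares the concern, but is not introduced by this change.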