-<?xml version="1.0"?>\r
-<Opengate>\r
-\r
-<!-- ################################################# \r
- ####### NEED TO MODIFY FOLLOWING PARAMETERS ##### -->\r
-\r
- <!-- opengate gateway server hostname(FQDN or IP address) -->\r
-\r
- <OpengateServerName>opengate.og.saga-u.ac.jp</OpengateServerName>\r
-\r
- <!-- Authentication server -->\r
- <!-- The AuthServer format is documented at the bottom of this file -->\r
-\r
- <AuthServer>\r
- <Address>192.168.0.2</Address>\r
- <Protocol>pop3s</Protocol>\r
- </AuthServer>\r
-\r
-<!-- ###################################################\r
- if you want to switch parameters with userID or extraID\r
- (which is entered by user as [userID@extraID]),\r
- see the information in ExtraSet below\r
- ################################################### --> \r
-\r
-<!-- #### usually, need not to modify following parameters #### -->\r
-\r
- <!-- Set 1 to write many information to syslog -->\r
- <!-- Set 0 to write only error message to syslog -->\r
- <Debug>0</Debug>\r
-\r
- <!-- Syslog -->\r
- <Syslog>\r
- <Enable>1</Enable>\r
- <Facility>local1</Facility>\r
- </Syslog>\r
- \r
- <!-- Available HTML languages (first lang is used as default) -->\r
- <HtmlLangs>en ja</HtmlLangs>\r
-\r
- <!-- Path to Apache Contents -->\r
- <DocumentRoot>/usr/local/www/data</DocumentRoot>\r
- <CgiDir>/cgi-bin</CgiDir>\r
- <OpengateDir>/opengate</OpengateDir>\r
-\r
- <!-- HTML Documents -->\r
- <DenyDoc>deny.html</DenyDoc>\r
- <DenyDocSsl>deny-ssl.html</DenyDocSsl>\r
- <AcceptDoc>accept.html</AcceptDoc>\r
- <AcceptDoc2>accept2.html</AcceptDoc2>\r
- <AuthDoc>index.html</AuthDoc>\r
- <AuthDocSsl>index-ssl.html</AuthDocSsl>\r
- <FwdDoc>topindex.html</FwdDoc>\r
- <RetryDoc>retry.html</RetryDoc>\r
-\r
- <!-- CGI programs -->\r
- <AuthCgi>opengateauth.cgi</AuthCgi>\r
- <FwdCgi>opengatefwd.cgi</FwdCgi>\r
- <MainCgi>opengatesrv.cgi</MainCgi>\r
-\r
- <!-- URL used to retry -->\r
- <ExternalUrl>http://www.google.com/</ExternalUrl>\r
-\r
- <!-- Url to start browsing after authentication -->\r
- <!-- if type=0, use acceptdoc2. if type=1, use below url -->\r
- <StartPage>\r
- <Type>0</Type>\r
- <Url>http://www.yahoo.com/</Url>\r
- </StartPage>\r
-\r
- <!-- Related command path -->\r
- <ArpPath>/usr/sbin/arp</ArpPath>\r
- <NdpPath>/usr/sbin/ndp</NdpPath>\r
- <IpfwPath>/sbin/ipfw</IpfwPath>\r
- <Ip6fwPath>/sbin/ip6fw</Ip6fwPath>\r
- <PsPath>/bin/ps</PsPath>\r
-\r
- <!-- Ipfw is opened via perl script(1) or direct from C(0) -->\r
- <IpfwScript>\r
- <Enable>0</Enable>\r
- <Path>/etc/opengate/ipfwctrl.pl</Path>\r
- </IpfwScript>\r
-\r
- <!-- Ip6fw is opened via perl script(1) or direct from C(0) -->\r
- <Ip6fwScript>\r
- <Enable>0</Enable>\r
- <Path>/etc/opengate/ipfwctrl.pl</Path>\r
- </Ip6fwScript>\r
-\r
- <!-- Allowable duration for users to use network(seconds) -->\r
- <Duration>\r
- <Default>1200</Default>\r
- <Max>10800</Max>\r
- </Duration>\r
- \r
- <!-- Live Check by sending 'HELLO' and counting packet (seconds) -->\r
- <ActiveCheck>\r
- <Interval>600</Interval>\r
- <NoReplyMaxCount>3</NoReplyMaxCount>\r
- <NoPacketInterval>5400</NoPacketInterval>\r
- </ActiveCheck>\r
-\r
- <!-- IPFW rule range used by opengate -->\r
- <IpfwRule>\r
- <Min>10000</Min>\r
- <Max>40000</Max>\r
- <Interval>2</Interval>\r
- </IpfwRule>\r
-\r
- <!-- IP6FW rule range used by opengate -->\r
- <Ip6fwRule>\r
- <Min>10000</Min>\r
- <Max>40000</Max>\r
- <Interval>2</Interval>\r
- </Ip6fwRule>\r
- \r
- <!-- Port range used by opengate -->\r
- <ListenPort>\r
- <Min>30000</Min>\r
- <Max>60000</Max>\r
- </ListenPort>\r
- \r
- <!-- Lock file for exclusive exec to prevent overlapped rule number -->\r
- <LockFile>/tmp/opengate.lock</LockFile>\r
-\r
- <!-- Separate char between userID and extraID [userID@extraID] -->\r
- <UserIdSeparator>@</UserIdSeparator>\r
-\r
-<!-- ########################################################## \r
- #### ExtraSet overwritten on default settings ####\r
-\r
- If you want to switch parameter values\r
- by userID and extraID entered as [userID@extraID],\r
- set following. \r
-\r
- If entered as [userID], above default parameters are used.\r
- If entered as [iserID@extraID] and matched set exists,\r
- the paremeters in the set is overwriten on the above default.\r
- The first matched extra set is used.\r
- \r
- Examples:\r
- First ExtraSet is used when user entered as [anyuser@guest],\r
- where "anyuser" is every userID.\r
- Second ExtraSet is used when [anyuser@admin].\r
- Third ExtraSet is used when [user1] or [user2].\r
- \r
- UserIdPattern is the "POSIX Extended Regular Expression".\r
- Matching is insensitive to upper/lower case.\r
-\r
- Word "default" is set to extraID, when extraID is not entered.\r
- ####################################################### -->\r
-\r
-<!--\r
- <ExtraSet ExtraId="guest">\r
- <AuthServer>\r
- <Address>192.168.0.1</Address>\r
- <Protocol>pop3s</Protocol>\r
- </AuthServer>\r
- <Duration>\r
- <Default>1200</Default>\r
- <Max>1200</Max>\r
- </Duration>\r
- </ExtraSet>\r
--->\r
-<!--\r
- <ExtraSet ExtraId="admin">\r
- <AuthServer>\r
- <Protocol>pam</Protocol>\r
- </AuthServer>\r
- </ExtraSet>\r
--->\r
-<!--\r
- <ExtraSet ExtraId="default" UserIdPattern="^user1$|^user2$"> \r
- <Syslog>\r
- <Enable>1</Enable>\r
- <Facility>local2</Facility>\r
- </Syslog>\r
- </ExtraSet>\r
--->\r
-</Opengate> \r
-\r
-\r
-\r
-<!-- ###################################################\r
- ######Documentation about AuthServer setting ######\r
- \r
- ########### Format ############# \r
- where {a|b}: a or b , [ x ]: x is optional, -x-: x is value\r
- \r
- #### TYPE 1 (POP or FTP) ####\r
- <AuthServer>\r
- <Protocol>{pop3|pop3s|ftp|ftpse|ftpsi}</Protocol>\r
- <Address>{-hostname-|-ip_address-}</Address>\r
- [ <Port>-portno-</Port> ]\r
- </AuthServer>\r
- # AuthOK, if request by <Protocol> is accepted by <Address>.\r
- # Address is FQDN or IP address \r
- # If <Port> is not defined, port number in /etc/services is used.\r
- # pop3s is SSLed pop3\r
- # ftpse is SSLed ftp run in Explicit mode. \r
- # ftpsi is SSLed ftp run in Implicit mode.\r
-\r
- #### TYPE 2 (PAM) ####\r
- <AuthServer>\r
- <Protocol>pam</Protocol>\r
- [ <ServiceName>-servicename_in_pam_conf-</ServiceName> ]\r
- </AuthServer>\r
- # Auth by PAM\r
- # If not define <ServiceName>, "opengate" is used in "pam.conf".\r
-\r
- #### TYPE 3 (RADIUS) ####\r
- <AuthServer>\r
- <Protocol>radius</Protocol>\r
- [ <ConfFile>-path_to_radius_conf-</ConfFile> ]\r
- </AuthServer>\r
- # Auth by RADIUS\r
- # If not define <ConfigFile>, "/etc/radius.conf" is used.\r
- \r
- #### TYPE 4 (ACCEPT or DENY) ####\r
- <AuthServer>\r
- <Protocol>{accept|deny}</Protocol>\r
- </AuthServer>\r
- # The user is accepted or denied without inquiry.\r
- # This setting is prepared for debugging.\r
- \r
- ############# Examples ##############\r
- <AuthServer>\r
- <Address>pop.saga-u.ac.jp</Address>\r
- <Protocol>pop3s</Protocol>\r
- <Port>10000</Port>\r
- </AuthServer>\r
-\r
- <AuthServer>\r
- <Address>192.168.0.1</Address>\r
- <Protocol>ftpsi</Protocol>\r
- </AuthServer>\r
-\r
- <AuthServer>\r
- <Protocol>radius</Protocol>\r
- </AuthServer>\r
-\r
- <AuthServer>\r
- <Protocol>pam</Protocol>\r
- </AuthServer>\r
- ###################################### -->\r
+<?xml version="1.0"?>
+<Opengate ConfigVersion="1.5.13">
+
+<!-- #################################################
+ ####### NEED TO MODIFY FOLLOWING PARAMETERS ##### -->
+
+ <!-- #########################################################
+ ## Opengate gateway server hostname(FQDN or IP address)## -->
+
+ <OpengateServerName>opengate.og.saga-u.ac.jp</OpengateServerName>
+
+ <!-- #######################################################
+ ## Authentication servers (can set multiple servers) ##
+ ## REFER document at the end of this file ## -->
+
+ <AuthServer>
+ <Protocol>pop3s</Protocol>
+ <Address>192.168.0.2</Address>
+ </AuthServer>
+
+<!-- ##########################################################
+ #### usually, need not to modify following parameters #### -->
+
+<!-- ###################################################
+ if you want to switch parameters with userID or extraID
+ (entered by user as [userID@extraID] in auth page),
+ REFER the information of ExtraSet at the end of this file.
+ ################################################### -->
+
+ <!-- Debug dump level -->
+ <!-- Set 0 to write only open/close and error messages to syslog -->
+ <!-- Set 1 to write some information adding to 0 -->
+ <!-- Set 2 to write many information to syslog -->
+ <Debug>1</Debug>
+
+ <!-- client usage watch mode in default('Http', or 'Time') -->
+ <WatchMode>Http</WatchMode>
+
+ <!-- Syslog (local0, local1, .., local7)-->
+ <Syslog>
+ <Enable>1</Enable>
+ <Facility>local1</Facility>
+ </Syslog>
+
+ <!-- SQLite database file -->
+ <SqliteDb>/tmp/opengate.db</SqliteDb>
+
+ <!-- Allowable duration for users to use network(seconds) -->
+ <!-- If no connection with http, network is closed after this. -->
+ <Duration>
+ <Default>300</Default>
+ <Max>3600</Max>
+ </Duration>
+
+ <!-- Client Live Check (seconds) -->
+ <!-- In HTTP connection, existance of HELLO request. -->
+ <!-- In no connection, check mac address mismatch and no packet. -->
+ <ActiveCheckInterval>50</ActiveCheckInterval>
+
+ <!-- Close when no packet is passed between the interval -->
+ <NoPacketInterval>5400</NoPacketInterval>
+
+ <!-- Watch client with Http Keep-Alive -->
+ <HttpWatch>
+ <!-- HTTP_USER_AGENT that is not compatible with http watch mode -->
+ <!-- defined by "POSIX Extended Regular Expression" -->
+ <SkipAgentPattern>^$</SkipAgentPattern>
+ </HttpWatch>
+
+ <!-- IPFW rule number range and tag number used by opengate -->
+ <IpfwRule>
+ <Min>10000</Min>
+ <Max>40000</Max>
+ <Interval>2</Interval>
+ </IpfwRule>
+
+ <!-- IPFW Tag number used in rc.firewall -->
+ <IpfwTagNumber>123</IpfwTagNumber>
+
+ <!-- Port number range used by opengate -->
+ <ListenPort>
+ <Min>30000</Min>
+ <Max>60000</Max>
+ </ListenPort>
+
+ <!-- communication reply timeout(second) -->
+ <CommWaitTimeout>10</CommWaitTimeout>
+
+ <!-- http reconnect timeout(second) -->
+ <ReconnectTimeout>180</ReconnectTimeout>
+
+ <!-- ipfw exclusive exec lock timeout (second) -->
+ <LockTimeout>10</LockTimeout>
+
+ <!-- max delay from fwd.cgi to auth.cgi (second) -->
+ <ForwardingDelay>300</ForwardingDelay>
+
+
+ <!-- Available HTML languages (first lang is used as default) -->
+ <HtmlLangs>en ja</HtmlLangs>
+
+ <!-- Path to Apache Contents -->
+ <DocumentRoot>/usr/local/www/apache22/data</DocumentRoot>
+ <CgiDir>/cgi-bin</CgiDir>
+ <OpengateDir>/opengate</OpengateDir>
+
+ <!-- HTML Documents (in each language dir)-->
+ <DenyDoc>deny.html</DenyDoc>
+ <AcceptDocHttp>accept-http.html</AcceptDocHttp>
+ <AcceptDocTime>accept-time.html</AcceptDocTime>
+ <AcceptDoc2>accept2.html</AcceptDoc2>
+ <AuthDoc>index.html</AuthDoc>
+ <AuthDocSsl>index-ssl.html</AuthDocSsl>
+ <FwdDoc>topindex.html</FwdDoc>
+ <RetryDoc>retry.html</RetryDoc>
+ <HttpKeepDoc>httpkeep.html</HttpKeepDoc>
+ <SkipAuthDoc>skip-auth.html</SkipAuthDoc>
+
+ <!-- CGI programs -->
+ <AuthCgi>opengateauth.cgi</AuthCgi>
+ <FwdCgi>opengatefwd.cgi</FwdCgi>
+ <MainCgi>opengatesrv.cgi</MainCgi>
+
+ <!-- JavaScript (in opengate dir) -->
+ <HttpKeepJS>httpkeep.js</HttpKeepJS>
+ <Md5JS>md5.js</Md5JS>
+
+ <!-- URL used for retrying -->
+ <ExternalUrl>http://www.google.com/</ExternalUrl>
+
+ <!-- Url to start browsing after authentication -->
+ <!-- type:0=acceptdoc2.html,1=below Url,2=redirected(requested) Url -->
+ <StartPage>
+ <Type>0</Type>
+ <Url>http://www.yahoo.com/</Url>
+ </StartPage>
+
+ <!-- authentication by http-cookie is allowed(1) or not(0) -->
+ <EnableCookieAuth>1</EnableCookieAuth>
+
+ <!-- Related command path -->
+ <ArpPath>/usr/sbin/arp</ArpPath>
+ <NdpPath>/usr/sbin/ndp</NdpPath>
+ <IpfwPath>/sbin/ipfw</IpfwPath>
+ <PsPath>/bin/ps</PsPath>
+
+ <!-- Ipfw is opened via perl script(1) or direct from C(0) -->
+ <IpfwScript>
+ <Enable>0</Enable>
+ <Path>/etc/opengate/ipfwctrl.pl</Path>
+ </IpfwScript>
+
+ <!-- Lock file for exclusive exec to prevent overlapped rule number -->
+ <LockFile>/tmp/opengate.lock</LockFile>
+
+ <!-- Separate char between userID and extraID [userID@extraID] -->
+ <UserIdSeparator>@</UserIdSeparator>
+
+
+ <!-- #### Config for exceptional users, See below document #### -->
+ ## To use below sample, remove the XML comment mark ##
+
+<!-- ## ExtraSet sample 1 ##
+ <ExtraSet ExtraId="guest">
+ <AuthServer>
+ <Address>192.168.0.1</Address>
+ <Protocol>ftp</Protocol>
+ </AuthServer>
+ <IpfwTagNumber>999</IpfwTagNumber>
+
+ </ExtraSet>
+ ## End of sample 1 ## -->
+
+<!-- ## ExtraSet sample 2 ##
+ <ExtraSet ExtraId="admin">
+ <AuthServer>
+ <Protocol>pam</Protocol>
+ </AuthServer>
+ <AuthServer>
+ <Address>192.168.0.1</Address>
+ <Protocol>pop3s</Protocol>
+ <Timeout>10</Timeout>
+ </AuthServer>
+ <AuthServer>
+ <Address>192.168.0.2</Address>
+ <Protocol>ftp</Protocol>
+ <Timeout>10</Timeout>
+ </AuthServer>
+ </ExtraSet>
+ ## End of sample 2 ## -->
+
+<!-- ## ExtraSet sample 3 ##
+ <ExtraSet ExtraId="default" UserIdPattern="^user1$|^user2$">
+ <Syslog>
+ <Enable>1</Enable>
+ <Facility>local2</Facility>
+ </Syslog>
+ </ExtraSet>
+ ## Caution: if no userid is entered, set as userid="?" ##
+ ## End of sample 3 ## -->
+
+</Opengate>
+<!-- ## End of Configuration ## -->
+
+
+
+
+
+<!-- ## Following is only documentation ## -->
+
+<!-- ###### about ExtraSet #######
+
+ <ExtraSet> overwritten on default settings
+
+ You can switch parameter values by userID and extraID
+ entered as [userID@extraID] in userID field on auth page.
+
+ Each <ExtraSet> has conditions such as <.. ExtraId="aaa"> or
+ <.. UserIdPattern="bbb">.
+ The conditions is compared with the string entered in
+ userID field.
+
+ When you set the condition as <.. ExtraId="aaa">,
+ the string [any_user@aaa] is matched and the ExtraSet is used.
+
+ When you set the condition as <.. UserIdPattern="bbb">,
+ the string [any_bbb_any] is matched.
+ UserIdPattern has the form of "POSIX Extended Regular Expression".
+ Matching is insensitive to upper/lower case.
+
+ The <ExtraSet> having both conditions is used when both are true.
+ Omitted condition matched to every string.
+
+ The first matched <ExtraSet> is used, at existing many matched set.
+
+ The paremeters in <ExtraSet> overwrite the default value.
+ When a parameter is not found in <ExtraSet>, the default is used.
+
+ When userID is entered without extraID, ExtraId matchs to "default".
+ Thus if you want to find [user1] only in default server,
+ use as <ExtraSet ExtraId="default" UserIdPattern="^user1$">.
+
+ Example1 is used when user entered as [any_user@guest],
+ where "any_user" is any string.
+ It means that [xxx@guest] uses different auth server.
+
+ Example2 is used when [anyuser@admin].
+ It means that [xxx@adimin] can use many auth servers.
+
+ Example3 is used when [user1] or [user2].
+ It means that [user1] and [user2] emerge specific syslog(eg. mail).
+
+-->
+
+<!-- ###### About AuthServer setting ######
+
+ ########### Format #############
+ {a|b}: a or b, set one of them
+ [ x ]: x is optional
+ -x- : x is a value
+
+ #### TYPE 1 (POP or FTP) ####
+ <AuthServer>
+ <Protocol>{pop3|pop3s|ftp|ftpse|ftpsi}</Protocol>
+ <Address>{-hostname-|-ip_address-}</Address>
+ [ <Port>-portno-</Port> ]
+ [ <Timeout>-seconds-</Timeout> ]
+ </AuthServer>
+ # AuthOK, if request by <Protocol> is accepted by <Address>.
+ # Address is FQDN or IP address
+ # If <Port> is not defined, port number in /etc/services is used.
+ # The request is aborted at <Timeout> seconds.
+ # If <Timeout> is not defined, system value is used.
+ # pop3s is SSLed pop3
+ # ftpse is SSLed ftp run in Explicit mode.
+ # ftpsi is SSLed ftp run in Implicit mode.
+
+ #### TYPE 2 (PAM) ####
+ <AuthServer>
+ <Protocol>pam</Protocol>
+ [ <ServiceName>-servicename_in_pam_conf-</ServiceName> ]
+ [ <Timeout>-second-</Timeout> ]
+ </AuthServer>
+ # Auth by PAM
+ # If not define <ServiceName>, "opengate" is used in "pam.conf".
+
+ #### TYPE 3 (RADIUS) ####
+ <AuthServer>
+ <Protocol>radius</Protocol>
+ [ <ConfFile>-path_to_radius_conf-</ConfFile> ]
+ [ <Timeout>-second-</Timeout> ]
+ </AuthServer>
+ # Auth by RADIUS
+ # If not define <ConfigFile>, "/etc/radius.conf" is used.
+
+ #### TYPE 4 (LDAP) ####
+ <AuthServer>
+ <Protocol>ldap</Protocol>
+ <Uri>-uri-of-ldap-server-</Uri>
+ <BaseDN>-ldap_base_dn_to_search-</BaseDN>
+ [ <Timeout>-second-</Timeout> ]
+ </AuthServer>
+ # Auth by LDAP/LDAPS
+ # Uri examples
+ # 'ldap://foo.bar.com' for NonSSL
+ # 'ldaps://foo.bar.com' for SSL
+ # 'ldaps://foo.bar.com:1234' to use specific port
+
+ #### TYPE 5 (ACCEPT or DENY) ####
+ <AuthServer>
+ <Protocol>{accept|deny}</Protocol>
+ </AuthServer>
+ # The user is accepted or denied without inquiry.
+ # This setting is prepared for debugging.
+
+ #### TYPE 6 (Shibboleth) ####
+ <AuthServer>
+ <Protocol>shibboleth</Protocol>
+ <UidAttribute>-uid-env-var-</UidAttribute>
+ </AuthServer>
+
+ # Auth by Shibboleth
+ # Set 'opengatesrv.cgi/opengateauth.cgi' as SHIB-AUTH in .htaccess
+ # <FILES opengateauth.cgi>
+ # AuthType shibboleth
+ # ShibRequestSetting requireSession 1
+ # ShibRequireSession On
+ # ShibUseHeaders On
+ # require valid-user
+ # </FILES>
+ # <FILES opengatesrv.cgi>
+ # AuthType shibboleth
+ # ShibRequestSetting requireSession 1
+ # ShibRequireSession On
+ # ShibUseHeaders On
+ # require valid-user
+ # </FILES>
+ # 'UidAttiribute' means the environment variable for UserId
+
+ #### TYPE 7 (Http Basic) ####
+ <AuthServer>
+ <Protocol>httpbasic</Protocol>
+ </AuthServer>
+
+ # Auth by http-basic
+ # Set 'opengatesrv.cgi' as BASIC-AUTH in .htaccess
+ # <FILES opengatesrv.cgi>
+ # AuthType Basic
+ # AuthUserFile /tmp/passwd.dat
+ # AuthName "User"
+ # require valid-user
+ # </FILES>
+ # environment variable REMOTE_USER is used for userid
+-->
+
+<!-- ######## Examples of Auth Server Setting ##############
+ <AuthServer>
+ <Address>pop.saga-u.ac.jp</Address>
+ <Protocol>pop3s</Protocol>
+ <Timeout>30</Timeout>
+ </AuthServer>
+
+ <AuthServer>
+ <Protocol>ldap</Protocol>
+ <Uri>ldaps://ldap.saga-u.ac.jp</Uri>
+ <BaseDN>ou=people,dc=saga-u,dc=ac,dc=jp</BaseDN>
+ <Timeout>5</Timeout>
+ </AuthServer>
+
+ <AuthServer>
+ <Address>192.168.0.1</Address>
+ <Protocol>ftpsi</Protocol>
+ <Timeout>15</Timeout>
+ </AuthServer>
+
+ <AuthServer>
+ <Protocol>radius</Protocol>
+ </AuthServer>
+
+ <AuthServer>
+ <Protocol>pam</Protocol>
+ </AuthServer>
+-->
+
+<!-- ####### An Example of Multiple authentication servers ######
+ If multiple auth servers are set, check these servers sequentially.
+ When denied by a server, request is sent to the next one.
+ And when accepted by a server, following servers are ignored.
+
+ <AuthServer>
+ setting for first priority
+ </AuthServer>
+ <AuthServer>
+ setting for second priority
+ </AuthServer>
+ <AuthServer>
+ setting for third priority
+ </AuthServer>
+
+-->
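Review bot: The new session database and the ipfw lock both live in the world-writable `/tmp` (`<SqliteDb>/tmp/opengate.db</SqliteDb>` and `<LockFile>/tmp/opengate.lock</LockFile>`), so any local account on the gateway can pre-create or symlink those paths before the daemon does, and whatever state backs `<EnableCookieAuth>1</EnableCookieAuth>` presumably ends up in that file as well; a directory owned by the service user, e.g. `<SqliteDb>/var/db/opengate/opengate.db</SqliteDb>` with a matching `LockFile`, is the safer default. ExtraSet sample 1 changed the guest example from `pop3s` to plain `<Protocol>ftp</Protocol>` and sample 2 adds an `ftp` server too, which sends the user's password in cleartext to 192.168.0.1/192.168.0.2 — keeping the samples on `pop3s`/`ftpsi`, or adding a comment that `ftp` and `ldap://` carry credentials unencrypted and belong only on a trusted network, avoids them being copied as-is. The Http Basic example's `AuthUserFile /tmp/passwd.dat` has the same world-writable-directory problem and should point to something like `/etc/opengate/passwd.dat`. Shipping `<Debug>1</Debug>` as the default means more than open/close and error events go to syslog, but the comment does not say whether that includes userIDs or other request data, so a one-line note on what level 1 emits would help operators judge the exposure.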