[opengatem/opengatem.git] / conf / opengatemmng.conf.sample

<?xml version="1.0"?>
<Opengatemmng ConfigVersion="0.7.5">

        <!-- #########################################################
             ## Opengate gateway server hostname(FQDN or IP address)## -->
        <OpengateServerName>opengate.example.com</OpengateServerName>

        <!-- Debug dump level -->
        <!-- Set 0 to write only open/close and error messages to syslog -->
        <!-- Set 1 to write some information adding to 0 -->
        <!-- Set 2 to write many information to syslog -->
        <!-- Set 3 to write more information to syslog -->
        <Debug>1</Debug>

        <!-- Syslog (local0, local1, .., local7)-->
        <Syslog>
                <Enable>1</Enable>
                <Facility>local1</Facility>
        </Syslog>

        <!-- ### MUST BE MODIFIED ## -->
        <!-- network interface device name -->
        <Device>fxp0</Device> 

        <!-- ### MUST BE MODIFIED ## -->
        <!-- auth server setting for administrators(watanaby,admin1,admin2) -->
        <AuthServer>
                <UserType>admin</UserType>
                <Protocol>pop3s</Protocol>
                <Address>192.168.0.2</Address>
                <AcceptUsers>watanaby admin1 admin2</AcceptUsers>
        </AuthServer>

        <!-- ### MUST BE MODIFIED ## -->
        <!-- auth server setting for normal(not admin) users  -->
        <AuthServer>
                <Protocol>shibboleth</Protocol>
                <UidAttribute>uid</UidAttribute>
                <EppnAttribute>eppn</EppnAttribute>
                <MailAttribute>mail</MailAttribute>
        </AuthServer>

        <!-- ### MUST BE MODIFIED ## -->
        <!-- # Set hosts where opengateMd (daemon) is running # --> 
        <!-- Daemon acts as UDP server and opengateMmng as clients -->
        <!-- DB update is transmitted immediately with this UDP --> 
        <!-- (If failed, update is transmitted after cache timeout) --> 
        <!-- Following set the servers [address port] receiving UDP -->
        <!-- Be care to set firewall properly to pass the packet -->
        <UdpServer>127.0.0.1 4989</UdpServer>
        <!-- <UdpServer>192.168.1.1 4989</UdpServer> -->
        <!-- <UdpServer>192.168.2.1 4989</UdpServer> -->
        <!-- <UdpServer>192.168.3.1 4989</UdpServer> -->

        <!-- ### MUST BE MODIFIED ## -->
        <!-- MySql database (for mac address management) parameters -->
        <MySqlDb>
                <Server>localhost</Server>
                <User>root</User>
                <Password></Password>
                <Database>opengatem</Database>
        </MySqlDb>

        <!-- ### MUST BE MODIFIED ## -->
        <!-- Terminal allowed to register by owner oneself -->
        <!-- The terminal type is checked by http-agent pattern 
        having the form of "POSIX Extended Regular Expression".
        Matching is sensitive to upper/lower case. 
        If set NULL string, ALL agents are allowed -->
        <!-- Can set multiple pattern tags. -->

        <!-- TO ACTIVATE AGENT FILTER, REMOVE THIS COMMENT OUT TAG
        <AllowableAgentPattern>iPhone|iPad|iPod|Android</AllowableAgentPattern>
        <AllowableAgentPattern>Windows Phone|Windows CE</AllowableAgentPattern>
        <AllowableAgentPattern>BlackBerry|RIM Tablet</AllowableAgentPattern>
        -->

        <!--  on click, network is opened in this time and closed (Sec) -->
        <OpenTimeout>60</OpenTimeout>

        <!-- SQLite busy timeout (milli-seconds) -->
        <SqliteBusyTimeout>100</SqliteBusyTimeout>
        
        <!-- SQLite database file -->
        <!-- opengatemd work db -->
        <SqliteDbMd>/tmp/opengatemd.db</SqliteDbMd>

        <!-- opengatemmng work db -->
        <SqliteDbMmng>/tmp/opengatemng.db</SqliteDbMmng>

        <!-- SQLite database file -->
        <!-- for opengate session management -->
        <SqliteDb>/tmp/opengate.db</SqliteDb>

        <!-- IPFW rule number range and tag number used by opengate -->
        <IpfwRule>
                <Min>10000</Min>
                <Max>40000</Max>
                <Interval>1</Interval>
        </IpfwRule>

        <!-- Ipfw is opened via perl script(1) or direct from C(0) -->
        <IpfwScript>
                <Enable>0</Enable>
                <Path>/etc/opengate/ipfwctrlmd.pl</Path>
        </IpfwScript>

        <!-- IPFW Tag number used in rc.firewall -->
        <IpfwTagNumber>123</IpfwTagNumber>

        <!-- Related command path -->
        <IpfwPath>/sbin/ipfw</IpfwPath>

        <!-- ipfw exclusive exec lock timeout (second) -->
        <LockTimeout>10</LockTimeout>

        <!-- Lock file to prevent overlapped ipfw rule number -->
        <!-- exclusive execution to opengate processes -->
        <LockFile>/tmp/opengate.lock</LockFile>

        <!-- daemon programs -->
        <MacCheckDaemon>opengatemd</MacCheckDaemon>

        <!-- Lock file to prevent overlapped daemon proc -->
        <DaemonLockFile>/tmp/opengatemd.lock</DaemonLockFile>

        <!-- Maximum count of register devices for one user -->
        <MaxDevices>5</MaxDevices>

        <!-- Mac Address Expiration Date(in MySql Date Format) -->
        <LimitDate>adddate(last_day(adddate(now(),interval 15 day)),interval 1 day)</LimitDate>

        <!-- The Date to Show Log in Web Page(in MySql Date Format) -->
        <ShowLogAfter>adddate(now(), interval -1 month)</ShowLogAfter>

        <!-- Available HTML languages (first lang is used as default) -->
        <HtmlLangs>ja en</HtmlLangs>

        <!-- Path to Apache Contents -->
        <DocumentRoot>/usr/local/www/apache24/data</DocumentRoot>
        <CgiDir>/cgi-bin</CgiDir>
        <OpengateDir>/opengate</OpengateDir>

        <!-- HTML Documents (in each language dir)-->
        <DenyDoc>macdeny.html</DenyDoc>
        <CheckDoc>macchk.html</CheckDoc>
        <RegisterDoc>macreg.html</RegisterDoc>
        <UpdateDoc>macupdate.html</UpdateDoc>
        <AuthDoc>macauth.html</AuthDoc>
        <AuthAdminDoc>macauth.html</AuthAdminDoc>
        <OwnRegisterDoc>macreg.html</OwnRegisterDoc>
        <OwnUpdateDoc>macupdate.html</OwnUpdateDoc>
        <FwdDoc>macfwd.html</FwdDoc>
        <ReturnDoc>macreturn.html</ReturnDoc>

        <!-- timeout for above return jump -->
        <ReturnWaitTime>3</ReturnWaitTime>

        <!-- Related command path -->
        <ArpPath>/usr/sbin/arp</ArpPath>
        <NdpPath>/usr/sbin/ndp</NdpPath>

        <!-- CGIs -->
        <CheckCgi>opengatemchk.cgi</CheckCgi>
        <RegisterCgi>opengatemreg.cgi</RegisterCgi>
        <UpdateCgi>opengatemup.cgi</UpdateCgi>
        <OwnCgi>opengatemown.cgi</OwnCgi>
        <JumpCgi>opengatemown.cgi</JumpCgi> <!-- to insert page, modify this -->
        <FwdCgi>opengatemfwd.cgi</FwdCgi>

        <!-- maximum request count per day to modify mac registraion -->
        <MaxMacModifyPerDay>30</MaxMacModifyPerDay>

        <!-- cookie name to hold the dmin/user authentication state -->
        <AuthAdminCookie>OpengatemAdmin</AuthAdminCookie>
        <AuthUserCookie>OpengatemUser</AuthUserCookie>

        <!-- Limit Date Warning Mail -->
        <Mail>
                <CmdPath>/bin/rmail</CmdPath>
                <Content>/etc/opengate/warningmail</Content>
                <Timing>date(now())=date(adddate(limitDate, interval -7 day)) or date(now())=date(adddate(limitDate, interval -1 day))</Timing>
        </Mail>

        <!-- Separate char between userID and extraID [userID@extraID] -->
        <UserIdSeparator>@</UserIdSeparator>

</Opengatemmng> 
<!-- ## End of Configuration ## -->


<!-- ## Following is only documentation ## -->


<!--    ######################################
        ###### About AuthServer setting ######
        
        ########### Format ############# 
                {a|b}: a or b, set one of them 
                [ x ]: x is optional
                 -x- : x is a value
        
        #### TYPE 1 (POP or FTP) ####
        <AuthServer>
                <Protocol>{pop3|pop3s|ftp|ftpse|ftpsi}</Protocol>
                <Address>{-hostname-|-ip_address-}</Address>
                [ <Port>-portno-</Port> ]
                [ <Timeout>-seconds-</Timeout> ]
                [<MailDomain>-mail-address-after-@-</MailDomain>]
        </AuthServer>
        #   AuthOK, if request by <Protocol> is accepted by <Address>.
        #   Address is FQDN or IP address       
        #   If <Port> is not defined, port number in /etc/services is used.
        #   The request is aborted at <Timeout> seconds.
        #   If <Timeout> is not defined, system value is used.
        #   pop3s is SSLed pop3
        #   ftpse is SSLed ftp run in Explicit mode. 
        #   ftpsi is SSLed ftp run in Implicit mode.

        #   MailDomain indicates the domain to which warning mail is sent.
        #    if userid=watanaby and MailDomain=og.saga-u.ac.jp, 
        #     time-limit-warning-mail is sent to watanaby@og.saga-u.ac.jp.

        #### TYPE 2 (PAM) ####
        <AuthServer>
                <Protocol>pam</Protocol>
                [ <ServiceName>-servicename_in_pam_conf-</ServiceName> ]
                [ <Timeout>-second-</Timeout> ]
                [<MailDomain>-mail-address-after-@-</MailDomain>]
        </AuthServer>
        #   Auth by PAM
        #   If not define <ServiceName>, "opengate" is used in "pam.conf".

        #### TYPE 3 (RADIUS) ####
        <AuthServer>
                <Protocol>radius</Protocol>
                [ <ConfFile>-path_to_radius_conf-</ConfFile> ]
                [ <Timeout>-second-</Timeout> ]
                [<MailDomain>-mail-address-after-@-</MailDomain>]
        </AuthServer>
        #   Auth by RADIUS
        #   If not define <ConfigFile>, "/etc/radius.conf" is used.
        
        #### TYPE 4 (LDAP) ####
        <AuthServer>
                <Protocol>ldap</Protocol>
                <Uri>-uri-of-ldap-server-</Uri>
                <BaseDN>-ldap_base_dn_to_search-</BaseDN>
                [ <Timeout>-second-</Timeout> ]
                [<MailDomain>-mail-address-after-@-</MailDomain>]
        </AuthServer>
        #   Auth by LDAP/LDAPS
        #   Uri examples
        #     'ldap://foo.bar.com' for NonSSL
        #     'ldaps://foo.bar.com' for SSL
        #     'ldaps://foo.bar.com:1234' to use specific port
        
        #### TYPE 5 (ACCEPT or DENY) ####
        <AuthServer>
                <Protocol>{accept|deny}</Protocol>
                [<MailDomain>-mail-address-after-@-</MailDomain>]
        </AuthServer>
        #   The user is accepted or denied without inquiring auth.
        #   ***This setting is prepared for debugging***

        #### TYPE 6 (Shibboleth) ####
        <AuthServer>
                <Protocol>shibboleth</Protocol>
                <UidAttribute>-env-vars-for-uid-</UidAttribute>
                [<OrgAttribute>-env-vars-for-uid-</OrgAttribute>]
                [<EppnAttribute>-env-vars-for-eppn-</EppnAttribute>]
                [<MailAttribute>-env-vars-for-mail-address-</MailAttribute>]
                [<MailDomain>-mail-address-after-@-</MailDomain>]
        </AuthServer>
        #   Auth by Shibboleth

        #   'UidAttiribute' means the environment variable having UserId
        #       in the organization.
        #     E.G., 
        #     <UidAttribute>uid persistent-id targeted-id</UidAttribute>
        #       left item has priority, if not found, search next item

        #   'OrgAttiribute' means the environment variable having Organization
        #     E.G., 
        #     <OrgAttribute>o affiliation Shib-Identity-Provider</OrgAttribute>
        #       left item has priority, if not found, search next item

        #   'EppnAttiribute' means the environment variable having
        #     ePPN(edu person pricipal name 'user@org') or other global id 
        #     E.G., 
        #     <EppnAttribute>eppn mail</EppnAttribute>
        #       left item has priority, if not found, search next item

        #     If Uid and Eppn are defined, Uid has priority.

        #   'MailAttiribute' means the environment variable for mail-address
        #     E.G., 
        #     <MailAttribute>mail</MailAttribute>
        #       left item has priority, if not found, search next item

        #   Set 'opengatemXXX.cgi as 'shibboleth' in .htaccess
        #    <FILES opengatemXXX.cgi>
        #      AuthType shibboleth
        #      ShibRequestSetting requireSession 1
        #      ShibRequireSession On
        #      ShibUseHeaders On
        #      require valid-user
        #    </FILES>
        #    ***Only one Shibboleth setting is permitted in conf***

        #### TYPE 7 (Http Basic) ####
        <AuthServer>
                <Protocol>httpbasic</Protocol>
                [<MailDomain>-mail-address-after-@-</MailDomain>]
        </AuthServer>
        #   Auth by http-basic
        #   Set 'opengatemXXX.cgi' as 'Basic' in .htaccess
        #    <FILES opengateXXX.cgi>
        #      AuthType Basic
        #      AuthServerFile /tmp/passwd.dat
        #      AuthName "User"
        #      require valid-user
        #    </FILES>
        #   environment variable REMOTE_USER is used for userid
        #   ***Only one Httpbasic setting is permitted in conf***

        #### TYPE 8 (Splash Page Only) ####
        <AuthServer>
                <Protocol>splash</Protocol>
        </AuthServer>
        #   No authentication. Splash page only management.
        #   Use this when you don't want to identify user,
        #   but only want to show an agreement or usage policy page.
        #   The message should be described in macfwd.html.
        #   If accept response is required, remove the Refresh setting.

-->     

<!--    ######## Examples of Auth Server Setting ##############
        <AuthServer>
                <Protocol>pop3s</Protocol>
                <Address>pop.saga-u.ac.jp</Address>
                <Timeout>30</Timeout>
                <MailDomain>og.saga-u.ac.jp</MailDomain>
        </AuthServer>

        <AuthServer>
                <Protocol>ldap</Protocol>
                <Uri>ldaps://ldap.saga-u.ac.jp</Uri>
                <BaseDN>ou=people,dc=saga-u,dc=ac,dc=jp</BaseDN>
                <Timeout>5</Timeout>
                <MailDomain>og.saga-u.ac.jp</MailDomain>
        </AuthServer>

        <AuthServer>
                <Address>192.168.0.1</Address>
                <Protocol>ftpsi</Protocol>
                <Timeout>15</Timeout>
                <MailDomain>og.saga-u.ac.jp</MailDomain>
        </AuthServer>

        <AuthServer>
                <Protocol>radius</Protocol>
                <MailDomain>og.saga-u.ac.jp</MailDomain>
        </AuthServer>

        <AuthServer>
                <Protocol>pam</Protocol>
                <MailDomain>og.saga-u.ac.jp</MailDomain>
        </AuthServer>

        <AuthServer>
                <Protocol>shibboleth</Protocol>
                <UidAttribute>uid</UidAttribute>
                <OrgAttribute>o</OrgAttribute>
                <EppnAttribute>eppn</EppnAttribute>
                <MailAttribute>mail</MailAttribute>
        </AuthServer>

        <AuthServer>
                <Protocol>httpbasic</Protocol>
                <MailDomain>og.saga-u.ac.jp</MailDomain>
        </AuthServer>

-->

<!--    ####### An Example of Multiple authentication servers ######
        If multiple auth servers are set, check these servers sequentially.
        When denied by first server, request is sent to the next one.
        When accepted by a server, following servers are ignored.

        <AuthServer>
                setting for first priority
        </AuthServer>
        <AuthServer>
                setting for second priority
        </AuthServer>
        <AuthServer>
                setting for third priority
        </AuthServer>

-->
<!--    ######################################
        #### Config for exceptional users ####
 -->
<!--    ###### about ExtraSet #######

     <ExtraSet> overwritten on default settings 

        You can switch parameter values by userID and extraID 
        entered as [userID@extraID] in userID field on auth page.
        
        Each <ExtraSet> has conditions such as <.. ExtraId="aaa"> or 
        <.. UserIdPattern="bbb">, or etc.
        The conditions is compared with the string entered in 
        userID field.

        When you set the condition as <.. ExtraId="aaa">, 
         [extraId] equal to [aaa] is matched (eg, xx@aaa).
                
        When you set the condition as <.. UserIdPattern="bbb">,
         [userId] including [bbb] is matched (eg, xbbbx@xx).

        When you set the condition as <.. UserExtraPattern="bbb">,
         [userId@extraId] including [bbb] is matched (eg, xbbbx@xx, aa@xbbbx).

        When you set the condition as <.. UserExtraPatternNot="bbb">,
         string NOT including [bbb] is matched.

        Pattern has the form of "POSIX Extended Regular Expression".
        Matching is insensitive to upper/lower case.
        
        The <ExtraSet> having multi-conditions is used when both are true.
        Omitted condition matched to every string. 

        The first matched <ExtraSet> is used, at existing many matched set.

        The paremeters in <ExtraSet> overwrite the default value.
        When a parameter is not found in <ExtraSet>, the default is used.
        
        When userID is entered without extraID, ExtraId matchs to "default".
        Thus if you want to find [user1] only in default server,
        use as <ExtraSet ExtraId="default" UserIdPattern="^user1$">.

        Example1 is used when user entered as [any_user@guest],
        where "any_user" is any string.
        It means that [xxx@guest] uses different auth server.

        Example2 is used when [anyuser@admin].
        It means that [xxx@adimin] can use many auth servers.

        Example3 is used when [user1] or [user2].
        It means that [user1] and [user2] emerge specific syslog(eg. mail).
-->
<!--    ## ExtraSet sample 1 ##
        <ExtraSet ExtraId="guest">
                <AuthServer>
                        <Address>192.168.0.1</Address>
                        <Protocol>ftp</Protocol>
                </AuthServer>
                <IpfwTagNumber>999</IpfwTagNumber>

        </ExtraSet>
        ## End of sample 1 ##
-->
<!--    ## ExtraSet sample 2 ##
        <ExtraSet ExtraId="admin">
                <AuthServer>
                        <Protocol>pam</Protocol>
                </AuthServer>
                <AuthServer>
                        <Address>192.168.0.1</Address>
                        <Protocol>pop3s</Protocol>
                        <Timeout>10</Timeout>
                </AuthServer>
                <AuthServer>
                        <Address>192.168.0.2</Address>
                        <Protocol>ftp</Protocol>
                        <Timeout>10</Timeout>
                </AuthServer>
        </ExtraSet>
        ## End of sample 2 ##  
-->
<!--    ## ExtraSet sample 3 ##
        <ExtraSet ExtraId="default" UserIdPattern="^user1$|^user2$">    
                <Syslog>
                        <Enable>1</Enable>
                        <Facility>local2</Facility>
                </Syslog>
        </ExtraSet>
        ## Caution: if no userid is entered, set as userid="?"  ##
        ## End of sample 3 ##
-->