2 <Opengatemmng ConfigVersion="0.7.5">
4 <!-- #########################################################
5 ## Opengate gateway server hostname (FQDN or IP address) ## -->
6 <OpengateServerName>opengate.example.com</OpengateServerName>
8 <!-- Debug dump level -->
9 <!-- Set 0 to write only open/close and error messages to syslog -->
10 <!-- Set 1 to write some additional information beyond level 0 -->
11 <!-- Set 2 to write a lot of information to syslog -->
12 <!-- Set 3 to write even more information to syslog -->
15 <!-- Syslog facility (local0, local1, ..., local7) -->
18 <Facility>local1</Facility>
21 <!-- ### MUST BE MODIFIED ## -->
22 <!-- network interface device name -->
25 <!-- ### MUST BE MODIFIED ## -->
26 <!-- auth server setting for administrators (watanaby, admin1, admin2) -->
28 <UserType>admin</UserType>
29 <Protocol>pop3s</Protocol>
30 <Address>192.168.0.2</Address>
31 <AcceptUsers>watanaby admin1 admin2</AcceptUsers>
34 <!-- ### MUST BE MODIFIED ## -->
35 <!-- auth server setting for normal (non-admin) users -->
37 <Protocol>shibboleth</Protocol>
38 <UidAttribute>uid</UidAttribute>
39 <EppnAttribute>eppn</EppnAttribute>
40 <MailAttribute>mail</MailAttribute>
43 <!-- ### MUST BE MODIFIED ## -->
44 <!-- # Set the hosts where opengateMd (the daemon) is running # -->
45 <!-- The daemon acts as the UDP server and opengateMmng as the client -->
46 <!-- DB updates are sent immediately over this UDP channel -->
47 <!-- (If sending fails, the update is applied after the cache timeout) -->
48 <!-- The following entries set the servers [address port] that receive the UDP packets -->
49 <!-- Be careful to configure the firewall so that these packets are passed -->
50 <UdpServer>127.0.0.1 4989</UdpServer>
51 <!-- <UdpServer>192.168.1.1 4989</UdpServer> -->
52 <!-- <UdpServer>192.168.2.1 4989</UdpServer> -->
53 <!-- <UdpServer>192.168.3.1 4989</UdpServer> -->
55 <!-- ### MUST BE MODIFIED ## -->
56 <!-- MySQL database parameters (for MAC address management) -->
58 <Server>localhost</Server>
61 <Database>opengatem</Database>
64 <!-- ### MUST BE MODIFIED ## -->
65 <!-- Terminals that owners are allowed to register by themselves -->
66 <!-- The terminal type is checked against the HTTP User-Agent string with a pattern
67 in the form of a "POSIX Extended Regular Expression".
68 Matching is case-sensitive.
69 If an empty string is set, ALL agents are allowed -->
70 <!-- Multiple pattern tags can be set. -->
72 <!-- TO ACTIVATE THE AGENT FILTER, REMOVE THIS COMMENT-OUT TAG
73 <AllowableAgentPattern>iPhone|iPad|iPod|Android</AllowableAgentPattern>
74 <AllowableAgentPattern>Windows Phone|Windows CE</AllowableAgentPattern>
75 <AllowableAgentPattern>BlackBerry|RIM Tablet</AllowableAgentPattern>
78 <!-- on click, the network is opened for this length of time and then closed (seconds) -->
79 <OpenTimeout>60</OpenTimeout>
81 <!-- SQLite busy timeout (milli-seconds) -->
82 <SqliteBusyTimeout>100</SqliteBusyTimeout>
84 <!-- SQLite database file -->
85 <!-- opengatemd work db -->
86 <SqliteDbMd>/tmp/opengatemd.db</SqliteDbMd>
88 <!-- opengatemmng work db -->
89 <SqliteDbMmng>/tmp/opengatemng.db</SqliteDbMmng>
91 <!-- SQLite database file -->
92 <!-- for opengate session management -->
93 <SqliteDb>/tmp/opengate.db</SqliteDb>
95 <!-- IPFW rule number range and tag number used by opengate -->
99 <Interval>1</Interval>
102 <!-- Ipfw is opened via the Perl script (1) or directly from C (0) -->
105 <Path>/etc/opengate/ipfwctrlmd.pl</Path>
108 <!-- IPFW Tag number used in rc.firewall -->
109 <IpfwTagNumber>123</IpfwTagNumber>
111 <!-- Related command path -->
112 <IpfwPath>/sbin/ipfw</IpfwPath>
114 <!-- ipfw exclusive exec lock timeout (seconds) -->
115 <LockTimeout>10</LockTimeout>
117 <!-- Lock file to prevent overlapping ipfw rule numbers -->
118 <!-- (exclusive execution among opengate processes) -->
119 <LockFile>/tmp/opengate.lock</LockFile>
121 <!-- daemon programs -->
122 <MacCheckDaemon>opengatemd</MacCheckDaemon>
124 <!-- Lock file to prevent overlapping daemon processes -->
125 <DaemonLockFile>/tmp/opengatemd.lock</DaemonLockFile>
127 <!-- Maximum number of registered devices for one user -->
128 <MaxDevices>5</MaxDevices>
130 <!-- MAC address expiration date (as a MySQL date expression) -->
131 <LimitDate>adddate(last_day(adddate(now(),interval 15 day)),interval 1 day)</LimitDate>
133 <!-- The date after which log entries are shown in the web page (as a MySQL date expression) -->
134 <ShowLogAfter>adddate(now(), interval -1 month)</ShowLogAfter>
136 <!-- Available HTML languages (the first language is used as the default) -->
137 <HtmlLangs>ja en</HtmlLangs>
139 <!-- Path to Apache Contents -->
140 <DocumentRoot>/usr/local/www/apache24/data</DocumentRoot>
141 <CgiDir>/cgi-bin</CgiDir>
142 <OpengateDir>/opengate</OpengateDir>
144 <!-- HTML documents (in each language directory) -->
145 <DenyDoc>macdeny.html</DenyDoc>
146 <CheckDoc>macchk.html</CheckDoc>
147 <RegisterDoc>macreg.html</RegisterDoc>
148 <UpdateDoc>macupdate.html</UpdateDoc>
149 <AuthDoc>macauth.html</AuthDoc>
150 <AuthAdminDoc>macauth.html</AuthAdminDoc>
151 <OwnRegisterDoc>macreg.html</OwnRegisterDoc>
152 <OwnUpdateDoc>macupdate.html</OwnUpdateDoc>
153 <FwdDoc>macfwd.html</FwdDoc>
154 <ReturnDoc>macreturn.html</ReturnDoc>
156 <!-- timeout for the return jump above -->
157 <ReturnWaitTime>3</ReturnWaitTime>
159 <!-- Related command path -->
160 <ArpPath>/usr/sbin/arp</ArpPath>
161 <NdpPath>/usr/sbin/ndp</NdpPath>
164 <CheckCgi>opengatemchk.cgi</CheckCgi>
165 <RegisterCgi>opengatemreg.cgi</RegisterCgi>
166 <UpdateCgi>opengatemup.cgi</UpdateCgi>
167 <OwnCgi>opengatemown.cgi</OwnCgi>
168 <JumpCgi>opengatemown.cgi</JumpCgi> <!-- to insert a page, modify this -->
169 <FwdCgi>opengatemfwd.cgi</FwdCgi>
171 <!-- maximum number of requests per day to modify a MAC registration -->
172 <MaxMacModifyPerDay>30</MaxMacModifyPerDay>
174 <!-- cookie names that hold the admin/user authentication state -->
175 <AuthAdminCookie>OpengatemAdmin</AuthAdminCookie>
176 <AuthUserCookie>OpengatemUser</AuthUserCookie>
178 <!-- Limit Date Warning Mail -->
180 <CmdPath>/bin/rmail</CmdPath>
181 <Content>/etc/opengate/warningmail</Content>
182 <Timing>date(now())=date(adddate(limitDate, interval -7 day)) or date(now())=date(adddate(limitDate, interval -1 day))</Timing>
185 <!-- Separator character between userID and extraID [userID@extraID] -->
186 <UserIdSeparator>@</UserIdSeparator>
189 <!-- ## End of Configuration ## -->
192 <!-- ## Following is only documentation ## -->
195 <!-- ######################################
196 ###### About AuthServer setting ######
198 ########### Format #############
199 {a|b}: a or b, set one of them
203 #### TYPE 1 (POP or FTP) ####
205 <Protocol>{pop3|pop3s|ftp|ftpse|ftpsi}</Protocol>
206 <Address>{-hostname-|-ip_address-}</Address>
207 [ <Port>-portno-</Port> ]
208 [ <Timeout>-seconds-</Timeout> ]
209 [<MailDomain>-mail-address-after-@-</MailDomain>]
211 # Auth is OK if a login request via <Protocol> is accepted by <Address>.
212 # Address is an FQDN or IP address
213 # If <Port> is not defined, the port number from /etc/services is used.
214 # The request is aborted after <Timeout> seconds.
215 # If <Timeout> is not defined, the system value is used.
216 # pop3s is pop3 over SSL
217 # ftpse is ftp over SSL run in Explicit mode.
218 # ftpsi is ftp over SSL run in Implicit mode.
220 # MailDomain indicates the domain to which the warning mail is sent.
221 # For example, if userid=watanaby and MailDomain=og.saga-u.ac.jp,
222 # the time-limit warning mail is sent to watanaby@og.saga-u.ac.jp.
224 #### TYPE 2 (PAM) ####
226 <Protocol>pam</Protocol>
227 [ <ServiceName>-servicename_in_pam_conf-</ServiceName> ]
228 [ <Timeout>-second-</Timeout> ]
229 [<MailDomain>-mail-address-after-@-</MailDomain>]
232 # If <ServiceName> is not defined, "opengate" is used as the service name in "pam.conf".
234 #### TYPE 3 (RADIUS) ####
236 <Protocol>radius</Protocol>
237 [ <ConfFile>-path_to_radius_conf-</ConfFile> ]
238 [ <Timeout>-second-</Timeout> ]
239 [<MailDomain>-mail-address-after-@-</MailDomain>]
242 # If <ConfigFile> is not defined, "/etc/radius.conf" is used.
244 #### TYPE 4 (LDAP) ####
246 <Protocol>ldap</Protocol>
247 <Uri>-uri-of-ldap-server-</Uri>
248 <BaseDN>-ldap_base_dn_to_search-</BaseDN>
249 [ <Timeout>-second-</Timeout> ]
250 [<MailDomain>-mail-address-after-@-</MailDomain>]
254 # 'ldap://foo.bar.com' for non-SSL
255 # 'ldaps://foo.bar.com' for SSL
256 # 'ldaps://foo.bar.com:1234' to use a specific port
258 #### TYPE 5 (ACCEPT or DENY) ####
260 <Protocol>{accept|deny}</Protocol>
261 [<MailDomain>-mail-address-after-@-</MailDomain>]
263 # The user is accepted or denied without consulting any auth server.
264 # ***This setting is intended for debugging only***
266 #### TYPE 6 (Shibboleth) ####
268 <Protocol>shibboleth</Protocol>
269 <UidAttribute>-env-vars-for-uid-</UidAttribute>
270 [<OrgAttribute>-env-vars-for-uid-</OrgAttribute>]
271 [<EppnAttribute>-env-vars-for-eppn-</EppnAttribute>]
272 [<MailAttribute>-env-vars-for-mail-address-</MailAttribute>]
273 [<MailDomain>-mail-address-after-@-</MailDomain>]
277 # 'UidAttribute' names the environment variable that holds the UserId
278 # within the organization.
280 # <UidAttribute>uid persistent-id targeted-id</UidAttribute>
281 # The leftmost item has priority; if it is not found, the next item is searched
283 # 'OrgAttribute' names the environment variable that holds the Organization
285 # <OrgAttribute>o affiliation Shib-Identity-Provider</OrgAttribute>
286 # The leftmost item has priority; if it is not found, the next item is searched
288 # 'EppnAttribute' names the environment variable that holds the
289 # ePPN (eduPersonPrincipalName, 'user@org') or another global id
291 # <EppnAttribute>eppn mail</EppnAttribute>
292 # The leftmost item has priority; if it is not found, the next item is searched
294 # If Uid and Eppn are defined, Uid has priority.
296 # 'MailAttribute' names the environment variable that holds the mail address
298 # <MailAttribute>mail</MailAttribute>
299 # The leftmost item has priority; if it is not found, the next item is searched
301 # Set 'opengatemXXX.cgi' as 'shibboleth' in .htaccess
302 # <FILES opengatemXXX.cgi>
303 # AuthType shibboleth
304 # ShibRequestSetting requireSession 1
305 # ShibRequireSession On
309 # ***Only one Shibboleth setting is permitted in conf***
311 #### TYPE 7 (Http Basic) ####
313 <Protocol>httpbasic</Protocol>
314 [<MailDomain>-mail-address-after-@-</MailDomain>]
317 # Set 'opengatemXXX.cgi' as 'Basic' in .htaccess
318 # <FILES opengateXXX.cgi>
320 # AuthServerFile /tmp/passwd.dat
324 # The environment variable REMOTE_USER is used as the userid
325 # ***Only one Httpbasic setting is permitted in conf***
327 #### TYPE 8 (Splash Page Only) ####
329 <Protocol>splash</Protocol>
331 # No authentication; management by splash page only.
332 # Use this when you do not want to identify the user,
333 # but only want to show an agreement or usage-policy page.
334 # The message should be written in macfwd.html.
335 # If an explicit accept response is required, remove the Refresh setting.
339 <!-- ######## Examples of Auth Server Setting ##############
341 <Protocol>pop3s</Protocol>
342 <Address>pop.saga-u.ac.jp</Address>
343 <Timeout>30</Timeout>
344 <MailDomain>og.saga-u.ac.jp</MailDomain>
348 <Protocol>ldap</Protocol>
349 <Uri>ldaps://ldap.saga-u.ac.jp</Uri>
350 <BaseDN>ou=people,dc=saga-u,dc=ac,dc=jp</BaseDN>
352 <MailDomain>og.saga-u.ac.jp</MailDomain>
356 <Address>192.168.0.1</Address>
357 <Protocol>ftpsi</Protocol>
358 <Timeout>15</Timeout>
359 <MailDomain>og.saga-u.ac.jp</MailDomain>
363 <Protocol>radius</Protocol>
364 <MailDomain>og.saga-u.ac.jp</MailDomain>
368 <Protocol>pam</Protocol>
369 <MailDomain>og.saga-u.ac.jp</MailDomain>
373 <Protocol>shibboleth</Protocol>
374 <UidAttribute>uid</UidAttribute>
375 <OrgAttribute>o</OrgAttribute>
376 <EppnAttribute>eppn</EppnAttribute>
377 <MailAttribute>mail</MailAttribute>
381 <Protocol>httpbasic</Protocol>
382 <MailDomain>og.saga-u.ac.jp</MailDomain>
387 <!-- ####### An Example of Multiple authentication servers ######
388 If multiple auth servers are set, they are checked sequentially.
389 When the first server denies the request, it is sent to the next one.
390 When a server accepts the request, the following servers are ignored.
393 setting for first priority
396 setting for second priority
399 setting for third priority
403 <!-- ######################################
404 #### Config for exceptional users ####
406 <!-- ###### about ExtraSet #######
408 <ExtraSet> overrides the default settings
410 You can switch parameter values by userID and extraID,
411 entered as [userID@extraID] in the userID field on the auth page.
413 Each <ExtraSet> has conditions such as <.. ExtraId="aaa"> or
414 <.. UserIdPattern="bbb">, etc.
415 The conditions are compared with the string entered in
418 When you set the condition as <.. ExtraId="aaa">,
419 [extraId] equal to [aaa] is matched (eg, xx@aaa).
421 When you set the condition as <.. UserIdPattern="bbb">,
422 [userId] including [bbb] is matched (eg, xbbbx@xx).
424 When you set the condition as <.. UserExtraPattern="bbb">,
425 [userId@extraId] including [bbb] is matched (eg, xbbbx@xx, aa@xbbbx).
427 When you set the condition as <.. UserExtraPatternNot="bbb">,
428 a string NOT including [bbb] is matched.
430 Patterns have the form of a "POSIX Extended Regular Expression".
431 Matching is case-insensitive.
433 An <ExtraSet> with multiple conditions is used only when all of them are true.
434 An omitted condition matches every string.
436 When several <ExtraSet>s match, the first matching one is used.
438 The parameters in an <ExtraSet> override the default values.
439 When a parameter is not found in the <ExtraSet>, the default is used.
441 When a userID is entered without an extraID, ExtraId matches "default".
442 Thus if you want to find [user1] only in default server,
443 use as <ExtraSet ExtraId="default" UserIdPattern="^user1$">.
445 Example 1 is used when the user is entered as [any_user@guest],
446 where "any_user" is any string.
447 It means that [xxx@guest] uses a different auth server.
449 Example 2 is used when the user is entered as [anyuser@admin].
450 It means that [xxx@admin] can use several auth servers.
452 Example 3 is used when the user is entered as [user1] or [user2].
453 It means that [user1] and [user2] are written to a specific syslog facility (e.g., mail).
455 <!-- ## ExtraSet sample 1 ##
456 <ExtraSet ExtraId="guest">
458 <Address>192.168.0.1</Address>
459 <Protocol>ftp</Protocol>
461 <IpfwTagNumber>999</IpfwTagNumber>
464 ## End of sample 1 ##
466 <!-- ## ExtraSet sample 2 ##
467 <ExtraSet ExtraId="admin">
469 <Protocol>pam</Protocol>
472 <Address>192.168.0.1</Address>
473 <Protocol>pop3s</Protocol>
474 <Timeout>10</Timeout>
477 <Address>192.168.0.2</Address>
478 <Protocol>ftp</Protocol>
479 <Timeout>10</Timeout>
482 ## End of sample 2 ##
484 <!-- ## ExtraSet sample 3 ##
485 <ExtraSet ExtraId="default" UserIdPattern="^user1$|^user2$">
488 <Facility>local2</Facility>
491 ## Caution: if no userid is entered, it is treated as userid="?" ##
492 ## End of sample 3 ##