cmiller [Wed, 6 Mar 2002 18:34:54 +0000 (18:34 +0000)]
Tried to get python detection working properly. It may be close, but the
test for whether libpython${whatever} has Py_Initialize() is UGLY. I hope
someone cleans that up.
aland [Wed, 6 Mar 2002 17:55:39 +0000 (17:55 +0000)]
When updating the head of a list, update the *real* head, and
not the local pointer to the head, which is thrown away when
the function returns.
Patch from Lutz Donnerhacke <lutz@iks-jena.de>
aland [Wed, 6 Mar 2002 17:49:36 +0000 (17:49 +0000)]
Make authentication reject messages more consistent.
Don't return bad IP address if we're doing '1.2.3.4+', and the
request doesn't have a NAS port to add.
aland [Wed, 6 Mar 2002 17:35:53 +0000 (17:35 +0000)]
Updated schema with more restrictions on field values, from
Thomas Huehn <huehn@eozaen.net>
aland [Wed, 6 Mar 2002 16:36:09 +0000 (16:36 +0000)]
Don't use a hard-coded '32' for the select over the auth, acct,
and proxy FDs. The modules are configured *before* these FDs
are opened, so there may be more than 32 FDs in use.
Instead, we have to dynamically figure out what the maximum FD
is from the set we're selecting over, and use that value.
Bug found by Cvetan Ivanov <zezo@spnet.net>
cmiller [Wed, 6 Mar 2002 16:02:24 +0000 (16:02 +0000)]
Added tests to detect the style of gethostbyaddr_r() function, and use it.
It knows of GNU and SYSV, atm.
aland [Tue, 5 Mar 2002 23:14:25 +0000 (23:14 +0000)]
Aptis (Nortel CVX 1800?) dictionary, found on the net, and edited
for FreeRADIUS.
aland [Tue, 5 Mar 2002 15:44:38 +0000 (15:44 +0000)]
Changed attribute type, so says "ju bin" <binju@online.sz.js.cn>
aland [Tue, 5 Mar 2002 15:41:55 +0000 (15:41 +0000)]
Removed SQL from authenticate section. They're no longer needed.
aland [Tue, 5 Mar 2002 15:21:27 +0000 (15:21 +0000)]
Removed checks for gethostbyFOO_r(), until such time as we can
do intelligent checks.
aland [Mon, 4 Mar 2002 21:14:44 +0000 (21:14 +0000)]
Added attributes from RFC 3162.
Some are of type 'octets', when they should really be of type 'IPv6',
but that isn't a serious problem for now.
kkalev [Sat, 2 Mar 2002 16:13:48 +0000 (16:13 +0000)]
o Add support for Autz-Type attribute. We can now create autztype sections in
radiusd.conf.
o Add sql_xlat. Only SELECTS are supported right now
o Move sql_release socket in a few places where it wasn't needed
o Remove sql_authenticate function. We still use the authenticate_query directive
to extract the user password. The work should now be done by the pap/chap modules.
o Do a pairfree of check_tmp and reply_tmp if paircmp fails
in sql_authorize
ramoore [Sat, 2 Mar 2002 06:49:55 +0000 (06:49 +0000)]
Update the print_abinary function to show 'est' when the established bit is set.
ramoore [Sat, 2 Mar 2002 05:50:43 +0000 (05:50 +0000)]
Prevent nas_name functions from calling client_name.
Add nas_name3 function that can return a dotted quad when
NAS name is not known.
Update radwho to use nas_name3 function
ramoore [Sat, 2 Mar 2002 03:31:37 +0000 (03:31 +0000)]
This patch changes the return code within the CISCO_ACCOUNTING_HACK from FAIL to NOOP.
If a FAIL is returned, freeradius does not send an ACK to the NAS that sent the stop
packet, so it just keeps resending. NOOP is more appropriate.
fcusack [Fri, 1 Mar 2002 16:57:18 +0000 (16:57 +0000)]
Remove GPL text; sha1.c is in the public domain.
fcusack [Fri, 1 Mar 2002 16:53:23 +0000 (16:53 +0000)]
reload now just sends -HUP
raghu [Thu, 28 Feb 2002 21:44:29 +0000 (21:44 +0000)]
TLS_Message_Length is made configurable
aland [Wed, 27 Feb 2002 15:32:07 +0000 (15:32 +0000)]
Minor fixups
from bj@zuto.de (Rainer Clasen)
aland [Tue, 26 Feb 2002 21:46:17 +0000 (21:46 +0000)]
If both 'authhost' and 'accthost' in a realm are LOCAL, then we
don't need a shared secret.
Bug noted by "Vector" <cistron@itpsg.com>
aland [Tue, 26 Feb 2002 19:22:24 +0000 (19:22 +0000)]
If fgetspnam() returns NULL, then it means that the shadow password
entry does NOT exist.
This probably fixes the bug where non-cached passwords don't work...
raghu [Tue, 26 Feb 2002 00:57:30 +0000 (00:57 +0000)]
More debugging statements
raghu [Tue, 26 Feb 2002 00:56:35 +0000 (00:56 +0000)]
Made Length field configurable.
Now Total length can be included in every packet or
only in the first fragment of the message.
Initial patch provided by Adam <adam@cfar.umd.edu>.
aland [Mon, 25 Feb 2002 22:44:09 +0000 (22:44 +0000)]
Check for gethostbyFOO_r(), and use them, if they exist.
aland [Mon, 25 Feb 2002 22:34:27 +0000 (22:34 +0000)]
Use gmtime_r by default, so that we're thread-safe.
aland [Mon, 25 Feb 2002 18:47:55 +0000 (18:47 +0000)]
<grumble> work around variations in gdbm from version to version.
For gdbm pre version 1.8, we can't use NOLOCK, as it doesn't exist.
This means that the DB file is *always* locked, and NO ONE ELSE can
get access to it ANYTIME.
aland [Mon, 25 Feb 2002 18:44:36 +0000 (18:44 +0000)]
Check if gdbm has gdbm_fdesc
aland [Mon, 25 Feb 2002 17:19:40 +0000 (17:19 +0000)]
Removed use of internal autoconf variable which is set to patently
absurd value.
aland [Mon, 25 Feb 2002 16:19:20 +0000 (16:19 +0000)]
Added new file describing the variables as defined by the server.
Added some more text in the configuration file, describing the
difference between ${foo} and %{foo}
aland [Mon, 25 Feb 2002 16:02:50 +0000 (16:02 +0000)]
Removed text describing variables and variable substitution
aland [Mon, 25 Feb 2002 16:02:23 +0000 (16:02 +0000)]
Added %{proxy-reply:Attribute-Name} for xlat
aland [Mon, 25 Feb 2002 15:51:43 +0000 (15:51 +0000)]
Updated comments on sql_user_name
aland [Mon, 25 Feb 2002 15:40:26 +0000 (15:40 +0000)]
Corrected typo in function name
aland [Fri, 22 Feb 2002 16:02:28 +0000 (16:02 +0000)]
Open the DB unlocked, and do file locking ourselves using the
new functions.
aland [Fri, 22 Feb 2002 15:53:05 +0000 (15:53 +0000)]
Call new rad_lockfd() function, instead of having ifdef in the
code for lockf/flock.
Remove *horrid* cast of a 'FILE*' to 'int', to "convert" a FILE*
into an integer file descriptor. This just won't work. fileno()
is what we want.
aland [Fri, 22 Feb 2002 15:40:54 +0000 (15:40 +0000)]
Use new library file lock/unlock functions
aland [Fri, 22 Feb 2002 15:37:18 +0000 (15:37 +0000)]
removed copies of file locking code.
Use new rad_lockfd() and rad_unlockfd() functions.
aland [Fri, 22 Feb 2002 15:36:27 +0000 (15:36 +0000)]
New functions: rad_lockfd() and rad_unlockfd(), to get rid of
duplication of file locking code.
aland [Thu, 21 Feb 2002 22:46:40 +0000 (22:46 +0000)]
Don't use a global 'acctfd'
As a result, update 'session_zap' to take an fd as an argument.
Update radutmp to use 'request->packet->fd', instead of the global
acctfd
aland [Thu, 21 Feb 2002 20:36:34 +0000 (20:36 +0000)]
Enable passwd caching by default.
Add a note that turning caching off may cause problems.
aland [Thu, 21 Feb 2002 19:11:01 +0000 (19:11 +0000)]
If we match a huntgroup, then add an attribute saying that
to the request. This is so it can be used && examined later.
Based on a patch from Simon Allard <simon.allard@staff.ihug.co.nz>
aland [Thu, 21 Feb 2002 16:23:47 +0000 (16:23 +0000)]
Patch to PostgreSQL schema for operators.
From Igor Chen <cron@office.lintec.com.ua>
kkalev [Thu, 21 Feb 2002 00:04:11 +0000 (00:04 +0000)]
Update documentation
kkalev [Thu, 21 Feb 2002 00:03:03 +0000 (00:03 +0000)]
Remove the auth_type directive. Change the ldap caching default to no (ldap_cache_timeout = 0)
aland [Wed, 20 Feb 2002 21:35:36 +0000 (21:35 +0000)]
Clear more fields of the request when deleting it, and if
debugging, mark up the secret so that it's easier to tell that
the request has been deleted.
aland [Wed, 20 Feb 2002 16:42:14 +0000 (16:42 +0000)]
Added patch for heimdal code, from
"Kevin C. Miller" <kevinm@andrew.cmu.edu>
Added note that this is NOT configurable, as the patch deletes
existing functionality, and replaces it with different code.
This kind of non-configurable code which removes existing, tested,
and working code is not very polite.
aland [Wed, 20 Feb 2002 16:22:15 +0000 (16:22 +0000)]
postgresql's 'PQcmdTuples' used in function 'affected_rows'
doesn't return the number of affected rows for a SELECT statement, but
returns empty string. Use PQntuples(), instead.
Patch from Andrew Kukhta <andy@wubn.net>
aland [Wed, 20 Feb 2002 16:19:13 +0000 (16:19 +0000)]
If the tag is invalid, rad_send() should ignore it, and set tag
to 0x00.
In rad_decode(), if the type of attribute is string and it has an invalid
tag, it should recognize the first octet as being part of the string.
If the attribute is "Tunnel-Password", and has invalid tag, then
the tag should be ignored.
Patch from Takahiro Wagatsuma <waga@sic.shibaura-it.ac.jp>
aland [Wed, 20 Feb 2002 16:12:27 +0000 (16:12 +0000)]
Added URLs for tips on configuring MySQL.
This doesn't really belong here, but there isn't a better place for
it right now.
aland [Wed, 20 Feb 2002 16:09:22 +0000 (16:09 +0000)]
use dir name macros in all configure options
libtool is required only when building the package
misc clean ups (reorder "header" to follow general RPM style)
make sure /var/log/radius and /var/log/radius/radacct are owned by
root and only readable by root.
Patch from Marko Myllynen
aland [Wed, 20 Feb 2002 16:03:46 +0000 (16:03 +0000)]
use condrestart instead of reload, so radiusd is not started by
logrotate if it was not already running
Added keyword "missingok" so logrotate execution won't stop if
some FreeRADIUS files are not found (e.g., FreeRADIUS hasn't
started after install and thus some files are not yet created).
Added rotating of radutmp
rotate detail files using "radacct/*/detail" so all detail files
are automatically rotated, no need to add NAS names to the path.
missingok parameter ensures that this works whether * matches
to anything or not.
Patch from Marko Myllynen
aland [Wed, 20 Feb 2002 16:01:00 +0000 (16:01 +0000)]
do not use radwatch (it's deprecated)
test that config file exists
return proper return value, not 0 always
added condrestart support, used by logrotate (see next patch)
misc clean ups
Patch from Marko Myllynen
aland [Tue, 19 Feb 2002 22:50:53 +0000 (22:50 +0000)]
In proxy_send(), if there is no realm to proxy the request to,
then return an error.
In rad_respond(), check if proxy_send() returns an error, and
reject the request if so.
Also, fix up a possible race condition in refresh_request(), where
we were marking the request finished, and THEN still accessing it.
aland [Tue, 19 Feb 2002 18:29:58 +0000 (18:29 +0000)]
Don't call fopen on syslog, if the logging destination is syslog
aland [Tue, 19 Feb 2002 15:46:04 +0000 (15:46 +0000)]
Corrected logic in delay request code.
Bug noted by Eddie Stassen <eddie@saix.net>
aland [Tue, 19 Feb 2002 15:41:50 +0000 (15:41 +0000)]
Added define for librad_max_attributes
aland [Mon, 18 Feb 2002 22:09:55 +0000 (22:09 +0000)]
There are cases where, IF all of the matching realms are marked
dead, we do NOT want to fall through to the default realm.
Based on a patch from bj@zuto.de (Rainer Clasen)
aland [Mon, 18 Feb 2002 21:43:37 +0000 (21:43 +0000)]
Added note that the pid file is written only in daemon mode.
aland [Mon, 18 Feb 2002 21:38:40 +0000 (21:38 +0000)]
Added log message when marking a realm dead.
aland [Mon, 18 Feb 2002 19:43:14 +0000 (19:43 +0000)]
Sanity checks and more cleanups for new "reject_delay"
aland [Mon, 18 Feb 2002 19:42:10 +0000 (19:42 +0000)]
Added configuration section "security", with "max_attributes" and
"reject_delay"
aland [Mon, 18 Feb 2002 19:26:05 +0000 (19:26 +0000)]
New security configuration items: max_attributes && reject_delay.
roland.haenel@qsc.de says that delaying the reject helps slow
down a DoS attack. This probably only helps for well-behaved NAS
boxes, but slowing down authentication rejects is probably a good
idea in any case.
raghu [Wed, 13 Feb 2002 20:32:55 +0000 (20:32 +0000)]
Avoid compiler warning
raghu [Wed, 13 Feb 2002 20:32:16 +0000 (20:32 +0000)]
TLS-Length contains Total Length as expected by MS
raghu [Wed, 13 Feb 2002 20:30:01 +0000 (20:30 +0000)]
TLS-Length contains total length as expected by MS
aland [Wed, 13 Feb 2002 20:04:57 +0000 (20:04 +0000)]
Minor cleanups.
Patch from Marko Myllynen
aland [Wed, 13 Feb 2002 15:09:52 +0000 (15:09 +0000)]
A *much* better method for finding Python.
Patch from Gordon Messmer <yinyang@eburg.com>
aland [Wed, 13 Feb 2002 14:33:25 +0000 (14:33 +0000)]
Don't clobber the password if we're using SNMP
Patch from "scott.list" <scott.list@mlec.net>
aland [Mon, 11 Feb 2002 20:39:24 +0000 (20:39 +0000)]
Added a note on building statically, for people who don't have
some shared libraries.
aland [Mon, 11 Feb 2002 20:36:25 +0000 (20:36 +0000)]
Added comments on how to use && set 'libdir'
Added sample python module config, from migs paraz <mparaz@yahoo.com>
aland [Mon, 11 Feb 2002 20:24:30 +0000 (20:24 +0000)]
Whoops... corrected a typo
aland [Mon, 11 Feb 2002 20:23:06 +0000 (20:23 +0000)]
Preliminary Python module from migs paraz <mparaz@yahoo.com>
To get it to build, go to the rlm_python directory, and do:
LIBS="-lpthread -ldl -lutil" ./configure --with-rlm-python-lib-dir=/usr/lib/python2.0/config/ --with-rlm-python-include-dir=/usr/include/python2.0/ --with-rlm-python-version=2.0
... at least on my system, with python 2.0. The 'configure' scripts
should be fixed in the future to do this automagically, but that's
for the future.
aland [Mon, 11 Feb 2002 20:17:25 +0000 (20:17 +0000)]
Use sed on input library names, to make them safe for the shell,
to create variable names.
aland [Mon, 11 Feb 2002 15:42:49 +0000 (15:42 +0000)]
Whoops... this should have been committed with the other code.
From Dmitri Ageev <d_ageev@ortcc.ru>
kkalev [Sat, 9 Feb 2002 13:41:25 +0000 (13:41 +0000)]
* Fix a small bug in log_badlogins. The nas domain should be a variable not hard coded.
aland [Fri, 8 Feb 2002 18:51:02 +0000 (18:51 +0000)]
Updated with summaries of changes since 0.4
aland [Fri, 8 Feb 2002 17:25:01 +0000 (17:25 +0000)]
Added note about unixODBC
aland [Fri, 8 Feb 2002 17:24:16 +0000 (17:24 +0000)]
add unixODBC support
Patch from Dmitri Ageev <d_ageev@ortcc.ru>
aland [Fri, 8 Feb 2002 17:23:43 +0000 (17:23 +0000)]
Added 'reconfig' target, to re-build the SQL driver configure scripts
aland [Fri, 8 Feb 2002 16:52:12 +0000 (16:52 +0000)]
Re-set result on failed match.
Patch from Thomas Jalsovsky <admin@postel.sk>
kkalev [Fri, 8 Feb 2002 14:55:41 +0000 (14:55 +0000)]
* Add support for the rest of the operators. Created the lib/operators.php3 file containing helper functions
raghu [Fri, 8 Feb 2002 00:45:31 +0000 (00:45 +0000)]
EAPTLS ACK packet length is 6 and not 5
kkalev [Thu, 7 Feb 2002 17:58:36 +0000 (17:58 +0000)]
* Added operator support in sql. The eq(=),set(:=) and add(+=) operators are supported. Added an
sql_use_operators configuration directive. Hope everything works.
* Fixed a bug in sql/change_attrs which did not allow multi valued attributes in sql.
* unset item_vals before adding info in ldap and sql user_info files.
kkalev [Thu, 7 Feb 2002 09:18:32 +0000 (09:18 +0000)]
Add ordering in user_accounting.php3. The results can be either ordered ascending (older first)
or descending (recent first). Added a corresponding configuration directive.
aland [Wed, 6 Feb 2002 20:52:04 +0000 (20:52 +0000)]
Usage() function, for help.
Added '-r server_ip' option, to allow sending packets to different
servers.
Patch from Randy Moore <ramoore@axion-it.net>
aland [Wed, 6 Feb 2002 20:49:17 +0000 (20:49 +0000)]
Removed dependency on hard-coded size of the session ID.
Based on a patch from Randy Moore <ramoore@axion-it.net>
aland [Wed, 6 Feb 2002 20:06:23 +0000 (20:06 +0000)]
While doing paircmp(), if one attribute doesn't match, then go
look for another instance of the same attribute, which may result
in a match.
Since most attributes only show up once, this won't significantly
affect the behaviour of the server.
raghu [Tue, 5 Feb 2002 19:35:39 +0000 (19:35 +0000)]
EAP-TLS, Added new variable to avoid confusion with certificate file names
raghu [Tue, 5 Feb 2002 19:24:05 +0000 (19:24 +0000)]
Name changes to reflect proper names & elegant fragmentation handling
aland [Tue, 5 Feb 2002 17:09:43 +0000 (17:09 +0000)]
Only double-check the counter value against the reset date, IF
the count attribute is of type DATE.
Integers get counted as-is.
All other attributes get counted not by their value, but by
how many times they've been seen.
aland [Mon, 4 Feb 2002 21:41:15 +0000 (21:41 +0000)]
Fix for adding ascend binary filters, using +=
aland [Mon, 4 Feb 2002 15:45:35 +0000 (15:45 +0000)]
Added -D_POSIX_PTHREAD_SEMANTICS to use the two argument version
of ctime_r on Solaris, as that OS is too stupid to do anything
useful or intelligent on its own.
Bug noted by Eddie Stassen <eddie@saix.net>
aland [Fri, 1 Feb 2002 19:39:57 +0000 (19:39 +0000)]
Moved the server to using ctime_r, instead of ctime, to help
with threading issues.
Bug noted by Eddie Stassen <eddie@saix.net>
aland [Fri, 1 Feb 2002 16:17:08 +0000 (16:17 +0000)]
Replaced calls to localtime() with calls to localtime_r(), which
is thread safe.
Bug noted by Eddie Stassen <eddie@saix.net>
aland [Fri, 1 Feb 2002 16:14:42 +0000 (16:14 +0000)]
Include header file for time.
aland [Fri, 1 Feb 2002 16:11:02 +0000 (16:11 +0000)]
renamed 'clock' variable to quiet compiler warnings.
aland [Fri, 1 Feb 2002 16:08:00 +0000 (16:08 +0000)]
Look for, and define localtime_r.
For systems NOT having it, the "implementation" just calls localtime,
and copies the data to the user-supplied buffer.
On systems with per-thread buffers for localtime() (like glibc),
this doesn't make any difference.
On systems without per-thread buffers, it will at least lower the
possibility of race conditions.
This hack is just a temporary one, until we need a *real* thread-safe
version of localtime_r.
aland [Thu, 31 Jan 2002 22:17:58 +0000 (22:17 +0000)]
Changed Simultaneous-Use check behavior to trust content of
radutmp file if NAS is not in 'naslist'. Also prevents unnecessary
'fork'ing if NAS is listed as type 'other' in 'naslist'.
Patch from Randy Moore <ramoore@axion-it.net>
aland [Thu, 31 Jan 2002 17:48:54 +0000 (17:48 +0000)]
Removed references to bugs.freeradius.org, as it doesn't exist
any more.
aland [Tue, 29 Jan 2002 22:47:15 +0000 (22:47 +0000)]
Try a slightly different way of closing stdin, stdout, and stderr
when running in daemon mode.
The previous code had 2-3 sections which looked like they tried
to do the same thing...