pnixon [Tue, 1 Mar 2005 12:52:43 +0000 (12:52 +0000)]
new PAM config in upcoming SUSE 9.3Pro
pnixon [Tue, 1 Mar 2005 12:07:49 +0000 (12:07 +0000)]
Major cleanups to bring in sync with SUSE 9.2 Professional and to run as user radiusd instead of root
aland [Tue, 1 Mar 2005 01:47:39 +0000 (01:47 +0000)]
More/better error messages.
Don't allow quoted strings as conf-section names.
aland [Mon, 28 Feb 2005 23:54:13 +0000 (23:54 +0000)]
When $INCLUDE'ing files, cf_item_add may be called with a list
of items. If so, add all children to the parent trees.
We don't have to touch the child trees, because they aren't changed.
aland [Mon, 28 Feb 2005 22:47:17 +0000 (22:47 +0000)]
When reading files in a directory, be a little more restrictive.
We allow alpha-numeric, '.' and '_'. Anything else is ignored.
aland [Mon, 28 Feb 2005 22:32:13 +0000 (22:32 +0000)]
Moved copy_string && copy_var from exec.c to util.c, as public
functions, so that others may use them.
(mostly) copied "split into argv" code from exec.c into xlat_config,
to avoid injection attacks. i.e. "split into argv, and then xlat",
rather than "xlat, and then split into argv".
This also allows the use of "." in section/pair names.
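The ordering point in the commit above ("split into argv, and then xlat", not "xlat, and then split into argv") is easy to see with a small simulation. This is an added example, not code from FreeRADIUS; it assumes a toy `%{Attr}` expander and uses Python's `shlex` as a stand-in for the server's own argv splitter, and the request attributes are constructed.

```python
import re
import shlex

# Constructed request: the User-Name value contains a space and an extra
# token, which is exactly the input an argv-splitting step must not honour.
REQUEST = {
    "User-Name": "bob extra_argument",
    "NAS-IP-Address": "192.0.2.10",
}

# Toy xlat: only %{Attribute-Name} references, unknown attributes expand to "".
XLAT_RE = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def xlat(template, request):
    """Expand %{Attr} references in one string against the request."""
    return XLAT_RE.sub(lambda m: request.get(m.group(1), ""), template)


def xlat_then_split(template, request):
    """Unsafe order: expand the whole command line first, then split it.
    Whitespace inside an attribute value becomes extra argv entries."""
    return shlex.split(xlat(template, request))


def split_then_xlat(template, request):
    """Order the commit adopts: split the template into argv first, then
    expand each element. Attribute content stays inside one argv slot."""
    return [xlat(arg, request) for arg in shlex.split(template)]


if __name__ == "__main__":
    tmpl = "/usr/local/bin/checkuser %{User-Name} %{NAS-IP-Address}"
    print(xlat_then_split(tmpl, REQUEST))  # 4 entries: attacker-controlled extra arg
    print(split_then_xlat(tmpl, REQUEST))  # 3 entries: value kept as one argument
```

Note that the safe ordering does not sanitise the value; it only guarantees that an attribute value is delivered to the child program as a single argument, which is the property the commit is after.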
aland [Mon, 28 Feb 2005 19:50:47 +0000 (19:50 +0000)]
Use rbtrees for CONF_SECTIONS, with hacks to make instance names
work...
aland [Mon, 28 Feb 2005 19:49:25 +0000 (19:49 +0000)]
Minor fix to xlat config
aland [Mon, 28 Feb 2005 18:45:31 +0000 (18:45 +0000)]
Put CONF_PAIRs into an rbtree. This doesn't make much difference
for most systems, but for large ones, it can help.
This also means that more memory is being used in the server,
but not a whole lot.
Next, putting sections into an rbtree.
aland [Mon, 28 Feb 2005 18:24:29 +0000 (18:24 +0000)]
Allow %{config: section[name2][item]}
kkalev [Mon, 28 Feb 2005 12:02:53 +0000 (12:02 +0000)]
Add the safe-characters directive in mssql.conf also
kkalev [Fri, 25 Feb 2005 23:51:11 +0000 (23:51 +0000)]
Don't set DEFAULT '0' for the nas table
nbk [Fri, 25 Feb 2005 00:59:56 +0000 (00:59 +0000)]
Remove the locks on the <detail> file and handle the case
where the last line is not complete
nbk [Tue, 22 Feb 2005 15:59:39 +0000 (15:59 +0000)]
Execute modules in {Pre,Post}-Proxy-Type stanzas (closes: #199)
nbk [Tue, 22 Feb 2005 15:58:53 +0000 (15:58 +0000)]
Prototype change for module_post_proxy()
nbk [Tue, 22 Feb 2005 15:58:30 +0000 (15:58 +0000)]
Prototype changes for module_{pre,post}_proxy()
nbk [Mon, 21 Feb 2005 15:02:26 +0000 (15:02 +0000)]
Re-arrange the states in the loop() function to prevent
radsqlrelay from duplicating accounting packets. Now the
transition is STATE_RUN -> STATE_BACKLOG -> STATE_CLOSE
(closes: #206)
nbk [Sun, 20 Feb 2005 18:53:35 +0000 (18:53 +0000)]
Build radsqlrelay, too.
kkalev [Sat, 19 Feb 2005 12:02:34 +0000 (12:02 +0000)]
In clear_opensessions depending on sql type use either IS NULL or = 0 in the DELETE statement.
We need to find a cleaner solution to this. This closes bug#175
kkalev [Sat, 19 Feb 2005 11:53:40 +0000 (11:53 +0000)]
Change ConnectInfo_{start,stop} to be varchar(50). This closes Bug#204
kkalev [Sat, 19 Feb 2005 11:45:11 +0000 (11:45 +0000)]
Add a patch from Thor Spruyt for setting the nas client query in the configuration file
This closes bug#201
kkalev [Sat, 19 Feb 2005 01:08:44 +0000 (01:08 +0000)]
* Add more documentation for per user counter limit attributes (daily/weekly/monthly limits)
* Make all counter limits default to none so that people don't get confused
kkalev [Sat, 19 Feb 2005 00:58:05 +0000 (00:58 +0000)]
Update password_check to work with all password attributes and use the configuration directives
aland [Fri, 18 Feb 2005 21:34:59 +0000 (21:34 +0000)]
re-arranged pap_authorize so that it will clean up base64 & hex
password attributes, so that other modules may use them.
This allows (for example) LDAP to store NT passwords base64-encoded,
with a header of {nt}. The LDAP module will add an attribute
NT-Password, with the value as base64-encoded. The PAP module
will base64-decode it during the "authorize" phase, so that the
mschap module can use the 16-byte NT hash during the authentication
phase.
aland [Fri, 18 Feb 2005 21:23:07 +0000 (21:23 +0000)]
Added auto-header discovery
{clear} User-Password
{cleartext} User-Password
{md5} MD5-Password
{smd5} SMD5-Password
{sha} SHA-Password
{ssha} SSHA-Password
{nt} NT-Password
The passwords are added "as-is", and require RLM_PAP to fix them...
aland [Fri, 18 Feb 2005 21:03:09 +0000 (21:03 +0000)]
Re-formatting of code, normalize whitespace around function args,
reduce the number of indents in some places
aland [Fri, 18 Feb 2005 18:06:56 +0000 (18:06 +0000)]
Updated docs for new behavior
aland [Fri, 18 Feb 2005 18:03:43 +0000 (18:03 +0000)]
new pap authorize function, which looks for hashed/encrypted
passwords in config items, and sets Auth-Type := PAP.
Updated radiusd.conf to add "unix" and "pap" to "authorize",
for more auto-discovery.
Updated "users" to NOT Set Auth-Type at ALL. This makes
auto-discovery work much better...
aland [Fri, 18 Feb 2005 01:14:37 +0000 (01:14 +0000)]
Support base64 encoding, via auto-discovery.
i.e. if it decodes to a base64 string of the right length, then
it's a base64 string.
This works with SMD5-Password := "l/ValIKmwbbPbodg+YNCS32Cz3M="
which is the same "testpassword" as the previous CVS commit.
aland [Fri, 18 Feb 2005 00:12:58 +0000 (00:12 +0000)]
Document SMD5 && SSHA passwords, too
aland [Fri, 18 Feb 2005 00:12:02 +0000 (00:12 +0000)]
Whoops... delete base64 stuff which was there by accident
aland [Fri, 18 Feb 2005 00:11:22 +0000 (00:11 +0000)]
These new attributes are of type "octets", not "string"
aland [Fri, 18 Feb 2005 00:11:06 +0000 (00:11 +0000)]
deleted hex2bin && bin2hex.
Added support for SMD5-Password & SSHA-Password.
SMD5-Password := 0x97f55a9482a6c1b6cf6e8760f983424b7d82cf73
SSHA-Password := 0x3b7fc2a325b3a841db199bb9f653fd8e05d6b1e4edbf63b5
User-Password := "testpassword"
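The commits on header discovery (`{ssha}` and friends), base64 auto-detection and the SMD5/SSHA attributes describe one small pipeline: recognise the header, work out how the stored value is encoded, split digest from salt, and recompute. This is an added example written for this log, not rlm_pap's code; it assumes the salted layout is digest followed by salt (the usual LDAP `{SSHA}` convention) and that base64 is accepted only when it decodes to a plausible length, as the commit states. The hex and base64 test vectors are the ones quoted in the commits above; the "abcd" salts in the self-check are constructed.

```python
import base64
import hashlib
import hmac
import os

# Vectors quoted from the commit messages above (hashes of "testpassword").
SMD5_HEX = "97f55a9482a6c1b6cf6e8760f983424b7d82cf73"
SMD5_B64 = "l/ValIKmwbbPbodg+YNCS32Cz3M="
SSHA_HEX = "3b7fc2a325b3a841db199bb9f653fd8e05d6b1e4edbf63b5"

# Header-to-attribute table from the "auto-header discovery" commit.
HEADERS = {
    "{clear}": "User-Password", "{cleartext}": "User-Password",
    "{md5}": "MD5-Password", "{smd5}": "SMD5-Password",
    "{sha}": "SHA-Password", "{ssha}": "SSHA-Password",
    "{nt}": "NT-Password",
}

# Digest sizes for the attributes this example verifies (NT/User-Password are
# left to other modules). Assumption: salted forms are digest || salt.
DIGEST_LEN = {"MD5-Password": 16, "SMD5-Password": 16,
              "SHA-Password": 20, "SSHA-Password": 20}


def from_header(value):
    """Split '{header}payload' into (attribute, payload); None if no known header."""
    for header, attr in HEADERS.items():
        if value.lower().startswith(header):
            return attr, value[len(header):]
    return None


def normalize(attr, value):
    """Auto-discover the encoding of a stored value (raw bytes, 0x-hex, or
    base64 that decodes to the right length) and return digest(+salt) bytes."""
    dlen = DIGEST_LEN[attr]
    salted = attr.startswith(("SMD5", "SSHA"))
    fits = (lambda n: n >= dlen) if salted else (lambda n: n == dlen)
    if isinstance(value, (bytes, bytearray)):
        raw = bytes(value)
    else:
        raw = None
        if value.startswith("0x"):
            try:
                raw = bytes.fromhex(value[2:])
            except ValueError:
                raw = None                      # not hex after all; try base64
        if raw is None:
            try:
                decoded = base64.b64decode(value, validate=True)
            except ValueError:
                decoded = b""
            # "if it decodes to ... the right length, then it's a base64 string"
            raw = decoded if fits(len(decoded)) else value.encode()
    if not fits(len(raw)):
        raise ValueError(f"{attr}: bad length {len(raw)} for {value!r}")
    return raw


def verify(attr, stored, password):
    """Recompute hash(password || salt) and compare in constant time."""
    raw = normalize(attr, stored)
    dlen = DIGEST_LEN[attr]
    digest, salt = raw[:dlen], raw[dlen:]
    algo = "md5" if "MD5" in attr else "sha1"
    calc = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)


def make_salted(attr, password, salt=None):
    """Produce a base64 SMD5/SSHA value (digest || salt) for a new password."""
    salt = os.urandom(4) if salt is None else salt
    algo = "md5" if "MD5" in attr else "sha1"
    blob = hashlib.new(algo, password.encode() + salt).digest() + salt
    return base64.b64encode(blob).decode()


if __name__ == "__main__":
    same = normalize("SMD5-Password", "0x" + SMD5_HEX) == normalize("SMD5-Password", SMD5_B64)
    print("SMD5 hex and base64 vectors agree:", same)
    print("SMD5 vector verifies 'testpassword':", verify("SMD5-Password", SMD5_B64, "testpassword"))
    attr, payload = from_header("{ssha}" + base64.b64encode(bytes.fromhex(SSHA_HEX)).decode())
    print(attr, "verifies 'testpassword':", verify(attr, payload, "testpassword"))
```

The length check is what makes the base64 guess safe: a value that merely looks like base64 but decodes to the wrong size is kept as raw text rather than silently mangled. Unsalted MD5/SHA-1 stored here are only as strong as the scheme allows; the commits record what the server accepts, not a recommendation for new deployments.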
aland [Thu, 17 Feb 2005 20:42:25 +0000 (20:42 +0000)]
unused headers
aland [Thu, 17 Feb 2005 20:41:55 +0000 (20:41 +0000)]
Add OSFFIA stuff back in. It looks like it's not used, so it
shouldn't hurt anything.
aland [Thu, 17 Feb 2005 20:35:36 +0000 (20:35 +0000)]
Updated documentation for rlm_unix
aland [Thu, 17 Feb 2005 20:35:04 +0000 (20:35 +0000)]
Removed all references to caching from the module. It's no longer
needed or useful.
kkalev [Thu, 17 Feb 2005 13:06:49 +0000 (13:06 +0000)]
Commit a patch from Andrea Gabellini. This should close bug#128
aland [Wed, 16 Feb 2005 18:54:52 +0000 (18:54 +0000)]
reap children in a child thread, not in the main server thread.
This minimizes locks
aland [Wed, 16 Feb 2005 18:50:29 +0000 (18:50 +0000)]
re-write of handling SIGCHLD.
delete sigchld handler. It's too hard to coordinate getting the
child pid & status from the thread that caught the signal to the
thread that (maybe) is waiting for it.
Instead, don't save child pids if we've been told someone will
be waiting for it. They will call waitpid() and clean up the zombie.
DO save child pids if the caller isn't going to wait. Someone
needs to call waitpid() on the EXACT PID number, to avoid grabbing
a PID that an "exec wait" thread is waiting for.
create new function: reap_children(), and scatter calls to it
in a number of places. This ensures that any child will have
waitpid() called quickly, and will be reaped.
aland [Wed, 16 Feb 2005 01:36:35 +0000 (01:36 +0000)]
removed external declaration of rad_savepid. This is a Good Thing.
Moved the function in threads.c, and declared it "static"
aland [Wed, 16 Feb 2005 01:31:19 +0000 (01:31 +0000)]
cat request_process.c | tr -d \\r > foo;mv foo request_process.c
aland [Wed, 16 Feb 2005 01:23:55 +0000 (01:23 +0000)]
Remove serious limits on the length of names in DICT_VALUE.
It's now 128, but can easily be bumped up.
aland [Wed, 16 Feb 2005 01:13:39 +0000 (01:13 +0000)]
Removed restrictions on vendor name length. (realistically)
It's now 1024, which should be large enough for most people.
aland [Tue, 15 Feb 2005 23:48:47 +0000 (23:48 +0000)]
Document new "virtual" modules
aland [Tue, 15 Feb 2005 23:43:47 +0000 (23:43 +0000)]
Make the "compile module" code actually return, rather than call
exit(). This means that we have a "stack" of errors to print if
something goes wrong, so we can track what referred to the item
making the problem.
Allow redundant{} etc. sections to have second names,
and use those names for printing.
Allow subsections in "instantiate", and use those subsections
as "virtual" modules, so that you don't have to copy blocks
of text, if the same kind of redundancy/fail-over is done in
multiple places.
This fixes bug #181
These subsections will later allow us to use the subsection names
in xlat's. e.g.
redundant magic_ldap {
    ldap1
    ldap2
}
... %{magic_ldap: query...}, which will fail-over from ldap1 to ldap2
aland [Tue, 15 Feb 2005 19:16:17 +0000 (19:16 +0000)]
Less code, less work
aland [Tue, 15 Feb 2005 19:10:35 +0000 (19:10 +0000)]
Move SIGCHLD handler to threads.c, no one else needs it
aland [Tue, 15 Feb 2005 19:10:02 +0000 (19:10 +0000)]
Check for maximum argv.
NULL terminate the argv array.
kkalev [Tue, 15 Feb 2005 18:28:11 +0000 (18:28 +0000)]
Change session_zap to include a session_time argument.
In simultaneous-use check in rlm_sql, don't set default protocol to PPP but
rather try to find it
kkalev [Tue, 15 Feb 2005 18:22:57 +0000 (18:22 +0000)]
Add Huntgroup support in preacct also
aland [Tue, 15 Feb 2005 01:21:57 +0000 (01:21 +0000)]
The whole 2-names for sections confuses the %{config:...} expansion,
so we allow the second name to be referenced, too.
aland [Tue, 15 Feb 2005 01:20:19 +0000 (01:20 +0000)]
Prototype for new function
aland [Tue, 15 Feb 2005 01:19:22 +0000 (01:19 +0000)]
Handle the case where the threads aren't initialized
aland [Tue, 15 Feb 2005 01:15:27 +0000 (01:15 +0000)]
put argv & response from child into different buffers.
aland [Tue, 15 Feb 2005 00:58:18 +0000 (00:58 +0000)]
Catch border cases
aland [Mon, 14 Feb 2005 21:12:16 +0000 (21:12 +0000)]
Use new library functions hex2bin/bin2hex
aland [Mon, 14 Feb 2005 21:02:35 +0000 (21:02 +0000)]
use new hex2bin function to be more forgiving for NT-Passwords
aland [Mon, 14 Feb 2005 20:59:14 +0000 (20:59 +0000)]
corrected typo
aland [Mon, 14 Feb 2005 20:57:24 +0000 (20:57 +0000)]
Moved hex2bin && bin2hex here from multiple locations in the source
kkalev [Mon, 14 Feb 2005 11:58:53 +0000 (11:58 +0000)]
Add documentation patches from Thor Spruyt. This closes bugs 170,171
phampson [Sun, 13 Feb 2005 01:01:57 +0000 (01:01 +0000)]
Try building SNMP support with -lkstat for Solaris 9
aland [Fri, 11 Feb 2005 21:59:31 +0000 (21:59 +0000)]
Don't read sub-directories when $INCLUDEing "dir/"
aland [Fri, 11 Feb 2005 21:57:46 +0000 (21:57 +0000)]
Don't try to read directories, either
aland [Fri, 11 Feb 2005 21:51:29 +0000 (21:51 +0000)]
When in authorize/etc in policies, don't allow it to call another
module's authenticate/etc phase.
We may want to loosen this restriction in the future...
aland [Fri, 11 Feb 2005 21:47:51 +0000 (21:47 +0000)]
free policy types call/return/etc
Allow policies to call modules. Weird, wild, stuff.
aland [Fri, 11 Feb 2005 16:52:04 +0000 (16:52 +0000)]
Fixed typo
aland [Fri, 11 Feb 2005 01:02:20 +0000 (01:02 +0000)]
Allow !=, too
aland [Thu, 10 Feb 2005 22:56:37 +0000 (22:56 +0000)]
Policy functions can now have return codes. The default is "ok".
The return codes are the module return codes, for simplicity.
The return codes can be checked in conditions, so:
if (foo() == ok) {
    ...
} else {
    ...
}
will work. There's no fail-over, or assignment of return codes
to variables, or possibility to check multiple return codes.
This is NOT a real language. It's a nasty hack to get interesting
things done...
aland [Thu, 10 Feb 2005 22:53:01 +0000 (22:53 +0000)]
Don't read "foo~" files.
Maybe we should make it read only *.conf? ...
aland [Thu, 10 Feb 2005 01:33:19 +0000 (01:33 +0000)]
Docs for latest updates
aland [Thu, 10 Feb 2005 00:24:15 +0000 (00:24 +0000)]
Inclusion works:
include "foo" relative to current directory
include "dir/" include all files in subdirectory
aland [Thu, 10 Feb 2005 00:22:41 +0000 (00:22 +0000)]
Don't leave DIR's open on error.
Enclose new readdir code in #ifdef HAVE_DIRENT_H, so no one else
breaks
aland [Wed, 9 Feb 2005 23:57:02 +0000 (23:57 +0000)]
re-arrange code, make the parser a little cleaner
aland [Wed, 9 Feb 2005 18:32:34 +0000 (18:32 +0000)]
Whoops, use dup(), not dup2()
aland [Wed, 9 Feb 2005 18:24:10 +0000 (18:24 +0000)]
When log_dest == stdout/stderr, DUP it to another fd, close it,
and then in the logger, prefer to use mainconfig.radlog_fd.
This allows logging to go to what was stdout/stderr, but doesn't
leave stdout/stderr open for writing by external (forked) programs
kkalev [Wed, 9 Feb 2005 17:59:48 +0000 (17:59 +0000)]
Add a patch from Nicolas Baradakis to fix redundant processing in the accounting
section. This closes bug#173
aland [Wed, 9 Feb 2005 17:42:47 +0000 (17:42 +0000)]
Use correct length of string
kkalev [Wed, 9 Feb 2005 12:56:19 +0000 (12:56 +0000)]
Add a radiusObjectProfile objectclass to be used for creating radius profile
objects if no other objectclass can be used (like *person objectclass, etc)
Original idea and patch by Novell
kkalev [Wed, 9 Feb 2005 12:48:31 +0000 (12:48 +0000)]
Update example.pl with a patch from Thor Spruyt (bug #195)
kkalev [Wed, 9 Feb 2005 12:46:20 +0000 (12:46 +0000)]
Add an rlm_perl patch from Thor Spruyt (bug #196)
kkalev [Wed, 9 Feb 2005 12:44:12 +0000 (12:44 +0000)]
Update dictionary.garderos with patch from Thor Spruyt (bug #205)
aland [Wed, 9 Feb 2005 00:51:14 +0000 (00:51 +0000)]
conf files can now do:
$INCLUDE /path/to/dir/
With a trailing "/" at the end, it means "include all files
in that directory, but not the '.' files"
For future expansion.
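Several commits in this log narrow what `$INCLUDE dir/` will read: no '.' files, no sub-directories, no editor backups like "foo~", and only names made of alphanumerics, '.' and '_'. The function below is an added example for this log, not the server's `$INCLUDE` code; it assumes those rules are the whole filter and builds a throwaway directory of constructed file names to show which ones survive.

```python
import os
import re
import tempfile

# Name rule from the commit log: alphanumerics, '.' and '_' only.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9._]+")


def include_dir(path):
    """Return, sorted, the file names that a '$INCLUDE path/' would read under
    the rules recorded in this log: skip dotfiles, skip any name with other
    characters (this covers 'foo~'), and skip sub-directories."""
    chosen = []
    for name in os.listdir(path):
        if name.startswith("."):
            continue                        # '.' files are never included
        if not ALLOWED_NAME.fullmatch(name):
            continue                        # 'foo~', spaces, shell metachars ...
        if not os.path.isfile(os.path.join(path, name)):
            continue                        # directories are not descended into
        chosen.append(name)
    return sorted(chosen)


def demo():
    """Build a constructed directory and report what gets included."""
    with tempfile.TemporaryDirectory() as d:
        for name in ["clients.conf", "sql.conf", "sql.conf~",
                     ".hidden.conf", "bad name.conf", "$(evil).conf"]:
            open(os.path.join(d, name), "w").close()
        os.mkdir(os.path.join(d, "modules"))
        return include_dir(d)


if __name__ == "__main__":
    print(demo())  # only clients.conf and sql.conf qualify
```

The explicit dotfile test is needed even with the character whitelist, because '.' is itself an allowed character and ".hidden.conf" would otherwise pass. Note that `os.path.isfile` follows symlinks, so a link to a regular file is still read; the commits say nothing about symlinks, so that behaviour is an assumption of the example.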
kkalev [Wed, 9 Feb 2005 00:06:00 +0000 (00:06 +0000)]
Really stupid typo
aland [Tue, 8 Feb 2005 23:29:37 +0000 (23:29 +0000)]
Don't return binary data
aland [Tue, 8 Feb 2005 23:26:58 +0000 (23:26 +0000)]
Update documentation for new functionality
kkalev [Tue, 8 Feb 2005 23:14:31 +0000 (23:14 +0000)]
Make debug messages on password extraction a little bit more verbose
aland [Tue, 8 Feb 2005 23:13:26 +0000 (23:13 +0000)]
Now that we have MD5-Password and SHA-Password, along with
{User, Crypt, NT, LM}-Password, those attributes should store
the appropriate "hashed" versions of the password.
The PAP module should automagically figure out what to do, based
on which of the above attributes it sees.
aland [Tue, 8 Feb 2005 21:47:56 +0000 (21:47 +0000)]
Added ability for functions to be in conditions. Not perfect yet,
but it works...
kkalev [Tue, 8 Feb 2005 21:44:06 +0000 (21:44 +0000)]
Add a few more checks for the previous patch
kkalev [Tue, 8 Feb 2005 21:39:11 +0000 (21:39 +0000)]
Add another configuration directive, password_radius_attribute. The default is
User-Password and its purpose is to allow administrators to store NT hashes or
other forms of passwords in the userPassword attribute and map them to the
correct radius password attribute
aland [Tue, 8 Feb 2005 20:36:23 +0000 (20:36 +0000)]
Named policies are items just like any other.
Remove DOS LF's.
aland [Tue, 8 Feb 2005 20:33:50 +0000 (20:33 +0000)]
When there are errors instantiating a module, don't assume that
'ci' is a CONF_SECTION, it may be a CONF_PAIR. Instead, use the
'lineno' which was defined above.
aland [Mon, 7 Feb 2005 17:48:29 +0000 (17:48 +0000)]
Don't set Framed-MTU in default configuration
aland [Fri, 4 Feb 2005 02:00:08 +0000 (02:00 +0000)]
Added {SHA, SSHA, MD5, SMD5}-Password attributes for future
expansion
kkalev [Wed, 2 Feb 2005 11:45:17 +0000 (11:45 +0000)]
Add a few header files
aland [Mon, 31 Jan 2005 18:55:32 +0000 (18:55 +0000)]
Removed C++ comment
aland [Mon, 31 Jan 2005 18:42:26 +0000 (18:42 +0000)]
Updates from Trapeze
kkalev [Fri, 28 Jan 2005 07:21:43 +0000 (07:21 +0000)]
Add second patch from Novell for creating a postauth method in order to
implement the Novell eDirectory account policy check
aland [Wed, 26 Jan 2005 20:35:00 +0000 (20:35 +0000)]
Text from bug #168