kkalev [Wed, 28 Aug 2002 12:26:58 +0000 (12:26 +0000)]
Show number of failed logins in the last 7 days in the user admin page
kkalev [Wed, 28 Aug 2002 09:53:59 +0000 (09:53 +0000)]
Don't delete existing generic attributes in ldap_pairget when adding new ones. Since generic attributes
have operators we don't need to try to be clever.
fcusack [Wed, 28 Aug 2002 08:33:07 +0000 (08:33 +0000)]
Implement 'ewindow2', an "extended ewindow" which allows users
to override the delay-mode imposed by the 'softfail' option if
the user enters two correct consecutive passcodes. This helps
in a big way with users going out of sync: we cannot safely make
{ewindow,softfail} too large or it becomes easy to guess passcodes,
but we can safely make ewindow2 reasonably "big".
RISK: It may not hold up to cryptanalysis. TMI for a changelog.
Some other minor changes along the way.
aland [Tue, 27 Aug 2002 19:53:46 +0000 (19:53 +0000)]
Comment out the U, P, S, and C prefix hints by default. They
confuse way too many people.
aland [Tue, 27 Aug 2002 17:05:44 +0000 (17:05 +0000)]
Edited description of how the server works, as posted to the list
by 3APA3A <3APA3A@SECURITY.NNOV.RU>
aland [Tue, 27 Aug 2002 16:50:12 +0000 (16:50 +0000)]
Renamed the file to be more consistent
aland [Tue, 27 Aug 2002 16:48:31 +0000 (16:48 +0000)]
Moved the MIB file to a more intelligent place.
aland [Tue, 27 Aug 2002 16:46:44 +0000 (16:46 +0000)]
Merged two documents into one.
aland [Tue, 27 Aug 2002 16:43:28 +0000 (16:43 +0000)]
Belated update, to make it more in line with the changes over
the past year.
aland [Tue, 27 Aug 2002 14:13:45 +0000 (14:13 +0000)]
Preliminary docs, from ram@princess1.net
kkalev [Tue, 27 Aug 2002 00:56:58 +0000 (00:56 +0000)]
hopefully make rad_check_ts work in rlm_sql_checksimul
kkalev [Mon, 26 Aug 2002 18:53:50 +0000 (18:53 +0000)]
Remove simul_zap_query and replace it with a call to session_zap.
Fix a typo in the dialup_admin Changelog
aland [Mon, 26 Aug 2002 18:48:37 +0000 (18:48 +0000)]
If we don't add the attribute to the list, delete it.
Patch from Kevin Bonner <keb@pa.net>
aland [Mon, 26 Aug 2002 14:54:54 +0000 (14:54 +0000)]
One more bug fix, to make it work with 'users' file entry:
bob Auth-Type := Local, User-Password == "bob", Login-Service =~ "Telnet|LAT"
Tunnel-Client-Auth-Id:0 += `(uid=%{Stripped-User-Name:-%{User-Name:-none}})`,
Tunnel-Client-Auth-Id:0 += `%{User-Name}`,
Tunnel-Client-Auth-Id:0 += `UPDATE ${acct_table1} SET FramedIPAddress = '%{Framed-IP-Address}', NASIPAddress='%{NAS-IP-Address}'`
and test packet:
User-Name = "bob", User-Password = "bob", Calling-Station-Id = "555", Login-Service = Telnet, Framed-IP-Address = 1.2.3.4, NAS-IP-Address = 5.6.7.8
and receiving reply:
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=206, length=101
Tunnel-Client-Auth-Id:0 = "(uid=bob)"
Tunnel-Client-Auth-Id:0 = "bob"
Tunnel-Client-Auth-Id:0 = "UPDATE SET FramedIPAddress = '1.2.3.4', NASIPAddress='5.6.7.8'"
As a note, the 'xlat' implementation appears to be overly complicated.
Using 'for (...p++)' in the loop, instead of 'while (*p)', means
that 'p' is incremented ALWAYS, instead of only when it's needed.
The previous code was easy when we only had xlat'd strings of %U,
but for more complicated ones, it caused a lot of problems.
Also, updated the error message for unknown xlat functions/attributes,
to print out only if there is no xlat function of that name, AND
there is no dictionary attribute of that name.
This helps to minimize the errors which were confusing people,
when xlat was previously complaining about unknown attributes, when
the named attribute was in the dictionary, but not in the incoming
request.
aland [Mon, 26 Aug 2002 14:49:23 +0000 (14:49 +0000)]
If we don't parse a VP when looking for an XLAT'd string, return
an error, instead of de-referencing a NULL pointer.
aland [Mon, 26 Aug 2002 14:01:10 +0000 (14:01 +0000)]
Corrected typo in name.
Patch from ram@princess1.net
kkalev [Mon, 26 Aug 2002 08:55:59 +0000 (08:55 +0000)]
If there are more than one attributes of the same name in the VALUE_PAIR list
do an attribute rewrite on all of them not just the first one we find.
kkalev [Sun, 25 Aug 2002 09:51:55 +0000 (09:51 +0000)]
Add handlers for preproxy,postproxy and postauth
aland [Sat, 24 Aug 2002 16:54:55 +0000 (16:54 +0000)]
Add more NULL's to module data structures, in preparation for
adding pre/post proxy, and post-auth stages.
Patch from Franck Springinsfeld
fcusack [Sat, 24 Aug 2002 02:58:37 +0000 (02:58 +0000)]
add a '.' at end of sentence
fcusack [Sat, 24 Aug 2002 02:57:45 +0000 (02:57 +0000)]
reformat for 80 cols
aland [Fri, 23 Aug 2002 17:51:21 +0000 (17:51 +0000)]
In pairmake(), if we're creating an integer type VP with a
regular expression operator, then do NOT look at its string value.
Instead, save it for later, so that we can do the regular expression
comparison on the names of the integers.
aland [Fri, 23 Aug 2002 17:50:03 +0000 (17:50 +0000)]
Fix a weird bug where we were doing 'ip_ntoa' on date/integer
attributes, but not on IP addresses, when parsing attributes
from a packet to a VALUE_PAIR.
When parsing an integer attribute to a VALUE_PAIR, also look up
the name for its value in the dictionary, and put the name into
the strvalue field. This allows us to do regular expression
comparisons on integers (sort of...)
3APA3A [Fri, 23 Aug 2002 10:36:35 +0000 (10:36 +0000)]
- Statement that FreeRADIUS can't proxy MS-CHAPv1 removed
+ Added description of realms problem with MS-CHAPv2
3APA3A [Fri, 23 Aug 2002 09:55:43 +0000 (09:55 +0000)]
! MS-CHAP-MPPE-Keys changed to be encrypted with User-Password style
3APA3A [Fri, 23 Aug 2002 09:45:45 +0000 (09:45 +0000)]
- removed radpwencode - Attributes will be marked as encoded, all encoding/
decoding will be done automatically by libradius.
fcusack [Fri, 23 Aug 2002 06:18:37 +0000 (06:18 +0000)]
update for 0.7/0.8
aland [Thu, 22 Aug 2002 18:44:37 +0000 (18:44 +0000)]
Make radwho and radzap read 'radiusd.conf', to get the locations
of the radutmp files.
Patch from Andrea Gabellini
These files should really be moved to 'src/modules/rlm_radutmp',
and cleaned up.
aland [Thu, 22 Aug 2002 16:01:05 +0000 (16:01 +0000)]
Minor reformatting, and adding more debugging messages, to see
what the authenticate code is doing, and why it fails.
aland [Thu, 22 Aug 2002 15:23:48 +0000 (15:23 +0000)]
Updated, as we hope to be approaching another release soon.
aland [Thu, 22 Aug 2002 15:08:58 +0000 (15:08 +0000)]
Make realm comparisons case insensitive
aland [Thu, 22 Aug 2002 14:33:59 +0000 (14:33 +0000)]
Corrected name, and made VSA a Cisco VSA
Patch from Thomas Jalsovsky
kkalev [Thu, 22 Aug 2002 14:16:54 +0000 (14:16 +0000)]
Small html fix in password.php3
aland [Thu, 22 Aug 2002 14:14:20 +0000 (14:14 +0000)]
When doing group checks, call fgetgrnam on the *group* file, not
on the *passwd* file.
Patch from Maxim Konovalov
kkalev [Thu, 22 Aug 2002 14:09:52 +0000 (14:09 +0000)]
Small html fix in user_edit.php3
kkalev [Wed, 21 Aug 2002 22:46:36 +0000 (22:46 +0000)]
Print a message when ippool_authorize can't find the Pool-Name attribute
kkalev [Wed, 21 Aug 2002 12:36:47 +0000 (12:36 +0000)]
Remove the entry about a multi column index on the radacct table. It is not needed.
kkalev [Wed, 21 Aug 2002 12:25:24 +0000 (12:25 +0000)]
Add support for the user ldap regular profile attribute
aland [Tue, 20 Aug 2002 18:44:04 +0000 (18:44 +0000)]
Copied the MIBS over from GNU radius (which originally copied them
from the RFC's, which allow unlimited redistribution)
kkalev [Tue, 20 Aug 2002 14:49:56 +0000 (14:49 +0000)]
Add support for the max results setting in the user find page
kkalev [Tue, 20 Aug 2002 14:34:45 +0000 (14:34 +0000)]
Add find pages
kkalev [Tue, 20 Aug 2002 14:34:10 +0000 (14:34 +0000)]
Add a user find page. User can be searched based on the full name, department or RADIUS attribute.
The radius attribute should be included in the _user_ profile, not in a group/regular/default profile.
kkalev [Tue, 20 Aug 2002 11:59:06 +0000 (11:59 +0000)]
Add a help page for the Expiration attribute
kkalev [Tue, 20 Aug 2002 11:58:34 +0000 (11:58 +0000)]
* Add support for the Expiration attribute. Add it in the sql attribute map, in user_edit.attrs and
check for it in user_admin
* Add a few more keys in the userinfo and badusers tables.
* Fix a problem with lib/sql/defaults.php3 where the first character in the default value when using
operators was set to the operator
kkalev [Tue, 20 Aug 2002 10:53:27 +0000 (10:53 +0000)]
Fix a few typos
kkalev [Tue, 20 Aug 2002 10:50:45 +0000 (10:50 +0000)]
Update the FAQ about missing attributes from the user/group edit pages and add a few comments
in the configuration files
aland [Mon, 19 Aug 2002 15:34:27 +0000 (15:34 +0000)]
If the received data is larger than the packet length field,
then do the 'memset' on the internal buffer, not on an uninitialized
pointer.
Patch from Vaughn Skinner
Also, enforce minimum/maximum packet lengths, based on the
contents of the 'length' field. Previously, we only did the checks
based on the number of bytes that were received.
This check adds one more restriction on input...
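The checks the entry above describes, as an added example in C that is not FreeRADIUS code: a validator that takes the number of octets actually received and the header's Length field separately, rejects a Length outside the RFC 2865 bounds (20 to 4096 octets) or larger than what arrived, and walks the attribute list so no attribute can run past the declared length. The sample Access-Request and its broken variants are constructed here for illustration; the enum names and check_sample() wrapper are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN 20    /* Code(1) Identifier(1) Length(2) Authenticator(16) */
#define RADIUS_MAX_LEN 4096  /* RFC 2865 section 3 */

enum rad_check {
    RAD_OK = 0,
    RAD_TOO_SHORT,   /* fewer than 20 octets received: no complete header */
    RAD_BAD_LENGTH,  /* Length field outside [20, 4096] */
    RAD_TRUNCATED,   /* Length field claims more octets than were received */
    RAD_BAD_ATTR     /* an attribute overruns the packet or has length < 2 */
};

/* Validate a received datagram. On success *pktlen is the length the header
 * declares; octets beyond it are padding and are ignored. Nothing is read
 * beyond 'received', whatever the Length field says. */
enum rad_check rad_validate(const uint8_t *buf, size_t received, size_t *pktlen)
{
    if (received < RADIUS_HDR_LEN) return RAD_TOO_SHORT;

    size_t len = ((size_t)buf[2] << 8) | buf[3];
    if (len < RADIUS_HDR_LEN || len > RADIUS_MAX_LEN) return RAD_BAD_LENGTH;
    if (len > received) return RAD_TRUNCATED;

    /* Attributes are Type(1) Length(1) Value(Length-2), all inside 'len'.
     * A Length below 2 would never advance the cursor, so reject it too. */
    size_t off = RADIUS_HDR_LEN;
    while (off < len) {
        if (len - off < 2) return RAD_BAD_ATTR;
        size_t alen = buf[off + 1];
        if (alen < 2 || alen > len - off) return RAD_BAD_ATTR;
        off += alen;
    }
    if (pktlen) *pktlen = len;
    return RAD_OK;
}

/* Constructed sample (not a capture): Access-Request, id 206, Length 25,
 * all-zero Request Authenticator, one User-Name attribute "bob". */
static const uint8_t sample_pkt[25] = {
    0x01, 0xce, 0x00, 0x19,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x01, 0x05, 'b', 'o', 'b'
};

/* Variants of the sample exercising each check: 0 valid; 1 Length claims
 * 200 octets but only 25 arrived (the case the patch fixes); 2 Length says
 * 16, below the header size; 3 attribute Length 0; 4 only 10 octets arrived. */
enum rad_check check_sample(int variant, size_t *pktlen)
{
    uint8_t buf[sizeof sample_pkt];
    size_t received = sizeof sample_pkt;
    memcpy(buf, sample_pkt, sizeof buf);
    switch (variant) {
    case 1: buf[3] = 200; break;
    case 2: buf[3] = 16; break;
    case 3: buf[21] = 0; break;
    case 4: received = 10; break;
    default: break;
    }
    return rad_validate(buf, received, pktlen);
}

/* Declared length of a variant, or 0 when it is rejected. */
size_t sample_pktlen(int variant)
{
    size_t n = 0;
    return check_sample(variant, &n) == RAD_OK ? n : 0;
}

int main(void)
{
    static const char *names[] = { "ok", "too short", "bad length", "truncated", "bad attribute" };
    for (int v = 0; v < 5; v++) {
        size_t len = 0;
        enum rad_check r = check_sample(v, &len);
        printf("variant %d: %s (declared length %zu)\n", v, names[r], len);
    }
    return 0;
}
```

The reason to check against both values is that the Length field is under the sender's control while the received octet count is not; code that sizes a memset or a copy from the header alone reads or writes past the real buffer, which is the uninitialized-pointer case the patch above corrects.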
aland [Fri, 16 Aug 2002 20:15:21 +0000 (20:15 +0000)]
Patch to simplify looking for snmp, and to make it work on
FreeBSD.
Hmm... maybe we should just include ucd-snmp, like Gnu-radius does...
Patch from Harrie Hazewinkel
aland [Fri, 16 Aug 2002 20:09:36 +0000 (20:09 +0000)]
Make 'radiusd' depend on the module libs, so that when a module
it needs changes, then radiusd will be re-built.
Based on a patch from Harrie Hazewinkel
kkalev [Fri, 16 Aug 2002 16:32:15 +0000 (16:32 +0000)]
Update Changelog
kkalev [Fri, 16 Aug 2002 16:32:03 +0000 (16:32 +0000)]
Add attributes for the sql group tables in admin.conf. Now SQL group support should really work!
kkalev [Fri, 16 Aug 2002 14:46:21 +0000 (14:46 +0000)]
Add an sql_groupcmp and a corresponding attribute Sql-Group. Remove the
authenticate_query from rlm_sql. The authorize_query should be enough.
kkalev [Fri, 16 Aug 2002 11:23:26 +0000 (11:23 +0000)]
Comment out Reply-Message in conf/user_edit.attrs since in sql it maps to the same attribute as
the lock message
aland [Thu, 15 Aug 2002 18:59:00 +0000 (18:59 +0000)]
Added "Ascend-Max-Shared-Users", which goes along with
"Ascend-Shared-Profile", or so says JJ Foote <dopefish@zerg.com>
aland [Thu, 15 Aug 2002 16:18:57 +0000 (16:18 +0000)]
Added spaces to make it easier to read.
aland [Thu, 15 Aug 2002 16:16:08 +0000 (16:16 +0000)]
File from Calum <calum.aug02@umtstrial.co.uk>
kkalev [Thu, 15 Aug 2002 15:57:22 +0000 (15:57 +0000)]
Add two entries in the counter database:
DEFAULT1 and DEFAULT2.
DEFAULT1 holds the time of the next database reset while
DEFAULT2 the time of the last database reset.
Every time the database is reset these entries are updated. When rlm_counter starts it
checks the next database reset time. If it is lower than the current time then rlm_counter
was not running at the time the database should have been reset. So we reset it now.
aland [Thu, 15 Aug 2002 14:44:56 +0000 (14:44 +0000)]
OK, make it work with test packet:
User-Name = "bob", User-Password = "bob", Framed-IP-Address = 1.2.3.4, NAS-IP-Address = 5.6.7.8
and 'users' file entry:
bob Auth-Type := Local, User-Password == "bob"
Tunnel-Client-Auth-Id:0 = `UPDATE ${acct_table1} SET FramedIPAddress = '%{Framed-IP-Address}', NASIPAddress='%{NAS-IP-Address}'`
and receiving reply:
Tunnel-Client-Auth-Id:0 = "UPDATE SET FramedIPAddress = '1.2.3.4', NASIPAddress='5.6.7.8'"
The only problem now, is that the not-found xlat's don't cause
errors.
fcusack [Thu, 15 Aug 2002 01:41:32 +0000 (01:41 +0000)]
Test for authenticate_query having a value, rather than its existence.
Problem noted by Justin Schoeman <justin@expertron.co.za>.
aland [Wed, 14 Aug 2002 19:02:37 +0000 (19:02 +0000)]
If we do not find the named xlat, or the attribute, and there's
nothing else to do (no :-${other} ), then skip the trailing closing
'}' in the input string.
Also, allow bare { and } in input strings, by using \ as an escape
character.
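The expansion rules this entry and the Aug 26 'users' file test above describe, as an added example in C that is not the server's xlat code: %{Attr}, %{Attr:-fallback} with nesting, literal braces written as \{ and \}, the closing '}' skipped when nothing is found, and the "unknown" complaint raised only when the name is neither in the request nor in the dictionary. The small dictionary and the sample request (the commit's test packet, which has no Stripped-User-Name) are constructed here; the function and type names are this example's own.

```c
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const char *value; } xpair;
typedef struct { char *out; size_t cap, len; int unknown; const xpair *req; size_t nreq; } xctx;

/* Constructed stand-in for the dictionary: names the server knows,
 * whether or not the current request carries them. */
static const char *dictionary[] = {
    "User-Name", "Stripped-User-Name", "Framed-IP-Address", "NAS-IP-Address", NULL
};

static int same(const char *s, const char *name, size_t n) { return strlen(s) == n && !memcmp(s, name, n); }

static int in_dictionary(const char *name, size_t n)
{
    for (int i = 0; dictionary[i]; i++) if (same(dictionary[i], name, n)) return 1;
    return 0;
}

static const char *lookup(const xctx *c, const char *name, size_t n)
{
    for (size_t i = 0; i < c->nreq; i++) if (same(c->req[i].name, name, n)) return c->req[i].value;
    return NULL;
}

static void put(xctx *c, const char *s, size_t n)
{
    for (size_t i = 0; i < n && c->len + 1 < c->cap; i++) c->out[c->len++] = s[i];
    c->out[c->len] = '\0';
}

/* Skip an unused ":-fallback" up to and past the '}' that closes it,
 * honouring nested %{...} and backslash escapes. */
static const char *skip_fallback(const char *p)
{
    for (int depth = 0; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }
        if (p[0] == '%' && p[1] == '{') { depth++; p++; continue; }
        if (*p == '}' && depth-- == 0) return p + 1;
    }
    return p;
}

/* Expand until NUL, or (when nested) until the '}' closing the enclosing
 * %{...}, which is consumed. Returns where scanning stopped. */
static const char *expand(xctx *c, const char *p, int nested)
{
    while (*p) {
        if (*p == '\\' && p[1]) { put(c, p + 1, 1); p += 2; continue; } /* \{ and \} stay literal */
        if (nested && *p == '}') return p + 1;
        if (p[0] != '%' || p[1] != '{') { put(c, p++, 1); continue; }

        const char *name = (p += 2);
        while (*p && *p != '}' && !(p[0] == ':' && p[1] == '-')) p++;
        size_t n = (size_t)(p - name);
        const char *val = lookup(c, name, n);
        if (!val && !in_dictionary(name, n)) c->unknown++; /* complain only if no such attribute exists at all */

        if (p[0] == ':' && p[1] == '-') {
            p += 2;
            if (val) { put(c, val, strlen(val)); p = skip_fallback(p); }
            else p = expand(c, p, 1);       /* the fallback may itself contain %{...} */
        } else {
            if (val) put(c, val, strlen(val));
            if (*p == '}') p++;             /* skip the closing '}' even when nothing was found */
        }
    }
    return p;
}

/* Returns how many names were neither in the request nor in the dictionary. */
int xlat_expand(const char *fmt, const xpair *req, size_t nreq, char *out, size_t cap)
{
    xctx c = { out, cap, 0, 0, req, nreq };
    out[0] = '\0';
    expand(&c, fmt, 0);
    return c.unknown;
}

/* The commit's test packet, constructed here; note there is no Stripped-User-Name. */
static const xpair sample_req[] = {
    { "User-Name", "bob" }, { "Framed-IP-Address", "1.2.3.4" }, { "NAS-IP-Address", "5.6.7.8" }
};

/* Wrappers over the sample request; xlat_demo returns a static buffer. */
const char *xlat_demo(const char *fmt, int *unknown)
{
    static char out[256];
    int u = xlat_expand(fmt, sample_req, sizeof sample_req / sizeof *sample_req, out, sizeof out);
    if (unknown) *unknown = u;
    return out;
}
int xlat_demo_unknown(const char *fmt) { int u; xlat_demo(fmt, &u); return u; }

int main(void)
{
    static const char *fmts[] = { "(uid=%{Stripped-User-Name:-%{User-Name:-none}})",
        "\\{%{Stripped-User-Name}\\}", "%{No-Such-Attribute}x" };
    for (size_t i = 0; i < 3; i++) {
        int u; const char *r = xlat_demo(fmts[i], &u);
        printf("%s -> \"%s\" (unknown names: %d)\n", fmts[i], r, u);
    }
    return 0;
}
```

Scanning advances only where a character has actually been consumed, which is the loop shape the Aug 26 entry contrasts with the old 'for (...p++)'; the escape handling is what lets a reply value carry literal braces without opening an expansion.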
aland [Wed, 14 Aug 2002 17:01:49 +0000 (17:01 +0000)]
Added new function: 'pairxlatmove', which works like pairmove(),
but does xlat, too.
Made rlm_files use it for the replies, so that the reply attributes
can be dynamically translated.
kkalev [Wed, 14 Aug 2002 16:21:59 +0000 (16:21 +0000)]
Add a new configuration directive, new_attribute. If it is set then searchfor
will be ignored and a new attribute will be created with the value contained
in replacewith and it will be added to searchin (packet,reply or config)
aland [Wed, 14 Aug 2002 15:39:49 +0000 (15:39 +0000)]
Re-set the 'octets' length to 0, only if we actually have octets.
Complain if we receive non-octet characters.
Bug found by Francois Dessart
kkalev [Wed, 14 Aug 2002 14:31:39 +0000 (14:31 +0000)]
Add support for the Rewrite-Rule attribute in rlm_attr_rewrite
kkalev [Wed, 14 Aug 2002 14:00:12 +0000 (14:00 +0000)]
When updating ldap user information don't do an update if the new attribute value
is '-' (default value)
kkalev [Wed, 14 Aug 2002 13:44:45 +0000 (13:44 +0000)]
Call sql_finish_select_query and sql_release_socket in the correct when we
run the authenticate query
kkalev [Wed, 14 Aug 2002 12:28:00 +0000 (12:28 +0000)]
Add a few more things about the xlat function.
kkalev [Tue, 13 Aug 2002 16:18:21 +0000 (16:18 +0000)]
Also use da_sql_error when reporting errors
kkalev [Tue, 13 Aug 2002 15:55:52 +0000 (15:55 +0000)]
Call da_sql_error with correct arguments
kkalev [Tue, 13 Aug 2002 15:50:13 +0000 (15:50 +0000)]
Comment out the Reply-Message entry in user_edit.attrs.
aland [Tue, 13 Aug 2002 15:49:29 +0000 (15:49 +0000)]
More documentation.
Die with error (instead of segv) if no detail file is given.
Patch from Simon <lists@routemeister.net>
kkalev [Tue, 13 Aug 2002 15:42:45 +0000 (15:42 +0000)]
When reporting sql errors also print the output of da_sql_error
kkalev [Tue, 13 Aug 2002 15:03:06 +0000 (15:03 +0000)]
html fixes in show_groups.php3
kkalev [Tue, 13 Aug 2002 11:08:39 +0000 (11:08 +0000)]
Add a show_groups.php3 to show all active user groups
kkalev [Tue, 13 Aug 2002 10:18:30 +0000 (10:18 +0000)]
* Allow the administrator to specify a group in the New User page. Update lib/sql/create_user.php3 to add
the user to the specified group
* Call user_info.php3 and defaults.php3 in user_new.php3 after creating a user
* Only run if $login is not NULL in lib/sql/defaults.php3
* In group admin add a button to administer the selected user which will redirect the administrator to the
corresponding user_admin page
kkalev [Tue, 13 Aug 2002 08:33:24 +0000 (08:33 +0000)]
Add Reply-Message in conf/user_edit.attrs so that it appears in the user/group edit pages
kkalev [Tue, 13 Aug 2002 07:59:56 +0000 (07:59 +0000)]
* Only call user_info.php3 in user_new.php3 when we are creating a user
* Fix a bug with personal information attributes in user_new.php3
kkalev [Tue, 13 Aug 2002 07:00:23 +0000 (07:00 +0000)]
* Have address and home address in user personal info
* Set $user_info in lib/{ldap,sql}/user_info.php3 and only if the user exists and has personal info
* Show language attributes only if general_prefered_lang is not 'en'
kkalev [Tue, 13 Aug 2002 06:27:25 +0000 (06:27 +0000)]
Set personal information attributes to defaults in lib/ldap/user_info.php3
kkalev [Tue, 13 Aug 2002 06:26:12 +0000 (06:26 +0000)]
Fix a typo for department
kkalev [Mon, 12 Aug 2002 21:47:20 +0000 (21:47 +0000)]
Set a few more personal information attributes to defaults in lib/sql/user_info.php3
kkalev [Mon, 12 Aug 2002 21:34:19 +0000 (21:34 +0000)]
* Now that ldap_groupcmp is complete we really don't need access_group. Removed it.
* Remember to free groupmemb_attribute in ldap_detach
* Update documentation and radiusd.conf
aland [Mon, 12 Aug 2002 15:29:00 +0000 (15:29 +0000)]
Added better filter for LDAP uid, as posted to the list by Kostas.
%{Stripped-User-Name:-%{User-Name}} is better than %u
kkalev [Mon, 12 Aug 2002 13:38:05 +0000 (13:38 +0000)]
Use a textarea for new members in group_admin.php3 and group_new.php3. Update lib/sql/create_group.php3 and
lib/sql/group_admin.php3
kkalev [Mon, 12 Aug 2002 13:08:20 +0000 (13:08 +0000)]
* Fix a small bug in lib/sql/create_user.php3 where work and home phone were stored in the wrong fields.
* Set personal information attributes in lib/sql/user_info.php3 to default values.
* Add a page to change the user's personal information. Changed the user toolbar and added htdocs/user_info.php3
along with lib/{sql,ldap}/change_info.php3
* Print a message if we can't connect to the ldap server in lib/ldap/user_info.php3
kkalev [Sun, 11 Aug 2002 22:59:02 +0000 (22:59 +0000)]
Move sql_get_socket deeper inside rlm_sql_checksimul
kkalev [Sun, 11 Aug 2002 20:27:24 +0000 (20:27 +0000)]
Add a few missing sql_release_socket. Patch from Kevin Bonner <keb@pa.net>
kkalev [Sun, 11 Aug 2002 17:49:16 +0000 (17:49 +0000)]
* Add support for group membership attribute inside the user entry in ldap_groupcmp. The attribute
can either contain the name or the DN of the group. Added the groupmembership_attribute
configuration directive
* Move the ldap_{get,release}_conn in ldap_groupcmp so that we hold a connection for the minimum time.
* Update documentation and radiusd.conf
kkalev [Sun, 11 Aug 2002 09:46:48 +0000 (09:46 +0000)]
Do an xlat on the search and replace strings
kkalev [Sat, 10 Aug 2002 18:52:24 +0000 (18:52 +0000)]
Update Changelog
kkalev [Sat, 10 Aug 2002 18:46:33 +0000 (18:46 +0000)]
The new group page should only be available if the general library type is sql
kkalev [Sat, 10 Aug 2002 16:49:21 +0000 (16:49 +0000)]
* Add support for groups in SQL. Added several new files and modified a few more.
* Default values in SQL are now extracted from the group membership. Added a lib/sql/defaults.php3 file.
As a result the default operator is not '=' anymore but whatever we find in the group check and reply tables.
* In lib/sql/user_info.php3 set user_exists in more than one places.
* Add support for the '=*' and '!*' operators
* Added a HELP_WANTED file describing what are the major things missing which people could contribute.
* Updated TODO
fcusack [Fri, 9 Aug 2002 14:58:15 +0000 (14:58 +0000)]
XSUB.h
aland [Thu, 8 Aug 2002 18:30:04 +0000 (18:30 +0000)]
Don't do "ptr++" when skipping over a tag for string tunnel attributes.
That screws up the count of attrlen and length.
Instead, remember that there's an offset to skip the tag, and
don't play games with ptr.
aland [Tue, 6 Aug 2002 17:33:40 +0000 (17:33 +0000)]
Change '!=' to '==', so Cisco garbage like:
foo-bar-baz = "boo-bar-baz = 5"
Will work.
aland [Tue, 6 Aug 2002 16:50:31 +0000 (16:50 +0000)]
A big sweep of changes to use 'configure' to discover which header
files exist, and when to include them.
This code is *really* bad. It uses inet_aton, and gethostby..,
and has a lot of compiler warnings. Someone should really go
through it, and clean it up.
aland [Tue, 6 Aug 2002 16:11:39 +0000 (16:11 +0000)]
Run autoheader, too, when re-building module configure scripts
aland [Tue, 6 Aug 2002 15:27:21 +0000 (15:27 +0000)]
Added note about Exec-Program, with samples.
aland [Tue, 6 Aug 2002 15:26:27 +0000 (15:26 +0000)]
Added note about 'printenv'
aland [Tue, 6 Aug 2002 15:20:38 +0000 (15:20 +0000)]
Updated so gdbm-ndbm.h isn't found to be the same as gdbm/ndbm.h
Bug found by Eric Reischer