kkalev [Thu, 20 Dec 2001 13:24:01 +0000 (13:24 +0000)]
Add changelog for recent changes in rlm_ldap.c
Add documentation for ldap_xlat in rlm_ldap
kkalev [Wed, 19 Dec 2001 21:06:06 +0000 (21:06 +0000)]
Add ldap caching. Make rlm_ldap thread safe. Fix a memory leak in ldap_xlat.
Remove a few dict_attrbyname in ldap_pairget which were unneeded.
Move two radius_xlat's in ldap_authenticate to the right place.
aland [Wed, 19 Dec 2001 20:22:43 +0000 (20:22 +0000)]
When decoding an attribute, break, and do NOT fall through to
copying extra characters.
Bug found and patch posted by radius@palosanto.com
kkalev [Wed, 19 Dec 2001 16:26:05 +0000 (16:26 +0000)]
Add user definable counter reset values. Something like:
reset = 10h where h means hours
fcusack [Wed, 19 Dec 2001 04:44:46 +0000 (04:44 +0000)]
Don't do anything if Auth-Type already set and == Reject
kkalev [Tue, 18 Dec 2001 21:49:07 +0000 (21:49 +0000)]
Add support for 'never' counter expiration.
Patch by Aleksandr Kuzminsky <ingoth@nbi.com.ua>
fcusack [Sun, 16 Dec 2001 03:47:25 +0000 (03:47 +0000)]
protect against missing dictionary entries when setting up known password types
fcusack [Sat, 15 Dec 2001 06:01:18 +0000 (06:01 +0000)]
MS-MPPE-Encryption-Types, not MS-MPPE-Encryption-Type (per RFC 2548).
fcusack [Sat, 15 Dec 2001 04:21:31 +0000 (04:21 +0000)]
remove #ifdef for vendor_dict hack.
fcusack [Sat, 15 Dec 2001 04:01:54 +0000 (04:01 +0000)]
correct usage hint for challenge_req.
fcusack [Fri, 14 Dec 2001 23:23:46 +0000 (23:23 +0000)]
Use attribute settings for 0.4+. My local tree is a butchered 0.3 which
is why this setting is even #ifdef'd.
fcusack [Fri, 14 Dec 2001 22:50:05 +0000 (22:50 +0000)]
Add flexible password support -- now supports pap/chap/mschap/mschapv2 and mppe.
fcusack [Fri, 14 Dec 2001 22:44:13 +0000 (22:44 +0000)]
forgot this earlier
fcusack [Fri, 14 Dec 2001 22:42:24 +0000 (22:42 +0000)]
Use MD5_DIGEST_LENGTH instead of '16'.
fcusack [Fri, 14 Dec 2001 22:34:52 +0000 (22:34 +0000)]
misc updates
aland [Fri, 14 Dec 2001 16:05:16 +0000 (16:05 +0000)]
If we have an SQL query error, then the request is NOT invalid.
Instead, return NOOP, as we're unable to do anything.
Additional minor cosmetic changes
aland [Thu, 13 Dec 2001 18:06:46 +0000 (18:06 +0000)]
removed no longer needed define for WITH_THREAD_POOL
aland [Thu, 13 Dec 2001 18:02:45 +0000 (18:02 +0000)]
define major and minor revisions separately, so that we can
use them separately (later) for version controlling the modules
aland [Thu, 13 Dec 2001 17:55:29 +0000 (17:55 +0000)]
finish a dangling sentence
cmiller [Thu, 13 Dec 2001 14:30:04 +0000 (14:30 +0000)]
debian: updated to 0.4
aland [Thu, 13 Dec 2001 04:08:40 +0000 (04:08 +0000)]
use the proper target for in-src-tree library testing
aland [Thu, 13 Dec 2001 04:06:26 +0000 (04:06 +0000)]
deleted yet another copy of rules.mak
updated lower-level make file to use upper-level rules.mak
aland [Thu, 13 Dec 2001 04:01:29 +0000 (04:01 +0000)]
Add include cflag for libltdl
aland [Thu, 13 Dec 2001 04:01:01 +0000 (04:01 +0000)]
removed unnecessary header files.
re-arranged so as to not conflict
aland [Thu, 13 Dec 2001 03:36:51 +0000 (03:36 +0000)]
cleaned up to remove include of /usr/include (should be done
on all sane C compilers), and link to -lc
Additional minor fixes
cparker [Wed, 12 Dec 2001 22:39:55 +0000 (22:39 +0000)]
Retagged tree with 0.5 version, as 0.4 is released.
raghu [Wed, 12 Dec 2001 02:05:14 +0000 (02:05 +0000)]
EAP module with supported EAP types
raghu [Wed, 12 Dec 2001 02:01:43 +0000 (02:01 +0000)]
EAP authentication type -- MD5
raghu [Wed, 12 Dec 2001 02:00:01 +0000 (02:00 +0000)]
All supported EAP authentication types
raghu [Wed, 12 Dec 2001 01:57:23 +0000 (01:57 +0000)]
EAP module for all EAP based authentications
aland [Tue, 11 Dec 2001 22:35:36 +0000 (22:35 +0000)]
As posted to the list by Jeremy McNamara <jj@indie.org>
This is apparently mostly a copy of the Cisco dictionary.
aland [Wed, 5 Dec 2001 18:27:24 +0000 (18:27 +0000)]
Removed extraneous 'vp_printlist', which was causing confusion.
Problem found by radius@palosanto.com
3APA3A [Thu, 29 Nov 2001 09:45:00 +0000 (09:45 +0000)]
! Vendor-Specific attribute check added to rad_receive to avoid memory
corruption in case of invalid attribute length inside Vendor-Specific
attribute
! dict_vendorcode() call removed from rad_decode(). We do not need it any
more.
kkalev [Tue, 27 Nov 2001 22:44:24 +0000 (22:44 +0000)]
Add xlat_register and xlat_unregister functions. Now modules can register their
own xlat functions. That way we can have ldap URLs or SQL selects in xlat
strings. These strings will be of the form:
%{module:string}
For example for ldap it will be something like this:
%{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}
Also added ldap_xlat in rlm_ldap.c as defined above. It allows for LDAP URLs
in xlat strings.
cmiller [Sun, 25 Nov 2001 20:12:09 +0000 (20:12 +0000)]
debian: export DH_COMPAT variable, so /etc/raddb/* are listed as conffiles.
fcusack [Wed, 21 Nov 2001 11:46:03 +0000 (11:46 +0000)]
Correct a comment
fcusack [Wed, 21 Nov 2001 11:30:12 +0000 (11:30 +0000)]
fix mem leak from sync_mode: free an instance var on destruction.
cmiller [Tue, 20 Nov 2001 17:19:28 +0000 (17:19 +0000)]
debian: remove empty directory /var/log/freeradius
debian: changed logfile-rolling to use logrotate instead of cron and 'savelog'
debian: improved initscript.
cmiller [Tue, 20 Nov 2001 17:15:38 +0000 (17:15 +0000)]
Include check for gdbm-ndbm.h file, for GDBM versions near 1.7.3 .
cmiller [Tue, 20 Nov 2001 17:13:22 +0000 (17:13 +0000)]
Close STD{IN,OUT,ERR} if not running in debug mode. (Debian Bug#11678)
cmiller [Tue, 20 Nov 2001 15:41:15 +0000 (15:41 +0000)]
Added "standard" (non /usr/local/) paths for postgresql headers and libs.
3APA3A [Thu, 15 Nov 2001 18:04:41 +0000 (18:04 +0000)]
+ support for MS-CHAPv2. SHA1 digest support was added (sha1.c, sha2.c)
MS-CHAPv2 was not tested in real life. Please give feedback if you
get any result.
! module is configurable via radiusd.conf and supports instances
! module supports both authorization and authentication. Authorization
sets authentication to MS-CHAP if any NTLM-related things are found.
It will allow dynamically choosing between PAP, CHAP, MS-CHAP, etc.
based on attributes given by NAS.
During authorization new attributes are added to config_items:
LM-Password - LM-encoded password
NT-Password - NT-encoded password
SMB-Account-CTRL - account control flags in SAMBA format
During authentication these attributes are checked against data
provided by NAS.
- RFC 2433 text with MS-CHAPv1 description removed. Microsoft attributes
are covered by RFC 2458, MS-CHAPv2 - RFC 2759. You can obtain them
all from www.rfceditor.org or www.freeradius.org/rfc/
3APA3A [Thu, 15 Nov 2001 17:26:14 +0000 (17:26 +0000)]
Added NT/LM password attributes. They will be created during MS-CHAP
authorization or you can store them in raddb/users
mschap module sample configuration added
kkalev [Thu, 15 Nov 2001 14:41:50 +0000 (14:41 +0000)]
Do an xlat on the access_group attribute.
Patch by Gordon Tetlow <gordont@gnf.org>
Also, use groupmembership_filter attribute as filter for user membership
in the access group.
kkalev [Thu, 15 Nov 2001 00:22:36 +0000 (00:22 +0000)]
Added function ldap_groupcmp(). Now we can do checks on user ldap group membership.
aland [Tue, 13 Nov 2001 23:08:39 +0000 (23:08 +0000)]
This patch eliminates Oracle's complaints in rare cases when:
- retrieved field is NULL (e.g., SQL operators) - ORA-01405 fetched
column value is NULL
- field has as many characters as it was declared with
(a 40 char field has 40 characters) - ORA-01406 fetched column
value was truncated.
Patch from Mitry Matyushkov <mitry@todes.org.by>
fcusack [Sun, 11 Nov 2001 06:18:49 +0000 (06:18 +0000)]
Add config hint for pam_radius
fcusack [Sun, 11 Nov 2001 05:17:10 +0000 (05:17 +0000)]
Support fast_sync mode, which allows responses without an explicit challenge.
kkalev [Fri, 9 Nov 2001 00:53:09 +0000 (00:53 +0000)]
Change paircmp,paircompare,simplapaircmp and RAD_COMPARE_FUNC to allow for
the use of radius_xlat() in paircompare functions
cparker [Thu, 8 Nov 2001 23:27:45 +0000 (23:27 +0000)]
Added dictionary entries to support RFC-2867 Tunnel Accounting.
aland [Thu, 8 Nov 2001 16:58:56 +0000 (16:58 +0000)]
No authhost in proxy means LOCAL
No accthost in proxy means LOCAL
Corrected bug where acct_port for proxy was set to auth_port
cparker [Thu, 8 Nov 2001 01:12:32 +0000 (01:12 +0000)]
Added function prototypes for RFC2868 encryption/decryption to
support Tunnel-Password attributes.
cparker [Thu, 8 Nov 2001 01:04:33 +0000 (01:04 +0000)]
Removed #ifdef for printing tunnel attribute tags in the Merit
format, because we don't want to do that. Ever. :)
cparker [Thu, 8 Nov 2001 00:53:01 +0000 (00:53 +0000)]
Dictionary changes to include 'dictionary.tunnel' by default
and tag/encryption options set correctly in 'dictionary.tunnel'
cparker [Thu, 8 Nov 2001 00:49:48 +0000 (00:49 +0000)]
Added final support to encrypt/decrypt RFC-2868 Tunnel-Password
attributes when sending and receiving.
aland [Wed, 7 Nov 2001 21:06:45 +0000 (21:06 +0000)]
If we're not caching the password, use fgetpwent() to walk
through the specified password file.
Yes, fgetpwent() isn't portable. A fix for that requires
another patch...
Patch from Daniel Carroll <freeradius@defiant.mesastate.edu>
aland [Wed, 7 Nov 2001 15:55:14 +0000 (15:55 +0000)]
Print out the proper verified message.
Bug noted by Simon Oakley <soakley@nextone.com>
aland [Wed, 7 Nov 2001 15:20:06 +0000 (15:20 +0000)]
If the thread is already at the tail, don't move it.
aland [Wed, 7 Nov 2001 15:16:24 +0000 (15:16 +0000)]
Hmm... pid may be unsigned apparently. So checking if it's smaller
than zero is NOT a good thing. So we cast it to 'int' to get around
the problem.
fcusack [Wed, 7 Nov 2001 08:18:44 +0000 (08:18 +0000)]
Use "long names" for config vars, rather than abbreviated names.
fcusack [Wed, 7 Nov 2001 07:30:48 +0000 (07:30 +0000)]
Remove ActivCard-related TODO's, will add a doc note about this later.
aland [Tue, 6 Nov 2001 19:02:56 +0000 (19:02 +0000)]
Threads don't block SIGCHLD.
Do waitpid() even when using threads, to clean up Exec-Program
child processes.
Bug noted by "louzhigang" <cddxj@21cn.com>
aland [Tue, 6 Nov 2001 18:37:02 +0000 (18:37 +0000)]
Added empty FreeRADIUS Vendor-Specific dictionary.
Any on-the-wire attributes which are specific to the server MUST
go into this dictionary.
cparker [Tue, 6 Nov 2001 16:41:49 +0000 (16:41 +0000)]
Fixed bug where having remote authhost and LOCAL accthost caused
requests not to be proxied or replied to.
aland [Mon, 5 Nov 2001 15:18:50 +0000 (15:18 +0000)]
Parse 'accthost' from the realm configuration, and use it in
the various logic decisions.
kkalev [Sat, 3 Nov 2001 00:25:01 +0000 (00:25 +0000)]
- Added authorize() function to set Auth-Type = CHAP if Chap-Password exists
- Added module messages when rejecting user
kkalev [Fri, 2 Nov 2001 23:03:02 +0000 (23:03 +0000)]
Change default password_attribute to NULL
pam [Fri, 2 Nov 2001 10:24:36 +0000 (10:24 +0000)]
Change to proper operator in assigning Auth-Type to LDAP
bug noted by Kostas Kalevras <kkalev@noc.ntua.gr>
kkalev [Fri, 2 Nov 2001 01:18:28 +0000 (01:18 +0000)]
Add:
o Module Messages in rlm_ldap when we reject a user
o Add password to config_items stripping off any headers.
password_header and password_attribute directives are defined
Update documentation and configuration file
aland [Thu, 1 Nov 2001 17:02:05 +0000 (17:02 +0000)]
Update to use new definition of dict_addattr()
cparker [Thu, 1 Nov 2001 00:55:17 +0000 (00:55 +0000)]
Missed case where tag was not set for PW_TYPE_INTEGER correctly.
This is now handled properly when writing vp's into the packet
data.
cparker [Thu, 1 Nov 2001 00:36:22 +0000 (00:36 +0000)]
Added TAG_ANY attribute tag definition to allow tags to be
wildcarded in Check-Items and in modules like attr_filter.
cparker [Thu, 1 Nov 2001 00:19:30 +0000 (00:19 +0000)]
Corrected tunnel attribute names to match the RFC.
cparker [Thu, 1 Nov 2001 00:06:43 +0000 (00:06 +0000)]
Updated 'pairmake()' to allow parsing of Tags for attributes.
Supports both native ( Attribute:Tag = Value ) and Merit's
syntax ( Attribute = :Tag:Value ).
aland [Wed, 31 Oct 2001 18:17:45 +0000 (18:17 +0000)]
After reading the configuration files, IF we're not debugging,
then trap a number of fatal signals.
If we're debugging, then don't trap fatal signals, so that the OS
can dump core.
cparker [Wed, 31 Oct 2001 17:11:43 +0000 (17:11 +0000)]
Updated dictionary.tunnel to support new method for specifying
tagged attributes. Added additional attributes specified in
RFC 2868.
cparker [Wed, 31 Oct 2001 17:01:13 +0000 (17:01 +0000)]
Initial patch to allow support for RFC 2868 Tagged Attributes.
This patch adds to the ATTR_FLAGS struct for attributes, and
will read tag and vendor options properly from the dictionary.
It also parses tags into the FLAGS struct on received packets.
'dict_addattr' has an additional option to pass the ATTR_FLAGS
struct when reading the dictionary.
aland [Wed, 31 Oct 2001 16:19:06 +0000 (16:19 +0000)]
In pairmove2, if given Vendor-Specific, then move ALL vendor
specific attributes.
Updated rfc_clean() to move VSA's over, so that they can appear
in authentication reject packets, too.
aland [Wed, 31 Oct 2001 15:29:56 +0000 (15:29 +0000)]
Small bugfix by "Nikolay P. Romanyuk" <mag@vtelecom.ru>
aland [Wed, 31 Oct 2001 15:29:18 +0000 (15:29 +0000)]
Change '=' in if to '=='
aland [Tue, 30 Oct 2001 19:16:55 +0000 (19:16 +0000)]
Allow operators in the SQL table. This patch (so far) doesn't
include changes to the SQL queries, which still have to be
updated.
Patch from Mitry Matyushkov <mitry@todes.org.by>
aland [Tue, 30 Oct 2001 17:45:24 +0000 (17:45 +0000)]
Added 'radlog_dest' variable, so we can set the destination of
the log messages to files, syslog, stdout, or stderr, without
over-loading the normal logging directory.
This can NOT be set from the configuration file yet. That patch
is next.
aland [Tue, 30 Oct 2001 17:22:04 +0000 (17:22 +0000)]
Updated MPP and simultaneous-use checking
Patch from Kostas Kalevras <kkalev@noc.ntua.gr>
aland [Tue, 30 Oct 2001 17:12:24 +0000 (17:12 +0000)]
Added ATTR_FLAGS data structure from Cistron, and updated
references to 'addport'.
aland [Tue, 30 Oct 2001 16:36:48 +0000 (16:36 +0000)]
Removed mapping of vendor Private Enterprise Code to internal code.
We now use the vendor PEC directly, which means that we error out
if the vendor PEC is larger than 65535.
Fixing that problem requires major changes to the source, which
can wait until later.
aland [Tue, 30 Oct 2001 15:38:58 +0000 (15:38 +0000)]
Added note on broken Bay software
aland [Mon, 29 Oct 2001 21:41:22 +0000 (21:41 +0000)]
Make CHAP authentication a module, instead of having it in
the server core.
Patch from Kostas Kalevras <kkalev@noc.ntua.gr>
aland [Mon, 29 Oct 2001 21:29:54 +0000 (21:29 +0000)]
Support PAP, MS-CHAP, and use /etc/smbpasswd file, if so configured
Patch from 3APA3A <3APA3A@SECURITY.NNOV.RU>
aland [Mon, 29 Oct 2001 21:04:51 +0000 (21:04 +0000)]
When rejecting the user, add a Module-Message saying why.
Patch from Kostas Kalevras <kkalev@noc.ntua.gr>
aland [Mon, 29 Oct 2001 21:02:35 +0000 (21:02 +0000)]
If we have a Module-Message, then print it out when rejecting
or denying the request.
Patch from Kostas Kalevras <kkalev@noc.ntua.gr>
aland [Mon, 29 Oct 2001 20:58:01 +0000 (20:58 +0000)]
Added defines for Module-Message, to allow modules to pass messages
around.
Patch from Kostas Kalevras <kkalev@noc.ntua.gr>
aland [Mon, 29 Oct 2001 19:13:48 +0000 (19:13 +0000)]
removed old sql defines
aland [Mon, 29 Oct 2001 18:58:14 +0000 (18:58 +0000)]
Added more text on using PAM, as posted to the list by
"Bruce Ritchie" <bruce.ritchie@maclaren.com>
aland [Mon, 29 Oct 2001 16:45:01 +0000 (16:45 +0000)]
Allow the ldap module to use a start tls command with the ldap server.
Patch from Andrew Kukhta <andy@wubn.net>, with added 'configure'
checks
aland [Fri, 26 Oct 2001 19:04:42 +0000 (19:04 +0000)]
Build the utilities on static && dynamic targets, instead of 'all'
aland [Fri, 26 Oct 2001 16:59:38 +0000 (16:59 +0000)]
create the binary directory before installing the binaries
cparker [Fri, 26 Oct 2001 00:24:12 +0000 (00:24 +0000)]
Preliminary support for displaying Tunnel attributes as defined in
RFC 2868. Tag is properly printed for both string and integer
attributes when server or radclient displays A/V debugging pairs.
raddb/dictionary.tunnel is not changed yet. Type will need to be updated
for the tunnel attributes to t_string or t_integer for these changes
to be displayed.
aland [Thu, 25 Oct 2001 21:46:16 +0000 (21:46 +0000)]
If we're using threads, block SIGINT, SIGQUIT, too. And use
pthread_sigmask(), instead of sigprocmask().
This may fix CPU loading problems when there's a problem...
aland [Thu, 25 Oct 2001 21:05:28 +0000 (21:05 +0000)]
Corrected typo in last commit
aland [Thu, 25 Oct 2001 20:44:57 +0000 (20:44 +0000)]
Add a 'Realm' attribute for local realms.