kkalev [Tue, 7 Dec 2004 18:40:28 +0000 (18:40 +0000)]
Add a return-attribute directive. That way we can send back configurable
attributes instead of session-timeout. The return-attribute will work *only*
if we *don't* count Acct-Session-Time
aland [Tue, 7 Dec 2004 18:04:27 +0000 (18:04 +0000)]
Minor updates
aland [Tue, 7 Dec 2004 17:59:48 +0000 (17:59 +0000)]
First stab at documentation.
aland [Tue, 7 Dec 2004 00:27:36 +0000 (00:27 +0000)]
Document new load balancing among the modules
aland [Mon, 6 Dec 2004 20:57:02 +0000 (20:57 +0000)]
whitespace
Better error messages if we can't find a module
kkalev [Mon, 6 Dec 2004 16:47:02 +0000 (16:47 +0000)]
Print out statistics every so many packets if we are in forground. Useful for
perfomance testing
kkalev [Mon, 6 Dec 2004 15:28:44 +0000 (15:28 +0000)]
inline ms_sleep and isdateline
Make the sleep time between sending packets configurable
Also sleep only after sending a configurable number of packets (default 1)
aland [Mon, 6 Dec 2004 00:26:19 +0000 (00:26 +0000)]
All policies have to be in named policies...
aland [Sun, 5 Dec 2004 23:54:32 +0000 (23:54 +0000)]
Parse load-balance groups by parsing them as normal groups,
and then setting their type to MOD_LOAD_BALANCE. This means
that the parsing code is the same (nice), but that their processing
is done by the special "load-balance" group.
aland [Sun, 5 Dec 2004 23:40:15 +0000 (23:40 +0000)]
Added some support for load balancing sections. Some defines,
and a function to do load balancing, if and when they're defined.
We still have to write the code to parse the load balancing stuff,
and create the data structures...
aland [Sat, 4 Dec 2004 18:02:52 +0000 (18:02 +0000)]
Sample of policy language
aland [Sat, 4 Dec 2004 17:58:04 +0000 (17:58 +0000)]
First pass at a "policy language"
In the tradition of programmers everywhere, there's no documentation.
But it works, honest
aland [Fri, 3 Dec 2004 18:41:24 +0000 (18:41 +0000)]
Get less excited about % in strings...
aland [Fri, 3 Dec 2004 18:24:31 +0000 (18:24 +0000)]
Change $(INSTALL) to $(LIBTOOL) --mode=install $(INSTALL)
It doesn't hurt, and it helps some platforms work.
kkalev [Fri, 3 Dec 2004 16:13:42 +0000 (16:13 +0000)]
Fix Bug #167
aland [Wed, 1 Dec 2004 22:33:29 +0000 (22:33 +0000)]
Added Request-Processing-Stage as an xlat, in which modules
can now discover which stage they're in.
aland [Wed, 1 Dec 2004 22:31:58 +0000 (22:31 +0000)]
Line-based log module.
No examples of documentation yet.
pnixon [Tue, 30 Nov 2004 15:47:09 +0000 (15:47 +0000)]
add a make target to install radwatch only
kkalev [Tue, 30 Nov 2004 13:02:23 +0000 (13:02 +0000)]
Update documentation about read_groups
kkalev [Tue, 30 Nov 2004 12:57:06 +0000 (12:57 +0000)]
Update configuration about read_groups
kkalev [Tue, 30 Nov 2004 12:52:10 +0000 (12:52 +0000)]
* Add a default '1' in the priority column definition of the usergroup table
* Add a read_groups directive (by default 'yes'). If set we read groups non
the less. Otherwise, the user MUST have a Fall-Through = Yes in radreply
pnixon [Tue, 30 Nov 2004 10:45:56 +0000 (10:45 +0000)]
Use freeradius Timestamp field as it implicitly has a Timezone AND exists in EVERY record regardless of NAS Type
pnixon [Fri, 26 Nov 2004 12:33:36 +0000 (12:33 +0000)]
Clearer stats notification and some minor logic changes to increase speed
pnixon [Thu, 25 Nov 2004 01:21:43 +0000 (01:21 +0000)]
cleanups and random hacking.
pnixon [Wed, 24 Nov 2004 23:34:48 +0000 (23:34 +0000)]
Fairly major update to support Cisco Gatekeeper billing records
pnixon [Wed, 24 Nov 2004 14:38:40 +0000 (14:38 +0000)]
Minor logging change
aland [Tue, 23 Nov 2004 17:20:23 +0000 (17:20 +0000)]
In paircompare, don't get excited if the first attribute
doesn't exist. It may be a "virtual" attribute, and there may
be a comparison function registered for it.
aland [Tue, 23 Nov 2004 17:11:57 +0000 (17:11 +0000)]
Added support for Time-Of-Day, which takes HH:MM[:SS]
aland [Sun, 21 Nov 2004 14:32:14 +0000 (14:32 +0000)]
Make "use_tunneled_reply" work properly for PEAP, where the
Access-Accept from the home server results in the local server
sending more Access-Challenges. The VP's from the Access-Accept
have to be stored somewhere until the local server sends an
Access-Accept
aland [Sun, 21 Nov 2004 14:30:39 +0000 (14:30 +0000)]
Make "use_tunneled_reply" work for MS-CHAPv2
aland [Sun, 21 Nov 2004 14:30:01 +0000 (14:30 +0000)]
As found on the net, with edits to make it work with FreeRADIUS
aland [Sun, 21 Nov 2004 14:29:33 +0000 (14:29 +0000)]
Added xlat support for Packet-Authentication-Vector
aland [Sat, 20 Nov 2004 22:32:18 +0000 (22:32 +0000)]
Use /dev/urandom, if it exists.
After getting a random vector, stir the pool again.
phampson [Thu, 18 Nov 2004 01:36:16 +0000 (01:36 +0000)]
Add Suggests for php4-mysql | php4-pgsql to DialUpAdmin package
aland [Wed, 10 Nov 2004 17:46:53 +0000 (17:46 +0000)]
radeapclient is built using libtool, so it should be installed
with libtool.
Bug found by Christophe Boyanique.
aland [Wed, 10 Nov 2004 01:16:27 +0000 (01:16 +0000)]
Added future note
kkalev [Tue, 9 Nov 2004 17:55:23 +0000 (17:55 +0000)]
Instead of a 'SELECT *' for the nas table support which requires specific row
order, just use 'SELECT id,nasname,shortname,type,secret FROM %{nas-table}'
and get the rows we need.
pnixon [Mon, 8 Nov 2004 00:19:51 +0000 (00:19 +0000)]
Support (FreeRADIUS Style) Quintum VSAs
kkalev [Wed, 3 Nov 2004 19:22:50 +0000 (19:22 +0000)]
Add radiusReplyMessage as Reply-Message reply item. This closes BUG #152
kkalev [Sun, 31 Oct 2004 19:59:10 +0000 (19:59 +0000)]
Add NAS-IP-Address LDAP attribute. This closes BUG#143
aland [Sat, 30 Oct 2004 01:05:39 +0000 (01:05 +0000)]
s/T_INVALID/T_OP_INVALID/g
kkalev [Thu, 28 Oct 2004 11:12:10 +0000 (11:12 +0000)]
In lib/sql/group_info.php3 only unset variables if we need to. In lib/sql/defaults.php3 don't run for groups
only for users
kkalev [Wed, 27 Oct 2004 11:33:42 +0000 (11:33 +0000)]
In the show groups page, note that we only show groups with members
kkalev [Wed, 27 Oct 2004 11:22:41 +0000 (11:22 +0000)]
On group creation, if member list is empty report that, not that the group was created.
kkalev [Mon, 25 Oct 2004 13:55:04 +0000 (13:55 +0000)]
* Add lib/sql/group_change.php3 to add and delete a user from groups
* Add a new directive sql_show_all_groups. If set to true then in user edit page we show all available
groups with the ones the user is a member of highlighted. The administrator can then directly
change user group membership by changing membership in this group list.
kkalev [Fri, 22 Oct 2004 12:12:37 +0000 (12:12 +0000)]
In config.php3 remove whitespaces from $login. Don't remove '-'
pnixon [Thu, 21 Oct 2004 20:53:04 +0000 (20:53 +0000)]
Added selectable database support
aland [Thu, 21 Oct 2004 18:29:20 +0000 (18:29 +0000)]
Removed unnecessary if statement
pnixon [Thu, 21 Oct 2004 09:58:23 +0000 (09:58 +0000)]
spelling mistake
aland [Wed, 20 Oct 2004 21:24:34 +0000 (21:24 +0000)]
Don't mark a request finished until the post-proxy-fail stuff
has handled it.
aland [Wed, 20 Oct 2004 21:23:51 +0000 (21:23 +0000)]
include parsing for new proxy fail directive, which isn't used
anywhere yet
aland [Wed, 20 Oct 2004 21:23:15 +0000 (21:23 +0000)]
Include request_process into radiusd
aland [Wed, 20 Oct 2004 21:22:27 +0000 (21:22 +0000)]
Move yet more code around.
It turns out util.c is included in radrelay and radwho, so putting
server-specific stuff in there is dumb. We now have a new file,
request_process.c, which has rad_respond (freshly moved out of
radiusd.c to threads.c, to here), and some other functions here.
aland [Wed, 20 Oct 2004 19:58:54 +0000 (19:58 +0000)]
move rad_respond() to threads.c. It's not the perfect location,
but it's better than radiusd.c. This should help reduce the churn
in radiusd.c, and make it easier to implement a more state machine
approach to handling requests.
aland [Wed, 20 Oct 2004 18:20:45 +0000 (18:20 +0000)]
If we've rejected a request because it's taken too long to process,
then stop calling any modules to process the request. Instead,
bail out of all sections && module calls.
aland [Wed, 20 Oct 2004 18:09:41 +0000 (18:09 +0000)]
More debug messages in request_reject
Better messages on timeout, when a module is "locked", and doesn't
respond.
aland [Wed, 20 Oct 2004 17:44:46 +0000 (17:44 +0000)]
When we're rejecting a request, include the reason why.
This permits us to be able to do something different, based on
the source of the problem.
aland [Wed, 20 Oct 2004 17:12:58 +0000 (17:12 +0000)]
Updated debugging messages
aland [Fri, 15 Oct 2004 20:32:14 +0000 (20:32 +0000)]
Allow modules in "authorize", etc. to have subsections, too
kkalev [Fri, 15 Oct 2004 10:42:16 +0000 (10:42 +0000)]
Small type in login_time_create, close bug #141
aland [Tue, 12 Oct 2004 17:46:38 +0000 (17:46 +0000)]
s/T_INVALID/T_OP_INVALID/
This should make bug #91 easier to fix.
pnixon [Thu, 7 Oct 2004 18:26:37 +0000 (18:26 +0000)]
Support Quintum VSA's in the same manner as Cisco VSA's (They are compatible)
aland [Tue, 5 Oct 2004 14:40:54 +0000 (14:40 +0000)]
Removed extraneous bracket
aland [Tue, 5 Oct 2004 14:37:01 +0000 (14:37 +0000)]
Use mutexes only if we have pthread.h
Don't set "Auth-Type = LDAP" if the packet doesn't contain a
User-Password attribute. That screws up too many people.
aland [Tue, 5 Oct 2004 14:14:31 +0000 (14:14 +0000)]
Use new samba scheme, in addition to old one
aland [Mon, 4 Oct 2004 15:25:36 +0000 (15:25 +0000)]
Build pton/ntop if the functions exist, AND AF_INET6 exists
pnixon [Fri, 1 Oct 2004 13:10:34 +0000 (13:10 +0000)]
Update all mentions of h323confid to callid to match previous schema changes
aland [Wed, 29 Sep 2004 20:49:13 +0000 (20:49 +0000)]
If we're told to log passwords, and there's no User-Password,
print the Auth-Type in the log message, so as not to confuse
people who expect to see a password
aland [Wed, 29 Sep 2004 15:58:20 +0000 (15:58 +0000)]
May have failed to read a VP.
Bug & patch by Kevin Bonner
kkalev [Wed, 29 Sep 2004 08:20:02 +0000 (08:20 +0000)]
In sql_set_user in the radius_xlat don't call the escape function. The
resulting string will be escaped in the queries xlat so we don't need
to escape it twice (it will make things wrong if we have an escape candidate
character in the username).
Patch from Oliver Graf
aland [Mon, 27 Sep 2004 16:33:27 +0000 (16:33 +0000)]
Remember that we initialized the pool
aland [Fri, 24 Sep 2004 14:59:10 +0000 (14:59 +0000)]
Declaring zero-sized arrays is bad
kkalev [Fri, 24 Sep 2004 12:32:29 +0000 (12:32 +0000)]
Add a small documentation file about expiration
aland [Thu, 23 Sep 2004 17:44:40 +0000 (17:44 +0000)]
Added a few more "magic" server-side expansions:
%{<packet>:Packet-Src-IP-Address}, Dst-IP-address, Src-Port, Dst-Port
aland [Wed, 22 Sep 2004 20:23:35 +0000 (20:23 +0000)]
Include the new VALUEs
aland [Wed, 22 Sep 2004 20:18:56 +0000 (20:18 +0000)]
Moved label to a point where it made sense
aland [Wed, 22 Sep 2004 20:03:45 +0000 (20:03 +0000)]
Moved the X-Ascend attributes to the bottom of the file, and
added a number of VALUE's for them, based on the VSA VALUES.
Also included a script to re-generate the X-Ascend-Foo VALUEs,
so that they don't be edited by hand.
aland [Wed, 22 Sep 2004 19:38:25 +0000 (19:38 +0000)]
Removed duplicate VALUE names
aland [Wed, 22 Sep 2004 15:22:09 +0000 (15:22 +0000)]
Include code to make udpfromto work.
This closes bug #137
aland [Tue, 21 Sep 2004 14:30:24 +0000 (14:30 +0000)]
strlen doesn't return 'char', so don't put it into a 'char'
variable.
Bug found by Jouni Malinen
pnixon [Sun, 19 Sep 2004 23:07:32 +0000 (23:07 +0000)]
Bring the sample VIEWs and FUNCTIONs inline with the current table structure
aland [Fri, 17 Sep 2004 21:49:57 +0000 (21:49 +0000)]
Rearranged the code to do:
split into argv, expand argv
rather than
expand strings, split into argv
This removes an "argv insertion" vulnerability, where someone
could log in with a username like "foo bar", and get "foo" and "bar"
passed to the executed program as two separate argv's, rather
than one as "foo bar'.
Also, handling of double & single quotes has been added.
This should fix bug #89.
Also, don't call pipe() until after we've verified the arguments to
the function, etc. This means that we won't leak file descriptors.
3APA3A [Fri, 17 Sep 2004 08:20:45 +0000 (08:20 +0000)]
! fixed: MS-CHAP MPPE key is not generated if authenticated with ntlm_auth
kkalev [Thu, 16 Sep 2004 21:12:21 +0000 (21:12 +0000)]
Fix bug #136, bugs found by Pawel Foremski
aland [Thu, 16 Sep 2004 15:12:46 +0000 (15:12 +0000)]
Experimental file to replace rlm_radutmp.c, if it works.
It uses trees & multiple data structures to avoid reading radutmp,
if at all possible. This means that the server uses more memory,
but can run faster with large radutmps.
Tested in simple scenarios, but not in complicated ones.
kkalev [Mon, 13 Sep 2004 09:37:17 +0000 (09:37 +0000)]
Fix a small typo in the userinfo mysql schema. Found by Evert Meulie
mgriego [Fri, 10 Sep 2004 21:34:33 +0000 (21:34 +0000)]
Use T_INVALID since T_OP_INVALID isn't defined. Also, gettoken returns to
operator, not token.
aland [Fri, 10 Sep 2004 19:20:45 +0000 (19:20 +0000)]
Document optional operator.
aland [Fri, 10 Sep 2004 19:15:08 +0000 (19:15 +0000)]
Allow ldap.attrmap to have an extra field, which defines the
operator to use. If the ldap entry doesn't contain an operator,
then the default here will be used.
It's not perfect, but it allows ":=" and "+=" for attributes
with multiple values.
aland [Fri, 10 Sep 2004 19:02:32 +0000 (19:02 +0000)]
Deleted log in the comments, "cvs log" may be used instead.
Whitespace changes, to format the module more like the rest
of the server
aland [Fri, 10 Sep 2004 15:06:27 +0000 (15:06 +0000)]
One last fix for the fix.
kkalev [Fri, 10 Sep 2004 15:04:18 +0000 (15:04 +0000)]
Comment out the access_attr configuration directive by default. That will
make configuring AD server a bit easier.
aland [Fri, 10 Sep 2004 14:50:26 +0000 (14:50 +0000)]
Perform the duplicate check BEFORE adding the attribute to
the list of base attributes.
Updated the duplicate check, to allow duplicate names & numbers,
but different flags/types, while still disallowing duplicate names
with different numbers.
aland [Thu, 9 Sep 2004 14:25:58 +0000 (14:25 +0000)]
Define a macro for max regex matches, so we don't have typos.
Bug found by "Mitchell, Michael"
aland [Wed, 8 Sep 2004 21:36:28 +0000 (21:36 +0000)]
Removed DOS characters
aland [Tue, 7 Sep 2004 16:04:07 +0000 (16:04 +0000)]
Added rbtree_deletebydata()
Added context to user callback for rbtree_walk()
kkalev [Tue, 7 Sep 2004 11:42:21 +0000 (11:42 +0000)]
Fix a small bug in user_admin.php3 found by Joerg Staedele
phampson [Sat, 4 Sep 2004 07:07:46 +0000 (07:07 +0000)]
Silently drop packets with a bad Message-Authenticator, as per RFC3579
phampson [Sat, 4 Sep 2004 07:07:07 +0000 (07:07 +0000)]
Add a Message-Authenticator to the sample, so that a bad secret will cause
rejection, not acceptance.
aland [Fri, 3 Sep 2004 17:43:31 +0000 (17:43 +0000)]
Updates from Guy