aland [Fri, 23 Jan 2004 17:02:31 +0000 (17:02 +0000)]
Add scripts to automatically generate test certificates.
aland [Thu, 22 Jan 2004 19:43:29 +0000 (19:43 +0000)]
corrected typo
aland [Thu, 22 Jan 2004 18:23:19 +0000 (18:23 +0000)]
More attempts to get MySQL working
aland [Thu, 22 Jan 2004 16:47:50 +0000 (16:47 +0000)]
Added big warnings about old & untested features
aland [Thu, 22 Jan 2004 16:30:38 +0000 (16:30 +0000)]
Fix typos
aland [Thu, 22 Jan 2004 16:30:19 +0000 (16:30 +0000)]
Update sample password
aland [Thu, 22 Jan 2004 15:35:28 +0000 (15:35 +0000)]
Install radeapclient, too
aland [Wed, 21 Jan 2004 20:52:42 +0000 (20:52 +0000)]
${module.submodule.item} now works properly
aland [Wed, 21 Jan 2004 20:35:11 +0000 (20:35 +0000)]
Enhanced configuration file variable expansion, hopefully
without breaking anything.
OLD: ${foo} means "foo in current section, OR foo in main section"
e.g. ${logdir}
NEW: ${foo} means the same as before
${.foo} means "foo in current section ONLY", just in case
there are name conflicts.
${..foo} means "foo in the section enclosing this section"
${main.module.submodule.foo} should be obvious...
For now, we need "main" in there, but a commit in the next few
days should remove that restriction...
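The lookup rules described in this commit, worked through as a small resolver (an added example, not FreeRADIUS code): `${foo}` tries the current section then main, `${.foo}` the current section only, `${..foo}` the enclosing section, and `${main.a.b.foo}` an absolute path. The sample sections are constructed, and treating more than two leading dots as climbing one further level each is an assumption of this example.

```python
import re
REF = re.compile(r"\$\{([^}]*)\}")

def resolve_ref(ref, path):
    # path: section dicts from main down to current; returns (value, defining chain).
    current, main = path[-1], path[0]
    if ref.startswith("."):
        dots = len(ref) - len(ref.lstrip("."))
        if dots == 1:                              # ${.foo}: current section ONLY
            return current.get(ref[1:]), path
        up = len(path) - dots + 1                  # ${..foo}: enclosing section
        if up < 1:                                 # (assumption: each extra dot
            return None, None                      #  climbs one more level)
        return path[up - 1].get(ref[dots:]), path[:up]
    if ref.startswith("main."):                    # ${main.module.submodule.foo}
        chain, parts = [main], ref.split(".")[1:]
        for part in parts[:-1]:
            if not isinstance(chain[-1].get(part), dict):
                return None, None
            chain.append(chain[-1][part])
        return chain[-1].get(parts[-1]), chain
    if ref in current:                             # ${foo}: current section, ...
        return current[ref], path
    return main.get(ref), [main]                   # ... else the main section

def expand(text, path, depth=0):
    # A value expands in the section that defines it; depth bounds loops like ${.foo}.
    if depth > 16:
        raise ValueError("reference loop while expanding %r" % text)
    def sub(m):
        value, where = resolve_ref(m.group(1), path)
        if not isinstance(value, str):
            raise KeyError("unknown variable ${%s}" % m.group(1))
        return expand(value, where, depth + 1)
    return REF.sub(sub, text)

# Constructed sample standing in for a radiusd.conf with nested sections.
MAIN = {"prefix": "/usr/local", "logdir": "${prefix}/var/log/radius",
        "modules": {"logdir": "${..logdir}/modules",  # main's logdir, not ours
                    "sql": {"from_parent": "${..logdir}/sql.log",
                            "from_main": "${logdir}/sql.log",  # sql has none
                            "absolute": "${main.modules.logdir}/sql.log",
                            "own_only": "${.logdir}/sql.log",  # unresolvable
                            "loop": "${.loop}"}}}              # self-reference
SQL_PATH = [MAIN, MAIN["modules"], MAIN["modules"]["sql"]]

def expand_sql(key):
    # Expand one key of the sample sql section; None if it cannot be resolved.
    try:
        return expand(MAIN["modules"]["sql"][key], SQL_PATH)
    except (KeyError, ValueError):
        return None
```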
mcr [Wed, 21 Jan 2004 00:39:55 +0000 (00:39 +0000)]
fixed "ChalX" to "RandX".
added Autz-Type:=, which is really needed for basic testing.
aland [Tue, 20 Jan 2004 16:31:02 +0000 (16:31 +0000)]
Look for stripped user name, then user name, in group cmp.
aland [Mon, 19 Jan 2004 19:09:45 +0000 (19:09 +0000)]
Use a better name for the SQL stuff.
Bug noted by Keith Yoder
aland [Mon, 19 Jan 2004 19:08:21 +0000 (19:08 +0000)]
Don't return "OK" until the TLV success packet was sent back.
Bug & patch noted by Mike Saywell
phampson [Sun, 18 Jan 2004 07:57:11 +0000 (07:57 +0000)]
Imported changes from downstream Debian packaging.
kkalev [Fri, 16 Jan 2004 14:47:29 +0000 (14:47 +0000)]
* Add a message when adding a user in the badusers table
* Close sql connections in add_badusers.php3
kkalev [Fri, 16 Jan 2004 13:50:06 +0000 (13:50 +0000)]
* Add the ability to erase rows from the badusers table
* In log_badlogins for multiple logins if it is a mppp attempt, log it
kkalev [Fri, 16 Jan 2004 13:20:20 +0000 (13:20 +0000)]
res should be int not unsigned
aland [Wed, 14 Jan 2004 16:32:28 +0000 (16:32 +0000)]
Updated text about how to use authentication
aland [Tue, 13 Jan 2004 20:03:18 +0000 (20:03 +0000)]
Look for mysql_config, and believe it, if it exists.
We *could* use mysql_config to set cflags & libs in this script,
and double-check that they work, but when I tried that, it always
failed, even though trying the same tests by hand worked. <sigh>
aland [Tue, 13 Jan 2004 17:05:36 +0000 (17:05 +0000)]
Move the "waitpid" code to after the check for error in select,
which means that we don't clobber errno.
Bug found by Robby Griffin
aland [Tue, 13 Jan 2004 16:07:01 +0000 (16:07 +0000)]
Stupid RedHat stuff. Their OpenSSL uses kerberos by default,
so packages which *don't* want to use Kerberos have to set
RedHat-specific magic, so that OpenSSL will work.
aland [Mon, 12 Jan 2004 21:07:26 +0000 (21:07 +0000)]
Make !* work.
patch from oe Maimon
aland [Mon, 12 Jan 2004 20:24:43 +0000 (20:24 +0000)]
Correct type of PID used in signal handler.
Patch from Andrew Belashov
aland [Mon, 12 Jan 2004 20:21:11 +0000 (20:21 +0000)]
Print timestamp as an unsigned long, which works a little better
on 64-bit systems.
Patch from Andrew Belashov
aland [Mon, 12 Jan 2004 20:18:33 +0000 (20:18 +0000)]
When printing 'size_t' numbers, we *really* should be using %zu.
The 'z' says "the following thing is a size_t"
The 'u' says "unsigned", as ssize_t exists
The problem is that we don't know how prevalent 'z' is. It's
in Linux, NetBSD, FreeBSD, and Solaris, so using it *should* be OK.
In the short term, it's easier to cast the functions returning
size_t to (int), SOLELY for purposes of printing. If the value
doesn't fit into an int, then only the debugging messages will
be wrong, as this change doesn't affect the code logic at all.
Patch from Andrew Belashov, tested on 64-bit sparc systems
aland [Mon, 12 Jan 2004 18:27:08 +0000 (18:27 +0000)]
Minor additional documentation
aland [Mon, 12 Jan 2004 18:23:57 +0000 (18:23 +0000)]
Cleaned up request handling logic. I'm not sure what I was
thinking before, but this makes sense.
aland [Mon, 12 Jan 2004 18:21:33 +0000 (18:21 +0000)]
Added a large amount of text, which walks through the configurable
fail-over in steps. I finally understand what it does...
aland [Mon, 12 Jan 2004 18:20:43 +0000 (18:20 +0000)]
Allow "redundant", "group", and "append" as section names,
even if they're not modules.
They're used by the configurable fail-over code (which has
apparently been broken in the CVS head for a while, due to the
lack of this patch)
aland [Mon, 12 Jan 2004 18:19:06 +0000 (18:19 +0000)]
Reserve priority zero for future use
aland [Mon, 12 Jan 2004 18:18:23 +0000 (18:18 +0000)]
Minor formatting to be pretty
aland [Mon, 12 Jan 2004 18:18:00 +0000 (18:18 +0000)]
Pass *all* VP's to the exec'd program, instead of leaving the
last one
aland [Mon, 12 Jan 2004 18:17:27 +0000 (18:17 +0000)]
FCNTL locks work across processes. For threads, we need an
additional mutex
aland [Mon, 12 Jan 2004 18:15:59 +0000 (18:15 +0000)]
Added comments about LD_LIBRARY_PATH, and pre-loading libraries,
so that local craziness with OpenSSL and MySQL may be worked around
aland [Mon, 12 Jan 2004 18:12:49 +0000 (18:12 +0000)]
Make unlimited login-time work.
patch from Dmitry Lebkov
aland [Mon, 12 Jan 2004 18:09:13 +0000 (18:09 +0000)]
From Dustin Doris
aland [Sat, 10 Jan 2004 15:50:40 +0000 (15:50 +0000)]
For Mikrotik routers
aland [Fri, 9 Jan 2004 21:05:24 +0000 (21:05 +0000)]
Added dictionary for 3gpp2
aland [Thu, 8 Jan 2004 17:03:54 +0000 (17:03 +0000)]
If there are no OpenSSL libraries, don't include them.
aland [Wed, 7 Jan 2004 20:38:51 +0000 (20:38 +0000)]
Look for openssl/rand.h, too.
aland [Wed, 7 Jan 2004 20:38:16 +0000 (20:38 +0000)]
Hoist OpenSSL checks from a number of different places into
the top-level configuration file. This now exports OPENSSL_INCLUDES
and OPENSSL_LIBS *only* if it decides that it likes what it finds.
This also adds Michael Griego's patch to check for OpenSSL version
greater than or equal to 0.9.7.
The various EAP types now have stupidly simple configuration scripts,
which just look for OPENSSL_INCLUDES and OPENSSL_LIBS, rather than
re-doing all of the header/lib checking themselves.
We've got to apply the same patch to LDAP & X99_Token, but they
still work...
aland [Wed, 7 Jan 2004 18:13:53 +0000 (18:13 +0000)]
A little cleaner check for identity & username.
Patch from Michael Griego.
Hmm... the new code looks fairly duplicate. We could factor
it into a function for less code...
aland [Wed, 7 Jan 2004 17:55:12 +0000 (17:55 +0000)]
Updated the debugging message to make a little more sense.
aland [Wed, 7 Jan 2004 17:07:41 +0000 (17:07 +0000)]
Add script which sets LD_LIBRARY_PATH, etc, so that OpenSSL
weirdness can be taken care of.
It should also work for MySQL...
aland [Wed, 7 Jan 2004 15:55:26 +0000 (15:55 +0000)]
When finding MS-CHAP attributes, do "Auth-Type = MSCHAP", rather
than ":=". This means it won't over-ride any previous setting
of auth-type "accept" or "reject"
aland [Mon, 5 Jan 2004 17:06:35 +0000 (17:06 +0000)]
Clean up the examples
aland [Mon, 5 Jan 2004 17:06:16 +0000 (17:06 +0000)]
More description of the dictionaries & how they work.
aland [Mon, 5 Jan 2004 17:05:46 +0000 (17:05 +0000)]
Minor updates to the text.
Don't talk about disabling it. We don't want the users to do that.
aland [Mon, 5 Jan 2004 17:05:09 +0000 (17:05 +0000)]
When we have a stop record, don't compare it to unused entries.
This means that if we get two duplicate stops, the second one will
cause the server to complain. Previously, the server *may* have
complained, but not necessarily...
aland [Mon, 5 Jan 2004 17:03:54 +0000 (17:03 +0000)]
Use NAS-Port, not NAS-Port-Id in acct_unique.
The module should really be fixed to use xlat's...
aland [Mon, 5 Jan 2004 17:03:18 +0000 (17:03 +0000)]
Removed text saying there is a restriction on the number of
load-balancing realms
aland [Mon, 5 Jan 2004 17:02:31 +0000 (17:02 +0000)]
Removed restriction that there be no more than 32 load-balancing
realms, by implementing a new algorithm, which walks the list once,
and picks 1 of N. (See the Camel Book)
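The single-pass "pick 1 of N" selection this commit refers to, as an added illustration (not the server's own code): the i-th candidate replaces the current choice with probability 1/i, which leaves every candidate with probability 1/N and needs no fixed-size table, so the old limit of 32 realms disappears. The realm names and the uniformity check are constructed for this example.

```python
import random

def pick_one_of_n(realms, rng=random):
    """Walk realms once and return one chosen uniformly at random.
    Candidate i survives with probability (1/i) * prod(1 - 1/j, j > i) = 1/N."""
    chosen = None
    for i, realm in enumerate(realms, start=1):
        if rng.randrange(i) == 0:        # keep the i-th candidate with prob 1/i
            chosen = realm
    return chosen                        # None only if the list was empty

def selection_counts(realms, trials, seed=1):
    """Constructed uniformity check: how often each realm is picked over trials
    draws from a seeded generator, so the result is reproducible."""
    rng = random.Random(seed)
    counts = {realm: 0 for realm in realms}
    for _ in range(trials):
        counts[pick_one_of_n(realms, rng)] += 1
    return counts

# Constructed sample: more realms than the old limit of 32 allowed.
REALMS = ["home%d.example" % i for i in range(40)]
```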
aland [Mon, 5 Jan 2004 17:01:19 +0000 (17:01 +0000)]
Updated "readvp2" (only used by radclient) to be a little more
tolerant of its input, and to NOT leak memory if there was an
error reading the VP's
aland [Mon, 5 Jan 2004 16:59:52 +0000 (16:59 +0000)]
Add UDPFROMTO stuff.
Print source port when signature is invalid
aland [Mon, 5 Jan 2004 16:58:32 +0000 (16:58 +0000)]
Now that we handle things a little better, don't do such strict
checking for # of entries returned
aland [Mon, 5 Jan 2004 16:57:50 +0000 (16:57 +0000)]
Include PEAP & MSCHAPv2 EAP sub-types, too.
aland [Mon, 5 Jan 2004 16:57:00 +0000 (16:57 +0000)]
Updates from RFC 2822 and RFC 3576
cparker [Fri, 2 Jan 2004 23:45:18 +0000 (23:45 +0000)]
Added 'accounting' and 'pre-proxy' method calls.
aland [Fri, 2 Jan 2004 19:28:16 +0000 (19:28 +0000)]
Build it only if WITH_UDPFROMTO is defined
mcr [Mon, 29 Dec 2003 01:21:08 +0000 (01:21 +0000)]
added test-SIM case.
mcr [Mon, 29 Dec 2003 01:13:43 +0000 (01:13 +0000)]
if the un-marshalling fails, then fail the packet.
aland [Tue, 23 Dec 2003 20:16:14 +0000 (20:16 +0000)]
As posted to the list by Keith Yoder
kkalev [Mon, 22 Dec 2003 15:18:51 +0000 (15:18 +0000)]
Small fix in user_finger.php3
kkalev [Mon, 22 Dec 2003 12:32:12 +0000 (12:32 +0000)]
Misplaced arguments in strncpy
aland [Fri, 19 Dec 2003 20:19:23 +0000 (20:19 +0000)]
Patch from Tiago Pierezan Camargo
Be a little more forgiving about string attributes in Cisco
AV-Pair's.
aland [Fri, 19 Dec 2003 19:53:03 +0000 (19:53 +0000)]
Potential patch
aland [Fri, 19 Dec 2003 19:49:44 +0000 (19:49 +0000)]
Allow integer timestamps, too.
Patch from James Nedila
aland [Fri, 19 Dec 2003 19:46:47 +0000 (19:46 +0000)]
Removed last vestiges of NAS-Port-Id meaning the integer attribute
aland [Fri, 19 Dec 2003 19:25:32 +0000 (19:25 +0000)]
Patch to change ctime_r to CTIME_R, which is now a macro, which
works properly on different platforms. (Hello, Solaris... who
needs to follow Posix?)
Patch from Oliver Graf
aland [Fri, 19 Dec 2003 19:03:56 +0000 (19:03 +0000)]
Minor cleanups
aland [Thu, 18 Dec 2003 16:04:54 +0000 (16:04 +0000)]
Added SQL to a number of sections, commented-out
mcr [Tue, 16 Dec 2003 03:50:34 +0000 (03:50 +0000)]
small amount of documentation on using EAP-SIM authentication.
mcr [Tue, 16 Dec 2003 02:33:05 +0000 (02:33 +0000)]
what to put into /etc/raddb/users for eapsim-XX tests.
mcr [Tue, 16 Dec 2003 02:32:42 +0000 (02:32 +0000)]
test cases for EAP-SIM.
aland [Mon, 15 Dec 2003 20:27:35 +0000 (20:27 +0000)]
Set src IP & port for reply, based on the dst IP & port
that the request came from.
aland [Mon, 15 Dec 2003 20:23:57 +0000 (20:23 +0000)]
Include udpfromto.c
aland [Mon, 15 Dec 2003 20:22:08 +0000 (20:22 +0000)]
Part 2.
Include header & C implementation, from Jan Berkel and
Miquel van Smoorenburg
aland [Mon, 15 Dec 2003 20:18:20 +0000 (20:18 +0000)]
Part 1 of patch from Jan Berkel, based on Miquel's patch.
./configure --with-udpfromto=yes
now sets options saying to use 'recvmsg' and 'sendmsg' for sending
RADIUS packets, which allows the destination address to be
discovered during receive, and to be set during send.
This should solve a number of the IP Alias problems that people
have had.
kkalev [Mon, 15 Dec 2003 16:55:28 +0000 (16:55 +0000)]
* Huge PostgreSQL compatibility patch by Guy Fraser <guy@incentre.net>
* Also support the Crypt-Password attribute in lib/sql/password_check.php3. Patch by Guy Fraser <guy@incentre.net>
kkalev [Sun, 14 Dec 2003 00:18:48 +0000 (00:18 +0000)]
A minor patch to return if pairmake() fails by James Nedila
aland [Fri, 12 Dec 2003 21:49:52 +0000 (21:49 +0000)]
Don't bother waiting for child threads if there are none.
aland [Fri, 12 Dec 2003 14:44:37 +0000 (14:44 +0000)]
Corrected typo.
Note by Robert Fitzsimons
aland [Thu, 11 Dec 2003 22:36:10 +0000 (22:36 +0000)]
Moved request list walking functions from radiusd to request_list
radiusd.c was way too big. It's more manageable now.
aland [Wed, 10 Dec 2003 20:54:11 +0000 (20:54 +0000)]
A slightly better way of incrementing SNMP counters, which doesn't
clutter the code so much.
aland [Wed, 10 Dec 2003 20:41:42 +0000 (20:41 +0000)]
Keep more SNMP statistics about packets dropped, sent, etc.
aland [Wed, 10 Dec 2003 20:03:22 +0000 (20:03 +0000)]
Minor re-arrangement
aland [Wed, 10 Dec 2003 19:49:15 +0000 (19:49 +0000)]
When checking new request or proxy reply, don't bother checking
request->child_pid, as it may not be set. However, request->finished
will always be 0 if the request is "active", so we rely on that,
instead.
In proxy_ok() look for request->proxy_reply, to catch duplicate
replies from the home server. It's odd that we didn't do that before.
In the thread code, now check if child_pid is non-empty. If so,
busy-wait for 100 milliseconds, to wait for the other thread to
finish. If so, continue. If not, kill the entire server, as
it's too busy to process requests.
pnixon [Wed, 10 Dec 2003 15:20:39 +0000 (15:20 +0000)]
postauth functionality thanks to Guy Fraser <guy@incentre.net> with modifications by me.
kkalev [Tue, 9 Dec 2003 14:21:18 +0000 (14:21 +0000)]
Use the User-Password attribute instead of Password in user_test.php3
wichert [Tue, 9 Dec 2003 12:35:43 +0000 (12:35 +0000)]
Bugger, date_sub has a slightly different syntax than standard SQL, update call to match
wichert [Tue, 9 Dec 2003 12:30:38 +0000 (12:30 +0000)]
Add copyright to date_sub function
wichert [Tue, 9 Dec 2003 12:29:01 +0000 (12:29 +0000)]
Create DATE_SUB function which is used by the default alt_accounting_stop query
wichert [Tue, 9 Dec 2003 12:27:48 +0000 (12:27 +0000)]
Do not set RadAcctId to empty string, this is not allowed and postgres will pick a number anyway since we use a serial type. Also fix the alt accounting stop query so it is valid SQL instead of a syntax error
kkalev [Mon, 8 Dec 2003 16:35:35 +0000 (16:35 +0000)]
Only call pairfree if we are using pairxlatmove not for pairadd
kkalev [Sun, 7 Dec 2003 16:19:04 +0000 (16:19 +0000)]
Also be able to search in the proxy and proxy_reply structures in rlm_attr_rewrite
aland [Sun, 7 Dec 2003 00:25:42 +0000 (00:25 +0000)]
eap.h
    support for tunneled callbacks
rlm_eap.c
    update request->proxy in authenticate
    call tunneled callbacks in postproxy
types/rlm_eap_ttls/eap_ttls.h
types/rlm_eap_tls/eap_tls.h
    move prototype for eapttls_process
types/rlm_eap_peap/eap_peap.h
    include rlm_eap.h
types/rlm_eap_peap/rlm_eap_peap.c
types/rlm_eap_ttls/rlm_eap_ttls.c
    handle "updated" return code from tunnel handler
types/rlm_eap_peap/peap.c
types/rlm_eap_ttls/ttls.c
    hoist reply processing into its own routine.
    handle proxy replies
aland [Sun, 7 Dec 2003 00:22:07 +0000 (00:22 +0000)]
Cosmetic changes in debugging messages
aland [Sun, 7 Dec 2003 00:16:13 +0000 (00:16 +0000)]
De-coupled the input requests from the thread management.
We now have a queue of input requests, which the new requests
get dropped into. Asynchronously from that, the threads wait
on a thread-global semaphore, and then pick up requests from
the queue.
The queue is protected by a mutex, both for adding & deleting
requests.
The threads in the pool no longer have per-thread semaphores.
Semaphores are required here because the main handler thread
has to be able to signal the semaphore, and have that signal
remembered, even if there are no threads currently waiting on
the semaphore. Further, the main handler has to be able to
signal the semaphore multiple times, when there are multiple
requests waiting, and all of the threads are busy.
If a thread wakes up and there is no request for it to process,
it simply goes back to waiting on the semaphore. This makes
the process a little more fail-safe, in that we can ensure that
requests are never left forever in the queue, by signalling the
semaphores more than required.
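The queue design described in this commit, as an added Python illustration (not the server's C thread pool): one mutex guards the queue for adding and deleting, one counting semaphore wakes workers and remembers signals given while nobody is waiting, and a worker that wakes to an empty queue simply waits again, so deliberate over-signalling is harmless. The requests, the stop sentinel and the upper-casing "handler" are constructed for the demo.

```python
import threading
from collections import deque
_STOP = object()   # sentinel telling a worker to exit (constructed for the demo)

class RequestQueue:
    # Queue of input requests shared by the pool: a mutex protects the deque
    # for add and delete; one counting semaphore wakes workers. A semaphore is
    # needed so a signal is remembered when no thread waits and can be repeated.
    def __init__(self):
        self._queue = deque()
        self._lock = threading.Lock()
        self._sem = threading.Semaphore(0)
    def push(self, request):
        with self._lock:
            self._queue.append(request)
        self._sem.release()
    def signal(self):
        # Extra signal: a worker waking to an empty queue just waits again.
        self._sem.release()
    def pop(self):
        self._sem.acquire()              # block until signalled
        with self._lock:
            return self._queue.popleft() if self._queue else None

def run_pool(requests, n_threads=4):
    # Push constructed requests through n_threads workers; upper-casing stands
    # in for real request processing. Returns the sorted replies.
    rq, replies, lock = RequestQueue(), [], threading.Lock()

    def worker():
        while True:
            req = rq.pop()
            if req is _STOP:
                return
            if req is None:              # woke with nothing to do: wait again
                continue
            with lock:
                replies.append(req.upper())

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for r in requests:
        rq.push(r)
    rq.signal()                          # one deliberate extra signal
    for _ in threads:
        rq.push(_STOP)                   # FIFO: real requests drain first
    for t in threads:
        t.join()
    return sorted(replies)
```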
aland [Fri, 5 Dec 2003 20:49:03 +0000 (20:49 +0000)]
Re-arranged the rad_check_list & proxy_check_list code to make
a little more sense. The main request handling loop which does
select() is now a little smaller.
We now have a packet_ok() function, to see if the incoming packet
is acceptable.
We now have a request_ok() function, which sees if the request
(as a whole) is acceptable.
The old code mixed up a lot of the packet/request checking into
multiple functions which each did packet/request checking. The
new code is a little more straightforward.
The idea is to fix the race condition in the proxy code (bug #7),
and to apply the pending multi-cpu patches, by adding a queue of
requests we're sitting on, but which haven't yet been given to a
thread.
The new code makes it a little clearer as to what changes have
to be made, and where, in order to add those features.
aland [Fri, 5 Dec 2003 18:45:48 +0000 (18:45 +0000)]
container is a ptr, not a ptr to a ptr
Update casts to be prettier