Nikolai Kondrashov [Mon, 25 Apr 2016 15:58:53 +0000 (18:58 +0300)]
Dlopen the actual linked libpython
In rlm_python, if dl_iterate_phdr(3) is available, dlopen libpython
shared library at the actual path it was linked with on loading, instead
of with just its linker name (version-less SONAME).
This removes the need to have the linker name symlink (e.g.
"libpython2.7.so") in library directory, which is normally installed
only with the development packages. I.e. this removes the requirement of
having python-devel/libpython-dev installed, when loading rlm_python.
Alan T. DeKok [Wed, 15 Feb 2017 18:21:03 +0000 (13:21 -0500)]
Added systemd reload. Fixes #1662
v3.0.x has limited support for reload. While it is limited, it
is possible. So supporting it is useful.
Alan T. DeKok [Wed, 15 Feb 2017 15:57:33 +0000 (10:57 -0500)]
make the install process a little clearer
Alan T. DeKok [Wed, 15 Feb 2017 15:52:40 +0000 (10:52 -0500)]
pull openssl out as a macro
Alan T. DeKok [Wed, 15 Feb 2017 15:41:08 +0000 (10:41 -0500)]
remove extra assert. Addresses #1904
Alan DeKok [Tue, 14 Feb 2017 13:26:51 +0000 (08:26 -0500)]
Merge pull request #1859 from njm506/v3.0.x
v3.0.x: cherry-pick module/site symlink packaging changes from 4.0.x
Alan T. DeKok [Mon, 13 Feb 2017 20:53:35 +0000 (15:53 -0500)]
realms don't go into "server" sections
Alexander Clouter [Mon, 13 Feb 2017 17:10:16 +0000 (17:10 +0000)]
fix radrelay
Alan DeKok [Sun, 12 Feb 2017 14:17:48 +0000 (09:17 -0500)]
Merge pull request #1907 from virgofx/v3.0.x
Nomadix attribute fix for v3.0.x
Mark Johnson [Thu, 9 Feb 2017 20:15:37 +0000 (12:15 -0800)]
Updating Nomadix dictionary with missing attributes.
Alan DeKok [Wed, 8 Feb 2017 14:53:33 +0000 (09:53 -0500)]
Merge pull request #1902 from herwinw/v30x-debian-stretch
Added default-libmysqlclient-dev as build-depend in Debian
Alan T. DeKok [Wed, 8 Feb 2017 14:52:11 +0000 (09:52 -0500)]
add example for filtering Access-Challenge messages
Herwin Weststrate [Wed, 8 Feb 2017 07:30:22 +0000 (08:30 +0100)]
Added default-libmysqlclient-dev as build-depend in Debian
As an alternative for libmysqlclient-dev. This is required to build the
package under Debian Stretch.
Alan T. DeKok [Tue, 7 Feb 2017 20:04:38 +0000 (15:04 -0500)]
typo
Alan T. DeKok [Tue, 7 Feb 2017 19:32:00 +0000 (14:32 -0500)]
reject packets which contain multiple kinds of authentication protocols
Specifically, EAP and non-EAP packets.
In reality, no one should be caught by this.
Alan T. DeKok [Tue, 7 Feb 2017 15:43:06 +0000 (10:43 -0500)]
check handler before freeing it
Alan T. DeKok [Sun, 5 Feb 2017 14:38:34 +0000 (09:38 -0500)]
update hash based on client port, too
Alan T. DeKok [Sat, 4 Feb 2017 03:03:01 +0000 (22:03 -0500)]
note recent changes
Alan T. DeKok [Fri, 3 Feb 2017 22:29:18 +0000 (17:29 -0500)]
track TLS cache filename
And ensure it's deleted on failure.
Alan T. DeKok [Fri, 3 Feb 2017 22:17:24 +0000 (17:17 -0500)]
read the TLS data first, before the VPs
Matthew Newton [Thu, 2 Feb 2017 21:59:24 +0000 (21:59 +0000)]
Merge pull request #1896 from mcnewton/v3.0.x
systemd syslog.target is obsolete
Matthew Newton [Thu, 2 Feb 2017 21:10:43 +0000 (21:10 +0000)]
systemd syslog.target is obsolete
Arran Cudbard-Bell [Thu, 2 Feb 2017 10:19:34 +0000 (10:19 +0000)]
Update copyright year
Arran Cudbard-Bell [Thu, 2 Feb 2017 10:17:29 +0000 (10:17 +0000)]
Revert "Create the database by default..."
This reverts commit 70a41b507f36d1687dbf4b1457d62973b9a84ad0.
Arran Cudbard-Bell [Thu, 2 Feb 2017 10:13:22 +0000 (10:13 +0000)]
Merge pull request #1894 from herwinw/v30x_rlm_sql_mysql_whitespace
Removed combination of space+tab in rlm_sql_mysql.c
Herwin Weststrate [Thu, 2 Feb 2017 07:28:21 +0000 (08:28 +0100)]
Removed combination of space+tab in rlm_sql_mysql.c
Replaced it with just a tab
Arran Cudbard-Bell [Wed, 1 Feb 2017 20:51:06 +0000 (20:51 +0000)]
Use the actual field lengths when creating the result array
Arran Cudbard-Bell [Wed, 1 Feb 2017 20:50:14 +0000 (20:50 +0000)]
Trim whitespace before searching for operation type
Arran Cudbard-Bell [Wed, 1 Feb 2017 20:44:00 +0000 (20:44 +0000)]
Create the database by default...
Alan DeKok [Wed, 1 Feb 2017 19:29:19 +0000 (14:29 -0500)]
Merge pull request #1893 from spaetow/patch-2
Update abfab_tr policy
Matthew Newton [Wed, 1 Feb 2017 15:56:00 +0000 (15:56 +0000)]
Merge pull request #1892 from mcnewton/v3.0.x
update kibana dashboard so it doesn't have to be imported twice
Stefan Paetow [Wed, 1 Feb 2017 14:22:06 +0000 (14:22 +0000)]
Update abfab-tr
Only set the service name when it doesn't exist (=), not overwrite it (:=)
Matthew Newton [Wed, 1 Feb 2017 13:54:55 +0000 (13:54 +0000)]
update kibana dashboard so it doesn't have to be imported twice
define the search before the visualisations
Alan T. DeKok [Wed, 1 Feb 2017 00:52:00 +0000 (19:52 -0500)]
fix typo. Fixes #1891
Alan T. DeKok [Wed, 1 Feb 2017 00:51:54 +0000 (19:51 -0500)]
more warnings
Stefan Paetow [Tue, 31 Jan 2017 17:22:30 +0000 (17:22 +0000)]
Update abfab-tr
Since there seem to be problems with the GSS-Acceptor-Host-Name occasionally, set it if it hasn't been set yet (and it's defined in the client definition). Also add the GSS-Acceptor-Service-Name if it hasn't been set, or override the one set.
Alan T. DeKok [Thu, 26 Jan 2017 20:34:44 +0000 (15:34 -0500)]
more debugging about the data we're reading
Alan T. DeKok [Thu, 26 Jan 2017 20:34:30 +0000 (15:34 -0500)]
don't write empty packets to the detail file
Alan T. DeKok [Wed, 25 Jan 2017 21:38:54 +0000 (16:38 -0500)]
debug for non-threaded too
Alan T. DeKok [Wed, 25 Jan 2017 21:14:36 +0000 (16:14 -0500)]
note recent changes
Alan T. DeKok [Wed, 25 Jan 2017 21:11:54 +0000 (16:11 -0500)]
print out packet type, contents, and reply for detail packets
Alan T. DeKok [Wed, 25 Jan 2017 21:11:37 +0000 (16:11 -0500)]
don't print out IP addresses for detail packets
Alan T. DeKok [Mon, 23 Jan 2017 18:54:10 +0000 (13:54 -0500)]
note recent changes
Matthew Newton [Fri, 20 Jan 2017 16:26:15 +0000 (16:26 +0000)]
remove Kibana 3 dashboard, as it is now obsolete :(
Matthew Newton [Fri, 20 Jan 2017 16:25:48 +0000 (16:25 +0000)]
update elasticsearch/logstash examples so that they work with elastic stack v5
Alan T. DeKok [Wed, 18 Jan 2017 17:38:32 +0000 (12:38 -0500)]
note recent changes
Alan T. DeKok [Wed, 18 Jan 2017 17:37:46 +0000 (12:37 -0500)]
typo. Fixes #1882
Alan T. DeKok [Mon, 16 Jan 2017 15:25:49 +0000 (10:25 -0500)]
Add rule to catch BSDMake
Alan T. DeKok [Mon, 16 Jan 2017 14:20:37 +0000 (09:20 -0500)]
delete incorrect documentation
Arran Cudbard-Bell [Fri, 13 Jan 2017 16:59:01 +0000 (16:59 +0000)]
Don't emit errors if no result is available
Alan T. DeKok [Fri, 13 Jan 2017 15:46:22 +0000 (10:46 -0500)]
Revert ""no more rows" isn't an ERROR"
This reverts commit 9cd2d57c6f3594ae8c4d74f34fdc7770361d3bdb.
Better fix is coming
Alan T. DeKok [Fri, 13 Jan 2017 15:42:27 +0000 (10:42 -0500)]
"no more rows" isn't an ERROR
Arran Cudbard-Bell [Thu, 12 Jan 2017 19:07:02 +0000 (19:07 +0000)]
Typo
Arran Cudbard-Bell [Thu, 12 Jan 2017 18:13:06 +0000 (18:13 +0000)]
Use a proper rcode for no more rows
Arran Cudbard-Bell [Thu, 12 Jan 2017 16:54:50 +0000 (16:54 +0000)]
Merge pull request #1881 from mcnewton/v3.0.x
rlm_eap: RERROR type debugs so Module-Failure-Message gets set
Matthew Newton [Tue, 10 Jan 2017 11:44:55 +0000 (11:44 +0000)]
rlm_eap: RERROR type debugs so Module-Failure-Message gets set
Arran Cudbard-Bell [Thu, 12 Jan 2017 15:39:35 +0000 (15:39 +0000)]
Fix backport issue
Alan T. DeKok [Thu, 12 Jan 2017 15:15:19 +0000 (10:15 -0500)]
note recent changes
Arran Cudbard-Bell [Thu, 12 Jan 2017 15:10:22 +0000 (15:10 +0000)]
Call finish_select_query if we experience an error retrieving the result
# Conflicts:
# src/modules/rlm_sql/rlm_sql.c
Matthew Newton [Thu, 12 Jan 2017 12:52:33 +0000 (12:52 +0000)]
rlm_eap_pwd: initialise HMAC context
Closes #1876
Alan DeKok [Tue, 10 Jan 2017 19:02:27 +0000 (14:02 -0500)]
Merge pull request #1875 from spaetow/patch-2
Update realm module
Stefan Paetow [Tue, 10 Jan 2017 16:17:15 +0000 (16:17 +0000)]
Update realm
Add the tr_port keyword to specify the port for trust router connection
Alan T. DeKok [Mon, 9 Jan 2017 13:55:09 +0000 (08:55 -0500)]
typo
Alan T. DeKok [Wed, 4 Jan 2017 22:06:28 +0000 (17:06 -0500)]
hoist check to outside of switch statement
Alan T. DeKok [Mon, 2 Jan 2017 15:16:10 +0000 (10:16 -0500)]
note recent changes
Alan T. DeKok [Mon, 2 Jan 2017 15:15:21 +0000 (10:15 -0500)]
fix filtering operators
Alan T. DeKok [Mon, 2 Jan 2017 15:12:48 +0000 (10:12 -0500)]
update date
Alan T. DeKok [Mon, 2 Jan 2017 15:12:21 +0000 (10:12 -0500)]
document filtering operators < and >
Alan T. DeKok [Mon, 2 Jan 2017 14:56:43 +0000 (09:56 -0500)]
more descriptive
Alan T. DeKok [Mon, 2 Jan 2017 14:11:16 +0000 (09:11 -0500)]
document != as a filtering operator
Alan T. DeKok [Mon, 2 Jan 2017 14:04:20 +0000 (09:04 -0500)]
fix documentation
Alan T. DeKok [Tue, 20 Dec 2016 16:56:54 +0000 (11:56 -0500)]
note recent changes
Alan T. DeKok [Tue, 20 Dec 2016 16:54:51 +0000 (11:54 -0500)]
add recv_coa
which is a copy of authorize
Matthew Newton [Tue, 20 Dec 2016 13:08:31 +0000 (13:08 +0000)]
Merge pull request #1835 from qnet-herwin/retry_winbind_auth_with_normalized_username
Allow authentication retry in winbind
Herwin Weststrate [Wed, 9 Nov 2016 09:29:08 +0000 (10:29 +0100)]
Allow authentication retry in winbind
A setup with the following properties:
* Active Directory backend
* FreeRadius with eap-inner-proxy
* Windows client with single sign-on
* User using different casing in username than in backend
may result in failing connections. It looks like Windows reads the
correct username from the domain server once it has logged in, and uses
that to create the MS-CHAP2-Response attribute. The User-Name attribute
is still the one with the incorrect casing, causing the authentication
to fail.
The introduced config option kicks in after a failed authentication: it
reads the correct username from the backend, tries another
authentication, and uses the found User-Name to calculate
MS-CHAP2-Response if the second authentication works.
Alan DeKok [Wed, 7 Dec 2016 16:37:15 +0000 (11:37 -0500)]
Merge pull request #1850 from spbnick/v3.0.x_openssl_1.1_fix
OpenSSL v1.1 fixes for v3.0.x
Alan T. DeKok [Wed, 7 Dec 2016 14:57:06 +0000 (09:57 -0500)]
note recent changes
Alan T. DeKok [Wed, 7 Dec 2016 14:56:01 +0000 (09:56 -0500)]
continue to "next" in xlat alternate. Fixes #1866
Nikolai Kondrashov [Wed, 23 Nov 2016 08:27:45 +0000 (10:27 +0200)]
Do not assign OpenSSL callbacks if not needed
Check if CRYPTO_set_id_callback and CRYPTO_set_locking_callback are
defined as functions (as opposed to stub macros), and if they aren't,
don't call them and don't define the corresponding callbacks.
This avoids the "unused function" warnings with OpenSSL v1.1.
Nikolai Kondrashov [Wed, 23 Nov 2016 07:40:24 +0000 (09:40 +0200)]
Handle deprecated OpenSSL thread cleanup functions
Use appropriate OpenSSL thread cleanup function or don't use any,
depending on their deprecation status in various OpenSSL versions.
Nikolai Kondrashov [Fri, 18 Nov 2016 18:09:15 +0000 (20:09 +0200)]
Accommodate consts added in OpenSSL 1.1
Update some declarations to use const to match respective changes in
OpenSSL 1.1 and not produce build warnings.
Nikolai Kondrashov [Fri, 18 Nov 2016 18:09:05 +0000 (20:09 +0200)]
Do not use OPENSSL_config
Switch to using CONF_modules_load_file instead of OPENSSL_config, which
was deprecated in OpenSSL 1.1 and would produce build warnings.
Nikolai Kondrashov [Fri, 18 Nov 2016 18:09:02 +0000 (20:09 +0200)]
Do not use ASN1_STRING_data
Switch to using ASN1_STRING_get0_data instead of ASN1_STRING_data, which
was deprecated in OpenSSL 1.1 and would produce build warnings.
Nikolai Kondrashov [Fri, 18 Nov 2016 18:08:59 +0000 (20:08 +0200)]
Do not use HMAC_Init
Replace remaining use of HMAC_Init with HMAC_Init_ex to silence
deprecation warnings with OpenSSL 1.1.
Nikolai Kondrashov [Fri, 18 Nov 2016 18:08:56 +0000 (20:08 +0200)]
Do not use HMAC_CTX_init
Switch to using HMAC_CTX_new in place of HMAC_CTX_init, which was
removed in OpenSSL 1.1, resulting in a broken build.
Nikolai Kondrashov [Fri, 18 Nov 2016 18:08:54 +0000 (20:08 +0200)]
Initialize HMAC context in rlm_otp
Add the missing mandatory HMAC context initialization to rlm_otp's
otp_gen_state. Otherwise the outcome of the following HMAC operations is
undefined.
Nikolai Kondrashov [Fri, 18 Nov 2016 18:08:49 +0000 (20:08 +0200)]
Do not try to access private OpenSSL structs
Some more OpenSSL structures were made private in v1.1 and accessor
functions were added instead. Switch to using accessor functions to fix
the build.
Nikolai Kondrashov [Wed, 7 Dec 2016 12:23:54 +0000 (14:23 +0200)]
Move func substitutes from rlm_eap to missing.c
Nikolai Kondrashov [Fri, 18 Nov 2016 18:08:47 +0000 (20:08 +0200)]
Add a few OpenSSL fallback funcs
Add four fallback function implementations to use in place of functions
removed/deprecated in OpenSSL 1.1. Those are to be used in the following
patches to make the build work and not produce deprecation warnings.
Nikolai Kondrashov [Mon, 21 Nov 2016 08:21:33 +0000 (10:21 +0200)]
Check for openssl/conf.h
Check for presence of openssl/conf.h to support definition of fallback
functions in later patches.
Nikolai Kondrashov [Mon, 21 Nov 2016 08:13:55 +0000 (10:13 +0200)]
Check for openssl/asn1.h
Check for presence of openssl/asn1.h to support definition of fallback
functions in later patches.
Nikolai Kondrashov [Fri, 18 Nov 2016 18:08:43 +0000 (20:08 +0200)]
Check for openssl/hmac.h
Apart from dealing with a FIXME, this is needed for implementing
compatibility fallbacks for some functions introduced in OpenSSL 1.1, in
following commits.
Nikolai Kondrashov [Fri, 18 Nov 2016 18:08:40 +0000 (20:08 +0200)]
Check for EVP_CIPHER_CTX_new to detect libcrypto
Switch to checking for EVP_CIPHER_CTX_new instead of EVP_cleanup to
detect presence of libcrypto, because EVP_cleanup was removed as a symbol
from OpenSSL 1.1, and the check would always fail.
Nikolai Kondrashov [Fri, 18 Nov 2016 18:08:33 +0000 (20:08 +0200)]
Fix SSL_get_client/server_random checks
Needed for conditionally avoiding accessing private OpenSSL structures
in a following patch.
Backported from v3.1.x.
Alan T. DeKok [Wed, 7 Dec 2016 00:22:12 +0000 (19:22 -0500)]
indentation helps
Alan T. DeKok [Wed, 30 Nov 2016 13:30:38 +0000 (08:30 -0500)]
switch with no match and no default
njm506 [Wed, 30 Nov 2016 13:00:17 +0000 (13:00 +0000)]
Merge branch 'v3.0.x' into v3.0.x
Alan T. DeKok [Mon, 28 Nov 2016 15:37:17 +0000 (10:37 -0500)]
limit FD to FD_SETSIZE
Graham Clinch [Sat, 1 Oct 2016 23:01:35 +0000 (00:01 +0100)]
dhcp module isn't built by default, don't try to enable it
Graham Clinch [Sat, 1 Oct 2016 22:08:07 +0000 (23:08 +0100)]
Don't package symlinks in sites-enabled and mods-enabled