cmiller [Thu, 13 Dec 2001 14:30:04 +0000 (14:30 +0000)]
debian: updated to 0.4
aland [Thu, 13 Dec 2001 04:08:40 +0000 (04:08 +0000)]
use the proper target for in-src-tree library testing
aland [Thu, 13 Dec 2001 04:06:26 +0000 (04:06 +0000)]
deleted yet another copy of rules.mak
updated lower-level make file to use upper-level rules.mak
aland [Thu, 13 Dec 2001 04:01:29 +0000 (04:01 +0000)]
Add include cflag for libltdl
aland [Thu, 13 Dec 2001 04:01:01 +0000 (04:01 +0000)]
removed unnecessary header files.
re-arranged so as to not conflict
aland [Thu, 13 Dec 2001 03:36:51 +0000 (03:36 +0000)]
cleaned up to remove include of /usr/include (should be done
on all sane C compilers), and link to -lc
Additional minor fixes
cparker [Wed, 12 Dec 2001 22:39:55 +0000 (22:39 +0000)]
Retagged tree with 0.5 version, as 0.4 is released.
raghu [Wed, 12 Dec 2001 02:05:14 +0000 (02:05 +0000)]
EAP module with supported EAP types
raghu [Wed, 12 Dec 2001 02:01:43 +0000 (02:01 +0000)]
EAP authentication type -- MD5
raghu [Wed, 12 Dec 2001 02:00:01 +0000 (02:00 +0000)]
All supported EAP authentication types
raghu [Wed, 12 Dec 2001 01:57:23 +0000 (01:57 +0000)]
EAP module for all EAP based authentications
aland [Tue, 11 Dec 2001 22:35:36 +0000 (22:35 +0000)]
As posted to the list by Jeremy McNamara <jj@indie.org>
This is apparently mostly a copy of the Cisco dictionary.
aland [Wed, 5 Dec 2001 18:27:24 +0000 (18:27 +0000)]
Removed extraneous 'vp_printlist', which was causing confusion.
Problem found by radius@palosanto.com
3APA3A [Thu, 29 Nov 2001 09:45:00 +0000 (09:45 +0000)]
! Vendor-Specific attribute check added to rad_receive to avoid memory
corruption in case of invalid attribute length inside Vendor-Specific
attribute
! dict_vendorcode() call removed from rad_decode(). We do not need it any
more.
kkalev [Tue, 27 Nov 2001 22:44:24 +0000 (22:44 +0000)]
Add xlat_register and xlat_unregister functions. Now modules can register their
own xlat functions. That way we can have ldap URLs or SQL selects in xlat
strings. These strings will be of the form:
%{module:string}
For example for ldap it will be something like this:
%{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}
Also added ldap_xlat in rlm_ldap.c as defined above. It allows for LDAP URLs
in xlat strings.
cmiller [Sun, 25 Nov 2001 20:12:09 +0000 (20:12 +0000)]
debian: export DH_COMPAT variable, so /etc/raddb/* are listed as conffiles.
fcusack [Wed, 21 Nov 2001 11:46:03 +0000 (11:46 +0000)]
Correct a comment
fcusack [Wed, 21 Nov 2001 11:30:12 +0000 (11:30 +0000)]
fix mem leak from sync_mode: free an instance var on destruction.
cmiller [Tue, 20 Nov 2001 17:19:28 +0000 (17:19 +0000)]
debian: remove empty directory /var/log/freeradius
debian: changed logfile-rolling to use logrotate instead of cron and 'savelog'
debian: improved initscript.
cmiller [Tue, 20 Nov 2001 17:15:38 +0000 (17:15 +0000)]
Include check for gdbm-ndbm.h file, for GDBM versions near 1.7.3 .
cmiller [Tue, 20 Nov 2001 17:13:22 +0000 (17:13 +0000)]
Close STD{IN,OUT,ERR} if not running in debug mode. (Debian Bug#11678)
cmiller [Tue, 20 Nov 2001 15:41:15 +0000 (15:41 +0000)]
Added "standard" (non /usr/local/) paths for postgresql headers and libs.
3APA3A [Thu, 15 Nov 2001 18:04:41 +0000 (18:04 +0000)]
+ support for MS-CHAPv2. SHA1 digest support was added (sha1.c, sha2.c)
MS-CHAPv2 was not tested in real life. Please feedback if you
will get any result.
! module is configurable via radiusd.conf and supports instances
! module supports both authorization and authentication. Authorization
sets authentication to MS-CHAP if any NTLM-related things found.
It will allow dynamically choose between PAP, CHAP, MS-CHAP, etc
based on attributes given by NAS.
During authorization new attributes added to config_items:
LM-Password - LM-encoded password
NT-Password - NT-encoded password
SMB-Account-CTRL - account control flags in SAMBA format
During authentication these attributes are checked against data
provided by NAS.
- RFC 2433 text with MS-CHAPv1 description removed. Microsoft attributes
are covered by RFC 2458, MS-CHAPv2 - RFC 2759. You can obtain them
all from www.rfceditor.org or www.freeradius.org/rfc/
3APA3A [Thu, 15 Nov 2001 17:26:14 +0000 (17:26 +0000)]
Added NT/LM password attributes. They will be created during MS-CHAP
authorization or you can store them in raddb/users
mschap module sample configuration added
kkalev [Thu, 15 Nov 2001 14:41:50 +0000 (14:41 +0000)]
Do an xlat on the access_group attribute.
Patch by Gordon Tetlow <gordont@gnf.org>
Also, use groupmembership_filter attribute as filter for user membership
in the access group.
kkalev [Thu, 15 Nov 2001 00:22:36 +0000 (00:22 +0000)]
Added function ldap_groupcmp(). Now we can do checks on user ldap group membership.
aland [Tue, 13 Nov 2001 23:08:39 +0000 (23:08 +0000)]
This patch eliminates Oracle's complaint in rare cases when:
- retrieved field is NULL (eg., SQL operators) - ORA-01405 fetched
column value is NULL
- field has as maximum character as it was declared
(40 char field has 40 characters) - ORA-01406 fetched column
value was truncated.
Patch from Mitry Matyushkov <mitry@todes.org.by>
fcusack [Sun, 11 Nov 2001 06:18:49 +0000 (06:18 +0000)]
Add config hint for pam_radius
fcusack [Sun, 11 Nov 2001 05:17:10 +0000 (05:17 +0000)]
Support fast_sync mode, which allows responses without an explicit challenge.
kkalev [Fri, 9 Nov 2001 00:53:09 +0000 (00:53 +0000)]
Change paircmp,paircompare,simplapaircmp and RAD_COMPARE_FUNC to allow for
the use of radius_xlat() in paircompare functions
cparker [Thu, 8 Nov 2001 23:27:45 +0000 (23:27 +0000)]
Added dictionary entries to support RFC-2867 Tunnel Accounting.
aland [Thu, 8 Nov 2001 16:58:56 +0000 (16:58 +0000)]
No authhost in proxy means LOCAL
No accthost in proxy means LOCAL
Corrected bug where acct_port for proxy was set to auth_port
cparker [Thu, 8 Nov 2001 01:12:32 +0000 (01:12 +0000)]
Added function prototypes for RFC2868 encryption/decryption to
support Tunnel-Password attributes.
cparker [Thu, 8 Nov 2001 01:04:33 +0000 (01:04 +0000)]
Removed #ifdef for printing tunnel attribute tags in the Merit
format, because we don't want to do that. Ever. :)
cparker [Thu, 8 Nov 2001 00:53:01 +0000 (00:53 +0000)]
Dictionary changes to include 'dictionary.tunnel' by default
and tag/encryption options set correctly in 'dictionary.tunnel'
cparker [Thu, 8 Nov 2001 00:49:48 +0000 (00:49 +0000)]
Added final support to encrypt/decrypt RFC-2868 Tunnel-Password
attributes when sending and receiving.
aland [Wed, 7 Nov 2001 21:06:45 +0000 (21:06 +0000)]
If we're not caching the password, use fgetpwent() to walk
through the specified password file.
Yes, fgetpwent() isn't portable. A fix for that requires
another patch...
Patch from Daniel Carroll <freeradius@defiant.mesastate.edu>
aland [Wed, 7 Nov 2001 15:55:14 +0000 (15:55 +0000)]
Print out the proper verified message.
Bug noted by Simon Oakley <soakley@nextone.com>
aland [Wed, 7 Nov 2001 15:20:06 +0000 (15:20 +0000)]
If the thread is already at the tail, don't move it.
aland [Wed, 7 Nov 2001 15:16:24 +0000 (15:16 +0000)]
Hmm... pid may be unsigned apparently. So checking if it's smaller
than zero is NOT a good thing. So we cast it to 'int' to get around
the problem.
fcusack [Wed, 7 Nov 2001 08:18:44 +0000 (08:18 +0000)]
Use "long names" for config vars, rather than abbreviated names.
fcusack [Wed, 7 Nov 2001 07:30:48 +0000 (07:30 +0000)]
Remove ActivCard-related TODO's, will add a doc note about this later.
aland [Tue, 6 Nov 2001 19:02:56 +0000 (19:02 +0000)]
Threads don't block SIGCHLD.
Do waitpid() even when using threads, to clean up Exec-Program
child processes.
Bug noted by "louzhigang"<cddxj@21cn.com>
aland [Tue, 6 Nov 2001 18:37:02 +0000 (18:37 +0000)]
Added empty FreeRADIUS Vendor-Specific dictionary.
Any on-the-wire attributes which are specific to the server MUST
go into this dictionary.
cparker [Tue, 6 Nov 2001 16:41:49 +0000 (16:41 +0000)]
Fixed bug where having remote authhost and LOCAL accthost caused
requests not to be proxied or replied to.
aland [Mon, 5 Nov 2001 15:18:50 +0000 (15:18 +0000)]
Parse 'accthost' from the realm configuration, and use it in
the various logic decisions.
kkalev [Sat, 3 Nov 2001 00:25:01 +0000 (00:25 +0000)]
- Added authorize() function to set Auth-Type = CHAP if Chap-Password exists
- Added module messages when rejecting user
kkalev [Fri, 2 Nov 2001 23:03:02 +0000 (23:03 +0000)]
Change default password_attribute to NULL
pam [Fri, 2 Nov 2001 10:24:36 +0000 (10:24 +0000)]
Change to proper operator in assigning Auth-Type to LDAP
bug noted by Kostas Kalevras <kkalev@noc.ntua.gr>
kkalev [Fri, 2 Nov 2001 01:18:28 +0000 (01:18 +0000)]
Add:
o Module Messages in rlm_ldap when we reject a user
o Add password to config_items stripping off any headers.
password_header and password_attribute directives are defined
Update documentation and configuration file
aland [Thu, 1 Nov 2001 17:02:05 +0000 (17:02 +0000)]
Update to use new definition of dict_addattr()
cparker [Thu, 1 Nov 2001 00:55:17 +0000 (00:55 +0000)]
Missed case where tag was not set for PW_TYPE_INTEGER correctly.
This is now handled properly when writing vp's into the packet
data.
cparker [Thu, 1 Nov 2001 00:36:22 +0000 (00:36 +0000)]
Added TAG_ANY attribute tag definition to allow tags to be
wildcarded in Check-Items and in modules like attr_filter.
cparker [Thu, 1 Nov 2001 00:19:30 +0000 (00:19 +0000)]
Corrected tunnel attribute names to match the RFC.
cparker [Thu, 1 Nov 2001 00:06:43 +0000 (00:06 +0000)]
Updated 'pairmake()' to allow parsing of Tags for attributes.
Supports both native ( Attribute:Tag = Value ) and merit's
syntax ( Attribute = :Tag:Value ).
aland [Wed, 31 Oct 2001 18:17:45 +0000 (18:17 +0000)]
After reading the configuration files, IF we're not debugging,
then trap a number of fatal signals.
If we're debugging, then don't trap fatal signals, so that the OS
can dump core.
cparker [Wed, 31 Oct 2001 17:11:43 +0000 (17:11 +0000)]
Updated dictionary.tunnel to support new method for specifying
tagged attributes. Added additional attributes specified in
RFC 2868.
cparker [Wed, 31 Oct 2001 17:01:13 +0000 (17:01 +0000)]
Initial patch to allow support for RFC 2868 Tagged Attributes.
This patch adds to the ATTR_FLAGS struct for attributes, and
will read tag and vendor options properly from the dictionary.
It also parses tags into the FLAGS struct on received packets.
'dict_addattr' has an additional option to pass the ATTR_FLAGS
struct when reading the dictionary.
aland [Wed, 31 Oct 2001 16:19:06 +0000 (16:19 +0000)]
In pairmove2, if given Vendor-Specific, then move ALL vendor
specific attributes.
Updated rfc_clean() to move VSA's over, so that they can appear
in authentication reject packets, too.
aland [Wed, 31 Oct 2001 15:29:56 +0000 (15:29 +0000)]
Small bugfix by "Nikolay P. Romanyuk" <mag@vtelecom.ru>
aland [Wed, 31 Oct 2001 15:29:18 +0000 (15:29 +0000)]
Change '=' in if to '=='
aland [Tue, 30 Oct 2001 19:16:55 +0000 (19:16 +0000)]
Allow operators in the SQL table. This patch (so far) doesn't
include changes to the SQL queries, which still have to be
updated.
Patch from Mitry Matyushkov <mitry@todes.org.by>
aland [Tue, 30 Oct 2001 17:45:24 +0000 (17:45 +0000)]
Added 'radlog_dest' variable, so we can set the destination of
the log messages to files, syslog, stdout, or stderr, without
over-loading the normal logging directory.
This can NOT be set from the configuration file yet. That patch
is next.
aland [Tue, 30 Oct 2001 17:22:04 +0000 (17:22 +0000)]
Updated MPP and simultaneous-use checking
Patch from Kostas Kalevras <kkalev@noc.ntua.gr>
aland [Tue, 30 Oct 2001 17:12:24 +0000 (17:12 +0000)]
Added ATTR_FLAGS data structure from Cistron, and updated
references to 'addport'.
aland [Tue, 30 Oct 2001 16:36:48 +0000 (16:36 +0000)]
Removed mapping of vendor Private Enterprise Code to internal code.
We now use the vendor PEC directly, which means that we error out
if the vendor PEC is larger than 65535.
Fixing that problem requires major changes to the source, which
can wait until later.
aland [Tue, 30 Oct 2001 15:38:58 +0000 (15:38 +0000)]
Added note on broken Bay software
aland [Mon, 29 Oct 2001 21:41:22 +0000 (21:41 +0000)]
Make CHAP authentication a module, instead of having it in
the server core.
Patch from Kostas Kalevras <kkalev@noc.ntua.gr>
aland [Mon, 29 Oct 2001 21:29:54 +0000 (21:29 +0000)]
Support PAP, MS-CHAP, and use /etc/smbpasswd file, if so configured
Patch from 3APA3A <3APA3A@SECURITY.NNOV.RU>
aland [Mon, 29 Oct 2001 21:04:51 +0000 (21:04 +0000)]
When rejecting the user, add a Module-Message saying why.
Patch from Kostas Kalevras <kkalev@noc.ntua.gr>
aland [Mon, 29 Oct 2001 21:02:35 +0000 (21:02 +0000)]
If we have a Module-Message, then print it out when rejecting
or denying the request.
Patch from Kostas Kalevras <kkalev@noc.ntua.gr>
aland [Mon, 29 Oct 2001 20:58:01 +0000 (20:58 +0000)]
Added defines for Module-Message, to allow modules to pass messages
around.
Patch from Kostas Kalevras <kkalev@noc.ntua.gr>
aland [Mon, 29 Oct 2001 19:13:48 +0000 (19:13 +0000)]
removed old sql defines
aland [Mon, 29 Oct 2001 18:58:14 +0000 (18:58 +0000)]
Added more text on using PAM, as posted to the list by
"Bruce Ritchie" <bruce.ritchie@maclaren.com>
aland [Mon, 29 Oct 2001 16:45:01 +0000 (16:45 +0000)]
Allow ldap module to use a start tls command with ldap server.
Patch from Andrew Kukhta <andy@wubn.net>, with added 'configure'
checks
aland [Fri, 26 Oct 2001 19:04:42 +0000 (19:04 +0000)]
Build the utilities on static && dynamic targets, instead of 'all'
aland [Fri, 26 Oct 2001 16:59:38 +0000 (16:59 +0000)]
create the binary directory before installing the binaries
cparker [Fri, 26 Oct 2001 00:24:12 +0000 (00:24 +0000)]
Preliminary support for displaying Tunnel attributes as defined in
RFC 2868. Tag is properly printed for both string and integer
attributes when server or radclient displays A/V debugging pairs.
raddb/dictionary.tunnel is not changed yet. Type will need to be updated
for the tunnel attributes to t_string or t_integer for these changes
to be displayed.
aland [Thu, 25 Oct 2001 21:46:16 +0000 (21:46 +0000)]
If we're using threads, block SIGINT, SIGQUIT, too. And use
pthread_sigmask(), instead of sigprocmask().
This may fix CPU loading problems when there's a problem...
aland [Thu, 25 Oct 2001 21:05:28 +0000 (21:05 +0000)]
Corrected typo in last commit
aland [Thu, 25 Oct 2001 20:44:57 +0000 (20:44 +0000)]
Add a 'Realm' attribute for local realms.
aland [Thu, 25 Oct 2001 15:42:08 +0000 (15:42 +0000)]
Corrected typo in last commit
cparker [Thu, 25 Oct 2001 14:54:01 +0000 (14:54 +0000)]
Added more documentation and configuration examples for Ascend NAS
aland [Thu, 25 Oct 2001 14:37:44 +0000 (14:37 +0000)]
If targetname is not set, then don't output the utils.
Noted by "jason" <rohwedde@codegrinder.com>
aland [Thu, 25 Oct 2001 14:30:26 +0000 (14:30 +0000)]
write log message about invalid shells and invalid password
Patch from Bill Campbell <bill@celestial.com>
aland [Wed, 24 Oct 2001 15:43:25 +0000 (15:43 +0000)]
If we've received a reply from the home server after we've given
up, and already sent a reply to the NAS, then delete the packet
from the home server, and don't process it. It's too late.
Bug found and patch by Vesselin Atanasov <vesselin@bgnet.bg>
aland [Wed, 24 Oct 2001 14:13:47 +0000 (14:13 +0000)]
Fixes and updates for the configure script
Patches from "Nikolay P. Romanyuk" <mag@vtelecom.ru>
aland [Tue, 23 Oct 2001 19:18:30 +0000 (19:18 +0000)]
Add a configure script which automatically roots through
configuring the sub-directories
aland [Tue, 23 Oct 2001 19:08:33 +0000 (19:08 +0000)]
Added /usr/local/pgsql/lib and /usr/local/pgsql/include for the
libs/includes, so that we find postgres in its standard install
location.
aland [Tue, 23 Oct 2001 19:05:53 +0000 (19:05 +0000)]
Remove postgres checks from the top-level configure, and put
them in the sql/drivers/... directory, where they belong.
Patch from "Nikolay P. Romanyuk" <mag@vtelecom.ru>
aland [Tue, 23 Oct 2001 19:04:23 +0000 (19:04 +0000)]
When doing 'distclean', do 'clean', too.
Patch from "Nikolay P. Romanyuk" <mag@vtelecom.ru>
aland [Tue, 23 Oct 2001 19:03:46 +0000 (19:03 +0000)]
Changes to allow postgres to be found on './configure'
Patch from "Nikolay P. Romanyuk" <mag@vtelecom.ru>
aland [Tue, 23 Oct 2001 17:53:56 +0000 (17:53 +0000)]
A better patch for decode attribute.
Patch from Raghu <raghud@hereuare.com>
aland [Mon, 22 Oct 2001 17:50:57 +0000 (17:50 +0000)]
Updated 'malformed packet' messages to include prefix of 'WARNING'
to make it clear what's going on.
Removed 'memset 0' buffer overflow.
Added the ability to configure the maximum number of attributes
which may be in a packet. If there are more attributes than this,
then the packet is dropped.
This helps prevent DoS attacks, as noted today on the devel list
by 3APA3A <3APA3A@SECURITY.NNOV.RU>
aland [Mon, 22 Oct 2001 17:20:14 +0000 (17:20 +0000)]
When sending or receiving a radius packet, use an area on the local
stack to get the packet, or to build the new one. If everything
checks out, then we allocate memory for it, and copy the contents
over.
While the extra 'memcpy' takes time, the benefit is that we only
allocate the minimum amount of memory required for the packet.
aland [Mon, 22 Oct 2001 15:13:11 +0000 (15:13 +0000)]
Auto-reload for rlm_fastusers and rlm_unix
Patch from Philippe Levan <levan@epix.net>
aland [Mon, 22 Oct 2001 14:18:53 +0000 (14:18 +0000)]
If call xlat with template of attribute which does not exist in
request then function decode_attribute falls in endless cycle.
Patch to fix it, from Andrei Koulik <agk@sci-nnov.ru>
aland [Fri, 19 Oct 2001 18:57:19 +0000 (18:57 +0000)]
If we don't have ndbm, maybe the functions we need are in gdbm?
aland [Fri, 19 Oct 2001 17:38:37 +0000 (17:38 +0000)]
If we don't find ndbm, then don't build the utils or install, either.
aland [Fri, 19 Oct 2001 17:33:52 +0000 (17:33 +0000)]
If we don't find the header files, then fail.