fcusack [Fri, 15 Mar 2002 00:02:03 +0000 (00:02 +0000)]
reformat for 80 cols
fcusack [Thu, 14 Mar 2002 23:52:57 +0000 (23:52 +0000)]
Test for openssl/des.h instead of -lcrypto. Apparently, some
systems' libcrypto is not openssl's, or they don't install
the headers in the standard location.
aland [Thu, 14 Mar 2002 22:18:21 +0000 (22:18 +0000)]
Added foundry dictionary, from Thomas Keitel
aland [Thu, 14 Mar 2002 20:58:24 +0000 (20:58 +0000)]
Added note that accounting packets get processed through 'acct_users'
aland [Thu, 14 Mar 2002 18:47:06 +0000 (18:47 +0000)]
Updated unix config with notes about FreeBSD.
cparker [Thu, 14 Mar 2002 16:49:53 +0000 (16:49 +0000)]
o Corrected bug in fall-through logic, so that Fall-Through = No
is correctly handled.
aland [Wed, 13 Mar 2002 16:48:39 +0000 (16:48 +0000)]
If GETHOSTBYADDRRSTYLE isn't defined, then don't compare it to
anything.
aland [Wed, 13 Mar 2002 15:54:07 +0000 (15:54 +0000)]
Added short note on EAP/TLS, from Adam <adam@cfar.umd.edu>
aland [Mon, 11 Mar 2002 20:39:20 +0000 (20:39 +0000)]
Corrected typo in last commit
aland [Mon, 11 Mar 2002 19:54:21 +0000 (19:54 +0000)]
Set 'request->child_pid' while processing the request.
aland [Mon, 11 Mar 2002 18:50:06 +0000 (18:50 +0000)]
Update help messages for 'radclient' to say how to specify a port
Patch from bj@zuto.de (Rainer Clasen)
aland [Mon, 11 Mar 2002 18:47:08 +0000 (18:47 +0000)]
Updated for latest set of changes.
aland [Mon, 11 Mar 2002 18:38:15 +0000 (18:38 +0000)]
Updated for latest set of changes.
aland [Mon, 11 Mar 2002 18:35:10 +0000 (18:35 +0000)]
Added sample PostgreSQL queries, from Igor Chen
aland [Mon, 11 Mar 2002 18:34:43 +0000 (18:34 +0000)]
Slight change to comments.
Show how to use Stripped-User-Name, if it's there, else User-Name,
else "none"
aland [Mon, 11 Mar 2002 18:26:35 +0000 (18:26 +0000)]
Updated pointer to documentation
aland [Mon, 11 Mar 2002 16:42:41 +0000 (16:42 +0000)]
Bump up the number of fd's we close
kkalev [Sun, 10 Mar 2002 13:46:12 +0000 (13:46 +0000)]
Update Changelog
kkalev [Sun, 10 Mar 2002 12:54:54 +0000 (12:54 +0000)]
fix a bug in da_sql_query.
Bug noted by Peter Santiago <peter.santiago@psinergybbs.com>
aland [Fri, 8 Mar 2002 19:17:04 +0000 (19:17 +0000)]
Added 'op' field back, and increased 'value' size to 253
aland [Fri, 8 Mar 2002 16:35:26 +0000 (16:35 +0000)]
Use maxfd+1 for select
aland [Thu, 7 Mar 2002 18:11:20 +0000 (18:11 +0000)]
Delay sending the proxied packet until after we've done things
to the request data structure.
There may be a race condition, where the reply comes while we're
accessing the structure, and two threads access it at the same time.
This change doesn't *prevent* the problem, it just makes it a lot
less likely to happen.
aland [Thu, 7 Mar 2002 18:09:51 +0000 (18:09 +0000)]
Fix a logic bug in refresh_request(). If the request hasn't
reached its "max_request_time", AND there's still a thread
poking at it, THEN don't bother doing ANY kind of refreshing of it,
as that will result in huge confusion, while two threads access
the same data structure!
Added a few more asserts, to catch possible race conditions
as early as possible. If there's a problem, then the assert
should fire, instead of the code continuing, and killing itself
at some other random location.
kkalev [Thu, 7 Mar 2002 01:06:27 +0000 (01:06 +0000)]
Added tuning guide
aland [Wed, 6 Mar 2002 21:15:37 +0000 (21:15 +0000)]
Changed the default ports to 1812/1813, as most everyone should
be using them now.
aland [Wed, 6 Mar 2002 21:14:28 +0000 (21:14 +0000)]
Corrected typo, as noted by Eduardo Roldan <eroldan@multitel.com.uy>
cmiller [Wed, 6 Mar 2002 20:46:09 +0000 (20:46 +0000)]
Added python module as separate package.
cmiller [Wed, 6 Mar 2002 20:23:37 +0000 (20:23 +0000)]
Recompiled configure script.
cmiller [Wed, 6 Mar 2002 18:34:54 +0000 (18:34 +0000)]
Tried to get python detection working properly. It may be close, but the
test for whether libpython${whatever} has Py_Initialize() is UGLY. I hope
someone cleans that up.
aland [Wed, 6 Mar 2002 17:55:39 +0000 (17:55 +0000)]
When updating the head of a list, update the *real* head, and
not the local pointer to the head, which is thrown away when
the function returns.
Patch from Lutz Donnerhacke <lutz@iks-jena.de>
aland [Wed, 6 Mar 2002 17:49:36 +0000 (17:49 +0000)]
Make authentication reject messages more consistent.
Don't return bad IP address if we're doing '1.2.3.4+', and the
request doesn't have a NAS port to add.
aland [Wed, 6 Mar 2002 17:35:53 +0000 (17:35 +0000)]
Updated schema with more restrictions on field values, from
Thomas Huehn <huehn@eozaen.net>
aland [Wed, 6 Mar 2002 16:36:09 +0000 (16:36 +0000)]
Don't use a hard-coded '32' for the select over the auth, acct,
and proxy FD's. The modules are configured *before* these FD's
are opened, so there may be more than 32 FD's in use.
Instead, we have to dynamically figure out what the maximum FD
is from the set we're selecting over, and use that value.
Bug found by Cvetan Ivanov <zezo@spnet.net>
cmiller [Wed, 6 Mar 2002 16:02:24 +0000 (16:02 +0000)]
Added tests to detect the style of gethostbyaddr_r() function, and use it.
It knows of GNU and SYSV, atm.
aland [Tue, 5 Mar 2002 23:14:25 +0000 (23:14 +0000)]
Aptis (Nortel CVX 1800?) dictionary, found on the net, and edited
for FreeRADIUS.
aland [Tue, 5 Mar 2002 15:44:38 +0000 (15:44 +0000)]
Changed attribute type, so says "ju bin" <binju@online.sz.js.cn>
aland [Tue, 5 Mar 2002 15:41:55 +0000 (15:41 +0000)]
Removed SQL from authenticate section. They're no longer needed.
aland [Tue, 5 Mar 2002 15:21:27 +0000 (15:21 +0000)]
Removed checks for gethostbyFOO_r(), until such time as we can
do intelligent checks.
aland [Mon, 4 Mar 2002 21:14:44 +0000 (21:14 +0000)]
Added attributes from RFC 3162.
Some are of type 'octets', when they should really be of type 'IPv6',
but that isn't a serious problem for now.
kkalev [Sat, 2 Mar 2002 16:13:48 +0000 (16:13 +0000)]
o Add support for Autz-Type attribute. We can now create autztype sections in
radiusd.conf.
o Add sql_xlat. Only SELECTS are supported right now
o Move sql_release socket in a few places where it wasn't needed
o Remove sql_authenticate function. We still use the authenticate_query directive
to extract the user password. The work should now be done by the pap/chap modules.
o Do a pairfree of check_tmp and reply_tmp if paircmp fails
in sql_authorize
ramoore [Sat, 2 Mar 2002 06:49:55 +0000 (06:49 +0000)]
Update the print_abinary function to show 'est' when the established bit is set.
ramoore [Sat, 2 Mar 2002 05:50:43 +0000 (05:50 +0000)]
Prevent nas_name functions from calling client_name.
Add nas_name3 function that can return a dotted quad when
NAS name is not known.
Update radwho to use nas_name3 function
ramoore [Sat, 2 Mar 2002 03:31:37 +0000 (03:31 +0000)]
This patch changes the return code within the CISCO_ACCOUNTING_HACK from FAIL to NOOP.
If a FAIL is returned, freeradius does not send an ACK to the NAS that sent the stop
packet, so it just keeps resending. NOOP is more appropriate.
fcusack [Fri, 1 Mar 2002 16:57:18 +0000 (16:57 +0000)]
Remove GPL text; sha1.c is in the public domain.
fcusack [Fri, 1 Mar 2002 16:53:23 +0000 (16:53 +0000)]
reload now just sends -HUP
raghu [Thu, 28 Feb 2002 21:44:29 +0000 (21:44 +0000)]
TLS_Message_Length is made configurable
aland [Wed, 27 Feb 2002 15:32:07 +0000 (15:32 +0000)]
Minor fixups
from bj@zuto.de (Rainer Clasen)
aland [Tue, 26 Feb 2002 21:46:17 +0000 (21:46 +0000)]
If both 'authhost' and 'accthost' in a realm are LOCAL, then we
don't need a shared secret.
Bug noted by "Vector" <cistron@itpsg.com>
aland [Tue, 26 Feb 2002 19:22:24 +0000 (19:22 +0000)]
If fgetspnam() returns NULL, then it means that the shadow password
entry does NOT exist.
This probably fixes the bug where non-cached passwords don't work...
raghu [Tue, 26 Feb 2002 00:57:30 +0000 (00:57 +0000)]
More debugging statements
raghu [Tue, 26 Feb 2002 00:56:35 +0000 (00:56 +0000)]
Made Length field configurable.
Now Total length can be included in every packet or
only in the first fragment of the message.
Initial patch provided by Adam <adam@cfar.umd.edu>.
aland [Mon, 25 Feb 2002 22:44:09 +0000 (22:44 +0000)]
Check for gethostbyFOO_r(), and use them, if they exist.
aland [Mon, 25 Feb 2002 22:34:27 +0000 (22:34 +0000)]
Use gmtime_r by default, so that we're thread-safe.
aland [Mon, 25 Feb 2002 18:47:55 +0000 (18:47 +0000)]
<grumble> work around variations in gdbm from version to version.
For gdbm pre version 1.8, we can't use NOLOCK, as it doesn't exist.
This means that the DB file is *always* locked, and NO ONE ELSE can
get access to it ANYTIME.
aland [Mon, 25 Feb 2002 18:44:36 +0000 (18:44 +0000)]
Check if gdbm has gdbm_fdesc
aland [Mon, 25 Feb 2002 17:19:40 +0000 (17:19 +0000)]
Removed use of internal autoconf variable which is set to patently
absurd value.
aland [Mon, 25 Feb 2002 16:19:20 +0000 (16:19 +0000)]
Added new file describing the variables as defined by the server.
Added some more text in the configuration file, describing the
difference between ${foo} and %{foo}
aland [Mon, 25 Feb 2002 16:02:50 +0000 (16:02 +0000)]
Removed text describing variables and variable substitution
aland [Mon, 25 Feb 2002 16:02:23 +0000 (16:02 +0000)]
Added %{proxy-reply:Attribute-Name} for xlat
aland [Mon, 25 Feb 2002 15:51:43 +0000 (15:51 +0000)]
Updated comments on sql_user_name
aland [Mon, 25 Feb 2002 15:40:26 +0000 (15:40 +0000)]
Corrected typo in function name
aland [Fri, 22 Feb 2002 16:02:28 +0000 (16:02 +0000)]
Open the DB unlocked, and do file locking ourselves using the
new functions.
aland [Fri, 22 Feb 2002 15:53:05 +0000 (15:53 +0000)]
Call new rad_lockfd() function, instead of having ifdef in the
code for lockf/flock.
Remove *horrid* cast of a 'FILE*' to 'int', to "convert" a FILE*
into an integer file descriptor. This just won't work. fileno()
is what we want.
aland [Fri, 22 Feb 2002 15:40:54 +0000 (15:40 +0000)]
Use new library file lock/unlock functions
aland [Fri, 22 Feb 2002 15:37:18 +0000 (15:37 +0000)]
removed copies of file locking code.
Use new rad_lockfd() and rad_unlockfd() functions.
aland [Fri, 22 Feb 2002 15:36:27 +0000 (15:36 +0000)]
New functions: rad_lockfd() and rad_unlockfd(), to get rid of
duplication of file locking code.
aland [Thu, 21 Feb 2002 22:46:40 +0000 (22:46 +0000)]
Don't use a global 'acctfd'
As a result, update 'session_zap' to take an fd as an argument.
Update radutmp to use 'request->packet->fd', instead of the global
acctfd
aland [Thu, 21 Feb 2002 20:36:34 +0000 (20:36 +0000)]
Enable passwd caching by default.
Add a note that turning caching off may cause problems.
aland [Thu, 21 Feb 2002 19:11:01 +0000 (19:11 +0000)]
If we match a huntgroup, then add an attribute saying that
to the request. This is so it can be used && examined later.
Based on a patch from Simon Allard <simon.allard@staff.ihug.co.nz>
aland [Thu, 21 Feb 2002 16:23:47 +0000 (16:23 +0000)]
Patch to PostgreSQL schema for operators.
From Igor Chen <cron@office.lintec.com.ua>
kkalev [Thu, 21 Feb 2002 00:04:11 +0000 (00:04 +0000)]
Update documentation
kkalev [Thu, 21 Feb 2002 00:03:03 +0000 (00:03 +0000)]
Remove the auth_type directive. Change the ldap caching default to no (ldap_cache_timeout = 0)
aland [Wed, 20 Feb 2002 21:35:36 +0000 (21:35 +0000)]
Clear more fields of the request when deleting it, and if
debugging, mark up the secret so that it's easier to tell that
the request has been deleted.
aland [Wed, 20 Feb 2002 16:42:14 +0000 (16:42 +0000)]
Added patch for heimdal code, from
"Kevin C. Miller" <kevinm@andrew.cmu.edu>
Added note that this is NOT configurable, as the patch deletes
existing functionality, and replaces it with different code.
This kind of non-configurable code which removes existing, tested,
and working code is not very polite.
aland [Wed, 20 Feb 2002 16:22:15 +0000 (16:22 +0000)]
postgresql's 'PQcmdTuples' used in function 'affected_rows'
doesn't return number of affected rows for SELECT statement, but
returns empty string. Use PQntuples(), instead.
Patch from Andrew Kukhta <andy@wubn.net>
aland [Wed, 20 Feb 2002 16:19:13 +0000 (16:19 +0000)]
If the tag is invalid, rad_send() should ignore it, and set tag
to 0x00.
rad_decode(), if the type of attribute is string and has an invalid
tag, it should recognize the first octet as being part of the string.
If the attribute is "Tunnel-Password", and has invalid tag, then
the tag should be ignored.
Patch from Takahiro Wagatsuma <waga@sic.shibaura-it.ac.jp>
aland [Wed, 20 Feb 2002 16:12:27 +0000 (16:12 +0000)]
Added URL's for tips on configuring MySQL.
This doesn't really belong here, but there isn't a better place for
it right now.
aland [Wed, 20 Feb 2002 16:09:22 +0000 (16:09 +0000)]
use dir name macros in all configure options
libtool is required only when building the package
misc clean ups (reorder "header" to follow general RPM style)
make sure /var/log/radius and /var/log/radius/radacct are owned by
root and only readable by root.
Patch from Marko Myllynen
aland [Wed, 20 Feb 2002 16:03:46 +0000 (16:03 +0000)]
use condrestart instead of reload, so radiusd is not started by
logrotate if it was not already running
Added keyword "missingok" so logrotate execution won't stop if
some FreeRADIUS files are not found (e.g., FreeRADIUS hasn't
started after install and thus some files are not yet created).
Added rotating of radutmp
rotate detail files using "radacct/*/detail" so all detail files
are automatically rotated, no need to add NAS names to the path.
missingok parameter ensures that this works whether * matches
to anything or not.
Patch from Marko Myllynen
aland [Wed, 20 Feb 2002 16:01:00 +0000 (16:01 +0000)]
do not use radwatch (it's deprecated)
test that config file exists
return proper return value, not 0 always
added condrestart support, used by logrotate (see next patch)
misc clean ups
Patch from Marko Myllynen
aland [Tue, 19 Feb 2002 22:50:53 +0000 (22:50 +0000)]
In proxy_send(), if there is no realm to proxy the request to,
then return an error.
In rad_respond(), check if proxy_send() returns an error, and
reject the request if so.
Also, fix up a possible race condition in refresh_request(), where
we were marking the request finished, and THEN still accessing it.
aland [Tue, 19 Feb 2002 18:29:58 +0000 (18:29 +0000)]
Don't call fopen on syslog, if the logging destination is syslog
aland [Tue, 19 Feb 2002 15:46:04 +0000 (15:46 +0000)]
Corrected logic in delay request code.
Bug noted by Eddie Stassen <eddie@saix.net>
aland [Tue, 19 Feb 2002 15:41:50 +0000 (15:41 +0000)]
Added define for librad_max_attributes
aland [Mon, 18 Feb 2002 22:09:55 +0000 (22:09 +0000)]
There are cases where IF all of the matching realms are marked
dead, that we do NOT want to fall through to the default realm.
Based on a patch from bj@zuto.de (Rainer Clasen)
aland [Mon, 18 Feb 2002 21:43:37 +0000 (21:43 +0000)]
Added note that the pid file is written only in daemon mode.
aland [Mon, 18 Feb 2002 21:38:40 +0000 (21:38 +0000)]
Added log message when marking a realm dead.
aland [Mon, 18 Feb 2002 19:43:14 +0000 (19:43 +0000)]
Sanity checks and more cleanups for new "reject_delay"
aland [Mon, 18 Feb 2002 19:42:10 +0000 (19:42 +0000)]
Added configuration section "security", with "max_attributes" and
"reject_delay"
aland [Mon, 18 Feb 2002 19:26:05 +0000 (19:26 +0000)]
New security configuration items: max_attributes && reject_delay.
roland.haenel@qsc.de says that delaying the reject helps slow
down a DoS attack. This probably only helps for well-behaved NAS
boxes, but slowing down authentication rejects is probably a good
idea in any case.
raghu [Wed, 13 Feb 2002 20:32:55 +0000 (20:32 +0000)]
Avoid compiler warning
raghu [Wed, 13 Feb 2002 20:32:16 +0000 (20:32 +0000)]
TLS-Length contains Total Length as expected by MS
raghu [Wed, 13 Feb 2002 20:30:01 +0000 (20:30 +0000)]
TLS-Length contains total length as expected by MS
aland [Wed, 13 Feb 2002 20:04:57 +0000 (20:04 +0000)]
Minor cleanups.
Patch from Marko Myllynen
aland [Wed, 13 Feb 2002 15:09:52 +0000 (15:09 +0000)]
A *much* better method for finding Python.
Patch from Gordon Messmer <yinyang@eburg.com>
aland [Wed, 13 Feb 2002 14:33:25 +0000 (14:33 +0000)]
Don't clobber the password if we're using SNMP
Patch from "scott.list" <scott.list@mlec.net>
aland [Mon, 11 Feb 2002 20:39:24 +0000 (20:39 +0000)]
Added a note on building statically, for people who don't have
some shared libraries.
aland [Mon, 11 Feb 2002 20:36:25 +0000 (20:36 +0000)]
Added comments on how to use && set 'libdir'
Added sample python module config, from migs paraz <mparaz@yahoo.com>
aland [Mon, 11 Feb 2002 20:24:30 +0000 (20:24 +0000)]
Whoops... corrected a typo
aland [Mon, 11 Feb 2002 20:23:06 +0000 (20:23 +0000)]
Preliminary Python module from migs paraz <mparaz@yahoo.com>
To get it to build, go to the rlm_python directory, and do:
LIBS="-lpthread -ldl -lutil" ./configure --with-rlm-python-lib-dir=/usr/lib/python2.0/config/ --with-rlm-python-include-dir=/usr/include/python2.0/ --with-rlm-python-version=2.0
... at least on my system, with python 2.0. The 'configure' scripts
should be fixed in the future to do this automagically, but that's
for the future.