Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol

2009-03-15 Thread Peter Param
Did you try RE-BUILDING the server when you only had one version of
OpenSSL installed?

I did that and the SSL_CTX_ERROR message is now gone and radiusd runs
successfully.   However it won't accept encrypted authentication requests:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to secureldapcentral.stvincents.com.au:636, authentication
0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert File to certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to
certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as
cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU/abc123 to
secureldapcentral.stvincents.com.au:636
rlm_ldap: waiting for bind result ...
rlm_ldap: ldap_result()
rlm_ldap: cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU bind to
secureldapcentral.stvincents.com.au:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed 

I can authenticate to the ldap backend with an ldap client using port 636 but
not with freeradius.


The complete -X output:

radius02:/etc/freeradius# radiusd -X
FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 16 2009 at
11:45:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/roles_search
including configuration file /etc/freeradius/modules/patient_search
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/people_search
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = /etc
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir = 

Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol

2009-03-12 Thread Peter Param

You have two different versions of OpenSSL installed.

I'm really stumped by this.   I've replaced the default debian openssl libraries
(as per... ldconfig -v | grep ssl) with openssl 0.9.8.j and am still getting the
pesky error,   radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so:
undefined symbol: SSL_CTX_set_info_callback

Is libgnutls-openssl.so.13 referenced by freeradius?  That's the only file I
haven't been able to replace.

What else can I do?  Any help would be greatly appreciated!

cheers

Peter


-X output:

FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 13 2009 at
09:54:32
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr/local
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
 }
radiusd:  Loading Realms and 

Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol

2009-03-11 Thread Peter Param
You have two different versions of OpenSSL installed.

Thanks for that Alan.

I've blown everything away and started from scratch and installed openssl 0.98j
and used the following freeradius configuration:

./configure --bindir=/usr/bin \
--sbindir=/usr/sbin \
--sysconfdir=/etc \
--localstatedir=/var \
--libdir=/usr/lib \
--includedir=/usr/include \
--with-radacctdir=/var/log/freeradius/radacct \
--with-raddbdir=/etc/freeradius \
--with-openssl-includes=/usr/local/openssl/include \
--with-openssl-libraries=/usr/local/openssl/lib

...but I'm getting the following configuration errors even tho the libraries and
includes (and header files mentioned) are in the right places.  Can these errors
be ignored? (a make file was successfully created)

checking openssl/des.h presence... no
configure: WARNING: openssl/des.h: accepted by the compiler, rejected by the
preprocessor!
configure: WARNING: openssl/des.h: proceeding with the compiler's result
checking for openssl/des.h... yes
checking openssl/hmac.h usability... yes
checking openssl/hmac.h presence... no
configure: WARNING: openssl/hmac.h: accepted by the compiler, rejected by the
preprocessor!
configure: WARNING: openssl/hmac.h: proceeding with the compiler's result
checking for openssl/hmac.h... yes
checking openssl/md4.h usability... yes
checking openssl/md4.h presence... no
configure: WARNING: openssl/md4.h: accepted by the compiler, rejected by the
preprocessor!
configure: WARNING: openssl/md4.h: proceeding with the compiler's result
checking for openssl/md4.h... yes
checking openssl/md5.h usability... yes
checking openssl/md5.h presence... no
configure: WARNING: openssl/md5.h: accepted by the compiler, rejected by the
preprocessor!
configure: WARNING: openssl/md5.h: proceeding with the compiler's result
checking for openssl/md5.h... yes
checking openssl/sha.h usability... yes
checking openssl/sha.h presence... no
configure: WARNING: openssl/sha.h: accepted by the compiler, rejected by the
preprocessor!
configure: WARNING: openssl/sha.h: proceeding with the compiler's result
checking for openssl/sha.h... yes
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires:  openssl-libs.


cheers

Peter


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been virus
scanned and although no viruses were detected by the system, St Vincents 
Mater Health Sydney accepts no liability for any consequential damage
resulting from email containing any computer viruses.

**
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
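
Added example, not part of the original thread and not FreeRADIUS project code: a Python check for the "two different versions of OpenSSL" diagnosis. It parses `ldd` output for `radiusd` and the EAP-TLS module and flags libssl/libcrypto resolved outside the directory passed to `--with-openssl-libraries`. The `ldd` text is constructed sample data; every path except /usr/local/openssl/lib and the module file name is an assumption.

```python
import posixpath
import re
import subprocess
from collections import defaultdict

# Constructed sample data: `ldd` output for the daemon and the EAP-TLS module.
# Only /usr/local/openssl/lib and the module file name come from the thread.
SAMPLE_LDD = {
    "/usr/sbin/radiusd": """
        linux-gate.so.1 =>  (0xb7f2a000)
        libssl.so.0.9.8 => /usr/local/openssl/lib/libssl.so.0.9.8 (0xb7e90000)
        libcrypto.so.0.9.8 => /usr/local/openssl/lib/libcrypto.so.0.9.8 (0xb7d40000)
        libc.so.6 => /lib/libc.so.6 (0xb7be0000)
    """,
    "/usr/lib/rlm_eap_tls-2.1.3.so": """
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7e10000)
        libcrypto.so.0.9.8 => /usr/local/openssl/lib/libcrypto.so.0.9.8 (0xb7cc0000)
        libgnutls-openssl.so.13 => /usr/lib/libgnutls-openssl.so.13 (0xb7c90000)
    """,
}

LDD_LINE = re.compile(r"^\s*(?P<soname>\S+)\s+=>\s+(?P<target>not found|/\S+)")
OPENSSL_LIB = re.compile(r"^lib(ssl|crypto)\.so")


def ldd_of(path):
    """Run ldd on a real file (not used for the constructed sample)."""
    return subprocess.run(["ldd", path], capture_output=True, text=True).stdout


def parse_ldd(text):
    """Return {soname: resolved path, or None when ldd says 'not found'}."""
    deps = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            target = m.group("target")
            deps[m.group("soname")] = None if target == "not found" else target
    return deps


def audit(ldd_by_object, expected_dir):
    """Flag TLS libraries that do not come from the directory built against."""
    expected_dir = expected_dir.rstrip("/")
    findings = []
    dirs_by_family = defaultdict(set)
    for obj, text in ldd_by_object.items():
        for soname, path in parse_ldd(text).items():
            if soname.startswith("libgnutls-openssl"):
                # GnuTLS's OpenSSL-compatibility library: report that it is referenced.
                findings.append((obj, soname, "GnuTLS OpenSSL-compatibility library referenced"))
                continue
            if not OPENSSL_LIB.match(soname):
                continue
            if path is None:
                findings.append((obj, soname, "not found by the runtime linker"))
                continue
            directory = posixpath.dirname(path)
            dirs_by_family[soname.split(".so")[0]].add(directory)
            if directory != expected_dir:
                findings.append(
                    (obj, soname, f"resolved from {directory}, built against {expected_dir}")
                )
    # The same library family coming from two places is the condition named in the thread.
    for family, dirs in sorted(dirs_by_family.items()):
        if len(dirs) > 1:
            findings.append(("*", family, "loaded from several directories: " + ", ".join(sorted(dirs))))
    return findings


if __name__ == "__main__":
    for obj, lib, problem in audit(SAMPLE_LDD, "/usr/local/openssl/lib"):
        print(f"{obj}: {lib}: {problem}")
```

On a live host, build the input with `{p: ldd_of(p) for p in paths}` instead of `SAMPLE_LDD`.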


radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol

2009-03-10 Thread Peter Param
This is a new installation using openssl0.98j  and freeradius 2.1.3.

I get this error when running in debug mode:  radiusd: symbol lookup error: 
/usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol: SSL_CTX_set_info_callback

prior to running in debug mode,  I ran ./bootstrap under freeradius/certs 
directory.  The output:

radius02:/etc/freeradius/certs# ./bootstrap
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
+.+..+++...++.++*++*++*
openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
..+++
...+++
writing new private key to 'server.key'
-
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` 
-config ./ca.cnf
Generating a 2048 bit RSA private key
...+++
..+++
writing new private key to 'ca.key'
-
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep 
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions 
xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 11 04:59:02 2009 GMT
Not After : Mar 11 04:59:02 2010 GMT
Subject:
countryName   = FR
stateOrProvinceName   = Radius
organizationName  = Example Inc.
commonName= Example Server Certificate
emailAddress  = ad...@example.com 
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Mar 11 04:59:02 2010 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  
-passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout 
pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep 
output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep 
output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der




radiusd -X output:

FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 11 2009 at 
14:14:37
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/roles_search
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/patient_search
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/policy
including configuration file 

Re: Secure FreeRADIUS LDAP

2009-02-25 Thread Peter Param
Thanks, i've got it working.  Does it work by comparing the generated hash with 
the hash in the ldap backend?

 t...@kalik.net 23/02/2009 9:02 pm 
Does freeradius support SHA hashed passwords (on ldap backend)?


Yes. This is documented in doc/rlm_ldap included with the server.

Ivan Kalik
Kalik Informatika ISP
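
Added example, not part of the original thread and not FreeRADIUS code: a Python sketch of the comparison asked about above, for the common LDAP `{SHA}` and `{SSHA}` userPassword formats. The function names and sample passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

HEADER = re.compile(r"^\{([A-Za-z0-9-]+)\}(.+)$")
SHA1_LEN = 20


def encode_sha(password):
    """{SHA}: base64 of the raw SHA-1 digest of the password."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def encode_ssha(password, salt):
    """{SSHA}: base64 of SHA-1(password + salt) followed by the salt itself."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(stored, candidate):
    """Hash the candidate the same way the stored value was made, then compare."""
    m = HEADER.match(stored)
    if m is None:
        # No header: the stored value is treated as a cleartext password.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme = m.group(1).upper()
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return False  # malformed base64: fail closed
    if scheme == "SHA" and len(blob) == SHA1_LEN:
        digest, salt = blob, b""
    elif scheme == "SSHA" and len(blob) > SHA1_LEN:
        digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    else:
        return False  # scheme not handled by this sketch, or wrong length
    expected = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    stored = encode_ssha("s3cret", b"\x01\x02\x03\x04")  # constructed sample
    print(stored, verify(stored, "s3cret"), verify(stored, "guess"))
```

The comparison needs the cleartext password from the request, so it only applies where the client sends one (PAP); challenge-response methods cannot be checked against a one-way hash.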



Re: Secure FreeRADIUS LDAP

2009-02-22 Thread Peter Param
Does freeradius support SHA hashed passwords (on ldap backend)?

 danhaw...@googlemail.com 20/02/2009 10:36 pm 
Cool, thanks for the info Ivan. Will give it a go and report back

Thanks again

Dan

2009/2/20  t...@kalik.net:
# Can freeradius talk to the ldap box using TLS/SSL (ldaps)

 Yes. See tls section in ldap module.

# Can freeradius read hashed credentials from the LDAP store and then
actually use them???

 Yes. You will have to enable auto-headers in pap module if you are
 storing them with headers in userPassword.

# There may be a requirement to use certificates for auth, can the
ldap/freeradius module handle certs???

 Yes.

 Ivan Kalik
 Kalik Informatika ISP






-- 
--
Dan Hawker
danhaw...@googlemail.com 
07773 348975
--


Re: authenticating to ldaps/tls

2009-02-12 Thread Peter Param
it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636)   
...but it also supports the latter even tho an acl is set to not allow port 389

use start_tls=no fails also, it seems to have a problem with the cert and/or 
cert directory:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/

cheers

Peter




 thibault.lem...@supelec.fr 12/02/2009 9:04 pm 
Peter Param wrote:
 Hi all,

 I'm trying to authenticate to a LDAPS backend but failing.  Any suggestions?
   
Is it an LDAP server answering on LDAPS connections (LDAP+SSL on port 
636) or an LDAP server answering on LDAP connections that are then 
secured by Start-TLS  (LDAP on port 389 + Start-TLS)  ?

These are 2 different options.


 ldap people_search {
 server = ldap1.stvincents.com.au
 port = 636
   

== This implies an ldaps server

 identity = cn=admin,o=org,c=au
 password = ***
 filter = (cn=%u)
 basedn = ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
 tls {
 tls_mode = yes
 # to the LDAP database by using the StartTLS extended
 # operation.
 #
 # The StartTLS operation is supposed to be
 # used with normal ldap connections instead of
 # using ldaps (port 689) connections
 start_tls = yes
   
== this is not compliant with an ldaps server
use start_tls=no

By the way, Alan and other Gurus, I think there is a small typo in the 
comment:

# using ldaps (port 689) connections

Should be

# using ldaps (port 636) connections


HTH,
Thibault
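
Added example, not part of the original thread and not FreeRADIUS project code: a small Python linter for the LDAPS versus StartTLS distinction made above, run on a shortened copy of the `people_search` settings from this thread. The default port of 389 used when `port` is absent is an assumption; the `require_cert` default of allow follows the comment in the quoted configuration.

```python
# Shortened copy of the module settings quoted in this thread.
SAMPLE = """\
ldap people_search {
    server = ldap1.stvincents.com.au
    port = 636
    filter = (cn=%u)
    tls {
        tls_mode = yes
        start_tls = yes
        cacertfile = /etc/openssl/certs/SVMHS_CA_SSL_Server.cer
        cacertdir = /etc/openssl/certs/
        require_cert = allow
    }
}
"""

# The same block with the two settings changed as the lint suggests.
FIXED = SAMPLE.replace("start_tls = yes", "start_tls = no").replace(
    "require_cert = allow", "require_cert = demand"
)


def parse_block(text):
    """Flatten a block into {'port': ..., 'tls.start_tls': ...}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].split()[-1])  # 'ldap people_search {' -> 'people_search'
        elif line == "}":
            if stack:
                stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # stack[0] is the instance name; keep only nested section names.
            settings[".".join(stack[1:] + [key])] = value.strip('"')
    return settings


def lint(settings):
    """Return (code, message) pairs for TLS settings that conflict or are weak."""
    findings = []
    port = int(settings.get("port", "389"))  # assumed default
    start_tls = settings.get("tls.start_tls", "no") == "yes"
    tls_mode = settings.get("tls.tls_mode", "no") == "yes"
    require = settings.get("tls.require_cert", "allow")
    has_ca = bool(settings.get("tls.cacertfile") or settings.get("tls.cacertdir"))
    uses_tls = start_tls or tls_mode or port == 636

    if port == 636 and start_tls:
        findings.append(("conflict", "port 636 is LDAPS; StartTLS is for plain "
                         "LDAP connections, so set start_tls = no"))
    if not uses_tls:
        findings.append(("cleartext", "no TLS configured: the bind identity and "
                         "password cross the network unencrypted"))
    if uses_tls and require != "demand":
        findings.append(("weak-verify", f"require_cert = {require}: a server "
                         "certificate that fails verification is still accepted"))
    if uses_tls and require == "demand" and not has_ca:
        findings.append(("no-trust-anchor", "require_cert = demand needs "
                         "cacertfile or cacertdir"))
    return findings


if __name__ == "__main__":
    for code, message in lint(parse_block(SAMPLE)):
        print(f"{code}: {message}")
```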

Re: authenticating to ldaps/tls

2009-02-12 Thread Peter Param
 use start_tls=no fails also,
Maybe but keep it to no

did that, still fails with the same message


  it seems to have a problem with the cert and/or cert directory:

 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
 rlm_ldap: setting TLS mode to 1
 rlm_ldap: could not set LDAP_OPT_X_TLS option Success
   
?? this is confusing... could that mean that your ldap library wasn't 
compiled with ssl support... I'm not sure
see 
http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09575.html 
(but this is a rather old post)

The version openssl I'm using is:  OpenSSL 0.9.8i 15 Sep 2008


The CA certificate is valid for the ldap server because the client connects
when I test with...

 openssl s_client -CAfile SVMHS_CA_SSL_Server.pem -connect ldap1.stvincents.com.au:636



Freeradius was compiled as follows:

./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
--localstatedir=/var --libdir=/usr/lib --includedir=/usr/include \
--with-radacctdir=/var/log/freeradius/radacct --with-raddbdir=/etc/freeradius \
--with-openssl-includes=/etc/include/openssl --with-openssl-libraries=/usr/lib



cheers

Peter



authenticating to ldaps/tls

2009-02-11 Thread Peter Param
Hi all,

I'm trying to authenticate to a LDAPS backend but failing.  Any suggestions?

My freeradius version:
—

radiusd: FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Nov 21
2008 at 07:54:33


My ldap module settings:
—---

ldap people_search {
server = ldap1.stvincents.com.au
port = 636
identity = cn=admin,o=org,c=au
password = ***
filter = (cn=%u)
basedn = ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
tls {
tls_mode = yes
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
start_tls = yes
cacertfile = /etc/openssl/certs/SVMHS_CA_SSL_Server.cer   # note: chained CA cert
cacertdir = /etc/openssl/certs/
#certfile  = /etc/openssl/certs/spud-jr.cer
# keyfile   = /path/to/radius.key
# randfile  = /path/to/rnd

#  Certificate Verification requirements.  Can be:
#never (don't even bother trying)
#allow (try, but don't fail if the certificate
#   can't be verified)
#demand (fail if the certificate doesn't verify.)
#
#   The default is allow
require_cert  = allow
}


-X output messages:
—-


[people_search] performing user authorization for pparam
[people_search] expand: (cn=%u) - (cn=pparam)
[people_search] expand: ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au -
ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert File to /etc/openssl/certs/SVMHS_CA_SSL_Server.cer
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to
/etc/openssl/certs/SVMHS_CA_SSL_Server.cer
rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Success
rlm_ldap: (re)connection attempt failed
[people_search] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[people_search] returns fail
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested
action.
Delaying reject of request 0 for 1 seconds
Going to the next request





EAP authentication with Cisco AP

2007-10-22 Thread Peter Param
Hi All,

I have been trying, unsuccessfully, to get a windows supplicant (as
shipped with Vista) to authenticate via freeradius/ldap.  The
freeradius/ldap combo works well with the existing VPN authen/auth that
we have here on campus but not with EAP.  I'm not sure what or where to
go from here ...any pointers?

freeradius logging:

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.56.7.81:1645, id=246,
length=130
User-Name = timmy
Framed-MTU = 1400
Called-Station-Id = 0013.6067.bcb0
Calling-Station-Id = 001b.7728.a8c0
Service-Type = Login-User
Message-Authenticator = 0x7d2246236182294e8085da177383f3b4
EAP-Message = 0x0202000801746e67
NAS-Port-Type = Wireless-802.11
NAS-Port = 6722
NAS-IP-Address = 10.56.7.81
NAS-Identifier = svhwapmed0301
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = timmy, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
  modcall[authorize]: module files returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for timmy
radius_xlat:  '(cn=timmy)'
radius_xlat:  'ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap-dev.stvincents.com.au:389, authentication
0
rlm_ldap: bind as cn=superuser,o=schs,c=au/ldapadmin to
ldap-dev.stvincents.com.au:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in
ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au, with filter (cn=timmy)
rlm_ldap: checking if remote access for timmy is allowed by cn
rlm_ldap: Password header not found in password timmysPASSWORD for user
timmy
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value timmysPASSWORD 
op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user timmy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module people_search returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module eap returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 246 to 10.56.7.81 port 1645
EAP-Message = 0x010300160410da433545ecf08558fb23fb9d7a1e9251
Message-Authenticator = 0x
State = 0x84dc68e3b83cac07d2bdde56656fa45b
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.56.7.81:1645, id=247,
length=146
User-Name = timmy
Framed-MTU = 1400
Called-Station-Id = 0013.6067.bcb0
Calling-Station-Id = 001b.7728.a8c0
Service-Type = Login-User
Message-Authenticator = 0x80896aec4445abeab1b82e57df662896
EAP-Message = 0x020300060319
NAS-Port-Type = Wireless-802.11
NAS-Port = 6722
State = 0x84dc68e3b83cac07d2bdde56656fa45b
NAS-IP-Address = 10.56.7.81
NAS-Identifier = svhwapmed0301
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = timmy, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
  modcall[authorize]: module files returns notfound for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for timmy
radius_xlat:  '(cn=timmy)'
radius_xlat:  'ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0

Re: unable to compile with openssl libraries

2006-12-04 Thread Peter Param
Hi again,

Eventually,  I was able to create the package and install it on my
debian server.  Now when I run it, I get the following output:

rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Failed to link EAP-Type/tls:
/usr/lib/freeradius/rlm_eap_tls.so: undefined symbol: cbtls_password
radiusd.conf[1]: eap: Module instantiation failed.
radiusd.conf[365] Unknown module eap.
radiusd.conf[350] Failed to parse authenticate section.

The tls Section:

tls {
    private_key_password = whatever
    private_key_file = ${raddbdir}/certs/cert-srv.pem
    certificate_file = ${raddbdir}/certs/cert-srv.pem
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random
    #fragment_size = 1024
    #include_length = yes
    #check_crl = yes
    #check_cert_cn = %{User-Name}
}


cheers

Peter

 [EMAIL PROTECTED] 12/04/06 4:08 PM 
Peter Param wrote:

 dpkg-checkbuilddeps: Unmet build dependencies: debhelper (= 4.2.32)
 dpatch (= 2) autotools-dev libtool (= 1.5) libltdl3-dev libpam0g-dev
 libmysqlclient15-dev | libmysqlclient14-dev | libmysqlclient-dev
 libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev snmp
 libsnmp9-dev | libsnmp5-dev | libsnmp4.2-dev libpq-dev | postgresql-dev
 libssl-dev

  Have you tried installing those packages?  It gives you a list of
required and optional packages.  I would suggest debhelper, dpatch,
autotools-dev, libtool, libltdl3-dev, and libssl-dev.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been virus
scanned and although no viruses were detected by the system, St Vincents 
Mater Health Sydney accepts no liability for any consequential damage
resulting from email containing any computer viruses.

**


unable to compile with openssl libraries

2006-12-03 Thread Peter Param
Hi all,

I'm using Linux debian 2.6.8-2-386 and I am unable to compile with
openssl libraries even tho openssl has been installed (separately).  

configure: WARNING: silently not building rlm_eap_peap.
configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.

I downloaded the source for freeradius (1.1.3) and used  ./configure
--with-openssl-includes=/usr/local/ssl/include/openssl/
--with-openssl-libraries=/lib/

I'm able to compile but get the following runtime error:

rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared
object file: No such file or directory

cheers

Peter






Re: unable to compile with openssl libraries

2006-12-03 Thread Peter Param
Debian licensing prohibits the installation of openssl as part of its
packaging and hence why i downloaded the individual tarballs to work
around this issue.



 [EMAIL PROTECTED] 12/04/06 11:12 AM 
On Mon, Dec 04, 2006 at 10:50:42AM +1100, Peter Param said:
 Hi all,
 
 I'm using Linux debian 2.6.8-2-386 and I am unable to compile with
 openssl libraries even tho openssl has been installed (separately).  
 
 configure: WARNING: silently not building rlm_eap_peap.
 configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
 
 I downloaded the source for freeradius (1.1.3) and used  ./configure
 --with-openssl-includes=/usr/local/ssl/include/openssl/
 --with-openssl-libraries=/lib/

This looks wrong, at first glance.  Did you actually install the headers
under /usr/local/ssl/include/openssl/ and install the libraries under
/lib ?  And why not use the readily accessible Debian openssl packages,
that have security support?

 I'm able to compile but get the following runtime error:
 
 rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared
 object file: No such file or directory

Well, it probably wasn't built, so that's not a huge surprise.
-- 
|  Stephen Gran                  | Today is the tomorrow you worried about |
|  [EMAIL PROTECTED]             | yesterday.                              |
|  http://www.lobefin.net/~steve |                                         |




Re: unable to compile with openssl libraries

2006-12-03 Thread Peter Param
Thanks for clarifying the GPL vs Openssl license issue.

I did an apt-get install openssl but still no joy.  


 Stephen Gran [EMAIL PROTECTED] 12/04/06 11:30 AM 
On Mon, Dec 04, 2006 at 11:19:24AM +1100, Peter Param said:
 Debian licensing prohibits the installation of openssl as part of its
 packaging and hence why i downloaded the individual tarballs to work
 around this issue.

No, you've misunderstood the problem (not surprising, many people have).
The GPL prohibits distributing GPL binaries linked against GPL
incompatible libraries.  'Debian licensing' (were it to exist) has
nothing to do with it.  Debian is unable to redistribute the binary
applications you want - you are free, however, to make them for personal
use.  You are free to make them from the distributed Debian binaries,
even.
-- 
|  Stephen Gran                  | Anything cut to length will be too |
|  [EMAIL PROTECTED]             | short.                             |
|  http://www.lobefin.net/~steve |                                    |




Re: unable to compile with openssl libraries

2006-12-03 Thread Peter Param
is this from the original 1.1.3 freeradius tarball or do you mean I
should apt-get freeradius as well?  


./configure [no parameters] output as follows:

checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for AIX... no
checking whether gcc needs -traditional... no
checking whether we are using SUNPro C... no
checking for ranlib... ranlib
checking whether byte ordering is bigendian... no
checking for gmake... no
checking for make... /usr/bin/make
checking for lt_dlinit in -lltdl... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for a sed that does not truncate output... /bin/sed
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for /usr/bin/ld option to reload object files... -r
checking for BSD-compatible nm... /usr/bin/nm -B
checking whether ln -s works... yes
checking how to recognise dependent libraries... pass_all
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking dlfcn.h usability... yes
checking dlfcn.h presence... yes
checking for dlfcn.h... yes
checking for g++... no
checking for c++... no
checking for gpp... no
checking for aCC... no
checking for CC... no
checking for cxx... no
checking for cc++... no
checking for cl... no
checking for FCC... no
checking for KCC... no
checking for RCC... no
checking for xlC_r... no
checking for xlC... no
checking whether we are using the GNU C++ compiler... no
checking whether g++ accepts -g... no
checking for g77... no
checking for f77... no
checking for xlf... no
checking for frt... no
checking for pgf77... no
checking for fort77... no
checking for fl32... no
checking for af77... no
checking for f90... no
checking for xlf90... no
checking for pgf90... no
checking for epcf90... no
checking for f95... no
checking for fort... no
checking for xlf95... no
checking for ifc... no
checking for efc... no
checking for pgf95... no
checking for lf95... no
checking for gfortran... no
checking whether we are using the GNU Fortran 77 compiler... no
checking whether  accepts -g... no
checking the maximum length of command line arguments... 32768
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for objdir... .libs
checking for ar... ar
checking for ranlib... (cached) ranlib
checking for strip... strip
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC
checking if gcc PIC flag -fPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking whether the gcc linker (/usr/bin/ld) supports shared
libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking for shl_load... no
checking for shl_load in -ldld... no
checking for dlopen... no
checking for dlopen in -ldl... yes
checking whether a program can dlopen itself... yes
checking whether a statically linked program can dlopen itself... no
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
configure: creating libtool
appending configuration tag CXX to libtool
appending configuration tag F77 to libtool
checking docdir... ${datadir}/doc/freeradius
checking logdir... ${localstatedir}/log/radius
checking radacctdir... ${logdir}/radacct
checking raddbdir... ${sysconfdir}/raddb
checking for perl... /usr/bin/perl
checking for snmpget... no
configure: WARNING: s


Re: unable to compile with openssl libraries

2006-12-03 Thread Peter Param
oops my mail client truncated the text!  Attached is the output of
configure.

cheers

Pete

 Stephen Gran [EMAIL PROTECTED] 12/04/06 12:04 PM 
On Mon, Dec 04, 2006 at 11:44:56AM +1100, Peter Param said:
 Thanks for clarifying the GPL vs Openssl license issue.
 
 I did an apt-get install openssl but still no joy.  

Take a look at debian/rules in the source directory of freeradius.
There are a couple of variables (buildssl and modulelist) that have one
value by default, but are easily switched to another value if you switch
the comments.  That should do it for you, and if not, please file a bug
report or provide output so that I can debug it.

Take care,
-- 
|  Stephen Gran                  | I'm having an EMOTIONAL OUTBURST!!   |
|  [EMAIL PROTECTED]             | But, uh, WHY is there a WAFFLE in my |
|  http://www.lobefin.net/~steve | PAJAMA POCKET??                      |



Re: unable to compile with openssl libraries

2006-12-03 Thread Peter Param
what configure flags should I pass to allow for rlm_eap  ...i thought
the defaults should work?

 Stephen Gran [EMAIL PROTECTED] 12/04/06 1:17 PM 
On Mon, Dec 04, 2006 at 12:13:59PM +1100, Peter Param said:
 is this from the original 1.1.3 freeradius tarball or do you mean I
 should apt-get freeradius as well?  

That's what I was working from.  They are slightly skewed.

On Mon, Dec 04, 2006 at 12:16:59PM +1100, Peter Param said:
 oops my mail client truncated the text!  Attached is the output of
 configure.

 configure: WARNING: skipping test for openssl/ssl.h

It sounds like you didn't pass the right configure flags.
-- 
|  Stephen Gran                  | Rascal, am I?  Take THAT!   -- Errol |
|  [EMAIL PROTECTED]             | Flynn                                |
|  http://www.lobefin.net/~steve |                                      |




Re: unable to compile with openssl libraries

2006-12-03 Thread Peter Param
I've tried that but I get the following errors:

debian:~/freeradius-1.1.3# dpkg-buildpackage -b -uc
dpkg-buildpackage: source package is freeradius
dpkg-buildpackage: source version is 1.1.3-0
dpkg-buildpackage: source changed by Nicolas Baradakis
[EMAIL PROTECTED]
dpkg-buildpackage: host architecture i386
dpkg-buildpackage: source version without epoch 1.1.3-0
dpkg-checkbuilddeps: Unmet build dependencies: debhelper (= 4.2.32)
dpatch (= 2) autotools-dev libtool (= 1.5) libltdl3-dev libpam0g-dev
libmysqlclient15-dev | libmysqlclient14-dev | libmysqlclient-dev
libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev snmp
libsnmp9-dev | libsnmp5-dev | libsnmp4.2-dev libpq-dev | postgresql-dev
libssl-dev
dpkg-buildpackage: Build dependencies/conflicts unsatisfied; aborting.
dpkg-buildpackage: (Use -d flag to override.)


cheers

Peter
 [EMAIL PROTECTED] 12/04/06 1:27 PM 
Peter Param wrote:
 Debian licensing prohibits the installation of openssl as part of its
 packaging and hence why i downloaded the individual tarballs to work
 around this issue.

  See the Wiki.  There are instructions for building the server on
Debian.  You do NOT have to play with configure, command-line options,
or anything else like that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: unable to compile with openssl libraries

2006-12-03 Thread Peter Param
The following hasn't worked for me either:

./configure --with-openssl-includes=/usr/local/ssl/include/
--with-openssl-libraries=/usr/local/ssl/lib/

cheers

Peter

 Stephen Gran [EMAIL PROTECTED] 12/04/06 1:42 PM 
On Mon, Dec 04, 2006 at 01:22:56PM +1100, Peter Param said:
 what configure flags should I pass to allow for rlm_eap  ...i thought
 the defaults should work?

You need to pass at least --with-openssl-libraries, I see now.  That is
probably a bug in the Debian packaging as well.  I'll take a look at
that shortly.
-- 
|  Stephen Gran                  | aav coffee on an empty stomach is       |
|  [EMAIL PROTECTED]             | pretty nasy knghtbrd aav: time to run   |
|  http://www.lobefin.net/~steve | to the vending machine for cheetos      |
|                                | aav cheetos? :)                         |




Re: unable to compile with openssl libraries

2006-12-03 Thread Peter Param
no good.  when I configure with:

 ./configure --with-openssl-includes=/usr/local/ssl 
--with-openssl-libraries=/usr/local/ssl


cheers

Peter

 Stephen Gran [EMAIL PROTECTED] 12/04/06 1:42 PM 
On Mon, Dec 04, 2006 at 01:22:56PM +1100, Peter Param said:
 what configure flags should I pass to allow for rlm_eap  ...i thought
 the defaults should work?

You need to pass at least --with-openssl-libraries, I see now.  That is
probably a bug in the Debian packaging as well.  I'll take a look at
that shortly.
-- 
|  Stephen Gran                  | aav coffee on an empty stomach is       |
|  [EMAIL PROTECTED]             | pretty nasy knghtbrd aav: time to run   |
|  http://www.lobefin.net/~steve | to the vending machine for cheetos      |
|                                | aav cheetos? :)                         |


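A pre-flight check for the two directories passed to --with-openssl-includes and --with-openssl-libraries, added here as an example; it is not code from this thread or from FreeRADIUS. It assumes configure looks for openssl/ssl.h relative to the include directory (as the "skipping test for openssl/ssl.h" warning quoted in the thread suggests) and links libssl and libcrypto from the library directory; the names check_openssl_dirs and has_lib are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeRADIUS code).
#
# check_openssl_dirs INCDIR LIBDIR
#   INCDIR: value intended for --with-openssl-includes
#   LIBDIR: value intended for --with-openssl-libraries
# Prints one line per problem and returns 0 when both directories look
# usable, 1 otherwise.
# Assumption: configure compiles a test that includes <openssl/ssl.h> with
# -IINCDIR and links -lssl -lcrypto with -LLIBDIR.

# has_lib DIR NAME: true if DIR holds libNAME as a shared or static library.
has_lib() {
    for f in "$1/lib$2.so" "$1/lib$2.so."* "$1/lib$2.a"; do
        if [ -e "$f" ]; then
            return 0
        fi
    done
    return 1
}

check_openssl_dirs() {
    incdir=${1%/}
    libdir=${2%/}
    rc=0

    if [ -f "$incdir/openssl/ssl.h" ]; then
        :   # correct: INCDIR is the parent of openssl/
    elif [ -f "$incdir/ssl.h" ] && [ "$(basename "$incdir")" = openssl ]; then
        # The openssl/ directory itself was passed, so <openssl/ssl.h>
        # cannot be resolved relative to it.
        echo "includes: $incdir is the openssl/ directory itself; pass $(dirname "$incdir") instead"
        rc=1
    elif [ -f "$incdir/include/openssl/ssl.h" ]; then
        # The install prefix was passed instead of its include/ directory.
        echo "includes: $incdir is a prefix; pass $incdir/include instead"
        rc=1
    else
        echo "includes: no openssl/ssl.h under $incdir"
        rc=1
    fi

    if has_lib "$libdir" ssl && has_lib "$libdir" crypto; then
        :   # both libraries are where the linker will look
    elif has_lib "$libdir/lib" ssl && has_lib "$libdir/lib" crypto; then
        # The install prefix was passed instead of its lib/ directory.
        echo "libraries: $libdir is a prefix; pass $libdir/lib instead"
        rc=1
    else
        echo "libraries: libssl and libcrypto not both present in $libdir"
        rc=1
    fi

    return "$rc"
}

# Stand-alone use: sh check_openssl_dirs.sh INCDIR LIBDIR
if [ "$#" -eq 2 ]; then
    check_openssl_dirs "$1" "$2"
fi
```

A clean result only means the files are where configure will look; it does not show that the headers and the libraries belong to the same OpenSSL version.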


Problems installing

2006-11-30 Thread Peter Param
hi all,

I'm trying to install FR onto a new box but am getting errors during
make.  I'm using Linux debian 2.6.8-2-386.

./configure --with-openssl-libraries=/usr/local/ssl/include/openssl/
--with-rlm-perl-lib-dir=/usr/lib/perl/ --with-snmp=no

errors during make:

*** Warning: Linking the shared library rlm_perl.la against the
*** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not
portable!
gcc -shared  .libs/rlm_perl.o  -Wl,--rpath
-Wl,/root/freeradius-1.1.3/src/lib/.libs -Wl,--rpath -Wl,/usr/local/lib
/root/freeradius-1.1.3/src/lib/.libs/libradius.so -L/usr/local/lib
/usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE
-lperl -ldl -lm -lc -lcrypt -lnsl -lresolv -lpthread  -Wl,-E -Wl,-soname
-Wl,rlm_perl-1.1.3.so -o .libs/rlm_perl-1.1.3.so
/usr/bin/ld: cannot find -lperl
collect2: ld returned 1 exit status
make[6]: *** [rlm_perl.la] Error 1
make[6]: Leaving directory `/root/freeradius-1.1.3/src/modules/rlm_perl'
make[5]: *** [common] Error 2
make[5]: Leaving directory `/root/freeradius-1.1.3/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/root/freeradius-1.1.3/src/modules'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/root/freeradius-1.1.3/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/freeradius-1.1.3/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/root/freeradius-1.1.3'
make: *** [all] Error 2




Re: Problems installing

2006-11-30 Thread Peter Param
ah yes.  Thanks it worked.

 [EMAIL PROTECTED] 12/01/06 11:21 AM 
On Fri, Dec 01, 2006 at 10:06:07AM +1100, Peter Param said:
 hi all,
 
 I'm trying to install FR onto a new box but am getting errors during
 make.  I'm using Linux debian 2.6.8-2-386.
 
 ./configure --with-openssl-libraries=/usr/local/ssl/include/openssl/
 --with-rlm-perl-lib-dir=/usr/lib/perl/ --with-snmp=no
 
 errors during make:
 
 *** Warning: Linking the shared library rlm_perl.la against the
 *** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not
 portable!
 gcc -shared  .libs/rlm_perl.o  -Wl,--rpath
 -Wl,/root/freeradius-1.1.3/src/lib/.libs -Wl,--rpath -Wl,/usr/local/lib
 /root/freeradius-1.1.3/src/lib/.libs/libradius.so -L/usr/local/lib
 /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE
 -lperl -ldl -lm -lc -lcrypt -lnsl -lresolv -lpthread  -Wl,-E -Wl,-soname
 -Wl,rlm_perl-1.1.3.so -o .libs/rlm_perl-1.1.3.so
 /usr/bin/ld: cannot find -lperl

apt-get install libperl-dev
-- 
|  Stephen Gran                  | Though I'll admit readability suffers |
|  [EMAIL PROTECTED]             | slightly...  -- Larry Wall            |
|  http://www.lobefin.net/~steve | in [EMAIL PROTECTED]                  |




Redundant LDAP servers

2006-11-29 Thread Peter Param
hi all,

is it possible to have multiple ldap servers for lookup for redundancy
purposes in a similar way below?


ldap {
    server   = ldap1.myorg.com, ldap2.myorg.com, ldap3.myorg.com
    login    = cn=admin,o=myorg,c=au
    password = mypass
}



cheers

Peter



Multiple search contexts in LDAP

2006-11-12 Thread Peter Param
hey all,

I would like to have multiple search contexts to get around ambiguous
search results due to duplicate object names found in branches under the
same basedn = ou=darlinghurst,ou=nsw,o=myorg,c=au

For instance,  I would like to search
ou=people,ou=darlinghurst,ou=nsw,o=myorg,c=au  
ou=roles,ou=darlinghurst,ou=nsw,o=myorg,c=au only and not all other
branches under the ou=darlinghurst branch.  Is this possible?

currently I've got set in radiusd.conf for LDAP searches:

ldap {
    server = myldap
    identity = cn=superuser,o=myorg,c=au
    password = mypassword
    filter = (cn=%u)
    basedn = ou=darlinghurst,ou=nsw,o=myorg,c=au
    #basedn = ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
    -
    -
}


cheers

Peter




Re: Multiple search contexts in LDAP

2006-11-12 Thread Peter Param
multiple 'ldap { }'  in radiusd.conf?

cheers

Peter

 [EMAIL PROTECTED] 11/13/06 11:49 AM 
Peter Param wrote:
 hey all,
 
 I would like to have multiple search contexts to get around ambiguous
 search results due to duplicate object names found in branches under the
 same basedn = ou=darlinghurst,ou=nsw,o=myorg,c=au
 
  Peter


Hi Peter,

You could try using multiple instances of the ldap module, one to search
one ou and the other to search the other ou, then invoke them one after
the other wherever you currently invoke the single ldap instance.

Cheers,

-- 
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


multiline line values for Cisco-AVPair (in ldap.attrmap)

2006-11-07 Thread Peter Param
hey,

I've got  Cisco-AVPair for an ldap.attrmap entry and it works ...but
unfortunately only for the first occurrence of that attribute from the
LDAP schema (it will pick the first in the schema).  How do I map and
return four Cisco-AVPair entries?  Is there a particular multiline
separator that I should use  ...or do I use the attribute re-entrantly? 
The device in question is a Cisco VPN3000 concentrator and I'm running
ver 1.1.1 freeradius.

cheers

Peter
