RE: Kerberos krb5
You need a key for host/[hostname] in the krb5 keytab by default. You can use the 'service_principal' configuration parameter to change the principal required; for example you could specify 'radius' and then the krb5 authenticator would look for radius/[hostname] in the krb5 keytab. Aside from that, there is no other configuration done in the RADIUS server.

To specifically address a previous question, the krb5 authenticator just requests tickets using the supplied password, and generates the appropriate accept/reject from the success of obtaining valid tickets. The tickets are then discarded.

-Kevin

--On Tuesday, November 11, 2003 6:10 PM +0200 Juha Sievi-Korte <[EMAIL PROTECTED]> wrote:

> What I thought is that you just need a working kerberos environment in your box to use that module. So configure your machine first (/etc/krb5.conf). I never got it working but it was with freeradius 0.5 or 0.6, so it might be better now.

-----------
Kevin C. Miller <[EMAIL PROTECTED]>
Network Development
Carnegie Mellon University

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Changing Kerberos Service Principal
Presumably you would want to look in src/modules/rlm_krb5, open rlm_krb5.c and search-and-replace "host" with whatever service principal you want to use. This should probably be a runtime option, but isn't. Note that if you have MIT krb5 libraries the default is "host"; if you have Heimdal it's "radius".

-Kevin

--On Wednesday, June 25, 2003 3:44 PM -0400 Chris Akens <[EMAIL PROTECTED]> wrote:

> I am looking for a way to change the kerberos service principal that Freeradius uses. By default this appears to be "host". I came across a patch written earlier but it does not seem to patch correctly for me. If anyone has any experience changing the service principal to an arbitrary value and could share this information, it would be especially helpful.

-------
Kevin C. Miller <[EMAIL PROTECTED]>
Network Development
Carnegie Mellon University
Re: Two steps authentication
Judhi Prasetyo [3/27/2002 4:23 PM -0800]:

> Is it possible to check users based on two sets of password files?

RADIUS is an AAA server: authentication, authorization, and accounting. So what you really want is for the authentication to check your password file, but the authorization section only allows those 10 users. Look in the radiusd.conf for the authentication {} and authorization {} blocks.

-Kevin

---
Kevin C. Miller <[EMAIL PROTECTED]>
Network Group
Carnegie Mellon University
Re: Please help
What does radiusd -X say when starting? That should give you a good pointer to what's happening. Assuming it can find rlm_sql and rlm_sql_mysql, verify that rlm_sql_mysql can find libmysqlclient: run 'ldd rlm_sql_mysql.so' (assuming you are in the directory containing rlm_sql_mysql.so). If it comes back and can't find libmysqlclient, that's your problem.

-Kevin

--On Saturday, February 09, 2002 1:57 PM -0600 Tim Monaghan <[EMAIL PROTECTED]> wrote:

> I did an upgrade today and it would not run after I upgraded it, it was missing some .so lib files, so I tried to revert to my backup, and now nothing authenticates.
>
> I was wondering if anyone can give me some QUICK decisive steps on how to get authenticating via mysql. Do I need extra modules running or anything, etc.?
>
> Or point me to some existing docs on how to do so. I have had a horrible morning, this was a production radius server, and with customer calls and all, I can hardly put together a full thought, so if anyone could help I'd appreciate it.
>
> Thanks
> Tim

---
Kevin C. Miller <[EMAIL PROTECTED]>
Network Group
Carnegie Mellon University
rlm_sql cisco accounting hack...
Hello-

We are using freeradius-0.4, and noticed a couple of log entries for 'zero session length'. I tracked it down to the block (below) in rlm_sql.c. Now, we only got a couple of log entries, but in both cases we had "open" sessions in the database that were not closed due to a 0-length session time (so we are treating them as "valid").

My question is basically: the comment here notes that you only want to return RLM_MODULE_FAIL if the session length is 0 AND no previous session was found. Does this actually check for previous sessions? A cursory glance did not reveal where it was checking this.

-Kevin

    #ifdef CISCO_ACCOUNTING_HACK
            /*
             *      If stop but zero session length AND no previous
             *      session found, drop it as an invalid packet
             *      This is to fix CISCO's aaa from filling our
             *      table with bogus crap
             */
            if ((pair = pairfind(request->packet->vps, PW_ACCT_SESSION_TIME)) != NULL)
                    acctsessiontime = pair->lvalue;

            if ((acctsessiontime <= 0) && (acctstatustype == PW_STATUS_STOP)) {
                    radius_xlat(logstr, MAX_QUERY_LEN,
                                "rlm_sql: Stop packet with zero session length. (user '%{User-Name}', nas '%{NAS-IP-Address}')",
                                request, NULL);
                    radlog(L_ERR, logstr);
                    sql_release_socket(inst, sqlsocket);
                    return RLM_MODULE_FAIL;
            }
    #endif

---
Kevin C. Miller <[EMAIL PROTECTED]>
Network Group
Carnegie Mellon University
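As an added example (not rlm_sql's own code), this is the rule the rlm_sql.c comment describes with the "no previous session found" condition made explicit, so a zero-length Stop that closes a known open session is kept rather than dropped. The session table, the lookup function and the accounting rows are constructed stand-ins for the SQL query rlm_sql would run against its accounting table.

```c
#include <string.h>
#include <stdbool.h>

/* Acct-Status-Type values from RFC 2866 (same numbering as FreeRADIUS's PW_STATUS_*). */
#define PW_STATUS_START 1
#define PW_STATUS_STOP  2

/* Constructed stand-in for the accounting table rlm_sql would query. */
struct session_row {
    const char *session_id;   /* Acct-Session-Id */
    const char *nas_ip;       /* NAS-IP-Address */
    bool open;                /* true while no Stop has been applied */
};

static struct session_row sessions[] = {
    { "00000123", "192.0.2.1", true  },   /* Start seen, no Stop yet */
    { "00000124", "192.0.2.1", false },   /* already closed */
};
static const size_t num_sessions = sizeof sessions / sizeof sessions[0];

/* True if an open session matching the Stop's identifiers exists.  In rlm_sql
 * this would be a SELECT on the accounting table; here it is a linear scan. */
bool previous_session_found(const char *session_id, const char *nas_ip)
{
    for (size_t i = 0; i < num_sessions; i++)
        if (sessions[i].open &&
            strcmp(sessions[i].session_id, session_id) == 0 &&
            strcmp(sessions[i].nas_ip, nas_ip) == 0)
            return true;
    return false;
}

/* The rule the rlm_sql.c comment states: drop a Stop only when its session
 * length is zero AND no previous session is known.  A zero-length Stop that
 * closes an open session must be kept, or the row stays open and looks live. */
bool should_drop_stop(int acct_status_type, long acct_session_time,
                      const char *session_id, const char *nas_ip)
{
    if (acct_status_type != PW_STATUS_STOP)
        return false;                 /* only Stop records are suspect */
    if (acct_session_time > 0)
        return false;                 /* non-zero length: always keep */
    return !previous_session_found(session_id, nas_ip);
}
```

The code as posted above returns RLM_MODULE_FAIL on every zero-length Stop, which is the first two checks here without the third; the lookup is what closes the open rows the post describes.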
Re: rlm_ldap lib/includes
It appears that the problem here is actually because -llber appears before -lldap_r on the link line, thus the symbols in ldap_r that require lber are not defined. I changed freeradius-0.4/aclocal.m4:

    line 928: LIBS="-l$1 $LIBS -l$1"
    line 938: LIBS=" -L$try -l$1 $old_LIBS"

and after running autoconf in src/modules/rlm_ldap, it built nicely.

-Kevin

--On Wednesday, December 19, 2001 2:14 PM -0500 "Kevin C. Miller" <[EMAIL PROTECTED]> wrote:

> Hello-
>
> I'm working on compiling freeradius 0.4 here, and specifically rlm_ldap. I'm using configure with --with-rlm-ldap-lib-dir=/usr/local/lib --with-rlm-ldap-include-dir=/usr/local/include. However it doesn't seem like configure is actually using those options.
>
> In src/modules/rlm_ldap:
> config.status:
> # ./configure --sysconfdir=/home/radius/etc --localstatedir=/home/radius/etc --disable-ltdl-install --without-snmp --with-rlm_ldap=yes --with-logdir=/home/radius/logs --with-rlm-krb5-lib-dir=/usr/local/lib --with-rlm-krb5-include-dir=/usr/local/include --with-rlm-ldap-lib-dir=/usr/local/lib --with-rlm-ldap-include-dir=/usr/local/include --enable-ltdl-install=no --cache-file=../../.././config.cache --srcdir=.
>
> config.log:
> configure:1534: gcc -o conftest -D_REENTRANT -Wall -D_GNU_SOURCE -DNDEBUG conftest.c -lresolv -lnsl -lresolv -lpthread -lpthread -lpthread -lsasl -lcrypto -lssl -llber -lldap_r 1>&5
> /usr/local/lib/libldap_r.a(open.o): In function `ldap_create':
> /usr/obj/local/openldap/012/libraries/libldap_r/open.c:134: undefined reference to `ber_memcalloc'
> /usr/obj/local/openldap/012/libraries/libldap_r/open.c:149: undefined reference to `ber_strdup'
> /usr/obj/local/openldap/012/libraries/libldap_r/open.c:151: undefined reference to `ber_strdup'
>
> ... and thus won't build the LDAP module. Is there something obviously wrong with this config?
>
> Thanks,
> -Kevin
> ---
> Kevin C. Miller <[EMAIL PROTECTED]>
> Network Group
> Carnegie Mellon University

---
Kevin C. Miller <[EMAIL PROTECTED]>
Network Group
Carnegie Mellon University
rlm_ldap lib/includes
Hello-

I'm working on compiling freeradius 0.4 here, and specifically rlm_ldap. I'm using configure with --with-rlm-ldap-lib-dir=/usr/local/lib --with-rlm-ldap-include-dir=/usr/local/include. However it doesn't seem like configure is actually using those options.

In src/modules/rlm_ldap:
config.status:

    # ./configure --sysconfdir=/home/radius/etc --localstatedir=/home/radius/etc --disable-ltdl-install --without-snmp --with-rlm_ldap=yes --with-logdir=/home/radius/logs --with-rlm-krb5-lib-dir=/usr/local/lib --with-rlm-krb5-include-dir=/usr/local/include --with-rlm-ldap-lib-dir=/usr/local/lib --with-rlm-ldap-include-dir=/usr/local/include --enable-ltdl-install=no --cache-file=../../.././config.cache --srcdir=.

config.log:

    configure:1534: gcc -o conftest -D_REENTRANT -Wall -D_GNU_SOURCE -DNDEBUG conftest.c -lresolv -lnsl -lresolv -lpthread -lpthread -lpthread -lsasl -lcrypto -lssl -llber -lldap_r 1>&5
    /usr/local/lib/libldap_r.a(open.o): In function `ldap_create':
    /usr/obj/local/openldap/012/libraries/libldap_r/open.c:134: undefined reference to `ber_memcalloc'
    /usr/obj/local/openldap/012/libraries/libldap_r/open.c:149: undefined reference to `ber_strdup'
    /usr/obj/local/openldap/012/libraries/libldap_r/open.c:151: undefined reference to `ber_strdup'

... and thus won't build the LDAP module. Is there something obviously wrong with this config?

Thanks,
-Kevin

-----------
Kevin C. Miller <[EMAIL PROTECTED]>
Network Group
Carnegie Mellon University