Oracle database failover

2003-01-21 Thread Sally Fetouh
Hi,

We're currently using an Oracle database with freeradius. We had a concern
with database failover and redundancy issues. One issue was if the database
was down freeradius should be directed to another one - bearing in mind that
freeradius and the database are on different machines. This was done
successfully through the sql.conf file and is working fine. The other issue
we had was if the network connection between the freeradius server machine
and the database machine is down, freeradius should still be redirected to
an alternative database. Has anyone found a way of doing this, again through
freeradius configuration files?

thanks in advance,
Sally Fetouh


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Exec-Program-Wait

2002-06-14 Thread Sally Fetouh

Hi Alan,

Well you do have a point! We're only setting the environment variables that
Oracle needs to be able to connect to the database - but still, you do have
a point. If there's a better way of doing this I think it could be less of a
worry for us. So if you have any suggestions we'd be most grateful.

thanks,
Sally Fetouh

>Message: 3
>From: "Alan DeKok" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Exec-Program-Wait
>
>  That's called "security".  Are you *sure* that you want shell
>scripts executed with all of the login environment variables set?  The
>answer is almost always NO.
>
>  More information given to a shell script means more possibilities
>for that information to be abused to attack your system.  e.g. Sending
>User-Name with magic shell characters in it, in the hope that dumb
>scripts will use them as-is.
>
>
>  I would strongly recommend setting only the MINIMUM environment
>variables in the script.  That will make things much safer.





RE: Exec-Program-Wait

2002-06-12 Thread Sally Fetouh

Hi Daryl,

Thanks very much for your help! We found out that the environment was being
reset somehow by freeradius and managed to call a wrapper unix shell script
(like you suggested) that first sets the environment variables (in exactly
the same way as .profile) before calling the program. It all works nicely
now!

Thanks,
Sally Fetouh

> I'd call a wrapper script around your program, with a printenv command
> dumping the output to a file in /tmp.
>
> Is this the same _unix_ user ID, or Oracle user id?
>
> Are you manually (or automatically, through .profile) calling oraenv
> to set your environment (ORACLE_SID, etc)?  Does your program (which
> I haven't seen a lot of detail on) require these variables, like
> sqlplus typically does?  Does it use OCI?
>
> It will inherit the environment of its parent process - if it's started
> as a typical Unix daemon, then that isn't a lot (I don't know whether it
> scrubs the environment it passes on to sub-processes, either).
>
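
Added example (not part of the original messages, and not FreeRADIUS code): a POSIX sh wrapper of the kind described above that follows the advice in the 2002-06-14 reply, giving the program only the minimum environment Oracle needs and rejecting attribute values that contain shell metacharacters. The variable names USER_NAME and CALLING_STATION_ID, the Oracle paths and SID, and the update_csid program are assumptions or placeholders.

```shell
#!/bin/sh
# Added example: wrapper for a program started through Exec-Program-Wait.
# Assumptions: request attributes arrive as environment variables named
# USER_NAME and CALLING_STATION_ID; the Oracle paths, the SID and the
# program path are placeholders, not values from the thread.
ORA_HOME=/opt/oracle/product/PLACEHOLDER
ORA_SID=PLACEHOLDER
UPDATER=/usr/local/sbin/update_csid   # hypothetical Pro*C binary

# Strip one pair of surrounding double quotes, if present.
unquote() {
    v=${1#\"}
    v=${v%\"}
    printf '%s' "$v"
}

# Allowlist check: non-empty, at most 64 characters, no leading '-',
# and only characters that have no special meaning to a shell.
is_safe_value() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._@:+-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Run "$@" with an empty environment plus only what Oracle needs.
run_minimal() {
    env -i PATH=/usr/bin:/bin \
        ORACLE_HOME="$ORA_HOME" ORACLE_SID="$ORA_SID" \
        TNS_ADMIN="$ORA_HOME/network/admin" \
        "$@"
}

main() {
    user=$(unquote "${USER_NAME:-}")
    csid=$(unquote "${CALLING_STATION_ID:-}")
    is_safe_value "$user" || return 1
    is_safe_value "$csid" || return 1
    # Values go in as separate quoted arguments: never through eval,
    # never spliced into a command string.
    run_minimal "$UPDATER" "$user" "$csid"
}

# Run main only when installed under this (assumed) file name.
case "${0##*/}" in
    oracle-exec-wrapper.sh) main; exit $? ;;
esac
```

A non-zero exit from the wrapper covers both a rejected attribute value and a failed database update, so the program's own log is still needed to tell the two apart.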





RE: Exec-Program-Wait

2002-06-11 Thread Sally Fetouh

Hi,

How do we check whether the environment is set correctly or not? The same
userid is being used. Is freeradius using its own internal way of accessing
and defining the environment variables? The freeradius server and sample
radius client and the external program are all on the same server and have
the same unix environment. I'm thinking maybe freeradius tries to execute
the external program within its own redefined environment?

Sally

> -Original Message-
> From: Daryl Tester [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 11, 2002 11:03 AM
> To: 'Sally Fetouh '; '[EMAIL PROTECTED] '
> Subject: RE: Exec-Program-Wait
>
>
> Sally Fetouh wrote:
>
> > So now I'm wondering why it can't seem to resolve it since the
> > program connects perfectly ok when executed on its own.
>
> Are you executing the program with the same user ID that
> Freeradius uses?  Is the environment set correctly when
> Freeradius executes the program?
>
>
> Regards,
>   Daryl Tester





RE: Exec-Program-Wait

2002-06-10 Thread Sally Fetouh

Hi,

Well, the reason we need to use an external program is because we need to
authenticate the user against the calling-station-id attribute. This works
fine when we modify the authorisation queries in sql.conf to check for this
(in the 'where' condition). However, we're trying to account for a situation
where the user has just subscribed to the service and his calling-station-id
is not yet stored in the database. In this case we need to be able to update
the database with the calling-station-id only after checking that the user
exists, which is why using Exec-Program-Wait is great here.

All that the external program does is connect to the database, execute an
update statement then disconnects. We were doing some more testing yesterday
and it turns out the error we're getting back from Oracle is ORA-12154 which
happens when it hits the connect statement. The error seems to refer to
"Could not resolve service name". So now I'm wondering why it can't seem to
resolve it since the program connects perfectly ok when executed on its own.
Am I missing something here?

Sally Fetouh

>
>Message: 11
>Date: Mon, 10 Jun 2002 12:20:24 -0500
>To: [EMAIL PROTECTED]
>From: Chris Parker <[EMAIL PROTECTED]>
>Subject: Re: Exec-Program-Wait
>Reply-To: [EMAIL PROTECTED]
>
>At 07:18 AM 6/9/2002 +0400, Sally Fetouh wrote:
>>Hi,
>>
>>We're trying to use the Exec-Program-Wait attribute to call an external
>>program that is supposed to update an Oracle database table. The external
>>program is written in proC and involves connecting to the database,
>>executing an UPDATE statement then disconnecting. We're using freeradius
>>0.5's snapshot dated 3 June 2002 on a Solaris 8 system.
>
>Any reason why not using FreeRADIUS talking to Oracle natively, rather
>than through an external program?
>
>You can tailor the queries in 'sql.conf' to do whatever you need, I would
>think.
>
>-Chris





RE: Exec-Program-Wait

2002-06-09 Thread Sally Fetouh

Hi,

Yes, the external program works fine on its own. It's only when I try to get
freeradius to execute it that the integration doesn't seem to work. Any
ideas, anyone?

Sally Fetouh
>
>Have you checked your external program individually?
>Hooman
>--- Sally Fetouh <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> We're trying to use the Exec-Program-Wait attribute to call an external
>> program that is supposed to update an Oracle database table. The external
>> program is written in proC and involves connecting to the database,
>> executing an UPDATE statement then disconnecting. We're using freeradius
>> 0.5's snapshot dated 3 June 2002 on a Solaris 8 system. We've looked at the
>> documentation available and even tried the examples given and all seems to
>> work fine - it's only when we try to interact with the database that we
>> always get a return value of 1. Also, our own logs show that the problem
>> seems to be that it fails to connect to the database, either because it's
>> already connected or because there's a communication problem between the
>> external program and Oracle. Does anyone have any idea what could be
>> happening here? Or if someone could give us a hint whether this has anything
>> to do with the way freeradius uses sockets to connect to the database?
>>
>> Any help would be greatly appreciated!
>>
>> Sally Fetouh
>>





Exec-Program-Wait

2002-06-08 Thread Sally Fetouh

Hi,

We're trying to use the Exec-Program-Wait attribute to call an external
program that is supposed to update an Oracle database table. The external
program is written in proC and involves connecting to the database,
executing an UPDATE statement then disconnecting. We're using freeradius
0.5's snapshot dated 3 June 2002 on a Solaris 8 system. We've looked at the
documentation available and even tried the examples given and all seems to
work fine - it's only when we try to interact with the database that we
always get a return value of 1. Also, our own logs show that the problem
seems to be that it fails to connect to the database, either because it's
already connected or because there's a communication problem between the
external program and Oracle. Does anyone have any idea what could be
happening here? Or if someone could give us a hint whether this has anything
to do with the way freeradius uses sockets to connect to the database?

Any help would be greatly appreciated!

Sally Fetouh





Running radiusd problem

2002-03-25 Thread Sally Fetouh

Hi,

I recently downloaded the latest 0.5 version of freeradius on Solaris 8 and
managed to configure and compile it successfully. When I came to run it in
debug mode though, I got the following messages. Am I missing something
anywhere? I'd appreciate it if someone could point out what could be wrong
here.

Thanks,
Sally Fetouh

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd.pid"
 main: user = "root"
 main: group = "root"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded System
 unix: cache = yes
 unix: passwd = "/etc/passwd"
 unix: shadow = "(null)"
 unix: group = "/etc/group"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
HASH:  Reinitializing hash structures and lists for caching...
rlm_unix:  You MUST specify a shadow password file!
HASH:  unable to create user hash table.  disable caching and run debugs
radiusd.conf[426]: unix: Module instantiation failed.

