ads questions and multiple values
Greetings,

A few more questions :) I've now gone through the book (I feel like such a snob reading it on the bus ==) and have a better understanding of how FreeRADIUS works. I have gotten it to search for an attribute in LDAP and return it to the NAS. What I would like to do is to have it be able to query the memberOf attribute in the Active Directory server and then verify if the user is in any of those groups and then permit access based on that membership.

Here's what I'm wondering:

a) When I query the attribute it returns multiple cn=... results. In the debug log I see it setting this as xxx, which is understood by our NAS equipment. It does it four times, but in the reply packet I only see it sending one and not four. Am I correct to assume that it will only send one of the responses to the NAS?

b) I think I can use the users file to determine which group the user is a member of and then have it send an attribute back to the NAS telling it which role to set. Is the attribute returning multiple groups a problem (not multiple attributes, one attribute with several bits of data separated by a delimiter)?

c) Can I strip the leading cn= bit from the response the LDAP server sends (I saw an article somewhere about using an operator in the ldap.attrmap file), and once that's done can it use the groups returned in the users file?

Thanks!
Liz

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sql_log question
On Sat 08 Apr 2006 00:36, Miguel wrote:

> Hi, I have a reporting system. This will perform intensive calculations, aggregate functions etc. using accounting data, so I don't want to run this system on the same server where the accounting is stored. I plan to use the sql_log/sql-relay combo; however I do need the accounting data to be stored online in the database running on the radius server, because I have triggers in the stop table that calculate the h323-credit-amount using a modified version of Peter Nixon's excellent VoIP schema.
>
> The line in radius.conf says:
>
> accounting {
>     #
>     # Instead of sending the query to the SQL server,
>     # write it into a log file.
>     #
>     sql_log
> }
>
> Can't I have both the sql accounting feature and sql_log at the same time?

Hi Miguel

I am glad you like my schema :-) If you have any modifications that you think would be of general use to others, please report them back to me so that I can check them out.

I personally have not used sql_log in combination with sql, however I see no reason why you wouldn't be able to use both at the same time.

Regards

-- 
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
FreeRadius - Cisco 7204 - L2TP Tunnel
Hi all

I'm having major issues with getting FreeRADIUS to authenticate from a Cisco 7204 that is terminating an L2TP tunnel and sending RADIUS auth to a FreeRADIUS server. Using a default install of FreeRADIUS and configuring it to accept auth requests from the Cisco in clients.conf, it just fails on authentication, even though the username and password in the users file are correct, proven using radtest.

From radius -X without changing any config options it gives me "Login is incorrect", sending a plain text password. No matter what I change in the config files it always fails. I've tried adding Auth-Types to the users entry such as Local and this gives me things like "no password is configured for the user". Removing the Default Auth-Type from the top of the users file and setting an Auth-Type in the users entry gives me "no Auth-Type set". Really not sure where the error is.

So I guess my question is: does anyone use FreeRADIUS to authenticate from a Cisco 7200 series with success? If so is it possible to supply:

- The virtual template section that specifies the ppp authentication?
- A copy of the radius.conf file?
- The users file with an example users entry that works.

Then I can see if I've got it all set up correctly. This used to work fine when I was using a Linux server to terminate the L2TP tunnel; I used L2TPNS to do the termination and it sent RADIUS authentication to the FreeRADIUS server.

Thanks
Tony

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: FreeRadius - Cisco 7204 - L2TP Tunnel
TS wrote:

> So I guess my question is does anyone use FreeRadius to authenticate from a Cisco 7200 series with success?

Almost certainly.

> If so is it possible to supply:

I don't know about the 7204 but if you post the output of radiusd -X and the users file, someone can probably spot the problem.

Since you're terminating L2TP and radtest works, I'll take a guess that possibly the L2TP is using CHAP, whereas radtest sends PAP requests.
RE: FreeRadius - Cisco 7204 - L2TP Tunnel
Here's hoping. The radius -X debug is:

### Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /var/run/radiusd/radiusd.pid
main: bind_address = 192.168.0.3 IP address [192.168.0.3]
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.0.3:1645
Listening on accounting 192.168.0.3:1646
Listening on proxy 192.168.0.3:1647
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.250:1645, id=168, length=97
Framed-Protocol = PPP
User-Name = [EMAIL PROTECTED]
User-Password = mysecret
NAS-Port-Type = Virtual
NAS-Port = 726
Service-Type = Framed-User
NAS-IP-Address =
Re: FreeRadius - Cisco 7204 - L2TP Tunnel
Ok, I see the problem:

users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
modcall[authorize]: module files returns ok for request 6

My users file (without all the commented out lines):

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

There's no Fall-Through = Yes on this entry (the default entries in the users file in the current release are a bit historic and not especially helpful to have in there uncommented by default, but compatibility concerns I imagine block their removal). So processing stops here, and never reaches the desired entry:

[EMAIL PROTECTED] Auth-Type = Local, User-Password == mysecret
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 10.0.0.1,
        Framed-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobsen-TCP-IP

So, you can either add a Fall-Through = Yes to the PPP entry, or delete it (since you've got the attributes defined on the user's entry anyway you don't need it, or the Framed-Protocol match further up). Personally I tend to do:

cp users users.example
> users

...and start with a clean slate, reading the examples from the old file.

FYI the users file in CVS has by default none of these semi-historic uncommented examples.
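The walk through the users file that the reply above describes, as an added example that is not code from the thread or from rlm_files: a small model of entry matching and Fall-Through, run over the three quoted entries with constructed names and addresses in place of the redacted ones. It goes one step beyond the reply by also showing what the reply-item `=` operator does once the per-user entry is reached.

```python
"""Added example, not code from the thread: a model of how rlm_files walks
the users file, written to show why the quoted configuration never reaches
the per-user entry.  User name, password and addresses are constructed
placeholders standing in for the redacted ones."""
import re

# Constructed stand-ins for the three entries quoted in the reply.
DEFAULT_SERVICE = """\
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes
"""
DEFAULT_PPP = """\
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
"""
# The same PPP entry with the missing Fall-Through added.
DEFAULT_PPP_FALLTHROUGH = DEFAULT_PPP.rstrip() + ",\n        Fall-Through = Yes\n"
USER_ENTRY = """\
tony@example.net Auth-Type = Local, User-Password == mysecret
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.0.0.1,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobson-TCP-IP
"""
# Constructed Access-Request, shaped like the one in the debug output.
REQUEST = {"User-Name": "tony@example.net", "User-Password": "mysecret",
           "Service-Type": "Framed-User", "Framed-Protocol": "PPP"}

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|\+=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    """'Attr op value, Attr op value' -> list of (attr, op, value)."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Entries are separated by blank lines; the first line holds the name and
    the check items, the indented lines that follow hold the reply items."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        first, *rest = block.splitlines()
        name, _, check_text = first.partition(" ")
        entries.append((name, parse_items(check_text),
                        parse_items(" ".join(l.strip() for l in rest))))
    return entries


def set_pair(pairs, attr, op, value):
    """pairmove() semantics: '=' adds only if the attribute is absent,
    ':=' always replaces, '+=' always adds (single-valued in this model)."""
    if op == "=" and attr in pairs:
        return
    pairs[attr] = value


def authorize(users_text, request):
    """Walk the entries in order; stop after the first match unless that
    entry carries Fall-Through = Yes.  Returns (matched, reply, control)."""
    matched, reply, control = [], {}, {}
    for name, checks, replies in parse_users(users_text):
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if any(op == "==" and request.get(attr) != value
               for attr, op, value in checks):
            continue
        matched.append(name)
        for attr, op, value in checks:
            if op != "==":      # '=' / ':=' check items become control items
                set_pair(control, attr, op, value)
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                set_pair(reply, attr, op, value)
        if not fall_through:
            break
    return matched, reply, control


def users_file(*entries):
    """Join entries with the blank line the users file format expects."""
    return "\n".join(entries)


if __name__ == "__main__":
    variants = [("as posted", users_file(DEFAULT_SERVICE, DEFAULT_PPP, USER_ENTRY)),
                ("PPP entry with Fall-Through",
                 users_file(DEFAULT_SERVICE, DEFAULT_PPP_FALLTHROUGH, USER_ENTRY)),
                ("PPP entry deleted", users_file(DEFAULT_SERVICE, USER_ENTRY))]
    for label, text in variants:
        print(label, "->", authorize(text, REQUEST))
```

Note that even once the per-user entry is reached, its `Framed-IP-Address = 10.0.0.1` does not replace the 255.255.255.254 already added by the first DEFAULT, because `=` only adds an attribute that is absent; `:=` would.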
Re: ads questions and multiple values
liz wrote:

> What I would like to do is to have it be able to query the memberOf attribute in the Active Directory server and then verify if the user is in any of those groups and then permit access based on that membership.

The memberOf attribute (groups on the user entry) is supported by the groupmembership_attribute config item, which it seems from reading the code is ONLY consulted AFTER the searches for group objects return no values. Since AD maintains the group objects and the memberOf in concert, you'll never reach there.

The Ldap-Group support allows you to check if a user is in a group at the server, and works like so (you probably know this):

DEFAULT Ldap-Group = shortname

Or:

DEFAULT Ldap-Group = cn=shortname,ou=path,dc=domain,dc=com

If you use the first form, the search that's done is:

base: standard LDAP baseDN
filter: cn=shortname AND (GROUPMEMBERSHIP_FILTER)

If you use the 2nd form, the search that's done is:

base: cn=shortname,ou=path,dc=domain,dc=com
filter: GROUPMEMBERSHIP_FILTER

GROUPMEMBERSHIP_FILTER being the config item of the same name in the radiusd.conf - in the case of AD, an appropriate config is:

groupmembership_filter = (&(objectClass=group)(member=%{Ldap-UserDn}))

As I say, only after those searches have been done and returned no entries is memberOf consulted, which will never happen for an AD LDAP server. But the results of looking up the group entry versus looking up memberOf on the user entry should be identical.

> Here's what I'm wondering
>
> a) When I query the attribute it returns multiple cn=... results. In the debug log I see it setting this as xxx, which is understood by our NAS equipment. It does it four times, but in the reply packet I only see it sending one and not four. Am I correct to assume that it will only send one of the responses to the NAS?

I'm not sure I understand this part - could you expand on it? How are you putting the LDAP groups into the reply (that's not the normal use-case - you would normally do group-based checks at the server rather than the NAS, not that there's anything wrong with the latter)?

> b) I think I can use the users file to determine which group the user is a member of and then have it send an attribute back to the NAS telling it which role to set. Is the attribute returning multiple groups a problem (not multiple attributes, one attribute with several bits of data separated by a delimiter)?

When doing LDAP group checks at the server side, you would normally have something like (examples using the long/DN form for group - you can just put the short name, see above):

DEFAULT Ldap-Group == cn=nasadmin,dc=domain,dc=com
        NAS-Role = Administrator

DEFAULT Ldap-Group == cn=nasoper,dc=domain,dc=com
        NAS-Role = Operator

DEFAULT Auth-Type := Reject
        Reply-Message = "You are not able to admin the NAS"

The fact the user may be in >1 group is not a problem - the LDAP search looks for the user and the group combination.

> c) Can I strip the leading cn= bit from the response the LDAP server sends (I saw an article somewhere about using an operator in the ldap.attrmap file), and once that's done can it use the groups returned in the users file?

I'm not sure I understand this. The rlm_ldap module does not by default put the groups into the reply. Via the ldap.attrmap entry you can put anything you like into the reply, but modifying the value that comes out of the LDAP server is non-trivial.

If you could describe more precisely what you're trying to do I may be able to give a more specific answer.
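The two searches described in the reply above, built in code as an added example (not code from the thread or from rlm_ldap): it composes the base and filter for both Ldap-Group forms from the AD groupmembership_filter and shows why the value substituted for %{Ldap-UserDn} has to be escaped. The base DN, user DN and group names are constructed placeholders, and ldap_escape() is a stand-in written here rather than the module's own ldap_escape_func.

```python
"""Added example, not code from the thread: the LDAP searches rlm_ldap issues
for an 'Ldap-Group' check, composed from the groupmembership_filter quoted
in the reply.  BASEDN, REQUEST and group names are constructed placeholders;
ldap_escape() is a stand-in for the module's escaping, not its code."""
import re

BASEDN = "dc=domain,dc=com"                                      # constructed
GROUPMEMBERSHIP_FILTER = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
REQUEST = {"Ldap-UserDn": "cn=liz,ou=users,dc=domain,dc=com"}    # constructed


def ldap_escape(value):
    """RFC 4515 escaping of filter metacharacters, so that a substituted value
    is only ever compared as data and cannot alter the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def xlat(template, request, escape=ldap_escape):
    """Expand %{Attribute} references from the request through `escape`.
    Passing escape=str reproduces an unescaped expansion, i.e. what a
    radius_xlat(..., NULL) call produces."""
    return re.sub(r"%\{([\w-]+)\}",
                  lambda m: escape(request.get(m.group(1), "")), template)


def group_search(group, request, escape=ldap_escape):
    """Return (base, filter) for 'Ldap-Group == group'.
    A short name is searched under BASEDN as cn=name AND the membership
    filter; a value containing a comma is taken to be a group DN, which
    becomes the search base with only the membership filter applied."""
    membership = xlat(GROUPMEMBERSHIP_FILTER, request, escape)
    if "," in group:
        return group, membership
    return BASEDN, "(&(cn=%s)%s)" % (escape(group), membership)


if __name__ == "__main__":
    for group in ("nasadmin", "cn=nasadmin,dc=domain,dc=com"):
        print(group, "->", group_search(group, REQUEST))
    # A user DN carrying filter metacharacters: escaped it stays data.
    odd = {"Ldap-UserDn": "cn=x*)(cn=*"}
    print("escaped:  ", xlat(GROUPMEMBERSHIP_FILTER, odd))
    print("unescaped:", xlat(GROUPMEMBERSHIP_FILTER, odd, escape=str))
```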
Re: ads questions and multiple values
Phil Mayers wrote:

> If you could describe more precisely what you're trying to do I may be able to give a more specific answer.

Actually I've just had a quick look at your earlier email and it's a bit clearer what you want to do - take NT groups from AD via LDAP, send them to your Aruba after stripping the name from cn=name,ou=path and have it process them - correct?

You could do this:

ldap.attrmap:

# append memberOf to radius reply as Whatever-Attribute
replyItem Whatever-Attribute memberOf +=

radiusd.conf:

modules {
    # bulk of modules, then
    ldap {
        # ldap config
    }

    # chop end off
    attr_rewrite stripGroupDn1 {
        attribute = Whatever-Attribute
        searchin = reply
        searchfor = ,.*
        replacewith =
        ignore_case = yes
        new_attribute = no
        max_matches = 1
        append = no
    }

    # chop start off
    attr_rewrite stripGroupDn2 {
        attribute = Whatever-Attribute
        searchin = reply
        searchfor = ^cn=
        replacewith =
        ignore_case = yes
        new_attribute = no
        max_matches = 1
        append = no
    }

    # rest of modules
}

authorize {
    preprocess
    ldap
    stripGroupDn1
    stripGroupDn2
    files
}

# rest of radiusd.conf

...however, you'll need CVS HEAD for the ldap.attrmap 4th item (operator) and for fixes to the extraction of replyItems from LDAP attributes - or the (scantily tested) backport I've just written to 1.1.0 (attached):

--- src/modules/rlm_ldap/rlm_ldap.c~ 2005-12-29 21:52:53.0 + +++ src/modules/rlm_ldap/rlm_ldap.c 2006-04-08 13:01:49.0 +0100 @@ -919,7 +919,7 @@ return 1; } -if (!radius_xlat(basedn, sizeof(basedn), inst-basedn, req, NULL)) { +if (!radius_xlat(basedn, sizeof(basedn), inst-basedn, req, ldap_escape_func)) { DEBUG(rlm_ldap::ldap_groupcmp: unable to create basedn.); return 1; } @@ -964,7 +964,7 @@ ldap_msgfree(result); } -if(!radius_xlat(gr_filter, sizeof(gr_filter), inst-groupmemb_filt, req, NULL)){ +if(!radius_xlat(gr_filter, sizeof(gr_filter), inst-groupmemb_filt, req, ldap_escape_func)){ DEBUG(rlm_ldap::ldap_groupcmp: unable to create filter.); return 1; } 
@@ -1235,7 +1235,7 @@ } if (!radius_xlat(basedn, sizeof(basedn), inst-basedn, - request, NULL)) { + request, ldap_escape_func)) { radlog (L_ERR, rlm_ldap: unable to create basedn.\n); return RLM_MODULE_INVALID; } @@ -1703,13 +1703,13 @@ while((vp_user_dn = pairfind(request-packet-vps, PW_LDAP_USERDN)) == NULL) { if (!radius_xlat(filter, sizeof(filter), inst-filter, -request, NULL)) { +request, ldap_escape_func)) { radlog (L_ERR, rlm_ldap: unable to create filter.\n); return RLM_MODULE_INVALID; } if (!radius_xlat(basedn, sizeof(basedn), inst-basedn, - request, NULL)) { + request, ldap_escape_func)) { radlog (L_ERR, rlm_ldap: unable to create basedn.\n); return RLM_MODULE_INVALID; } --- src/modules/rlm_ldap/rlm_ldap.c 2006-04-08 15:12:28.0 +0100 +++ src/modules/rlm_ldap/rlm_ldap.c 2006-04-08 15:17:17.0 +0100 @@ -248,6 +248,7 @@ struct TLDAP_RADIUS { char* attr; char* radius_attr; + LRAD_TOKENoperator; struct TLDAP_RADIUS* next; }; typedef struct TLDAP_RADIUS TLDAP_RADIUS; @@ -657,6 +658,8 @@ /* all buffers are of MAX_LINE_LEN so we can use sscanf without being afraid of buffer overflows */ char buf[MAX_LINE_LEN], itemType[MAX_LINE_LEN], radiusAttribute[MAX_LINE_LEN], ldapAttribute[MAX_LINE_LEN]; int linenumber; + LRAD_TOKEN operator; + char opstring[MAX_LINE_LEN]; /* open the mappings file for reading */ 
@@ -688,23 +691,39 @@ if (buf[0] == 0) continue; /* extract tokens from the string */ - token_count = sscanf(buf, %s %s %s, itemType, radiusAttribute, ldapAttribute); + token_count = sscanf(buf, %s %s %s %s, itemType, radiusAttribute, ldapAttribute, opstring); if (token_count = 0) /* no tokens */ continue; - if (token_count != 3) { - radlog(L_ERR, rlm_ldap: Skipping %s line %i: %s, filename, linenumber, buf); - radlog(L_ERR, rlm_ldap: Expected 3 tokens - (Item type, RADIUS Attribute and LDAP Attribute) but found only %i, token_count); + if ((token_count 3) || (token_count 4)) { + radlog(L_ERR, rlm_ldap: Skipping %s line %i: %s, + filename, linenumber, buf); + radlog(L_ERR, rlm_ldap: Expected 3 to 4 tokens + (Item type, RADIUS Attribute and LDAP Attribute) but found only %i, token_count); continue; } + + if (token_count == 3) { + operator = T_INVALID; /* use defaults */ + } else { + char *ptr; + + ptr = opstring; + operator = gettoken(ptr, buf, sizeof(buf)); + if ((operator T_OP_ADD) || (operator T_OP_CMP_EQ)) { +radlog(L_ERR, rlm_ldap: file %s: skipping line %i: unknown or
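Review bot: switching the escape argument of radius_xlat() from NULL to ldap_escape_func at all four call sites in the first diff (ldap_groupcmp's basedn and gr_filter expansions, and the basedn/filter expansions in the @@ -1235 and @@ -1703 hunks) is the right change: with NULL, whatever %{User-Name} or %{Ldap-UserDn} expands to is copied verbatim into the search filter, so a value containing filter metacharacters changes the meaning of the search instead of being compared as data. Two things to confirm before merging: that no other radius_xlat(..., NULL) feeding an LDAP filter or DN remains in rlm_ldap.c (only these four appear in the diff), and that applying a filter-syntax escape to the basedn expansions is intended, since DN syntax escapes a different character set and a DN component containing one of those characters could come out mangled; check that against ldap_escape_func's character table.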
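Review bot: in the attrmap parser of the second diff, gettoken(ptr, buf, sizeof(buf)) reuses buf, the buffer holding the line just read by sscanf, as its output buffer, so by the time the "rlm_ldap: file %s: skipping line %i: unknown or ..." error fires, buf no longer holds the offending line; give the token its own small buffer. The archive rendering has also dropped characters from this diff: `LRAD_TOKENoperator;` needs a space, and the comparisons in `if (token_count = 0)`, `if ((token_count 3) || (token_count 4))` and `(operator T_OP_ADD) || (operator T_OP_CMP_EQ)` have lost their operators, so the range checks must be read from the attached file rather than this copy; gettoken() in 1.x takes a char **, so confirm ptr is passed by address there as well. Finally, the error text "Expected 3 to 4 tokens (Item type, RADIUS Attribute and LDAP Attribute)" should name the optional operator as the fourth token.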
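The two attr_rewrite stanzas from the reply above applied to a sample reply list, as an added example that is not code from the thread or from rlm_attr_rewrite: it shows what the NAS would receive from several memberOf values, including a group whose CN contains an escaped comma, which the `,.*` pattern cuts short. Whatever-Attribute and the DNs are constructed placeholders, and rewriting every instance of the attribute rather than only the first is an assumption of this model.

```python
"""Added example, not code from the thread or from rlm_attr_rewrite: a model
of the stripGroupDn1 / stripGroupDn2 chain over a constructed reply list.
Whatever-Attribute and the DNs are placeholders; rewriting every instance of
the attribute (not just the first) is an assumption made here."""
import re

# Constructed reply: one Whatever-Attribute pair per memberOf value, as the
# 'replyItem Whatever-Attribute memberOf +=' mapping would append them.
REPLY = [
    ("Whatever-Attribute", "cn=netadmins,ou=groups,dc=domain,dc=com"),
    ("Whatever-Attribute", "CN=Helpdesk,OU=Groups,DC=domain,DC=com"),
    ("Whatever-Attribute", "cn=Sales\\, EMEA,ou=groups,dc=domain,dc=com"),
    ("Framed-Protocol", "PPP"),
]


def attr_rewrite(reply, attribute, searchfor, replacewith,
                 ignore_case=True, max_matches=1):
    """One attr_rewrite stanza with searchin = reply, new_attribute = no and
    append = no: the named attribute is rewritten in place, other pairs pass
    through unchanged."""
    pattern = re.compile(searchfor, re.IGNORECASE if ignore_case else 0)
    return [(attr, pattern.sub(replacewith, value, count=max_matches)
             if attr == attribute else value)
            for attr, value in reply]


def strip_group_dn(reply):
    """The authorize order from the reply: stripGroupDn1, then stripGroupDn2."""
    reply = attr_rewrite(reply, "Whatever-Attribute", r",.*", "")   # chop end off
    return attr_rewrite(reply, "Whatever-Attribute", r"^cn=", "")   # chop start off


def first_rdn_value(dn):
    """Safer alternative for the same job: take the value of a leading cn=
    RDN while honouring backslash escapes, so an escaped comma inside the
    group name survives instead of truncating it."""
    m = re.match(r"cn=((?:\\.|[^,\\])*)", dn, re.IGNORECASE)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None


if __name__ == "__main__":
    for attr, value in strip_group_dn(REPLY):
        print(attr, "=", value)
    print("escape-aware:", first_rdn_value(REPLY[2][1]))
```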
RE: FreeRadius - Cisco 7204 - L2TP Tunnel
Hi Phil

Good call. Thanks for that. Works a treat now.

Tony
Re: Version 1.1.1 stops responding
I'm seeing the same thing here with 1.1.1. I have 2 servers with identical hardware/software configs. Both servers hang at the same time. Stopping/starting the daemon doesn't resolve the issue; rebooting the box does. I was assuming it had something to do with the sql module because that is where it paused (see: sql hangs, was (conflicts/duplicates need))

----- Original Message -----
From: King, Michael [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, March 23, 2006 9:24 AM
Subject: Version 1.1.1 stops responding

> So I built 1.1.1 on Debian. After a period of so many hours (variable) it stops responding. (Sometimes 2 hours, sometimes 16 hours.)
>
> Now here's where it gets weird (and makes me suspect it might not be freeRADIUS at the root cause): if I stop and restart the freeRADIUS service, it continues to ignore RADIUS packets. But if I restart the server (hard reboot) it works fine. Till it stops responding again.
>
> Obviously this is not enough information to help you diagnose the problem. How do I gather that information?
>
> The box is a 233 Pentium with 64 megs of RAM. It has about 15 APs, with around 100 users (not simultaneous, maybe 30 simultaneous).
>
> So what's the suggested way of gathering more info? Running debug mode piping to a text file?
Re: RADIUS stops responding after a while
Alex M [EMAIL PROTECTED] wrote:

> I'm using MySQL 4.1.7 and it is located on a remote server (not even on the same subnet as the radius)

I have seen it before where a firewall drops state, and it looks like the SQL server is down. New connections go through fine, but old connections are dead.

One way to test this would be to edit rlm_sql so that it opens a new connection to the SQL server for *every* request. That would be slower than what it does now, but it might work.

I would also suggest putting a test SQL server on the same subnet as the RADIUS server. Have it do nothing more than log data, and if connections to it are OK, the problem is most likely the firewall.

Alan DeKok.
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
Tyler MacDonald [EMAIL PROTECTED] wrote:

> Thanks Alan!!! Can we look forward to this clause in the next version of FreeRadius? Is the next version due to come out anytime soon?

The developers have to discuss this, and we have to get buy-in from people, but I don't expect there's too much of a problem.

As for the next release, it may be a month or so.

Alan DeKok.
RE: RADIUS stops responding after a while
What do you mean by "Have it do nothing more than log data"? And how would I do that?
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
Tyler MacDonald wrote:

> It appears that several other GPL apps have added a special clause to their license that allows them to be linked against OpenSSL. Could this be done for freeradius/freeradius-postgresql as well?

Personally I really dislike the idea: FreeRADIUS code is released under the GPL and there is nothing wrong with that.

I note there are many other ways to get a freeradius-postgresql package in Debian.

- Ask Debian to provide an SSL-free package of the PostgreSQL libraries, so our freeradius-postgresql package can depend on that.
- Add GnuTLS support to PostgreSQL (someone suggested working on that in the pgsql-general mailing list) http://archives.postgresql.org/pgsql-general/2006-04/msg00367.php
- Ask OpenSSL to remove the advertising clause from their license.

I also note the current situation is really a minor problem for our users, because we're maintaining the necessary files to build the Debian packages in our CVS. Anybody can easily build a Debian package of the freeradius-postgresql module from a sources tarball with a single command line. (dpkg-buildpackage)

-- 
Nicolas Baradakis
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
Nicolas Baradakis [EMAIL PROTECTED] wrote:

> - Ask OpenSSL to remove the advertising clause from their license.

This is the most compelling alternative on your list, since this clause is the reason why all these other software packages have had to add special clauses to their own licenses. Has this been attempted before, I wonder...

> I also note the current situation is really a minor problem for our users, because we're maintaining the necessary files to build the Debian packages in our CVS. Anybody can easily build a Debian package of the freeradius-postgresql module from a sources tarball with a single command line. (dpkg-buildpackage)

I agree that it's still trivial to get freeradius-postgresql *onto* a server, but I don't think that makes the problem minor. It requires that the user has development tools installed on their server, which is not the most secure thing to do. Either that, or they have to roll their own package on one system and upload it to their server and maintain that separately from the rest of their installation. This can have security implications too, since the end user will have to manually keep an eye out for security updates instead of just upgrading against security.debian.org.

So you provide a way of debianizing freeradius packages easily, even ones that aren't included with Debian. Given that, another alternative (admittedly with its own set of problems) would be an official freeradius apt repository.

Cheers,
Tyler
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
Nicolas Baradakis [EMAIL PROTECTED] wrote:

> Personally I really dislike the idea: FreeRADIUS code is released under the GPL and there is nothing wrong with that.

You are right, there is nothing wrong with that. But is there anything wrong with the FreeRADIUS code released under the GPL with an additional clause allowing linking against OpenSSL, even as a temporary measure until either OpenSSL fixes its license or PostgreSQL supports GnuTLS? I can't think of anybody or anything that would hurt, and it would have the immediate practical benefit of allowing the freeradius-postgresql package into the official Debian repo.

- Tyler
Re: RADIUS stops responding after a while
Alex M [EMAIL PROTECTED] wrote:

> What do you mean by "Have it do nothing more than log data"? And how would I do that?

You can configure the SQL module in either the authorize section, where it will affect user authentication, or in the accounting section, where it won't affect anything.

Alan DeKok.
RE: RADIUS stops responding after a while
Ok, will do that and post back with results. Thanks!
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
On 4/8/06, Tyler MacDonald [EMAIL PROTECTED] wrote:

> I can't think of anybody or anything that would hurt, and it would have the immediate practical benefit of allowing the freeradius-postgresql package into the official debian repo.

Besides the postgresql support, this also opens the door to PEAP/EAP-TLS enabled Debian FreeRadius packages. All those 802.1x Debian users currently have to build their own packages for this support (although that's really easy with the Debian-ready upstream source, as Nicolas mentioned earlier).
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
Tyler MacDonald wrote:

> This can have security implications too, since the end user will have to manually keep an eye out for security updates instead of just upgrading against security.debian.org.

In theory, you're right. In reality, FreeRADIUS disclosed a security problem on 20 March and there's still no official Debian package available yet :( So finally if you really care about security you'd better build packages from sources anyway.

> So you provide a way of debianizing freeradius packages easily, even ones that aren't included with debian. Given that, another alternative (admittedly with its own set of problems) would be an official freeradius apt repository.

This doesn't solve anything. The problem is that such packages aren't distributable in binary form. If someone provides a repository, he becomes an outlaw. (exaggeratedly)

-- 
Nicolas Baradakis
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
Nicolas Baradakis [EMAIL PROTECTED] wrote:
So you provide a way of debianizing freeradius packages easily, even ones that aren't included with debian. Given that, another alternative (admittedly with its own set of problems) would be an official freeradius apt repository.

This doesn't solve anything. The problem is that such packages aren't distributable in binary form. If someone provides a repository, he becomes an outlaw. (exaggeratedly)

*sigh* You're right. And I wouldn't want to suggest an illegal apt repo either (although I've used ones in the past, like one that provides a nice .deb full of win32 codec dlls for use with mplayer). It's ridiculous that this is so simple to achieve technically, and all products involved are being provided for free, yet there's still all this bureaucratic red tape involved in getting them to play nice together...

- Tyler
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
Tyler MacDonald wrote:
Personally I really dislike the idea: FreeRADIUS code is released under the GPL and there is nothing wrong with that.

You are right, there is nothing wrong with that. But is there anything wrong with the FreeRADIUS code released under the GPL with an additional clause allowing linking against OpenSSL, even as a temporary measure until either OpenSSL fixes its license or PostgreSQL supports GnuTLS?

Well, I'm not in position to decide for a FreeRADIUS license change or not, I'm just manifesting my personal opinion. If the other developers agree, I won't go against them, of course. However I believe it's better for FreeRADIUS to keep a plain GPL license (without any modification) because it simplifies any legal issue:
- license violation with our code in another non-GPL software (it has already happened in the past)
- adding contribution from an external company (they have questions concerning the license of the submitted material)
Even if it's based on the GPL, a FreeRADIUS license is more confusing.

I can't think of anybody or anything that would hurt, and it would have the immediate practical benefit of allowing the freeradius-postgresql package into the official debian repo.

Altering the FreeRADIUS license will make only *one* package enter the Debian repository. I'm not inclined to choose this solution while other solutions could solve the problem for *all* GPL programs depending on the PostgreSQL libraries.

-- Nicolas Baradakis
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
Jorgen Rosink wrote:
Besides the postgresql support, this also opens the door to peap/eap-tls enabled Debian FreeRadius packages. All those 802.1x Debian users currently have to build their own packages for this support (although that's really easy with Debian ready upstream source, as Nicolas mentioned earlier).

Indeed, these modules are a problem in Debian as well, for legal and technical reasons too: until version 1.1.1 I didn't manage to build rlm_eap_peap and rlm_eap_ttls properly. After the technical problems had been solved, we discussed the legal issues on the development mailing list a few weeks ago, and we planned to add support for GnuTLS, which is released under the LGPL. It will take more time to write source code than to edit the license, but I believe it's a better solution in the long term.

-- Nicolas Baradakis
radaccounting, what does octets mean?
In accounting, what does an octet mean? Thanks!
Re: radaccounting, what does octets mean?
Alex M wrote:
In accounting, what does an octet mean?

An octet is 8 bits. A byte is almost always 8 bits, but can be other sizes in some obscure circumstances. Which is why the term octet exists.