RE: Error binding port to ipv6 address

2009-02-10 Thread D'AVELLA STEFANO
Thanks for the suggestion but of course I tried different ways to try to
grep the process :) 
I just mentioned one of the commands I used to make people understand
that I checked the process list :)
 
Still no clue about the problem anyway...
 
 
 Try just 'ps -e|grep radius' that will catch freeradius as well as
radiusd which it is called on some.

--
Leigh


On Mon, Feb 9, 2009 at 12:02 PM, D'AVELLA STEFANO
stefano.dave...@alcatel-lucent.com wrote:


Be sure that no other freeradius is running and also that you
have enough rights to open such a port.


Look in your inet.d or similar to avoid that another service is
run instead of the planned freeradius.
 
Thanks for the quick answer. I have thought the same because
also some old mailing list post seemed to be related to this problem.
I checked this possible problem before posting, but as far as I
can see there is no other instance of freeradius running (ps -e | grep
freeradius returns empty), and nothing is listening on that port
(according to netstat). I also tried to change port several times but
it's not working.
In /etc/services the port 1812 both tcp and udp are correctly
assigned to radius (in fact in the error message it correctly uses the
port 1812).
 
Regards, 
 
-- 
Stefano D'Avella

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




FreeRadius support of EAP-AKA

2009-02-10 Thread aaronlai
Hi,

Does anyone know if the FreeRadius supports EAP-AKA or not? I am using
Version 2.1.3 and it seems that the EAP-AKA is not supported.

Is there any plan to support that in the future releases?

 

Thanks,

Aaron Lai

 


Restrict access to certain groups

2009-02-10 Thread kevin leblanc
Hi
I have a Freeradius which checks if a user has the right to connect to a
network equipment via LDAP.
For security reasons, I want to restrict access to certain users (network
administrator).

At the beginning, I wanted to do it by adding a host attribute to a user, which
would contain all the allowed hosts he can connect to: I didn't find a solution.
But I found another way: in my schema I added an OU which contains all
computers in the network, and to allow a user to connect to one of them, I
make him a member of this host.

So, I want to check if the user is a member of the host he tries to connect to,
to give him the corresponding access.

I don't know if it's possible and how to do this (if it's possible).
May I change the users file? radiusd.conf? clients.conf?

I'm lost, although I have been on it since last week :(
Thanks for all possible solutions

-- 
KeV

Re: DHCP in FreeRADIUS 2

2009-02-10 Thread Alan DeKok
Andrew Rikhlivsky wrote:
 Where I can read information about using DHCP opt. 82 in FreeRADIUS 2 ?

  Can you describe what you want to do with it?

  Alan DeKok.


MSSQL, bugs and a patch

2009-02-10 Thread Sebastian Heil
Hello everybody,

I am trying to work with a mssql-database. The connection to the database works fine,
but there are some things missing and wrong in the schema and the dialup.conf.

I added the following part to the schema.sql to make sure, that there is a 
radpostauth-table in the mssql-database:

-
CREATE TABLE radpostauth (
[id] [int] IDENTITY (1, 1) NOT NULL,
[UserName] [varchar] (64) NOT NULL,
[pass] [varchar] (64) NOT NULL,
[reply] [varchar] (32) NOT NULL,
[authdate] [datetime] NOT NULL,
) on [PRIMARY]
GO


ALTER TABLE [radpostauth] WITH NOCHECK ADD
CONSTRAINT [DF_radpostauth_UserName] DEFAULT ('') FOR [UserName],
CONSTRAINT [DF_radpostauth_pass] DEFAULT ('') FOR [pass],
CONSTRAINT [DF_radpostauth_reply] DEFAULT ('') FOR [reply],
CONSTRAINT [DF_radpostauth_authdate] DEFAULT ('1900-01-01 00:00:00') 
FOR [authdate],
CONSTRAINT [PK_radpostauth] PRIMARY KEY  NONCLUSTERED
(
[id]
)  ON [PRIMARY];
GO
-

Maybe someone can verify whether this is correct, and maybe it is even worth
supplying as a patch to the current version of the server.

In the next days, I will try to correct some other issues about the
mssql-configuration and I will try to convert the missing dialup.conf from
mysql to mssql.


Re: FreeRadius support of EAP-AKA

2009-02-10 Thread Alan DeKok
aaron...@gdnt.com.cn wrote:
 Does anyone know if the FreeRadius supports EAP-AKA or not? I am using
 Version 2.1.3 and it seems that the EAP-AKA is not supported.
 
 Is there any plan to support that in the future releases?

  There was a patch on bugs.freeradius.org, but the machine has suffered
a HD crash.

  If you can find that patch again, it needs some fixes before it's
integrated.  The original author used the EAP-SIM code as a basis for
EAP-AKA, and duplicated many functions.  That needs to be fixed before
the code is integrated.

  Alan DeKok.


Dialup_admin New user page is empty

2009-02-10 Thread Michael Schwartzkopff
Hi,

I am trying to get dialup_admin running. I have ldap directory and FR+LDAP 
works.

I have the webserver running, see the start page and Check Server works.

When I click New User I see a blank page. Nothing in the /var/log/apache2 
files. 

Any help or hints? Thanks.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Sitz der Gesellschaft: 85630 Grasbrunn
Registergericht: Amtsgericht München HRB 114375
Geschäftsführer: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42


Re: Restrict access to certain groups

2009-02-10 Thread kevin leblanc
As a reminder: I want only user1 to be able to access host1.

To illustrate it:

            root
             |
       -------------
       |           |
     hosts       users
       |           |
       |       ---------
       |       |       |
     host1   user1   user2
       |
       |  members:
       |
     user1


I find a possible way.

In radiusd.conf, I put:
groupname_attribute = cn
group_membership_filter =
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

In the users file, I put:
Ldap-Group == X Auth-Type:= LDAP

X will be the IP/hostname of the host which tries to connect.

Is there any variable like %{LDAP-UserDN} which could give me this
information ??

thanks for any help


-- 
KeV

Re: Dialup_admin New user page is empty

2009-02-10 Thread Michael Schwartzkopff
Am Dienstag, 10. Februar 2009 13:02:11 schrieb Michael Schwartzkopff:
 Hi,

 I am trying to get dialup_admin running. I have ldap directory and FR+LDAP
 works.

 I have the webserver running, see the start page and Check Server works.

 When I click New User I see a blank page. Nothing in the /var/log/apache2
 files.

 Any help or hints? Thanks.

Found the problem. Forgot to install php-ldap. Now it seems to work.

-- 
Dr. Michael Schwartzkopff

Re: Error binding port to ipv6 address

2009-02-10 Thread Leigh Martell
No problem :)

Maybe a shot in the dark but is selinux enabled? Check your logs to see if
any policies are blocking it or type 'echo 0 > /selinux/enforce' then try to
start it again.

--
Leigh


Re: MSSQL, bugs and a patch

2009-02-10 Thread Sebastian Heil
Hello,

forget this mail. I worked with an old version of the schema. In the new 
version, the radpostauth-table is already there...



RE: Error binding port to ipv6 address

2009-02-10 Thread D'AVELLA STEFANO
I don't have selinux installed on the machine, the only installed
package about selinux is the shared library libselinux1, so
I don't think that is the problem. I am thinking that it is something
about the ipv6 config in ubuntu but I am not sure. What I am doing right
now is trying to backtrace the exact function that creates the problem.
I just started right now and I see that it is somewhere inside
listen_init() in listen.c. When I get the exact function that is
not working as it should, maybe there will be some more ideas about
what's going on...


RE: Error binding port to ipv6 address

2009-02-10 Thread D'AVELLA STEFANO
Ok I have traced where the problem is (of course it was in the actual
binding of the port).
listen_init() calls listen_parse() that calls common_socket_parse().

Inside this function around line 510 of listen.c there is this line:

/*
 * And bind it to the port.
 */
if (listen_bind(this) < 0) {

The call to listen_bind() actually returns -1 and that's the problem.
Because I am new at ipv6 too I will need some time to examine what
listen_bind() exactly does (and why it returns -1), anyway meanwhile I
printed the variable this passed to it and the variable this->data
that inside the function is assigned to sock. Here are the results:

print *this
$30 = {next = 0x0, type = RAD_LISTEN_AUTH, fd = -1, server = 0x0, status = 0,
  recv = 0x8059ba0 <auth_socket_recv>, send = 0x8057640 <auth_socket_send>,
  encode = 0x8057960 <client_socket_encode>,
  decode = 0x8057880 <client_socket_decode>, print = 0x8057b40 <socket_print>,
  data = 0x8cd40a0, stats = {total_requests = 0, total_invalid_requests = 0,
    total_dup_requests = 0, total_responses = 0, total_access_accepts = 0,
    total_access_rejects = 0, total_access_challenges = 0,
    total_malformed_requests = 0, total_bad_authenticators = 0,
    total_packets_dropped = 0, total_no_records = 0, total_unknown_types = 0}

print *(listen_socket_t *) this->data
$33 = {ipaddr = {af = 10, ipaddr = {ip4addr = {s_addr = 288}, ip6addr = {
        __in6_u = {__u6_addr8 = " \001", '\0' <repeats 12 times>, "\003P",
          __u6_addr16 = {288, 0, 0, 0, 0, 0, 0, 20483}, __u6_addr32 = {288, 0,
            0, 1342373888}, port = 0, interface = 0x8bdea7e "eth3",
  clients = 0x0}

(I couldn't print sock directly because gdb didn't allow me to access
that memory address).

If somebody sees something wrong please tell me (I still have to check
how the two structs are organized so for the moment I still don't know)
 
 

RE: Error binding port to ipv6 address

2009-02-10 Thread D'AVELLA STEFANO
Exactly the problem is in the udpfromto_init() call inside the
listen_bind() function. 
Inside this function the return value is set to be:
 
return setsockopt(s, proto, flag, &opt, sizeof(opt));
 
with the ipv6 address, it returns -1 (and after a couple of calls and
error logs, the program exits)
with the ipv4 address it returns the correct 0 value.
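
The setsockopt() call discussed above, as an added example that is not part of the original post and is not FreeRADIUS code: it picks the level and option from the socket's own address family and keeps errno, which is the detail needed to tell why a -1 comes back. The function names are hypothetical, and the Linux option names IP_PKTINFO and IPV6_RECVPKTINFO are assumed.

```c
/* Added illustration: choose the packet-info socket option by address family.
 * Not FreeRADIUS code; all function names here are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Map an address family to the (level, option) pair that asks the kernel to
 * deliver each datagram's destination address as ancillary data.
 * Returns 0 on success, -1 with errno = EAFNOSUPPORT for other families. */
int pktinfo_option_for_family(int family, int *level, int *optname)
{
    switch (family) {
    case AF_INET:
        *level = IPPROTO_IP;
        *optname = IP_PKTINFO;
        return 0;
    case AF_INET6:
        *level = IPPROTO_IPV6;
        *optname = IPV6_RECVPKTINFO;    /* RFC 3542 name */
        return 0;
    default:
        errno = EAFNOSUPPORT;
        return -1;
    }
}

/* Enable packet-info delivery on socket s. The family is read back from the
 * socket itself, so the option always matches the socket's protocol level. */
int enable_pktinfo(int s)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    int level, optname, opt = 1;

    if (getsockname(s, (struct sockaddr *)&ss, &len) < 0)
        return -1;
    if (pktinfo_option_for_family(ss.ss_family, &level, &optname) < 0)
        return -1;
    /* setsockopt() takes a pointer to the option value, hence &opt. */
    return setsockopt(s, level, optname, &opt, sizeof(opt));
}

/* Open a UDP socket of the given family, try the option, print the result. */
static int try_family(int family, const char *label)
{
    int rc;
    int s = socket(family, SOCK_DGRAM, 0);

    if (s < 0) {
        printf("%s: socket(): %s\n", label, strerror(errno));
        return -1;
    }
    rc = enable_pktinfo(s);
    if (rc < 0)
        printf("%s: setsockopt failed: %s\n", label, strerror(errno));
    else
        printf("%s: packet info enabled\n", label);
    close(s);
    return rc;
}

int main(void)
{
    try_family(AF_INET, "IPv4");
    try_family(AF_INET6, "IPv6");
    return 0;
}
```

Printing strerror(errno) right after the failing call separates an unsupported option from a bad descriptor or a permission problem.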
 
 

Re: Installation Problem

2009-02-10 Thread Marcelo Freitas

Nice, Thanks Will

I'll try it ... I had to stay with 2.1.1, because I didn't have time ...

Thanks for sharing ...







- Original Message -
From: Will D. Spann ;willdsp...@yahoo.com

Re: Error binding port to ipv6 address

2009-02-10 Thread Alan DeKok
D'AVELLA STEFANO wrote:
 Exactly the problem is in the udpfromto_init() call inside the
 listen_bind() function.

  Then disable udpfromto.  It is NOT enabled in the default build of the
server, so the only way you can run into this problem is if you enable a
non-standard feature.

  Alan DeKok.



Pool-Name woes with sqlippool

2009-02-10 Thread Simon Earthrowl

Hi all,
I have, what I think is a simple problem, with a simple answer that 
doesn't work.


The environment I am supplying authentication requests to requires that I
respond with a fixed IP address in each NAS domain.
eg NAS-IP-Addresses 192.168.1.0/28 should get an IP from the pool 
10.0.0.0/16

While
NAS-IP-Addresses 192.168.1.128/28 should get an IP from the 10.1.0.0/16

Users have no control over which of the NASs they come in through. All the normal
user name/password stuff works fine (many thanks!)


What I would love to do is set up Huntgroups (OK so that bit works too!)
and then in the sqlippool.conf just assign pool-name = %{Huntgroup-Name}

This doesn't work, and all I get is pool-name is undefined.

Does anyone have any ideas?

Kind regards

Simon


RE:outer identity anonymous is being rejected (solved)

2009-02-10 Thread Godfrey Peart
Apologies, I didn't read all the MAN pages, found the answer I needed





My FR 2.1 is set to authenticate users via PEAP + EAP-TTLS, this works
fine but some users are being rejected
So it's being rejected. How do I get the inner identity which contains a
valid username to be processed instead of the outer identity.
I've seen some posts about using *Autz-type INNER* options but have merely
succeeded in breaking my test system when trying it out.

At present this is my users file:






#If you are not in either group, no access is allowed
#FreeRADIUS 2.1


#These are the groups we are checking for Lunar Building staff
DEFAULT Ldap-Group == lunar-staff
  Aruba-User-Role = employee

DEFAULT Ldap-Group == lunar-member
   Aruba-User-Role = member

DEFAULT SQL-Group == Guests
  Aruba-User-Role = guest

DEFAULT Ldap-group != lunar-staff, Auth-Type := Reject
DEFAULT Ldap-group != lunar-member, Auth-Type := Reject

#End

Re: FreeRadius support of EAP-AKA

2009-02-10 Thread ljwbsbfan
I could not find that patch, it seems the only way is to download it from 
bugs.freeradius.org.
Could you please tell me when will that website be recovered from the crash?
 
Thanks,
Kevin

Enabling hashed passwords

2009-02-10 Thread Andrew Gin
Hi
I've trawled looking for a solution for this, but there doesn't seem
to be a clearcut answer. I am using Freeradius 1.1.7.
I'm trying to make it so that in the users file, passwords are stored
as a SHA hash.

So my users file looks like this:
asdf SHA-Password == 3da541559918a808c2402bba5012f6c60b27661c

When I try to log in, with the -X option, it says:

rad_recv: Access-Request packet from host 127.0.0.1:3381, id=73, length=89
   User-Name = asdf
   User-Password = asdf
   NAS-Identifier = vty0
   NAS-Port = 2356
   NAS-Port-Type = Virtual
   Service-Type = Authenticate-Only
   Calling-Station-Id = :::192.168.1.10
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = asdf, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
 modcall[authorize]: module files returns notfound for request 0
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
 modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [asdf] (from client 127.0.0.1 port 2356 cli
:::192.168.1.10)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 73 to 127.0.0.1 port 3381
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 73 with timestamp 4993eaec
Nothing to do.  Sleeping until we see a request.

However when I change the users file to:
asdf User-Password == asdf

With the -X option, I can now login:

rad_recv: Access-Request packet from host 127.0.0.1:3414, id=60, length=89
   User-Name = asdf
   User-Password = asdf
   NAS-Identifier = vty0
   NAS-Port = 2389
   NAS-Port-Type = Virtual
   Service-Type = Authenticate-Only
   Calling-Station-Id = :::192.168.1.10
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = asdf, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
   users: Matched entry asdf at line 4
 modcall[authorize]: module files returns ok for request 0
 modcall[authorize]: module pap returns updated for request 0
modcall: leaving group authorize (returns updated) for request 0
 rad_check_password:  Found Auth-Type pap
auth: type PAP
 Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password asdf
rlm_pap: Using clear text password asdf.
rlm_pap: User authenticated successfully
 modcall[authenticate]: module pap returns ok for request 0
modcall: leaving group PAP (returns ok) for request 0
Login OK: [asdf] (from client 127.0.0.1 port 2389 cli :::192.168.1.10)
Sending Access-Accept of id 60 to 127.0.0.1 port 3414
   Service-Type = Administrative-User
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 60 with timestamp 4993edaf
Nothing to do.  Sleeping until we see a request.

---
Is it as simple as changing User-Password to SHA-Password? There are
various solutions which require changing the pap encryption_scheme
attribute but I think these were made obsolete?

It is this line at which they differ:
success:
 modcall[authorize]: module eap returns noop for request 0
   users: Matched entry asdf at line 4
 modcall[authorize]: module files returns ok for request 0
 modcall[authorize]: module pap returns updated for request 0

fail:
 modcall[authorize]: module eap returns noop for request 0
 modcall[authorize]: module files returns notfound for request 0
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
 modcall[authorize]: module pap returns noop for request 0

I had a look in the code just to see why it was failing and
file_authorize (in 

Fwd: using IP address of vpn users in radius server

2009-02-10 Thread Eric
-- Forwarded message --
From: Eric bbah...@gmail.com
Date: Mon, Feb 9, 2009 at 9:10 AM
Subject: Re: using IP address of vpn users in radius server
To: freeradius-users@lists.freeradius.org



Yes, but how can I specify Calling-Station-Ids based on valid and invalid
IPs?
I want radius to check the Calling-Station-Id: if it is valid, radius sends
ippool 1 for the vpn server, and if it is invalid, it sends ippool2.
Where is this comparison set in the radius server?


 Message: 2
 Date: Sat, 07 Feb 2009 16:12:10 +0100
 From: t...@kalik.net
 Subject: Re: using IP address of vpn users in radius server
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Message-ID: 5yfqtwpv.1234019530.4835870@kalik.net
 Content-Type: text/plain; charset=ISO-8859-2

 I have a radius server that uses ldap server for authentication and
 authorization. The client of radius server is a vpn server.
 now they are working. I want to have two groups of vpn users in vpn server
 base on their IP addresses.
 Could radius server check IP address of  users

 Yes. IP address should be in Calling-Station-Id attribute in the request.

 Ivan Kalik
 Kalik Informatika ISP



