Re: FreeRADIUS 2.1.10 regression in logging behaviour
Josip Rodin wrote:
> On Fri, Nov 26, 2010 at 10:46:54PM +0100, Alan DeKok wrote:
>> Before, it wouldn't re-open the file, even if you did HUP it. I'm not
>> sure why you thought it was rotating the log files before... that just
>> didn't work. It opened the log file when the server started, and never
>> touched it again after that.
>
> You keep repeating this, yet a trivial git log search for the HUP change
> finds cf43a8261cd89829f12e69fdb066fdec8b18579c where the removed code
> included:
..
> So logrotate would move the log file away, and the next log message from FR
> would run this code, which would stat the existing log_fp pointing to a
> missing file, and proceed to close the fp and then reopen it.

IIRC, that had issues when I tested it, which is why the code was changed. One obvious issue is that it's not thread-safe. The log file is closed for a while, and messages can be lost.

> Please don't add insult to injury...

I'm not trying to.

Another issue with the previous code is that it would reopen the log file only when it had a message to write. This is also arguably wrong. See http://bugs.mysql.com/bug.php?id=55711 for a similar bug.

I understand that changing the behavior is unwanted, but is it really that much of a burden to HUP the server?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
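The thread-safety objection above (the file is closed for a while, messages can be lost) illustrated with an added example that is not FreeRADIUS code: a Python writer that compares the inode of its open handle with the path on every write and, under a lock, opens the replacement file before closing the old one, so no writer ever sees a missing handle. The class name, demo() and the log lines are constructed for the example.

```python
import os
import tempfile
import threading

class RotationAwareLog:
    """Append-only logger that notices when its file has been moved or deleted
    (what logrotate does) and reopens it with no window in which no handle
    exists, the gap in the removed stat()/fclose()/fopen() sequence."""

    def __init__(self, path):
        self.path = path
        self._lock = threading.Lock()
        self._fp = open(path, "a")

    def _rotated(self):
        """True when self.path no longer names the inode we hold open."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:           # moved away, nothing recreated yet
            return True
        cur = os.fstat(self._fp.fileno())
        return (st.st_dev, st.st_ino) != (cur.st_dev, cur.st_ino)

    def write(self, line):
        with self._lock:                    # check, reopen and write are atomic
            if self._rotated():
                new_fp = open(self.path, "a")   # open the new file first...
                self._fp, old_fp = new_fp, self._fp
                old_fp.close()                  # ...then release the old handle
            self._fp.write(line + "\n")
            self._fp.flush()

    def close(self):
        with self._lock:
            self._fp.close()

def demo():
    """Constructed scenario: one message, logrotate renames radius.log (no HUP
    sent), a second message. Returns (lines in rotated file, lines in new file)."""
    path = os.path.join(tempfile.mkdtemp(), "radius.log")
    log = RotationAwareLog(path)
    log.write("Ready to process requests.")
    os.rename(path, path + ".1")            # what logrotate does to the file
    log.write("Login OK: [testuser] (from client ftp port 0)")   # constructed line
    log.close()
    with open(path + ".1") as old, open(path) as new:
        return (old.read().splitlines(), new.read().splitlines())
```

It still reopens only when a message arrives, which is the second objection raised above; a HUP handler or a periodic check is what closes that gap.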
Re: Checkval weird issue with LDAP backend and PAM authentication SOLVED with unlang
Hi Alan

got E V E R Y T H I N G working

    if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices?base?eckAllowedServices=%{NAS-Identifier}}") {
        ok
    }
    else {
        reject
    }

thank you anyway - you put me on the right way

Within a few days I'll publish a new version of ECK with freeradius2 (the current one uses freeradius, and that allows granular service authorization by LDAP), ... thank you for all the time you spent and you are spending on the freeradius project, ... I know what it means

Good luck

Marco Carcano
Re: Checkval weird issue with LDAP backend and PAM authentication
Hi Alan

OK - Got it working - had a look at rlm_ldap.c and ldap.h (ldap_is_ldap_url and ldap_url_parse functions) - although I have one more issue, ... see below

    if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) {
        ok
    }
    else {
        reject
    }

debug is:

    ++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" )
    rlm_ldap: - ldap_xlat
            expand: ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices -> ldap://127.0.0.1/CN=testuser,OU=Users,DC=marcolinux,DC=local?eckAllowedServices
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in CN=testuser,OU=Users,DC=marcolinux,DC=local, with filter (null)
    rlm_ldap: Adding attribute eckAllowedServices, value: ftp
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap: - ldap_xlat end
            expand: %{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices} -> ftp
            expand: %{NAS-Identifier} -> ftp
    ? Evaluating ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) -> TRUE
    ++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) -> TRUE
    ++- entering if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) {...}
    +++[ok] returns ok
    ++- if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) returns ok
    ++ ... skipping else for request 0: Preceding "if" was taken
    Found Auth-Type = PAM

but it works only if eckAllowedServices has only one value.

eckAllowedServices is a multi-string attribute, that is for example

    eckAllowedServices[0]=httpProxy
    eckAllowedServices[1]=ftp
    eckAllowedServices[2]=VPN
    etc

it works only for the first element of the array, ... so in the preceding example only if eckAllowedServices[0]=ftp

is there a way to have it recursively process all the elements of the array to do the comparison?

I tried

    if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices[*]}" == "%{NAS-Identifier}" )

and

    if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}[*]" == "%{NAS-Identifier}" )

but had no luck

Marco Carcano

just for info (for other users that may read this post in the future): I was wondering if it performed an anonymous bind to the directory - the LDAP URL does not contain credentials, so I raised the ldap server verbosity and had a look at the log; it works authenticated as in modules/ldap - I think this is really important: in my server I prohibited anonymous binding, also from localhost

On 26 Nov 2010, at 09:31, Alan DeKok wrote:

> Marco Carcano wrote:
>> I RTM unlang, but I have to admit I only got confused - The only thing I
>> have understood is to write a simple statement like this (in authorize
>> section)
>>
>> if (NAS-Identifier == "ftp" ) {
>> ok
>> }
>> else {
>> reject
>> }
>>
>> and I think is even wrong because returns always OK :(
>
> And what does debug mode say?
>
>> I noticed on some posts people using a syntax like if (NAS-Identifier ==
>> %{sql: SELECT ... BLA BLA} )
>
> See "man unlang". This is documented.
>
>> but I have not been able to see a working example using ldap,
>
> if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
>
>> thinking at the %{sql:SELECT ...} example I thought of a syntax almost like this
>>
>> if (NAS-Identifier ==
>> "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local
>> (eckAllowedServices)" ) {
>
> You didn't use the same form as the SQL example. The brackets have
> *meaning*: %{}
>
> See "man unlang".
>
> Alan DeKok.
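A model of the %{ldap:...} expansion discussed in this message and in the SOLVED follow-up, added here as an example and not rlm_ldap's own code: it parses the RFC 4516 URL form the module expects (a bare DN is rejected, as the earlier attempts showed), returns only the first value of the requested attribute (which is why the == comparison only ever sees eckAllowedServices[0]), and shows the filter form matching any of the multi-valued entries. ENTRY, BASE, parse_ldap_url, ldap_xlat, allowed_by_compare and allowed_by_filter are constructed names, not FreeRADIUS functions, and the directory entry is made up.

```python
import re
from urllib.parse import unquote
# Constructed stand-in for the user's directory object (no real LDAP server):
ENTRY = {"dn": "CN=testuser,OU=Users,DC=marcolinux,DC=local",
         "eckAllowedServices": ["httpProxy", "ftp", "VPN"]}   # multi-valued
BASE = "ldap://127.0.0.1/CN=testuser,OU=Users,DC=marcolinux,DC=local"

def parse_ldap_url(url):
    """ldap://host/dn?attrs?scope?filter (RFC 4516) -> dict; None if not an LDAP URL."""
    m = re.match(r"^ldaps?://([^/]*)/(.*)$", url)
    if not m:
        return None
    fields = m.group(2).split("?", 3) + [""] * 3          # pad absent fields
    dn, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return {"host": m.group(1), "dn": dn, "scope": scope or "base",
            "attrs": [a for a in attrs.split(",") if a], "filter": filt}

def filter_matches(filt, entry):
    """'attr=value' equality filter (parentheses optional); true if ANY value matches."""
    if not filt:
        return True
    m = re.match(r"^\(?([^=()]+)=([^()]*)\)?$", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, value = m.groups()
    return value in entry.get(attr, [])

def ldap_xlat(url, entry=ENTRY):
    """Model of %{ldap:url}: FIRST value of the first requested attribute, or ""."""
    parsed = parse_ldap_url(url)
    if parsed is None:   # rlm_ldap: String passed does not look like an LDAP URL.
        return ""
    if parsed["dn"].lower() != entry["dn"].lower():
        return ""        # base-scope search on a DN that does not exist
    if not filter_matches(parsed["filter"], entry):
        return ""        # entry exists but the filter excludes it
    for attr in parsed["attrs"]:
        if entry.get(attr):
            return entry[attr][0]
    return ""

def allowed_by_compare(nas_identifier):
    """First attempt in the thread: compare the expansion to NAS-Identifier."""
    return ldap_xlat(BASE + "?eckAllowedServices") == nas_identifier

def allowed_by_filter(nas_identifier):
    """SOLVED form: put the match into the URL filter and test for non-empty."""
    url = BASE + "?eckAllowedServices?base?eckAllowedServices=" + nas_identifier
    return ldap_xlat(url) != ""
```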
Re: Checkval weird issue with LDAP backend and PAM authentication
Hi Alan,

just to let you know:

    if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) {
        ok
    }

message:

    ++? if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" )
    rlm_ldap: - ldap_xlat
            expand: cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices) -> cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)
    rlm_ldap: String passed does not look like an LDAP URL.
            expand: %{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} ->

it seems to me that it "fires" the ldap module but it doesn't like my syntax.

the same is for

    if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local}" ) {
        ok
    }

    ++? if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local}" )
    rlm_ldap: - ldap_xlat
            expand: cn=%{User-Name},ou=Users,dc=marcolinux,dc=local -> cn=testuser,ou=Users,dc=marcolinux,dc=local
    rlm_ldap: String passed does not look like an LDAP URL.

I do not understand why the message complains about the LDAP URL - the ldap URL is the address of the server - what I provided is an LDAP DN

I thought it was not necessary to supply the LDAP URL because it is already provided in the modules/ldap file

Now I'm sure I have understood absolutely nothing about this module

Marco
Re: FreeRADIUS 2.1.10 regression in logging behaviour
On Fri, Nov 26, 2010 at 10:46:54PM +0100, Alan DeKok wrote:
> Alan Buxey wrote:
> > one eagle-eyed member spotted a small issue with our systems after the
> > upgrade to 2.1.10
>
> It's actually in 2.1.9.
>
> > the sudden obvious fix is to add the HUP/restart part to the logrotate
> > script but
> > we've never ever had to do this in the past...and I'm loathe to do such a
> > thing...i wonder
> > what has changed regarding file handling ?
>
> You now have to HUP after logrotate.
>
> Before, it wouldn't re-open the file, even if you did HUP it. I'm not
> sure why you thought it was rotating the log files before... that just
> didn't work. It opened the log file when the server started, and never
> touched it again after that.

You keep repeating this, yet a trivial git log search for the HUP change
finds cf43a8261cd89829f12e69fdb066fdec8b18579c where the removed code
included:

    [...]
    if (log_fp) {
        struct stat buf;

        if (stat(myconfig->log_file, &buf) < 0) {
            fclose(log_fp);
            log_fp = fr_log_fp = NULL;
        }
    }

    if (!log_fp && myconfig->log_file) {
        fp = fopen(myconfig->log_file, "a");
    [...]
        log_fp = fp;

So logrotate would move the log file away, and the next log message from FR
would run this code, which would stat the existing log_fp pointing to a
missing file, and proceed to close the fp and then reopen it.

Please don't add insult to injury...

--
2. That which causes joy or happiness.
Re: Checkval weird issue with LDAP backend and PAM authentication
Hi Alan

>> but I have not been able to see a working example using ldap,
>
> if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
>
>> thinking at the %{sql:SELECT ...} example I thought of a syntax almost like this
>>
>> if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) {
>
> You didn't use the same form as the SQL example. The brackets have
> *meaning*: %{}

    if (NAS-Identifier == {ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} ) {
        ok
    }

when I start radiusd in debug mode I get:

    Expected string or numbers at: ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} )
    /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

it is for that reason I did not use brackets - I got a syntax error, so I thought it was wrong to use them in this way

if I modify to the following

    if (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) {
        ok
    }

radiusd starts well, but when trying to authenticate I get the following message:

    ++? if (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" )
            expand: {ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} -> {ldap:cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}
    ? Evaluating (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) -> FALSE
    ++? if (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) -> FALSE
    ++- entering else else {...}
    +++[reject] returns reject
    ++- else else returns reject
    Using Post-Auth-Type Reject

%{User-Name} is expanded right, ... it is my syntax that is certainly wrong, so that unlang sees it just like a string to compare

Alan, ...

why don't you just provide a working example - I'm working on a GPL'ed app - ECK, if you have a look at sourceforge you can find it - and for almost two years now I have spent many of my nights - I have to work during the day - and part of my weekends on a project that I think somebody could find useful. Maybe one day many people will use it to build their base system and simply not write to this list asking how to have freeradius working with PAM, LDAP and so on, because thanks to ECK they'll get a working environment in less than an hour. Maybe they'll stress you just on how to improve it

you work on freeradius because you believe in your project, I work on mine because I believe in mine. I believe in your project and put it into mine. We both work without being paid by anybody, just for passion

Now I'm at the final race, ... I really do not understand why you cannot provide just an example - maybe I am stupid, but I re-read the unlang manual several times without being able to figure out the right syntax

Marco
Re: FreeRADIUS 2.1.10 regression in logging behaviour
On Fri, 2010-11-26 at 21:08 +, Alan Buxey wrote:
> hi,
>
> one eagle-eyed member spotted a small issue with our systems after the
> upgrade to 2.1.10 (which, frankly I'd overlooked because to me it's more
> important that people can actually authenticate and we've got good
> accounting etc :-) )
>
> anyway, it's this.
>
> the standard radius.log file which records a few items of interest is no
> longer logrotated correctly, ie logrotate comes along, the file gets a new
> number/name and a new file is created for radiusd to keep using...except it
> doesn't. in the end you end up with eg
>
> radius.log.5
> radius.log.4
> radius.log.3
> radius.log.2
> radius.log.1
> radius.log
>
> where all the newer ones are zero bytes and radius.log.5 is several meg in
> size
>
> the sudden obvious fix is to add the HUP/restart part to the logrotate script
> but we've never ever had to do this in the past...and I'm loathe to do such a
> thing...
>
In our log rotation (on CentOS) we use:

    prerotate
        /sbin/service radiusd stop >/dev/null
    endscript
    postrotate
        /sbin/service radiusd start >/dev/null
    endscript

This occurs at around 4am. We have not had any problems with it.

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
Re: FreeRADIUS 2.1.10 regression in logging behaviour
Alan Buxey wrote:
> one eagle-eyed member spotted a small issue with our systems after the
> upgrade to 2.1.10

It's actually in 2.1.9.

> the sudden obvious fix is to add the HUP/restart part to the logrotate script
> but we've never ever had to do this in the past...and I'm loathe to do such a
> thing...i wonder what has changed regarding file handling ?

You now have to HUP after logrotate.

Before, it wouldn't re-open the file, even if you did HUP it. I'm not sure why you thought it was rotating the log files before... that just didn't work. It opened the log file when the server started, and never touched it again after that.

Alan DeKok.
FreeRADIUS 2.1.10 regression in logging behaviour
hi,

one eagle-eyed member spotted a small issue with our systems after the upgrade to 2.1.10 (which, frankly I'd overlooked because to me it's more important that people can actually authenticate and we've got good accounting etc :-) )

anyway, it's this.

the standard radius.log file which records a few items of interest is no longer logrotated correctly, ie logrotate comes along, the file gets a new number/name and a new file is created for radiusd to keep using...except it doesn't. in the end you end up with eg

    radius.log.5
    radius.log.4
    radius.log.3
    radius.log.2
    radius.log.1
    radius.log

where all the newer ones are zero bytes and radius.log.5 is several meg in size

the sudden obvious fix is to add the HUP/restart part to the logrotate script but we've never ever had to do this in the past...and I'm loathe to do such a thing...i wonder what has changed regarding file handling ?

alan
Re: Checkval weird issue with LDAP backend and PAM authentication
Marco Carcano wrote:
> I RTM unlang, but I have to admit I only got confused - The only thing I
> have understood is to write a simple statement like this (in authorize
> section)
>
> if (NAS-Identifier == "ftp" ) {
> ok
> }
> else {
> reject
> }
>
> and I think is even wrong because returns always OK :(

And what does debug mode say?

> I noticed on some posts people using a syntax like if (NAS-Identifier ==
> %{sql: SELECT ... BLA BLA} )

See "man unlang". This is documented.

> but I have not been able to see a working example using ldap,

if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {

> thinking at the %{sql:SELECT ...} example I thought of a syntax almost like this
>
> if (NAS-Identifier ==
> "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local
> (eckAllowedServices)" ) {

You didn't use the same form as the SQL example. The brackets have
*meaning*: %{}

See "man unlang".

Alan DeKok.