Re: FreeRADIUS 2.1.10 regression in logging behaviour

2010-11-26 Thread Alan DeKok
Josip Rodin wrote:
> On Fri, Nov 26, 2010 at 10:46:54PM +0100, Alan DeKok wrote:
>>   Before, it wouldn't re-open the file, even if you did HUP it.  I'm not
>> sure why you thought it was rotating the log files before... that just
>> didn't work.  It opened the log file when the server started, and never
>> touched it again after that.
> 
> You keep repeating this, yet a trivial git log search for the HUP change
> finds cf43a8261cd89829f12e69fdb066fdec8b18579c where the removed code
> included:
..
> So logrotate would move the log file away, and the next log message from FR
> would run this code, which would stat the existing log_fp pointing to a
> missing file, and proceed to close the fp and then reopen it.

  IIRC, that had issues when I tested it, which is why the code was
changed.  One obvious issue is that it's not thread-safe.  The log file
is closed for a while, and messages can be lost.

> Please don't add insult to injury...

  I'm not trying to.

  Another issue with the previous code is that it would reopen the log
file only when it had a message to write.  This is also arguably wrong.
 See http://bugs.mysql.com/bug.php?id=55711 for a similar bug.

  I understand that changing the behavior is unwanted, but is it really
that much of a burden to HUP the server?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Checkval weird issue with LDAP backend and PAM authentication SOLVED with unlang

2010-11-26 Thread Marco Carcano

Hi Alan

got E V E R Y T H I N G working

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices?base?eckAllowedServices=%{NAS-Identifier}}") {
    ok
}
else {
    reject
}

thank you anyway - you put me on the right track

Within a few days I'll publish a new version of ECK with freeradius2
(the current one uses freeradius, and that allows granular service
authorization by LDAP), ...


thank you for all the time you spent and you are spending on the
freeradius project, ... I know what it means


Good luck

Marco Carcano



Re: Checkval weird issue with LDAP backend and PAM authentication

2010-11-26 Thread Marco Carcano

Hi Alan

OK - got it working - I took a look at rlm_ldap.c and ldap.h
(the ldap_is_ldap_url and ldap_url_parse functions) - although I have one
more issue, ... see below


if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) {
    ok
}
else {
    reject
}


the debug output is:

++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" )
rlm_ldap: - ldap_xlat
expand: ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices -> ldap://127.0.0.1/CN=testuser,OU=Users,DC=marcolinux,DC=local?eckAllowedServices
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=testuser,OU=Users,DC=marcolinux,DC=local, with filter (null)
rlm_ldap: Adding attribute eckAllowedServices, value: ftp
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - ldap_xlat end
expand: %{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices} -> ftp
expand: %{NAS-Identifier} -> ftp
? Evaluating ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) -> TRUE
++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) -> TRUE
++- entering if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) {...}
+++[ok] returns ok
++- if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) returns ok
++ ... skipping else for request 0: Preceding "if" was taken
Found Auth-Type = PAM

but it works only if eckAllowedServices has only one value.
eckAllowedServices is a multi-string attribute, that is, for example

eckAllowedServices[0]=httpProxy
eckAllowedServices[1]=ftp
eckAllowedServices[2]=VPN

etc.

it works only for the first element of the array, ... so in the
preceding example only if eckAllowedServices[0]=ftp


is there a way to have it recursively process all the elements of the  
array to do the comparison?


I tried

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices[*]}" == "%{NAS-Identifier}" )


and

if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}[*]" == "%{NAS-Identifier}" )


but had no luck

Marco Carcano

just for info (for other users that may read this post in the future):
I was wondering if it performed an anonymous bind to the directory - the
LDAP URL does not contain credentials, so I raised the ldap server
verbosity and took a look at the log: it works authenticated, as in
modules/ldap - I think this is really important: on my server I
prohibited anonymous binding, even from localhost





On 26 Nov 2010, at 09:31, Alan DeKok wrote:


> Marco Carcano wrote:
>> I RTM unlang, but I have to admit I only got confused - The only thing I
>> have understood is to write a simple statement like this (in authorize
>> section)
>>
>>    if (NAS-Identifier == "ftp" ) {
>>    ok
>>    }
>>    else {
>>    reject
>>    }
>>
>> and I think it is even wrong because it always returns OK :(
>
>  And what does debug mode say?
>
>> I noticed on some posts people using a syntax like if (NAS-Identifier ==
>> %{sql: SELECT ... BLA BLA} )
>
>  See "man unlang".  This is documented.
>
>> but I have not been able to see a working example using ldap,
>
> if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
>
>> thinking at the %{sql:SELECT ...} example I thought a syntax almost
>> like this
>>
>>    if (NAS-Identifier ==
>> "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local
>> (eckAllowedServices)" ) {
>
>  You didn't use the same form as the SQL example.  The brackets have
> *meaning*: %{}
>
>  See "man unlang".
>
>  Alan DeKok.




Re: Checkval weird issue with LDAP backend and PAM authentication

2010-11-26 Thread Marco Carcano

Hi Alan,

just to let you know:

if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) {
    ok
}

message:

++? if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" )
rlm_ldap: - ldap_xlat
expand: cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices) -> cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)
rlm_ldap: String passed does not look like an LDAP URL.
expand: %{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} ->


it seems to me that it "fires" the ldap module but it doesn't like my
syntax.


the same is for

if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local}" ) {
    ok
}

++? if (NAS-Identifier == "%{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local}" )
rlm_ldap: - ldap_xlat
expand: cn=%{User-Name},ou=Users,dc=marcolinux,dc=local -> cn=testuser,ou=Users,dc=marcolinux,dc=local
rlm_ldap: String passed does not look like an LDAP URL.

I do not understand why the message complains about the LDAP URL - the
LDAP URL is the address of the server - what I provided is an LDAP DN


I thought it was not necessary to supply the LDAP URL because it is
already provided in the modules/ldap file


Now I'm sure I have understood absolutely nothing about this module

Marco
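
Marco's three messages above show the same thing from different angles: a bare DN handed to %{ldap:...} is rejected ("String passed does not look like an LDAP URL"), a full ldap://host/dn?attr URL expands to only the first value of a multi-valued attribute, and moving the comparison into the filter part of the URL is what finally worked. The example below is added here and is not code from the thread or from FreeRADIUS: a small RFC 4516 URL parser that makes the same decision as the ldap_is_ldap_url/ldap_url_parse calls Marco looked at, a first-value lookup next to a filter match against a constructed multi-valued entry, and the RFC 4514/4515 escaping that a User-Name and a NAS-Identifier need when you place them into a DN and a filter yourself. Whether rlm_ldap escapes those expansions for you in this path is not something the thread shows, so check your version before relying on it. The host, DN and attribute name are Marco's; the entry, the user names and the odd NAS-Identifier values are constructed.

```python
"""Added example; not code from the thread or from FreeRADIUS.  A small
RFC 4516 LDAP URL parser, the two escaping rules needed when the DN and the
filter carry request attributes, and a first-value vs. filter comparison
against a constructed entry."""
import re
from urllib.parse import quote, unquote

SCOPES = ("base", "one", "sub")


def is_ldap_url(s):
    """The question rlm_ldap asks through ldap_is_ldap_url(): is there an
    ldap:// or ldaps:// scheme?  A bare DN gives 'String passed does not
    look like an LDAP URL'."""
    return re.match(r"^ldaps?://", s, re.IGNORECASE) is not None


def parse_ldap_url(url):
    """Split ldap://host:port/dn?attributes?scope?filter?extensions into its
    parts, percent-decode them and apply the RFC 4516 defaults."""
    if not is_ldap_url(url):
        raise ValueError("String passed does not look like an LDAP URL")
    scheme, rest = url.split("://", 1)
    hostport, _, path = rest.partition("/")
    parts = path.split("?", 4) + [""] * 5
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts[:5])
    if scope and scope.lower() not in SCOPES:
        raise ValueError("unknown scope: %s" % scope)
    return {
        "scheme": scheme.lower(),
        "host": hostport,
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope.lower() or "base",
        "filter": filt or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }


def escape_filter_value(value):
    """RFC 4515: inside a search filter the characters \\ * ( ) and NUL must
    be written as \\XX, otherwise the value can change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def escape_dn_value(value):
    """RFC 4514: inside a DN (CN=%{User-Name}) the characters , + " \\ < > ;
    are escaped everywhere, # at the start and a space at either end."""
    out = []
    for i, c in enumerate(value):
        if c in ',+"\\<>;' or (c == "#" and i == 0) or (c == " " and i in (0, len(value) - 1)):
            out.append("\\" + c)
        elif c == "\0":
            out.append("\\00")
        else:
            out.append(c)
    return "".join(out)


def build_url(host, base_dn, attr, user_name, nas_id):
    """Assemble the URL shape of Marco's working rule, with User-Name escaped
    for the DN, NAS-Identifier escaped for the filter, and both components
    percent-encoded so nothing inside them is read as a URL separator."""
    dn = "CN=%s,%s" % (escape_dn_value(user_name), base_dn)
    filt = "(%s=%s)" % (attr, escape_filter_value(nas_id))
    return "ldap://%s/%s?%s?base?%s" % (host, quote(dn, safe="=,"), attr, quote(filt, safe="=()"))


# Constructed entry of the kind Marco describes: a multi-valued attribute.
ENTRY = {"cn": ["testuser"], "eckAllowedServices": ["httpProxy", "ftp", "VPN"]}


def xlat_first_value(entry, attr):
    """What '%{ldap:...?attr}' gave Marco: only the first value of the
    attribute, so '== %{NAS-Identifier}' matches only when that value is first."""
    values = entry.get(attr, [])
    return values[0] if values else ""


def entry_matches(entry, filt):
    """Evaluate the equality filter from the URL, '(attr=value)' or the bare
    'attr=value' Marco's rule uses, against every value of the attribute.
    This is the comparison the LDAP server does once it lives in the filter."""
    m = re.match(r"^\(?([A-Za-z][\w-]*)=([^()]*)\)?$", filt)
    if not m:
        raise ValueError("unsupported filter: %s" % filt)
    attr, wanted = m.group(1).lower(), unescape_filter_value(m.group(2)).lower()
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    return any(v.lower() == wanted for v in values)


if __name__ == "__main__":
    url = build_url("127.0.0.1", "OU=Users,DC=marcolinux,DC=local", "eckAllowedServices", "testuser", "ftp")
    print(url)
    print(parse_ldap_url(url))
    print(xlat_first_value(ENTRY, "eckAllowedServices"), entry_matches(ENTRY, parse_ldap_url(url)["filter"]))
```

Against the constructed entry the first-value lookup returns httpProxy while the filter match on ftp or VPN is true, which is the difference between the == rule that only worked for eckAllowedServices[0] and the filter rule that works for any value. Feeding a NAS-Identifier of "*" through build_url yields a filter of (eckAllowedServices=\2a), a literal star rather than a wildcard.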


Re: FreeRADIUS 2.1.10 regression in logging behaviour

2010-11-26 Thread Josip Rodin
On Fri, Nov 26, 2010 at 10:46:54PM +0100, Alan DeKok wrote:
> Alan Buxey wrote:
> > one eagle-eyed member spotted a small issue with our systems after the 
> > upgrade to 2.1.10
> 
>   It's actually in 2.1.9.
> 
> > the sudden obvious fix is to add the HUP/restart part to the logrotate 
> > script but
> > we've never ever had to do this in the past...and I'm loathe to do such a 
> > thing...i wonder
> > what has changed regarding file handling ?
> 
>   You now have to HUP after logrotate.
> 
>   Before, it wouldn't re-open the file, even if you did HUP it.  I'm not
> sure why you thought it was rotating the log files before... that just
> didn't work.  It opened the log file when the server started, and never
> touched it again after that.

You keep repeating this, yet a trivial git log search for the HUP change
finds cf43a8261cd89829f12e69fdb066fdec8b18579c where the removed code
included:

[...]
    if (log_fp) {
        struct stat buf;

        if (stat(myconfig->log_file, &buf) < 0) {
            fclose(log_fp);
            log_fp = fr_log_fp = NULL;
        }
    }

    if (!log_fp && myconfig->log_file) {
        fp = fopen(myconfig->log_file, "a");
[...]
        log_fp = fp;

So logrotate would move the log file away, and the next log message from FR
would run this code, which would stat the existing log_fp pointing to a
missing file, and proceed to close the fp and then reopen it.

Please don't add insult to injury...

-- 
 2. That which causes joy or happiness.


Re: Checkval weird issue with LDAP backend and PAM authentication

2010-11-26 Thread Marco Carcano

Hi Alan



>> but I have not been able to see a working example using ldap,
>
> if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
>
>> thinking at the %{sql:SELECT ...} example I thought a syntax almost
>> like this
>>
>>    if (NAS-Identifier ==
>> "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local
>> (eckAllowedServices)" ) {
>
>  You didn't use the same form as the SQL example.  The brackets have
> *meaning*: %{}


if (NAS-Identifier == {ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} ) {
    ok
}

when I start radiusd in debug mode I get:

Expected string or numbers at: ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} )

/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

it is for that reason that I did not use brackets - I got a syntax error,
so I thought it was wrong to use them in this way


if I modify it to the following

if (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) {
    ok
}

radiusd starts fine, but when trying to authenticate I get the
following message:


++? if (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" )
expand: {ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)} -> {ldap:cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}
? Evaluating (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) -> FALSE
++? if (NAS-Identifier == "{ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)}" ) -> FALSE
++- entering else else {...}
+++[reject] returns reject
++- else else returns reject
Using Post-Auth-Type Reject

%{User-Name} is expanded right, ... it is my syntax that is certainly
wrong, so that unlang sees it just as a string to compare


Alan, ... why don't you just provide a working example - I'm working
on a GPL'ed app - ECK, if you take a look at sourceforge you can find
it - and for almost two years now I have spent many of my nights - I have
to work during the day - and part of my weekends on a project that I
think somebody could find useful. Maybe one day many people will use
it to build their base system and simply not write to this list
asking how to have freeradius working with PAM, LDAP and so on because
thanks to ECK they'll get a working environment in less than an hour.
Maybe they'll stress you just on how to improve it


you work on freeradius because you believe in your project, I work on
mine because I believe in mine. I believe in your project and put it
into mine. We both work without being paid by anybody, just for passion


Now I'm at the final stretch, ... I really do not understand why you
cannot provide just an example - maybe I am stupid, but I re-read the
unlang manual several times without being able to figure out the right syntax


Marco








Re: FreeRADIUS 2.1.10 regression in logging behaviour

2010-11-26 Thread John Horne
On Fri, 2010-11-26 at 21:08 +, Alan Buxey wrote:
> hi,
> 
> one eagle-eyed member spotted a small issue with our systems after the 
> upgrade to 2.1.10
> (which, frankly I'd overlooked because to me it's more important that people 
> can actually
> authenticate and we've got good accounting etc :-) )
> 
> anyway, it's this.
> 
> the standard radius.log file which records a few items of interest is no 
> longer logrotated
> correctly...ie logrotate comes along, the file gets a new number/name and a 
> new file
> is created for radiusd to keep using...except it doesn't. in the end you end 
> up with eg
> 
> radius.log.5
> radius.log.4
> radius.log.3
> radius.log.2
> radius.log.1
> radius.log
> 
> 
> where all the newer ones are zero bytes and radius.log.5 is several meg in 
> size
> 
> the sudden obvious fix is to add the HUP/restart part to the logrotate script 
> but
> we've never ever had to do this in the past...and I'm loath to do such a 
> thing...
>
In our log rotation (on CentOS) we use:

prerotate
    /sbin/service radiusd stop >/dev/null
endscript
postrotate
    /sbin/service radiusd start >/dev/null
endscript

This occurs at around 4am. We have not had any problems with it.




John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001



Re: FreeRADIUS 2.1.10 regression in logging behaviour

2010-11-26 Thread Alan DeKok
Alan Buxey wrote:
> one eagle-eyed member spotted a small issue with our systems after the 
> upgrade to 2.1.10

  It's actually in 2.1.9.

> the sudden obvious fix is to add the HUP/restart part to the logrotate script 
> but
> we've never ever had to do this in the past...and I'm loathe to do such a 
> thing...i wonder
> what has changed regarding file handling ?

  You now have to HUP after logrotate.

  Before, it wouldn't re-open the file, even if you did HUP it.  I'm not
sure why you thought it was rotating the log files before... that just
didn't work.  It opened the log file when the server started, and never
touched it again after that.

  Alan DeKok.


FreeRADIUS 2.1.10 regression in logging behaviour

2010-11-26 Thread Alan Buxey
hi,

one eagle-eyed member spotted a small issue with our systems after the upgrade 
to 2.1.10
(which, frankly I'd overlooked because to me it's more important that people can 
actually
authenticate and we've got good accounting etc :-) )

anyway, it's this.

the standard radius.log file which records a few items of interest is no longer 
logrotated
correctly...ie logrotate comes along, the file gets a new number/name and a 
new file
is created for radiusd to keep using...except it doesn't. in the end you end up 
with eg

radius.log.5
radius.log.4
radius.log.3
radius.log.2
radius.log.1
radius.log


where all the newer ones are zero bytes and radius.log.5 is several meg in size

the sudden obvious fix is to add the HUP/restart part to the logrotate script 
but
we've never ever had to do this in the past...and I'm loath to do such a 
thing...i wonder
what has changed regarding file handling ?

alan
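
The symptom Alan Buxey reports here (the new radius.log stays at zero bytes while the rotated copy keeps growing), the stat()-and-reopen code Josip Rodin quotes from the removed commit, and the HUP Alan DeKok says is now required all come down to one Unix fact: an open file descriptor follows the inode, not the path, so after logrotate renames the file the daemon keeps writing to the old inode until something makes it re-open the path. The example below is added here and is not code from the thread or from FreeRADIUS; it models the behaviours with plain files in a temporary directory, where "radiusd" is a small LogWriter that opens radius.log once, "logrotate" is a rename plus, when asked, an empty new file, and the log lines are constructed. It also takes one step beyond the thread: the quoted check only fires when stat() fails, so with logrotate's create directive, which puts a new file in place immediately, that check would find the path present and not re-open; comparing the inode behind the path with the inode behind the open descriptor catches that case too. The single-threaded model does not show Alan DeKok's thread-safety objection, which is about other threads seeing log_fp as NULL between the fclose() and the fopen() in the quoted code.

```python
"""Added example; not code from the thread or from FreeRADIUS.  Models log
rotation against a long-lived log handle with plain files in a temp dir.
'radiusd' is a LogWriter that opens radius.log once; 'logrotate' renames it
and, with 'create', puts an empty new one in place.  Log lines are constructed."""
import os
import shutil
import tempfile


class LogWriter:
    """Stand-in for the server's log handle.

    mode "keep":  open once, never re-open (the 2.1.9+ behaviour described in
                  the thread: only a HUP makes the server re-open the file).
    mode "stat":  before each write, re-open if stat() on the path fails
                  (the condition in the removed code Josip Rodin quotes).
    mode "inode": re-open if the path is missing or now names a different
                  inode than the open descriptor (added here, not on the page).
    """

    def __init__(self, path, mode="keep"):
        self.path, self.mode = path, mode
        self.fp = open(path, "a")

    def _rotated_away(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return True                    # the only case the quoted code caught
        if self.mode == "inode":
            return st.st_ino != os.fstat(self.fp.fileno()).st_ino
        return False

    def write(self, line):
        if self.mode != "keep" and self._rotated_away():
            self.hup()
        self.fp.write(line + "\n")
        self.fp.flush()

    def hup(self):
        """What SIGHUP makes the server do: close and re-open the configured
        path.  Until this happens, writes keep landing in the renamed file,
        because the descriptor is bound to the inode, not the name."""
        self.fp.close()
        self.fp = open(self.path, "a")

    def close(self):
        self.fp.close()


def logrotate(path, create=True):
    """Stand-in for logrotate: rename radius.log to radius.log.1 and, with the
    'create' directive, put an empty radius.log back in place right away."""
    os.rename(path, path + ".1")
    if create:
        open(path, "a").close()


def count_lines(path):
    try:
        with open(path) as f:
            return sum(1 for _ in f)
    except FileNotFoundError:
        return 0


def run(mode, create=True, send_hup=False):
    """One message, a rotation, one more message, optionally a HUP and a third
    message.  Returns (lines now in radius.log, lines in radius.log.1)."""
    tmp = tempfile.mkdtemp()
    try:
        log = os.path.join(tmp, "radius.log")
        w = LogWriter(log, mode)
        w.write("Auth: Login OK: [alice] (from client nas1 port 0)")      # constructed
        logrotate(log, create)
        w.write("Auth: Login OK: [bob] (from client nas1 port 0)")        # constructed
        if send_hup:
            w.hup()
            w.write("Auth: Login OK: [carol] (from client nas1 port 0)")  # constructed
        w.close()
        return count_lines(log), count_lines(log + ".1")
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("2.1.9+ without HUP:      ", run("keep"))                  # (0, 2): the symptom
    print("2.1.9+ with HUP:         ", run("keep", send_hup=True))   # (1, 2)
    print("old code, no 'create':   ", run("stat", create=False))    # (1, 1)
    print("old code, with 'create': ", run("stat"))                  # (0, 2): stat() succeeds
    print("inode compare:           ", run("inode"))                 # (1, 1)
```

The first line of output is the zero-byte radius.log from the original report; the second is what adding a HUP to the logrotate postrotate step buys you. The third and fourth lines show the removed code re-opening only when the path is actually gone at the moment of the write, and the last one the inode comparison noticing the rotation even though logrotate has already created the replacement file.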


Re: Checkval weird issue with LDAP backend and PAM authentication

2010-11-26 Thread Alan DeKok
Marco Carcano wrote:
> I RTM unlang, but I have to admit I only got confused - The only thing I
> have understood is to write a simple statement like this (in authorize
> section)
> 
> if (NAS-Identifier == "ftp" ) {
> ok
> }
> else {
> reject
> }
> 
> and I think it is even wrong because it always returns OK :(

  And what does debug mode say?

> I noticed on some posts people using a syntax like if (NAS-Identifier ==
> %{sql: SELECT ... BLA BLA} )

  See "man unlang".  This is documented.

> but I have not been able to see a working example using ldap, 

if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {



> thinking at the %{sql:SELECT ...} example I thought a syntax almost like this
> 
> if (NAS-Identifier ==
> "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local
> (eckAllowedServices)" ) {

  You didn't use the same form as the SQL example.  The brackets have
*meaning*: %{}

  See "man unlang".

  Alan DeKok.