Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol
> Did you try RE-BUILDING the server when you only had one version of OpenSSL installed?

I did that and the SSL_CTX_ERROR message is now gone and radiusd runs successfully. However it won't accept encrypted authentication requests:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to secureldapcentral.stvincents.com.au:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert File to certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU/abc123 to secureldapcentral.stvincents.com.au:636
rlm_ldap: waiting for bind result ...
rlm_ldap: ldap_result()
rlm_ldap: cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU bind to secureldapcentral.stvincents.com.au:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed

I can authenticate to the ldap backend with an ldap client using port 636 but not with freeradius.

The complete -X output:

radius02:/etc/freeradius# radiusd -X
FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 16 2009 at 11:45:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/roles_search
including configuration file /etc/freeradius/modules/patient_search
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/people_search
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
    prefix = /etc
    localstatedir = /var
    logdir = /var/log/radius
    libdir = /usr/lib/freeradius
    radacctdir =
Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol
> You have two different versions of OpenSSL installed.

I'm really stumped by this. I've replaced the default debian openssl libraries (as per... ldconfig -v | grep ssl) with openssl 0.9.8.j and am still getting the pesky error,

radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol: SSL_CTX_set_info_callback

Is libgnutls-openssl.so.13 referenced by freeradius? That's the only file I haven't been able to replace. What else can I do? Any help would be greatly appreciated!

cheers
Peter

-X output:

FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 13 2009 at 09:54:32
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
    prefix = /usr/local
    localstatedir = /var
    logdir = /var/log/radius
    libdir = /usr/lib
    radacctdir = /var/log/freeradius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = /var/run/radiusd/radiusd.pid
    checkrad = /usr/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = testing123
    nastype = other
}
radiusd: Loading Realms and
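The diagnosis quoted in this message is two OpenSSL copies visible to the dynamic loader. The following is an added example, not code from the thread or from the FreeRADIUS project: it parses `ldconfig -v` output (the command mentioned above) and reports every directory that provides libssl or libcrypto. The sample output and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `ldconfig -v` output: a directory line ends with ":", the
# libraries found in it follow as tab-indented "soname -> file" pairs.
SAMPLE_LDCONFIG = (
    "/usr/local/openssl/lib:\n"
    "\tlibssl.so.0.9.8 -> libssl.so.0.9.8\n"
    "\tlibcrypto.so.0.9.8 -> libcrypto.so.0.9.8\n"
    "/usr/lib:\n"
    "\tlibssl.so.0.9.8 -> libssl.so.0.9.8\n"
    "\tlibcrypto.so.0.9.8 -> libcrypto.so.0.9.8\n"
    "\tlibgnutls-openssl.so.13 -> libgnutls-openssl.so.13.9.1\n"
    "\tlibldap_r-2.4.so.2 -> libldap_r-2.4.so.2.1.0\n"
    "/lib:\n"
    "\tlibc.so.6 -> libc-2.7.so\n"
)

# Only OpenSSL's own libraries are counted. libgnutls-openssl is GnuTLS's
# compatibility layer, a different library, so it does not match.
OPENSSL_SONAME = re.compile(r"^lib(ssl|crypto)\.so(\.\S+)?$")


def openssl_copies(ldconfig_output):
    """Return {"ssl": [(directory, soname), ...], "crypto": [...]}."""
    copies = defaultdict(list)
    directory = None
    for line in ldconfig_output.splitlines():
        if line and not line[0].isspace():
            # Directory header. Newer glibc appends " (from /etc/ld.so.conf...)"
            # after the colon, so keep only the part before it.
            directory = line.split(":", 1)[0]
            continue
        entry = line.strip()
        if directory is None or " -> " not in entry:
            continue
        soname = entry.split(" -> ", 1)[0]
        match = OPENSSL_SONAME.match(soname)
        if match:
            copies[match.group(1)].append((directory, soname))
    return dict(copies)


def duplicates(copies):
    """Library families found in more than one directory or soname version."""
    report = {}
    for family, found in copies.items():
        directories = {d for d, _ in found}
        sonames = {s for _, s in found}
        if len(directories) > 1 or len(sonames) > 1:
            report[family] = sorted(found)
    return report


if __name__ == "__main__":
    for family, found in duplicates(openssl_copies(SAMPLE_LDCONFIG)).items():
        print(f"lib{family}: {len(found)} copies visible to the loader")
        for directory, soname in found:
            print(f"  {directory}/{soname}")
```

On a real host, feed it the output of `ldconfig -v`, then run `ldd /usr/lib/rlm_eap_tls-2.1.3.so` to see which of the reported copies the module actually resolves to.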
Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol
> You have two different versions of OpenSSL installed.

Thanks for that Alan. I've blown everything away and started from scratch and installed openssl 0.98j and used the following freeradius configuration:

./configure --bindir=/usr/bin \
    --sbindir=/usr/sbin \
    --sysconfdir=/etc \
    --localstatedir=/var \
    --libdir=/usr/lib \
    --includedir=/usr/include \
    --with-radacctdir=/var/log/freeradius/radacct \
    --with-raddbdir=/etc/freeradius \
    --with-openssl-includes=/usr/local/openssl/include \
    --with-openssl-libraries=/usr/local/openssl/lib

...but I'm getting the following configuration errors even though the libraries and includes (and header files mentioned) are in the right places. Can these errors be ignored? (a make file was successfully created)

checking openssl/des.h presence... no
configure: WARNING: openssl/des.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: openssl/des.h: proceeding with the compiler's result
checking for openssl/des.h... yes
checking openssl/hmac.h usability... yes
checking openssl/hmac.h presence... no
configure: WARNING: openssl/hmac.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: openssl/hmac.h: proceeding with the compiler's result
checking for openssl/hmac.h... yes
checking openssl/md4.h usability... yes
checking openssl/md4.h presence... no
configure: WARNING: openssl/md4.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: openssl/md4.h: proceeding with the compiler's result
checking for openssl/md4.h... yes
checking openssl/md5.h usability... yes
checking openssl/md5.h presence... no
configure: WARNING: openssl/md5.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: openssl/md5.h: proceeding with the compiler's result
checking for openssl/md5.h... yes
checking openssl/sha.h usability... yes
checking openssl/sha.h presence... no
configure: WARNING: openssl/sha.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: openssl/sha.h: proceeding with the compiler's result
checking for openssl/sha.h... yes
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires: openssl-libs.

cheers
Peter

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been virus scanned and although no viruses were detected by the system, St Vincents Mater Health Sydney accepts no liability for any consequential damage resulting from email containing any computer viruses. **

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol
This is a new installation using openssl0.98j and freeradius 2.1.3. I get this error when running in debug mode:

radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol: SSL_CTX_set_info_callback

Prior to running in debug mode, I ran ./bootstrap under freeradius/certs directory. The output:

radius02:/etc/freeradius/certs# ./bootstrap
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
+.+..+++...++.++*++*++*
openssl req -new -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
..+++
...+++
writing new private key to 'server.key'
-
openssl req -new -x509 -keyout ca.key -out ca.pem \
    -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
Generating a 2048 bit RSA private key
...+++
..+++
writing new private key to 'ca.key'
-
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Mar 11 04:59:02 2009 GMT
        Not After : Mar 11 04:59:02 2010 GMT
    Subject:
        countryName = FR
        stateOrProvinceName = Radius
        organizationName = Example Inc.
        commonName= Example Server Certificate
        emailAddress = ad...@example.com
    X509v3 extensions:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
Certificate is to be certified until Mar 11 04:59:02 2010 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

radiusd -X output:

FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 11 2009 at 14:14:37
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/roles_search
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/patient_search
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/policy
including configuration file
Re: Secure FreeRADIUS LDAP
Thanks, I've got it working. Does it work by comparing the generated hash with the hash in the ldap backend?

t...@kalik.net 23/02/2009 9:02 pm
>> Does freeradius support SHA hashed passwords (on ldap backend)?
>
> Yes. This is documented in doc/rlm_ldap included with the server.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Secure FreeRADIUS LDAP
Does freeradius support SHA hashed passwords (on ldap backend)?

danhaw...@googlemail.com 20/02/2009 10:36 pm
> Cool, thanks for the info Ivan. Will give it a go and report back
>
> Thanks again
>
> Dan
>
> 2009/2/20 t...@kalik.net:
>> # Can freeradius talk to the ldap box using TLS/SSL (ldaps)
>>
>> Yes. See tls section in ldap module.
>>
>> # Can freeradius read hashed credentials from the LDAP store and then actually use them???
>>
>> Yes. You will have to enable auto-headers in pap module if you are storing them with headers in userPassword.
>>
>> # There may be a requirement to use certificates for auth, can the ldap/freeradius module handle certs???
>>
>> Yes.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
> --
> Dan Hawker
> danhaw...@googlemail.com
> 07773 348975
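The two "Secure FreeRADIUS LDAP" messages above concern hashed userPassword values stored with a header, and whether the server compares a generated hash with the stored one. The following is an added example of that comparison for RFC 2307-style values, not FreeRADIUS code; the four schemes handled are a subset chosen for the example, and the function names and sample values are constructed.

```python
import base64
import hashlib
import hmac
import re

HEADER = re.compile(r"^\{([A-Za-z0-9-]+)\}(.+)$", re.S)

# header -> (hashlib algorithm, salted?). Salted schemes store digest || salt.
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}

# Constructed sample: unsalted SHA-1 of the string "password".
STORED_SHA = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="


def make_ssha(password, salt):
    """Build a {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def split_header(user_password):
    """Return (scheme, body); scheme is None when the value has no {header}."""
    match = HEADER.match(user_password)
    if not match:
        return None, user_password
    return match.group(1).upper(), match.group(2)


def verify(user_password, candidate):
    """True if the clear-text `candidate` matches the stored userPassword."""
    scheme, body = split_header(user_password)
    if scheme is None:
        # No header: the stored value is taken to be the clear-text password.
        return hmac.compare_digest(body.encode(), candidate.encode())
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {{{scheme}}}")
    algorithm, salted = SCHEMES[scheme]
    blob = base64.b64decode(body, validate=True)
    size = hashlib.new(algorithm).digest_size
    digest, salt = blob[:size], blob[size:]
    if len(digest) != size or (salt and not salted):
        raise ValueError(f"malformed {{{scheme}}} value")
    # Hash the candidate the same way the stored value was produced,
    # then compare the two digests in constant time.
    computed = hashlib.new(algorithm, candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, computed)


if __name__ == "__main__":
    stored_ssha = make_ssha("password", b"\x01\x02\x03\x04")
    for stored in (STORED_SHA, stored_ssha, "password"):
        scheme, _ = split_header(stored)
        print(scheme or "no header", verify(stored, "password"), verify(stored, "guess"))
```

The stored hash is never reversed: the server needs the clear-text password from the request in order to hash it and compare.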
Re: authenticating to ldaps/tls
it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636) ...but it also supports the latter even though an acl is set to not allow port 389

> use start_tls=no

fails also, it seems to have a problem with the cert and/or cert directory:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/

cheers
Peter

thibault.lem...@supelec.fr 12/02/2009 9:04 pm
> Peter Param wrote:
>> Hi all,
>>
>> I'm trying to authenticate to a LDAPS backend but failing. Any suggestions?
>
> Is it an LDAP server answering on LDAPS connections (LDAP+SSL on port 636) or an LDAP server answering on LDAP connections that are then secured by Start-TLS (LDAP on port 389 + Start-TLS)? These are 2 different options.
>
>> ldap people_search {
>>     server = ldap1.stvincents.com.au
>>     port = 636
> == This implies an ldaps server
>>     identity = cn=admin,o=org,c=au
>>     password = ***
>>     filter = (cn=%u)
>>     basedn = ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
>>     tls {
>>         tls_mode = yes
>>         # to the LDAP database by using the StartTLS extended
>>         # operation.
>>         #
>>         # The StartTLS operation is supposed to be
>>         # used with normal ldap connections instead of
>>         # using ldaps (port 689) connections
>>         start_tls = yes
> == this is not compliant with an ldaps server
> use start_tls=no
>
> By the way, Alan and other Gurus, I think there is a small typo in the comment:
> # using ldaps (port 689) connections
> Should be
> # using ldaps (port 636) connections
>
> HTH,
> Thibault
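The distinction drawn in this message (ldaps on port 636 versus StartTLS on port 389) and the `require_cert` levels listed in the module comments can be checked mechanically. The following is an added example, not part of the thread or of FreeRADIUS: a small linter over an `ldap { ... }` block. The sample block, host name, function names and the port default of 389 are assumptions made for the example.

```python
# Constructed sample modelled on the module block quoted in the thread;
# the host name and CA path are placeholders.
BROKEN = """
ldap people_search {
    server = ldap1.example.org
    port = 636
    filter = (cn=%u)
    tls {
        start_tls = yes        # StartTLS requested on the ldaps port
        cacertfile = /etc/openssl/certs/ca.pem
        require_cert = allow
    }
}
"""

FIXED = (BROKEN.replace("start_tls = yes", "start_tls = no")
               .replace("require_cert = allow", "require_cert = demand"))


def parse_module(text):
    """Flatten one module block into {"port": "636", "tls.start_tls": "yes", ...}.

    Minimal parser for this example: one setting per line, "#" starts a
    comment (so a value containing "#" would be cut short).
    """
    settings, sections = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            words = line[:-1].split()
            sections.append(words[0] if words else "")   # "ldap", then "tls"
        elif line == "}":
            if sections:
                sections.pop()
        else:
            key, sep, value = line.partition("=")        # first "=" only
            if sep:
                path = sections[1:] + [key.strip()]      # drop the outer "ldap"
                settings[".".join(path)] = value.strip()
    return settings


def lint(settings):
    """Return a list of (severity, setting, message) findings."""
    findings = []
    port = int(settings.get("port", "389"))              # assumed default
    start_tls = settings.get("tls.start_tls", "no").lower() == "yes"
    # "The default is allow", per the comment in the quoted module block.
    require_cert = settings.get("tls.require_cert", "allow").lower()

    if port == 636 and start_tls:
        findings.append(("error", "start_tls",
                         "port 636 is ldaps, where TLS starts with the connection; "
                         "StartTLS belongs on a plain LDAP port, so set start_tls = no"))
    elif port == 389 and not start_tls:
        findings.append(("warning", "start_tls",
                         "plain LDAP without StartTLS: the bind password is sent unencrypted"))
    if require_cert in ("never", "allow"):
        findings.append(("warning", "require_cert",
                         f"require_cert = {require_cert} continues even when the server "
                         "certificate cannot be verified; use demand"))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        findings = lint(parse_module(text))
        print(name, "->", "ok" if not findings else "")
        for severity, setting, message in findings:
            print(f"  {severity}: {setting}: {message}")
```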
Re: authenticating to ldaps/tls
>>> use start_tls=no
>>
>> fails also,
>
> Maybe but keep it to no

did that, still fails with the same message

>> it seems to have a problem with the cert and/or cert directory:
>>
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
>> rlm_ldap: setting TLS mode to 1
>> rlm_ldap: could not set LDAP_OPT_X_TLS option Success
>
> ?? this is confusing... could that mean that your ldap library wasn't compiled with ssl support... I'm not sure
> see http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09575.html (but this is a rather old post)

The version openssl I'm using is:

OpenSSL 0.9.8i 15 Sep 2008

The CA certificate is valid for the ldap server because the client connects when I test with...

openssl s_client -CAfile SVMHS_CA_SSL_Server.pem -connect ldap1.stvincents.com.au:636

Freeradius was compiled as follows:

./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include --with-radacctdir=/var/log/freeradius/radacct --with-raddbdir=/etc/freeradius --with-openssl-includes=/etc/include/openssl --with-openssl-libraries=/usr/lib

cheers
Peter
authenticating to ldaps/tls
Hi all,

I'm trying to authenticate to a LDAPS backend but failing. Any suggestions?

My freeradius version:

radiusd: FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu, built on Nov 21 2008 at 07:54:33

My ldap module settings:

ldap people_search {
    server = ldap1.stvincents.com.au
    port = 636
    identity = cn=admin,o=org,c=au
    password = ***
    filter = (cn=%u)
    basedn = ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
    tls {
        tls_mode = yes
        # to the LDAP database by using the StartTLS extended
        # operation.
        #
        # The StartTLS operation is supposed to be
        # used with normal ldap connections instead of
        # using ldaps (port 689) connections
        start_tls = yes
        cacertfile= /etc/openssl/certs/SVMHS_CA_SSL_Server.cer    # note: chained CA cert
        cacertdir = /etc/openssl/certs/
        #certfile = /etc/openssl/certs/spud-jr.cer
        # keyfile = /path/to/radius.key
        # randfile = /path/to/rnd
        # Certificate Verification requirements. Can be:
        #never (don't even bother trying)
        #allow (try, but don't fail if the cerificate
        # can't be verified)
        #demand (fail if the certificate doesn't verify.)
        #
        # The default is allow
        require_cert = allow
    }

-X output messages:

[people_search] performing user authorization for pparam
[people_search] expand: (cn=%u) - (cn=pparam)
[people_search] expand: ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au - ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.stvincents.com.au:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert File to /etc/openssl/certs/SVMHS_CA_SSL_Server.cer
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to /etc/openssl/certs/SVMHS_CA_SSL_Server.cer
rlm_ldap: setting TLS CACert Directory to /etc/openssl/certs/
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTDIR option to /etc/openssl/certs/
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Success
rlm_ldap: (re)connection attempt failed
[people_search] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[people_search] returns fail
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Delaying reject of request 0 for 1 seconds
Going to the next request
EAP authentication with Cisco AP
Hi All,

I have been trying, unsuccessfully, to get a windows supplicant (as shipped with Vista) to authenticate via freeradius/ldap. The freeradius/ldap combo works well with the existing VPN authen/auth that we have here on campus but not with EAP. I'm not sure what or where to go from here ...any pointers?

freeradius logging:

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.56.7.81:1645, id=246, length=130
    User-Name = timmy
    Framed-MTU = 1400
    Called-Station-Id = 0013.6067.bcb0
    Calling-Station-Id = 001b.7728.a8c0
    Service-Type = Login-User
    Message-Authenticator = 0x7d2246236182294e8085da177383f3b4
    EAP-Message = 0x0202000801746e67
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 6722
    NAS-IP-Address = 10.56.7.81
    NAS-Identifier = svhwapmed0301
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = timmy, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 2 length 8
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
modcall[authorize]: module files returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for timmy
radius_xlat: '(cn=timmy)'
radius_xlat: 'ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap-dev.stvincents.com.au:389, authentication 0
rlm_ldap: bind as cn=superuser,o=schs,c=au/ldapadmin to ldap-dev.stvincents.com.au:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au, with filter (cn=timmy)
rlm_ldap: checking if remote access for timmy is allowed by cn
rlm_ldap: Password header not found in password timmysPASSWORD for user timmy
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value timmysPASSWORD op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user timmy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module people_search returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module eap returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 246 to 10.56.7.81 port 1645
    EAP-Message = 0x010300160410da433545ecf08558fb23fb9d7a1e9251
    Message-Authenticator = 0x
    State = 0x84dc68e3b83cac07d2bdde56656fa45b
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.56.7.81:1645, id=247, length=146
    User-Name = timmy
    Framed-MTU = 1400
    Called-Station-Id = 0013.6067.bcb0
    Calling-Station-Id = 001b.7728.a8c0
    Service-Type = Login-User
    Message-Authenticator = 0x80896aec4445abeab1b82e57df662896
    EAP-Message = 0x020300060319
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 6722
    State = 0x84dc68e3b83cac07d2bdde56656fa45b
    NAS-IP-Address = 10.56.7.81
    NAS-Identifier = svhwapmed0301
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = timmy, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 1
modcall[authorize]: module files returns notfound for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for timmy
radius_xlat: '(cn=timmy)'
radius_xlat: 'ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
Re: unable to compile with openssl libraries
Hi again,

Eventually, I was able to create the package and install it on my debian server. Now when I run it, I get the following output:

rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Failed to link EAP-Type/tls: /usr/lib/freeradius/rlm_eap_tls.so: undefined symbol: cbtls_password
radiusd.conf[1]: eap: Module instantiation failed.
radiusd.conf[365] Unknown module eap.
radiusd.conf[350] Failed to parse authenticate section.

The tls Section:

tls {
    private_key_password = whatever
    private_key_file = ${raddbdir}/certs/cert-srv.pem
    certificate_file = ${raddbdir}/certs/cert-srv.pem
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random
    #fragment_size = 1024
    #include_length = yes
    #check_crl = yes
    #check_cert_cn = %{User-Name}
}

cheers
Peter

[EMAIL PROTECTED] 12/04/06 4:08 PM
> Peter Param wrote:
>> dpkg-checkbuilddeps: Unmet build dependencies: debhelper (= 4.2.32) dpatch (= 2) autotools-dev libtool (= 1.5) libltdl3-dev libpam0g-dev libmysqlclient15-dev | libmysqlclient14-dev | libmysqlclient-dev libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev snmp libsnmp9-dev | libsnmp5-dev | libsnmp4.2-dev libpq-dev | postgresql-dev libssl-dev
>
> Have you tried installing those packages? It gives you a list of required and optional packages. I would suggest debhelper, dpatch, autotools-dev, libtool, libltld3-dev, and libssl-dev.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
unable to compile with openssl libraries
Hi all,

I'm using Linux debian 2.6.8-2-386 and I am unable to compile with openssl libraries even tho openssl has been installed (separately).

configure: WARNING: silently not building rlm_eap_peap.
configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.

I downloaded the source for freeradius (1.1.3) and used

./configure --with-openssl-includes=/usr/local/ssl/include/openssl/ --with-openssl-libraries=/lib/

I'm able to compile but get the following runtime error:

rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory

cheers
Peter
Re: unable to compile with openssl libraries
Debian licensing prohibits the installation of openssl as part of its packaging and hence why I downloaded the individual tarballs to work around this issue.

[EMAIL PROTECTED] 12/04/06 11:12 AM

On Mon, Dec 04, 2006 at 10:50:42AM +1100, Peter Param said:
> Hi all, I'm using Linux debian 2.6.8-2-386 and I am unable to compile with openssl libraries even tho openssl has been installed (separately).
>
> configure: WARNING: silently not building rlm_eap_peap.
> configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
>
> I downloaded the source for freeradius (1.1.3) and used
> ./configure --with-openssl-includes=/usr/local/ssl/include/openssl/ --with-openssl-libraries=/lib/

This looks wrong, at first glance. Did you actually install the headers under /usr/local/ssl/include/openssl/ and install the libraries under /lib ? And why not use the readily accessible Debian openssl packages, that have security support?

> I'm able to compile but get the following runtime error:
> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory

Well, it probably wasn't built, so that's not a huge surprise.

--
| Stephen Gran                  | Today is the tomorrow you worried about |
| [EMAIL PROTECTED]             | yesterday.                              |
| http://www.lobefin.net/~steve |                                         |
Re: unable to compile with openssl libraries
Thanks for clarifying the GPL vs Openssl license issue. I did an apt-get install openssl but still no joy.

Stephen Gran [EMAIL PROTECTED] 12/04/06 11:30 AM

On Mon, Dec 04, 2006 at 11:19:24AM +1100, Peter Param said:
> Debian licensing prohibits the installation of openssl as part of its packaging and hence why i downloaded the individual tarballs to work around this issue.

No, you've misunderstood the problem (not surprising, many people have). The GPL prohibits distributing GPL binaries linked against GPL incompatible libraries. 'Debian licensing' (were it to exist) has nothing to do with it. Debian is unable to redistribute the binary applications you want - you are free, however, to make them for personal use. You are free to make them from the distributed Debian binaries, even.

--
| Stephen Gran                  | Anything cut to length will be too |
| [EMAIL PROTECTED]             | short.                             |
| http://www.lobefin.net/~steve |                                    |
Re: unable to compile with openssl libraries
is this from the original 1.1.3 freeradius tarball or do you mean I should apt-get freeradius as well?

./configure [no parameters] output as follows:

checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for AIX... no
checking whether gcc needs -traditional... no
checking whether we are using SUNPro C... no
checking for ranlib... ranlib
checking whether byte ordering is bigendian... no
checking for gmake... no
checking for make... /usr/bin/make
checking for lt_dlinit in -lltdl... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for a sed that does not truncate output... /bin/sed
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for /usr/bin/ld option to reload object files... -r
checking for BSD-compatible nm... /usr/bin/nm -B
checking whether ln -s works... yes
checking how to recognise dependent libraries... pass_all
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking dlfcn.h usability... yes
checking dlfcn.h presence... yes
checking for dlfcn.h... yes
checking for g++... no
checking for c++... no
checking for gpp... no
checking for aCC... no
checking for CC... no
checking for cxx... no
checking for cc++... no
checking for cl... no
checking for FCC... no
checking for KCC... no
checking for RCC... no
checking for xlC_r... no
checking for xlC... no
checking whether we are using the GNU C++ compiler... no
checking whether g++ accepts -g... no
checking for g77... no
checking for f77... no
checking for xlf... no
checking for frt... no
checking for pgf77... no
checking for fort77... no
checking for fl32... no
checking for af77... no
checking for f90... no
checking for xlf90... no
checking for pgf90... no
checking for epcf90... no
checking for f95... no
checking for fort... no
checking for xlf95... no
checking for ifc... no
checking for efc... no
checking for pgf95... no
checking for lf95... no
checking for gfortran... no
checking whether we are using the GNU Fortran 77 compiler... no
checking whether accepts -g... no
checking the maximum length of command line arguments... 32768
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for objdir... .libs
checking for ar... ar
checking for ranlib... (cached) ranlib
checking for strip... strip
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC
checking if gcc PIC flag -fPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking whether the gcc linker (/usr/bin/ld) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking for shl_load... no
checking for shl_load in -ldld... no
checking for dlopen... no
checking for dlopen in -ldl... yes
checking whether a program can dlopen itself... yes
checking whether a statically linked program can dlopen itself... no
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
configure: creating libtool
appending configuration tag CXX to libtool
appending configuration tag F77 to libtool
checking docdir... ${datadir}/doc/freeradius
checking logdir... ${localstatedir}/log/radius
checking radacctdir... ${logdir}/radacct
checking raddbdir... ${sysconfdir}/raddb
checking for perl... /usr/bin/perl
checking for snmpget... no
configure: WARNING: s
Re: unable to compile with openssl libraries
oops my mail client truncated the text! Attached is the output of configure.

cheers
Pete

Stephen Gran [EMAIL PROTECTED] 12/04/06 12:04 PM

On Mon, Dec 04, 2006 at 11:44:56AM +1100, Peter Param said:
> Thanks for clarifying the GPL vs Openssl license issue. I did an apt-get install openssl but still no joy.

Take a look at debian/rules in the source directory of freeradius. There are a couple of variables (buildssl and modulelist) that have one value by default, but are easily switched to another value if you switch the comments. That should do it for you, and if not, please file a bug report or provide output so that I can debug it.

Take care,
--
| Stephen Gran                  | I'm having an EMOTIONAL OUTBURST!!   |
| [EMAIL PROTECTED]             | But, uh, WHY is there a WAFFLE in my |
| http://www.lobefin.net/~steve | PAJAMA POCKET??                      |
Re: unable to compile with openssl libraries
what configure flags should I pass to allow for rlm_eap ...I thought the defaults should work?

Stephen Gran [EMAIL PROTECTED] 12/04/06 1:17 PM

On Mon, Dec 04, 2006 at 12:13:59PM +1100, Peter Param said:
> is this from the original 1.1.3 freeradius tarball or do you mean I should apt-get freeradius as well?

That's what I was working from. They are slightly skewed.

On Mon, Dec 04, 2006 at 12:16:59PM +1100, Peter Param said:
> oops my mail client truncated the text! Attached is the output of configure.

> configure: WARNING: skipping test for openssl/ssl.h

It sounds like you didn't pass the right configure flags.

--
| Stephen Gran                  | Rascal, am I? Take THAT! -- Errol |
| [EMAIL PROTECTED]             | Flynn                             |
| http://www.lobefin.net/~steve |                                   |
Re: unable to compile with openssl libraries
I've tried that but I get the following errors:

debian:~/freeradius-1.1.3# dpkg-buildpackage -b -uc
dpkg-buildpackage: source package is freeradius
dpkg-buildpackage: source version is 1.1.3-0
dpkg-buildpackage: source changed by Nicolas Baradakis [EMAIL PROTECTED]
dpkg-buildpackage: host architecture i386
dpkg-buildpackage: source version without epoch 1.1.3-0
dpkg-checkbuilddeps: Unmet build dependencies: debhelper (= 4.2.32) dpatch (= 2) autotools-dev libtool (= 1.5) libltdl3-dev libpam0g-dev libmysqlclient15-dev | libmysqlclient14-dev | libmysqlclient-dev libgdbm-dev libldap2-dev libsasl2-dev libiodbc2-dev libkrb5-dev snmp libsnmp9-dev | libsnmp5-dev | libsnmp4.2-dev libpq-dev | postgresql-dev libssl-dev
dpkg-buildpackage: Build dependencies/conflicts unsatisfied; aborting.
dpkg-buildpackage: (Use -d flag to override.)

cheers
Peter

[EMAIL PROTECTED] 12/04/06 1:27 PM

Peter Param wrote:
> Debian licensing prohibits the installation of openssl as part of its packaging and hence why i downloaded the individual tarballs to work around this issue.

See the Wiki. There are instructions for building the server on Debian. You do NOT have to play with configure, command-line options, or anything else like that.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: unable to compile with openssl libraries
The following hasn't worked for me either:

./configure --with-openssl-includes=/usr/local/ssl/include/ --with-openssl-libraries=/usr/local/ssl/lib/

cheers
Peter

Stephen Gran [EMAIL PROTECTED] 12/04/06 1:42 PM

On Mon, Dec 04, 2006 at 01:22:56PM +1100, Peter Param said:
> what configure flags should I pass to allow for rlm_eap ...I thought the defaults should work?

You need to pass at least --with-openssl-libraries, I see now. That is probably a bug in the Debian packaging as well. I'll take a look at that shortly.

--
| Stephen Gran                  | aav coffee on an empty stomach is     |
| [EMAIL PROTECTED]             | pretty nasy knghtbrd aav: time to run |
| http://www.lobefin.net/~steve | to the vending machine for cheetos    |
|                               | aav cheetos? :)                       |
Re: unable to compile with openssl libraries
no good. when I configure with:

./configure --with-openssl-includes=/usr/local/ssl --with-openssl-libraries=/usr/local/ssl

cheers
Peter

Stephen Gran [EMAIL PROTECTED] 12/04/06 1:42 PM

On Mon, Dec 04, 2006 at 01:22:56PM +1100, Peter Param said:
> what configure flags should I pass to allow for rlm_eap ...I thought the defaults should work?

You need to pass at least --with-openssl-libraries, I see now. That is probably a bug in the Debian packaging as well. I'll take a look at that shortly.

--
| Stephen Gran                  | aav coffee on an empty stomach is     |
| [EMAIL PROTECTED]             | pretty nasy knghtbrd aav: time to run |
| http://www.lobefin.net/~steve | to the vending machine for cheetos    |
|                               | aav cheetos? :)                       |
Problems installing
hi all,

I'm trying to install FR onto a new box but am getting errors during make. I'm using Linux debian 2.6.8-2-386.

./configure --with-openssl-libraries=/usr/local/ssl/include/openssl/ --with-rlm-perl-lib-dir=/usr/lib/perl/ --with-snmp=no

errors during make:

*** Warning: Linking the shared library rlm_perl.la against the
*** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not portable!
gcc -shared .libs/rlm_perl.o -Wl,--rpath -Wl,/root/freeradius-1.1.3/src/lib/.libs -Wl,--rpath -Wl,/usr/local/lib /root/freeradius-1.1.3/src/lib/.libs/libradius.so -L/usr/local/lib /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE -lperl -ldl -lm -lc -lcrypt -lnsl -lresolv -lpthread -Wl,-E -Wl,-soname -Wl,rlm_perl-1.1.3.so -o .libs/rlm_perl-1.1.3.so
/usr/bin/ld: cannot find -lperl
collect2: ld returned 1 exit status
make[6]: *** [rlm_perl.la] Error 1
make[6]: Leaving directory `/root/freeradius-1.1.3/src/modules/rlm_perl'
make[5]: *** [common] Error 2
make[5]: Leaving directory `/root/freeradius-1.1.3/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/root/freeradius-1.1.3/src/modules'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/root/freeradius-1.1.3/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/freeradius-1.1.3/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/root/freeradius-1.1.3'
make: *** [all] Error 2
Re: Problems installing
ah yes. Thanks it worked.

[EMAIL PROTECTED] 12/01/06 11:21 AM

On Fri, Dec 01, 2006 at 10:06:07AM +1100, Peter Param said:
> hi all, I'm trying to install FR onto a new box but am getting errors during make. I'm using Linux debian 2.6.8-2-386.
>
> ./configure --with-openssl-libraries=/usr/local/ssl/include/openssl/ --with-rlm-perl-lib-dir=/usr/lib/perl/ --with-snmp=no
>
> errors during make:
> *** Warning: Linking the shared library rlm_perl.la against the
> *** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not portable!
> gcc -shared .libs/rlm_perl.o -Wl,--rpath -Wl,/root/freeradius-1.1.3/src/lib/.libs -Wl,--rpath -Wl,/usr/local/lib /root/freeradius-1.1.3/src/lib/.libs/libradius.so -L/usr/local/lib /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE -lperl -ldl -lm -lc -lcrypt -lnsl -lresolv -lpthread -Wl,-E -Wl,-soname -Wl,rlm_perl-1.1.3.so -o .libs/rlm_perl-1.1.3.so
> /usr/bin/ld: cannot find -lperl

apt-get install libperl-dev

--
| Stephen Gran                  | Though I'll admit readability suffers |
| [EMAIL PROTECTED]             | slightly... -- Larry Wall             |
| http://www.lobefin.net/~steve | in [EMAIL PROTECTED]                  |
Redundant LDAP servers
hi all,

is it possible to have multiple ldap servers for lookup for redundancy purposes in a similar way below?

ldap {
    server = ldap1.myorg.com, ldap2.myorg.com, ldap3.myorg.com
    login= cn=admin,o=myorg,c=au
    password = mypass
}

cheers
Peter
Multiple search contexts in LDAP
hey all,

I would like to have multiple search contexts to get around ambiguous search results due to duplicate object names found in branches under the same

basedn = ou=darlinghurst,ou=nsw,o=myorg,c=au

For instance, I would like to search

ou=people,ou=darlinghurst,ou=nsw,o=myorg,c=au
ou=roles,ou=darlinghurst,ou=nsw,o=myorg,c=au

only and not all other branches under the ou=darlinghurst branch. Is this possible?

currently I've got set in radiusd.conf for LDAP searches:

ldap {
    server = myldap
    identity = cn=superuser,o=myorg,c=au
    password = mypassword
    filter = (cn=%u)
    basedn = ou=darlinghurst,ou=nsw,o=myorg,c=au
    #basedn = ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au
    -
    -
}

cheers
Peter
Re: Multiple search contexts in LDAP
multiple 'ldap { }' in radiusd.conf?

cheers
Peter

[EMAIL PROTECTED] 11/13/06 11:49 AM

Peter Param wrote:
> hey all, I would like to have multiple search contexts to get around ambiguous search results due to duplicate object names found in branches under the same
> basedn = ou=darlinghurst,ou=nsw,o=myorg,c=au
> Peter

Hi Peter,

You could try using multiple instances of the ldap module, one to search one ou and the other to search the other ou, then invoke them one after the other wherever you currently invoke the single ldap instance.

Cheers,
--
James Wakefield, Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED]
Website: http://www.deakin.edu.au
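The suggestion in the reply above, written out as a radiusd.conf fragment. This is an added example, not configuration posted by anyone in the thread; the instance names ldap_people and ldap_roles are assumptions, and the server, identity, password and filter values are the placeholders from the original question.

```conf
# Added example: two named instances of the ldap module, one per branch.
# "ldap_people" and "ldap_roles" are hypothetical instance names.
modules {
    ldap ldap_people {
        server = "myldap"
        identity = "cn=superuser,o=myorg,c=au"
        password = "mypassword"
        filter = "(cn=%u)"
        # Search only the people branch.
        basedn = "ou=people,ou=darlinghurst,ou=nsw,o=myorg,c=au"
    }

    ldap ldap_roles {
        server = "myldap"
        identity = "cn=superuser,o=myorg,c=au"
        password = "mypassword"
        filter = "(cn=%u)"
        # Search only the roles branch.
        basedn = "ou=roles,ou=darlinghurst,ou=nsw,o=myorg,c=au"
    }
}

authorize {
    # ... other modules as before ...

    # These two entries replace the single "ldap" entry. Each instance
    # searches its own branch, so the other branches under ou=darlinghurst
    # are never searched.
    ldap_people
    ldap_roles
}
```

Any other section that currently lists the single ldap instance needs the same substitution.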
multiline line values for Cisco-AVPair (in ldap.attrmap)
hey,

I've got Cisco-AVPair for an ldap.attrmap entry and it works ...but unfortunately only for the first occurrence of that attribute from the LDAP schema (it will pick the first in the schema). How do I map and return four Cisco-AVPair entries? Is there a particular multiline separator that I should use ...or do I use the attribute re-entrantly?

The device in question is a Cisco VPN3000 concentrator and I'm running ver 1.1.1 freeradius.

cheers
Peter