See the download directory.
The kind folks at Wiretapped.net have put up a mirror in Australia. It contains the complete OpenRADIUS download directory. Thanks!
This is the third maintenance release for 0.9.12. A security bug was fixed in the LDAP module.
Details: if the DN-as-pseudo-attribute feature was activated by adding 'dn' to your radldap.attrmap, long DN values could trigger a buffer overflow in the radldap submodule. This could possibly allow arbitrary code originating from the database to be run as the user radldap runs as, which in default installations is the same user the main server runs as.
Workarounds: remove the 'dn' from radldap.attrmap if it's not needed by your behaviour file, consider your LDAP database trusted, or upgrade to 0.9.12c.
This is the second maintenance release for 0.9.12, containing a number of fixes for LDAP backends. LDAP support had not been updated to reflect recent changes in the internal dictionary, causing it to fail completely.
Also, the LDAP module's error handling when dealing with server side disconnects has been improved, removing the need for setting the 'rebind-after-every-search' flag in many installations, thus improving performance.
For more information, please see the changelog.
This is the first maintenance release for 0.9.12, fixing a problem in the installation script and removing unused EAP stub work, as that was unusable and is done completely differently in 0.9.13 anyway.
Because 0.9.13 will break compatibility so severely that no existing behaviour file will run unchanged, I will do bugfixes and maintenance on 0.9.12 and release them as letter-revisions. Consider 0.9.12 the "last stable release before the big behaviour language changes".
This release mostly concerns new features for use with SQL backends. The example configuration and behaviour files for SQL are modernized to reflect recent improvements. You can now use SQL transactions without being limited to a single radsql subprocess, because of an elegant way to allow all subsequent calls to a module to be routed to the same subprocess, even if the module interface defines more than one. Also, radsql allows you to obtain the sequence number that was used as the primary key for newly inserted records, for databases that support it.
Some minor changes were made to the behaviour language as well. Please see the changelog for more details.
In 0.9.11, I completely forgot to verify that the distributed configuration files were up to date with my development set. This caused a non-functioning default install. Sorry. For the remainder of the release notes and the changelog, please see below.
A lot of time has passed, during which a lot of bugfixes and new features were done. New language operators, updated example behaviour files, a fix for a bug that prevented the server from working on AMD64 at all (and other platforms with 'interesting' stdarg implementations), complete RFC2869 support, including Message-Authenticator and a framework for EAP support, including a subserver to decode EAP packets and execute EAP policies (that module is work in progress, don't rely on it yet), attribute splitting and joining, long password support, and many more good things. Please see the changelog.
One important thing to note: if you have written binary modules, you must update your check for the received magic value in the header, as the value has been changed. The change is necessary to prepare for modules that may send 'RADIUS' requests via the module interface to the main server as well as regular module responses. Please see the changelog for more details.
A complete example configuration for keeping metered pre-paid accounts in MySQL has been added. The dictionary has been restructured to allow access to the whole packet. Together with the new 'pokeav' operator, this makes checking of packet signatures much cleaner and easier, preparing for Message-Authenticator support. A contributed improvement to radldap allows you to bind on an object that was returned by a prior search. Logging has been made friendlier. An operator was added to rewrite MAC addresses in a canonical format. Some minor bugfixes were made as well; for details, please see the changelog.
This release adds an example schema and configuration/behaviour combo for PostgreSQL, and a feature to radsql to turn autocommit off for databases that support it. The new behaviour files demonstrate how you can use that to create multi-statement transactions.
Much more important is that complete proxying support is finally done!
This was achieved by extending the radius client to allow specification of target servers, ports and secrets in RADIUS attributes, and enhancing the module interface to allow modules to generate interleaved responses. This feature can be enabled on a per-interface basis in the configuration file, by increasing the default window size of 1 and specifying an attribute to hold job reference numbers. See the new configuration- and behaviour files for ASCII files and Postgres for details.
This work was sponsored by WinQ B.V., many thanks.
Note: this release contains a minor bug in the default example configuration. Please run 'touch /usr/local/etc/openradius/legacy/nases' if you see an instance of 'ascfile' restarting every second. There is also a recommended patch that fixes a compiler error and a border case when recovering from a crashing module.
This release contains a number of enhancements to the behaviour language, most notably the accept, reject and acctresp versions of the halt operator, that set RAD-Code and filter inappropriate reply attributes for the response as defined in the dictionary.
It's been out for quite a while, but I hadn't announced it because I first wanted to move the mailing list to a new machine, in order to make it available 24/7 again. This project suffered a few delays, sadly, but it's finally done.
There are also a few bugs fixed, some enhancements to the example MySQL configuration, a tool for creating precompiled Ascend-Data-Filter attributes, some enhancements to radlogger, radldap and radclient, and a new module to authenticate users using SMB (Windows NT). Thanks, Brian BcGraw and Brian Candler, for your contributions!
This release's focus is SQL support. OpenRADIUS now supports MySQL, Postgres, Oracle, Sybase, DB2, Informix, Interbase, and others, through Perl's stable and powerful DBD drivers. A few small improvements were made in other areas as well. See the changelog for more information.
This is a minor release that contains some bugfixes and documentation for the new RADIUS client. For details, please see the changelog.
A lot of improvements over 0.9.4. Highlights:
Also, the installation procedure will not install any files in that directory if it already exists, but inform you that your old configuration will be used instead.
As always, please see the changelog for more information.
This is a long overdue cleanup and bugfix release, that also includes some changes to the behaviour language.
These changes were indicated earlier, but sadly cause some incompatibilities that cannot be avoided if the current mess in the naming of the conversion operators is to be cleaned up. Instead of the 'as...' operators that sometimes indicated the source type and sometimes the destination type, a clearer scheme is implemented now that uses these unary postfix operators:
As for the bugfixes, most notably the second vulnerability in CERT CA-2002-06 has now been addressed as well. The first hasn't been present since 0.9.3 - see also this message. As a nice side effect, it now gives much better diagnostic information about invalid packets.
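Added example, not taken from the OpenRADIUS sources: the second issue in CERT CA-2002-06 concerns inadequate validation of the Vendor-Length of vendor-specific attributes. The C function below shows length validation of that kind over a raw RADIUS packet, returning a distinct code per failure so a rejected packet can be logged with a precise reason. The names rad_validate and rad_check are hypothetical, and vendor-specific attributes are assumed to use the sub-attribute layout recommended in RFC 2865.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes double as diagnostics for rejected packets (hypothetical names). */
enum rad_check {
    RAD_OK = 0,
    RAD_SHORT_PACKET,   /* fewer than the 20 header bytes received        */
    RAD_BAD_LENGTH,     /* header Length < 20, > 4096 or > bytes received */
    RAD_BAD_ATTR_LEN,   /* attribute Length < 2 or runs past the packet   */
    RAD_BAD_VSA_LEN     /* VSA too short, or Vendor-Length < 2 / too long */
};

#define RAD_HDR_LEN 20          /* Code, Identifier, Length, Authenticator */
#define RAD_MAX_LEN 4096
#define RAD_VENDOR_SPECIFIC 26

/* Validate every length field before any attribute value is copied. */
enum rad_check rad_validate(const uint8_t *p, size_t received)
{
    if (received < RAD_HDR_LEN) return RAD_SHORT_PACKET;
    size_t total = ((size_t)p[2] << 8) | p[3];
    if (total < RAD_HDR_LEN || total > RAD_MAX_LEN || total > received)
        return RAD_BAD_LENGTH;

    size_t off = RAD_HDR_LEN;
    while (off < total) {
        if (total - off < 2) return RAD_BAD_ATTR_LEN;
        uint8_t type = p[off], alen = p[off + 1];
        if (alen < 2 || alen > total - off) return RAD_BAD_ATTR_LEN;
        if (type == RAD_VENDOR_SPECIFIC) {
            /* Assumed layout: Type, Length, 4-byte Vendor-Id, then
               (Vendor-Type, Vendor-Length, data) sub-attributes. */
            if (alen < 8) return RAD_BAD_VSA_LEN;
            size_t sub = off + 6, end = off + alen;
            while (sub < end) {
                if (end - sub < 2) return RAD_BAD_VSA_LEN;
                uint8_t vlen = p[sub + 1];
                /* vlen < 2 would make (vlen - 2) negative in a later copy. */
                if (vlen < 2 || vlen > end - sub) return RAD_BAD_VSA_LEN;
                sub += vlen;
            }
        }
        off += alen;
    }
    return RAD_OK;
}
```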
For all other changes, please refer to the changelog. And as always, test before upgrading, and make a copy of your raddb directory before typing 'make install', as that installs the distributed example files, overwriting your current configuration.
A couple of important bugs in last release's sample behaviour files were fixed; specifically one that caused CHAP to not work at all, and one in behaviour.sample-ldap-authbind that allowed all non-PAP users in, regardless of their password, if a user's LDAP object could be accessed using an anonymous bind.
Another bug, introduced in the last release by a last-minute change to the current directory setting for modules, caused the ascfile module as used in some of the example behaviour files to look for its data in the wrong place. This has been fixed; modules now get the raddb directory used by the server as their cwd, and their configuration files will be stored under raddb/modules.
The last release wasn't a particularly successful one. This one should be better; see the changelog for more information.
This release adds a lot of LDAP functionality: an example schema, a more complete LDAP-to-RADIUS mapping file, and working examples for the configuration- and behaviour files.
Other than that, this is most of all a bugfix release: some cleanups were done, some rare corner cases properly tested and fixed where necessary, and a few memory leaks were plugged. There should be none left.
Also, some portability enhancements have been made; the server now runs on GNU/Linux, NetBSD, BSDi, Solaris (only tested with gcc) and Compaq Tru64 Unix (built with Compaq's own compiler). Note that still only GNU make is supported, although NetBSD's appeared to work as well.
As always, make sure your raddb directory is backed up before doing 'make install' after compiling; there is no automated upgrade procedure.
The most important thing in this release is the new LDAP module. It can be used to perform arbitrary directory searches from the behaviour file, and for doing authentication using LDAP bind operations. It supports persistent connections and a fully configurable LDAP to RADIUS attribute mapping.
The module was tested with OpenLDAP, but should also support the University of Michigan's implementation and others based on it.
As always, make sure your raddb directory is backed up before doing 'make install' after compiling; there is no automated upgrade procedure.
Contrary to the previous (0.9) release, this one has been actually tested again on the three platforms I currently have access to (GNU/Linux, BSDi and Solaris). It should work on many more, so please tell me about problems and successes, especially when building.
Some other minor bugfixes and feature additions were done as well; see the changelog for more details.
This release adds a simple Unix password database module, an example behaviour file that makes use of that, a lot more documentation and a few less bugs. See the changelog for more details.
There is no automated upgrade procedure, so be sure to back up your raddb directory before doing 'make install'.
Sadly, some incompatible changes to the dictionary and behaviour file language were necessary. Review your current configuration-, behaviour- and/or legacy users files to check if you used any of the following attributes before copying any of them back over the newly installed files in raddb:
As part of the language cleanup, the precedence of the operators '.', 'md5' and 'hex' was changed, to group them more sensibly. Now, all unary operators have precedence above binary ones, and all ordinal operators have precedence over string handling ones. See the language documentation, paragraph 4.1 and below for more details.
In some very rare cases (eg. if you placed a term immediately after 'abort'), you may need to verify that the behaviour file is still accepted when the server is started. This is due to the change made to a few operators which now return an integer (context) instead of resetting the context, which caused terms to be re-allowed immediately after they are closed. The affected operators are:
Lastly, the comma operator is not allowed anymore in context 'none', so expressions like 1,,2 or 1+(,3) are not valid anymore.
This is the first public release. The server should definitely be stable, but hasn't been proven yet. Although great care went into error handling and memory leak prevention, I'm sure that bugs will still be present. So please, try it out, and report any problems you may find.
The server and modules distributed in this release were built and tested successfully on the following platforms:
I also haven't been able to get the same makefiles to work on both GNU and BSD make - if anybody knows a portable way of doing makefile includes, please let me know.
This release includes the following: