This is the third maintenance release for 0.9.12. A security bug was fixed
in the LDAP module.
Details: if the DN-as-pseudo-attribute feature was activated by adding 'dn'
to your radldap.attrmap, long DN values could trigger a buffer overflow in the
radldap sub module, possibly allowing arbitrary code originating from the
database to be run as the user radldap runs as, which is the same as the user
the main server runs as in default installations.
Workarounds: remove the 'dn' from radldap.attrmap if it's not needed by your
behaviour file, consider your LDAP database trusted, or upgrade to 0.9.12c.
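The defect described above is a directory-supplied DN copied into a fixed-size attribute buffer. The following is an added illustration, not OpenRADIUS code: a length-checked mapping of a DN into a RADIUS attribute that refuses values the wire format cannot carry. The function names and the attribute type 99 are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 2865: an attribute is Type(1) Length(1) Value, with Length <= 255,
 * so at most 253 bytes of value fit in a single attribute. */
#define RAD_ATTR_MAXVAL 253

/* Encode `dn` as attribute `type` into out[0..outlen).  Returns the encoded
 * attribute length, or -1 if the DN cannot be carried.  The DN is data from
 * the directory; an unchecked strcpy() into a fixed value buffer here is the
 * shape of defect the 0.9.12c note describes, so the length is checked against
 * both the wire limit and the caller's buffer before anything is copied.
 * (Hypothetical function, not the radldap implementation.) */
int encode_dn_attr(uint8_t *out, size_t outlen, uint8_t type, const char *dn)
{
    size_t n = strlen(dn);
    if (n == 0 || n > RAD_ATTR_MAXVAL)
        return -1;                  /* does not fit the wire format: refuse */
    if (outlen < n + 2)
        return -1;                  /* caller's buffer too small: refuse */
    out[0] = type;
    out[1] = (uint8_t)(n + 2);
    memcpy(out + 2, dn, n);
    return (int)(n + 2);
}

/* Encode into a scratch buffer and report only the result. */
int dn_attr_len(const char *dn)
{
    uint8_t buf[255];
    return encode_dn_attr(buf, sizeof buf, 99 /* hypothetical type */, dn);
}

/* Result for a constructed DN of n 'a' characters (n < 1000). */
int synthetic_dn_len(size_t n)
{
    char dn[1000];
    if (n >= sizeof dn) return -1;
    memset(dn, 'a', n);
    dn[n] = '\0';
    return dn_attr_len(dn);
}

int main(void)
{
    printf("%d\n", dn_attr_len("uid=alice,dc=example,dc=com"));        /* 29 */
    printf("%d %d\n", synthetic_dn_len(253), synthetic_dn_len(254));   /* 255 -1 */
    return 0;
}
```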
This is the second maintenance release for 0.9.12, containing a number of fixes
for LDAP backends. LDAP support had not been updated to reflect
recent changes in the internal dictionary, causing it to fail completely.
Also, the LDAP module's error handling when dealing with server-side
disconnects has been improved, removing the need for setting the
'rebind-after-every-search' flag in many installations, thus improving
performance.
This is the first maintenance release for 0.9.12, fixing a problem in the
installation script and removing unused EAP stub work, as that was unusable
and is done completely differently in 0.9.13 anyway.
Because 0.9.13 will break compatibility so severely that no existing behaviour
file will run unchanged, I will do bugfixes and maintenance on 0.9.12 and
release them as letter-revisions.
Consider 0.9.12 the "last stable release before the big behaviour language
changes".
This release mostly concerns new features for use with SQL backends. The
example configuration and behaviour files for SQL are modernized to reflect
recent improvements. You can now use SQL transactions without being limited to
a single radsql subprocess, because of an elegant way to allow all subsequent
calls to a module to be routed to the same subprocess, even if the module
interface defines more than one. Also, radsql allows you to obtain the sequence
number that was used as the primary key for newly inserted records, for
databases that support it.
Some minor changes were made to the behaviour language as well. Please see the
changelog for more details.
In 0.9.11, I completely forgot to verify that the distributed configuration
files were up to date with my development set. This caused a non-functioning
default install. Sorry. For the remainder of the release notes and the
changelog, please see below.
A lot of time has passed, during which a lot of bugfixes and new features were
done. New language operators, updated example behaviour files, a fix for a bug
that prevented the server from working on AMD64 at all (and on other platforms
with 'interesting' stdarg implementations), complete RFC2869 support, including
Message-Authenticator and a framework for EAP support, including a subserver to
decode EAP packets and execute EAP policies (that module is work in progress,
don't rely on it yet), attribute splitting and joining, long password support,
and many more good things. Please see the
changelog.
One important thing to note: if you have written binary modules, you must
update your check for the received magic value in the header, as the value has
been changed. The change is necessary to prepare for modules that may send
'RADIUS' requests via the module interface to the main server as well as
regular module responses. Please see the changelog for more details.
A complete example configuration for keeping metered pre-paid accounts in MySQL
has been added. The dictionary has been restructured to allow access to the
whole packet. Together with the new 'pokeav' operator, this makes checking of
packet signatures much cleaner and easier, preparing for Message-Authenticator
support. A contributed improvement to radldap allows you to bind on an object
that was returned by a prior search. Logging has been made friendlier. An
operator was added to rewrite MAC addresses in a canonical format. Some minor
bugfixes were made as well; for details, please see the changelog.
This release adds an example schema and configuration/behaviour combo for
PostgreSQL, and a feature to radsql to turn autocommit off for databases
that support it. The new behaviour files demonstrate how you can use that
to create multi-statement transactions.
Much more important is that complete proxying support is finally done!
This was achieved by extending the radius client to allow specification of
target servers, ports and secrets in RADIUS attributes, and enhancing the
module interface to allow modules to generate interleaved responses. This
feature can be enabled on a per-interface basis in the configuration file, by
increasing the default window size of 1 and specifying an attribute to hold job
reference numbers. See the new configuration- and behaviour files for ASCII
files and Postgres for details.
This work was sponsored by WinQ B.V.,
many thanks.
Note: this release contains a minor bug in the default example configuration.
Please run 'touch /usr/local/etc/openradius/legacy/nases' if you see an
instance of 'ascfile' restarting every second. There is also a recommended
patch that fixes
a compiler error and a border case when recovering from a crashing module.
This release contains a number of enhancements to the behaviour language,
most notably the accept, reject and acctresp versions of the halt operator,
that set RAD-Code and filter inappropriate reply attributes for the response
as defined in the dictionary.
It's been out for quite a while, but I hadn't announced it because I first
wanted to move the mailing list to a new machine, in order to make it available
24/7 again. This project suffered a few delays, sadly, but it's finally
done.
There are also a few bugs fixed, some enhancements to the example MySQL
configuration, a tool for creating precompiled Ascend-Data-Filter attributes,
some enhancements to radlogger, radldap and radclient, and a new module to
authenticate users using SMB (Windows NT). Thanks, Brian BcGraw and Brian
Candler, for your contributions!
This release's focus is SQL support. OpenRADIUS now supports MySQL, Postgres, Oracle, Sybase, DB2, Informix, Interbase, and others, through Perl's stable and powerful DBD drivers. A few small improvements were made in other areas as well.
See the changelog for more
information.
a completely new build system that handles
transparent automatic dependency tracking and contains a lot of platform
compatibility enhancements;
a full featured RADIUS client and debugging tool that handles
multiple simultaneous queries, redundant target servers and PAP and CHAP
password encoding.
Starting with this version, configuration files are installed in
/usr/local/etc/openradius by default, as opposed to
/usr/local/etc/raddb; this makes it more obvious that the
configuration files are not compatible with Lucent-, Cistron- or FreeRADIUS.
Also, the installation procedure will not install any files in that directory
if it already exists, but inform you that your old configuration will be used
instead.
As always, please see the changelog for more information.
This is a long overdue cleanup and bugfix release, that also includes some
changes to the behaviour language.
These changes were indicated earlier, but sadly cause some incompatibilities
that cannot be avoided if the current mess in the naming of the conversion
operators is to be cleaned up. Instead of the 'as...' operators that sometimes
indicated the source type and sometimes the destination type, a clearer scheme
is implemented now that uses these unary postfix operators:
toint, toip, todate and tostr
convert any type to the type indicated by the name. If both the source and the
destination type are ordinal values, the conversion is just a typecast;
otherwise the standard auto-conversion behaviour applies, using the selected
destination type. (When converting strings to ints, the base is autodetected,
so that a 0x-prefix indicates hexadecimal, a 0-prefix
indicates octal, and otherwise the number is decimal; and when converting
strings to dates or vice versa, the format is yyyymmddHHMMSS).
fromoct, fromdec, fromhex and fromraw
convert strings in the indicated format to integer values. These can be used
if the default auto-base detection is undesired, such as when you want to
convert a zero-padded decimal string to its value (under the normal
rules the number would be treated as an octal string because of its
0-prefix), and also to convert binary strings in network order to
their integer values.
tooct, todec, tohex and toraw do
the reverse and convert integer values to strings in the indicated format.
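As an added illustration of the conversion rules above (not OpenRADIUS code, and not the behaviour language itself), here is the string-to-integer and integer-to-string logic in C. The auto-detected base of toint is exactly what strtol() with base 0 does, and the example shows the zero-padded-decimal case the notes warn about; the function names are hypothetical and fromraw/toraw are assumed to handle 32-bit values.

```c
#include <stdlib.h>
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* toint on a string, with the auto-detected base described in the notes:
 * 0x prefix -> hexadecimal, leading 0 -> octal, otherwise decimal.
 * strtol() with base 0 implements exactly that rule. */
long op_toint(const char *s) { return strtol(s, NULL, 0); }

/* fromoct / fromdec / fromhex force the base; use fromdec for a zero-padded
 * decimal string such as "010", which toint would read as octal (8). */
long op_fromoct(const char *s) { return strtol(s, NULL, 8); }
long op_fromdec(const char *s) { return strtol(s, NULL, 10); }
long op_fromhex(const char *s) { return strtol(s, NULL, 16); }

/* fromraw: binary string in network (big-endian) order -> integer.
 * Only the first four bytes are used (a 32-bit RADIUS integer, assumed). */
uint32_t op_fromraw(const unsigned char *s, size_t len)
{
    uint32_t v = 0;
    if (len > 4) len = 4;
    for (size_t i = 0; i < len; i++) v = (v << 8) | s[i];
    return v;
}

/* toraw: integer -> 4-byte network-order binary string */
void op_toraw(uint32_t v, unsigned char out[4])
{
    for (int i = 3; i >= 0; i--) { out[i] = v & 0xff; v >>= 8; }
}

/* tooct / todec / tohex: integer -> string in base 8, 10 or 16.
 * Returns a static buffer for brevity; not reentrant. */
const char *op_tostr(unsigned long v, int base)
{
    static char buf[32];
    snprintf(buf, sizeof buf, base == 8 ? "%lo" : base == 16 ? "%lx" : "%lu", v);
    return buf;
}

/* toraw followed by fromraw must give the original value back */
uint32_t raw_roundtrip(uint32_t v)
{
    unsigned char raw[4];
    op_toraw(v, raw);
    return op_fromraw(raw, 4);
}
```

With constructed inputs: op_toint("010") gives 8 where op_fromdec("010") gives 10, and op_fromraw on the four bytes c0 a8 00 01 gives 3232235521 (the integer form of 192.168.0.1).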
After version 1.0, no such changes will be done other than through
phased deprecation.
As for the bugfixes, most notably the second vulnerability in CERT CA-2002-06
has now been addressed as well. The first hasn't been present since 0.9.3 - see
also this message. As a nice side effect, it now gives much better
diagnostic information about invalid packets.
For all other changes, please refer to the changelog. And as always, test before upgrading, and make a
copy of your raddb directory before typing 'make install', as that installs
the distributed example files, overwriting your current configuration.
A couple of important bugs in last release's sample behaviour files were fixed;
specifically one that caused CHAP to not work at all, and one in
behaviour.sample-ldap-authbind that allowed all non-PAP users in, regardless of
their password, if a user's LDAP object could be accessed using an anonymous
bind.
Another bug, introduced in the last release by a last-minute change to
the current directory setting for modules, caused the ascfile module as
used in some of the example behaviour files to look for its data in the wrong
place. This has been fixed; modules now get the raddb directory used by the
server as their cwd, and their configuration files will be stored under
raddb/modules.
The last release wasn't a particularly successful one. This one should be
better; see the changelog for
more information.
This release adds a lot of LDAP functionality: an example schema, a more
complete LDAP-to-RADIUS mapping file, and working examples for the
configuration- and behaviour files.
Other than that, this is most of all a bugfix release: some cleanups were done,
some rare corner cases properly tested and fixed where necessary, and a few
memory leaks were plugged. There should be none left.
Also, some portability enhancements have been made; the server now runs on
GNU/Linux, NetBSD, BSDi, Solaris (only tested with gcc) and Compaq Tru64 Unix
(built with Compaq's own compiler). Note that still only GNU make is supported,
although NetBSD's appeared to work as well.
As always, make sure your raddb directory is backed up before doing 'make
install' after compiling; there is no automated upgrade procedure.
The most important thing in this release is the new LDAP module. It can be used
to perform arbitrary directory searches from the behaviour file, and for doing
authentication using LDAP bind operations. It supports persistent connections
and a fully configurable LDAP to RADIUS attribute mapping.
The module was tested with OpenLDAP, but should also support the University
of Michigan's implementation and others based on it.
As always, make sure your raddb directory is backed up before doing 'make
install' after compiling; there is no automated upgrade procedure.
Contrary to the previous (0.9) release, this one has been actually tested again
on the three platforms I currently have access to (GNU/Linux, BSDi and
Solaris). It should work on many more, so please tell me about problems and
successes, especially when building.
Some other minor bugfixes and feature additions were done as well; see
the changelog for more
details.
This release adds a simple Unix password database module, an example behaviour
file that makes use of that, a lot more documentation and a few less bugs.
See the changelog for more
details.
There is no automated upgrade procedure, so be sure to back up your raddb
directory before doing 'make install'.
Sadly, some incompatible changes to the dictionary and behaviour file language
were necessary. Review your current configuration-, behaviour- and/or legacy
users files to check if you used any of the following attributes before
copying any of them back over the newly installed files in raddb:
Auth-Type (now auth-type, lowercase. See the changelog for details);
Clear-Password (idem)
Md5-Hex-Password (idem)
Trusted-Proxy (idem)
Strip-Realm (idem)
You will have to convert these attribute names to lowercase in each of the
files you intend to copy back from the previous release. If you used a
Livingston-style users file, this will most likely have to be updated.
As part of the language cleanup, the precedence of the operators '.',
'md5' and 'hex' was changed, to group them more sensibly.
Now, all unary operators have precedence above binary ones, and all ordinal
operators have precedence over string handling ones. See the language
documentation, paragraph 4.1 and
below for more details.
In some very rare cases (e.g. if you placed a term immediately after
'abort'), you may need to verify that the behaviour file is still
accepted when the server is started. This is due to the change made to a few
operators which now return an integer (context) instead of resetting the
context, which had caused terms to be re-allowed immediately after they were closed.
The affected operators are:
halt
abort
del
delall
moveall
Lastly, the comma operator is not allowed anymore in context 'none', so
expressions like 1,,2 or 1+(,3) are not valid anymore.
This is the first public release. The server should definitely be stable, but
hasn't been proven yet. Although great care went into error handling and
memory leak prevention, I'm sure that bugs will still be present. So please,
try it out, and report any problems you may find.
The server and modules distributed in this release were built and tested
successfully on the following platforms:
Debian GNU/Linux 2.2 i386 / glibc 2.1.3 / gcc 2.95.2 / GNU make
Debian GNU/Linux 2.2 Alpha (64-bit) / glibc 2.1.3 / gcc 2.95.2 / GNU make
SunOS 5.7 sparcv9 (32-bit) / gcc 2.95.2 / GNU make
BSD/OS 4.0 i386 / gcc 2.95.2 / GNU make
I haven't tried any other compiler myself, but I've taken good care to avoid
GCC extensions, and my aim is to support any halfway decent ANSI-C compiler.
I'm interested to hear your reports on other platforms.
I also haven't been able to get the same makefiles to work on both GNU and BSD
make - if anybody knows a portable way of doing makefile includes, please let
me know.
This release includes the following:
Main server, with fully complete dictionary/VSA handling support, behaviour rule language and ASCII and binary module interfaces
ASCII file reader module
Accounting- and request logging module
Quick and dirty script to generate md5-hex passwords
A sample configuration and behaviour file that make it work quite similar
to a Livingston-type server, supporting standard ASCII clients- and users
files. Be sure to read the notes in the behaviour file and the ascfile module
before using it as a drop-in replacement though.
NOT yet included are, in random order:
DNS resolver module
RADIUS client (proxying) module
Duplicate detection module
LDAP module
Sub-dictionaries defining VSAs for NAS vendors other than Cisco