aland | 3 Jan 01:33 2009

GIT Log for 2009-01-03 00:33 GMT

commit 6b364fbbf1e6f535b90aa0d90280da9480d1fb3a
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Fri Jan 2 19:43:53 2009 +0100

    Corrected typo

Files changed:
 src/main/event.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

======================================================================
commit b557db5fe35af220c1808978d64d5df2354fbae5
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Fri Jan 2 16:44:24 2009 +0100

    Enable the server to originate CoA-Request && Disconnect-Request

    This is a fairly large change in the server, but is protected
    by WITH_COA, so you can build without it, if you want to do that.

    Conflicts:

    	src/include/radiusd.h
    	src/main/listen.c

Files changed:
 man/man5/unlang.5                    |   17 +-
 raddb/proxy.conf                     |   42 --
 raddb/sites-available/originate-coa  |  190 ---------
 share/dictionary.freeradius.internal |   13 -

aland | 5 Jan 01:33 2009

GIT Log for 2009-01-05 00:33 GMT

commit fb941e6bbebe0a2ea39a197f27bab9feba389687
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Thu Jan 1 10:31:23 2009 +0100

    Added "make cert" commands to bootstrap file

    This helps it work when people don't have "make" installed
 raddb/certs/bootstrap |   31 +++++++++++++++++++++++++++++++
 1 files changed, 31 insertions(+), 0 deletions(-)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

aland | 6 Jan 01:33 2009

GIT Log for 2009-01-06 00:33 GMT

commit 885d4329748651fae019a9907ff34acd2d054a80
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Fri Nov 28 11:42:59 2008 +0100

    Limit the maximum number of queries over one SQL socket.

    Similar to the "lifetime" change.  If there are issues such as DB
    memory leaks per client socket, then it is a good idea to periodically
    close the client sockets.

Files changed:
 raddb/sql.conf                |    5 -----
 src/modules/rlm_sql/conf.h    |    1 -
 src/modules/rlm_sql/rlm_sql.c |    2 --
 src/modules/rlm_sql/rlm_sql.h |    1 -
 src/modules/rlm_sql/sql.c     |   13 -------------
 5 files changed, 0 insertions(+), 22 deletions(-)

======================================================================
commit e77f5126525db69cfbf04627d6e3357a0d384ecc
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Fri Nov 28 11:00:25 2008 +0100

    Add "lifetime" to SQL sockets.

    After "lifetime" seconds, an open connection is closed.  This can help
    address issues such as firewalls that time out open connections...

Files changed:
 raddb/sql.conf                |    7 -------

aland | 7 Jan 01:33 2009

GIT Log for 2009-01-07 00:33 GMT

commit fb12a47d98e6bf919243f83180b95a9624166203
Author: Alan T. DeKok <aland <at> freeradius.org>
Date:   Tue Jan 6 11:37:37 2009 +0100

    listen.c needs ltdl.h
 src/main/Makefile.in |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

Alan DeKok | 7 Jan 10:44 2009

FreeRADIUS and OpenSSL Linkage

  It would be useful to be able to link FreeRADIUS with OpenSSL, for
systems like Debian that have restrictive license policies.  Upon
auditing the source code (and some offline discussion), it looks like it
may be possible.

  The code using OpenSSL is:

src/main/threads.c
src/modules/rlm_eap/
src/modules/rlm_otp/
src/modules/rlm_wimax/

  The ownership of the relevant code is largely myself, a bankrupt
company (rlm_eap), and Tri-D systems (rlm_otp).  We've tried contacting
Tri-D systems (now owned by RedHat), but have had little response.

  My suggestion is to do the following:

1) add a license exception to the main LICENSE file:

   In addition, as a special exception, the copyright holders give
   permission to link the code of portions of this program with the
   OpenSSL library, and distribute linked combinations including the
   two.  This exception does not apply to the "rlm_otp" module.
   You must obey the GNU General Public License in all respects
   for all of the code used other than OpenSSL.  If you modify
   file(s) with this exception, you may extend this exception to your
   version of the file(s), but you are not obligated to do so.  If you
   do not wish to do so, delete this exception statement from your
   version.

Stephen Gran | 7 Jan 11:02 2009

Re: FreeRADIUS and OpenSSL Linkage

On Wed, Jan 07, 2009 at 10:44:52AM +0100, Alan DeKok said:
>   It would be useful to be able to link FreeRADIUS with OpenSSL, for
> systems like Debian that have restrictive license policies.  Upon
> auditing the source code (and some offline discussion), it looks like it
> may be possible.
> 
>   The code using OpenSSL is:
> 
> src/main/threads.c
> src/modules/rlm_eap/
> src/modules/rlm_otp/
> src/modules/rlm_wimax/
> 
>   The ownership of the relevant code is largely myself, a bankrupt
> company (rlm_eap), and Tri-D systems (rlm_otp).  We've tried contacting
> Tri-D systems (now owned by RedHat), but have had little response.
> 
>   My suggestion is to do the following:
> 
> 1) add a license exception to the main LICENSE file:
> 
>    In addition, as a special exception, the copyright holders give
>    permission to link the code of portions of this program with the
>    OpenSSL library, and distribute linked combinations including the
>    two.  This exception does not apply to the "rlm_otp" module.
>    You must obey the GNU General Public License in all respects
>    for all of the code used other than OpenSSL.  If you modify
>    file(s) with this exception, you may extend this exception to your
>    version of the file(s), but you are not obligated to do so.  If you
>    do not wish to do so, delete this exception statement from your

Alexander Clouter | 7 Jan 11:21 2009

Re: FreeRADIUS and OpenSSL Linkage

Alan DeKok <aland <at> deployingradius.com> wrote:
>
> [snipped]
> 
> 2) remove rlm_otp from the "stable" module list.  It's not being
> maintained, and I'm not sure anyone is using it.
> 
>  This will make life easier for package maintainers, as they can just
> configure --without-rlm_otp.  The result will be a version of the server
> that can be linked with OpenSSL on Debian-based systems.
> 
>  Thoughts?
> 
I was thinking of playing with EAP-GTC and OTP's at some stage, 
probably more likely EAP-TTLS/OTP or something if such a thing can be 
put together.

Of course 'some stage' is after the 101 other things more pressing I 
have to do...

Users can obviously not be trusted with passwords, SecureW2 with 
jfreesafe[1] would make for a nice combination.

Cheers

Alex

[1] http://stuff.digriz.org.uk/mobile/jfreesafe.jad


Alan DeKok | 7 Jan 12:16 2009

Re: FreeRADIUS and OpenSSL Linkage

Alexander Clouter wrote:
> I was thinking of playing with EAP-GTC and OTP's at some stage, 
> probably more likely EAP-TTLS/OTP or something if such a thing can be 
> put together.

  rlm_otp does *not* implement the EAP-OTP protocol.  It implements X9.9
and related "one time password" systems.

  Alan DeKok.

Chris Moules | 7 Jan 14:32 2009

Debian and RTLD_GLOBAL (again)

Hi,

I have been following the development of the 2.x branch of FreeRADIUS
for a while. We have been looking at moving our Debian systems running
FreeRADIUS 1.1.x to the 2.x release. Most things are fine, more than
that, the FR 2.x release is great.

There is a sticking point however, on systems that use the sqlippool
module there is still the crash due to a symbol lookup error, the known
Debian RTLD_GLOBAL (or lack thereof) issue (I have tried resolving some
of this myself, but it is beyond my ken). I have seen that there has
been work towards resolving this, the last I (productively) saw written
on this was:
<http://lists.freeradius.org/pipermail/freeradius-users/2008-November/msg00110.html>

Alan, what would your "one more fix" be? I can try to work on this if you can point me in the right direction.
I would really like to get this working so that I can decommission the last remaining 1.1.x servers.

Thanks for any input.

Regards

Chris

Alan DeKok | 7 Jan 21:06 2009

Re: Debian and RTLD_GLOBAL (again)

Chris Moules wrote:
> There is a sticking point however, on systems that use the sqlippool
> module there is still the crash due to a symbol lookup error, the known
> Debian RTLD_GLOBAL (or lack thereof) issue (I have tried resolving some
> of this myself, but it is beyond my ken). I have seen that there has
> been work towards resolving this, The last I (productively) saw written
> on this was:
> http://lists.freeradius.org/pipermail/freeradius-users/2008-November/msg00110.html

  This should have been fixed in 2.1.3.  Please try that.

  Alan DeKok.