Freeradius-Devel Digest, Vol 60, Issue 16

Fred MAISON fred.maison at gmail.com
Fri Apr 30 12:17:22 CEST 2010


On Friday 30 April 2010 at 12:00 +0200,
freeradius-devel-request at lists.freeradius.org wrote:
> Today's Topics:
> 
>    1. Re: cannot get core dump of crashing freeradius (Jakob Hirsch)
>    2. GIT Log for 2010-04-29 23:33 GMT (aland)
>    3. rlm_ldap & TCP KeepAlive (Fred MAISON)
>    4. Re: rlm_ldap & TCP KeepAlive (Alan DeKok)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 29 Apr 2010 18:01:27 +0200
> From: Jakob Hirsch <jh at plonk.de>
> Subject: Re: cannot get core dump of crashing freeradius
> To: FreeRadius developers mailing list
> 	<freeradius-devel at lists.freeradius.org>
> Message-ID: <4BD9AD57.3010807 at Message-ID.plonk.de>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Hi,
> 
> Follow-up from the users list; it does not really belong there, I think.
> 
> Alan DeKok, 2010-04-26 17:24:
> >> This will become a non-issue when the prctl() calls are moved into the
> >> fr_suid_* functions. :)
> >> Would you like me to prepare a patch for that or would you rather do
> >> that yourself?
> >   Patch, please.  It's just easier.
> 
> Is attached.
> I found no way to enable the process's dumpable flag permanently, so I
> just re-enable it on every uid/gid change. Not really elegant...
> 
> I also propose a second (one-line) patch that allows core dumps also
> when running in debug mode (as mentioned on the users list).
> 
> Note that the patches are not really tested, will probably do that
> tomorrow...
> -------------- next part --------------
> An embedded and charset-unspecified text was scrubbed...
> Name: PR_SET_DUMPABLE.patch
> Url: <https://lists.freeradius.org/pipermail/freeradius-devel/attachments/20100429/b720e4ed/attachment.ksh>
> -------------- next part --------------
> An embedded and charset-unspecified text was scrubbed...
> Name: debug_with_coredump.patch
> Url: <https://lists.freeradius.org/pipermail/freeradius-devel/attachments/20100429/b720e4ed/attachment-0002.pl>
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 30 Apr 2010 01:33:01 +0200 (CEST)
> From: aland at deployingradius.com (aland)
> Subject: GIT Log for 2010-04-29 23:33 GMT
> To: <freeradius-devel at lists.freeradius.org>
> Message-ID: <20100429233301.EFB91123425F at liberty.deployingradius.com>
> 
> commit 19fc3940db2e2bbd354c59303c50b230c77d7653
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Thu Apr 29 10:26:47 2010 +0200
> 
>     Document more proxy functionality
>     
>     If the NAS doesn't retransmit, we don't either.
> 
> Files changed:
>  raddb/proxy.conf |    7 +++++++
>  1 files changed, 7 insertions(+), 0 deletions(-)
> 
> ======================================================================
> commit fd06854aa64fd6dbf3794f1e695a4ac613637a56
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Thu Apr 29 10:25:47 2010 +0200
> 
>     More debugging messages
>     
>     So that the user knows when a socket is closed due to lifetime or max_queries
> 
> Files changed:
>  src/modules/rlm_sql/sql.c |    8 +++++---
>  1 files changed, 5 insertions(+), 3 deletions(-)
> 
> ======================================================================
> commit 8dbc696916652fca8e10d2c001d1a2f96187d9ab
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Thu Apr 29 10:25:12 2010 +0200
> 
>     Removed unnecessary fflush()
> 
> Files changed:
>  src/modules/frs_dhcp/dhcp.c |    1 -
>  1 files changed, 0 insertions(+), 1 deletions(-)
> 
> ======================================================================
> commit 8d6622aa511c9c803e3bd020a15b437723a4738a
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Thu Apr 29 10:16:59 2010 +0200
> 
>     Ignore autoconf files
>     
>     Hopefully for 2.2.0, we can start getting rid of that horrible
>     system
> 
> Files changed:
>  .gitignore |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> ======================================================================
> commit 5b5fc292113861b65b8bb786e260fbccc7ba98af
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Wed Apr 28 16:52:05 2010 +0200
> 
>     Add sub-options to Option 82
> 
> Files changed:
>  share/dictionary.dhcp |   21 ++++++++++++++++++++-
>  1 files changed, 20 insertions(+), 1 deletions(-)
> 
> ======================================================================
> commit 97c36635617bc8330f21d2b7a7474d6ece462525
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Wed Apr 28 16:50:13 2010 +0200
> 
>     Large code cleanups.
>     
>     Fix error messages (no fprintf)
>     Enable option 82 sub-options
>     Allow it to originate DHCP packets, too
> 
> Files changed:
>  src/modules/frs_dhcp/dhcp.c |  588 +++++++++++++++++++++++++++----------------
>  1 files changed, 374 insertions(+), 214 deletions(-)
> 
> ======================================================================
> commit e0736545494890e825ec28fbb46c1321480a17e4
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Wed Apr 28 13:47:35 2010 +0200
> 
>     Make dhcp_socket_t structure fall in line with listen_socket_t
> 
> Files changed:
>  src/modules/frs_dhcp/frs_dhcp.c |   11 +++++++----
>  1 files changed, 7 insertions(+), 4 deletions(-)
> 
> ======================================================================
> commit 67d995975096c7fa8ece4693161ad3674f600c21
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Wed Apr 28 13:39:46 2010 +0200
> 
>     Fixed typo
> 
> Files changed:
>  src/modules/frs_dhcp/frs_dhcp.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> ======================================================================
> commit ed96d5b83d2f3c53fe316699450257acc7249924
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Wed Apr 28 11:01:14 2010 +0200
> 
>     Use readline only if we have the header files
>     
>     Otherwise people install libreadline, and then the compile stage
>     fails because there's no header files
> 
> Files changed:
>  src/main/radmin.c |   25 +++++++++++++------------
>  1 files changed, 13 insertions(+), 12 deletions(-)
> 
> ======================================================================
> commit 46de542209627674034535ee2a8970ddb94bdd81
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Tue Apr 27 18:53:17 2010 +0200
> 
>     Fix error message for people who don't understand it
> 
> Files changed:
>  src/main/modcall.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> ======================================================================
> commit c66a88291f75dad80a73a9c47705768a3dafb869
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Tue Apr 27 11:02:54 2010 +0200
> 
>     Corrected documentation
> 
> Files changed:
>  raddb/certs/README |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> ======================================================================
> commit e7118e7e2d88a07d8d7078f8a9a8daf294f9afb3
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Tue Apr 27 09:47:38 2010 +0200
> 
>     Try to fix link issues, as posted to the list
> 
> Files changed:
>  src/modules/rlm_python/configure.in |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> ======================================================================
> commit 044b291410a3c6d3cc8c4e52b4a2764f6b2a47df
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Tue Apr 27 09:46:37 2010 +0200
> 
>     Use  rebind_proc only if args==3
>     
>     This means that systems which have args != 3 will still build
> 
> Files changed:
>  src/modules/rlm_ldap/rlm_ldap.c |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> ======================================================================
> commit 4d976d1234f0e04beda8de74247f59c66282678d
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Mon Apr 26 17:24:41 2010 +0200
> 
>     Work around for bug #35.
>     
>     The packet is apparently getting freed when the request structure is still
>     in the list.  Since it's hard to tell when / why this is happening,
>     the short-term fix is to work around it.
>     
>     It's better to leak memory slowly than to crash quickly.
> 
> Files changed:
>  src/lib/packet.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> ======================================================================
> commit bf6bc8b9be4176c35b1fd4c4be69e1a2394114d6
> Author: Alan T. DeKok <aland at freeradius.org>
> Date:   Mon Apr 26 19:56:54 2010 +0200
> 
>     Remove from proxy hash after packet has been verified
>     
>     This avoids some esoteric conditions where an attacker who can monitor
>     the RADIUS packet stream could cause the server to sometimes forget
>     about packets that it proxied.
>     
>     Also cleaned up other issues related to counters (home/listener) when
>     proxying.
> 
> Files changed:
>  src/main/event.c |  114 +++++++++++++++++++++++++++++++-----------------------
>  1 files changed, 65 insertions(+), 49 deletions(-)
> 
> ======================================================================
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 30 Apr 2010 10:57:31 +0200
> From: Fred MAISON <fred.maison at gmail.com>
> Subject: rlm_ldap & TCP KeepAlive
> To: freeradius-devel at lists.freeradius.org
> Message-ID: <1272617851.3324.18.camel at localhost>
> Content-Type: text/plain; charset="UTF-8"
> 
> Hello,
> 
> Some stateful equipment like firewalls or load-balancers tends to drop
> long-idle TCP sessions to protect their session tables.
> To keep idle TCP sessions active and avoid this kind of disconnection, I
> found it could be useful to be able to configure TCP KeepAlive from the
> rlm_ldap config file, exposing the TCP KeepAlive options available in the
> OpenLDAP libraries to the rlm_ldap config file:
> LDAP_OPT_X_KEEPALIVE_IDLE, LDAP_OPT_X_KEEPALIVE_PROBES,
> LDAP_OPT_X_KEEPALIVE_INTERVAL
> 
> Unfortunately, as Red Hat released its 5.5, I no longer have access
> to jdennis's binary repository, so I am having trouble recompiling 2.1.8 for
> CentOS 5.4 on x86_64.
> I have tried to recompile freeradius 2.1.8 with this patch from the
> fedoraproject cvs sources, but I don't know how to integrate this patch
> in the source tree.
> 
> Can you help?
> 
> Once validated, could this kind of code be integrated in a future
> release?
> 
> Best regards,
> Fred MAISON
> 
> hg diff
> diff -r 9bc9e5b4d605 rlm_ldap.c
> --- a/rlm_ldap.c	Fri Apr 30 10:18:42 2010 +0000
> +++ b/rlm_ldap.c	Fri Apr 30 10:32:05 2010 +0000
> @@ -173,8 +173,12 @@
>  	int		 edir_account_policy_check;
>  #endif
>  	int		 set_auth_type;
> +	int		keepalive_idle;
> +	int		keepalive_probes;
> +	int		keepalive_interval;
>  }  ldap_instance;
>  
> +
>  /* The default setting for TLS Certificate Verification */
>  #define TLS_DEFAULT_VERIFY "allow"
>  
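Review bot: The three new `ldap_instance` fields have no comment saying what each value means or which unit it is in, so nothing tells a later reader whether `keepalive_idle` and `keepalive_interval` are seconds or whether `keepalive_probes` is a count; add a one-line comment per field. The blank line added after `}  ldap_instance;` is unrelated whitespace and should be dropped from the patch.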
> @@ -315,6 +319,9 @@
>  #endif
>  
>  	{"set_auth_type", PW_TYPE_BOOLEAN,
> offsetof(ldap_instance,set_auth_type), NULL, "yes"},
> +	{"keepalive_idle", PW_TYPE_INTEGER,
> offsetof(ldap_instance,keepalive_idle), NULL, "60"}
> +	{"keepalive_probes", PW_TYPE_INTEGER,
> offsetof(ldap_instance,keepalive_probes), NULL, "3"}
> +	{"keepalive_interval", PW_TYPE_INTEGER,
> offsetof(ldap_instance,keepalive_interval), NULL, "30"}
>  	{NULL, -1, 0, NULL, NULL}
>  };
>  
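Review bot: Each of the three new table entries is missing its trailing comma (`NULL, "60"}` is followed directly by the next `{`), so the initializer will not compile; end each line with `},` as the `set_auth_type` entry above does. The defaults "60", "3" and "30" also mean keepalive is always switched on with no documented way to leave the system defaults alone, which deserves a comment in the sample configuration.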
> @@ -2272,6 +2279,24 @@
>  		radlog(L_ERR, "  [%s] Could not set LDAP version to V3: %s",
> inst->xlat_name, ldap_err2string(ldap_errno));
>  	}
>  
> +	if (ldap_set_option(ld, LDAP_OPT_X_KEEPALIVE_IDLE,
> +			    (void *) &(inst->keepalive_idle)) != LDAP_OPT_SUCCESS) {
> +		ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
> +		radlog(L_ERR, "  [%s] Could not set LDAP_OPT_X_KEEPALIVE_IDLE %d: %
> s", inst->xlat_name, inst->keepalive_idle, ldap_err2string(ldap_errno));
> +	}
> +	if (ldap_set_option(ld, LDAP_OPT_X_KEEPALIVE_PROBES,
> +			    (void *) &(inst->keepalive_probes)) != LDAP_OPT_SUCCESS) {
> +		ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
> +		radlog(L_ERR, "  [%s] Could not set LDAP_OPT_X_KEEPALIVE_PROBES %d: %
> s", inst->xlat_name, inst->keepalive_probes,
> ldap_err2string(ldap_errno));
> +	}
> +	if (ldap_set_option(ld, LDAP_OPT_X_KEEPALIVE_INTERVAL,
> +			    (void *) &(inst->keepalive_interval)) != LDAP_OPT_SUCCESS) {
> +		ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
> +		radlog(L_ERR, "  [%s] Could not set LDAP_OPT_X_KEEPALIVE_INTERVAL %d:
> %s", inst->xlat_name, inst->keepalive_interval,
> ldap_err2string(ldap_errno));
> +	}
> +
> +
> +
>  #ifdef HAVE_LDAP_START_TLS
>          if (inst->tls_mode) {
>  		DEBUG("  [%s] setting TLS mode to %d", inst->xlat_name,
> inst->tls_mode);
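Review bot: The `LDAP_OPT_X_KEEPALIVE_IDLE`, `LDAP_OPT_X_KEEPALIVE_PROBES` and `LDAP_OPT_X_KEEPALIVE_INTERVAL` calls are compiled unconditionally, whereas the TLS block right after them sits behind `#ifdef HAVE_LDAP_START_TLS`; against an LDAP library whose headers do not define these options the module will not build. Wrap the three calls in `#ifdef LDAP_OPT_X_KEEPALIVE_IDLE` or an equivalent configure check. The three near-identical set/log blocks would read better as one small helper, and the three blank lines added at the end of the hunk should go.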
> 
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Fri, 30 Apr 2010 11:56:25 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: rlm_ldap & TCP KeepAlive
> To: FreeRadius developers mailing list
> 	<freeradius-devel at lists.freeradius.org>
> Message-ID: <4BDAA949.3020100 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Fred MAISON wrote:
> > Some stateful equipment like firewalls or load-balancers tends to drop
> > long-idle TCP sessions to protect their session tables.
> > To keep idle TCP sessions active and avoid this kind of disconnection, I
> > found it could be useful to be able to configure TCP KeepAlive from the
> > rlm_ldap config file, exposing the TCP KeepAlive options available in the
> > OpenLDAP libraries to the rlm_ldap config file:
> > LDAP_OPT_X_KEEPALIVE_IDLE, LDAP_OPT_X_KEEPALIVE_PROBES,
> > LDAP_OPT_X_KEEPALIVE_INTERVAL
> 
>   Yup.
> 
> > Unfortunately, as Red Hat released its 5.5, I no longer have access
> > to jdennis's binary repository, so I am having trouble recompiling 2.1.8 for
> > CentOS 5.4 on x86_64.
> > I have tried to recompile freeradius 2.1.8 with this patch from the
> > fedoraproject cvs sources, but I don't know how to integrate this patch
> > in the source tree.
> 
>   Use the "patch" program:
> 
> $ hg diff > patch
> $ cd src/modules/rlm_ldap
> $ patch -p1 < ../../patch
> 
>   Then build it.
> 
>   This can be done after the "configure" stage.
> 
> > Once validated, could this kind of code be integrated in a future
> > release?
> 
>   Yes.  John has a number of LDAP patches pending.
> 
>   Alan DeKok.
> 
> 

I am interested in John's patches.
Where are they available?
I am also interested in the Alexander Coulter patches you talked about in
a post dated 28 Jan 2010 17:36:46 +0100 regarding ldap redundancy &
Ldap-Group checkItem in user file (message
4B61BD1E.1090005 at deployingradius.com)

As you talked about integration of those patches in 2.2.0, how can I
access freeradius 2.2.x cvs?
I tried cvs -d :pserver:anoncvs at cvs.freeradius.org:/source checkout
radiusd, but the version retrieved there seems to be 2.0.6 ...

Best regards,
Fred MAISON
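
The three keepalive settings discussed in the quoted "rlm_ldap & TCP KeepAlive" message, shown at the Linux socket level as an added example; it is not part of this thread and is not FreeRADIUS or OpenLDAP code. The struct and function names are hypothetical, and the Linux `TCP_KEEPIDLE`, `TCP_KEEPCNT` and `TCP_KEEPINTVL` socket options are assumed.

```c
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>

/* Hypothetical holder for the three values the patch reads from config. */
struct keepalive_cfg {
	int idle;     /* seconds of silence before the first probe */
	int probes;   /* unanswered probes before the kernel drops the connection */
	int interval; /* seconds between probes */
};

/* Enable keepalive on a TCP socket; 0 on success, -1 with errno set. */
int keepalive_apply(int fd, const struct keepalive_cfg *c)
{
	int on = 1;

	if (c->idle <= 0 || c->probes <= 0 || c->interval <= 0) {
		errno = EINVAL; /* reject values that make no sense as timers */
		return -1;
	}
	if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0 ||
	    setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &c->idle, sizeof(c->idle)) < 0 ||
	    setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &c->probes, sizeof(c->probes)) < 0 ||
	    setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &c->interval, sizeof(c->interval)) < 0)
		return -1;
	return 0;
}

/* Read back what the kernel stored, to verify the settings took effect. */
int keepalive_read(int fd, struct keepalive_cfg *out)
{
	int opt[3] = { TCP_KEEPIDLE, TCP_KEEPCNT, TCP_KEEPINTVL };
	int *dst[3] = { &out->idle, &out->probes, &out->interval };

	for (int i = 0; i < 3; i++) {
		socklen_t len = sizeof(int);
		if (getsockopt(fd, IPPROTO_TCP, opt[i], dst[i], &len) < 0)
			return -1;
	}
	return 0;
}

/* Seconds of total silence after which a dead peer is declared. */
int keepalive_dead_after(const struct keepalive_cfg *c)
{
	return c->idle + c->probes * c->interval;
}
```

With the patch's defaults (60, 3, 30) a dead peer is declared after 150 seconds of silence. For keepalive to keep a session alive through a firewall or load balancer, `idle` has to be shorter than that device's idle timeout.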



