postgresqlippool

David Wood david at wood2.org.uk
Mon Aug 4 10:09:10 CEST 2008


Hi Maxim,

In message <001501c8f58c$f3bd38b0$c2d3000a at surfer>, Maxim Sirenko 
<freeradius at mail.rv.ua> writes
>Could you answer the question on the basis of your experience?
>Since what version of freeradius were you successful in using 
>rlm_sqlippool with postgresql, and what little fixes did you have to do to 
>make it work?
>I have the 1.1.7_3 port on FreeBSD 6.2 and I'm unsuccessful in forcing it to 
>assign an IP from the sql pool rather than from the NAS configuration pool.
>In the docs we are encouraged to use 2.0.x to have this feature working.
>
>I cannot upgrade to 2.0.x now because my radius is under 24*7 load and 
>I don't have spare server to test it.

FreeBSD 6.2 is End of Life - there is no support from the FreeBSD 
security team, and the ports tree no longer supports 6.2. You are 
recommended to upgrade to FreeBSD 6.3-RELEASE (plus security patches) or 
FreeBSD 7.0-RELEASE (plus security patches). 6.3 will be the easier 
upgrade, as you won't have to rebuild all your ports.

Obviously you should back up your server before doing this.

The actual downtime for a 6.3 upgrade should be minimal. It may be worth 
going via the c(v)sup, make buildworld, make buildkernel, make 
installkernel, (downtime starts) reboot in single user mode, make 
installworld, mergemaster, make delete-old, reboot in multi user route 
(downtime ends) - but if you're going to do that, make sure you read the 
instructions in the FreeBSD handbook and in /usr/src/UPDATING first.


Once you've done that, create yourself a jail as a RADIUS configuration 
sandbox. This will need a spare IPv4 address on your network, and will 
give you somewhere to install a completely separate FreeRADIUS for 
testing.

Probably the easiest way to do this is ezjail - the sysutils/ezjail 
port. This is where having done a make buildworld, and hence a populated 
/usr/obj, helps - you can use ezjail_update -i to build your basejail.


Get yourself an up to date ports tree in the jail - portsnap fetch 
extract should do the job.

Build the net/freeradius2 port, which is FreeRADIUS 2.0.5. There are 
several enhancements in the net/freeradius2 port that I haven't 
backported to the net/freeradius port - and the 2.x server is much 
better than the 1.x one.

Configure FreeRADIUS 2.0.5 to your requirements, testing each change. 
(To that end, I'm intending to create an eapol_test port when I have the 
time - though your system doesn't sound like it would need it).


It's then a case of deploying the net/freeradius2 based setup on your 
live server when you're ready. It may be worth continuing to run 
FreeRADIUS in an ezjail if the restriction of a single IPv4 address 
isn't an issue - it makes it so much easier to switch testing and live 
configurations around, or to switch FreeRADIUS to a different FreeBSD 
host machine by moving the jail.

Of course, jails are valuable to help secure your servers as well - 
they're one of the nicest features of FreeBSD in my opinion.

Hopefully the single IPv4 address per jail restriction will be solved by 
the time that FreeBSD 8 is released - full network virtualisation for 
jails has been mooted, but I'm not sure whether anyone is actively 
working on it.


Best wishes,

David
-- 
David Wood
david at wood2.org.uk
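The source upgrade sequence David lists (csup, buildworld, buildkernel, installkernel, reboot to single-user mode, installworld, mergemaster, delete-old, reboot) spans a reboot, so in practice it wants a driver that remembers where it stopped and refuses to install a kernel or world that was never built. The script below is an added example, not code from the original post or from the FreeBSD project. It assumes a supfile already pointing at the target release (`$SUPFILE`), a state file of its own choosing (`$STATE_FILE`), and a `DRY_RUN` switch; all three are this example's conventions, and the single-user mount commands in the comment are the ones the FreeBSD handbook gives for that step.

```shell
#!/bin/sh
# Checkpointed driver for a FreeBSD source upgrade (added example).
# Each completed step is recorded in $STATE_FILE only after it succeeds,
# so a failed step is retried and the run can resume after the reboot
# into single-user mode. Run with "run" to execute the next step,
# "status" to see where you are; DRY_RUN=1 prints instead of executing.

STATE_FILE="${STATE_FILE:-/var/db/src-upgrade.state}"   # assumption: our own path
SUPFILE="${SUPFILE:-/root/stable-supfile}"               # assumption: your supfile
DRY_RUN="${DRY_RUN:-0}"

# Ordered steps; the single-user reboot sits between installkernel and
# installworld, exactly where the downtime window in the message begins.
STEPS="csup buildworld buildkernel installkernel reboot-single installworld mergemaster delete-old reboot-multi"

# Print the step after $1 ("done" after the last one, the first step when
# $1 is empty). Any other value means a corrupt state file: fail loudly.
next_step() {
    if [ -z "$1" ]; then
        set -- $STEPS
        echo "$1"
        return 0
    fi
    prev=""
    for s in $STEPS; do
        if [ "$prev" = "$1" ]; then
            echo "$s"
            return 0
        fi
        prev="$s"
    done
    if [ "$prev" = "$1" ]; then
        echo "done"
        return 0
    fi
    echo "unknown step '$1' in $STATE_FILE" >&2
    return 1
}

# Shell command that implements a step.
command_for() {
    case "$1" in
        csup)          echo "csup -L 2 $SUPFILE" ;;
        buildworld)    echo "cd /usr/src && make buildworld" ;;
        buildkernel)   echo "cd /usr/src && make buildkernel" ;;
        # Choose "boot -s" at the loader prompt; in single-user mode run
        # fsck -p; mount -u /; mount -a -t ufs; swapon -a; then re-run "run".
        installkernel) echo "cd /usr/src && make installkernel" ;;
        reboot-single) echo "shutdown -r now" ;;
        installworld)  echo "cd /usr/src && make installworld" ;;
        mergemaster)   echo "mergemaster" ;;
        delete-old)    echo "cd /usr/src && make delete-old" ;;
        reboot-multi)  echo "shutdown -r now" ;;
        *) return 1 ;;
    esac
}

# Sanity checks before a step touches the system.
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -f /usr/src/UPDATING ] || { echo "no /usr/src/UPDATING: read it first, and check the tree" >&2; return 1; }
    case "$1" in
        installkernel|installworld)
            # Never install from an empty /usr/obj: the build steps come first.
            [ -d /usr/obj/usr/src ] || { echo "/usr/obj is empty: buildworld has not run" >&2; return 1; } ;;
    esac
}

run_next() {
    last=""
    [ -f "$STATE_FILE" ] && last=$(cat "$STATE_FILE")
    step=$(next_step "$last") || return 1
    if [ "$step" = "done" ]; then
        echo "upgrade complete"
        return 0
    fi
    cmd=$(command_for "$step") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] $step: $cmd"
    else
        preflight "$step" || return 1
        echo "running $step: $cmd"
        sh -c "$cmd" || { echo "$step failed; state left at '$last'" >&2; return 1; }
    fi
    printf '%s\n' "$step" > "$STATE_FILE"
}

case "${1:-}" in
    run)    run_next ;;
    status) [ -f "$STATE_FILE" ] && echo "last completed: $(cat "$STATE_FILE")" || echo "not started" ;;
esac
```

Back up the server before the first `run`, as the message says; the script only stops you from installing an unbuilt kernel or world, it cannot undo an installworld.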