Authenticating groups via LDAP

John Dennis jdennis at redhat.com
Sat May 22 16:22:12 CEST 2010


On 05/22/2010 04:34 AM, Josip Rodin wrote:
> On Fri, May 21, 2010 at 05:19:55PM -0400, John Dennis wrote:
>>> I just figured this part out.  The radiusd.conf file has an Include
>>> /etc/freeradius/modules statement, and there was a file in the modules
>>> directory called ldap.dpkg-old in that directory that was overriding the
>>> ldap config file.  That doesn't mean everything works, but at least that
>>> mystery is solved.
>>
>> I think Josip Rodin is maintaining the deb packages. If somehow the old
>> config files are overriding the new config files in the deb packages
>> then you and Josip might want to work out what the problem is, sounds
>> like a packaging bug. I've cc'ed Josip on this email, I know he reads
>> this list but might not be paying attention to this thread.
>
> Thanks. The real problem here is that FreeRADIUS includes *all* files in the
> modules/ directory, whereas excess files are really legitimate - *.dpkg-*
> conffile resolution backups, editor lock files and backup files, etc.
>
> This will be fixed either with code changes to reduce the filename pattern
> matched (e.g. *.conf) or by moving to modules-{available,enabled}/, like
> Apache does it.
>
> Until then, users need to be extra careful to keep modules/ clean.
> This applies everywhere (not just on Debian).

Oh, that's right, I had forgotten FreeRADIUS reads all files in the 
modules directory irrespective of its name or extension. That's a 
serious problem. RPM installations will also leave old config files in 
those directories (.rpmsave files) when the package is updated.

Alan, I didn't see any open bugs on this, should we open one? Is this a 
planned modification for 2.2? I recall some discussion of this a while 
back on the mailing list. I suppose changing this in 2.1 would be a 
version violation. But it has such serious negative consequences I 
wonder if we shouldn't bite the bullet and change it in 2.1.9 before 
more people get bitten by this. But to be honest I'm not sure which is 
worse, an unexpected config file change on upgrade or mysterious 
*silent* failures after upgrade.

I think the RPM spec file (and the deb files) could include a script 
which would detect an old modules directory layout and convert it to 
modules-{available,enabled} layout automatically during a package upgrade.

Also, I was just looking at our RPM spec file and I noticed that files 
in /etc/raddb/sites-enabled (which should just be symlinks) are marked 
as config(noreplace) which means RPM will leave backup files there 
instead of treating sites-enabled as just a collection of symlinks to be 
left alone. I think this represents a packaging bug on my end. However I 
noticed the suse freeradius.spec file in the freeradius-server tarballs 
also has the exact same config(noreplace) in raddb/sites-enabled so 
that packaging bug seems universal.



-- 
John Dennis <jdennis at redhat.com>
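
Added example (not part of the original message or of the FreeRADIUS packaging): a shell audit for the two conditions discussed in this thread, leftover package-manager or editor files in modules/ and entries in sites-enabled/ that are not symlinks. The function names and the list of leftover patterns are assumptions; the default root /etc/raddb is the path named in the message.

```shell
#!/bin/sh
# Added example: audit a FreeRADIUS config tree for files that, per the
# thread, the server reads as live configuration regardless of their name.

# Print files in DIR whose names look like conffile backups or editor
# leftovers. The pattern list is an assumption; extend it for your tooling.
stray_module_files() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # skip unmatched globs
        case ${f##*/} in
            *.dpkg-*|*.ucf-*|*.rpmsave|*.rpmnew|*.rpmorig) echo "$f" ;;
            *~|*.bak|*.orig|*.swp|.\#*|\#*\#)              echo "$f" ;;
        esac
    done
}

# Print entries in DIR that are not symlinks. sites-enabled should hold
# only symlinks, so a regular file there is a package backup or a stray copy.
non_symlink_entries() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        [ -L "$f" ] || echo "$f"
    done
}

# Audit ROOT (default /etc/raddb; /etc/freeradius on Debian, per the thread).
# Prints each offending path and returns 1 if any were found, 0 otherwise.
audit_raddb() {
    root=${1:-/etc/raddb}
    found=$(stray_module_files "$root/modules"
            non_symlink_entries "$root/sites-enabled")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Run the audit only when a config root is given on the command line.
if [ -n "${1:-}" ]; then
    audit_raddb "$1"
fi
```

Running this after every package upgrade, before restarting the server, surfaces the leftovers that would otherwise be loaded silently.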




More information about the Freeradius-Users mailing list