Last call for 3.0.8
Can we get that tested? Especially with the TLSv1 / TLSv1.1 / TLSv1.2 changes that went in today. I think we're otherwise good to go. Alan DeKok.
Stefan has just noticed that the trustrouter code fails kind of spectacularly if you don't have a trustrouter configured. My recommendation is that if trustrouter is null/empty string/the string "none" (set in rlm_realm.c as the default) that tr_query_realm should return NULL. Here's a patch I've confirmed compiles but have not tested. I'm unfortunately in the middle of something else and it'll be a bit before I can test. Stefan, can you confirm that this helps your problem and especially that it doesn't break trustrouter usage? diff --git a/src/modules/rlm_realm/trustrouter.c b/src/modules/rlm_realm/trustrouter.c index 338f497..47ed024 100644 --- a/src/modules/rlm_realm/trustrouter.c +++ b/src/modules/rlm_realm/trustrouter.c @@ -355,6 +355,9 @@ REALM *tr_query_realm(REQUEST *request, char const *realm, struct resp_opaque cookie; if (!realm) return NULL; + if (!trustrouter || (strcmp(trustrouter, "none") == 0)) + return NULL; + /* clear the cookie structure */ memset (&cookie, 0, sizeof(cookie));
I see no place where this code is wrong. So I've pushed the fix.
if (!trustrouter || (strcmp(trustrouter, "none") == 0))
Sam, Alan, Have just built this and tried... It's working ok. Thanks for that, Sam. Sorry for the oversight... I think we dropped the ball somewhere and not logged a bug for it. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Stefan, can you confirm that this helps your problem and especially that it doesn't break trustrouter usage?
I'll add this to the package and spin a build... Then I can check, yes. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Tue, Mar 31, 2015 at 01:14:36PM -0400, Alan DeKok wrote:
Can we get that tested? Especially with the TLSv1 / TLSv1.1 / TLSv1.2 changes that went in today.
I think we're otherwise good to go.
I'm at a conference and have nothing to do this evening apart from write a couple of lightning talks about FreeRADIUS... so when I've done that I'll try and tidy up the elasticsearch stuff I've been working on for detail logs. As one of the talks is about that, it would be good to get in if possible. Nothing complicated - a short logstash config and readme. Thanks, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I'm at a conference and have nothing to do this evening apart from write a couple of lightning talks about FreeRADIUS... so when I've
I didn't per chance see you at the Imperial in Exeter earlier, did I? ;-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Tue, Mar 31, 2015 at 11:21:17PM +0000, Stefan Paetow wrote:
I didn't per chance see you at the Imperial in Exeter earlier, did I? ;-)
Not at the Imperial, but I'm around here somewhere. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
I'm at a conference and have nothing to do this evening apart from write a couple of lightning talks about FreeRADIUS... so when I've done that I'll try and tidy up the elasticsearch stuff I've been working on for detail logs. As one of the talks is about that, it would be good to get in if possible. Nothing complicated - a short logstash config and readme.
drats.... i'll have to go to the lightning talk session now ;-) alan
drats.... i'll have to go to the lightning talk session now ;-)
Hee hee hee. :-) I'll be there... Sponge^H^H^H^H^H^HSoak up more FR knowledge ;-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Wed, Apr 01, 2015 at 08:44:22AM +0000, Stefan Paetow wrote:
drats.... i'll have to go to the lightning talk session now ;-)
Hee hee hee. :-)
I'll be there... Sponge^H^H^H^H^H^HSoak up more FR knowledge ;-)
Don't worry, it's nothing that hasn't been mentioned on this list before - ntlm_auth/AD stuff, and logging with elasticsearch. Just trying to push people with enough reasons to upgrade to v3... Networkshop is a good time to hit lots of universities in one go, just a shame the deadline for proper talk submissions is such a rediculously long time before the conference. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
What workshop and where? Do you have internet live feed? Here our federation is receiving live data to feed their redis/elastic search through an unlang linelog routine I wrote to syslog+a daemon to parse the resulting logs. I believe with FR 3.x that configuration can be improved, haven't looked yet at it. On 1 April 2015 at 11:22, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Apr 01, 2015 at 08:44:22AM +0000, Stefan Paetow wrote:
drats.... i'll have to go to the lightning talk session now ;-)
Hee hee hee. :-)
I'll be there... Sponge^H^H^H^H^H^HSoak up more FR knowledge ;-)
Don't worry, it's nothing that hasn't been mentioned on this list before - ntlm_auth/AD stuff, and logging with elasticsearch.
Just trying to push people with enough reasons to upgrade to v3... Networkshop is a good time to hit lots of universities in one go, just a shame the deadline for proper talk submissions is such a rediculously long time before the conference.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Regards, -- Rui Ribeiro Senior Sysadm ISCTE-IUL https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
Hi,
What workshop and where? Do you have internet live feed?
Here our federation is receiving live data to feed their redis/elastic search through an unlang linelog routine I wrote to syslog+a daemon to parse the resulting logs. I believe with FR 3.x that configuration can be improved, haven't looked yet at it.
networkshop 43 - JISC annual networking conference, being hed in Exeter, UK. no live streams alan
Hi,
Can we get that tested? Especially with the TLSv1 / TLSv1.1 / TLSv1.2 changes that went in today.
I think we're otherwise good to go.
Just testing. First thing I noticed is that the "sql statement is empty" warning does not cover all instances of query configs. I had four such "empty" statements in one of my modules, but only got three warnings like: My also empty "authorize_repply_query" went through the config check unnoticed. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,
I had four such "empty" statements in one of my modules, but only got three warnings like:
My also empty "authorize_repply_query" went through the config check unnoticed.
Ah, it's actually something else. My config erroneously contains *two* such config items, and one of them is empty: authorize_reply_query = \ "SELECT * FROM reply_aai_firstname WHERE username='%{SQL-User-Name}' \ UNION ALL \ SELECT * FROM reply_aai_lastname WHERE username='%{SQL-User-Name}' \ UNION ALL \ SELECT * FROM reply_aai_mail WHERE username='%{SQL-User-Name}' \ UNION ALL \ SELECT * FROM reply_aai_eduPersonAffiliation WHERE username='%{SQL-User-Name}' \ UNION ALL \ SELECT * FROM reply_aai_fullname WHERE username='%{SQL-User-Name}' \ UNION ALL \ SELECT * FROM reply_aai_commonname WHERE username='%{SQL-User-Name}' \ UNION ALL \ SELECT id, username, 'RESTENA-AAI-Attribute', CONCAT('urn:oid:1.3.6.1.4.1.23735.100.3=',id), '+=' FROM check_aai_ssha1 WHERE username='%{SQL-User-Name}' \ " authorize_reply_query = "" I guess the server would spit out the warning if the latter entry was the only one. But this makes me think: would it be nice to introduce a config WARNING level output that an entry is duplicate? And I always thought later entries overwrite previous ones. But funny enough, I do get all those attributes. Oh well. Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,
Can we get that tested? Especially with the TLSv1 / TLSv1.1 / TLSv1.2 changes that went in today.
I think we're otherwise good to go.
So here's a real issue. We use TLS session caching on persistent storage. After the update to today's GIT, I get: Error: /var/log/radius/tlscache-eduroam-users/a319a7e33299be31688cd787330c3a5660314ef758b397266a03c72b392004ca.vps[4]: Invalid comma after the reply attributes. Please delete it. This file contains the comma at the end ... (shell) # cat a319a7e33299be31688cd787330c3a5660314ef758b397266a03c72b392004ca.vps # SSL cached session a319a7e33299be31688cd787330c3a5660314ef758b397266a03c72b392004ca User-Name = '...redacted...', Chargeable-User-Identity := 0x65616535316438643436666430366665643437643034383731376464643634323832336163383666, (shell) # ... but so does a file from yesterday produced with 3.0.6. So it looks like a (righteous) complaint was added for 3.0.8, but that the session state saving code has always and continues to produce files which are incorrect. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On Apr 1, 2015, at 3:25 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
So here's a real issue. We use TLS session caching on persistent storage. After the update to today's GIT, I get:
Error: /var/log/radius/tlscache-eduroam-users/a319a7e33299be31688cd787330c3a5660314ef758b397266a03c72b392004ca.vps[4]: Invalid comma after the reply attributes. Please delete it.
This file contains the comma at the end ...
I've pushed a fix for the session state code. The complaint comes from a re-write of the "users" file parsing code. Old code: WTF? New code: Hm...that makes sense. And better errors, too. Alan DeKok.
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Matthew Newton -
Rui Ribeiro -
Sam Hartman -
Stefan Paetow -
Stefan Winter