Version 3.0.16 has been released
Lots of fixes! FreeRADIUS 3.0.16 Thu 11 Jan 2018 12:00:00 EST urgency=low Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge. Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. #2078, #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.
Thanks for all the work on this. I've built it and it works for me. I had a thought about packaging for FreeRADIUS. I can't see anywhere that offers really up-to-date packages for FreeRADIUS (we all know the distros drag their feet) so I was wondering if anyone on the team had considered setting up automated builds from tags in GitHub, that could be available either as downloadable artefacts from GitHub or even pushed to a repo somewhere like Packagecloud. If there was an easy-to-use source of recent packages I think it would definitely cut down the number of queries the list receives where novice users are running 3.0.8 because that's what their distro provides, and they don't have enough knowledge to compile by hand. If there is an appetite for something like this I would be happy to look into it. I've started setting up build pipeline for some RPM packages I maintain for my employer, although these are built from private GitLab repos. Cheers, Jonathan On 11/01/18 18:20, Alan DeKok wrote:
Lots of fixes!
FreeRADIUS 3.0.16 Thu 11 Jan 2018 12:00:00 EST urgency=low Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge.
Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. #2078, #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jonathan Gazeley wrote:
I had a thought about packaging for FreeRADIUS. I can't see anywhere that offers really up-to-date packages for FreeRADIUS (we all know the distros drag their feet)
FWIW: For SLES and openSUSE you can install packages of latest FreeRADIUS release from these repos: https://build.opensuse.org/package/show/network/freeradius-server Ciao, Michael.
On 17 Jan 2018, at 11:57, Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk> wrote:
I had a thought about packaging for FreeRADIUS. I can't see anywhere that offers really up-to-date packages for FreeRADIUS (we all know the distros drag their feet) so I was wondering if anyone on the team had considered setting up automated builds from tags in GitHub, that could be available either as downloadable artefacts from GitHub or even pushed to a repo somewhere like Packagecloud.
http://networkradius.com/freeradius-packages/index.html Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On 17/01/18 12:02, Adam Bishop wrote:
http://networkradius.com/freeradius-packages/index.html
Regards,
Adam Bishop
Huh! I had no idea, and I even searched quite hard. Thanks :) Cheers, Jonathan
On 01/17/2018 01:02 PM, Adam Bishop wrote:
On 17 Jan 2018, at 11:57, Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk> wrote:
I had a thought about packaging for FreeRADIUS. I can't see anywhere that offers really up-to-date packages for FreeRADIUS (we all know the distros drag their feet) so I was wondering if anyone on the team had considered setting up automated builds from tags in GitHub, that could be available either as downloadable artefacts from GitHub or even pushed to a repo somewhere like Packagecloud.
Great! Is it ok to use the Centos7 rpms in a RHEL7 environment with LDAPS auth? I remember there was some issue when using LDAP over SSL. Currently I use LDAP but I'd like to change to LDAP over SSL. Yours: Laszlo
Regards,
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
depends what the LDAP was built against. if your local OpenLDAP stuff isn't built against OpenSSL but the FR OpenLDAP stuff was, you're going to find some issues alan
On Wed, 2018-01-17 at 11:57 +0000, Jonathan Gazeley wrote:
I had a thought about packaging for FreeRADIUS. I can't see anywhere that offers really up-to-date packages for FreeRADIUS (we all know the distros drag their feet) so I was wondering if anyone on the team had considered setting up automated builds from tags in GitHub, that could be available either as downloadable artefacts from GitHub or even pushed to a repo somewhere like Packagecloud.
http://packages.networkradius.com/ -- Matthew
Hello, there appears to be a behaviour change when using proxy-to-vserver. I see missing attributes in such a scenario, and a diff of debug output of 3.0.15 to 3.0.16 tells me this line is new: Finished internally proxied request.
Clearing existing &reply: attributes
That is at least rather explicit, thanks for that debug message. But as it happens I really like those attributes. How can I make them *not* be scrubbed when handing the request back from the vserver in 3.0.16 and onwards? The Changelog doesn't seem to mention that behaviour change or an option to control this behaviour... Greetings, Stefan Winter Am 11.01.2018 um 19:20 schrieb Alan DeKok:
Lots of fixes!
FreeRADIUS 3.0.16 Thu 11 Jan 2018 12:00:00 EST urgency=low Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge.
Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. #2078, #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On Jan 18, 2018, at 2:30 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
there appears to be a behaviour change when using proxy-to-vserver. I see missing attributes in such a scenario, and a diff of debug output of 3.0.15 to 3.0.16 tells me this line is new:
Finished internally proxied request.
Clearing existing &reply: attributes
That is at least rather explicit, thanks for that debug message.
That message has been there since February 2015. So it isn't new.
But as it happens I really like those attributes. How can I make them *not* be scrubbed when handing the request back from the vserver in 3.0.16 and onwards?
The "proxy to virtual server" code has been doing that since about the same time.
The Changelog doesn't seem to mention that behaviour change or an option to control this behaviour...
It wasn't supposed to change. So I'm not sure why it's different. I'll take a look. Alan DeKok.
Hi, ah! A closer look reveals: 3.0.15: } # post-auth = ok Finished internally proxied request. Clearing existing &reply: attributes Found Auth-Type = Accept Auth-Type = Accept, accepting the user # Executing section post-auth from file /usr/local/freeradius/config/raddb/sites-enabled/AAI post-auth { 3.0.16: } # post-auth = ok Finished internally proxied request. Clearing existing &reply: attributes Found Auth-Type = Accept Auth-Type = Accept, accepting the user Clearing existing &reply: attributes Found Post-Proxy-Type Fail-Authentication Post-Proxy-Type sub-section not found. Ignoring. # Executing section post-auth from file /usr/local/freeradius/config/raddb/sites-enabled/AAI post-auth { So for some reason it starts to run through the purge /twice/. And there's something about Fail-Authentication? In fact the authentication does not fail, it eventually sends out an Access-Accept - but without attributes. Probably the first occurence is the normal one, and is not actually clearing anything; and the second one is new and confused, and actually does clear attributes. Greetings, Stefan Winter Am 18.01.2018 um 13:40 schrieb Alan DeKok:
On Jan 18, 2018, at 2:30 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
there appears to be a behaviour change when using proxy-to-vserver. I see missing attributes in such a scenario, and a diff of debug output of 3.0.15 to 3.0.16 tells me this line is new:
Finished internally proxied request.
Clearing existing &reply: attributes
That is at least rather explicit, thanks for that debug message.
That message has been there since February 2015. So it isn't new.
But as it happens I really like those attributes. How can I make them *not* be scrubbed when handing the request back from the vserver in 3.0.16 and onwards?
The "proxy to virtual server" code has been doing that since about the same time.
The Changelog doesn't seem to mention that behaviour change or an option to control this behaviour...
It wasn't supposed to change.
So I'm not sure why it's different. I'll take a look.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On Jan 18, 2018, at 10:27 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
So for some reason it starts to run through the purge /twice/.
Probably Alex's change in commit 6258b7. If you revert that and it works... that's the problem.
And there's something about Fail-Authentication? In fact the authentication does not fail, it eventually sends out an Access-Accept - but without attributes.
Yeah, that's an issue.
Probably the first occurence is the normal one, and is not actually clearing anything; and the second one is new and confused, and actually does clear attributes.
Yup. Matthew Newton and I are looking at it. We should have a fix later today or tomorrow. Alan DeKok.
Hi,
Yup. Matthew Newton and I are looking at it. We should have a fix later today or tomorrow.
I can confirm that today's 3.0.x behaves much nicer indeed. Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello again, here's something else that is a bit strange in 3.0.16: radsqlrelay never gets done with transmitting a .work file to our DB server. This looks like: ll -rw-r----- 1 radiusd radiusd 314 Jan 22 14:08 sql-relay-postauth Started radsqlrelay to get the three lines of SQL insisde done: /usr/local/freeradius/current/bin/radsqlrelay -1 -d mysql -f [...] -b [...] -h [...] -u [...] /var/log/radius/radacct/sql-relay-postauth ... and then that command hangs forever, never getting me back to the command-prompt. Eventually hitting Ctrl+C, I get: ^Cerror: Couldn't lock /var/log/radius/radacct/sql-relay-postauth.work: Interrupted system call Which is like... huh? The file did get its rename to .work though: -rw-r----- 1 radiusd radiusd 314 Jan 22 14:08 sql-relay-postauth.work The same worked fine with 3.0.15. Any clue? Greetings, Stefan Winter Am 11.01.2018 um 19:20 schrieb Alan DeKok:
Lots of fixes!
FreeRADIUS 3.0.16 Thu 11 Jan 2018 12:00:00 EST urgency=low Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge.
Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. #2078, #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On Jan 22, 2018, at 8:22 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
here's something else that is a bit strange in 3.0.16: radsqlrelay never gets done with transmitting a .work file to our DB server. This looks like: ... Eventually hitting Ctrl+C, I get:
^Cerror: Couldn't lock /var/log/radius/radacct/sql-relay-postauth.work: Interrupted system call
Which is like... huh?
The "lock file" code got cleaned up to remove corner cases. I guess another one snuck in...
The file did get its rename to .work though:
-rw-r----- 1 radiusd radiusd 314 Jan 22 14:08 sql-relay-postauth.work
The same worked fine with 3.0.15.
Any clue?
Not sure... please send me the config && sql-relay-postauth file off-line, and I'll take a look. Alan DeKok.
participants (8)
-
Adam Bishop -
Alan Buxey -
Alan DeKok -
Jonathan Gazeley -
Matthew Newton -
Michael Ströder -
Stefan Winter -
Tornóci László