3.2.0: dynamic_home_servers ?
Hi, I'm giving dynamic_home_servers a try. I didn't get very far though: - started with the default shipped config - enabled sites-enabled/control-socket - enabled dynamic=true and the default directory - added one single entry in the directory, with filename "testrealm.lu": home_server testrealm.lu { # ipv6addr = "2001:db8::6" ipaddr = "192.168.20.5" proto = udp secret = "radsec" } - started FreeRADIUS, looked at the following error: including configuration file /home/stefan/RESTENA/freeradius-build/etc/raddb/home_servers/testrealm.lu home_server testrealm.lu { ipaddr = 192.168.20.5 port = 0 proto = "udp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } Failed reading home_server from /home/stefan/RESTENA/freeradius-build/etc/raddb/home_servers/testrealm.lu - Dynamic home_server 'testrealm.lu' cannot have 'server' or 'auth+acct' So the configuration is parsed correctly, but then... I didn't specify "auth+acct" (and if I do, same error); nor do I know what is meant with "server" (and switching between ipaddr and ipv6addr didn't change anything)? Adding a port = 1812 doesn't change anything either. When I read in the docs that these should be "normal" home_server definitions, I wonder... they are seemingly not quite that normal? Greetings, Stefan Winter -- This email may contain information for limited distribution only, please treat accordingly. Fondation Restena, Stefan WINTER Chief Technology Officer 2, avenue de l'Université L-4365 Esch-sur-Alzette
On May 30, 2022, at 4:24 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
I'm giving dynamic_home_servers a try. I didn't get very far though:
Oops. That should work. I'll take a look and get back to you. We'll also get tests added, so CI will catch any regressions. Alan DeKok.
On May 30, 2022, at 4:24 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
- added one single entry in the directory, with filename "testrealm.lu":
home_server testrealm.lu { # ipv6addr = "2001:db8::6" ipaddr = "192.168.20.5" proto = udp secret = "radsec" }
You don't have: type = auth in the configuration section. The default is "type = auth+acct", but that's not printed out in debug mode. :( I'll fix the error messages to be more clear. Alan DeKok.
Hello,
You don't have:
type = auth
in the configuration section. The default is "type = auth+acct", but that's not printed out in debug mode. :(
I'll fix the error messages to be more clear.
Ah! Could have figured that out myself, I guess. With this, I now have a patchset to fully automate dynamic lookup, using the naptr-eduroam.sh script from radsecproxy as a discovery base (adapted to also work with RFC7585 NAPTR targets and with that, OpenRoaming). This is WIP here: https://github.com/FreeRADIUS/freeradius-server/compare/v3.2.x...restena-sw:... I'm almost ready to send a PR, but noticed a runtime oddity that may need actual code to smoothen. The first time I run a request (with -fxx -l stdout to enable multithreading), * realm discovery script is run * radmin is called to update the config * Home-Server-Name gets set *after radmin is finished* ... and then proxying fails with (0) WARNING: No such home server %{1} The second and subsequent times I try to authenticate, the home server config *is* honoured and proxying to the dest server is attempted. Looks like the config update is not immediately in effect for the request that triggered discovery. You may need to see the full debug output below of two such requests to see what I mean (the TLS failure at the very end is expected due to cert chain mismatch): Ready to process requests Threads: total/active/spare threads = 5/0/5 Waking up in 0.3 seconds. Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) (0) Received Access-Request Id 130 from 127.0.0.1:34531 to 127.0.0.1:1812 length 95 (0) User-Name = "stefan@education.lu" (0) User-Password = "abc" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 123 (0) Message-Authenticator = 0x1fd9821b1e8ba7503abf9fcec4d16548 (0) Framed-Protocol = PPP (0) # Executing section authorize from file /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "education.lu" for User-Name = "stefan@education.lu" (0) suffix: No such realm "education.lu" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 167 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) if (User-Name =~ /@(.*)$/) { (0) if (User-Name =~ /@(.*)$/) -> TRUE (0) if (User-Name =~ /@(.*)$/) { (0) switch %{home_server_dynamic:%{1}} { (0) EXPAND %{home_server_dynamic:%{1}} (0) --> (0) case { (0) update control { (0) Executing: %{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}: (0) EXPAND prefix (0) --> prefix (0) EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh (0) --> /home/swinter/scratch/freeradius-patch-build/bin/naptr-eduroam-freeradius.sh (0) EXPAND %{1} (0) --> education.lu (0) EXPAND prefix (0) --> prefix (0) EXPAND %{config:prefix} (0) --> /home/swinter/scratch/freeradius-patch-build ... new connection request on command socket Listening on command file /home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock Waking up in 0.2 seconds. radmin> add home_server file /home/swinter/scratch/freeradius-patch-build/etc/raddb/home_servers/education.lu including configuration file /home/swinter/scratch/freeradius-patch-build/etc/raddb/home_servers/education.lu home_server education.lu { ipaddr = tld1.eduroam.lu IPv4 address [158.64.1.26] port = 2083 type = "auth" proto = "tcp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } tls { verify_depth = 0 ca_path = "/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/" pem_file_type = yes private_key_file = "/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.key" certificate_file = "/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem" fragment_size = 1024 include_length = yes check_crl = no ca_path_reload_interval = 0 ecdh_curve = "prime256v1" tls_min_version = "1.2" } Waking up in 0.2 seconds. ... shutting down socket command file /home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock Waking up in 0.2 seconds. (0) Program returned code (0) and output 'home_server education.lu { ipaddr = tld1.eduroam.lu port = 2083 ipad dr = tld2.eduroam.lu port = 2083 proto = tcp type = auth secret = radsec tls { certificate_file = /home/swi nter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem private_key_file = /home/swinter/scratch/freeradius-patch-build/etc/ raddb/certs/server.key ca_path = /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/ } }' (0) &Temp-Home-Server-String := home_server education.lu { ipaddr = tld1.eduroam.lu port = 2083 ipaddr = tld2.eduro am.lu port = 2083 proto = tcp type = auth secret = radsec tls { certificate_file = /home/swinter/scratch/fre eradius-patch-build/etc/raddb/certs/server.pem private_key_file = /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/serv er.key ca_path = /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/ } } (0) } # update control = noop (0) if ("%{control:Temp-Home-Server-String}" == "" ) { (0) if ("%{control:Temp-Home-Server-String}" == "" ) -> FALSE (0) else { (0) update control { (0) &Home-Server-Name := %{1} (0) } # update control = noop (0) } # else = noop (0) } # case = noop (0) } # switch %{home_server_dynamic:%{1}} = noop (0) } # if (User-Name =~ /@(.*)$/) = noop (0) } # authorize = ok (0) Proxying due to Home-Server-Name (0) WARNING: No such home server %{1} (0) There was no response configured: rejecting request (0) Using Post-Auth-Type Reject (0) # Executing group from file /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> stefan@education.lu (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Thread 5 waiting to be assigned a request Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 130 from 127.0.0.1:1812 to 127.0.0.1:34531 length 20 Waking up in 1.9 seconds. ... cleaning up socket command file /home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock Waking up in 1.9 seconds. (0) Cleaning up request packet ID 130 with timestamp +2 due to cleanup_delay was reached Ready to process requests Waking up in 0.3 seconds. Thread 3 got semaphore Thread 3 handling request 1, (1 handled so far) (1) Received Access-Request Id 252 from 127.0.0.1:34174 to 127.0.0.1:1812 length 95 (1) User-Name = "stefan@education.lu" (1) User-Password = "abc" (1) NAS-IP-Address = 127.0.1.1 (1) NAS-Port = 123 (1) Message-Authenticator = 0xe68f95793b848723c77bdf38690952b2 (1) Framed-Protocol = PPP (1) # Executing section authorize from file /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "education.lu" for User-Name = "stefan@education.lu" (1) suffix: No such realm "education.lu" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) files: users: Matched entry DEFAULT at line 167 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (1) pap: WARNING: Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) if (User-Name =~ /@(.*)$/) { (1) if (User-Name =~ /@(.*)$/) -> TRUE (1) if (User-Name =~ /@(.*)$/) { (1) switch %{home_server_dynamic:%{1}} { (1) EXPAND %{home_server_dynamic:%{1}} (1) --> 1 (1) case 1 { (1) update control { (1) EXPAND %{1} (1) --> education.lu (1) &Home-Server-Name := education.lu (1) } # update control = noop (1) } # case 1 = noop (1) } # switch %{home_server_dynamic:%{1}} = noop (1) } # if (User-Name =~ /@(.*)$/) = noop (1) } # authorize = ok (1) Proxying due to Home-Server-Name (1) Starting proxy to home server 158.64.1.26 port 2083 (1) server default { (1) } (TLS) Trying new outgoing proxy connection to proxy (0.0.0.0, 0) -> home_server (158.64.1.26, 2083) Requiring Server certificate (0) (TLS) Handshake state - before SSL initialization (0) (TLS) Handshake state - Client before SSL initialization (0) (TLS) send TLS 1.2 Handshake, ClientHello (0) (TLS) Handshake state - Client SSLv3/TLS write client hello (0) (TLS) Handshake state - Client SSLv3/TLS write client hello (0) (TLS) recv TLS 1.2 Handshake, ServerHello (0) (TLS) Handshake state - Client SSLv3/TLS read server hello (0) (TLS) recv TLS 1.2 Handshake, Certificate (0) (TLS) Creating attributes from server certificate (0) TLS-Cert-Serial := "01" (0) TLS-Cert-Expiration := "301103101536Z" (0) TLS-Cert-Valid-Since := "101108101536Z" (0) TLS-Cert-Subject := "/DC=org/DC=edupki/CN=eduPKI CA G 01" (0) TLS-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01" (0) TLS-Cert-Common-Name := "eduPKI CA G 01" (0) ERROR: (TLS) OpenSSL says error 19 : self signed certificate in certificate chain (0) (TLS) send TLS 1.2 Alert, fatal unknown_ca (0) ERROR: (TLS) Alert write:fatal:unknown CA (0) ERROR: (TLS) Client : Error in error tls: (TLS) Failed in connecting TLS session.: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed tls: (TLS) System call (I/O) error (-1) (TLS) Failed opening connection on proxy socket 'proxy (0.0.0.0, 0) -> home_server (158.64.1.26, 2083)' (1) Failed to insert request into the proxy list (1) There was no response configured: rejecting request (1) Using Post-Auth-Type Reject (1) # Executing group from file /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> stefan@education.lu (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Sent Access-Reject Id 252 from 127.0.0.1:1812 to 127.0.0.1:34174 length 20 (1) Finished request Thread 3 waiting to be assigned a request Waking up in 4.6 seconds. (1) Cleaning up request packet ID 252 with timestamp +30 due to cleanup_delay was reached Ready to process requests
-- This email may contain information for limited distribution only, please treat accordingly.
Fondation Restena, Stefan WINTER Chief Technology Officer 2, avenue de l'Université L-4365 Esch-sur-Alzette
Eek.
Or, I forgot double quotes in the discovery case.
So, all works. Ready to send a PR :-)
Stefan
On 31.05.22 10:32, Stefan Winter wrote:
> Hello,
>
>
>> You don't have:
>>
>> type = auth
>>
>> in the configuration section. The default is "type = auth+acct",
>> but that's not printed out in debug mode. :(
>>
>> I'll fix the error messages to be more clear.
>
>
> Ah! Could have figured that out myself, I guess.
>
>
> With this, I now have a patchset to fully automate dynamic lookup,
> using the naptr-eduroam.sh script from radsecproxy as a discovery base
> (adapted to also work with RFC7585 NAPTR targets and with that,
> OpenRoaming).
>
>
> This is WIP here:
> https://github.com/FreeRADIUS/freeradius-server/compare/v3.2.x...restena-sw:restena-sw-patch-1
>
>
> I'm almost ready to send a PR, but noticed a runtime oddity that may
> need actual code to smoothen.
>
>
> The first time I run a request (with -fxx -l stdout to enable
> multithreading),
>
> * realm discovery script is run
>
> * radmin is called to update the config
>
> * Home-Server-Name gets set *after radmin is finished*
>
> ... and then proxying fails with (0) WARNING: No such home server %{1}
>
> The second and subsequent times I try to authenticate, the home server
> config *is* honoured and proxying to the dest server is attempted.
>
>
> Looks like the config update is not immediately in effect for the
> request that triggered discovery. You may need to see the full debug
> output below of two such requests to see what I mean (the TLS failure
> at the very end is expected due to cert chain mismatch):
>
>
> Ready to process requests
> Threads: total/active/spare threads = 5/0/5
> Waking up in 0.3 seconds.
> Thread 5 got semaphore
> Thread 5 handling request 0, (1 handled so far)
> (0) Received Access-Request Id 130 from 127.0.0.1:34531 to
> 127.0.0.1:1812 length 95
> (0) User-Name = "stefan@education.lu"
> (0) User-Password = "abc"
> (0) NAS-IP-Address = 127.0.1.1
> (0) NAS-Port = 123
> (0) Message-Authenticator = 0x1fd9821b1e8ba7503abf9fcec4d16548
> (0) Framed-Protocol = PPP
> (0) # Executing section authorize from file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "education.lu" for User-Name =
> "stefan@education.lu"
> (0) suffix: No such realm "education.lu"
> (0) [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0) [eap] = noop
> (0) files: users: Matched entry DEFAULT at line 167
> (0) [files] = ok
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user. Not
> setting Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good"
> password is available
> (0) [pap] = noop
> (0) if (User-Name =~ /@(.*)$/) {
> (0) if (User-Name =~ /@(.*)$/) -> TRUE
> (0) if (User-Name =~ /@(.*)$/) {
> (0) switch %{home_server_dynamic:%{1}} {
> (0) EXPAND %{home_server_dynamic:%{1}}
> (0) -->
> (0) case {
> (0) update control {
> (0) Executing:
> %{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}:
> (0) EXPAND prefix
> (0) --> prefix
> (0) EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh
> (0) -->
> /home/swinter/scratch/freeradius-patch-build/bin/naptr-eduroam-freeradius.sh
> (0) EXPAND %{1}
> (0) --> education.lu
> (0) EXPAND prefix
> (0) --> prefix
> (0) EXPAND %{config:prefix}
> (0) --> /home/swinter/scratch/freeradius-patch-build
> ... new connection request on command socket
> Listening on command file
> /home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
> Waking up in 0.2 seconds.
> radmin> add home_server file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/home_servers/education.lu
> including configuration file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/home_servers/education.lu
> home_server education.lu {
> ipaddr = tld1.eduroam.lu IPv4 address [158.64.1.26]
> port = 2083
> type = "auth"
> proto = "tcp"
> secret = <<< secret >>>
> response_window = 30.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "none"
> ping_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 300
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> recv_coa {
> }
> }
> tls {
> verify_depth = 0
> ca_path =
> "/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/"
> pem_file_type = yes
> private_key_file =
> "/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.key"
> certificate_file =
> "/home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> ca_path_reload_interval = 0
> ecdh_curve = "prime256v1"
> tls_min_version = "1.2"
> }
> Waking up in 0.2 seconds.
> ... shutting down socket command file
> /home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
> Waking up in 0.2 seconds.
> (0) Program returned code (0) and output 'home_server
> education.lu { ipaddr = tld1.eduroam.lu port = 2083
> ipad
> dr = tld2.eduroam.lu port = 2083 proto = tcp type = auth
> secret = radsec tls { certificate_file = /home/swi
> nter/scratch/freeradius-patch-build/etc/raddb/certs/server.pem
> private_key_file =
> /home/swinter/scratch/freeradius-patch-build/etc/
> raddb/certs/server.key ca_path =
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/
> } }'
> (0) &Temp-Home-Server-String := home_server education.lu {
> ipaddr = tld1.eduroam.lu port = 2083 ipaddr = tld2.eduro
> am.lu port = 2083 proto = tcp type = auth secret =
> radsec tls { certificate_file =
> /home/swinter/scratch/fre
> eradius-patch-build/etc/raddb/certs/server.pem
> private_key_file =
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/serv
> er.key ca_path =
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/certs/ } }
> (0) } # update control = noop
> (0) if ("%{control:Temp-Home-Server-String}" == "" ) {
> (0) if ("%{control:Temp-Home-Server-String}" == "" ) -> FALSE
> (0) else {
> (0) update control {
> (0) &Home-Server-Name := %{1}
> (0) } # update control = noop
> (0) } # else = noop
> (0) } # case = noop
> (0) } # switch %{home_server_dynamic:%{1}} = noop
> (0) } # if (User-Name =~ /@(.*)$/) = noop
> (0) } # authorize = ok
> (0) Proxying due to Home-Server-Name
> (0) WARNING: No such home server %{1}
> (0) There was no response configured: rejecting request
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
> (0) Post-Auth-Type REJECT {
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject: --> stefan@education.lu
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0) [attr_filter.access_reject] = updated
> (0) [eap] = noop
> (0) policy remove_reply_message_if_eap {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (0) else {
> (0) [noop] = noop
> (0) } # else = noop
> (0) } # policy remove_reply_message_if_eap = noop
> (0) } # Post-Auth-Type REJECT = updated
> (0) Delaying response for 1.000000 seconds
> Thread 5 waiting to be assigned a request
> Waking up in 0.7 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 130 from 127.0.0.1:1812 to 127.0.0.1:34531
> length 20
> Waking up in 1.9 seconds.
> ... cleaning up socket command file
> /home/swinter/scratch/freeradius-patch-build/var/run/radiusd/radiusd.sock
> Waking up in 1.9 seconds.
> (0) Cleaning up request packet ID 130 with timestamp +2 due to
> cleanup_delay was reached
> Ready to process requests
> Waking up in 0.3 seconds.
> Thread 3 got semaphore
> Thread 3 handling request 1, (1 handled so far)
> (1) Received Access-Request Id 252 from 127.0.0.1:34174 to
> 127.0.0.1:1812 length 95
> (1) User-Name = "stefan@education.lu"
> (1) User-Password = "abc"
> (1) NAS-IP-Address = 127.0.1.1
> (1) NAS-Port = 123
> (1) Message-Authenticator = 0xe68f95793b848723c77bdf38690952b2
> (1) Framed-Protocol = PPP
> (1) # Executing section authorize from file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /@\./) {
> (1) if (&User-Name =~ /@\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: Looking up realm "education.lu" for User-Name =
> "stefan@education.lu"
> (1) suffix: No such realm "education.lu"
> (1) [suffix] = noop
> (1) eap: No EAP-Message, not doing EAP
> (1) [eap] = noop
> (1) files: users: Matched entry DEFAULT at line 167
> (1) [files] = ok
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) pap: WARNING: No "known good" password found for the user. Not
> setting Auth-Type
> (1) pap: WARNING: Authentication will fail unless a "known good"
> password is available
> (1) [pap] = noop
> (1) if (User-Name =~ /@(.*)$/) {
> (1) if (User-Name =~ /@(.*)$/) -> TRUE
> (1) if (User-Name =~ /@(.*)$/) {
> (1) switch %{home_server_dynamic:%{1}} {
> (1) EXPAND %{home_server_dynamic:%{1}}
> (1) --> 1
> (1) case 1 {
> (1) update control {
> (1) EXPAND %{1}
> (1) --> education.lu
> (1) &Home-Server-Name := education.lu
> (1) } # update control = noop
> (1) } # case 1 = noop
> (1) } # switch %{home_server_dynamic:%{1}} = noop
> (1) } # if (User-Name =~ /@(.*)$/) = noop
> (1) } # authorize = ok
> (1) Proxying due to Home-Server-Name
> (1) Starting proxy to home server 158.64.1.26 port 2083
> (1) server default {
> (1) }
> (TLS) Trying new outgoing proxy connection to proxy (0.0.0.0, 0) ->
> home_server (158.64.1.26, 2083)
> Requiring Server certificate
> (0) (TLS) Handshake state - before SSL initialization
> (0) (TLS) Handshake state - Client before SSL initialization
> (0) (TLS) send TLS 1.2 Handshake, ClientHello
> (0) (TLS) Handshake state - Client SSLv3/TLS write client hello
> (0) (TLS) Handshake state - Client SSLv3/TLS write client hello
> (0) (TLS) recv TLS 1.2 Handshake, ServerHello
> (0) (TLS) Handshake state - Client SSLv3/TLS read server hello
> (0) (TLS) recv TLS 1.2 Handshake, Certificate
> (0) (TLS) Creating attributes from server certificate
> (0) TLS-Cert-Serial := "01"
> (0) TLS-Cert-Expiration := "301103101536Z"
> (0) TLS-Cert-Valid-Since := "101108101536Z"
> (0) TLS-Cert-Subject := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
> (0) TLS-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
> (0) TLS-Cert-Common-Name := "eduPKI CA G 01"
> (0) ERROR: (TLS) OpenSSL says error 19 : self signed certificate in
> certificate chain
> (0) (TLS) send TLS 1.2 Alert, fatal unknown_ca
> (0) ERROR: (TLS) Alert write:fatal:unknown CA
> (0) ERROR: (TLS) Client : Error in error
> tls: (TLS) Failed in connecting TLS session.: error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> tls: (TLS) System call (I/O) error (-1)
> (TLS) Failed opening connection on proxy socket 'proxy (0.0.0.0, 0) ->
> home_server (158.64.1.26, 2083)'
> (1) Failed to insert request into the proxy list
> (1) There was no response configured: rejecting request
> (1) Using Post-Auth-Type Reject
> (1) # Executing group from file
> /home/swinter/scratch/freeradius-patch-build/etc/raddb/sites-enabled/default
> (1) Post-Auth-Type REJECT {
> (1) attr_filter.access_reject: EXPAND %{User-Name}
> (1) attr_filter.access_reject: --> stefan@education.lu
> (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (1) [attr_filter.access_reject] = updated
> (1) [eap] = noop
> (1) policy remove_reply_message_if_eap {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (1) else {
> (1) [noop] = noop
> (1) } # else = noop
> (1) } # policy remove_reply_message_if_eap = noop
> (1) } # Post-Auth-Type REJECT = updated
> (1) Sent Access-Reject Id 252 from 127.0.0.1:1812 to 127.0.0.1:34174
> length 20
> (1) Finished request
> Thread 3 waiting to be assigned a request
> Waking up in 4.6 seconds.
> (1) Cleaning up request packet ID 252 with timestamp +30 due to
> cleanup_delay was reached
> Ready to process requests
>
>
>> --
>> This email may contain information for limited distribution only,
>> please treat accordingly.
>>
>> Fondation Restena, Stefan WINTER
>> Chief Technology Officer
>> 2, avenue de l'Université
>> L-4365 Esch-sur-Alzette
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
This email may contain information for limited distribution only, please treat accordingly.
Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
On May 31, 2022, at 4:32 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
Ah! Could have figured that out myself, I guess.
It took me a bit of staring at things (and checking the code) to figure it out. I'm a big fan of useful error messages, so that one had to be fixed/
With this, I now have a patchset to fully automate dynamic lookup, using the naptr-eduroam.sh script from radsecproxy as a discovery base (adapted to also work with RFC7585 NAPTR targets and with that, OpenRoaming).
Nice!
This is WIP here: https://github.com/FreeRADIUS/freeradius-server/compare/v3.2.x...restena-sw:...
I'll take a look at the PR, thanks. Alan DeKok.
Hi again, I'm now trying this out in a more near-life environment with a long list of statically defined realms from proxy.conf AND dynamic discovery. It appears that the case "0" - realm exists and is statically defined - doesn't really work, or I misunderstand what statically defined means in this context. In authorize, I call suffix and later the "case" conditional for dynamic home servers. - suffix finds the realm, sets Proxy-To-Realm - switch does NOT consider the realm statically defined and triggers dynamic discovery instead. This looks as follows: EXPAND %{home_server_dynamic:%{1}} --> even though suffix has loaded the realm list and has already set Proxy-To-Realm. Full debug below, plus the realm definition: I'm musing whether "statically defined" merely means that a realm was in the home_servers/ directory at startup already; and dynamic means it was added during runtime? That would make the whole statement much less useful... Stefan home_server server_158.64.1.8 { ipaddr = 158.64.1.8 port = 0 type = "auth+acct" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } home_server server_158.64.1.43 { ipaddr = 158.64.1.43 port = 0 type = "auth+acct" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } home_server_pool education.lu_pool { type = fail-over home_server = server_158.64.1.8 home_server = server_158.64.1.43 } realm education.lu { pool = education.lu_pool nostrip } Ready to process requests Thread 1 waiting to be assigned a request Threads: total/active/spare threads = 5/0/5 Waking up in 0.3 seconds. Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) (0) Received Access-Request Id 254 from 127.0.0.1:56410 to 127.0.0.1:11812 length 95 (0) User-Name = "stefan@education.lu" (0) User-Password = "test123" (0) NAS-IP-Address = 158.64.1.52 (0) NAS-Port = 123 (0) Message-Authenticator = 0x169c5902b42c13cc9e5b4a06aa5f419a (0) Framed-Protocol = PPP (0) # Executing section authorize from file /opt/freeradius/3.2.0/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "education.lu" for User-Name = "stefan@education.lu" (0) suffix: Found realm "education.lu" (0) suffix: Adding Realm = "education.lu" (0) suffix: Proxying request from user stefan@education.lu to realm education.lu (0) suffix: Preparing to proxy authentication request to realm "education.lu" (0) [suffix] = updated (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) if (User-Name =~ /@(.*)$/) { (0) if (User-Name =~ /@(.*)$/) -> TRUE (0) if (User-Name =~ /@(.*)$/) { (0) switch %{home_server_dynamic:%{1}} { (0) EXPAND %{home_server_dynamic:%{1}} (0) --> (0) case { (0) update control { (0) Executing: %{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}: (0) EXPAND prefix (0) --> prefix (0) EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh (0) --> /opt/freeradius/3.2.0/bin/naptr-eduroam-freeradius.sh (0) EXPAND %{1} (0) --> education.lu (0) EXPAND prefix (0) --> prefix (0) EXPAND %{config:prefix} (0) --> /opt/freeradius/3.2.0 ... new connection request on command socket On 31.05.22 14:35, Alan DeKok wrote:
On May 31, 2022, at 4:32 AM, Stefan Winter<stefan.winter@restena.lu> wrote:
Ah! Could have figured that out myself, I guess. It took me a bit of staring at things (and checking the code) to figure it out. I'm a big fan of useful error messages, so that one had to be fixed/
With this, I now have a patchset to fully automate dynamic lookup, using the naptr-eduroam.sh script from radsecproxy as a discovery base (adapted to also work with RFC7585 NAPTR targets and with that, OpenRoaming). Nice!
This is WIP here:https://github.com/FreeRADIUS/freeradius-server/compare/v3.2.x...restena-sw:... I'll take a look at the PR, thanks.
Alan DeKok.
- List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html
-- This email may contain information for limited distribution only, please treat accordingly. Fondation Restena, Stefan WINTER Chief Technology Officer 2, avenue de l'Université L-4365 Esch-sur-Alzette
On May 31, 2022, at 8:51 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
I'm now trying this out in a more near-life environment with a long list of statically defined realms from proxy.conf AND dynamic discovery.
It's gone through some tests, but not a lot.
It appears that the case "0" - realm exists and is statically defined - doesn't really work, or I misunderstand what statically defined means in this context.
Or maybe the behavior is just wrong. :(
In authorize, I call suffix and later the "case" conditional for dynamic home servers.
- suffix finds the realm, sets Proxy-To-Realm
- switch does NOT consider the realm statically defined and triggers dynamic discovery instead. This looks as follows:
EXPAND %{home_server_dynamic:%{1}}
-->
Hmm... that seems wrong. It looks like the %{1} isn't being used? Yeah, the underlying function assumes that it's argument is a static string. Which is not overly useful. So this will work: %{home_server_dynamic:example.com} but this won't work: %{home_server_dynamic:%{foo}} I've pushed a fix: https://github.com/FreeRADIUS/freeradius-server/commit/231b3d0a1caa096c897d2...
even though suffix has loaded the realm list and has already set Proxy-To-Realm. Full debug below, plus the realm definition:
I'm musing whether "statically defined" merely means that a realm was in the home_servers/ directory at startup already; and dynamic means it was added during runtime? That would make the whole statement much less useful...
Statically defined SHOULD mean that the realm is in the home_servers/ directory, AND it doesn't have "dynamic=true" set. Alan DeKok.
Hm, that doesn't change anything: (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "education.lu" for User-Name = "stefan@education.lu" (0) suffix: Found realm "education.lu" (0) suffix: Adding Realm = "education.lu" (0) suffix: Proxying request from user stefan@education.lu to realm education.lu (0) suffix: Preparing to proxy authentication request to realm "education.lu" (0) [suffix] = updated (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) if (User-Name =~ /@(.*)$/) { (0) if (User-Name =~ /@(.*)$/) -> TRUE (0) if (User-Name =~ /@(.*)$/) { (0) switch %{home_server_dynamic:%{1}} { (0) EXPAND %{home_server_dynamic:%{1}} (0) --> (0) case { (0) update control { (0) Executing: %{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}: (0) EXPAND prefix (0) --> prefix (0) EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh (0) --> /opt/freeradius/3.2.0/bin/naptr-eduroam-freeradius.sh
Statically defined SHOULD mean that the realm is in the home_servers/ directory, AND it doesn't have "dynamic=true" set.
Reading this I wonder... how are realms.conf realms / home_server_pool / home_server and home_servers/* meant to co-exist? Isn't a realms.conf defined realm "education.lu" just as static as one that is defined via home_servers/ ? If there is no way to detect that a realm is already handled via normal "suffix" style Proxy-To-Realm, then this would mean one has to choose one or the other way of defining realms? (And how/where/why do I set "dynamic=true" for a given realm/home_server? The setting in proxy.conf is a global setting?) FWIW, freshly starting 3.2.0 with my config lists all the realms.conf style realms with radmin: tld2bin #../sbin/radmin -e "show home_server list all" [...] 158.64.1.8 1812 udp auth+acct unknown 0 (name=server_158.64.1.8, dynamic=no) 158.64.1.8 1813 udp acct unknown 0 (name=server_158.64.1.8, dynamic=no) 158.64.1.43 1812 udp auth+acct unknown 0 (name=server_158.64.1.43, dynamic=no) 158.64.1.43 1813 udp acct unknown 0 (name=server_158.64.1.43, dynamic=no) So I kind of expected the expansion home_server_dynamic:%{1} to find them as "case 0". Anyway, once it does discovery as above, the new entry is listed, and is considered dynamic, and future expansions go to "case 1": 158.64.1.26 2083 tcp auth unknown 0 (name=education.lu, dynamic=yes) Maybe one complication is that the home_servers defined in realms.conf do not have a name that gives away the realm they serve (i.e. server_158.64.1.8 etc.). Greetings, Stefan Winter
-- This email may contain information for limited distribution only, please treat accordingly.
Fondation Restena, Stefan WINTER Chief Technology Officer 2, avenue de l'Université L-4365 Esch-sur-Alzette
On May 31, 2022, at 10:32 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
that doesn't change anything:
Arg. You should see %{1} getting expanded to something, and then %{home_server_dynamic:something} get expanded to "0" or "1" I'll find some more time for testing this.
Reading this I wonder... how are realms.conf realms / home_server_pool / home_server and home_servers/* meant to co-exist?
Dynamic home servers are just home_servers which are loaded while the server is running. Any home_server MUST define a unique home server. A home_server_pool can only contain static home servers. Adding / deleting dynamic servers to pools is hard. Realms can only point to a static home_server_pool. The realm / home_server_pool / home_server name spaces are separate. So you can use the same name in each one, and they don't conflict. They also don't have any relationship, so "realm foo" doesn't need to point to "home_server_pool foo"
Isn't a realms.conf defined realm "education.lu" just as static as one that is defined via home_servers/ ?
Dynamic home_servers don't define realms, tho. They just define home_servers. You can't dynamically define a "realm". The whole "realm" thing is a throwback to 1995 or so, and is in v3 for historical reasons, and for ease of configuration.
If there is no way to detect that a realm is already handled via normal "suffix" style Proxy-To-Realm, then this would mean one has to choose one or the other way of defining realms?
There's only one way to define realms, via a "realm" definition. That's why the server accepts: Proxy-To-Realm = "foo" proxies to a "realm foo", which in turn points to a home_server_pool, which points to home_server(s) Home-Server-Pool = "bar" proxies to "home_server_pool bar", which generally points to home_server(s) this also doesn't use any "realm" definition Home-Server = "bar" proxies to "home_server bar", but doesn't use any fail-over / load-balancing of a "home_server_pool"
(And how/where/why do I set "dynamic=true" for a given realm/home_server? The setting in proxy.conf is a global setting?)
The setting in proxy.conf is whether or nor dynamic home servers are allowed at all. There's no similar "dynamic = true" in the home servers read from the home_servers/ directory. That's added automatically.
FWIW, freshly starting 3.2.0 with my config lists all the realms.conf style realms with radmin:
tld2bin #../sbin/radmin -e "show home_server list all"
[...]
158.64.1.8 1812 udp auth+acct unknown 0 (name=server_158.64.1.8, dynamic=no) 158.64.1.8 1813 udp acct unknown 0 (name=server_158.64.1.8, dynamic=no) 158.64.1.43 1812 udp auth+acct unknown 0 (name=server_158.64.1.43, dynamic=no) 158.64.1.43 1813 udp acct unknown 0 (name=server_158.64.1.43, dynamic=no)
So I kind of expected the expansion home_server_dynamic:%{1} to find them as "case 0". Anyway, once it does discovery as above, the new entry is listed, and is considered dynamic, and future expansions go to "case 1":
158.64.1.26 2083 tcp auth unknown 0 (name=education.lu, dynamic=yes)
That's good.
Maybe one complication is that the home_servers defined in realms.conf do not have a name that gives away the realm they serve (i.e. server_158.64.1.8 etc.).
Yes. There's no strong tie between home_server and realm. Because you can have multiple realms use the same home server. And the same home server can be in multiple home_server_pools. Alan DeKok.
Okay, so the whole test |%{home_server_dynamic:%{1}} | really means "does a home_server with the stanza name %{1} exist, either in the list of home_servers defined in proxy.conf -> expands to 0; or in the home_servers/* list -> expands to 1; or nowhere -> expands to <nothing>. So I'd have to rename my server_x home_server stanzas inside realms.conf to the realm they serve to make that match, and get my "case 0" out of it. Real life has the complication though that one such home_server serves multiple realms. But the stanza can have only one name. I guess so long as stanzas with different names (=matching realms) can exist with the same destination server IP inside, that can be done. But then still this is not as flexible as realms.conf, e.g. regex realm matches are missing etc. (and not having a _pool hurts too) So, the workaround I referred to earlier, about checking whether suffix has already found something and then not going dynamic, is maybe the better option after all. Greetings, Stefan Winter On 31.05.22 16:53, Alan DeKok wrote:
On May 31, 2022, at 10:32 AM, Stefan Winter<stefan.winter@restena.lu> wrote:
that doesn't change anything: Arg. You should see %{1} getting expanded to something, and then %{home_server_dynamic:something} get expanded to "0" or "1"
I'll find some more time for testing this.
Reading this I wonder... how are realms.conf realms / home_server_pool / home_server and home_servers/* meant to co-exist? Dynamic home servers are just home_servers which are loaded while the server is running.
Any home_server MUST define a unique home server.
A home_server_pool can only contain static home servers. Adding / deleting dynamic servers to pools is hard.
Realms can only point to a static home_server_pool.
The realm / home_server_pool / home_server name spaces are separate. So you can use the same name in each one, and they don't conflict. They also don't have any relationship, so "realm foo" doesn't need to point to "home_server_pool foo"
Isn't a realms.conf defined realm "education.lu" just as static as one that is defined via home_servers/ ? Dynamic home_servers don't define realms, tho. They just define home_servers. You can't dynamically define a "realm".
The whole "realm" thing is a throwback to 1995 or so, and is in v3 for historical reasons, and for ease of configuration.
If there is no way to detect that a realm is already handled via normal "suffix" style Proxy-To-Realm, then this would mean one has to choose one or the other way of defining realms? There's only one way to define realms, via a "realm" definition. That's why the server accepts:
Proxy-To-Realm = "foo"
proxies to a "realm foo", which in turn points to a home_server_pool, which points to home_server(s)
Home-Server-Pool = "bar"
proxies to "home_server_pool bar", which generally points to home_server(s) this also doesn't use any "realm" definition
Home-Server = "bar"
proxies to "home_server bar", but doesn't use any fail-over / load-balancing of a "home_server_pool"
(And how/where/why do I set "dynamic=true" for a given realm/home_server? The setting in proxy.conf is a global setting?) The setting in proxy.conf is whether or nor dynamic home servers are allowed at all. There's no similar "dynamic = true" in the home servers read from the home_servers/ directory. That's added automatically.
FWIW, freshly starting 3.2.0 with my config lists all the realms.conf style realms with radmin:
tld2bin #../sbin/radmin -e "show home_server list all"
[...]
158.64.1.8 1812 udp auth+acct unknown 0 (name=server_158.64.1.8, dynamic=no) 158.64.1.8 1813 udp acct unknown 0 (name=server_158.64.1.8, dynamic=no) 158.64.1.43 1812 udp auth+acct unknown 0 (name=server_158.64.1.43, dynamic=no) 158.64.1.43 1813 udp acct unknown 0 (name=server_158.64.1.43, dynamic=no)
So I kind of expected the expansion home_server_dynamic:%{1} to find them as "case 0". Anyway, once it does discovery as above, the new entry is listed, and is considered dynamic, and future expansions go to "case 1":
158.64.1.26 2083 tcp auth unknown 0 (name=education.lu, dynamic=yes) That's good.
Maybe one complication is that the home_servers defined in realms.conf do not have a name that gives away the realm they serve (i.e. server_158.64.1.8 etc.). Yes. There's no strong tie between home_server and realm. Because you can have multiple realms use the same home server. And the same home server can be in multiple home_server_pools.
Alan DeKok.
- List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html
-- This email may contain information for limited distribution only, please treat accordingly. Fondation Restena, Stefan WINTER Chief Technology Officer 2, avenue de l'Université L-4365 Esch-sur-Alzette
On May 31, 2022, at 11:17 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
so the whole test
|%{home_server_dynamic:%{1}} |
really means "does a home_server with the stanza name %{1} exist, either in the list of home_servers defined in proxy.conf -> expands to 0; or in the home_servers/* list -> expands to 1; or nowhere -> expands to <nothing>.
Yes.
So I'd have to rename my server_x home_server stanzas inside realms.conf to the realm they serve to make that match, and get my "case 0" out of it.
That should work, yes.
Real life has the complication though that one such home_server serves multiple realms. But the stanza can have only one name. I guess so long as stanzas with different names (=matching realms) can exist with the same destination server IP inside, that can be done. But then still this is not as flexible as realms.conf, e.g. regex realm matches are missing etc. (and not having a _pool hurts too)
That is definitely a problem. The dynamic home servers are just that... home servers, and only home servers. :( For now it's too hard to add dynamic pools of home servers. And I don't think there's ever a reason to mix statically defined home servers, and dynamically defined home servers for the same realm / pool.
So, the workaround I referred to earlier, about checking whether suffix has already found something and then not going dynamic, is maybe the better option after all.
Yes. If there are additional features which could help, that's easy enough to add. Maybe perhaps relaxing the restrictions on home server names, and then adding some new configuration which says "this home server is for realm FOO". Even something like the following might work: * add a list of dynamically mapped realms -> home servers. The home servers can be named anything * read in a dynamic home server from raddb/home_servers/, * the filename is the realm / domain name * the "home_server NAME { ... }" can be anything, we don't care about it * there can be multiple soft links to the same file, in which case each filename maps to a realm, which uses the same home server. I think that's compatible with the existing scheme. And should be a bit more useful. It still doesn't get pools of home servers, or failover, but it is a step forwards. Alan DeKok.
FWIW, a workaround is to wrap the "case <nothing>" with an additional check whether suffix has previously set Proxy-To-Realm: case { if (!control:Proxy-To-Realm) { # no home server exists, ask DNS That's okay as a workaround (so long as no DEFAULT realm is defined in proxy.conf; otherwise, dynamic discovery is never triggered). But I think it would be worthwhile to make the home_server_dynamic to work as expected as the root cause. Stefan On 31.05.22 15:53, Alan DeKok wrote:
On May 31, 2022, at 8:51 AM, Stefan Winter<stefan.winter@restena.lu> wrote:
I'm now trying this out in a more near-life environment with a long list of statically defined realms from proxy.conf AND dynamic discovery. It's gone through some tests, but not a lot.
It appears that the case "0" - realm exists and is statically defined - doesn't really work, or I misunderstand what statically defined means in this context. Or maybe the behavior is just wrong. :(
In authorize, I call suffix and later the "case" conditional for dynamic home servers.
- suffix finds the realm, sets Proxy-To-Realm
- switch does NOT consider the realm statically defined and triggers dynamic discovery instead. This looks as follows:
EXPAND %{home_server_dynamic:%{1}}
--> Hmm... that seems wrong. It looks like the %{1} isn't being used? Yeah, the underlying function assumes that it's argument is a static string. Which is not overly useful.
So this will work:
%{home_server_dynamic:example.com}
but this won't work:
%{home_server_dynamic:%{foo}}
I've pushed a fix:https://github.com/FreeRADIUS/freeradius-server/commit/231b3d0a1caa096c897d2...
even though suffix has loaded the realm list and has already set Proxy-To-Realm. Full debug below, plus the realm definition:
I'm musing whether "statically defined" merely means that a realm was in the home_servers/ directory at startup already; and dynamic means it was added during runtime? That would make the whole statement much less useful... Statically defined SHOULD mean that the realm is in the home_servers/ directory, AND it doesn't have "dynamic=true" set.
Alan DeKok.
- List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html
-- This email may contain information for limited distribution only, please treat accordingly. Fondation Restena, Stefan WINTER Chief Technology Officer 2, avenue de l'Université L-4365 Esch-sur-Alzette
participants (2)
-
Alan DeKok -
Stefan Winter