cleaning house on radius server?
I've got a radius server up and running, and I want to clean up my configuration as much as possible. is it a safe assumption that if I remove a file (actually move it out of the way) and attempt to authenticate a client that if the client can successfully authenticate that everything is working? is it also safe to assume that any file with no uncommented lines is also safe to remove? I'm most interrested in removing the SQL directories and all the unused modules in the modules directory.
On 01/17/2011 03:36 PM, Christ Schlacta wrote:
I've got a radius server up and running, and I want to clean up my configuration as much as possible. is it a safe assumption that if I remove a file (actually move it out of the way) and attempt to authenticate a client that if the client can successfully authenticate that everything is working?
No. Because different client use different authentication methods. There really is no value to be gained by removing configuration files and entries, in the end you're far more likely to break something. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
I have everyone setup to use tls authentication, with authorization via ldap check on the hostname and the mac address. that's the ONLY path. On 1/17/2011 13:28, John Dennis wrote:
On 01/17/2011 03:36 PM, Christ Schlacta wrote:
I've got a radius server up and running, and I want to clean up my configuration as much as possible. is it a safe assumption that if I remove a file (actually move it out of the way) and attempt to authenticate a client that if the client can successfully authenticate that everything is working?
No. Because different client use different authentication methods.
There really is no value to be gained by removing configuration files and entries, in the end you're far more likely to break something.
Christ Schlacta <lists@aarcane.org> wrote:
I've got a radius server up and running, and I want to clean up my configuration as much as possible. is it a safe assumption that if I remove a file (actually move it out of the way) and attempt to authenticate a client that if the client can successfully authenticate that everything is working? is it also safe to assume that any file with no uncommented lines is also safe to remove? I'm most interrested in removing the SQL directories and all the unused modules in the modules directory.
That's a terrible idea. Think about what you are trying to accomplish. I would recommend you either put your configuration in some revision control system or alternatively accept that Mr DeKok knows what he is doing and thus not straying far from the 'Path of Light' is a Good Idea(tm). If you take up the latter you should: * install from fresh a copy of FreeRADIUS (even if it is from $DISTRO[favourite]) * assuming Debian, 'cp -a /etc/freeradius /etc/freeradius.orig' * apply your needed changes to /etc/freeradius * try to make the output of 'diff -u -r -N freeradius.org freeradius' as small as possible whilst suiting your needs (learn to use templates and policy.conf extensively) This means that when you come to upgrading your FreeRADIUS installation, you are applying a diff/patch file rather than trying to work everything out from scratch. You can also trivially see what you have been changing. Cheers -- Alexander Clouter .sigmonster says: does your DRESSING ROOM have enough ASPARAGUS?
Alexander Clouter wrote:
I would recommend you either put your configuration in some revision control system or alternatively accept that Mr DeKok knows what he is doing and thus not straying far from the 'Path of Light' is a Good Idea(tm).
I don't think we can put *that* in the documentation. What we can say is "sure, go ahead and butcher the configuration. But if it breaks, don't ask for help on the list, because everyone will tell you that it's *your* fault".
This means that when you come to upgrading your FreeRADIUS installation, you are applying a diff/patch file rather than trying to work everything out from scratch. You can also trivially see what you have been changing.
Or use revision control on the files. It's *so* much easier. Alan DeKok.
I've got a radius server up and running, and I want to clean up my configuration as much as possible. is it a safe assumption that if I remove a file (actually move it out of the way) and attempt to authenticate a client that if the client can successfully authenticate that everything is working? is it also safe to assume that any file with no uncommented lines is also safe to remove? I'm most interrested in removing the SQL directories and all the unused modules in the modules directory.
"Cleaning house" on FreeRADIUS is NOT recommended and NOT required. FreeRADIUS is a complex piece of software and takes some time to completely understand. Until you completely understand FreeRADIUS, you should not randomly delete files and change the configuration. Do you clean house with other software and OSes that you run? Do you delete the files you don't need on MySQL, Linux or a Windows PC? Probably not. The human body has many vestigial organs. Have you contacted a surgeon to remove your appendix, tonsils, adenoids, gall bladder and that spare kidney? Tim
On Mon, Jan 17, 2011 at 12:36:54PM -0800, Christ Schlacta wrote:
I've got a radius server up and running, and I want to clean up my configuration as much as possible. is it a safe assumption that if I remove a file (actually move it out of the way) and attempt to authenticate a client that if the client can successfully authenticate that everything is working? is it also safe to assume that any file with no uncommented lines is also safe to remove? I'm most interrested in removing the SQL directories and all the unused modules in the modules directory.
It is perfectly possible to weed out everything that is not needed - but to determine what is not needed simply by ad hoc testing wouldn't necessarily be possible, because there's always the possiblity that you wouldn't be testing some missing parts of the configuration that are tested by some other process. People seem to have thrown around a fair bit of FUD in this thread, but that's probably because your proposed method seems so shaky. An example for the "removal" of SQL directories is in the Debian FR packages where the SQL bits are split out in several separate packages. So e.g. people who don't install freeradius-mysql also don't get the module's .so files or configuration fragments, at all. Yet, we never weeded out other modules and settings because the overhead seemed negligible - the amount of extra libraries or instantiation work for most modules is not considerable. So if you really need to fit FR e.g. into an embedded environment, and you have your use cases very well defined, it might make sense to bother. Otherwise, there are probably more worthwhile things to do :) -- 2. That which causes joy or happiness.
participants (6)
-
Alan DeKok -
Alexander Clouter -
Christ Schlacta -
John Dennis -
Josip Rodin -
Tim Sylvester