FreeBSD 8.0 port + perl hook problem
Nick Rogers
ncrogers at gmail.com
Fri Jan 8 00:16:38 CET 2010
I'm having problems getting the latest FreeBSD port of freeradius2 to work
with a perl hook that requires the IO perl module. I realize this is likely
a FreeBSD ports compilation problem but I am hoping someone here can shed
some light.

There seems to be some kind of shared library linking issue between the
freeradius2 and perl packages compiled from the RELEASE_8_0 ports tree branch.
If one tries to use freeradius in conjunction with a perl hook (script) for
authentication, and the perl script requires a perl module relying on a
compiled shared object file (e.g., IO), then freeradius will fail to load
the perl script and throw errors.

Below is a dump that should make it easy to replicate the problem. This was
done after freshly installing 8.0-RELEASE-i386 onto a system from the
official ISO.

Note that I have also tried to compile the ports myself and run into the
same problem on i386 and amd64 architectures. I am going to try and compile
the ports using portupgrade as suggested by someone on this list and see if
that changes anything. Any further help would be greatly appreciated.

Thanks!

# uname -a
FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009
root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
# pkg_info
#
#
# pkg_add -r freeradius
Fetching
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/freeradius.tbz...
Done.
Fetching
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/python26-2.6.2_3.tbz...
Done.
====
Note that some of the standard modules are provided as separate
ports since they require extra dependencies:
bsddb databases/py-bsddb
gdbm databases/py-gdbm
sqlite3 databases/py-sqlite3
tkinter x11-toolkits/py-tkinter
Install them as needed.
====
Fetching
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/perl-5.8.9_3.tbz...
Done.
Removing stale symlinks from /usr/bin...
Skipping /usr/bin/perl
Skipping /usr/bin/perl5
Done.
Creating various symlinks in /usr/bin...
Symlinking /usr/local/bin/perl5.8.9 to /usr/bin/perl
Symlinking /usr/local/bin/perl5.8.9 to /usr/bin/perl5
Done.
Cleaning up /etc/make.conf... Done.
Spamming /etc/make.conf... Done.
Cleaning up /etc/manpath.config... Done.
Spamming /etc/manpath.config... Done.
Fetching
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/libltdl-2.2.6a.tbz...
Done.
Fetching
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/gdbm-1.8.3_3.tbz...
Done.
Fetching
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/libiconv-1.13.1.tbz...
Done.
Fetching
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/gettext-0.17_1.tbz...
Done.
Fetching
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/gmake-3.81_3.tbz...
Done.
===> Created group freeradius
===> Created user freeradius
===> Setting user and group in radiusd.conf
===> Bootstrapping default certificates, please wait...
===> Adjusting ownership of directory /usr/local/etc/raddb
===> Adjusting ownership of directory /var/log/radacct
===> Adjusting ownership of directory /var/run/radiusd
===> Adjusting ownership of /var/log/radius.log
===> Adjusting ownership of /var/log/radutmp
===> Adjusting ownership of /var/log/radwtmp
===> Updating libdir in /usr/local/etc/raddb/radiusd.conf
===============================================================================
To enable FreeRADIUS, put the following line in /etc/rc.conf
radiusd_enable="YES"
The sample configuration can be found at
/usr/local/share/examples/freeradius/raddb
If you are upgrading FreeRADIUS, you are advised to use this as a reference
for updating your configuration.
FreeRADIUS will look for its configuration directory at
/usr/local/etc/raddb by default.
If you did not already have a configuration at this location, the sample
configuration has been copied to this location and has been bootstrapped.
If you wish to point FreeRADIUS to a configuration at a different
location, put the following line in /etc/rc.conf
radiusd_flags="-d /path/to/raddb"
To start the server in normal (daemon) mode, run:
/usr/local/etc/rc.d/radiusd start
and to stop the server, run:
/usr/local/etc/rc.d/radiusd stop
To start the server in debugging mode, run:
/usr/local/etc/rc.d/radiusd debug
You are advised to make cautious changes to the configuration, and to test
frequently, using debugging mode where necessary. Try to resist the
temptation to disable or delete things that you don't understand - you may
well break things!
The documentation has been installed at /usr/local/share/doc/freeradius
Useful configuration advice can be found in the FreeRADIUS Wiki at
http://wiki.freeradius.org
===============================================================================
#
# pkg_info
en-freebsd-doc-20090913 Documentation from the FreeBSD Documentation Project
freeradius-2.1.6 A free RADIUS server implementation
gdbm-1.8.3_3 The GNU database manager
gettext-0.17_1 GNU gettext package
gmake-3.81_3 GNU version of 'make' utility
libiconv-1.13.1 A character set conversion library
libltdl-2.2.6a System independent dlopen wrapper
perl-5.8.9_3 Practical Extraction and Report Language
python26-2.6.2_3 An interpreted object-oriented programming language
#
# cat /usr/local/etc/raddb/radiusd.conf
user = freeradius
group = freeradius
raddbdir = /usr/local/etc/raddb
logdir = /var/log
libdir = /usr/local/lib
pidfile = /var/run/radiusd/radiusd.pid
prefix = /usr/local
exec_prefix = ${prefix}
localstatedir = /var
sbindir = ${exec_prefix}/sbin
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = /var/log/radius.log
log_destination = files
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 256
listen {
ipaddr = *
port = 1812
type = auth
}
listen {
ipaddr = *
port = 1813
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
proxy_requests = no
snmp = no
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
thread pool {
start_servers = 1
max_servers = 16
min_spare_servers = 0
max_spare_servers = 5
max_requests_per_server = 0
}
modules {
perl {
module = /tmp/freeradius_hook
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0644
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
# Generic Token Card.
#
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the users password will go over the wire in plain-text,
# for anyone to see.
#
gtc {
challenge = "Password: "
auth_type = perl
}
tls {
private_key_password =
private_key_file = /etc/ssl/server.key
certificate_file = /etc/ssl/server.crt
CA_file = /etc/ssl/server.crt
dh_file = /usr/local/etc/raddb/dhparam
random_file = /space/rxg/rxgd/bin/random
}
ttls {
default_eap_type = gtc
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
peap {
default_eap_type = gtc
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
}
authorize {
preprocess
eap
perl
}
authenticate {
Auth-Type PERL {
perl
}
eap
}
preacct {
preprocess
acct_unique
}
accounting {
detail
radutmp
perl
}
session {
radutmp
}
#
#
# cat /tmp/freeradius_hook
#!/usr/bin/perl
use strict;
use diagnostics;
use IO ();
#
#
# perl /tmp/freeradius_hook
#
# radiusd -X
FreeRADIUS Version 2.1.6, for host i386-portbld-freebsd8.0, built on Oct 23
2009 at 17:50:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
group = freeradius
user = freeradius
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 256
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
log_stripped_names = no
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
radiusd: #### Instantiating modules ####
radiusd: #### Loading Virtual Servers ####
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_perl
Module: Instantiating perl
perl {
module = "/tmp/freeradius_hook"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
}
Can't load '/usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so' for module IO:
/usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so: Undefined symbol
"PL_sv_undef" at /usr/local/lib/perl5/5.8.9/mach/XSLoader.pm line 70.
at /usr/local/lib/perl5/5.8.9/mach/IO.pm line 11
Compilation failed in require at /tmp/freeradius_hook line 6.
BEGIN failed--compilation aborted at /tmp/freeradius_hook line 6 (#1)
(F) The module you tried to load failed to load a dynamic extension. This
may either mean that you upgraded your version of perl to one that is
incompatible with your old dynamic extensions (which is known to happen
between major versions of perl), or (more likely) that your dynamic
extension was built against an older version of the library that is
installed on your system. You may need to rebuild your old dynamic
extensions.
Uncaught exception from user code:
Can't load '/usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so' for module IO:
/usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so: Undefined symbol
"PL_sv_undef" at /usr/local/lib/perl5/5.8.9/mach/XSLoader.pm line 70.
at /usr/local/lib/perl5/5.8.9/mach/IO.pm line 11
Compilation failed in require at /tmp/freeradius_hook line 6.
BEGIN failed--compilation aborted at /tmp/freeradius_hook line 6.
at /tmp/freeradius_hook line 6
rlm_perl: perl_parse failed: /tmp/freeradius_hook not found or has syntax
errors.
/usr/local/etc/raddb/radiusd.conf[65]: Instantiation failed for module
"perl"
/usr/local/etc/raddb/radiusd.conf[169]: Failed to find module "perl".
/usr/local/etc/raddb/radiusd.conf[169]: Failed to parse "perl" entry.
Errors initializing modules
#