Version 3.0.16 has been released

Stefan Winter stefan.winter at restena.lu
Thu Jan 18 08:30:14 CET 2018


Hello,

there appears to be a behaviour change when using proxy-to-vserver. I
see missing attributes in such a scenario, and a diff of debug output of
3.0.15 to 3.0.16 tells me this line is new:

 Finished internally proxied request.
> Clearing existing &reply: attributes

That is at least rather explicit, thanks for that debug message.

But as it happens I really like those attributes. How can I make them
*not* be scrubbed when handing the request back from the vserver in
3.0.16 and onwards?

The Changelog doesn't seem to mention that behaviour change or an option
to control this behaviour...

Greetings,

Stefan Winter

Am 11.01.2018 um 19:20 schrieb Alan DeKok:
>   Lots of fixes!
> 
> 
> FreeRADIUS 3.0.16 Thu 11 Jan 2018 12:00:00 EST urgency=low
> 	Feature improvements
> 	* rlm_python now supports multiple lists.  From #2031.
> 	* Add trust router re-keying.  From #2007.
> 	* Add support for Samba / AD LDAP schema.
> 	  See doc/schemas/ldap/samba/README.txt and
> 	  doc/schemas/ldap/samba/
> 	* Add "tls_min_version" and "tls_max_version" to EAP module
> 	  for Debian OpenSSL issues.
> 	* Better documentation for client certificates in PEAP and TTLS:
> 	  it usually doesn't work.  Fixes #2068.
> 	* Distinguish login failure from AD unavailable.  Fixes #2069.
> 	* Update RH spec files.  Fixes #2070.
> 	* Run Post-Proxy-Type if all home servers are dead.
> 	  Fixes #2072.
> 	* Print offending IP addresses when EAP sessions come from
> 	  two upstream home servers, and rate-limit the messages.
> 	* Minor packaging updates.
> 	* Better documentation for rlm_rest.
> 	* EAP-FAST now has it's own "cipher_list", so that it is
> 	  easier to configure.
> 	* EAP-FAST now forcibly disables TLS1.2, until such time
> 	  as we implement the new keying mechanism from TLS1.2.
> 	* Add documentation for allow_expired_crl.
> 	* Update Debian logrotation.  #2093 and #2101.
> 	* DHCP relay can now drop responses.  #2095.
> 	* rlm_sqlippool can now assign Delegated-IPv6-Prefix.
> 	  It also now can assign any IPv4 or IPv6 address.
> 	  Based on patches from maximumG.  #2094.
> 	  See raddb/mods-available/sqlippool for changes.
> 	* radeapclient can now use EAP-SIM-Ki to dynamically
> 	  create the necessary triplets.
> 	* Explain why many LDAP connections are closed.
> 	  Fixes #1969.
> 	* Debian build / package issues fixed by Matthew Newton.
> 	* dictionary.patton updates from Brice Schaffner.  Fixes #2137.
> 	* Added scripts to build "inner-server.pem", and updated
> 	  mods-config/inner-eap and certs/README to match.
> 	* Added provisions for using an external CA.  See raddb/certs/
> 	* Include dhcpclient binary in freeradius-dhcp debian packge.
> 
> 	Bug fixes
> 	* Bind the lifetime of program name and python path to the module
> 	  FR-AD-002 (redone)
> 	* Pass correct statement length into sqlite3_prepare[_v2]
> 	  FR-AD-003 (redone)
> 	* Allow 100-Continue responses with additional headers in rlm_rest.
> 	* fix corner case where detail files were not being locked
> 	  correctly.
> 	* Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group.
> 	  Fixes #1947
> 	* Clean up exfile code.  Which should help to avoid issues
> 	  with reading / writing 100's of detail files.
> 	* Fix build for winbind.  Patch from Alex Clouter.
> 	* Fix checkrad for Mikrotik.  Patch from Muchael Ducharme.
> 	* Fix home server stats lookup.  Patch from Phil Mayers.
> 	* Add libjson-c3 as an optional dependency.
> 	* Require LTB OpenLDAP on CentOS / Redhat, to avoid linking
> 	  against NSS, which breaks the server.  Fixes #2040.
> 	* rlm_python fixes.  Fixes #2041
> 	* Typos in "man" pages.  Fixes #2045
> 	* Expand "next" in %{%{...}:-%{...}}.  Fixes #2048
> 	* Don't add TLS attributes twice.  Fixes #2050.
> 	* Fix memory allocation in rlm_rest.  Fixes #2051.
> 	* Update trustrouter for new API. Fixes #2059.
> 	* Fix SQLite issues on FreeBSD.  Fixes #2060
> 	* Don't do debug logging of bad passwords.  Fixes #2064.
> 	* More graceful handling of "die" in rlm_perl.  Fixes #2073.
> 	* Fix occasional crash when using
> 	  cisco_accounting_username_bug = yes
> 	* EAP-FAST fixes from Isaac Boukris.
> 	  #2078, #2076, and #2082, #2126.
> 	* DHCP fixes, relay, #2092, add run-time check, #2028
> 	* Decode multiple RADIUS packets at a time in highly loaded
> 	  RadSec connections.  Patch from Jan Tomasek.  #2106.
> 	* TunnelPassword is not "single value" in LDAP schema.
> 	  Fixes #2061.
> 	* sql log now opens the expanded filename, not the input one.
> 	  This was a regression introduced in 3.0.15.
> 	* Remove unnecessary UNIQUE constrain in Oracle schemas.
> 	* Fix SSL thread and locking issues when modules also use SSL.
> 	  Fixes #2125 and #2129.
> 	* Re-add dhcpclient "raw packet" changes.  Patches from
> 	  Nicolas Chaigne and Matthew Newton.  Fixes #2155.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20180118/04f1cdf1/attachment.sig>


More information about the Freeradius-Users mailing list