FreeBSD 11.3-RELEASE-p5, freeRADIUS 3.0.20, openssl 1.1.1d -> segfault

Ferdinand Goldmann Ferdinand.Goldmann at jku.at
Mon Jan 20 14:26:49 CET 2020


Hi,

I am trying to upgrade a freeRADIUS installation running on FreeBSD 11.3 p5.

This particular radius server connects to our LDAP load balancer using
openssl. When compiling against the openssl port from the ports
tree (1.1.1d), freeRADIUS crashes with a segmentation violation on startup.

When compiling against openssl 1.0.2s (shipped with FreeBSD 11.3), the server
starts up and processes requests just fine.

Output when being run with -X (sensitive information X'ed out):

# /usr/local/sbin/radiusd -X
FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/dhcp
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/ldap
including configuration file /usr/local/etc/raddb/mods-enabled/f-ticks
including configuration file /usr/local/etc/raddb/mods-enabled/ldapmac
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/auth-reject
including configuration file /usr/local/etc/raddb/sites-enabled/XXXXXX-inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/XXXXXX
including configuration file /usr/local/etc/raddb/sites-enabled/ldaponly
including configuration file /usr/local/etc/raddb/sites-enabled/ldaponly2
including configuration file /usr/local/etc/raddb/sites-enabled/mac2ldap
main {
  security {
         user = "freeradius"
         group = "freeradius"
         allow_core_dumps = no
  }
         name = "radiusd"
         prefix = "/usr/local"
         localstatedir = "/var"
         logdir = "/var/log"
         run_dir = "/var/run/radiusd"
}
main {
         name = "radiusd"
         prefix = "/usr/local"
         localstatedir = "/var"
         sbindir = "/usr/local/sbin"
         logdir = "/var/log"
         run_dir = "/var/run/radiusd"
         libdir = "/usr/local/lib/freeradius-3.0.20"
         radacctdir = "/var/log/radacct"
         hostname_lookups = no
         max_request_time = 30
         cleanup_delay = 5
         max_requests = 16384
         pidfile = "/var/run/radiusd/radiusd.pid"
         checkrad = "/usr/local/sbin/checkrad"
         debug_level = 0
         proxy_requests = yes
  log {
         stripped_names = no
         auth = yes
         auth_badpass = yes
         auth_goodpass = no
         msg_badpass = " [ via %{Virtual-Server} ][ %{reply:Reply-Message} ]"
         colourise = yes
         msg_denied = "You are already logged in - access denied"
  }
  resources {
  }
  security {
         max_attributes = 200
         reject_delay = 1.000000
         status_server = yes
  }
}
radiusd: #### Loading Realms and Home Servers ####
  proxy server {
         retry_delay = 5
         retry_count = 3
         default_fallback = no
         dead_time = 120
         wake_all_if_all_dead = no
  }
  home_server localhost {
         ipaddr = 127.0.0.1
         port = 1812
         type = "auth"
         secret = <<< secret >>>
         response_window = 20.000000
         response_timeouts = 1
         max_outstanding = 65536
         zombie_period = 40
         status_check = "status-server"
         ping_interval = 30
         check_interval = 30
         check_timeout = 4
         num_answers_to_alive = 3
         revive_interval = 120
   limit {
         max_connections = 16
         max_requests = 0
         lifetime = 0
         idle_timeout = 0
   }
   coa {
         irt = 2
         mrt = 16
         mrc = 5
         mrd = 30
   }
  }
  home_server XXXXXXX {
         ipaddr = XXXXXXXXXXX.130
         port = 1812
         type = "auth+acct"
         secret = <<< secret >>>
         response_window = 30.000000
         response_timeouts = 1
         max_outstanding = 65536
         zombie_period = 40
         status_check = "none"
         ping_interval = 30
         check_timeout = 4
         num_answers_to_alive = 3
         revive_interval = 300
   limit {
         max_connections = 16
         max_requests = 0
         lifetime = 0
         idle_timeout = 0
   }
   coa {
         irt = 2
         mrt = 16
         mrc = 5
         mrd = 30
   }
  }
  home_server XXXXXXX {
         ipaddr = XXXXXXXXXXX.82
         port = 1812
         type = "auth+acct"
         secret = <<< secret >>>
         response_window = 30.000000
         response_timeouts = 1
         max_outstanding = 65536
         zombie_period = 40
         status_check = "none"
         ping_interval = 30
         check_timeout = 4
         num_answers_to_alive = 3
         revive_interval = 300
   limit {
         max_connections = 16
         max_requests = 0
         lifetime = 0
         idle_timeout = 0
   }
   coa {
         irt = 2
         mrt = 16
         mrc = 5
         mrd = 30
   }
  }
  home_server XXXXX {
         ipaddr = XXXXXXXX.86
         port = 1812
         type = "auth+acct"
         secret = <<< secret >>>
         response_window = 30.000000
         response_timeouts = 1
         max_outstanding = 65536
         zombie_period = 40
         status_check = "none"
         ping_interval = 30
         check_timeout = 4
         num_answers_to_alive = 3
         revive_interval = 300
   limit {
         max_connections = 16
         max_requests = 0
         lifetime = 0
         idle_timeout = 0
   }
   coa {
         irt = 2
         mrt = 16
         mrc = 5
         mrd = 30
   }
  }
  home_server_pool my_auth_failover {
         type = fail-over
         home_server = localhost
  }
  realm example.com {
         auth_pool = my_auth_failover
  }
  realm LOCAL {
  }
  realm jku.at {
  }
  realm NULL {
         nostrip
         virtual_server = auth-reject
  }
  realm ~\\.3gppnetwork\\.org$ {
         nostrip
         virtual_server = auth-reject
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
  }
  realm AddTrust External CA Root {
         nostrip
         virtual_server = auth-reject
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
  }
  realm DigiCert Assured ID Root CA {
         nostrip
         virtual_server = auth-reject
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
  }
  realm testing123.com {
         nostrip
         virtual_server = auth-reject
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
  }
  realm yahoo.com {
         nostrip
         virtual_server = auth-reject
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
  }
  realm outlook.com {
         nostrip
         virtual_server = auth-reject
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
  }
  realm gmx.at {
         nostrip
         virtual_server = auth-reject
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
  }
  realm gmail.com {
         nostrip
         virtual_server = auth-reject
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
  }
  realm yahoo.de {
         nostrip
         virtual_server = auth-reject
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
  }
  realm students.jku.at {
         nostrip
         virtual_server = auth-reject
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
  }
  realm myabc.com {
         nostrip
         virtual_server = auth-reject
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
  }
  home_server_pool XXXXX {
         type = fail-over
         home_server = XXXXXXX
         home_server = XXXXXXX
  }
  realm ~.+$ {
         pool = aconet
         nostrip
  }
radiusd: #### Loading Clients ####
  client localhost {
         ipaddr = 127.0.0.1
         require_message_authenticator = no
         secret = <<< secret >>>
         nas_type = "other"
         virtual_server = "ldaponly"
         proto = "*"
   limit {
         max_connections = 16
         lifetime = 0
         idle_timeout = 30
   }
  }
  client localhost_ipv6 {
         ipv6addr = ::1
         require_message_authenticator = no
         secret = <<< secret >>>
   limit {
         max_connections = 16
         lifetime = 0
         idle_timeout = 30
   }
  }
  client test-network {
         ipaddr = XXXXXXXX.0/24
         require_message_authenticator = no
         secret = <<< secret >>>
         virtual_server = "XXXXXXX"
   limit {
         max_connections = 16
         lifetime = 0
         idle_timeout = 30
   }
  }
  client XXXXXXXXXXXXXXXXX {
         ipaddr = XXXXXXXX.60
         require_message_authenticator = no
         secret = <<< secret >>>
         virtual_server = "XXXXX"
   limit {
         max_connections = 16
         lifetime = 0
         idle_timeout = 30
   }
  }
  client XXXXXXXXXXXXXX {
         ipaddr = XXXXXXXXX.130
         require_message_authenticator = no
         secret = <<< secret >>>
         virtual_server = "XXXXXXX"
   limit {
         max_connections = 16
         lifetime = 0
         idle_timeout = 30
   }
  }
  client XXXXXXXXXXXXX {
         ipaddr = XXXXXXXXXXX
         require_message_authenticator = no
         secret = <<< secret >>>
         virtual_server = "XXXXXXX"
   limit {
         max_connections = 16
         lifetime = 0
         idle_timeout = 30
   }
  }
  client XXXXXXXX {
         ipaddr = XXXXXXXXXXX
         require_message_authenticator = no
         secret = <<< secret >>>
         virtual_server = "ldaponly"
   limit {
         max_connections = 16
         lifetime = 0
         idle_timeout = 30
   }
  }
  client XXXXXXXXXXX {
         ipaddr = XXXXXXXXXXX
         require_message_authenticator = no
         secret = <<< secret >>>
         virtual_server = "ldaponly"
   limit {
         max_connections = 16
         lifetime = 0
         idle_timeout = 30
   }
  }
Debugger not attached
  # Creating Auth-Type = eap
  # Creating Auth-Type = PAP
  # Creating Auth-Type = CHAP
  # Creating Auth-Type = MS-CHAP
  # Creating Auth-Type = digest
  # Creating Auth-Type = symlpt
radiusd: #### Instantiating modules ####
  modules {
   # Loaded module rlm_utf8
   # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
   # Loaded module rlm_attr_filter
   # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.post-proxy {
         filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
         key = "%{Realm}"
         relaxed = no
   }
   # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.pre-proxy {
         filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
         key = "%{Realm}"
         relaxed = no
   }
   # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_reject {
         filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
         key = "%{User-Name}"
         relaxed = no
   }
   # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_challenge {
         filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
         key = "%{User-Name}"
         relaxed = no
   }
   # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.accounting_response {
         filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
         key = "%{User-Name}"
         relaxed = no
   }
   # Loaded module rlm_cache
   # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
   cache cache_eap {
         driver = "rlm_cache_rbtree"
         key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
         ttl = 15
         max_entries = 0
         epoch = 0
         add_stats = no
   }
   # Loaded module rlm_chap
   # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
   # Loaded module rlm_detail
   # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
   detail {
         filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
         header = "%t"
         permissions = 384
         locking = no
         escape_filenames = no
         log_packet_header = no
   }
   # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
   detail auth_log {
         filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
         header = "%t"
         permissions = 384
         locking = no
         escape_filenames = no
         log_packet_header = no
   }
   # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
   detail reply_log {
         filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
         header = "%t"
         permissions = 384
         locking = no
         escape_filenames = no
         log_packet_header = no
   }
   # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
   detail pre_proxy_log {
         filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
         header = "%t"
         permissions = 384
         locking = no
         escape_filenames = no
         log_packet_header = no
   }
   # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
   detail post_proxy_log {
         filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
         header = "%t"
         permissions = 384
         locking = no
         escape_filenames = no
         log_packet_header = no
   }
   # Loaded module rlm_dhcp
   # Loading module "dhcp" from file /usr/local/etc/raddb/mods-enabled/dhcp
   # Loaded module rlm_digest
   # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
   # Loaded module rlm_dynamic_clients
   # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
   # Loaded module rlm_eap
   # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
   eap {
         default_eap_type = "md5"
         timer_expire = 60
         ignore_unknown_eap_types = no
         cisco_accounting_username_bug = no
         max_sessions = 16384
   }
   # Loaded module rlm_exec
   # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
   exec echo {
         wait = yes
         program = "/bin/echo %{User-Name}"
         input_pairs = "request"
         output_pairs = "reply"
         shell_escape = yes
   }
   # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
   exec {
         wait = no
         input_pairs = "request"
         shell_escape = yes
         timeout = 10
   }
   # Loaded module rlm_expiration
   # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
   # Loaded module rlm_expr
   # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
   expr {
         safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
   }
   # Loaded module rlm_files
   # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
   files {
         filename = "/usr/local/etc/raddb/mods-config/files/authorize"
         acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
         preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
   }
   # Loaded module rlm_linelog
   # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
   linelog {
         filename = "/var/log/linelog"
         escape_filenames = no
         syslog_severity = "info"
         permissions = 384
         format = "This is a log message for %{User-Name}"
         reference = "messages.%{%{reply:Packet-Type}:-default}"
   }
   # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
   linelog log_accounting {
         filename = "/var/log/linelog-accounting"
         escape_filenames = no
         syslog_severity = "info"
         permissions = 384
         format = ""
         reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
   }
   # Loaded module rlm_logintime
   # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
   logintime {
         minimum_timeout = 60
   }
   # Loaded module rlm_mschap
   # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
   mschap {
         use_mppe = yes
         require_encryption = no
         require_strong = no
         with_ntdomain_hack = yes
    passchange {
    }
         allow_retry = yes
         winbind_retry_with_normalised_username = no
   }
   # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
   exec ntlm_auth {
         wait = yes
         program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
         shell_escape = yes
   }
   # Loaded module rlm_pap
   # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
   pap {
         normalise = yes
   }
   # Loaded module rlm_passwd
   # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
   passwd etc_passwd {
         filename = "/etc/passwd"
         format = "*User-Name:Crypt-Password:"
         delimiter = ":"
         ignore_nislike = no
         ignore_empty = yes
         allow_multiple_keys = no
         hash_size = 100
   }
   # Loaded module rlm_preprocess
   # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
   preprocess {
         huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
         hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
         with_ascend_hack = no
         ascend_channels_per_line = 23
         with_ntdomain_hack = no
         with_specialix_jetstream_hack = no
         with_cisco_vsa_hack = no
         with_alvarion_vsa_hack = no
   }
   # Loaded module rlm_radutmp
   # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
   radutmp {
         filename = "/var/log/radutmp"
         username = "%{User-Name}"
         case_sensitive = yes
         check_with_nas = yes
         permissions = 384
         caller_id = yes
   }
   # Loaded module rlm_realm
   # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
   realm IPASS {
         format = "prefix"
         delimiter = "/"
         ignore_default = no
         ignore_null = no
   }
   # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
   realm suffix {
         format = "suffix"
         delimiter = "@"
         ignore_default = no
         ignore_null = no
   }
   # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
   realm realmpercent {
         format = "suffix"
         delimiter = "%"
         ignore_default = no
         ignore_null = no
   }
   # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
   realm ntdomain {
         format = "prefix"
         delimiter = "\\"
         ignore_default = no
         ignore_null = no
   }
   # Loaded module rlm_replicate
   # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
   # Loaded module rlm_soh
   # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
   soh {
         dhcp = yes
   }
   # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
   radutmp sradutmp {
         filename = "/var/log/sradutmp"
         username = "%{User-Name}"
         case_sensitive = yes
         check_with_nas = yes
         permissions = 420
         caller_id = no
   }
   # Loaded module rlm_unix
   # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
   unix {
         radwtmp = "/var/log/radwtmp"
   }
Creating attribute Unix-Group
   # Loaded module rlm_unpack
   # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
   # Loaded module rlm_always
   # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
   always reject {
         rcode = "reject"
         simulcount = 0
         mpp = no
   }
   # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
   always fail {
         rcode = "fail"
         simulcount = 0
         mpp = no
   }
   # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
   always ok {
         rcode = "ok"
         simulcount = 0
         mpp = no
   }
   # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
   always handled {
         rcode = "handled"
         simulcount = 0
         mpp = no
   }
   # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
   always invalid {
         rcode = "invalid"
         simulcount = 0
         mpp = no
   }
   # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
   always userlock {
         rcode = "userlock"
         simulcount = 0
         mpp = no
   }
   # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
   always notfound {
         rcode = "notfound"
         simulcount = 0
         mpp = no
   }
   # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
   always noop {
         rcode = "noop"
         simulcount = 0
         mpp = no
   }
   # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
   always updated {
         rcode = "updated"
         simulcount = 0
         mpp = no
   }
   # Loaded module rlm_ldap
   # Loading module "symlpt" from file /usr/local/etc/raddb/mods-enabled/ldap
   ldap symlpt {
         server = "ldaps://XXXXXXXXXXXXXXXX:639"
         identity = "cn=XXXXXXX,o=XXXXXX"
         password = <<< secret >>>
    sasl {
    }
         valuepair_attribute = "radiusAttribute"
         edir = yes
    user {
         scope = "sub"
         access_positive = yes
     sasl {
     }
    }
    group {
         filter = "(objectClass=posixGroup)"
         scope = "sub"
         name_attribute = "cn"
         membership_attribute = "memberOf"
         cacheable_name = no
         cacheable_dn = no
         allow_dangling_group_ref = no
    }
    client {
         filter = "(objectClass=radiusClient)"
         scope = "sub"
         base_dn = "o=XXXXXXX"
    }
    profile {
    }
    options {
         ldap_debug = 40
         chase_referrals = yes
         rebind = yes
         net_timeout = 1
         res_timeout = 10
         srv_timelimit = 3
         idle = 60
         probes = 3
         interval = 3
    }
    tls {
         start_tls = no
         require_cert = "never"
    }
   }
Creating attribute symlpt-LDAP-Group
   # Loading module "f_ticks" from file /usr/local/etc/raddb/mods-enabled/f-ticks
   linelog f_ticks {
         filename = "syslog"
         escape_filenames = no
         syslog_facility = "local0"
         syslog_severity = "info"
         permissions = 384
         format = ""
         reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
   }
   # Loading module "ldapmac" from file /usr/local/etc/raddb/mods-enabled/ldapmac
   ldap ldapmac {
         server = "ldaps://XXXXXXXXXXXXXXXX:639"
         identity = "cn=XXXXXXXXXXXXX,o=XXXXXX"
         password = <<< secret >>>
    sasl {
    }
    user {
         scope = "sub"
         access_positive = yes
     sasl {
     }
    }
    group {
         scope = "sub"
         name_attribute = "cn"
         cacheable_name = no
         cacheable_dn = no
         allow_dangling_group_ref = no
    }
    client {
         scope = "sub"
         base_dn = ""
    }
    profile {
    }
    options {
         ldap_debug = 40
         chase_referrals = yes
         rebind = yes
         net_timeout = 1
         res_timeout = 10
         srv_timelimit = 3
         idle = 60
         probes = 3
         interval = 3
    }
    tls {
         start_tls = no
         require_cert = "never"
    }
   }
Creating attribute ldapmac-LDAP-Group
   instantiate {
   }
   # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
   # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
   # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"  found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec"     found in filter list for realm "DEFAULT".
   # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
   # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
   # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
   # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
   # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
   # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
   # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
   # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
   # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_leap
    # Linked to sub-module rlm_eap_gtc
    gtc {
         challenge = "Password: "
         auth_type = "PAP"
    }
    # Linked to sub-module rlm_eap_tls
    tls {
         tls = "tls-common"
    }
    tls-config tls-common {
         verify_depth = 0
         ca_path = "/usr/local/etc/raddb/certs"
         pem_file_type = yes
         private_key_file = "/usr/local/etc/raddb/certs/XXXXXXXXXXXX_2016.key"
         certificate_file = "/usr/local/etc/raddb/certs/XXXXXXXXXXXX_2019.pem"
         dh_file = "/usr/local/etc/raddb/certs/dh"
         fragment_size = 1024
         include_length = yes
         auto_chain = yes
         check_crl = no
         check_all_crl = no
         cipher_list = "DEFAULT"
         ecdh_curve = "prime256v1"
         tls_max_version = ""
         tls_min_version = "1.0"
     cache {
         enable = yes
         lifetime = 24
         max_entries = 255
     }
     verify {
         skip_if_ocsp_ok = no
     }
     ocsp {
         enable = no
         override_cert_url = yes
         url = "http://127.0.0.1/ocsp/"
         use_nonce = yes
         timeout = 0
         softfail = no
     }
    }
The configuration allows TLS 1.0 and/or TLS 1.1.  We STRONGLY recommned using only TLS 1.2 for security
Please set: min_tls_version = "1.2"
    # Linked to sub-module rlm_eap_ttls
    ttls {
         tls = "tls-common"
         default_eap_type = "md5"
         copy_request_to_tunnel = yes
         use_tunneled_reply = no
         virtual_server = "XXXXXX-inner-tunnel"
         include_length = yes
         require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_peap
    peap {
         tls = "tls-common"
         default_eap_type = "mschapv2"
         copy_request_to_tunnel = yes
         use_tunneled_reply = no
         proxy_tunneled_request_as_eap = yes
         virtual_server = "XXXXXX-inner-tunnel"
         soh = no
         require_client_cert = no
    }
tls: Using cached TLS configuration from previous invocation
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
         with_ntdomain_hack = no
         send_error = no
    }
   # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
   # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
   # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
   # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
   # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
   # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
   # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
   # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
   # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
   # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
   # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
   # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
   # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
   # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
   # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
   # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
   # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
   # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
   # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
   # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
   # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
   # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
   # Instantiating module "symlpt" from file /usr/local/etc/raddb/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20448
    accounting {
         reference = "%{tolower:type.%{Acct-Status-Type}}"
    }
    post-auth {
         reference = "."
    }
rlm_ldap (symlpt): Initialising connection pool
    pool {
         start = 5
         min = 3
         max = 32
         spare = 10
         uses = 0
         lifetime = 0
         cleanup_interval = 30
         idle_timeout = 60
         retry_delay = 30
         spread = no
    }
rlm_ldap (symlpt): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (symlpt): Connecting to ldaps://XXXXXXXXXXXX:639
zsh: segmentation fault  /usr/local/sbin/radiusd -X

Any ideas?

TIA & Regards
Ferdinand Goldmann
-- 
Ferdinand Goldmann
System Administrator
Information Management

JOHANNES KEPLER
UNIVERSITY LINZ
Altenberger Straße 69
Hochschulfond Building, HF9902
4040 Linz, Austria
P +43 732 2468 3925
ferdinand.goldmann at jku.at
www.jku.at/im