External program calling and return values - was: Locking user accounts

2005-03-19 Thread Fiederling, Daniel
Hi Alan,

ok, that's not really what I asked for originally. I'll explain my 
application to you:

I have an authentication application with a mysql db that, on changes in 
the db, writes a users file for the radius server. That file contains one time 
passwords that have a lifetime of several minutes. But we also have bought a 
second otp application that can be accessed by radius too (= therefore I need 
the proxy functionality). After I had a first version running fine, my boss 
complained that no user locking is done on brute force attacks. That was my 
first question here.

For user locking I have written a small C program that is called on every 
request. But if I have the expense of running an external program for locking, 
this app can also do the authentication for me and I don't need to write the 
users file and send the SIGHUP to radiusd on every db change. This led to my 
idea of using two default sections in the users file, one for authenticating and 
locking and a second for proxying if needed (that means if the first default 
section fails). My current question is how to implement that behavior with 
freeradius.

I thought about using the mysql db in freeradius as users database but it 
seemed too much work for me. I don't know if/how the proxying in a default 
section works if a sql db is used (any clues for me?).

How would you setup freeradius for my needs? 
I tried without success:
DEFAULT Auth-Type = `%{exec:/path/to/auth %{User-Name} %{User-Password}}`
... my pairs on success ...

Auth returned REJECT or ACCEPT, but how can I fall through to my second 
(proxying) DEFAULT on REJECT and not fall through on ACCEPT?

Thank you very much for your help :-).
Have a nice weekend!

Daniel


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, 18 March 2005 19:43
To: freeradius-users@lists.freeradius.org
Subject: Re: AW: AW: Locking user accounts 


Fiederling, Daniel [EMAIL PROTECTED] wrote:
 today I upgraded my freeradius to 1.0.2. The exec module seems to be the
 right thing for me, but I can't really figure out how to setup my 3
 cases:
 
 1) if user is known and password is ok, accept with special attributes
 2) if user is known and password is wrong, reject
 3) if user is unknown, proxy to other radius server

  I'm not sure that's what you originally asked for.

  In 1.0.2, this can be done via a perl script.  See rlm_perl.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: FreeRADIUS and MySQL+SSL

2005-03-19 Thread Marcin Jessa

I never said to use stunnel on the box with MySQL.
Use it on the box with Freeradius and don't use untested patches on what I take 
is gonna be a production server.
Stunnel is very stable and reliable.
Anyway, I'd rather make an SSL connection between two MySQL servers with database 
replication and make your radius talk to the one local to it.
And be nice: "Yeah, right" is not something you say when asking strangers for 
advice.




On Sat, 19 Mar 2005 04:14:11 +0100
Wolfram Schlich [EMAIL PROTECTED] wrote:

 * Marcin Jessa [EMAIL PROTECTED] [2005-03-19 04:05]:
  On Sat, 19 Mar 2005 03:52:52 +0100 Wolfram Schlich [EMAIL PROTECTED] 
  wrote:
   * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
 Hey guys,
 
 we would like to implement the following setup:
 - FreeRADIUS radiusd on machine A
 - MySQL mysqld on machine B
 
 FreeRADIUS should use the MySQL database on machine A over an SSL
 secured connection. Does FreeRADIUS support SSL for MySQL connections?

I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
as the mysql sources (/usr/include/mysql/mysql.h).

It looks like you need to call mysql_ssl_set() with the needed
parameters (mysql socket connection, ssl key file, ssl cert file, ssl
ca file, ssl ca path and ssl cipher) right after the mysql_init()
call, which is located in line 76 of the sql_mysql.c file (at least in
the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
src/modules/rlm_sql/drivers/rlm_sql_mysql).

Any volunteers for coding a test implementation? :)
   
   Ok, I have sat down and hacked something together, with a little help
   from a friend. I probably did something wrong or suboptimal (as I
   said, I am not a C coder), but at a first glance, it seems to work fine.
   Here's the patch:
   
 http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
   
   Please feel invited to test it and eventually fix any bugs you find :-)
 
  All you need is stunnel.
 
 Yeah, right -- because MySQL supports SSL right out of the box, I will
 use another piece of external software. EBADIDEA.
 With MySQL-4, there's no need for such a kludgy workaround anymore.
 -- 
 Wolfram Schlich
 


-- 

Regards,
M. Jessa
http://www.yazzy.org




Re: FreeRADIUS and MySQL+SSL

2005-03-19 Thread Wolfram Schlich
* Marcin Jessa [EMAIL PROTECTED] [2005-03-19 13:17]:
 On Sat, 19 Mar 2005 04:14:11 +0100 Wolfram Schlich [EMAIL PROTECTED] wrote:
  * Marcin Jessa [EMAIL PROTECTED] [2005-03-19 04:05]:
   On Sat, 19 Mar 2005 03:52:52 +0100 Wolfram Schlich [EMAIL PROTECTED] 
   wrote:
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
 * Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
  Hey guys,
  
  we would like to implement the following setup:
  - FreeRADIUS radiusd on machine A
  - MySQL mysqld on machine B
  
  FreeRADIUS should use the MySQL database on machine A over an SSL
  secured connection. Does FreeRADIUS support SSL for MySQL 
  connections?
 
 I'm not a C coder, but! :) I had a look at the sql_mysql.c file as 
 well
 as the mysql sources (/usr/include/mysql/mysql.h).
 
 It looks like you need to call mysql_ssl_set() with the needed
 parameters (mysql socket connection, ssl key file, ssl cert file, ssl
 ca file, ssl ca path and ssl cipher) right after the mysql_init()
 call, which is located in line 76 of the sql_mysql.c file (at least in
 the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
 src/modules/rlm_sql/drivers/rlm_sql_mysql).
 
 Any volunteers for coding a test implementation? :)

Ok, I have sat down and hacked something together, with a little help
from a friend. I probably did something wrong or suboptimal (as I
said, I am not a C coder), but at a first glance, it seems to work fine.
Here's the patch:


http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch

Please feel invited to test it and eventually fix any bugs you find :-)
  
   All you need is stunnel.
  
  Yeah, right -- because MySQL supports SSL right out of the box, I will
  use another piece of external software. EBADIDEA.
  With MySQL-4, there's no need for such a kludgy workaround anymore.
 
 I never said to use stunnel on the box with MySQL.
 Use it on the box with Freeradius

As far as I can tell MySQL doesn't use SSL as one might think at
first, it uses the standard (unencrypted) MySQL protocol to
make a handshake with the peer and negotiate SSL flags, then it
switches to SSL secured communication, so I doubt it'd work the
way you suggested. I'm open to a counter-evidence, of course :)

 and dont use untested
 patches on what I take is gonna be a production server.

That's what I'm doing all this for, to get it tested and maybe some
kind of approved by the FreeRADIUS maintainers.
Nonetheless this patch is only for _enabling_ already tested
functionality (from the MySQL client library), so it won't be a big
deal anyway -- either it works, or it doesn't, you'll notice it
right at the start :)

 Stunnel is very stable and reliable.

I think you are right, but that still doesn't make me want to
use it for the aforementioned scenario :)
I use stunnel for software which doesn't support SSL _at all_,
but MySQL does -- FreeRADIUS just lacks a few lines of code for
enabling it.

 Anyway, I'd rather make SSL connection between two MySQL servers
 with database replication and make your radius talk to the one
 local to it.

That would be even more overhead than the use of stunnel.
I still don't see a logical reason to forego the native MySQL4 SSL
implementation for an external 3rd party one.

Anyway, this discussion was not meant to be about personal taste.
So, if you'd go for stunnel, I'm absolutely fine with that :)
If you have to say something regarding the patch _besides_
philosophical aspects, feel free to participate.
Thanks.
-- 
Wolfram Schlich

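Wolfram's point that MySQL negotiates SSL inside its own protocol, as an added Python example that is not part of the thread or of the patch: it parses a constructed server greeting (Protocol::HandshakeV10), checks the CLIENT_SSL capability bit, and builds the plaintext SSLRequest packet after which the client starts TLS on the same socket. The packet layout and constant values are those of the MySQL client/server protocol; the function names and the sample greeting are my own.

```python
import struct

# Capability bits from the MySQL client/server protocol (the protocol's own constants).
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800


def parse_server_greeting(pkt: bytes) -> dict:
    """Parse a Protocol::HandshakeV10 greeting, the first packet the server sends.

    It always travels in the clear: TLS has not started yet, and the capability
    flags inside it tell the client whether the server will accept an SSLRequest."""
    if len(pkt) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(pkt[0:3], "little")      # 3-byte payload length
    seq = pkt[3]                                      # sequence id, 0 for the greeting
    body = pkt[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet body")
    if body[0] != 10:
        raise ValueError("unsupported handshake protocol version %d" % body[0])
    nul = body.index(b"\x00", 1)
    server_version = body[1:nul].decode("ascii", "replace")
    pos = nul + 1
    conn_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4 + 8 + 1                                  # connection id, auth-data part 1, filler
    cap_lo = struct.unpack_from("<H", body, pos)[0]
    pos += 2 + 1 + 2                                  # lower caps, charset, status flags
    cap_hi = struct.unpack_from("<H", body, pos)[0]
    caps = cap_lo | (cap_hi << 16)
    return {
        "seq": seq,
        "server_version": server_version,
        "connection_id": conn_id,
        "capabilities": caps,
        "ssl_offered": bool(caps & CLIENT_SSL),
    }


def build_ssl_request(client_caps: int, seq: int,
                      max_packet: int = 1 << 24, charset: int = 33) -> bytes:
    """Protocol::SSLRequest: a 32-byte body (caps, max packet size, charset, 23 reserved
    bytes) with CLIENT_SSL set. It is sent in plaintext; the TLS handshake follows on the
    same socket, and only then does the real login packet go out, encrypted."""
    caps = client_caps | CLIENT_PROTOCOL_41 | CLIENT_SSL
    body = struct.pack("<IIB", caps, max_packet, charset) + b"\x00" * 23
    return len(body).to_bytes(3, "little") + bytes([seq]) + body


def tls_step(greeting: bytes, client_caps: int = 0) -> bytes:
    """Client side of the negotiation: refuse to go on if the server does not offer TLS,
    otherwise return the SSLRequest the client must send before starting TLS."""
    info = parse_server_greeting(greeting)
    if not info["ssl_offered"]:
        raise RuntimeError("server %s does not offer TLS; not sending credentials"
                           % info["server_version"])
    return build_ssl_request(client_caps, seq=info["seq"] + 1)


def make_greeting(caps: int, version: bytes = b"4.1.22-log", conn_id: int = 7) -> bytes:
    """Constructed sample greeting (test data, not a capture from a real server)."""
    body = (bytes([10]) + version + b"\x00" + struct.pack("<I", conn_id)
            + b"ABCDEFGH" + b"\x00"                      # auth-data part 1, filler
            + struct.pack("<H", caps & 0xFFFF) + bytes([33])
            + struct.pack("<H", 0x0002)                  # status flags: autocommit
            + struct.pack("<H", caps >> 16) + b"\x00" + b"\x00" * 10)
    return len(body).to_bytes(3, "little") + b"\x00" + body
```

Because the greeting and the SSLRequest are exchanged in the clear before TLS starts, a wrapper that encrypts from the first byte on only the FreeRADIUS side cannot take part in this exchange, which is the reason the client-side-only stunnel setup is unlikely to work.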


Re: FreeRADIUS and MySQL+SSL

2005-03-19 Thread Wolfram Schlich
* Paul Hampson [EMAIL PROTECTED] [2005-03-19 04:56]:
 On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
  * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
   * Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
Hey guys,
 
we would like to implement the following setup:
- FreeRADIUS radiusd on machine A
- MySQL mysqld on machine B
 
FreeRADIUS should use the MySQL database on machine A over an SSL
secured connection. Does FreeRADIUS support SSL for MySQL connections?
 
   I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
   as the mysql sources (/usr/include/mysql/mysql.h).
 
   It looks like you need to call mysql_ssl_set() with the needed
   parameters (mysql socket connection, ssl key file, ssl cert file, ssl
   ca file, ssl ca path and ssl cipher) right after the mysql_init()
   call, which is located in line 76 of the sql_mysql.c file (at least in
   the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
   src/modules/rlm_sql/drivers/rlm_sql_mysql).
 
   Any volunteers for coding a test implementation? :)
 
  Ok, I have sat down and hacked something together, with a little help
  from a friend. I probably did something wrong or suboptimal (as I
  said, I am not a C coder), but at a first glance, it seems to work fine.
  Here's the patch:
 
  http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
 
 Please remember to post patches to the list for easier discussion.

Ok, sorry.

 And also, this sort of patch would probably be best against HEAD.

The patch wasn't meant as an official submission for upstream, but
as a basis for a discussion :)

 I don't
 give it much chance of getting into 1.0.3, especially since MySQL don't
 distribute SSL-enabled binaries.

What does the MySQL client distribution policy have to do
with this?! *wonder*

 They're apparently moving away from
 OpenSSL in the server, but no indication that they're going to
 un-OpenSSL the _client_ libraries. [1] [2]

Well, OpenSSL or GnuTLS -- it doesn't matter as long as the
MySQL protocol keeps supporting SSL'd connections...
I have posted a comment to [2] in order to get some more information
from that MySQL guy.

 That said, this patch looks OK to me, although it does raise the
 question of when that function was added to the mySQL client library.

4.0.x IIRC

 It's not a problem if the client was built without SSL support, as the
 function will still exist and run, but is effectively a no-op. [3]

Yup.

 I'd maybe be happier if it was a configure option, so that people who
 _need_ to link against the LGPL libmysqlclient10 (or whatever it's
 called outside Debian. ^_^) don't get stuck unable to build
 rlm_sql_mysql. And with that configure option, I expect the configure
 help to mention what version of the client library is needed. ^_^

Good idea.

 (For reference, a quick check in Debian suggests that in 3.23.49,
 the function is only present if mySQL was compiled with --with-ssl,
 while in 4.0.23 it was always available. So this _does_ have to be
 done before it can be accepted.)

Oh, I didn't know 3.23.x did support SSL to whatever extent :)

 If you like, you can probably make it a configure test that checks
 for mysql_ssl_set being available in mysql.h, and flags it accordingly
 to make it easier for the user. (eg. They have to do exactly nothing
 to use their SSL-enabled libmysqlclient with FreeRADIUS.) This should
 only be a line or two in configure.in. ^_^

Agreed.

I guess I'll email the -devel list and ask the developers about their
opinion to probe for a possible inclusion of the SSL functionality
into upstream.

Thanks for your input!

 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291945
 [2] http://bugs.mysql.com/bug.php?id=8508
 [3] http://dev.mysql.com/doc/mysql/en/mysql-ssl-set.html
-- 
Wolfram Schlich



Re: authentication by mac adress, username and password

2005-03-19 Thread Markus Krause
hi alexandre,

this is a very nice idea, thank you for that! (using an external script helped
me with another problem ;-) )
but actually i prefer to have all the authentication data in one place.
meanwhile i managed to check username, password and calling-station-id against
the data in an ldap-database. i would like to have the data in a file like
/etc/freeradius/users but i could not figure out how this has to be done, i
tried something like:

--8<-- part of /etc/freeradius/users --
testuser   Auth-Type := Local, User-Password == "testing", Calling-Station-Id == "AABBCCDDEEFF"
           Service-Type = Framed-User,
           Framed-IP-Address = 192.168.0.111,
--8<--

but freeradius returns

   modcall[authorize]: module files returns notfound for request 0

where can i find information about the syntax of the users file or how can i
add the data for calling-station-id in this file?

thanks in advance for any hints!
   markus

Quoting Alexandre Coninx [EMAIL PROTECTED]:
 On Thu, Mar 17, 2005, Markus Krause wrote:
  hi all,
 
  i want to authenticate users at a cisco router by checking the mac-address,
  the username and the password. (how) can this be done using freeradius?

 Hello,

 I managed to do that by first checking the MAC during the authorization
 process with an external script (using the exec module), and then
 authenticating the user with user/password with whatever method you
 want to use (in my case PEAP-MSCHAPv2 + ntlm_auth, but any other should
 work).

 My radiusd.conf looks like this:

 modules {
   ...
   exec mac_check {
     wait = yes
     program = "/path/to/your/script.pl %{User-Name} %{Calling-Station-Id}"
     input_pairs = request
     output_pairs = reply
     packet_type = Access-Request
     ...
   }
 }

 authorize {
   preprocess
   auth_log
   mac_check
   mschap
   eap
 }

 authenticate {
   Auth-Type MS-CHAP {
     mschap
   }
   eap
 }


 The script is a simple perl script that connects to our members
 database, checks if the MAC is registered and belongs to the
 member trying to connect, and refuse (exit 1;) or accept (exit 0;)
 authorization based on that.

 There is probably a cleaner way to do that, but it works well.

 --
 Endy




--
Markus Krause   email: [EMAIL PROTECTED]
Computing CenterTel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics   Fax.: 089 - 89 40 85 98

-
 This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]


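Alexandre's exec-module MAC check, as an added Python example that is not the Perl script from the post: it takes User-Name and Calling-Station-Id as arguments the way the quoted program line passes them, normalizes the MAC formats different NAS vendors send, and exits 0 or 1 as the post describes. The MEMBERS table is a constructed stand-in for the members database.

```python
import re
import sys

# Constructed member table (assumption standing in for the members database the post
# describes): username -> MACs registered to that member, in canonical form.
MEMBERS = {
    "alice": {"aabbccddeeff"},
    "bob": {"001122334455", "66778899aabb"},
}

# Formats NAS vendors use for Calling-Station-Id: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
# aabb.ccdd.eeff (Cisco style), or twelve bare hex digits.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$"
)


def canonical_mac(raw: str):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a well-formed MAC.
    Comparing canonical forms avoids a false reject when the NAS formats the address
    differently from the database; a malformed value is never accepted."""
    s = raw.strip().lower()
    if not _MAC_RE.match(s):
        return None
    return re.sub(r"[^0-9a-f]", "", s)


def mac_allowed(username: str, calling_station_id: str) -> bool:
    """True only if the MAC is well-formed and registered to exactly this user."""
    mac = canonical_mac(calling_station_id)
    if mac is None:
        return False
    return mac in MEMBERS.get(username, set())


def main(argv) -> int:
    # rlm_exec runs:  program = "/path/to/script %{User-Name} %{Calling-Station-Id}"
    # Only these two attributes are passed; never put %{User-Password} on a command
    # line, since arguments are visible to every local user in the process list.
    if len(argv) != 3:
        print("usage: mac_check USER CALLING-STATION-ID", file=sys.stderr)
        return 1
    if mac_allowed(argv[1], argv[2]):
        # with output_pairs = reply, attribute lines on stdout are added to the reply
        print('Reply-Message = "MAC check passed"')
        return 0          # exit 0: accept, as in the post
    print("mac_check: %s from %s rejected" % (argv[1], argv[2]), file=sys.stderr)
    return 1              # exit 1: refuse, as in the post


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```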


Re: Compiling freeradius 1.0.2 with mssql support

2005-03-19 Thread Achim Schmidt
hi all,

ok - i got it. my freerad is now working with mssql perfectly.
I use now unixodbc+freetds. If anybody is interested - 
drop me an email.

cu,

achim

Quoting Paul Hampson [EMAIL PROTECTED]:
 On Wed, Mar 16, 2005 at 01:46:09PM +0100, Achim Schmidt wrote:
  Hello,
 
  I'm still trying to compile freeradius-1.0.2 with mssql support and 
  without mysql. Freetds is installed and working.
 
  I can't find that the lib is built in the make run. Also I'm missing 
  another file. If I look into the source-tree of the freeradius, in subdir:
 
  src/modules/rlm_sql/drivers/rlm_sql_freetds
 
  I saw only a Makefile. In this there is a reference to a file called
 
  sql_freetds.c
 
 You'd have to pull it from the CVS Attic, it's been removed for over
 two years for causing problems. FreeTDS was (according to upstream
 advice at the time) an internal API and it was a moving target, so
 it got dropped.
 
 http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_freetds/
 
 -- 
 Paul TBBle Hampson, on an alternate email client.
 

-- 
Achim Schmidt [EMAIL PROTECTED]



Re: External program calling and return values - was: Locking user accounts

2005-03-19 Thread Alan DeKok
Fiederling, Daniel [EMAIL PROTECTED] wrote:
 For user locking I have written a small c programm that is called on
 every request.

  That's not necessary, if you have a DB.  Just write a program to
write a locked record to MySQL when the user is rejected.

 But if I have the expense of running an external program for
 locking, this app can also do the authentication for me and I don't
 need to write the users file and send the SIGHUP to radiusd on every
 db change.

  You don't have to HUP the server if you change data in the MySQL DB.

 I thought about using the mysql db in freeradius as users database but
 it seemed too much work for me.

  It is the best way to solve the problem.

  Alan DeKok.

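Alan's suggestion above, writing a locked record to the database when a user is rejected rather than running a separate locking program on every request, as an added Python example that is not part of the thread: sqlite3 stands in for Daniel's MySQL database so it runs stand-alone, and the table names, thresholds and the decide() wrapper around the real password check (the OTP application) are assumptions.

```python
import sqlite3
import time

# Policy (assumed values): lock after MAX_FAILURES failed logins inside WINDOW_SECONDS,
# and keep the account locked for LOCK_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCK_SECONDS = 900

# Table and column names are assumptions standing in for Daniel's MySQL schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS auth_failure (
    username  TEXT    NOT NULL,
    failed_at INTEGER NOT NULL
);
CREATE INDEX IF NOT EXISTS auth_failure_idx ON auth_failure (username, failed_at);
CREATE TABLE IF NOT EXISTS account_lock (
    username     TEXT    PRIMARY KEY,
    locked_until INTEGER NOT NULL,
    reason       TEXT    NOT NULL
);
"""


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def is_locked(db, username, now):
    """A lock row that has not expired yet means: reject without checking the password."""
    row = db.execute("SELECT locked_until FROM account_lock WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and row[0] > now


def record_failure(db, username, now):
    """Called after the backend rejected the password. Writes the locked record
    Alan describes once the failure count inside the window reaches the limit;
    returns True if this failure locked the account."""
    since = now - WINDOW_SECONDS
    with db:  # one transaction, committed on exit
        db.execute("INSERT INTO auth_failure (username, failed_at) VALUES (?, ?)",
                   (username, now))
        db.execute("DELETE FROM auth_failure WHERE failed_at < ?", (since,))
        (count,) = db.execute(
            "SELECT COUNT(*) FROM auth_failure WHERE username = ? AND failed_at >= ?",
            (username, since)).fetchone()
        if count >= MAX_FAILURES:
            db.execute(
                "INSERT OR REPLACE INTO account_lock (username, locked_until, reason) "
                "VALUES (?, ?, ?)",
                (username, now + LOCK_SECONDS,
                 "%d failures within %d s" % (count, WINDOW_SECONDS)))
            return True
    return False


def record_success(db, username):
    """A correct password on an unlocked account clears the failure history."""
    with db:
        db.execute("DELETE FROM auth_failure WHERE username = ?", (username,))


def decide(db, username, check_password, now=None):
    """One Access-Request. check_password is the real credential check (the OTP
    application here); it is only called when the account is not locked, so a locked
    account is rejected before the password is ever looked at and a correct guess
    while locked still gets a reject. Returns "locked", "reject" or "accept"."""
    now = int(time.time()) if now is None else now
    if is_locked(db, username, now):
        return "locked"
    if check_password():
        record_success(db, username)
        return "accept"
    record_failure(db, username, now)
    return "reject"
```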


Re: FreeRadius + Unix PAM + Password Change

2005-03-19 Thread Alan DeKok
K Bhaskar [EMAIL PROTECTED] wrote:
 I would like to know how I control the password change on the linux 
 server. Can I configure the password change to effect the changes in 
 radius?

  No.

  Alan DeKok.



l2tp and checkrad script patch

2005-03-19 Thread tx0

Hello.
I've found that the checkrad script is using the SNMP_Session perl module,
which doesn't work correctly, so I would like to post a little
patch for the checkrad script to support the Simultaneous-Use check with
an l2tp LNS/NAS. You have to install the Net::SNMP perl module to get
this thing working.
--- /usr/ports/net/freeradius/work/freeradius-1.0.2/src/main/checkrad.pl
Thu Mar 17 06:00:31 2005
+++ checkradFri Mar 18 16:50:06 2005
@@ -28,7 +28,7 @@
 #  netserver_telnet 1.0Author: [EMAIL PROTECTED]
 #  versanet_snmp1.0Author: [EMAIL PROTECTED]
 #  bay_finger   1.0Author: [EMAIL PROTECTED]
-#  cisco_l2tp   1.14   Author: [EMAIL PROTECTED]
+#  cisco_l2tp   0.1Author: Volodya Vaynshteyn [EMAIL 
PROTECTED]
 #  mikrotik_telnet  1.1Author: Evren Yurtesen [EMAIL 
PROTECTED]
 #  mikrotik_snmp1.0Author: Evren Yurtesen [EMAIL 
PROTECTED]
 #  redback_telnet  Author: Eduardo Roldan
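Review bot: the cisco_l2tp version in the header table goes backwards, from 1.14 to 0.1, on the `+#  cisco_l2tp   0.1` line; since this is a rewrite of an existing method rather than a new one, bump the version instead (2.0, for instance) and consider keeping the original author credited next to the new one so the header still reflects the method's history.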
@@ -43,6 +43,7 @@
 #  $naspass is the location of your NAS admin password file
 #
 
+
 $prefix= /usr/local;
 $localstatedir = /var;
 $logdir= /var/log;
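Review bot: whitespace-only hunk: the added blank line between the `#` comment block and `$prefix = /usr/local;` changes nothing and should be left out, so the patch stays focused on the cisco_l2tp change and applies more easily to other checkrad.pl versions.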
@@ -50,7 +51,7 @@
 $raddbdir  = ${sysconfdir}/raddb;
 
 $debug = ;
-#$debug= $logdir/checkrad.log;
+$debug = $logdir/checkrad.log;
 
 $snmpget   = /usr/local/bin/snmpget;
 $snmpwalk  = /usr/local/bin/snmpwalk;
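Review bot: `+$debug = $logdir/checkrad.log;` turns debug logging on for every installation by uncommenting a line that was deliberately commented out in the shipped script; that log records every user name and NAS port checkrad looks at and grows without bound, so leave the line commented out as before and enable it locally while testing.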
@@ -76,6 +77,7 @@
 #  Do not complain if we cannot find it.
 #  Prefer a locally installed copy.
 #
+
 BEGIN {
unshift @INC, /usr/local/lib/site_perl;
 
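Review bot: whitespace-only hunk; the blank line added before `BEGIN {` changes nothing and should be dropped from the patch.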
@@ -1114,47 +1116,89 @@
 # Make sure you set the $realm variable at the begining of the file if
 # needed. The new type for naslist is cisco_l2tp
 
-sub find_l2tp_login
-{
-  my($host, $community, $port_num) = @_;
-  my $l2tp_oid = '.1.3.6.1.4.1.9.10.24.1.3.2.1.2.2';
-  my $port_oid = 
'.iso.org.dod.internet.private.enterprises.9.10.51.1.2.1.1.2.2';
-  my $port = 'Vi' . $port_num;
-
-  my $sess = new SNMP::Session(DestHost = $host, Community =  $community);
-  my $snmp_var = new  SNMP::Varbind([$port_oid]);
-  my $val = $sess-getnext($snmp_var);
-
-  do
-  {
-$sess-getnext($snmp_var);
-  } until ($snmp_var-[$SNMP::Varbind::val_f] =~ /$port/) ||
-   (!($snmp_var-[$SNMP::Varbind::ref_f] =~ /^$port_oid\.(\d+)\.(\d+)$/)) 
||
-   ($sess-{ErrorNum});
-
-  my $val1 = $snmp_var-[$SNMP::Varbind::ref_f];
-
-  if ($val1 =~ /^$port_oid/) {
-$result = substr($val1, length($port_oid));
-$result =~ /^\.(\d+)\.(\d+)$/;
-$tunID = $1;
-$sessID = $2;
-  }
-
-  my $snmp_var1 = new SNMP::Varbind([$l2tp_oid\.$tunID\.$sessID]);
-  $val = $sess-get($snmp_var1);
-  my $login = $snmp_var1-[$SNMP::Varbind::val_f];
-
-  return $login;
-}
-
-sub cisco_l2tp_snmp
-{
-  my $login = find_l2tp_login($ARGV[1], $cmmty_string, $ARGV[2]);
-  print LOG   user at port S$ARGV[2]: $login\n if ($debug);
-  ($login eq [EMAIL PROTECTED]) ? 1 : 0;
+
+sub 
+cisco_l2tp_snmp {
+
+use Net::SNMP qw(oid_lex_sort oid_base_match SNMP_VERSION_1 DEBUG_ALL);
+
+   my ($nas_ip,$user)  = @_;
+my ($method, $community) = naspasswd($nas_ip, 1);
+
+if ($method eq '') {
+$community = $cmmty_string;
+} elsif ($method ne 'SNMP') {
+  print LOG Error: Need SNMP community string for $nas_ip\n if 
($debug);
+  return 2;
 }
 
+my ($s, $e) = Net::SNMP-session(
+-hostname   = $nas_ip,
+-community  = $community,
+-version= 2c,
+);
+
+ if (!defined($s)) {
+print LOG $e if ($debug);
+return 255;
+ } else {
+
+use vars qw( %t_logname %t_port );
+
+   ## check cvpdnSessionAttrUserName
+%t_logname = 
get_table_as_hash($s,'.1.3.6.1.4.1.9.10.24.1.3.2.1.2.2.');
+%t_port= 
get_table_as_hash($s,'.1.3.6.1.4.1.9.10.51.1.2.1.1.2.2.');
+
+foreach $port_table_id (keys(%t_port)) {
+   if ($t_logname{$port_table_id} eq $user){ 
+   print LOG User $t_logname{$port_table_id} already 
logged in at port $t_port{$port_table_id}\n if ($debug);
+   return 1;
+   }
+}
+   print LOG User $user successfully logged in at port 
$t_port{$port_table_id}\n if ($debug);
+   return 0;
+$s-close();
+ }
+
+}
+
+sub
+get_table_as_hash() {
+
+use vars qw( $num $val $oid %buf );
+my ($s,$oid) = @_;
+
+my @args = (
+-varbindlist= [$oid],
+-maxrepetitions = 25,
+);
+
+outer: while (defined($s-get_bulk_request(@args))) {
+my @oids = oid_lex_sort(keys(%{$s-var_bind_list}));
+foreach (@oids) {
+if (!oid_base_match($oid, $_)) {
+last outer;
+}
+$num = $_;
+$num =~ s/$oid//;
+ 
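Review bot: in the new cisco_l2tp_snmp, `$s-close();` sits after `return 0;`, so the Net::SNMP session is never closed on the success path (close it before both returns, or let the caller close it), and the "User $user successfully logged in at port $t_port{$port_table_id}" line is printed after the foreach loop has finished, when $port_table_id holds the last key iterated (or nothing at all), so the port in that message is not the user's port; log it inside the loop or drop it from the message. Smaller points: get_table_as_hash is declared with an empty `()` prototype yet called with two arguments ($s, $oid), so drop the prototype; `-version = 2c` needs a quoted string; the `use vars` package globals (%t_logname, %t_port, $num, $val, $oid, %buf) would be safer as `my` lexicals, particularly $oid, which is both a global here and the sub's own parameter; SNMP_VERSION_1 and DEBUG_ALL are imported but never used; and since the hunk is cut off in the message after `$num =~ s/$oid//;`, the rest of get_table_as_hash (how %buf is filled and returned) cannot be reviewed from what was posted, so please repost the complete patch inline.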

FreeRADIUS Win32 Binary Distribution?

2005-03-19 Thread Jeff Reilly
Is there any reason no one has yet made available FreeRADIUS Win32 binaries
for Distribution?  I have built 1.0.2 with Cygwin and have put together a
basic install wrapper.  I have done some investigation with respect to
distribution of the required Cygwin binaries... and could find no obvious
reason these could not be included with the package as long as the source
was available upon request.
 
With a little guidance I'm sure this could be made available to freely
download, I am willing to host.  
 
Any thoughts or objections?
 
Jeff



Re: FreeRADIUS Win32 Binary Distribution?

2005-03-19 Thread Alan DeKok
Jeff Reilly [EMAIL PROTECTED] wrote:
 Is there any reason no one has yet made available FreeRADIUS Win32 binaries
 for Distribution?

  No one has built them, I guess.

  I do some testing under Interix, but I'm not sure if those binaries
will work on a plain XP system.

 With a little guidance I'm sure this could be made available to freely
 download, I am willing to host.  

  Sure.  Build them, put them on a web page, and we'll point to them.

  Alan DeKok.




Re: FreeRADIUS and MySQL+SSL

2005-03-19 Thread Paul Hampson
On Sat, Mar 19, 2005 at 02:06:56PM +0100, Wolfram Schlich wrote:
 * Paul Hampson [EMAIL PROTECTED] [2005-03-19 04:56]:
  On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
   * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
 Hey guys,

 we would like to implement the following setup:
 - FreeRADIUS radiusd on machine A
 - MySQL mysqld on machine B

 FreeRADIUS should use the MySQL database on machine A over an SSL
 secured connection. Does FreeRADIUS support SSL for MySQL connections?

I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
as the mysql sources (/usr/include/mysql/mysql.h).

It looks like you need to call mysql_ssl_set() with the needed
parameters (mysql socket connection, ssl key file, ssl cert file, ssl
ca file, ssl ca path and ssl cipher) right after the mysql_init()
call, which is located in line 76 of the sql_mysql.c file (at least in
the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
src/modules/rlm_sql/drivers/rlm_sql_mysql).

Any volunteers for coding a test implementation? :)

   Ok, I have sat down and hacked something together, with a little help
   from a friend. I probably did something wrong or suboptimal (as I
   said, I am not a C coder), but at a first glance, it seems to work fine.
   Here's the patch:

 http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch

  Please remember to post patches to the list for easier discussion.

 Ok, sorry.

  And also, this sort of patch would probably be best against HEAD.
 
 The patch wasn't meant as an official submission for upstream, but
 as a basis for a discussion :)

Yeah, sorry about that. I didn't notice this was on -user instead of
-devel, and treated it as if it was on the latter. ^_^

  I don't
  give it much chance of getting into 1.0.3, especially since MySQL don't
  distribute SSL-enabled binaries.
 
 What does the MySQL client distribution policy have to do
 with this?! *wonder*

Basically, things going into 1.0.3 (if it happens) are bug fixes, not
feature changes. The fact that you have to recompile your mySQL locally
anyway to enable SSL makes it reasonable to me to say this change is
something you can patch in yourself as well.

If upstream binaries were coming SSL-enabled, we could almost build a
case that this is a bug, rather than a new feature.

Still, it has to get into HEAD before I'll consider it for 1.0.3, so one
hurdle at a time.

  They're apparently moving away from
  OpenSSL in the server, but no indication that they're going to
  un-OpenSSL the _client_ libraries. [1] [2]

 Well, OpenSSL or GnuTLS -- it doesn't matter as long as the
 MySQL protocol keeps supporting SSL'd connections...
 I have posted a comment to [2] in order to get some more information
 from that MySQL guy.

It matters as far as distributing binaries goes. You can't distribute a
binary that links GPL code without any exception (such as FreeRADIUS and
many of its depended-on libraries) with OpenSSL.

It's slightly more complicated than that, but there is a license issue
of some kind which needs to be looked out for. It doesn't really affect
_us_, but it's something to be mindful of when playing with these
things.

-- 
Paul TBBle Hampson, on an alternate email client.



RE: FreeRADIUS Win32 Binary Distribution?

2005-03-19 Thread Jeff Reilly
The Site and the binaries are still well under construction... but both
appear to function at first glance ;)  I've done some successful testing
with radclient.exe...  I expect in the next few days I will test further
against some real gear with various eap-types.  

If you are interested in trying a win32 version of FreeRADIUS please feel
free to visit http://www.bootstick.com/freeradius.  

Any and all feedback is welcome... be kind, I'm new at this.  

Thanks,
Jeff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Saturday, March 19, 2005 7:50 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: FreeRADIUS Win32 Binary Distribution? 

Jeff Reilly [EMAIL PROTECTED] wrote:
 Is there any reason no one has yet made available FreeRADIUS Win32
binaries
 for Distribution?

  No one has built them, I guess.

  I do some testing under Interix, but I'm not sure if those binaries
will work on a plain XP system.

 With a little guidance I'm sure this could be made available to freely
 download, I am willing to host.  

  Sure.  Build them, put them on a web page, and we'll point to them.

  Alan DeKok.


