commit 349e7cca2cb0676258d547bae969635289a4756a5841d5e80f3fd2f9f4c5584c Author: Adrian Schröter Date: Fri May 3 12:38:20 2024 +0200 Sync from SUSE:SLFO:Main freeradius-server revision b3641ec7b7961c887d43a8c804d71025
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/freeradius-server-3.2.3.tar.bz2 b/freeradius-server-3.2.3.tar.bz2
new file mode 100644
index 0000000..41363a9
--- /dev/null
+++ b/freeradius-server-3.2.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4a16aeffbfa1424e1f317fdf71d17e5523a4fd9564d87c747a60595ef93c5d1f
+size 3454869
diff --git a/freeradius-server-3.2.3.tar.bz2.sig b/freeradius-server-3.2.3.tar.bz2.sig
new file mode 100644
index 0000000..2dadfb0
Binary files /dev/null and b/freeradius-server-3.2.3.tar.bz2.sig differ
diff --git a/freeradius-server-enable-python3.patch b/freeradius-server-enable-python3.patch
new file mode 100644
index 0000000..59a19af
--- /dev/null
+++ b/freeradius-server-enable-python3.patch
@@ -0,0 +1,20 @@
+Index: freeradius-server-3.2.1/src/modules/rlm_python3/example.py
+===================================================================
+--- freeradius-server-3.2.1.orig/src/modules/rlm_python3/example.py
++++ freeradius-server-3.2.1/src/modules/rlm_python3/example.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python3
++#!/usr/bin/python3
+ #
+ # Python module example file
+ # Miguel A.L. Paraz
+Index: freeradius-server-3.2.1/src/modules/rlm_python3/radiusd.py
+===================================================================
+--- freeradius-server-3.2.1.orig/src/modules/rlm_python3/radiusd.py
++++ freeradius-server-3.2.1/src/modules/rlm_python3/radiusd.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python3
++#!/usr/bin/python3
+ #
+ # Definitions for RADIUS programs
+ #
diff --git a/freeradius-server-fix-perl-shbang.patch b/freeradius-server-fix-perl-shbang.patch
new file mode 100644
index 0000000..5b3fe02
--- /dev/null
+++ b/freeradius-server-fix-perl-shbang.patch
@@ -0,0 +1,27 @@
+diff -Nur freeradius-server-3.0.23/doc/rfc/genref.pl new/doc/rfc/genref.pl
+--- freeradius-server-3.0.23/doc/rfc/genref.pl 2021-06-10 16:49:17.000000000 +0200
++++ new/doc/rfc/genref.pl 2021-06-27 17:40:13.946667745 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ foreach $file (@ARGV) {
+ open FILE, "<$file" || die "Error opening $file: $!\n";
+
+diff -Nur freeradius-server-3.0.23/doc/rfc/per-rfc.pl new/doc/rfc/per-rfc.pl
+--- freeradius-server-3.0.23/doc/rfc/per-rfc.pl 2021-06-10 16:49:17.000000000 +0200
++++ new/doc/rfc/per-rfc.pl 2021-06-27 17:40:32.390794075 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ #
+ # Read in the references, and put into an associative array
+diff -Nur freeradius-server-3.0.23/doc/rfc/rewrite.pl new/doc/rfc/rewrite.pl
+--- freeradius-server-3.0.23/doc/rfc/rewrite.pl 2021-06-10 16:49:17.000000000 +0200
++++ new/doc/rfc/rewrite.pl 2021-06-27 17:40:41.162865842 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ #
+ # Read in the references, and put into an associative array
diff --git a/freeradius-server-opensslversion.patch b/freeradius-server-opensslversion.patch
new file mode 100644
index 0000000..ebac44e
--- /dev/null
+++ b/freeradius-server-opensslversion.patch
@@ -0,0 +1,18 @@
+Author: Adam Majer
+Summary: SUSE OpenSSL version scheme does not follow upstream.
+ Relax, breathe, apply.
+
+Index: freeradius-server-3.0.20/src/main/version.c
+===================================================================
+--- freeradius-server-3.0.20.orig/src/main/version.c
++++ freeradius-server-3.0.20/src/main/version.c
+@@ -52,6 +52,9 @@ static long ssl_built = OPENSSL_VERSION_
+ */
+ int ssl_check_consistency(void)
+ {
++ // noop, since ABI is compatible for SUSE OpenSSL
++ return 0;
++
+ long ssl_linked;
+
+ ssl_linked = SSLeay();
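Review bot: The added `return 0;` at the top of `ssl_check_consistency()` switches off the whole built-versus-linked OpenSSL comparison, so a library that really is mismatched would no longer be reported at startup, and everything after the return, starting with `long ssl_linked;`, becomes unreachable code. The patch header justifies this only by SUSE's version numbering, so a narrower relaxation would be safer if that numbering allows one; failing that, compile the original body out with `#if 0` / `#endif` so no dead code sits behind a live `return`. The comment should record the assumption being relied on, for example `/* SUSE: OpenSSL version numbers differ from upstream while the ABI stays compatible, so the built-vs-linked check is skipped */`. The inner patch is still addressed to freeradius-server-3.0.20 while this commit ships the 3.2.3 tarball, and the function body continues outside the hunk, so it is worth confirming that the hunk still lands at the top of this function.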
diff --git a/freeradius-server-radclient-init-error-buffer.patch b/freeradius-server-radclient-init-error-buffer.patch
new file mode 100644
index 0000000..6d844cf
--- /dev/null
+++ b/freeradius-server-radclient-init-error-buffer.patch
@@ -0,0 +1,12 @@
+Index: freeradius-server-3.0.3/src/main/radclient.c
+===================================================================
+--- freeradius-server-3.0.3.orig/src/main/radclient.c
++++ freeradius-server-3.0.3/src/main/radclient.c
+@@ -1180,6 +1180,7 @@ int main(int argc, char **argv)
+ fr_perror("radclient");
+ return 1;
+ }
++ fr_strerror_printf(""); /* Initialize the error buffer */
+ fr_strerror(); /* Clear the error buffer */
+
+ /*
diff --git a/freeradius-server-rcradiusd.patch b/freeradius-server-rcradiusd.patch
new file mode 100644
index 0000000..c3e5223
--- /dev/null
+++ b/freeradius-server-rcradiusd.patch
@@ -0,0 +1,13 @@
+--- freeradius-server-3.0.8.orig/suse/rcradiusd 2015-04-22 19:21:34.000000000 +0200
++++ freeradius-server-3.0.8.suse/suse/rcradiusd 2015-04-23 10:02:01.393574445 +0200
+@@ -50,6 +50,10 @@
+ start)
+ configtest || { rc_failed 150; rc_exit; }
+ echo -n "Starting RADIUS daemon "
++ # /var/run might be on tmpfs, create runtime directory if needed
++ if [ ! -d /run/radiusd ]; then
++ install -d -m 0700 -g radiusd -o radiusd /run/radiusd
++ fi
+ startproc $exec >/dev/null
+ rc_status -v
+ ;;
diff --git a/freeradius-server-rlm_sql_unixodbc-configure.patch b/freeradius-server-rlm_sql_unixodbc-configure.patch
new file mode 100644
index 0000000..f331e28
--- /dev/null
+++ b/freeradius-server-rlm_sql_unixodbc-configure.patch
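Review bot: Nothing in freeradius-server-radclient-init-error-buffer.patch says why the error buffer has to be written before `fr_strerror()` clears it, so the added `fr_strerror_printf("");` reads as redundant to the next maintainer. A patch header with a summary and a bug reference would settle it, together with a why-comment along the lines of `/* fr_strerror() must not run before the buffer exists: force its creation first */`, with the wording to be confirmed against the library, which is not visible here. An empty literal format string can also draw a zero-length-format warning if the function is declared printf-like; `fr_strerror_printf("%s", "");` avoids that. The inner patch is addressed to freeradius-server-3.0.3 while this commit ships 3.2.3, and `main()` extends well outside the hunk, so the offset at which it applies should be rechecked.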
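Review bot: The runtime directory is created here with mode 0700, while freeradius-server-tmpfiles.patch in the same commit declares `/run/radiusd` as 0710, so the directory's permissions depend on which mechanism creates it first. Pick one mode and use it in both places, for example `install -d -m 0710 -g radiusd -o radiusd /run/radiusd` if group traversal is intended, or 0700 in the tmpfiles entry if it is not. The result of `install` is also not checked before `startproc`, so a failed creation only shows up later as a daemon start failure; following the `configtest` line above it, `install -d ... /run/radiusd || { rc_failed 1; rc_exit; }` would stop at the real cause. The added comment still names `/var/run` although the code uses `/run`, and the `start)` branch continues outside the hunk.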
@@ -0,0 +1,22 @@
+Index: freeradius-server-3.2.3/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure
+===================================================================
+--- freeradius-server-3.2.3.orig/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure
++++ freeradius-server-3.2.3/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure
+@@ -1884,7 +1884,7 @@ if test "${with_unixodbc_dir+set}" = set
+ fi
+
+
+-smart_try_dir="$unixodbc_lib_dir /usr/local/unixodbc/lib"
++smart_try_dir="$unixodbc_lib_dir"
+ ac_ext=c
+ ac_cpp='$CPP $CPPFLAGS'
+ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+@@ -2800,7 +2800,7 @@ fail="$fail libodbc"
+
+ fi
+
+-smart_try_dir="$unixodbc_include_dir /usr/local/unixodbc/include"
++smart_try_dir="$unixodbc_include_dir"
+
+
+ ac_safe=`echo "sql.h" | sed 'y%./+-%__pm%'`
diff --git a/freeradius-server-tmpfiles.patch b/freeradius-server-tmpfiles.patch
new file mode 100644
index 0000000..952264e
--- /dev/null
+++ b/freeradius-server-tmpfiles.patch
@@ -0,0 +1,6 @@
+--- freeradius-server-3.0.8.orig/suse/freeradius-server-tmpfiles.conf 2015-04-22 19:21:34.000000000 +0200
++++ freeradius-server-3.0.8.suse/suse/freeradius-server-tmpfiles.conf 2015-04-23 09:56:08.342988185 +0200
+@@ -1 +1,2 @@
+-D /var/run/radiusd 0710 radiusd radiusd -
++D /run/radiusd 0710 radiusd radiusd -
++
diff --git a/freeradius-server.changes b/freeradius-server.changes
new file mode 100644
index 0000000..5fa7554
--- /dev/null
+++ b/freeradius-server.changes
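Review bot: This patch edits the generated `configure` script rather than the autoconf input it is produced from, so the removal of `/usr/local/unixodbc/lib` and `/usr/local/unixodbc/include` from `smart_try_dir` is lost if the script is regenerated during the build or on the next upstream refresh. If the driver's autoconf source is present in the tarball, the same two edits belong there as well. The patch also has no header explaining the change; if the intent is to keep package builds from picking up libraries outside the system paths, a line such as `# Do not probe /usr/local during package builds; only the system unixODBC may be used` would record it. Both inner hunks are affected in the same way.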
@@ -0,0 +1,3098 @@ +------------------------------------------------------------------- +Thu Aug 31 13:09:06 UTC 2023 - Adam Majer + +- update to version 3.2.3 (jsc#PED-6567) + Feature Improvements + * Add "max_retries" for connection pools. Fixes #4908. + * Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and + dictionary.wispr; add dictionary.eleven. + * You can now list "eap" in the "pre-proxy" section. If the packet contains a + malformed EAP message, then the request will be rejected The home server + will either reject (or discard) this packet anyways, so this change can + only help with large proxy scenarios. + * Show warnings if libldap is not using OpenSSL. + * Support RADIUS/1.1. See + https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by + default, can be enabled by passing `--with-radiusv11` to the configure + script. For now, this is for testing interoperability. + * Add extra sanity checks for malformed EAP attributes. + * More TLS debugging output. + * Clear old module instance data before HUP reload. Avoids burst memory use + when e.g. using large data files with rlm_files. + * `rlm_cache_redis` is now included in the freeradius-redis packages. + +Bug Fixes + * Don't leak MD contexts with OpenSSL 3.0. + * Increase internal buffer size for TLS connections, which can help with + high-load proxies. + * Send Status-Server checks for TLS connections. + * Give descriptive error if "update CoA" is used with "fake" packets, as it + won't work. i.e. inner-tunnel and virtual home servers. + * Many small ASAN / LSAN fixes from Jorge Pereira. + * Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a + TLS error, it will now close the socket, so proxies do not have an open + (but dead) TLS connection. + * Fix mutex locking issues on inbound RADIUS/TLS connections This change + avoids random issues with "bad record mac". + * Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950. 
+ * Correctly report the LDAP group a user was found in. Fixes #3084. + * Force correct packet type when running Post-Auth-Type. Helps with #4980. + * Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996. + * Fix TCP socket statistics. Closes #4990. + * Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use checks. Helps with #5010. + + +Changes in version 3.2.2: + +Feature Improvements + + * The "configure" process now gives a much clearer report when it's finished + * Fallback to "uname -n" on missing "hostname". Fixes #4771. + * Export thread details in radmin "stats threads". Fixes #4770. + * Improve queries for processing radacct into periodic usage data + * Update dictionary.juniper. + * Add dictionary.calix. + * Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets". + * Update documentation for robust-proxy-accounting, and be more aggressive about sending packets. + * Add per-module README.md files in the source. + * Add default Visual Studio configuration for developers. + * Postgres can now automatically use alternate queries for errors other than duplicate keys. + * %{listen:TLS-PSK-Identity} is now set when using PSK and psk_query This + helps the server track the identity of the client which is connecting. + * Include thread stats in Status-Server attributes. Fixes #4870. + * Mark rlm_unbound stable and add to packages. + * Remove broken/unsupported Dockerfiles for centos8 and debian9. + +Bug Fixes + + * Preliminary support for non-blocking TLS sockets. Helps with #3501. + * Fix support for partial certificate chains after adding reload support. Fixes #4753. + * Fix handling of debug_condition. + * Clean up home server states, and re-sync with the dictionaries. + * Correct certificate order when creating TLS-* attributes Fixes #4785. + * Update use of isalpha() etc. so broken configurations have less impact on the server. + * Outgoing TLS sockets now set SNI correctly from the "hostname" configuration item. 
+ * Support Apple Homebrew on the M1. Fixes #4754. + * Better error messages when %{listen:TLS-...} is used. + * Getting statistics via Status-Server can now be done within a virtual server. Fixes #4868. + * Make TTLS+MS-CHAP work with TLS 1.3. Fixes #4878. + * Fix md5 xlat memory leak when using OpenSSL 3.0 + +- freeradius-server-rlm_sql_unixodbc-configure.patch: refreshed +- spec file cleanup: remove duplicate BR: from subpackages + +------------------------------------------------------------------- +Mon Feb 6 16:57:33 UTC 2023 - Adam Majer + +- update to version 3.2.1: + Feature Improvements + * Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries + * Add simultaneous-use queries for MS SQL + * Add radmin command for "stats pool " + which prints out statistics about the connection pools. + * Client statistics now shows "conflicts", + to count conflicting packets. + * New optional "lightweight accounting-on/off" strategy. + When refreshing queries.conf you should also add the new + nasreload table and corresponding GRANTs to your DB schema. + * Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps + with Eduroam. + * Allow auth+acct for TCP sockets, too. + * Add rlm_cache_redis. See raddb/mods-available/cache for details. + * Allow radmin to look up home servers by name, too. + * Ensure that dynamic clients don't create loops on duplicates + * Removed rlm_sqlhpwippool. There was no documentation, no configuration, + and the module was ~15 years old with no one using it. + * Marked rlm_python3 as stable. + * Add sigalgs_list. See raddb/mods-available/eap + * For rlm_linelog, when opening files in /dev, look at "permissions" + to see whether to open them r/w. + * More flexibility for dynamic home servers. See + doc/configuration/dynamic_home_servers.md and + raddb/home_servers/README.md. + * Allow setting of application_name for PostgreSQL. + See mods-available/sql. + + Bug Fixes + * Correct test for open sessions in radacct for MS SQL. 
+ * The linelog module now opens /dev/stdout in "write-only" mode + if the permissions are set to "u+w" (0002). + * Various fixes to rlm_unbound from Nick Porter. + * PEAP now correctly runs Post-Auth-Type Accept. + * Create "TLS-Cert-*" for outbound Radsec, instead of + TLS-Client-Cert-* Fixes #4698. See sites-available/tls, + and fix_cert_order. + * Minor updates and fixes to CI, Dockerfiles and packaging. + * Fix rlm_python3 build with python >= 3.10. Fixes #4441. + + Changes in version 3.2.0: + Feature Improvements + All features from 3.0.x are included in the 3.2.x releases. + In addition: + * Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to + specify which day of the month the counter should be reset. + * Partial backport of rlm_json from v4, providing the json_encode + xlat See mods-available/json for documentation. + * Support for haproxy "PROXY" protocol See sites-available/tls, + "proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/. + * Support for sending CoA-Request and Disconnect-Request packets + in "reverse" down RadSec tunnels. Experimental for now, + and undocumented. + * It is now possible to run a virtual server when saving / loading + TLS cache attributes. See sites-available/tls-cache for more + information. + * Removed the "cram" module. It was undocumented, + and used old and insecure authentication methods. + * Remove the "otp" module. The "otpd" program it needs is + no longer available, and the module has not been usable since + at least 2015. + * All features from 3.0.x are included in the 3.2.x releases. + * 3.2.0 requires OpenSSL 1.0.2 or greater. 
+ +Bug Fixes + * All bug fixes from 3.0.x are included in the 3.2.x releases, including + * fixes information leakage in EAP-PWD (bsc#1206204, CVE-2022-41859) + * fixes crash on unknown option in EAP-SIM (bsc#1206205, CVE-2022-41860) + * fixes crash on invalid abinary data (bsc#1206206, CVE-2022-41861) + +- freeradius-server-enable-python3.patch: refreshed + +------------------------------------------------------------------- +Fri Jan 13 11:06:06 UTC 2023 - Stefan Schubert + +- Migration of PAM settings to /usr/lib/pam.d. + +------------------------------------------------------------------- +Thu Sep 29 08:57:18 UTC 2022 - Michael Ströder + +- use chown with colon instead dot in radiusd.service + +------------------------------------------------------------------- +Thu Jul 21 00:49:49 UTC 2022 - William Brown + +- Resolve issue with linking python3 with rlm-python + +------------------------------------------------------------------- +Wed Feb 2 11:59:44 UTC 2022 - Samuel Cabrero + +- Remove libwbclient-devel BuildRequires in favor of + pkgconfig(wbclient); (jsc#SLE-20577); + +------------------------------------------------------------------- +Thu Oct 7 21:34:06 UTC 2021 - Michael Ströder + +- update to 3.0.25: + * `correct_escapes` has been added back into the default configuration. + * A segfault when trying to proxy to zombie home servers has been fixed. + * A number of other small bugs and compiler warnings were fixed. + * Added support for building with PostgreSQL 14. + +------------------------------------------------------------------- +Thu Oct 7 15:02:11 UTC 2021 - Adam Majer + +- Update to version 3.0.24 (jsc#SLE-21237) + Feature Improvements + * Add sanitizer options to configure script. + * Log information needed by Wireshark to decode TLS sessions. + * Allow more liberal SQL commands in rlm_sql_map. + * Update dictionary.apc, dictionary.h3c. 
+ * Add new Acct-Status-Type Subsystem-On and Subsystem-Off See + dictionary.iana and + https://freeradius.org/rfc/acct_status_type_subsystem.html. + * Add reject_unknown_intermediate_ca. See mods-available/eap. + * Add dynamic loading of certificates via TLS-Session-Cert-File + See raddb/certs/realms/README.md. + * Add Server Name Indication (SNI) for outbound RadSec connections + See raddb/sites-available/tls, and the home server tls + configuration. + * Support SNI for inbound RadSec connections. Certificates will be + loaded from "realm_dir" in the "tls" section. SNI will be cached + in the TLS-Server-Name-Indication attribute. + * Preliminary support for haproxy "PROXY" protocol See sites-available/tls, + "proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/. + * Generate parse errors in more circumstances when we know that + the configuration is wrong. + * Add "weeklycounter" to sample sqlcounter configuration. + * Add certificate attributes to the request list, even if + the certificates have expired. + * The Simultaneous-Use code is now IPv6 aware, and can deal + with NAS-IPv6-Address. + * Add dictionary.cambium. + * No longer logs passwords in logfiles (bsc#1184016) + + Bug Fixes + * Fix crash in trustrouter module (#4115) + * Fix crash in state handling. + * Don't alter global options in redhat logrotate scripts. + * EAP-FAST will print errors and continue, rather than exiting + when OpenSSL fails various internal sanity checks. + * Allow admin to manually change core limits, even when core + limits are disabled. + * Fix chunked rlm_rest HTTP body. Closes #4131 + * Many fixes around the SQL ippool queries.conf and schema + * Fix MySQL stored procedures. PR #4170 + * Rework connection pool management for corner cases Fixes #4161, #4162, #4163. + * Final fix for double free in #3188. + * Fix sqlcounter wrong memory free. 
PR #4192 + * Accept slow writes from proxies over TCP, which allows the server + to make more progress when it receives partial packets. + * Add 'weeklycounter' for rlm_sqlcounter. + * Outbound proxying over TCP / TLS is better able to deal with + partial TCP reads, and has fewer issues with slow networks. + * Fix wrong data-type of Acct-Delay-Time in rlm_unix. + * Fix EAP-FAST PAC lifetime calculation. + * Print correct encoded packet length when debugging. + +- remove python2 build +- drop references to SLE11 +- freeradius-server-radiusd-logrotate.patch: upstreamed + +------------------------------------------------------------------- +Sun Jun 27 15:43:02 UTC 2021 - Ferdinand Thiessen + +- Add ldap-schemas subpackage for OpenLDAP radius schemas +- Add freeradius-server-fix-perl-shbang.patch to fix RPMlint warnings +- Fix RPMlint warnings about macros and permissions + +------------------------------------------------------------------- +Sat Jun 26 21:12:24 UTC 2021 - Ferdinand Thiessen + +- Update to version 3.0.23 + * Feature improvements + * Add "set home_server state ... down" in order to mark the home + server as administratively down. Use "alive" to bring it back + to life. + * Add Post-Auth-Type "Client-Lost" which should make it easier + to log when clients stop responding. + * Cache TLS messages in &session-state, for more debugging. + * Notes in eap configuration about TLS 1.0 / TLS 1.1, and setting + cipher_list = "DEFAULT@SECLEVEL=1" + * Added MANY warning messages about using TLS 1.3 with EAP. + * Bug fixes + * Fix crash in some cases when home server is down, in debug mode. + * Fix (again) "read clients from SQL" functionality. + * Fix sql_map to return values in more situations. + * Silently ignore LEAP configuration instead of erroring out. +- Update to version 3.0.22 + * Feature improvements + * Limited support for dynamic home servers. + * Add support for prepend operator ^=. + * Added rlm_totp, for use with the Google Authenticator app. 
+ * The default minimum TLS version is now TLS 1.2, as per RFC 8996. + Older versions can be allowed by setting tls_min_version, and + updating "cipher_list". + * Significantly improve the readability and contents of TLS + debug messages. + * Allow CoA and Disconnect messages over TLS sockets. + * Automatically set fragment size / MTU, so that PEAP/EAP-TLS + works, and no longer requires manual changes to the configuration. + * Allow "configurable_client_cert=yes" for EAP-TLS. + * Add TLS 1.2 support for EAP-Fast. + * Add ca_path_reload_interval option for tls. + * Add "tls_min_version" to ldap module configuration. + * Support running policies when receiving a RadSec connection. + * Update TLS "ecdh_curve" code to allow for multiple curves. + * Allow delta CRLs. + * add rlm_sql_map, which can handle multiple columns from an SQL + query. See raddb/mods-available/sql_map. + * New xlat for setting status of rlm_always instances and new + resource-check example virtual server for manipulating control flow + in unlang policies based on status of some external resource. + Patches from Terry Burton. + * Update radmin to show more information about the home servers + using "show home_server list all". + * The default configuration now replies with EAP-Key-Name, if it + is available, and was requested. + * Include extensions in generated certificates. + * Ignore user-provided dhparams in FIPS mode. + * Remove native support for Cisco LEAP. It is insecure, and + should not be used. Proxying LEAP is still supported. + * Allow use of password preparation methods with rlm_eap_pwd. + * More RFC compliance for various corner cases of DHCP, + * Use DHCP-specific schemas. + * Add stored procedures for DHCP lease allocation + * Add support for DHCP-Decline. + * Added mods-available/dhcp_sql which is a DHCP-specific instance + of the SQL module. + * Treat DHCP Discover and Request differently for lease allocation times. + * Add support for PBKDF2 keys. 
+ * Update default PostgreSQL schema to use "text" instead of + a fixed-size "varchar". + * Add radmin command "show client list verbose", which gives a lot + more information about each client. + * Add support for EAPS-AKA authentication to rlm_wimax. + * Add rlm_rest support for HTTP/2. + * Add REST-HTTP-Status-Code attribute holding HTTP status code. + * Add option to set http_negotiation in rlm_rest. Fixes #2821. + * Encode / decode NAS-Filter-Rule according to RFC 4849. + * Allow attributes using old names in configuration files, SQL, + or modules to match attributes in the packet which use + new names. + * Allow querying IPv6 stats via FreeRADIUS-Stats-Client-IPv6-Address + and FreeRADIUS-Stats-Server-IPv6-Address + * Add warnings if there is no "real" User-Name to identify users. + * Add sample configuration to update Stripped-User-Name and/or + Class for user sessions. See sites-available/default + * Add configuration to suppress printing values for User-Name, etc. + * Support dictionary.telrad, which is also in WiMAX format. + * PEAP 'proxy_tunneled_request_as_eap' is now configurable + at runtime with Proxy-Tunneled-Request-As-EAP. + * Debug output now lists client/server proposed TLS ciphers. + * Add support for TLS1.3 + * Bug fixes + * Fix long-term double free due to PCRE calling our "free" + function twice. + * Respect the "log_reject" configuration item in more places. + * Run Post-Proxy-Type Fail... when all home servers are down. + * Note that rlm_replicate can only use UDP, and not TCP or TLS. + * DHCP pool lookup is now keyed by Client Identifier (Option 61) + when supplied by client, otherwise the hardware address is used. + Compliant with RFC 2132. This change will not affect existing + systems on upgrade, but new installations will use the new behavior. + * Don't print invalid tags in rlm_cache, among other places. + * Do home_server failover immediately when an initial TCP / Radsec + connection fails. 
+ * Clear error on SQLITE_BUSY to prevent memory leak in corner cases. + * Properly add SQL clients to virtual servers. + * Use better API when decoding DHCP packets, to avoid unnecessary work. + * Parse locale-dependent dates. + * Fix radiusd.conf ENV LD_PRELOAD function. + * Make the "date" module handle UTC more consistently. + * Check for, and complain about, inconsistent use of tls_min_version + versus disable_tlsv1 + * Fix "read client from SQL" code so that it properly ties clients + to a virtual server. Also document the behavior. + * Fix leak with unknown attributes in detail reader. + * Fix parenting issues in rlm_yubikey. +- Drop __DATE__ __TIME__ fixes, implicitly done with source_date_epoch + variable supported by gcc >= 7 +------------------------------------------------------------------- +Mon Jan 4 12:51:06 UTC 2021 - Adam Majer + +- freeradius-server-radiusd-logrotate.patch: move logrotate + options into specific parts for each log as "global" options + will persist past and clobber global options in the + main logrotate config (bsc#1180525) + +------------------------------------------------------------------- +Tue Dec 1 16:52:22 UTC 2020 - pgajdos@suse.com + +- remove redundant definitions of apache rpm macros + +------------------------------------------------------------------- +Wed Aug 26 11:32:15 UTC 2020 - Adam Majer + +- freeradius-server-radiusd-logrotate.patch: fix permissions in + logrotate global section (bsc#1170505, bsc#1174905) + +------------------------------------------------------------------- +Tue Mar 24 15:31:22 UTC 2020 - Adam Majer + +- update to 3.0.21 (jsc#SLE-11896) + +Feature Improvements + + * New stored procedure for allocating IPs with PostgreSQL + Rates of 1500 IPs per second are now possible + See raddb/mods-config/sql/ippool/postgresql/procedure.sql + * Add SQL IP pool support for Microsoft SQL Server + See raddb/mods-config/sql/ippool/mssql/ + * Added RCNTEC dictionary. Closes #3168. + * Added Pica8 dictionary. 
Closes #3179. + * Add TLS-Client-Cert-Valid-Since attribute holding not + Before date Patch from Boris Lytochkin. Fixes #3157. + * Generate attributes containing unknown OIDs See raddb/sites-available/tls + * Update the WiMAX dictionary. + * Added ability to rlm_python(Python2) show a stacktrace + from errors. #2979. + * Add WiFi Alliance Policy OIDs. + See raddb/certs/xpextensions + * radmin now shows coa stats, too. + * Sample schema extensions for summarizing data in SQL + See mods-config/sql/main/*/process-radacct.sql + * Update dictionary.aerohive, dictionary.fortinet, + dictionary.arista and dictionary.erx. + * Added VAS Experts dictionary. + * Many updates to RPM and jenkins builds from Matthew Newton. + * Added %C (time now in seconds) and %c (microsecond component of now) + back-ported from the "master" branch. + * Add reload capability to systemd unit file in Debian and RedHat. + * Increase timestamp precision in postauth to maximum supported by each + database and simplify (and make more consistent between drivers) + the timestamps in SQL queries by using expansions. + * Option to set dictionary path in raduat script. + +Bug Fixes + + * Various fixes found by PVS-Studio. + * Set permissions of certificates in bootstrap shell script Fixes #3132. + * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141. + * Skip processing proxy reply if there are no home servers available. + * Update SQLite IPPool queries. Fixes #3177 + * rlm_sql_unixodbc fixes. Fixes #2822. + * Fixes when building with LibreSSL. + * Fix the rlm_python3 build. Note that this module is experimental. #3183. + * The rlm_python should append the 'python_path' paths in 'sys.path'. + It fixes the expected behavior to use the existing Python modules + Fixes #3180. + * Fix rlm_python to print the script errors properly. + * Bound total query time for PostgreSQL. Fixes #3253. + * Many fixes to Oracle sqlippool. It now does 500 IPs per second + without any tuning. Fixes #3270. 
+ * Reference sqlippool by it's correct name. Fixes #3272. + * Revert 3.0.20 patch which caused crashes on duplicate clients. + * Update WiMAX-MSK attribute. Fixes #3280. + * Fix crash when trying to access non-existant regex capture group. + * Use timestamps (request or server) rather than SQL NOW() + in accounting queries so that these are stable when replayed + from a file buffer. + +- freeradius-python3_patches.patch: upstreamed + +------------------------------------------------------------------- +Tue Mar 17 13:42:37 UTC 2020 - Adam Majer + +- update to 3.0.20 (bsc#1146848) + +Feature Improvements + * Added Force10 dictionary. + * Update dictionary.hp with new attributes. #2690. + * Update dictionary.aruba with new attributes. #2696. + * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456) + * Relax OpenSSL version checks, now that their API is both public, and stable. + * Note that tls_min_version/tls_max_version also support "1.3" + Since there is no standard yet for EAP with TLS 1.3, it will not work. + * Added tripplite dictionary from #2760. + * Switch to the async interface for rlm_sql_postgresql so that + we can enforce query_timeout. + * Added new LDAP option 'allow_dangling_group_ref'. + * Updated documentation and functionality for EAP session caching + See "cache" section of mods-available/eap. + * Tighten systemd unit file security. Fixes #2637. + * Disable TLS 1.0 and TLS 1.1 support in the default configuration + We STRONGLY recommend doing this for all installations. + * Add expansions for *outgoing* Radsec connections + "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and + TLS-Cert-* attributes. Fixes #2839. + * Add %{listen:tls} which returns "yes" or "no" for + TLS or non-TLS connections. + * Update dictionary.lancom with new attributes. #2847. + * Added rlm_sql_mongo. See raddb/mods-available/sql. + Note that this module is experimental. + * Added more documentation in sites-available/robust-proxy-accounting. 
+ * sqlippool now re-allocates unexpired leases, to prevent IP pool + exhaustion when clients perform multiple reauthentication attempts + * Add support to radmin keep the history in ~/.radmin_history. + * Add support for ENV and LD_PRELOAD in radiusd.conf. + See the new ENV sub-section of radiusd.conf. + * Update dictionary.aptilo. #3002. + * Update dictionary.airespace. #3039. + * Add sites-available/coa-relay, which makes CoA easier #3045. + * Add example stored procedure for IP Pools in MySQL + See mods-config/sql/ippool/mysql/procedure.sql + * Update dictionary.dhcp dictionary with the recent hardware types. + * Add experimental rlm_python3. This should largely work + the same as rlm_python, which was Python2 only. + * Add Dockerfiles for Debian10 and CentOS8. + * Add RPM spec file compatibility for RHEL/CentOS 8. + * Notes on certificate constraints. See raddb/certs/server.cnf. + * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585. + +Bug Fixes + + * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627 + * ERX-Acct-Request-Reason is "integer". Closes #2635. + * Fix a slow memory leak in the file management code. + * Try to fix file permissions if they get modified while + the server is running + * Fix slow memory leak with clients. + * Fix request and connection timeouts in rlm_rest. + * Fix systemd issues. + * Fixes from clang analyzer. + * Fix missing include for the dictionaries: + alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn, + audiocodes,avaya,bristol, columbia_university,freedhcp,garderos, + infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus. + * Fix internal sanity check when running with "-Xx". + * Allow "inner-tunnel" virtual servers to work better + with "accept" and "reject" policies. + * Fix dictionary.huawei data types for + Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address. + * Framed-Interface-ID in postgresql/queries.conf is string, + not inet Fixes #2817. 
+ * Fix rlm_cache to complain on unknown attributes in the "update"
+ section of its configuration.
+ * Add configure checks for -latomic. This helps on armel,
+ mips and mipsel. Fixes #2828.
+ * Add support to Oracle 19 and 18. Via #2857.
+ * Add support for decoding tags in rlm_rest. Fixes #2848.
+ * Use correct passwords when updating CRLs in raddb/certs/.
+ * Properly separate "originate-coa" packets when accounting
+ packets are read from the detail file reader.
+ * Use the correct virtual server for pre/post-proxy.
+ * radsqlrelay fixes backported from "master" branch
+ * Fix DoS issues due to multithreaded BN_CTX access
+ (bsc#1166847, CVE-2019-17185)
+
+- disable python2 for SLE15 and Factory
+- freeradius-server-enable-python3.patch: enable Python3 module
+- freeradius-python3_patches.patch: backport python3 fixes from upstream
+- freeradius-server-opensslversion.patch: updated
+
+-------------------------------------------------------------------
+Wed Mar 11 13:18:37 UTC 2020 - Adam Majer
+
+- Enable memcached driver on SLE15
+
+-------------------------------------------------------------------
+Mon Dec 23 15:06:54 UTC 2019 - Johannes Engel
+
+- Add missing BuildRequire on samba-core-devel required for windbind
+ support in rlm_mschap.
+
+-------------------------------------------------------------------
+Wed Apr 10 17:01:55 UTC 2019 - Michael Ströder
+
+- update to 3.0.19 (jira#SLE-5890)
+
+Feature improvements
+ * Update dictionary.cisco
+ * Update sqlippool to allow for stored procedures with
+ PostgreSQL. This increases performance substantially.
+ Patch from Nathan Ward. Fixes #2540.
+ * Re-added "show client config" command to radmin.
+ * Cleaned up mods-available/sql example so that it is
+ easier to understand.
+ * Added pfSense dictionary. Closes #2581
+ * Update dictionary.h3c Closes #2592
+ * Update elasticsearch/logstash config for v6.7.0.
+ * EAP-PWD security fixes from Mathy Vanhoef.
See
+ http://freeradius.org/security/
+ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664)
+
+Bug fixes
+ * Update dynamic_client module and server core so that
+ the functionality works. This has been broken since
+ at least v2.
+ * Fix crash in sqlippool due to escaping changes.
+ Patch from Nathan Ward. Fixes #2532, #2533.
+ * Fix systemd notify, watchdog and unit files.
+ Fixes #2541, #2499.
+ * Fix erroneous length check in EAP-FAST.
+ * Update documentation to remove old "ignore_null"
+ configuration. Fixes #2578.
+ * Fix default POD port. Should be 3799. Fixes #2591
+ * Correctly encode vendor-specific "encrypted" attributes.
+ Fixes #2600
+
+-------------------------------------------------------------------
+Wed Feb 27 11:37:53 UTC 2019 - adam.majer@suse.de
+
+- reformat changelog mostly by wrapping lines
+- add missing bug numbers for security fixes
+
+-------------------------------------------------------------------
+Tue Feb 26 21:17:00 UTC 2019 - Michael Ströder
+
+- update to 3.0.18
+
+* cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
+* Do-Not-Respond policies can now be set in the "post-auth" section.
+* Encode / Decode ADSL Forum DHCP options.
+* Fix module ordering issues. e.g. when "sqlippool" needs "sql".
+ See the "instantiate" section of radiusd.conf.
+* Add Big Switch dictionary. Fixes #2252.
+* Add sql_session_start policy (raddb/policy.d/accounting)
+ This minimizes race conditions when using Simultaneous-Use (#2257).
+* For rlm_perl, all variables are now tainted by default.
+ See raddb/mods-available/perl, and the "perl_flags" configuration item.
+ This change should only affect people who are using variables in
+ insecure ways.
+* Allow "sqlcounter" module to be listed in "post-auth".
+* Add support for IPv6 attributes in SQL. Fixes #2280
+* The server is better at handling fail-over for outbound RadSec and
+ TCP connections. Fixes #2284.
+* The server is now more aggressive about retrying failed outbound
+ RadSec and TCP connections. Fixes #2284.
+* Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
+* Add expansion for Radsec connections. "%{listen:TLS-...}" for
+ TLS-Client-Cert-* and TLS-Cert-* attributes.
+* Add notes on running "ldapsearch" using the parameters from the LDAP module.
+* "ipaddr" attributes can now be cast to "integer" type attributes
+ in an "update" section.
+* Move main thread queue to using atomic queues. This should help
+ with contention in high load scenarios.
+* Add "recv_buff" setting to listeners. For more details,
+ see sites-available/default.
+* The sqlippool module can now use attributes other than "Pool-Name"
+ to assign IP pools. The "Pool-Name" attribute is still the default.
+* The "unpack" expansion can now unpack substrings.
+ See mods-available/unpack for documentation and examples.
+* The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair
+ Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
+* Allow for -LDAP-UserDN. See mods-available/ldap for more information.
+* Add sanitizing of control list for moonshot. Fixes #2318.
+* Update rlm_sql_mysql to be compatible with MySQL 8
+ Fixes https://bugs.launchpad.net/bugs/1795310.
+* Allow logging of only Access-Accept or Access-Reject messages
+ See radiusd.conf, "auth_accept" and "auth_reject".
+* Removed Connect-Rate comparison. It was unused and broken.
+* Add dictionary.infinera.
+* Use OpenSSL HMAC functions instead of local ones.
+* Some SQL modules can now use "auto_escape" to escape unsafe strings
+ See mods-config/sql/main/mysql/queries.conf.
+* Add wispr2date conversion in mods-available/date.
+* Implement dictionary-based handling in rlm_python.
+ Fixes #2334 See mods-available/python for details.
+* Add support for SKIP LOCKED in sqlippool. This can improve performance
+ by an order of magnitude or more.
+ See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383
+* Allow PSK and certificates at the same time Except for TLS 1.3
+ which does not support that.
+* Update docker scripts. Fixes #2306 Patch from Matthew Newton.
+* Add crypt xlat.
+* MySQL connections can now skip verifying the server certificate.
+ Fixes #2481. See mods-available/sql.
+* Add better mechanism to detect MariaDB (Old MySQL).
+* Add RFC 7532 "bang path" support for realms Fixes #2492.
+* Update dictionary.ukerna documentation. Fixes #2493.
+* Add support for systemd service and watchdogs Fixes #2499.
+* Check for openss/rand.h, and allow building without OpenSSL engine.
+ Patch from Eneas U de Queiroz Fixes #2517.
+* The default PosgtreSQL queries now use "ON CONFLICT" to better
+ deal with issues. This requires PostgreSQL 9.5 or later.
+ Please use a recent version of PostgreSQL, or edit the default
+ queries to remove "ON CONFLICT".
+
+BUG FIXES
+* The session-state list is no longer cleaned in the inner-tunnel.
+ This lets the outer Access-Reject section access session-state.
+* Fix typo in lock initialization for TLS sockets Found by Sergio NNX.
+* Add check for crash when home server down Fixes #2233.
+* Add username key for postauth table.
+* Better libpcap checks, when the header files or libraries are missing. Fixes #2245.
+* Allow building with old versions of OpenSSL Fixes #2247.
+* Allow non-FreeRADIUS State attributes to be used with the
+ "session-state" list. i.e. State length != 16.
+* Be more aggressive about cleaning up zombie children when running in debug mode.
+* Use LTDL_DEEPBIND, which fixes issues with Oracle libraries
+ exporting LDAP API functions.
+* unlock files when asked to unlock them.
+* return error instead of asserting in map code.
+* Don't write 0 bytes to SSL. Fixes #2270.
+* Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262.
+* Various dictionary cleanups and consistency checks Fixes #2281.
+* rlm_python has stronger thread locking to prevent reported issues.
+ Performance may be affected.
+* Don't allow Message-Authenticator to overflow past the end of a large packet.
+* Fix crash in sqlippool when SQL server goes away Fixes #2300.
+* Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303.
+* Fix crash with CoA packets/ Fixes #2304.
+* Fix crash in rlm_exec with CoA. Fixes #2328.
+* Print errors while parsing the log config, and don't quit when
+ deprecated log settings are found.
+* Fix DHCP encoder xlat so that it can be used with a list of attributes.
+ It previously only encoded the first member of the list,
+ and now encodes all members.
+* The "expr" module now skips more whitespace.
+* Remove internal FreeRADIUS-Response-Delay attributes from
+ attr_filter Access-Reject.
+* Don't send junk to redis when maximum args reached.
+* Small updates to IPv6 for accounting schema Fixes #2364.
+* Fix OpenDirectory integration in rlm_mschap.
+* Fix slow memory leak with dynamic clients.
+* Don't artificially truncate debug output for long strings.
+* Fix memory leak in EAP-PWD.
+* Fix crash in "hints" file with Fall-Through = yes.
+* Fix crash / timer issues with many CoA packets.
+* Fix attr_filter so that it does not treat vendor attributes of
+ number 26 as Vendor-Specific.
+* Fix reconnect correctly in rlm_sql_mysql.
+* Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485.
+* Fix rare occurance of bad xlat expansion.
+* Check for rare race condition when a proxy reply arrives too late.
+ +------------------------------------------------------------------- +Wed Jul 4 14:54:50 UTC 2018 - adam.majer@suse.de + +- install license as %license instead of documentation + +------------------------------------------------------------------- +Tue Jun 26 18:24:21 UTC 2018 - michael@stroeder.com + +- also fix ownership of /var/log/radius in systemd unit + +------------------------------------------------------------------- +Tue Apr 17 22:00:15 UTC 2018 - michael@stroeder.com + +- update to 3.0.17 + +Feature Improvements +* Add CURLOPT_CAINFO. Patch from Nicolas C #2167. +* "stats home server" now supports "src IPADDR", to specify home + server also by source IP. Fixes #2169. +* Add Dockerfiles for a selection of common systems. +* Increase number of permitted file descriptors, for systems with many + home servers. +* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs + Patch from Isaac Boukris. Fixes #2205. +* Update main READMEs. Patches from Matthew Newton. +* Added dictionary.mimosa. + +Bug Fixes +* Don't call post-proxy twice when proxying to a virtual server. + Matthew Newton, #2161. +* Use "raw" string value for shared secrets and dynamic clients + It now parses strings with backslashes and "special characters" + correctly. Fixes #2168. +* Fix RuntimeDirectory for RedHat, from Alan Buxey. +* Relax checks in 'if' parser from Isaac Bourkis. +* Minor cleanups for %{debug_attr:&request} from Isaac Boukris. +* Be more aggressive about cleaning up cached certificate attributes, + due to deficiencies in OpenSSL. Reported by Nicolas Reich. +* Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. +* Fix double free in rlm_sql. Fixes #2180. +* rlm_detail now writes empty Access-Accept packets. +* rlm_python can now create tagged attributes. +* Don't crash on duplicate realm + authhost / accthost +* Allow partial certificate chain to trusted CA. Fixes #2162. +* Treat SSL_read() returning zero as error. Fixes #2164. 
+* detail writer now checks if the file was renamed or deleted.
+* Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name.
+* RedHat Systemd updates. Fixes #2184.
+* Use correct API for State variable in rlm_securid.
+* Remove broken radclient option "-i".
+* Fix "users" file (and hints, etc). So that it does not get confused
+ about entry ordering with multiple $INCLUDEs.
+* Fix rlm_sql to expand the un-escaped string, not the raw string.
+* Link default and inner-tunnel only if they exist. Fixes #2206.
+* Don't use both IP_PKTINFO and IP_SENDSRCADDR.
+* Always install signal handler for SIGINT (needed by Docker).
+* Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs
+ which are not self-signed will now be checked.
+* sqlippool now returns "fail" if it fails IP allocation.
+* Fix rlm_yubikey to look for correct attribute in replay attack check.
+
+-------------------------------------------------------------------
+Thu Jan 11 23:15:49 UTC 2018 - michael@stroeder.com
+
+- update to 3.0.16
+
+Feature improvements
+* rlm_python now supports multiple lists. From #2031.
+* Add trust router re-keying. From #2007.
+* Add support for Samba / AD LDAP schema.
+ See doc/schemas/ldap/samba/README.txt and
+ doc/schemas/ldap/samba/
+* Add "tls_min_version" and "tls_max_version" to EAP module
+ for Debian OpenSSL issues.
+* Better documentation for client certificates in PEAP and TTLS:
+ it usually doesn't work. Fixes #2068.
+* Distinguish login failure from AD unavailable. Fixes #2069.
+* Update RH spec files. Fixes #2070.
+* Run Post-Proxy-Type if all home servers are dead.
+ Fixes #2072.
+* Print offending IP addresses when EAP sessions come from
+ two upstream home servers, and rate-limit the messages.
+* Minor packaging updates.
+* Better documentation for rlm_rest.
+* EAP-FAST now has it's own "cipher_list", so that it is
+ easier to configure.
+* EAP-FAST now forcibly disables TLS1.2, until such time
+ as we implement the new keying mechanism from TLS1.2.
+* Add documentation for allow_expired_crl.
+* Update Debian logrotation. #2093 and #2101.
+* DHCP relay can now drop responses. #2095.
+* rlm_sqlippool can now assign Delegated-IPv6-Prefix.
+ It also now can assign any IPv4 or IPv6 address.
+ Based on patches from maximumG. #2094.
+ See raddb/mods-available/sqlippool for changes.
+* radeapclient can now use EAP-SIM-Ki to dynamically
+ create the necessary triplets.
+* Explain why many LDAP connections are closed.
+ Fixes #1969.
+* Debian build / package issues fixed by Matthew Newton.
+* dictionary.patton updates from Brice Schaffner. Fixes #2137.
+* Added scripts to build "inner-server.pem", and updated
+ mods-config/inner-eap and certs/README to match.
+* Added provisions for using an external CA. See raddb/certs/
+* Include dhcpclient binary in freeradius-dhcp debian packge.
+
+Bug fixes
+* Bind the lifetime of program name and python path to the module
+ FR-AD-002 (redone)
+* Pass correct statement length into sqlite3_prepare[_v2]
+ FR-AD-003 (redone)
+* Allow 100-Continue responses with additional headers in rlm_rest.
+* fix corner case where detail files were not being locked
+ correctly.
+* Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group.
+ Fixes #1947
+* Clean up exfile code. Which should help to avoid issues
+ with reading / writing 100's of detail files.
+* Fix build for winbind. Patch from Alex Clouter.
+* Fix checkrad for Mikrotik. Patch from Muchael Ducharme.
+* Fix home server stats lookup. Patch from Phil Mayers.
+* Add libjson-c3 as an optional dependency.
+* Require LTB OpenLDAP on CentOS / Redhat, to avoid linking
+ against NSS, which breaks the server. Fixes #2040.
+* rlm_python fixes. Fixes #2041
+* Typos in "man" pages. Fixes #2045
+* Expand "next" in %{%{...}:-%{...}}. Fixes #2048
+* Don't add TLS attributes twice. Fixes #2050.
+* Fix memory allocation in rlm_rest.
Fixes #2051.
+* Update trustrouter for new API. Fixes #2059.
+* Fix SQLite issues on FreeBSD. Fixes #2060
+* Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802)
+* More graceful handling of "die" in rlm_perl. Fixes #2073.
+* Fix occasional crash when using
+ cisco_accounting_username_bug = yes
+* EAP-FAST fixes from Isaac Boukris.
+ #2078, #2076, and #2082, #2126.
+* DHCP fixes, relay, #2092, add run-time check, #2028
+* Decode multiple RADIUS packets at a time in highly loaded
+ RadSec connections. Patch from Jan Tomasek. #2106.
+* TunnelPassword is not "single value" in LDAP schema.
+ Fixes #2061.
+* sql log now opens the expanded filename, not the input one.
+ This was a regression introduced in 3.0.15.
+* Remove unnecessary UNIQUE constrain in Oracle schemas.
+* Fix SSL thread and locking issues when modules also use SSL.
+ Fixes #2125 and #2129.
+* Re-add dhcpclient "raw packet" changes. Patches from
+ Nicolas Chaigne and Matthew Newton. Fixes #2155.
+
+-------------------------------------------------------------------
+Tue Sep 19 11:18:53 UTC 2017 - adam.majer@suse.de
+
+- Fix permissions of radiusd.service (bnc#1053654)
+
+-------------------------------------------------------------------
+Fri Aug 25 11:32:56 UTC 2017 - varkoly@suse.com
+
+- bsc#1055679 - freeradius-server does not provide winbind/AD auth
+ Added libwbclient-devel as buildrequires
+
+-------------------------------------------------------------------
+Mon Jul 17 13:46:41 UTC 2017 - michael@stroeder.com
+
+- update to 3.0.15 with security fixes for
+ issues found via fuzzing by Guido Vranken (bsc#1049086)
+ https://freeradius.org/security/fuzzer-2017.html
+ * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret()
+ * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63
+ * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax()
+ * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes
+ * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp() + * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions() + * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly + * FR-AD-002 (v3) String lifetime issues in rlm_python + * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare + +------------------------------------------------------------------- +Mon May 29 12:40:52 UTC 2017 - adam.majer@suse.de + +- update to 3.0.14 (still FATE#322416) + + Feature improvements + * Enforce TLS client certificate expiration on session resumption, + and Session-Timeout. See CVE-2017-9148 (bnc#1041445) + * Updated dictionary.cisco.vpn3000, dictionary.patton + * Added dictionary.dellemc + * Lowered the log output for failed PEAP sessions. + * ALlow utc in rlm_date. + * The internal OpenSSL session cache has been disabled. + Please see mods-available/eap + * Update detail reader documentation. + * Make outgoing RadSec connections non-blocking. + * Add SQL backing to Moonshot-*-TargetedId generation. + + Bug Fixes + * radtest uses Cleartext-Password for EAP, not User-Password. + * Update documentation for mods-enabled/ linking. + * Enhanced checks for moonshot salt. + * Allow session resumption for RadSec connections. + * Update "huntgroups" file to note that port ranges are not supported + * Fix OpenSSL permissions issues on default key files. + * Certificates are not required when PSK is used. + * Allow SubjectAltName as first extension in cert. + * Fixed talloc issue with TLS session resumption. + * "&Attr-26 := 0x01" now produces useful error messages. + * Handle connection error in rlm_ldap_cacheable_groupobj. + * Fix endian issues in DHCP. + * Multiple minor fixes for Coverity complaints. + * Handle unexpected regex. + * Fix minor issues in dictionaries. + * Fix typos and grammar. Patches from Alan Buxey. + * Fix erroneous VP creation in rlm_preproces. + * Fix MIB. Patch from Jeff Gehlbach. 
+ * Trust router updates from Alejandro Perez. + * Allow build with LibreSSL. + * Use correct packet for channel bindings. + * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us + a test license. Please see the git commit history for more info. + * Fix incorrect length check in EAP-PWD. This may be exploitable. + * Stop rotating session database files (radutmp, radwtmp) since + these are not logfiles. + +- freeradius-server-radiusd-logrotate.patch: updated + +------------------------------------------------------------------- +Mon Mar 6 23:07:21 UTC 2017 - michael@stroeder.com + +- removed obsolete freeradius-server-fix-cert-bootstrap.patch + because recent /etc/raddb/certs/bootstrap simply works +- update to 3.0.13 (still FATE#322416) + + Feature improvements + * Add dictionary.rfc7930. Note that we do not implement + the RFC. + * Added 'cipher_server_preference' to mods-available/eap + Patch from #1797. + * OpenSSL 1.1.0 compatibility fixes. + * rlm_perl: radiusd::xlat to evaluate xlat string + within perl script + * Allow authentication retry in winbind. Patch from + Herwin Weststrate. See raddb/mods-available/mschap. + * Added "recv-coa" method to rlm_rest. It behaves the + same as "authorize". + * Document Trust Router tr_port option. Patch from + Stefan Paetow. + * Update elasticsearch/logstash examples so that they work + with elastic stack v5. Patch from Matthew Newton. + * Print information about packets, replies, and contents + in the detail file reader. + * Update abfab-tr policy. Pull request #1893 + from Stefan Paetow. + * Reject packets which contain User-Password and + EAP-Message. + * Add example for filtering Access-Challenge. + See sites-enabled/default. + * Pull symlink fixes from v4.0.x. Fixes #1859. + * Add systemd reload. Not everything is reloaded, but + some is. Fixes #1662. + * Better documentation for listen "ipaddr". Fixes #1921 + * Add dictionary.cnergee, updated dictionary.nomadix. 
+ * radclient no longer needs -x to print statistics with -s. + + Bug fixes + * Minor typos. Fixes #1763 + * Fix typo in RPM build. Closes #1767. + * rlm_mschap check for password expiry only + if password was correct. Fixes #1762. + * Update debian build. + * update rlm_counter "man" page. Fixes #1775. + * Remove erroneous assert. Fixes #1778. + * fix mschap password change test. Fixes #1792. + * Cleanup config file on data remove. Fixes #1795. + * passwd module returns "notfound" if not found. + * Check for old OpenSSL, and don't build rlm_eap_fast + if it necessary. Fixes #1803 + * Cleanup memory better after ldap version query. + Patch from Aleksey Katargin. + * Rename lt_* functions to avoid linker issues with + libtool. Fixes #1277 + * Many miscellaneous fixes and typos. + * Allow long strings in %{%{foo} bar:-%{baz} blah". + Fixes #1866 + * Fix filtering operators, along with more documentation and + more tests for them. + * Fix OpenSSL fixes. Fixes #1876. + * Finish SQL select queries even when SELECT returns no rows. + Fixes #1879. + * Set Module-Failure-Message for more EAP errors. + * Correct typo in dictionary.rfc5580. Fixes #1882 + * Remove obselete systemd syslog.target. + * Client-Port-Balance load-balancing now uses client port. + * Radrelay examples fixed from Alex Clouter. + * Update systemd target. Pull request #1896. + * Trim starting whitespace in xlat strings. + * Get MySQL result lengths using normal API. + * suid down after fchown(). Fixes #1914. + * Fix cases of comparing pointer to NUL character. Fixes #1915. + * OpenSSL v1.1 fixes. Pull request #1921. + * Better Handle v4/v6 host names. Pull request #1919. + * Remove "Auth-Type = System" from docs and examples. + * Don't crash on malformed %{home_server}. Fixes #1922 + * fix erroneous use of talloc destructor in rlm_eap + * Issue trigger modules.sql.fail. Fixes #1923 + * Document python_path gotcha's. Fixes #1845 + * dlopen() the specific version of Python. 
Fixes #1592 + +------------------------------------------------------------------- +Mon Feb 20 15:27:28 CET 2017 - kukuk@suse.de + +- Don't require insserv if we use systemd +- Remove require for unused fillup + +------------------------------------------------------------------- +Mon Jan 30 15:46:54 UTC 2017 - adam.majer@suse.de + +- Merge changes from SLE to openSUSE (FATE#322416): + * freeradius-server-radclient-init-error-buffer.patch - make sure + we initialize error buffer. bsc#911886: radclient error free() + invalid pointer + * freeradius-server-opensslversion.patch: remove OpenSSL version + check and assume we know what we are doing. (bnc#1013311) + * merge .changes file, mostly. +- do not attempt to detect "vulnerable" OpenSSL versions. SUSE + security fixes do not necessarily bump version numbers as + does upstream OpenSSL (bnc#1021375) +- do not generate certificates in %post. End-user needs to do this + manually. +- keep FreeTDS disabled on SLE12 - we never shipped it enabled +- require OpenSSL 1.0+ +- use pkgconfig(systemd) instead of plain systemd as BuildRequires +- don't list manual pages as %doc + +------------------------------------------------------------------- +Sun Jan 1 13:39:57 UTC 2017 - jengelh@inai.de + +- Remove --with-pic which is for static libs only. +- Use SUSE RPM group names. Trim filler words from description. +- Do not hide errors from groupadd/useradd. + +------------------------------------------------------------------- +Fri Nov 18 14:48:59 UTC 2016 - adam.majer@suse.de + +- Add upstream keyring +- 2 new modules: rlm_sql_freetds and rlm_eap_fast + +------------------------------------------------------------------- +Thu Sep 29 20:14:34 UTC 2016 - michael@stroeder.com + +- update to 3.0.12 - still fate#320481 + The focus of this release is stability. + * Feature improvements + + Add support for =~ and !~ in update sections. See "man unlang" + + Add dictionary.checkpoint. + + Simultaneous-Use prints out more information. 
+ + Print WARNING in debug mode when packets may be truncated. + + Added expansions %{home_server:state} and + %{home_server_pool:state}, which show the state of the + server / pool. + + Mark rlm_sql_freetds as stable. + + Make rlm_perl less fragile. Patch from Herwin Weststrate. + + Allow extended attributes to have "encrypt=2" + + Update dictionary.aruba. + + Add support for EAP-FAST. This is an isolated feature which + does not affect anything else. + + Update OpenSSL vulnerability list. Use a version of OpenSSL + released after September 20, 2016. + + EAP certificate verification is now done when "verify" is + enabled and "ocsp" is disabled. + + New dhcpclient and rlm_rad_counter man pages. + + Minor abfab and moonshot additions. + + Pass CFLAGS through from environment in RPM builds. Allows + more custom builds. + + Build with Heimdal in addtion to libkrb5. + * Bug Fixes + + Use correct typedef for older versions of sqlite. + + Update mssql schema to add priority + + don't complain on /dev/urandom in ldap + + fix == operator in update sections + + Don't create DHCP strings with many trailing zeros. + + Allow MS-CHAP change passwords instead of complaining on + large buffer. + + Allow assignment or equality operator on SQL. + + Update aclocal tests for FreeBSD 10. + + Remove occasional hang in rlm_linelog. + + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + + A few minor bugfixes caught in v3.1.x cleanup, and + back-ported to v3.0.x. + + do_not_respond again works in post-proxy + + Allow realm "~^.*$" {} and User-Name with no realm. + + Fix leak when creating unknown attributes + + Fix Debian / logrotate. + + Make OpenSSL error functions thread-safe. + + Fix crash with rlm_sql and updating SQL-User-Name. + + Debian build updates. + + Allow regular expression comparisons in radclient. + + Fix memory leak on unknown attributes in detail file reader. + + Update example paths in "man" pages when installing them + + Build fixes for rlm_mschap. 
Fixes #1489. + + BSD build fixes. Patch from issue #1583. + + Be more careful about /lib/ when building. Fixes #1585. + + Correct ifdef placement error. Fixes #1572. + + Allow for more files in internal "exfile" API So it will be + possible to open more than 64 "detail" files at the same + time. + + Remove support for statically built EAP modules. Fixes #1591. + + Many fixes to rlm_python from Guillaume Pannatier. + + Use correct week adjustment in SQLcounter. Fixes #1608 + + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + + Fix checks for module / config file change on HUP. + + Compile regex comparisons when sent via "debug condition". + + Update filenames in documentation and examples. + + Don't crash if SQL connection becomes unavailable. + + Disallow originate_coa when proxy_requests = no. + + Free rad_perlconf_hv in correct perl context. + + Multiple fixes for Debian builds. #1510, among others. + + Set OpenSSL FIPS compatibility flag when necessary. + + Pulled fixes for the build system over from other branches. + + Fix OCSP for RADIUS over TLS. + + Fix skip_if_ocsp_ok behavior. + + Better fixes for systems without closefrom() but which have + /proc. + + Minor build fixes back-ported from v4.0.x. + + build --whout-ascend-binary. Fixes #1761. + + Be more aggressive about not opening new connections in + debug mode after CTRL-C. Address #1604. 
+ + +------------------------------------------------------------------- +Fri Sep 2 12:16:56 UTC 2016 - adam.majer@suse.de + +- use %{with} macro for conditional inclusions instead of hardcoding + version numbers +- improved package descriptions +- fixed builds on SLE12 and SLE11SP4 + +------------------------------------------------------------------- +Mon Jan 25 18:48:55 UTC 2016 - michael@stroeder.com + +- removed installation of experimental module rlm_sqlhpwippool.so +- update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, + bsc#935573, CVE-2015-4680) + * Changes of version 3.0.11 + + Feature improvements + - "unlang" comparisons of IP addresses to IP prefixes are now + detected, and types automatically cast. + - Allow shorthand form of ipv4prefix values e.g. 127/8. + - Add "auto_chain" to raddb/mods-available/eap, tls subsection. + This allows the disabling of OpenSSL auto-chaining of + certificates. Which might be wrong. + - Added printing of coa and disconnect stats (radmin). + - radclient defaults to expecting Access-Accept responses to + Status-Server. + - Updated dictionary.lancom, dictionary.starent. + - Portability fixes for Solaris. + - More errors from ntlm_auth gets passed to MS-CHAP. + - Update abfab-tr-idp virtual server. + - Added "filter_password" in policy.d/filter. This removes + embedded zero bytes in User-Password, for compatibility with + broken clients. + - The server now issues a WARNING message if duplicate + configuration items are found. + - TLS can skip the "verify" section if OCSP returns OK. See + raddb/mods-available/eap, "skip_if_ocsp_ok". + - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the + result from the OCSP check. + - Interoperate with AD and "LmCompatibiltyLevel = 5", by + always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind + in rlm_mschap. + - TTLS and PEAP now require "virtual_server" to be a real + server. + - Print WARNING when TTLS or PEAP identities are spoofed or + not properly anonymized. 
See RFC 7542 for requirements. + - Various rlm_python fixes from Herwin Weststrate. + - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", + which is useful when the home server does not respond. + - elasticsearch updates from Matthew Newton + + Bug Fixes + - Fix issue where field nas_type would not be accessible via + the %{client:} xlat, for clients loaded from SQL. + - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to + msg_callback with 'pseudo' content types. + - Data type "ipv4prefix" is parsed correctly. + - Use correct talloc context in rlm_exec. Fixes #1338. + - Complain in unlang if "else" is used with no previous "if" + or "elsif". + - Send accounting status packets to the accounting port. + Fixes #1364. + - Print out CFLAGS when doing "radiusd -Xxv" + - Fixed bug with coa/acct stats value #1339. Based on patch + from Jorge Pereira. + - Fixes for LEAP proxying. Don't use LEAP! + - Fix issue with "directory already exists" seen when doing + "make install". + - Fixed bug with radmin related to the option "stats detail + " + - Complain if the detail file reader does not have permission + to read the "detail.work" file. Fixes #1398 + - Fixed SoH. Attributes were not being copied to the virtual + server. + - Used a wrong list to global statistics in "stats". + - Create EAP-PWD identity correctly. Prevents segfaults. + - Dynamically validate authentication types for PEAP and + EAP-MSCHAPv2. + - Fix includes in installed headers. + - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys + correctly. See raddb/mods-available/eap, "disable_tlsv1_2" + - Allow password change to work for MS-CHAP. This requires + 'r=0', because password changes are not retries. + - Fix home server fail-over for home servers using TCP and/or + RadSec. + - Special characters in expanded regexes are now escaped e.g. + User-Name containing '.', and comparing /%{User-Name}/, the + '.' will now be escaped. See src/tests/keywords/regex-escape. 
+ - Use correct authentication vector when sending Access-Reject + replies for RadSec. + - Set FreeRADIUS-Proxied-To in TTLS again. You should use the + "inner-tunnel" virtual server, instead of relying on this + attribute. + - Fix debugging constants in rlm_perl. Patch from Herwin + Weststrate. + - Add samba-dev / samba4-dev to debian builds so that + rlm_mschap can automatically use the new winbind API. + - Automatically skip zero-length attributes when sending + packets, instead of erroring out. + +------------------------------------------------------------------- +Mon Oct 26 12:45:59 UTC 2015 - jkeil@suse.de + +- fix bsc#951404 + * Rebuild of freeradius-server package fails + * fix source url + - ftp://ftp.freeradius.org/pub/freeradius/ + + ftp://ftp.freeradius.org/pub/freeradius/old/ + +------------------------------------------------------------------- +Mon Oct 5 19:50:27 UTC 2015 - michael@stroeder.com + +- update to 3.0.10 + * Changes of version 3.0.10 + + Feature improvements + - Do more optimization of unlang policies. This makes run-time + a bit faster. + - Re-name most of the functions in src/lib. Third-party module + authors will have to do the same. + - More documentation on contributing and how to write modules. + - Update radiusd.service for systemd. + - Open IPv6 proxy socket if the server is listening on IPV6 + auth / acct / coa packets. + - Create debian packages for DHCP. Fixes #1125. + - Add more tests for "update" section parsing. + - Update "man" pages. + - Update attributes for Alcatel 7750 + - Add dictionary for Boingo Wi-Fi + - Add support for DHCP lease queries. + See raddb/sites-available/dhcp + - On HUP, check all modules for config files which have + changed. And only re-load those modules. + - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS + packets. Patch from Herwin Weststrate. + - Documentation fixes from Alan Buxey and Matthew Newton. + - Update "logrotate" script. 
+ - Added more RFCs to doc/rfc for new standards implemented by + FreeRADIUS. + - Don't crash when doing "radmin -e "help hup". Patch from + Matthew Newton. + - The dictionary parser now does more sanity checks, which + prevents run-time problems with invalid attributes. + - Update debian packages. Patches from Christopher Hoskin. + - Many other debian packaging fixes from Matthew Netwon and + Herwin Weststrate. + - Add "session-state" to Perl. Patch from Herwin Weststrate. + + Bug Fixes + - Fix rlm_files so that there are no collisions when loading + 10's of 1000's of users. + - Fix radclient to use our internal v4/v6 parsing functions. + v6 addresses with ports now work correctly. + - Fix sending/receiving packet messages to wrap v6 addresses + in square brackets '[]'. + - Check for sasl/sasl.h when building rlm_ldap, and disable + SASL functionality if unavailable. + - Fix issue which caused a non \0 terminated buffer to be + assigned to attributes if the value being assigned contained + an invalid escape sequence. + - Fix deadlock when reconnecting connections in the connection + pool. + - Fix potential overrun in functions that used fr_utf8_char + with a non nul terminated buffer. + - Fix decoding issue for Tunnel-Password type attributes which + were very long. Found by Denis Andzakovic. + - Fix radclient issue with TCP sockets on FreeBSD. + - The server now creates ${run_dir} and ${logdir} directories + in daemon mode, when running as "root". + - Handle tags when using maps. Fixes #1191. + - Fix crash when CoA packets time out. + - Fix parse error in rediswho + - Fix regex support in SQL radcheck the "users" file and + radsniff. + - Register listen xlat earlier, so that it's available when + the virtual servers are being parsed. + - Parse Ascend-Data-Filter when given as "0x..." + - Print Ascend-Data-Filter correctly. Add test cases for both. + - Allow old-style clients again. They will be disallowed for + 3.1.0 and following. 
+ - Complain instead of crash when "else" and "elsif" are in the
+ wrong place.
+ - Clean up memory more aggressively. This lowers the maximum
+ memory used, most typically for TLS based EAP methods.
+ - Prevent the server from unlinking the control socket of an
+ already running instance.
+ - Fallback to using the configured OCSP URL if one exists, and
+ no URL is provided in the certificate.
+ - Return CoA-NAK if proxying CoA fails. Based on patch from
+ Jorge Pereira.
+ - Lower peak memory usage by decreasing size of internal
+ memory pools.
+ - The control socket is now left in place if a second copy of
+ the server is accidentally started.
+ - Allow virtual attributes in "switch", "case", etc. Fixes
+ #1240 and #1265.
+ - Many spell check / typo fixes in comments and example
+ configuration files.
+ - Better handle multiple DHCP listeners.
+ - Don't print secrets for old-style realms. Fixes #1267.
+ - Don't fall through in empty "case" statements. Fixes #1274.
+ - Update EAP-TTLS so that MPPE keys are correctly calculated
+ with TLSv1.2.
+ - Always delete MS-MPPE-* from the TTLS inner tunnel. This
+ allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
+ - Fix off by one error that caused some MSCHAP-Error messages
+ to be sent without the password change version (V=3) and the
+ textual message component (M=).
+ - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759
+ does not say that any of these fields are optional, and not
+ including V= caused errors with wpa_supplicant.
+ - Do not include M= in MSCHAPv1 errors. It's not supported.
+ +------------------------------------------------------------------- +Fri Aug 7 10:56:29 UTC 2015 - jkeil@suse.de + +- Fix boo#912714: freeradius can't use ntlm_auth + * Create winbind group + * Add radiusd to winbind group + +------------------------------------------------------------------- +Tue Aug 4 15:19:06 UTC 2015 - jkeil@suse.de + +- Remove gpg signature file + * The gpg signature checking is broken and doesn't work + +------------------------------------------------------------------- +Tue Aug 4 14:28:24 UTC 2015 - jkeil@suse.de + +- Fix bsc#935573: Insufficent CRL application for intermediate certificates + * CVE-2015-4680 + * freeradius-server-CVE-2015-4680.patch based on + https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3 + +------------------------------------------------------------------- +Wed Jul 8 20:05:24 UTC 2015 - michael@stroeder.com + +- update to 3.0.9 + * Changes of version 3.0.9 + + Feature improvements + - Make "pool" configurations more consistent, and update + documentation for them. + - Move connection pool logic to "most recently started", + instead of MRU. This should help with pool stability. + - More VSAs for 3GPP2 + - Added examples of multi-value attributes to rlm_perl. + - LDAP-Group and SQL-Group attributes are now dynamically + allocated. + - Only the "sql" module registers SQL-Group. Other instances + register "instance-name-SQL-Group", similarly to "ldap". + - Unknown attributes are now complained about more often when + used in unlang statements. e.g. if (Foo-Bar == 3) used to be + a string to string comparison. It is now a parse error. + - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many + things easier. + - Move to C99 initializers for modules. + - Load modules in raddb/mods-enabled. This allows attributes + like "LDAP-Group" to be used in the "files" module, without + explicit ordering or listing in "instantiate". + - Added 'bootstrap' section to modules. 
Third-party modules + will need to be updated. + - When adding clients from a DB, add them to a virtual server + if that virtual server has a "listen" section. Otherwise, + add the clients to the global list. + - When reading dynamic clients from a file, don't expire them + if the underlying file is unchanged. + - Allow the server to originate CoA requests from the + post-auth stage. + - The server creates ${run_dir} and ${logdir} in daemon mode, + if they do not already exist. + - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server + now supports all mandatory and optional attributes for this + specification. + - HUP now re-loads the configuration only if the files have + changed. If all files are unchanged, HUP re-opens the log + file, and does nothing else. + - Much better debug messages for EAP-TLS, including which + attributes are cached, and when they are retrieved. + - Increase default max_requests to 16384. Memory is cheap now. + - Added "stats memory" commands to radmin. Debug build only. + - Aptilo controller dictionary updates. + - SQL modules now use Acct-Unique-Session-Id everywhere. + - The redis modules are now stable. + - The LDAP module now supports SASL "interactive bind" method. + This allows Kerberos based administrator and user binds. + - DHCP code is now in libfreeradius-dhcp. + - More DHCP encoding / decoding unit tests. + - rlm_replicate can now be listed in the "accounting" section. + - Better sqlite debugging output. + - Remove "required" option from many sql_ippool directives. + - Set default CA "basic constraints" to "critical". Fixes #1073 + - Updates to help / man pages from Jorge Pereira. + - Added more tests. + + Bug Fixes + - Be more careful about unused config item warnings when + using -Xx. + - Move more defines to be auto-generated. + - Allow virtual servers in proxy fallback. + - Allow %{module:} to work. + - Don't crash in RadSec. Closes #980. + - Return better errors when a unix group / user is not found. 
+ - Re-enable detail module "locking" parameter.
+ - Don't crash when logging replies from Status-Server packets.
+ - The couchbase module now uses "update" instead of "map", for
+ consistent with the rest of the server.
+ See raddb/mods-available/couchbase
+ - Don't require NT-Password for MS-CHAP password changes.
+ - Be a bit more careful about decrypting MS-CHAP-MPPE-Key
+ attributes. Closes #1013. There is no perfect fix, tho.
+ - Fix security issues with EAP-PWD.
+ See http://freeradius.org/security.html#eap-pwd-2015
+ - Fix dynamic clients read from SQL in non-debug mode
+ - MS-CHAP now allows retries (i.e. password change) when
+ passwords are expired.
+ - Allow "user=radiusd" when the server is already user
+ "radiusd"
+ - suid up/down works on non-Linux systems. This means that the
+ control socket should have the correct ownership.
+ - Fix issue which caused the server to sometimes have problems
+ when a home server was marked zombie.
+ - Fix format.pl because Perl is now more picky.
+ - Fix proxy to Packet-Dst-IP-Address, so that it uses the
+ correct destination port.
+ - Fix corner case with cursor functions and removal.
+ - OpenDirectory fixes and documentation.
+ - Fix leaks in rlm_redis.
+ - RFC 6929 "evs" attributes are now encoded / decoded properly.
+ - Fix talloc pool leaks when receiving malformed or
+ retransmitted Accounting/CoA requests.
+ - Printed attributes again use double quotes instead of single
+ quotes.
+ - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to
+ eap.conf. Fixes oCert CVE-2015-4680.
+ - rlm_expr now errors out correctly on malformed attribute
+ references instead of triggering an assert.
+ - Make "break" work in "foreach" loops
+ - Allow dynamic expansions to work again in the "hints" file.
+ - Correct minor typos in comments and examples from Alan Buxy.
+ - Re-urlencode the path portion of ldapi:// urls before
+ passing it to ldap_initialise.
+- freeradius-server-rlm_sql_unixodbc-configure.patch removes + hard-coded directory in configure script of rlm_sql_unixodbc +- install new module rlm_sqlhpwippool.so + +------------------------------------------------------------------- +Thu Apr 23 14:22:17 UTC 2015 - vcizek@suse.com + +- minor adjustments/cleanup of spec and changes + +------------------------------------------------------------------- +Wed Apr 22 20:31:44 UTC 2015 - michael@stroeder.com + +- update to 3.0.8 + * Changes of version 3.0.8 + + Feature improvements + - Allow syslog_severity to be set in rlm_linelog. + - Allow defaults to be set for bulk clients in LDAP and + couchbase. + - Updates to dhcpclient. Patches from Nicolas C. + - rlm_mschap now supports direct connections to winbind, + which is faster than ntlm_auth. + See raddb/mods-available/mschap. Patch from Matthew Newton. + - Recommend /dev/urandom for TLS randomness, instead of + ${certdir}/random + - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}. + - Allow Expanded EAP types where vendor is 0 (IETF) and type + is normal EAP type. Supplicants sending Expanded EAP types + like this are broken. + - Add support for server side sort controls when searching + for user objects in rlm_ldap. + + Bug Fixes + - Don't complain about "authorize" in "server {}" blocks, but + only if there's no "server" block. + - Fix cosmetic issue where debug from the first packet read by + a detail reader thread would be emited during config parsing. + - Fix ASSERT on truncated detail packets. + - Don't use main server log functions from within panic_action, + as in the case of syslog this would cause deadlocks if the + fault was triggered from within a malloc. + - Fix issue in "switch" when "correct_escapes = false". + Fixes #911. + - Fix sqlcounter configuration to use "%%b" instead of "%b", + otherwise the new syntax validation will fail. + - Allow forward references in configuration items. Modules + aren't always loaded in a sane order. 
+ - Fix more escaping issues. Closes #912.
+ - Decode MAC addresses correctly for VMPS.
+ - Fix memory leak with TLS connections.
+ - Fix state machine threading issues for conflicting packets.
+ - Fix copy_request_to_tunnel issues for tagged attributes.
+ - Allow "ok" to over-ride "updated" inside of Auth-Type
+ sections.
+ - Update state machine so that post-proxy is run though child
+ threads for performance, instead of blocking the main thread.
+ - Allow "netmask" to work again in client definitions.
+ - Relax restrictions on SQL group queries.
+ - track outgoing proxy sockets and clean them up more
+ aggressively.
+ - track proxy statistics, including CoA and Disconnect.
+ - If radmin has a connection failure when running a command,
+ it re-connects and runs the command again.
+ - mark home servers "unknown" less aggressively.
+ - Fix potential SEGV in PostgreSQL driver on error.
+ - Fix issue where fields like nas_type would not be
+ accessible via the %{client:} xlat, for dynamic clients.
+ - Set default busy_timeout (of 200ms) in the sqlite driver, so
+ writes don't cause selects to fail in multithreaded mode.
+ This is user configurable, and may be increased if required.
+ - Convert Password-With-Header attributes to binary (from hex
+ or base64), in the authorize method of rlm_pap.
+ - Fix invalid assert in state.c, that could cause abort in
+ post-auth.
+ - Fix double free when -m flag is used, and connection pools
+ are referenced by multiple modules.
+ - RADIUS over TLS accounting uses the same port as
+ authentication.
+ - Regularized return codes from radmin commands.
+ - Fix RHEL spec file so it works correctly for Centos7 which
+ uses systemd, and didn't like the SystemV init script.
+ - radwho and radlast now have a -D option to load dictionaries
+ - DHCP packets are no longer checked for duplicates.
+ - Don't crash in sql module group comparisons in corner case.
+ - Calculate MPPE keys correctly when using TLS 1.2.
+ - Fix load-balance sections.
Closes #945
+ - TLS certificates are available again in the post-auth
+ section. They are not available for session resumption.
+ - radclient encodes CHAP-Password properly when using -c
+ Closes #955.
+ - Fix issue in rlm_cache_memcached driver that caused variable
+ length values to be truncated.
+ - Fix track functionality in detail reader, so it no longer
+ fails with a "Failed marking detail request as done: Bad
+ file descriptor" error.
+ - Actually add the peer identity (as User-Name) to the inner
+ tunnel in EAP-PWD requests, so it's available for lookups.
+ - Fixes to PostgreSQL queries. Patches from Santiago Gimeno.
+- new set of consolidated patch files:
+ deleted:
+ * freeradius-server-2.1.1-logrotate_su.patch
+ * freeradius-server-2.1.6-rcradiusd.patch
+ * freeradius-server-initscript-pidfile.patch
+ * freeradius-server-radius-reload-logrotate.patch
+ * freeradius-server-var_run.patch
+ added:
+ * freeradius-server-radiusd-logrotate.patch
+ * freeradius-server-rcradiusd.patch
+ * freeradius-server-tmpfiles.patch
+
+-------------------------------------------------------------------
+Wed Jan 14 13:10:11 UTC 2015 - tchvatal@suse.com
+
+- Do not disable as-needed build
+- Remove the with_sysconfig switch and just stick with versions
+
+-------------------------------------------------------------------
+Tue Jan 13 09:42:05 UTC 2015 - vcizek@suse.com
+
+- update to 3.0.6
+ - fixes a segmentation fault in PEAP module (bnc#912588)
+ Feature improvements:
+ * radmin / raddebug conditional errors are printed to the output, instead of being discarded.
+ * raddebug will exit if condition set with -c was invalid.
+ * radmin auto-reconnects if the connection to the server has gone away.
+ * rlm_cache now has submodule support. See raddb/mods-available/cache
+ * New memcached driver for rlm_cache. See raddb/mods-available/cache
+ * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
+ * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
+ * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
+ * When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
+ * Support JIT compilation of compiled regular expressions when built with libpcre.
+ * Support named capture groups with "%{regex:}" when built with libpcre.
+ * Increase regular expression capture groups from 8 to 32.
+ * Emit error markers for badly formed regular expressions.
+ * Allow 'm' flag to enable multiline mode in regular expressions.
+ * Support limited implicit attribute conversion in update sections.
+ * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).
+
+-------------------------------------------------------------------
+Mon Dec 22 09:09:16 UTC 2014 - dimstar@opensuse.org
+
+- Drop .keyring and .sig file: freeradius-server still uses MD5
+ signatures, which are no longer validated/accepted by GPG 2.1.
+
+-------------------------------------------------------------------
+Wed Dec 3 14:22:03 UTC 2014 - vcizek@suse.com
+
+- update to 3.0.5
+ Some of the new features:
+ * Allow LDAP to specify arbitrary attributes for dynamic
+ clients.
+ * Allow one level of backslashes (finally). See radiusd.conf,
+ "correct_escapes" setting.
+ * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
+ in EAP methods.
+ * Allow multiple new connections to be spawned simultaneously
+ in the connection pool, to cope with spikes in traffic.
+ * Use kqueue on systems which support it. This allows for
+ better scaling when using many sockets.
+ * Home server "response_window" can now take fractions of a
+ second. See proxy.conf.
+ * radmin now supports "show module status", as thee counterpart
+ to "set module status"
+ * "ipaddr" will now use v6 if no v4 address is present.
You should + use "ipv4addr" or "ipv6addr" to force v4/v6 addresses. + * "client" sections will allow "ipaddr = 192.192.0/24". The old + "netmask" is still accepted, but the new format is preferred. + * Allow custom HTTP headers to be set for rlm_rest requests using + control:REST-HTTP-Header (attributes consumed after use). + * Extend format of %{rest:} expansion to allow HTTP method and POST + data to be specified + and urlquoting. + * Add support for aliases in rlm_ldap. + * Add support for connection pool sharing to all modules that use + the connection pool (pool = ). + * "tls" sections now have a "psk_query" configuration item, for dynamic + queries to discover a key from a PSK identity. + * Preliminary support for EAP channel bindings. + * Foundational work for dynamic home servers. They do not yet work, + but this is now only a matter of updating the "realm" module in + a future release. + * Support &attr[*] syntax to copy all instances of an attribute when + used with the += operator in an update section. May be qualified with + a tag. + * The logintime and expiration modules can now be listed in the + post-auth section. This makes some configurations simpler. + * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get + Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. + Please submit patches. + and numerous; bugfixes +- remove gpg-offline +- create /run/radiusd after install +- drop freeradius-server-opensslversion.patch (upstream) + +------------------------------------------------------------------- +Mon Dec 1 10:52:28 UTC 2014 - meissner@suse.com + +- freeradius-server-opensslversion.patch: do not check the minor + version of openssl, minor versions are supposed to be compatible. 
+ bnc#906682 + +------------------------------------------------------------------- +Sun Aug 3 18:31:49 UTC 2014 - sfalken@opensuse.org + +- added patch to changelog to fix factory-auto failure (Req #242825) + added: + freeradius-server-var_run.patch + +------------------------------------------------------------------- +Mon Jul 28 12:28:44 UTC 2014 - vcizek@suse.com + +- fixed SUSE spelling in a filename (bnc#889034) + * don't install suse/README.SuSE +- remove old tarball and signature file + +------------------------------------------------------------------- +Tue Jul 22 12:17:52 UTC 2014 - vcizek@suse.com + +- spec run through spec-cleaner +- don't install files to /var/run + +------------------------------------------------------------------- +Fri May 16 13:31:41 UTC 2014 - vcizek@suse.com + +- update to 3.0.3 + Many bugfixes + Feature improvements + * Everything now builds with no warnings from the C compiler, + clang static analyzer, or cppcheck. + * rlm_ldap now supports defining the LDAP attribute name via + backticked expansion (i.e. shell command) in + RADIUS <-> LDAP mappings. + * rlm_ldap now supports older style generic attributes. + * dynamic expansions (e.g. "%{expr:1 + 2}" are now parsed + when the server starts. Syntax errors in the strings + are caught, and a descriptive error is printed. + * Static regular expressions (e.g. /a*b/) are now parsed + when the server starts. Syntax errors in the strings + are caught, and a descriptive error is printed. + * dynamic expansions are cached after being parsed. They are + no longer re-parsed at run-time for every request. + * regular expressions are now parsed and cached when the server + starts. + * Added the %{rest:} expansion to rlm_rest, which will send + a GET request to the URL passed as the format string. + Any body text will be written to the expansion buffer. + * rlm_rest now available as a debian package. 
+ * When an 'if' condition statically evaluates to true/false,
+ unlang does more static optimization. For examples, see
+ src/tests/keywords/if-skip
+ * All modules are marked as safe for '-C', which lets the
+ dynamic expansion checks work in more situations.
+ * Added 'none' and 'custom' rlm_rest body types. 'custom'
+ allows sending of arbitrary expanded text and content-type
+ headers.
+ * Added "config" section to Perl. See mods-available/perl
+ * Added '%v' which expands to the server version - Patch
+ from Alan Buxey.
+ * more mis-matched casts are caught in "if" conditions,
+ and descriptive errors are printed.
+ * Support basic response validation in radclient. This allows
+ administrators to write local test cases for their
+ site-specific configurations.
+ * Removed radconf2xml and radmin "show client config" and
+ "show home_server config".
+ * Forbid running with vulnerable versions of OpenSSL.
+ See "allow_vulnerable_openssl" in the "security"
+ subsection of "radiusd.conf"
+ * Catch underlying "heartbleed" problem, so that nothing bad
+ happens even when using a vulnerable version of OpenSSL.
+ * Add locking API for sql_null, linelog, and detail modules,
+ which should improve performance and work around issues
+ on platforms with bad file locking.
+ * Allow DHCP NAKs to be delayed, via setting
+ reply:FreeRADIUS-Response-Delay = 1
+ * Allow tag and array references anywhere attributes
+ are allowed in "unlang".
+ * many enhancements to radsniff, including output
+ to collectd, ipv6 support and packet loss statistics.
+ * Many dictionary updates (ZTE, Brocade, Motorola).
+ * rlm_yubikey now automatically splits passwords from OTP
+ strings.
+ * The detail file reader is now threaded by default.
+ This should improve performance reading the files.
+- dropped freeradius-server-CVE-2014-2015.patch (upstream)
+
+-------------------------------------------------------------------
+Fri Feb 28 09:04:08 UTC 2014 - vcizek@suse.com
+
+- fix for CVE-2014-2015 (bnc#864576)
+ * denial of service in rlm_pap hash processing
+ * added freeradius-server-CVE-2014-2015.patch
+
+-------------------------------------------------------------------
+Wed Jan 29 13:53:30 UTC 2014 - vcizek@suse.com
+
+- remove the old 3.0.0 sources
+
+-------------------------------------------------------------------
+Sat Jan 25 14:44:31 UTC 2014 - mardnh@gmx.de
+
+- update to 3.0.1
+ Feature improvements
+ * Add "timeout" to exec, and "ntlm_auth_timeout" to mschap.
+ So that run-away child processes are caught earlier.
+ * Allow TLS clients to use "proto = tls", in which case
+ TLS is required. The shared secret is then set to "radsec".
+ * More documentation in the tls virtual server.
+ * Add "date" module for date formatting.
+ See raddb/mods-available/date.
+ * Added unit test suite for internal server functionality
+ * When loading "update" sections, check if the RHS is a literal
+ value. If so, syntax check it immediately.
+ * Update LDAP module documentation and functionality.
+ The generic attribute can now update lists.
+ * Updated dictionary.extreme.
+ * Update sqlippool to do clears as a separate transaction,
+ and at most once per second. This should help MySQL.
+ * Respect control:Response-Packet-Type for all types of
+ requests.
+ * Add support for SSL encryption to the MySQL driver.
+ * Allow arbitrary connection parameters to be used with the
+ PostgreSQL driver.
+ * Changes to the OpenLDAP schema to fully expose functionality
+ of the new LDAP module.
+ * Update debian packaging to include a freeradius-config
+ package. This package may be provided as a site local
+ package to avoid fighting with the preinstalled config
+ files.
+ Bug fixes
+ * Use correct field for ARP setting in DHCP.
+ * Fix crash on debug condition (#454).
+ * Fix a number of minor issues caught by the clang
+ analyzer.
+ * Set WARNING messages to yellow instead of normal text.
+ * Correct debug colorise logic. Patch from Phil Mayers.
+ * Encode attributes of type "ethernet". No one uses them,
+ but it makes sense.
+ * Work around regex initialization issues.
+ * Fix build when linking against OpenSSL.
+ * Print IDs as positive numbers, which helps for large DHCP
+ XIDs.
+ * Fix issue with sql_ippool.
+ * sqlcounter now uses 64-bit counters, to deal with 4G overflow.
+ * Fix issues with DHCP subsystem.
+ * Don't build / install disabled modules, or their config
+ files.
+ * Fix build for OSX Mavericks, which hid the header files
+ in a magical place.
+ * Fix LEAP buffer issue. You should still avoid LEAP.
+ * Mark "unknown" WiMAX attributes as being WiMAX.
+ * Fix typo in packet decoder for fragmented extended attrs
+ * RPM spec fixes.
+ * Fix rlm_perl build issues when not using threads.
+ * Enable %{Response-Packet-Type} again.
+ * Update configuration file parser to handle "bool"
+ consistently.
+ * Update declarations of global boolean variables to use
+ "bool" consistently. This fixes an issue where some
+ modules were instantiated in "config check" mode and
+ did not work correctly.
+ * Make more messages debug instead of info, to avoid
+ polluting the logs with messages that can't be fixed.
+ * Set operator in internal unlang code to suppress spurious
+ warning messages.
+ * Fix debian packaging.
+ * Added "status" to Debian init script.
+ * Fix "update outer.request" to update the outer request.
+ * Don't print TLS debugging messages when not in debug mode.
+ * Correctly manage counters for "limit" sections of TCP / TLS
+ "listen" sockets.
+ * Fix libldap debug output.
+ * Fix rlm_ldap tls functionality.
+ * Initialise OpenSSL globals early to avoid issues with the
+ PostgreSQL library.
+ * Fix typo in sqlcounter expansion code.
Fixes #463
+ * Overwrite previous instances of SQL-User-Name when adding
+ it to the request.
+ * Work around bugs in both MIT and heimdal versions of
+ krb5_copy_context(), which caused segfaults in
+ multithreaded mode.
+ * Provide meaningful error messages if Heimdal krb5 is used.
+ * Fix attribute supression in rlm_detail.
+ * Exit with error code if child fails to complete server
+ initialisation after forking. This allows init scripts to
+ correctly report whether the server started ok.
+
+-------------------------------------------------------------------
+Mon Oct 21 12:06:19 UTC 2013 - vcizek@suse.com
+
+- don't build with experimental modules
+- fix packaging bugs:
+ * install init scripts only on <= 11.4
+ * install systemd unit
+ * add %defattr for submodules
+
+-------------------------------------------------------------------
+Tue Oct 15 15:15:24 UTC 2013 - vcizek@suse.com
+
+- update to 3.0.0
+ * new feature release
+ * see /usr/share/doc/packages/freeradius-server/ChangeLog
+ for complete list of changes in this release
+ * documentation for upgrading from 2.x is in /etc/raddb/README.rst
+- drop oracle support (wasn't built anyway)
+- dropped patches (obsolete):
+ * freeradius-server-2.1.6-codecleanup.patch
+ * freeradius-server-2.1.6-dialup_admin.patch
+ * freeradius-server-2.1.1-edirectory.patch
+- added systemd service unit
+ * radiusd.service
+- added systemd-tmpfile for /var/run/radiusd
+ * freeradius-tmpfiles.conf
+- added gpg-offline verification
+ * freeradius-server.keyring
+
+-------------------------------------------------------------------
+Thu Sep 5 17:22:43 CEST 2013 - mls@suse.de
+
+- add libperl_requires, as we link against libperl and thus
+ need a specific version of perl
+
+-------------------------------------------------------------------
+Thu Mar 14 15:17:37 UTC 2013 - vcizek@suse.com
+
+- fixed a bug in the logrotate script (bnc#797292)
+
+-------------------------------------------------------------------
+Mon Oct 1 11:34:31
UTC 2012 - vcizek@suse.com
+
+- files in sites-available/ are now %config(noreplace) [bnc#781756]
+
+-------------------------------------------------------------------
+Sat Sep 10 14:20:57 UTC 2012 - vcizek@suse.com
+
+- update to 2.2.0
+ - see /usr/share/doc/packages/freeradius-server/ChangeLog
+ for complete list of changes in this release
+ - fixes CVE-2012-3547 (bnc#777834)
+ - dropped freeradius-server-2.1.6-overflow.patch (upstream)
+ - dropped freeradius-server-sha1-default.patch (upstream)
+ - refreshed freeradius-server-fix-cert-bootstrap.patch
+
+-------------------------------------------------------------------
+Mon May 28 11:47:32 UTC 2012 - vcizek@suse.com
+
+- Use the new 'su' logrotate option (bnc#677335)
+
+-------------------------------------------------------------------
+Mon May 14 21:47:20 UTC 2012 - joop.boonen@opensuse.org
+
+- Enable the same CFLAGS as for other hardware
+
+-------------------------------------------------------------------
+Wed Oct 19 13:55:27 UTC 2011 - vcizek@suse.com
+
+- update to 2.1.12
+ Feature improvements
+ * Updates to dictionary.erx, dictionary.siemens, dictionary.starent,
+ dictionary.starent.vsa1, dictionary.zyxel, added dictionary.symbol
+ * Added support for PCRE from Phil Mayers
+ * Configurable file permission in rlm_linelog
+ * Added "relaxed" option to rlm_attr_filter. This copies attributes
+ if at least one match occurred.
+ * Added documentation on dynamic clients.
+ See raddb/modules/dynamic_clients.
+ * Added support for elliptical curve cryptography.
+ See ecdh_curve in raddb/eap.conf.
+ * Added support for 802.1X MIBs in checkrad
+ * Added support for %{rand:...}, which generates a uniformly
+ distributed number between 0 and the number you specify.
+ * Created "man" pages for all installed commands, and documented
+ options for all commands. Patch from John Dennis.
+ * Allow radsniff to decode encrypted VSAs and CoA packets.
+ Patch from Bjorn Mork.
+ * Always send Message-Authenticator in radtest. Patch from John Dennis.
+ radclient continues to be more flexible.
+ * Updated Oracle schema and queries
+ * Added SecurID module. See src/modules/rlm_securid/README
+ Bug fixes
+ * Fix memory leak in rlm_detail
+ * Fix "failed to insert event"
+ * Allow virtual servers to be reloaded on HUP.
+ It no longer complains about duplicate virtual servers.
+ * Fix %{string:...} expansion
+ * Fix "server closed socket" loop in radmin
+ * Set ownership of control socket when starting up
+ * Always allow root to connect to control socket, even if
+ "uid" is set. They're root. They can already do anything.
+ * Save all attributes in Access-Accept when proxying inner-tunnel
+ EAP-MSCHAPv2
+ * Fixes for DHCP relaying.
+ * Check certificate validity when using OCSP.
+ * Updated Oracle "configure" script
+ * Fixed typos in dictionary.alvarion
+ * WARNING on potential proxy loop.
+ * Be more aggressive about clearing old requests from the
+ internal queue
+ * Don't open network sockets when using -C
+- freeradius-server-snprintf-overflow.patch merged in upstream
+
+-------------------------------------------------------------------
+Tue Sep 27 13:05:59 UTC 2011 - vcizek@suse.com
+
+- fixed interaction with eDirectory (bnc#720620)
+
+-------------------------------------------------------------------
+Fri Jun 24 09:18:52 UTC 2011 - puzel@novell.com
+
+- update to 2.1.11
+ - see /usr/share/doc/packages/freeradius-server/ChangeLog
+ for complete list of changes in this release
+- add freeradius-server-snprintf-overflow.patch
+- use spec-cleaner
+
+-------------------------------------------------------------------
+Tue May 24 19:18:44 UTC 2011 - crrodriguez@opensuse.org
+
+- Supress timestamps in binaries, breaks build-compare. 
+
+-------------------------------------------------------------------
+Mon Oct 4 10:54:23 UTC 2010 - puzel@novell.com
+
+- update to 2.1.10
+ - see /usr/share/doc/packages/freeradius-server/ChangeLog
+ for complete list of changes in this release
+- drop freeradius-server-2.1.6-edir-64bit.patch (fixed upstream)
+
+-------------------------------------------------------------------
+Thu Sep 16 14:22:15 CEST 2010 - pgajdos@suse.cz
+
+- radiusd reload after logrotate [bnc#634445]
+
+-------------------------------------------------------------------
+Mon Jun 21 19:24:08 UTC 2010 - puzel@novell.com
+
+- update to 2.1.9 (bnc#615699)
+ - bugfix release, for list of changes please see
+ /usr/share/doc/packages/freeradius-server/ChangeLog
+
+-------------------------------------------------------------------
+Mon May 3 13:50:08 UTC 2010 - puzel@novell.com
+
+- add freeradius-server-initscript-pidfile.patch
+ - handle /var/run on tmpfs
+
+-------------------------------------------------------------------
+Sun Mar 21 08:43:58 UTC 2010 - puzel@novell.com
+
+- specfile cleanup
+
+-------------------------------------------------------------------
+Thu Mar 11 12:44:18 UTC 2010 - puzel@novell.com
+
+- drop freeradius-server-2.1.6-ltdl.patch - not needed anymore
+- clean up specfile
+- remove bind-libs, zlib-devel from BuildRequires - not needed
+
+-------------------------------------------------------------------
+Tue Mar 9 15:01:46 UTC 2010 - puzel@novell.com
+
+- update to 2.1.8
+ - for full list of changes, please see
+ /usr/share/doc/packages/freeradius-server/ChangeLog
+- drop freeradius-server-no-default-case.patch: fixed upstream
+
+-------------------------------------------------------------------
+Thu Dec 17 15:50:19 UTC 2009 - puzel@novell.com
+
+- update to 2.1.7
+ - for full list of changes, please see
+ /usr/share/doc/packages/freeradius-server/ChangeLog
+
+-------------------------------------------------------------------
+Thu Oct 22 09:05:35 UTC 2009 - 
puzel@novell.com
+
+- freeradius-server-no-default-case.patch (bnc#527742)
+
+-------------------------------------------------------------------
+Thu Oct 15 09:05:18 UTC 2009 - puzel@novell.com
+
+- freeradius-server-sha1-default.patch (bnc#546042)
+- freeradius-server-fix-cert-bootstrap.patch (bnc#546041)
+
+-------------------------------------------------------------------
+Fri Jun 19 10:35:46 CEST 2009 - coolo@novell.com
+
+- disable as-needed for this package as it fails to build with it
+
+-------------------------------------------------------------------
+Tue Jun 2 15:50:59 CEST 2009 - puzel@suse.cz
+
+- updated to 2.1.6
+ o Feature improvements
+ * radclient exits with 0 on successful (accept / ack), and 1
+ otherwise (no response / reject)
+ * Added support for %{sql:UPDATE ..}, and insert/delete
+ Patch from Arran Cudbard-Bell
+ * Added sample "do not respond" policy. See raddb/policy.conf
+ and raddb/sites-available/do_not_respond
+ * Cleanups to Suse spec file from Norbert Wegener
+ * New VSAs for Juniper from Bjorn Mork
+ * Include more RFC dictionaries in the default install
+ * More documentation for the WiMAX module
+ * Added "chase_referrals" and "rebind" configuration to rlm_ldap.
+ This helps with Active Directory. See raddb/modules/ldap
+ * Don't load pre/post-proxy if proxying is disabled.
+ * Added %{md5:...}, which returns MD5 hash in hex.
+ * Added configurable "retry_interval" and "poll_interval"
+ for "detail" listeners.
+ * Added "delete_mppe_keys" configuration option to rlm_wimax.
+ Apparently some WiMAX clients misbehave when they see those keys.
+ * Added experimental rlm_ruby from
+ http://github.com/Antti/freeradius-server/tree/master
+ * Add Tunnel attributes to ldap.attrmap
+ * Enable virtual servers to be reloaded on HUP. For now, only
+ the "authorize", "authenticate", etc. processing sections are
+ reloaded. Clients and "listen" sections are NOT reloaded.
+ * Updated "radwatch" script to be more robust. 
See scripts/radwatch
+ * Added certificate compatibility notes in raddb/certs/README,
+ for compatibility with different operating systems. (i.e. Windows)
+ o Bug fixes
+ * Minor changes to allow building without VQP.
+ * Minor fixes from John Center
+ * Fixed raddebug example
+ * Don't crash when deleting attributes via unlang
+ * Be friendlier to very fast clients
+ * Updated the "detail" listener so that it only polls once,
+ and not many times in a row, leaking memory each time...
+ * Update comparison for Packet-Src-IP-Address (etc.) so that
+ the operators other than '==' work.
+ * Did autoconf magic to work around weird libtool bug
+ * Make rlm_perl keep tags for tagged attributes in more situations
+ * Update UID checking for radmin
+ * Added "include_length" field for TTLS. It's needed for RFC
+ compliance, but not (apparently) for interoperability.
+ - FreeRADIUS 2.1.5
+ * Release number skipped due to procedural issues.
+ - FreeRADIUS 2.1.4
+ o Feature improvements
+ * Permit multiple "-e" in radmin.
+ * Add support for originating CoA-Request and Disconnect-Request.
+ See raddb/sites-available/originate-coa.
+ * Added "lifetime" and "max_queries" to raddb/sql.conf.
+ This helps address the problem of hung SQL sockets.
+ * Allow packets to be injected via radmin. See "inject help"
+ in radmin.
+ * Answer VMPS reconfirmation request. Patch from Hermann Lauer.
+ * Sample logrotate script in scripts/logrotate.freeradius
+ * Add configurable poll interval for "detail" listeners
+ * New "raddebug" command. This prints debugging information from
+ a running server. See "man raddebug.
+ * Add "require_message_authenticator" configuration to home_server
+ configuration. This makes the server add Message-Authenticator
+ to all outgoing Access-Request packets.
+ * Added smsotp module, as contributed by Siemens.
+ * Enabled the administration socket in the default install. 
+ See raddb/sites-available/control-socket, and "man radmin"
+ * Handle duplicate clients, such as with replicated or
+ load-balanced SQL servers and "readclients = yes"
+ o Bug fixes
+ * Clean up control sockets when they are closed, so that we don't
+ leak memory.
+ * Define SUN_LEN for systems that don't have it.
+ * Correct some boundary conditions in the conditional checker ("if")
+ in "unlang". Bug noted by Arran Cudbard-Bell.
+ * Work around minor building issues in gmake. This should only
+ have affected developers.
+ * Change how we manage unprivileged user/group, so that we do not
+ create control sockets owned by root.
+ * Fixed more minor issues found by Coverity.
+ * Allow raddb/certs/bootstrap to run when there is no "make"
+ command installed.
+ * In radiusd.conf, run_dir depends on the name of the program,
+ and isn't hard-coded to "..../radiusd"
+ * Check for EOF in more places in the "detail" file reader.
+ * Added Freeswitch dictionary.
+ * Chop ethernet frames in VMPS, rather than droppping packets.
+ * Fix EAP-TLS bug. Patch from Arnaud Ebalard
+ * Don't lose string for regex-compares in the "users" file.
+ * Expose more functions in rlm_sql to rlm_sqlippool, which
+ helps on systems where RTLD_GLOBAL is off.
+ * Fix typos in MySQL schemas for ippools.
+ * Remove macro that was causing build issues on some platforms.
+ * Fixed issues with dead home servers. Bug noted by Chris Moules.
+ * Fixed "access after free" with some dynamic clients.
+
+-------------------------------------------------------------------
+Thu Mar 26 15:58:44 CET 2009 - crrodriguez@suse.de
+
+- do not ship static modules
+
+-------------------------------------------------------------------
+Tue Feb 10 10:38:27 CET 2009 - prusnak@suse.cz
+
+- updated to 2.1.3
+ o Feature Improvements
+ * Allow running with user=radiusd and binding to secure sockets. 
+ * Start sending Status-Server "are you alive" messages earlier,
+ which helps with proxying multiple realms to a home server.
+ * Removed thread pool code from rlm_perl. It's not necessary.
+ * Added example Perl configuration to raddb/modules/perl
+ * Force OpenSSL to support certificates with SHA256. This seems
+ to be necessary for WiMAX certs.
+ o Bug Fixes
+ * Fix Debian patch to allow it to build.
+ * Fix potential NULL dereference in debugging mode on certain
+ platforms for TTLS and PEAP inner tunnels.
+ * Fix uninitialized memory in handling of vendor definitions
+ * Fix parsing of quoted (but non-string) attributes in
+ the users< file.
+ * Initialize unknown NAS IP to 255.255.255.255, rather than 0.0.0.0
+ * use SUN_LEN in control socket, to avoid truncation on some platforms.
+ * Correct internal handling of debug condition to prevent it
+ from being over-written.
+ * Check return code of regcomp in unlang, so that invalid regular
+ expressions are caught rather than mishandled.
+ * Make rlm_sql use . Addresses bug #610.
+ * Document list "type = status" better. Closes bug #580.
+ * Set "default days" for certificates, because OpenSSL won't do it.
+ This closes bug #615.
+ * Reference correct list in example raddb/modules/ldap. Closes #596.
+ * Increase default schema size for Acct-Session-Id to 64. Closes #540.
+ * Fix use of temporary files in dialup-admin. Closes #605
+ and addresses CVE-2008-4474.
+ * Addressed a number of minor issues found by Coverity.
+ * Added DHCP option 150 to the dictionary. Closes #618. 
+
+- removed CVE-2008-4474.patch (included in update)
+
+- fixed buffer overflow (overflow.patch)
+
+-------------------------------------------------------------------
+Tue Feb 10 10:19:32 CET 2009 - prusnak@suse.cz
+
+- fixed eDirectory bug on 64bit architectures (edir-64bit.patch)
+ [bnc#474006]
+
+-------------------------------------------------------------------
+Fri Feb 6 15:19:04 CET 2009 - prusnak@suse.cz
+
+- moved manpages from section 1 to utils subpackage [bnc#469682]
+
+-------------------------------------------------------------------
+Fri Jan 9 16:04:22 CET 2009 - prusnak@suse.cz
+
+- fixed bootstraping of certificates in %post [bnc#461998]
+
+-------------------------------------------------------------------
+Thu Oct 9 11:41:06 CEST 2008 - prusnak@suse.cz
+
+- fixed CVE-2008-4474 [bnc#433762]
+
+-------------------------------------------------------------------
+Thu Oct 9 11:37:04 CEST 2008 - prusnak@suse.cz
+
+- updated to 2.1.1
+ o Feature Improvements
+ * Many more options and features are available via radmin.
+ See man radmin and raddb/sites-available/control-socket.
+ * Many more commands available via the control socket.
+ Connect via radmin, and type help for more information.
+ * Added dictionary.networkphysics and dictionary.lancom.
+ * Calculate WiMAX MIP keys, and added sample WiMAX SQL tables.
+ o Bug Fixes
+ * Fixed bug that made radmin not work.
+ * Fixed Suse && Debian package scripts.
+ * Fixed issues with dynamic clients.
+ * Fixed configure checks for -lreadline
+ * rlm_sqlippool no longer needs to be linked to rlm_sql.
+ * Add statistics for detail file listeners. This closes bug #593.
+ * Fixed printing of some WiMAX attributes.
+ * Fixed double free on exit() in rlm_attr_filter.
+ * Fixed build issues on Solaris.
+ * Fixed fast session resumption for EAP-TLS. 
+
+-------------------------------------------------------------------
+Mon Sep 15 12:37:31 CEST 2008 - ro@suse.de
+
+- make radrelay a hardlink to radiusday (instead of identical copy)
+
+-------------------------------------------------------------------
+Tue Sep 9 19:49:08 CEST 2008 - prusnak@suse.cz
+
+- updated to 2.1.0
+ o Feature Improvements
+ * Clients may now be defined dynamically, based on IP address.
+ See raddb/sites-available/dynamic-clients.
+ * SNMP support is now available through an experimental Perl script.
+ See scripts/snmp-proxy/README
+ * SNMP statistics are also available through Status-Server packets.
+ See raddb/sites-available/status
+ * Added more Microsoft attributes from bug #568.
+ * The linelog module has more functionality and flexibility.
+ See raddb/modules/linelog.
+ * The debugging output has been sanitized. It should be much more
+ readable.
+ * Debug logs can now be turned on/off while the server is running,
+ for a user, group, realm, etc. See the log section of raddb/radiusd.conf.
+ * Added support for WiMAX Forum attributes. The dynamic keys are
+ not yet calculated. See share/dictionary.wimax
+ * Added session resumption for PEAP and TTLS.
+ See raddb/eap.conf, and the cache sub-section.
+ * Added radmin command-line tool for administering a running server.
+ See man radmin and raddb/sites-available/control-socket.
+ o Bug Fixes
+ * Double escaping of '\\' in the users (and some other) files
+ has been fixed. If you have '\\' in the users file, your
+ configuration will need to be checked, and fixed!
+ * Parse security section of radiusd.conf. This was accidentally
+ deleted in 2.0.5. Closes bug #566.
+ * Bind to interface before IP, which allows DHCP sockets to listen
+ on "*" for multiple interfaces.
+ * Fix handling of giaddr in DHCP responses.
+ * Corrected parsing of status_check in home_server so that it works.
+ * Fix hints so that "Puser" works again. 
+ * Removed length restrictions on attribute names in the dictionaries.
+ * Update socket code to avoid C compiler optimizations.
+
+-------------------------------------------------------------------
+Thu Aug 28 01:31:33 CEST 2008 - ro@suse.de
+
+- remove deprecated startvar from fillup_and_insserv call
+
+-------------------------------------------------------------------
+Tue Aug 26 12:01:12 CEST 2008 - pth@suse.de
+
+- Fix Required-Stop in init scripts.
+
+-------------------------------------------------------------------
+Wed Jul 23 11:06:13 CEST 2008 - prusnak@suse.cz
+
+- updated to 2.0.5
+ Feature improvements
+ * Permit SQL authorize_reply_query to be empty.
+ * Allow setting response packet type in Post-Proxy-Type Fail
+ handler.
+ * Added install-chown target to set correct permission and ownership
+ make RADMIN=radmin RGROUP=radius install-chown
+ * Support for LDAP-Group and other dynamic comparison attributes
+ in unlang. Developed from a patch by Jason Alderfer.
+ * Added chroot support. See radiusd.conf for comments.
+ * Allow clients of 0/0. We do not recommend using this, though.
+ * Moved many module configurations into raddb/modules/*
+
+ Bug fixes
+ * Allow proxying to virtual servers for accounting packets, too.
+ * Added "num fields" function to PostgreSQL client.
+ * Updated proxy fallback mechanism to validate fallback servers,
+ and to process fallback requests in a child thread.
+ * rlm_realm returns "ok" for LOCAL realms, not "noop".
+ * Fixed some DHCP code handling. The examples should now work.
+
+- updated to 2.0.4
+ Feature improvements
+ * Allow "virtual_server" in "realm" and "home_server" sections.
+ See raddb/proxy.conf and raddb/sites-available/virtual.example.com.
+ * Allow "passwd" module to be listed in "accounting" and "post-auth".
+ * Added "fallback" to "home_server_pool" configuration, to handle
+ the case of all home servers being dead. See raddb/proxy.conf. 
+ * Added sample text to raddb/sites-available/inner-tunnel which
+ can simplify debugging of inner tunnel configurations.
+ * Added regular expression matching in realm names. See
+ raddb/proxy.conf for examples.
+ * Added simple DHCP server functionality. For comments, see
+ raddb/sites-available/dhcp.
+ * Added file globbing capabilities to detail file reader
+ * Added sample raddb/sites-available/robust-proxy-accounting
+ * Clients in SQL can now refer to a virtual server.
+ Patch from Michael Bretterklieber.
+ * Added some examples of creating RADIUS administrator in SQL,
+ and assigning appropriate access rights.
+
+ Bug fixes
+ * Install all files in raddb/sites-available
+ * Allow non-threaded builds.
+ * Don't treat '0x' as special for known attributes that are not
+ of type "octets".
+ * Fix log error in rlm_pap.
+ * Remove documentation about non-existent functionality.
+ * Updated warning messages in debug output.
+ * Fix handling of timeouts in rlm_ldap that affected 64-bit systems.
+ This fix was supposed to go into 2.0.3, but did not make it.
+ * Fix event handling in debug mode for failed proxy requests.
+ * Fix memleak in fifos. Closes #537.
+ * Fix memleak on blocked threads. Closes #538.
+ * Perform additional checks on NULL realms. Closes #541.
+ * Fix handling of "clients" in "listen" section.
+ * When detail file cannot process a packet, sleep for longer
+ to let the rest of the server do something.
+ * Add missing table to raddb/sql/mssql/schema.sql. Closes #545.
+ * Updated rlm_sql_postgresql to build with PostgreSQL 7.x.
+ Closes #533.
+ * Fix "postauth" of rlm_ldap to look for LDAP-UserDn in the
+ correct place.
+ * Update rlm_attr_filter for some corner cases. Closes #543.
+ * Fixed memory leak in libfreeradius event handler.
+ * In the SQL Accounting on/off queries, remove the restriction
+ that the session time had to be zero. 
+
+- dropped obsoleted patches
+ * event-fifo-threads.patch (included in update)
+ * raddb.patch (no longer needed)
+
+- added logrotate to Recommends
+
+-------------------------------------------------------------------
+Tue May 13 18:25:19 CEST 2008 - prusnak@suse.cz
+
+- fix crashes in events, fifo and threads (event-fifo-threads.patch)
+
+-------------------------------------------------------------------
+Mon May 5 15:02:10 CEST 2008 - pth@suse.de
+
+- Fix coding errors that made the package fail to build.
+
+-------------------------------------------------------------------
+Wed Mar 19 17:23:48 CET 2008 - prusnak@suse.cz
+
+- updated to 2.0.3
+ Feature improvements
+ * Updated raddb/certs/ca.cnf with extensions to allow ca.der
+ to be imported as a CA on Symbian and Windows Mobile devices.
+ Closes bug #524
+ * Enable multiple matches in "hints" via Fall-Through = Yes.
+ Closes bug #477
+ * Added preliminary SQLite driver, contibuted by Apple.
+ Untested, with no sample configuration. This address bug #470.
+ * Updated logging sub-system so that log messages from libfreeradius
+ can go to the log file, and not stdout.
+ * Added dictionary.rfc5176
+ * EAP module now checks for instance name, and uses that for
+ authentication. This avoids the need to set Auth-Type when
+ there are multiple instances of the EAP module.
+ * Added Module-Return-Code attribute, which contains the value
+ returned by the previous module (ok/fail/update/etc.)
+ Bug fixes
+ * Corrected typos in rlm_dbm. Closes bugs #521 and #522.
+ * Detail file "listen" sections now work much better.
+ * Don't allow old "log_*" to over-ride new format. Closes bug #525
+ * Initialize allocated memory in Oracle SQL driver. This fixes
+ occasional crashes on some systems. Closes bug #518
+ * Call correct function in rlm_protocol_filter. This enables the
+ module to build. Closes bug #512.
+ * Added deprecated flag to build for rlm_krb5. This allows it to
+ run on 64-bit systems. 
Closes bug #491
+ * Corrected error message when parsing invalid configurations
+ so it doesn't crash. Closes bug #527
+ * Fix handling of timeouts in rlm_ldap that affected 64-bit systems.
+ * Handle $INCLUDE's in "instantiate" section. Closes #528.
+ * Format updates to "man" pages from Stephen Gran.
+
+- updated to 2.0.2
+ Feature improvements
+ * Added notes on how to debug the server in radiusd.conf
+ * Moved all "log_*" in radiusd.conf to log{} section.
+ The old configurations are still accepted, though.
+ * Added ca.der target in raddb/certs/Makefile. This is
+ needed for importing CA certs into Windows.
+ * Added ability send raw attributes via "Raw-Attribute = 0x0102..."
+ This is available only debug builds. It can be used
+ to create invalid packets! Use it with care.
+ * Permit "unlang" policies inside of Auth-Type{} sub-sections
+ of the authenticate{} section. This makes some policies easier
+ to implement.
+ * "listen" sections can now have "type = proxy". This lets you
+ control which IP is used for sending proxied requests.
+ * Added note on SSL performance to raddb/certs/README
+ Bug fixes
+ * Fixed reading of "detail" files.
+ * Allow inner EAP tunneled sessions to be proxied.
+ * Corrected MySQL schemas
+ * syslog now works in log{} section.
+ * Corrected typo in raddb/certs/client.cnf
+ * Updated raddb/sites-available/proxy-inner-tunnel to
+ permit authentication to work.
+ * Ignore zero-length attributes in received packets.
+ * Correct memcpy when dealing with unknown attributes.
+ * Corrected debugging messages in attr_rewrite.
+ * Corrected generation of State attribute in EAP. This
+ fixes the "failed to remember handler" issues.
+ * Fall back to DEFAULT realm if no realm was found.
+ Based on a patch from Vincent Magnin.
+ * Updated example raddb/sites-available/proxy-inner-tunnel
+ * Corrected behavior of attr_filter to match documentation.
+ This is NOT backwards compatible with previous versions! 
+ See "man rlm_attr_filter" for details.
+
+- dropped patches:
+ * conf_read.patch (included in update)
+ * strncat.patch (obsoleted by update)
+
+-------------------------------------------------------------------
+Tue Jan 29 14:33:35 CET 2008 - prusnak@suse.cz
+
+- replace obsoleted call to conf_read with cf_file_read (conf_read.patch)
+- split off -doc subpackage
+
+-------------------------------------------------------------------
+Thu Jan 24 16:39:37 CET 2008 - prusnak@suse.cz
+
+- fix strncat usage (strncat.patch)
+
+-------------------------------------------------------------------
+Tue Jan 22 16:23:12 CET 2008 - prusnak@suse.cz
+
+- updated to 2.0.1
+ * improve unlang
+ * update acct_module
+ * fix parsing of syslog logging
+ * minor fixes over 2.0.0
+
+-------------------------------------------------------------------
+Tue Jan 22 13:58:25 CET 2008 - prusnak@suse.cz
+
+- renamed to freeradius-server (to follow upstream change)
+- updated to 2.0.0:
+ o Feature improvements
+ * Debugging mode is much clearer and easier to read.
+ * A new policy language makes many configurations trivial.
+ See "man unlang" for a complete description.
+ * Virtual servers are now supported. This permits clear separation
+ of policies. See raddb/sites-available/README
+ * EAP-TLS (PEAP, EAP-TTLS) and OpenSSL certificates "just work".
+ See raddb/certs/README for details.
+ * Proxying is much more configurable than before.
+ See proxy.conf for documentation on pools, and new config items.
+ * Full support for IPv6.
+ * Much more complete support for the RADIUS SNMP MIBs.
+ * HUP now works. Only some modules are re-loaded,
+ and the server configuation is *not* reloaded.
+ * "check config" option now works. See "man radiusd"
+ * radrelay functionality is now included in the server core.
+ See raddb/sites-available/copy-acct-to-home-server
+ * VMPS support. It is minimal, but functional.
+ * Cleaned up internal API's and names, including library names.
+ o Bug fixes
+ * Many. 
+- removed obsolete patch:
+ * type_punning.patch
+
+-------------------------------------------------------------------
+Tue Dec 4 18:08:41 CET 2007 - prusnak@suse.cz
+
+- remove openldap2 from BuildRequires
+
+-------------------------------------------------------------------
+Tue Nov 6 13:16:58 CET 2007 - prusnak@suse.cz
+
+- updated to 1.1.7
+ Feature Improvements
+ * Updated LDAP documentation.
+ * Added note on DH parameters in eap.conf, and debugging messages
+ which complain if DH is used, but not configured properly.
+ * Updated the Mikrotik dictionary. Added a note that the sample
+ dictionary they supply is broken.
+ * Output more information on blocked threads, which should help
+ narrow down which modules is causing the problem.
+ * Added more eDirectory support.
+ * rlm_ldap now prints out attributes in the standard format
+ * Enabled server-side handling of procedures in MySQL
+ Bug Fixes
+ * Added NT-Hash support for mschap_xlat.
+ * Corrected documentation to point to correct location of files.
+ * Checks for more recent FreeBSD versions.
+ * uses -DLDAP_DEPRECATED to avoid OpenLDAP crashes.
+ * Use correct value for authentication name in rlm_mschap.
+ * Fix over-ride for usernames when use_tunneled_reply = yes.
+
+-------------------------------------------------------------------
+Fri Apr 20 15:10:28 CEST 2007 - pth@suse.de
+
+- Update to 1.1.6. Changes since 1.1.3:
+ Feature improvements
+ * Added dictionary.rfc4372 (Chargeable User Identity)
+ * Added dictionary.rfc4675 (VLAN and Priority)
+ * Added dictionary.rfc4679 (ADSL Forum)
+ NOTE some name differences from the RFC, due to dictionary.redback
+ * Updated rlm_python to something usable
+ * Added experimental sql "HPW" IPPools.
+ * Added more dictionaries
+ * Dictionary files now MUST NOT be globally writable.
+ * Configuration files now MUST NOT be globally readable,
+ or globally writable.
+ * Be more aggressive about freeing memory on clean exit.
+ This helps track down run-time leaks. 
+ * Updated rlm_python to something usable
+ * Added experimental sql "HPW" IPPools.
+ * Major enhancements to rlm_pap, that make "encryption_scheme"
+ a thing of the past. See "man rlm_pap" for details.
+ * Added SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag to use
+ work-arounds that enable Windows Vista clients to work.
+ * Added preliminary code to support Firebird.
+ Use at your own risk!
+ * Send MS-CHAP2-Success, which makes EAP-TTLS/MSCHAP work on more
+ platforms.
+ * Add a new "reply-name" directive in rlm_sqlcounter to define the
+ name of the reply attribute.
+ * Added more dictionaries and attributes
+ * Print ntlm_auth failure reason in Module-Failure-Message
+ * radsqlrelay is able to get the DB password from a file instead
+ of command line.
+
+ Bug fixes
+ * Corrected typo in rlm_pap.c
+ * Corrected typo in src/main/auth.c
+ * Suppress SSL error messages if error is zero.
+ * Don't complain about "Error in read client certificate A"
+ if we expect to read it in the next packet. Fix based on patch
+ by Dan Lukes.
+ * Corrected nearly 30 bugs found by Coverity
+ See also http://scan.coverity.com
+ * Don't die on HUP. Instead leak memory (sorry). After a few
+ hundred HUP's, the server will have leaked a few megabytes of
+ memory, and you should probably re-start it. It's ugly, but
+ better than dying.
+ * Corrected a few double free's
+ * Corrected typo in radrelay, which prevented it from working
+ * Made Firebird module build
+ * Fixed bug in PostgreSQL module that caused server crash.
+ * Fixed bug in SQL module that could cause server to crash.
+ * Corrected base64 decoding in rlm_pap
+ * Don't retransmit accounting packets. The NAS should do this.
+ * Handle Client-Error in EAP-SIM.
+ * Port OpenSSL locking fixes from CVS head. This makes PEAP
+ more stable on some systems.
+ * Require Message-Authenticator in Status-Server packets
+ * Correct Tunnel-Medium-Type VALUEs in dictionary.rfc2868
+ * Be more aggressibe about freeing memory on clean exit. 
+ This isn't strictly a bug fix, but it makes it easier to
+ find memory leaks
+ * Increase buffer size for dynamic expansion, which allows
+ longer SQL qeuries.
+ * Use correct line number when there's a parse error in one
+ of the configuration sections.
+ * Terminate SSL sessions in EAP on error, rather than continuing
+ in some cases.
+ * Increase buffer size to allow parsing of long octet strings
+ * Fix string termination on xlat in rlm_perl
+ * Fix a parse error in the digest module, where malformed
+ digest requests would result in the user being accepted. Oops...
+ * VALUEs can only be defined for 'integer', to catch mistakes
+ with setting VALUEs for type 'string'.
+ * Better parsing of VALUE names, so that values starting with
+ a digit work correctly.
+ * Check return from malloc.
+ * Fix a double free() in rlm_eap_tls.c
+ * Check return code of malloc() during initialization.
+ * Fix a corner case where the proxy port isn't set either in
+ radiusd.conf or in proxy.conf.
+
+-------------------------------------------------------------------
+Mon Mar 26 12:45:29 CEST 2007 - rguenther@suse.de
+
+- add gdbm-devel BuildRequires
+
+-------------------------------------------------------------------
+Sun Feb 11 18:33:47 CET 2007 - ro@suse.de
+
+- one oversight in last change, build tested
+
+-------------------------------------------------------------------
+Sun Feb 11 12:00:25 CET 2007 - ro@suse.de
+
+- fix build as non-root
+
+-------------------------------------------------------------------
+Mon Sep 4 11:18:59 CEST 2006 - kukuk@suse.de
+
+- Make sure that pam_nologin.so will always be executed. 
+
+-------------------------------------------------------------------
+Wed Aug 23 20:34:55 CEST 2006 - stark@suse.de
+
+- update to version 1.1.3
+ * autoconf updates
+ * More dictionary updates
+ * Security and portability fixes to rlm_otp
+ * Miscellaneous bug fixes
+
+-------------------------------------------------------------------
+Mon Jun 5 22:31:04 CEST 2006 - stark@suse.de
+
+- update to version 1.1.2
+ * Allow tagged VSA's for Juniper.
+ * Allow Ascend "abinary" format to be specified as octets,
+ (e.g. Ascend-Data-Filter = 0x010203...)
+ * Added "cipher_list" configuration to the EAP-TLS module.
+ See "eap.conf" and "man 1 cipher" for details.
+ * Added "check_cert_issuer" configuration to the EAP-TLS module.
+ See "eap.conf" for details.
+ * Added "suppress" configuration entry to rlm_detail,
+ to suppress certain attributes (e.g. User-Password).
+ * Write SSL errors to log file, rather than stderr.
+ * Allow a core dump on uid change on Linux
+ * Bugfixes
+
+-------------------------------------------------------------------
+Wed May 24 15:58:41 CEST 2006 - schwab@suse.de
+
+- Don't strip binaries. 
+
+-------------------------------------------------------------------
+Tue Mar 28 20:22:34 CEST 2006 - stark@suse.de
+
+- fixed an error on x86_64 machines when reading dictionaries
+ (#161503)
+- make "use_tunneled_reply" work properly for PEAP
+
+-------------------------------------------------------------------
+Mon Mar 27 14:32:09 CEST 2006 - ro@suse.de
+
+- also use fPIC on s390*
+
+-------------------------------------------------------------------
+Thu Mar 23 20:39:02 CET 2006 - stark@suse.de
+
+- fixed validation issue with the EAP-MSCHAPv2 module (#160249)
+
+-------------------------------------------------------------------
+Wed Jan 25 21:36:01 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Fri Jan 20 18:19:32 CET 2006 - stark@suse.de
+
+- fixed directory permissions (#141153)
+
+-------------------------------------------------------------------
+Thu Jan 19 01:23:36 CET 2006 - ro@suse.de
+
+- changed php requires to generic ones (for php5)
+
+-------------------------------------------------------------------
+Sat Jan 14 16:40:53 CET 2006 - stark@suse.de
+
+- use --with-udpfromto useful for systems with multiple addresses
+
+-------------------------------------------------------------------
+Thu Jan 12 22:48:30 CET 2006 - stark@suse.de
+
+- update to version 1.1.0
+
+-------------------------------------------------------------------
+Wed Jan 11 16:03:44 CET 2006 - stark@suse.de
+
+- adding stack-protector to CFLAGS
+- don't package *.la files for now (#141207)
+
+-------------------------------------------------------------------
+Wed Dec 21 10:14:01 CET 2005 - stark@suse.de
+
+- fixed realloc() in rlm_pam
+
+-------------------------------------------------------------------
+Tue Nov 15 21:49:18 CET 2005 - stark@suse.de
+
+- moved dialup_admin to subpackage and integrate it into
+ Apache 2 configuration
+ 
+------------------------------------------------------------------- +Mon Sep 26 01:35:29 CEST 2005 - ro@suse.de + +- added LDAP_DEPRECATED to CFLAGS + +------------------------------------------------------------------- +Fri Sep 23 06:09:08 CEST 2005 - stark@suse.de + +- update to version 1.0.5 +- updated eDirectory integration documentation + +------------------------------------------------------------------- +Fri Sep 23 01:38:53 CEST 2005 - ro@suse.de + +- fix build-dir references in .la files + +------------------------------------------------------------------- +Tue Aug 30 12:50:30 CEST 2005 - stark@suse.de + +- fixed some issues from security audit (#104195) + (is already upstream for 1.0.5 release) + +------------------------------------------------------------------- +Mon Aug 15 19:34:18 CEST 2005 - stark@suse.de + +- fix mysql creation script (#104752) + +------------------------------------------------------------------- +Sat Jun 18 19:37:56 CEST 2005 - stark@suse.de + +- update to version 1.0.4 + +------------------------------------------------------------------- +Sun Jun 5 00:36:51 CEST 2005 - stark@suse.de + +- update to version 1.0.3 +- link radiusd with -pie + +------------------------------------------------------------------- +Mon Apr 11 11:29:05 CEST 2005 - stark@suse.de + +- start daemon correctly (#75979) +- fixed packaging on x86-64 (#75979) + +------------------------------------------------------------------- +Wed Mar 2 07:19:27 CET 2005 - stark@suse.de + +- com_err.h patch not needed anymore +- modified spec-file to work with older distributions + +------------------------------------------------------------------- +Fri Feb 18 11:05:35 CET 2005 - stark@suse.de + +- enabled eDirectory support and added documentation + +------------------------------------------------------------------- +Thu Feb 17 08:34:12 CET 2005 - stark@suse.de + +- update to 1.0.2 + +------------------------------------------------------------------- +Sat Nov 27 
13:44:09 CET 2004 - stark@suse.de + +- fixed installation of radeapclient (#48549) + +------------------------------------------------------------------- +Sat Nov 20 12:57:22 CET 2004 - stark@suse.de + +- don't use heimdal for distributions newer than 9.2 + +------------------------------------------------------------------- +Mon Nov 15 14:53:25 CET 2004 - kukuk@suse.de + +- Use common-* PAM configuration + +------------------------------------------------------------------- +Sat Oct 23 20:53:51 CEST 2004 - stark@suse.de + +- update to version 1.0.1 +- moved *.la files to devel package + +------------------------------------------------------------------- +Sat Aug 28 13:33:35 CEST 2004 - stark@suse.de + +- modify logrotate config (#44436) + +------------------------------------------------------------------- +Tue Aug 17 23:55:38 CEST 2004 - sndirsch@suse.de + +- fixed syntax error (Typo?) in init script + +------------------------------------------------------------------- +Fri Aug 13 07:10:34 CEST 2004 - stark@suse.de + +- added some sample scripts to documentation + +------------------------------------------------------------------- +Tue Aug 10 09:35:03 CEST 2004 - stark@suse.de + +- update to 1.0.0 + +------------------------------------------------------------------- +Thu Jun 24 00:03:59 CEST 2004 - ro@suse.de + +- update to 1.0.0pre3 (version set as 0.9.9) + +------------------------------------------------------------------- +Thu Feb 5 13:36:54 CET 2004 - stark@suse.de + +- disabled rlm_sql_iodbc and enabled rlm_sql_unixodb + +------------------------------------------------------------------- +Fri Jan 16 13:38:13 CET 2004 - kukuk@suse.de + +- Add pam-devel to neededforbuild + +------------------------------------------------------------------- +Mon Jan 12 10:26:25 CET 2004 - adrian@suse.de + +- add %defattr + +------------------------------------------------------------------- +Fri Nov 28 06:56:46 CET 2003 - stark@suse.de + +- security update to 0.9.3 + * 
Fix a remote DoS and possible exploit due to mis-handling + of tagged attributes, and Tunnel-Password attribute. + +------------------------------------------------------------------- +Thu Oct 16 09:02:57 CEST 2003 - stark@suse.de + +- update to 0.9.2 + (see /usr/share/doc/packages/freeradius/ChangeLog) + +------------------------------------------------------------------- +Fri Aug 1 16:02:14 CEST 2003 - ro@suse.de + +- fix include path for com_err.h + +------------------------------------------------------------------- +Thu Jul 31 06:18:03 CEST 2003 - stark@suse.de + +- use stop/restart macros + +------------------------------------------------------------------- +Wed Jul 23 10:53:20 CEST 2003 - stark@suse.de + +- use special user for running radiusd +- modify default configuration to work without changes + (Auth-Type = Local) +- added README.SuSE explaining about radiusd user + +------------------------------------------------------------------- +Mon Jul 21 08:56:54 CEST 2003 - stark@suse.de + +- update to 0.9.0 +- build against libiodbc to enable iodbc module + +------------------------------------------------------------------- +Wed Jun 4 19:47:02 CEST 2003 - schwab@suse.de + +- Add db-devel to neededforbuild. +- Don't use system libtool. +- Fix use of sort. +- Avoid running autoconf. 
+
+-------------------------------------------------------------------
+Tue Apr 15 23:46:08 CEST 2003 - ro@suse.de
+
+- fixed neededforbuild
+
+-------------------------------------------------------------------
+Mon Mar 3 18:20:50 CET 2003 - kukuk@suse.de
+
+- removed %ghost stuff from filelist
+
+-------------------------------------------------------------------
+Fri Feb 7 13:31:05 CET 2003 - kukuk@suse.de
+
+- Use pam_unix2.so instead of pam_unix.so
+
+-------------------------------------------------------------------
+Wed Jan 15 15:53:21 CET 2003 - ro@suse.de
+
+- use sasl2
+
+-------------------------------------------------------------------
+Tue Jan 14 11:42:24 CET 2003 - nadvornik@suse.cz
+
+- fixed multi-line string literals
+
+-------------------------------------------------------------------
+Thu Dec 12 10:28:13 CET 2002 - stark@suse.de
+
+- update to 0.8.1
+ * minor bugfixes
+
+-------------------------------------------------------------------
+Mon Dec 2 07:20:10 CET 2002 - stark@suse.de
+
+- removed radwatch from package
+
+-------------------------------------------------------------------
+Tue Nov 19 08:33:36 CET 2002 - stark@suse.de
+
+- update to 0.8
+ * Support for Status-Server packets
+ * Fixed memory leak when proxying
+ * Round-robin load balancing when proxying
+ * Many bug fixes
+ * (/usr/share/doc/packages/ChangeLog)
+- moved modules to /usr/lib/freeradius
+
+-------------------------------------------------------------------
+Mon Aug 19 00:06:38 CEST 2002 - ro@suse.de
+
+- don't overwrite README's with each other
+
+-------------------------------------------------------------------
+Fri Aug 16 09:06:03 CEST 2002 - stark@suse.de
+
+- added PreReq (Bug #17838)
+
+-------------------------------------------------------------------
+Thu Jun 20 01:06:41 CEST 2002 - ro@suse.de
+
+- hack ltconfig for ppc64
+
+-------------------------------------------------------------------
+Mon Apr 8 11:11:56 CEST 2002 - stark@suse.de
+
+- fixed packaging on 64bit platforms
+- added logrotate config
+- added some sample scripts to doc-dir
+
+-------------------------------------------------------------------
+Fri Mar 22 15:01:10 CET 2002 - stark@suse.de
+
+- update to 0.5
+ * MS-CHAP and MS-CHAPv2 MPPE support,
+ * EAP/MD5 and experimental EAP/TLS,
+ * Experimental PHP web administration interface,
+ * Fixes for *BSD,
+ * Configurable database queries, executed per packet
+ (e.g. %{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}),
+ * Fix logic bug which would cause occasional server crashes,
+ * Server-side quenching of DoS attacks,
+ * Experimental Python module,
+ * Aptis, Quintum, and Foundry dictionaries,
+ * Limited support for IPv6.
+
+-------------------------------------------------------------------
+Mon Feb 25 16:19:26 CET 2002 - stark@suse.de
+
+- moved *.la back to main-package as it is needed for
+ dynamic loading of modules
+
+-------------------------------------------------------------------
+Mon Feb 25 07:44:11 CET 2002 - stark@suse.de
+
+- added patch to work with heimdal-krb5
+- moved *.so to -devel package
+
+-------------------------------------------------------------------
+Fri Feb 8 14:24:51 CET 2002 - stark@suse.de
+
+- deactivated kerberos support
+ (seems to be not compatible with heimdal :-()
+
+-------------------------------------------------------------------
+Thu Feb 7 13:27:47 CET 2002 - stark@suse.de
+
+- changed heimdal libdir
+
+-------------------------------------------------------------------
+Thu Dec 13 07:33:45 CET 2001 - stark@suse.de
+
+- update to 0.4
+- better use of fillup_and_insserv
+
+-------------------------------------------------------------------
+Mon Dec 3 11:42:15 CET 2001 - stark@suse.de
+
+- don't use START_RADIUSD anymore
+- make use of new fillup_and_insserv macro
+
+-------------------------------------------------------------------
+Fri Oct 12 07:03:07 CEST 2001 - stark@suse.de
+
+- update to version 0.3
+- packed source-archive as bz2
+- branched package -> devel
+
+-------------------------------------------------------------------
+Fri Aug 3 07:53:54 CEST 2001 - stark@suse.de
+
+- removed use of watcher-script
+- removed config-check (-C) in init script
+ (it's not supported in freeradius)
+
+-------------------------------------------------------------------
+Thu Aug 2 12:22:00 CEST 2001 - stark@suse.de
+
+- status fix in init script
+- renamed pam-configfile: radius -> radiusd
+
+-------------------------------------------------------------------
+Wed Aug 1 09:57:53 CEST 2001 - stark@suse.de
+
+- updated to 0.2
+
+-------------------------------------------------------------------
+Thu Jul 26 10:06:01 CEST 2001 - kukuk@suse.de
+
+- Fix needed for build
+
+-------------------------------------------------------------------
+Tue Jul 10 15:05:52 CEST 2001 - stark@suse.de
+
+- added %{suse_update_config}
+
+-------------------------------------------------------------------
+Sat Jun 23 20:52:07 CEST 2001 - schwab@suse.de
+
+- Fix preprocessor directives inside macro arguments.
+
+-------------------------------------------------------------------
+Mon Jun 18 07:58:08 CEST 2001 - stark@suse.de
+
+- removed absolute paths from pam-config
+
+-------------------------------------------------------------------
+Wed May 23 13:32:20 CEST 2001 - stark@suse.de
+
+- first official beta-version 0.1
+
+-------------------------------------------------------------------
+Wed Mar 21 13:11:34 CET 2001 - stark@suse.de
+
+- new snapshot 20010321 (pre-BETA)
+- replaced start- and killproc to avoid problems with Kernel 2.4
+ using the radwatch shell-script
+- added built of LDAP and MySQL modules
+
+-------------------------------------------------------------------
+Mon Jan 29 09:58:23 CET 2001 - stark@suse.de
+
+- %files: /etc/raddb/bay.vendor -> /etc/raddb/dictionary.bay
+
+-------------------------------------------------------------------
+Mon Jan 15 10:52:42 CET 2001 - stark@suse.de
+
+- new snapshot 20010115
+- initial BETA package (sources are ALPHA!)
+
+-------------------------------------------------------------------
+Thu Jan 4 13:32:26 CET 2001 - stark@suse.de
+
+- CVS snapshot 20010104
+
diff --git a/freeradius-server.spec b/freeradius-server.spec
new file mode 100644
index 0000000..d1c91c1
--- /dev/null
+++ b/freeradius-server.spec
@@ -0,0 +1,842 @@
+#
+# spec file for package freeradius-server
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define unitname radiusd
+Name: freeradius-server
+Version: 3.2.3
+Release: 0
+
+# Disable FreeTDS on SLE12. We never shipped it enabled with FreeTDS.
+%if 0%{?suse_version} > 1330 || 0%{?is_opensuse}
+%bcond_without freetds
+%bcond_without memcached
+%else
+%bcond_with freetds
+%bcond_with memcached
+%endif
+
+Summary: RADIUS Server
+License: GPL-2.0-only AND LGPL-2.1-only
+Group: Productivity/Networking/Radius/Servers
+URL: http://www.freeradius.org/
+Source: ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-%{version}.tar.bz2
+Source99: ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-%{version}.tar.bz2.sig
+# keyring downloaded via link @ ftp://ftp.freeradius.org/pub/freeradius/README
+Source100: freeradius.keyring
+Source1: radiusd.service
+Source2: freeradius-tmpfiles.conf
+Patch0: freeradius-server-fix-perl-shbang.patch
+Patch1: freeradius-server-tmpfiles.patch
+Patch3: freeradius-server-rcradiusd.patch
+Patch5: freeradius-server-rlm_sql_unixodbc-configure.patch
+Patch6: freeradius-server-radclient-init-error-buffer.patch
+Patch7: freeradius-server-opensslversion.patch
+Patch8: freeradius-server-enable-python3.patch
+BuildRequires: apache2-devel
+BuildRequires: cyrus-sasl-devel
+BuildRequires: db-devel
+%if %{with freetds}
+BuildRequires: freetds-devel
+%endif
+BuildRequires: gcc-c++
+BuildRequires: gdbm-devel
+BuildRequires: gettext-devel
+BuildRequires: glibc-devel
+BuildRequires: krb5-devel
+BuildRequires: libcom_err-devel
+BuildRequires: libcurl-devel
+BuildRequires: libidn-devel
+BuildRequires: libjson-devel
+%if %{with memcached}
+BuildRequires: libmemcached-devel
+%endif
+BuildRequires: libmysqlclient-devel
+BuildRequires: libpcap-devel
+BuildRequires: libtalloc-devel
+BuildRequires: libtool
+BuildRequires: ncurses-devel
+BuildRequires: net-snmp-devel
+BuildRequires: openldap2-devel
+BuildRequires: openssl-devel > 1.0
+BuildRequires: pam-devel
+BuildRequires: perl
+BuildRequires: postgresql-devel
+BuildRequires: python3-devel
+BuildRequires: sqlite3
+BuildRequires: sqlite3-devel
+BuildRequires: unixODBC-devel
+BuildRequires: pkgconfig(apr-1)
+Requires: %{name}-libs = %{version}
+Requires: coreutils
+Requires: pwdutils
+Requires(pre): openssl
+Requires(pre): perl
+Recommends: logrotate
+Provides: freeradius = %{version}
+Provides: radiusd
+Obsoletes: freeradius < %{version}
+%{?libperl_requires}
+Conflicts: icradius
+Conflicts: radiusd-cistron
+Conflicts: radiusd-livingston
+BuildRequires: libunbound-devel
+BuildRequires: pkgconfig(systemd)
+%{?systemd_requires}
+
+#bsc#1055679 - freeradius-server does not provide winbind/AD auth
+BuildRequires: pkgconfig(wbclient)
+
+%description
+Remote Authentication Dial-In User Service (RADIUS) is a networking
+protocol that provides centralized Authentication, Authorization, and
+Accounting (AAA or Triple A) management for users who connect and
+use a network service.
+
+FreeRADIUS is a modular RADIUS implementation.
+
+%package libs
+Summary: FreeRADIUS shared library
+Group: System/Libraries
+
+%description libs
+The FreeRADIUS shared libraries.
+
+%package utils
+Summary: FreeRADIUS Clients
+Group: Productivity/Networking/Radius/Clients
+Requires: %{name}-libs = %{version}
+
+%description utils
+Collection of FreeRADIUS utilities.
+
+%package devel
+Summary: FreeRADIUS Development Files
+Group: Development/Libraries/C and C++
+Requires: %{name}-libs = %{version}
+
+%description devel
+FreeRADIUS header files for development.
+
+%package doc
+Summary: FreeRADIUS Documentation
+Group: Documentation/HTML
+
+%description doc
+FreeRADIUS documentation.
+
+%package ldap
+Summary: LDAP support for freeradius
+Group: System/Daemons
+Requires: %{name} = %{version}
+
+%description ldap
+FreeRADIUS plugin providing LDAP support.
+
+%package ldap-schemas
+Summary: FreeRADIUS support for OpenLDAP
+Group: System/Daemons
+Requires: openldap2
+
+%description ldap-schemas
+FreeRADIUS schemas for OpenLDAP.
+
+%package krb5
+Summary: Kerberos 5 support for freeradius
+Group: System/Daemons
+Requires: %{name} = %{version}
+
+%description krb5
+FreeRADIUS plugin providing Kerberos 5 authentication support.
+
+%package perl
+Summary: Perl support for freeradius
+Group: System/Daemons
+Requires: %{name} = %{version}
+Requires: perl
+
+%description perl
+FreeRADIUS plugin providing Perl support.
+
+%package python3
+Summary: Python3 support for freeradius
+Group: System/Daemons
+Requires: %{name} = %{version}
+
+%description python3
+FreeRADIUS plugin providing Python3 support.
+
+%package mysql
+Summary: MySQL support for freeradius
+Group: System/Daemons
+Requires: %{name} = %{version}
+
+%description mysql
+FreeRADIUS plugin providing MySQL support.
+
+%package postgresql
+Summary: Postgresql support for freeradius
+Group: System/Daemons
+Requires: %{name} = %{version}
+
+%description postgresql
+FreeRADIUS plugin providing PostgreSQL support.
+
+%package sqlite
+Summary: SQLite support for freeradius
+Group: System/Daemons
+Requires: %{name} = %{version}
+
+%description sqlite
+FreeRADIUS plugin providing SQLite support.
+
+%prep
+%autosetup -p1
+
+%build
+autoreconf -fi
+export CFLAGS="%{optflags} -DLDAP_DEPRECATED -fstack-protector -fPIC -DPIC"
+%if 0%{?suse_version} > 1550
+export LDFLAGS="-pie $(python3-config --embed --libs)"
+%else
+export LDFLAGS="-pie"
+%endif
+
+%configure \
+ --disable-static \
+ --libdir=%{_libdir}/freeradius \
+ --with-unixodbc-dir=%{_prefix} \
+ --disable-ltdl-install \
+ --enable-strict-dependencies \
+ --with-edir \
+ --with-gnu-ld \
+ --with-system-libtool \
+ --with-system-libltdl \
+ --with-udpfromto \
+ --without-rlm_eap_ikev2 \
+ --without-rlm_eap_tnc \
+ --with-rlm-krb5-lib-dir=%{_libdir} \
+ --without-rlm_opendirectory \
+ --without-rlm_sql_db2 \
+ --without-rlm_sql_firebird \
+ --without-rlm_sql_iodbc \
+ --without-rlm_redis \
+ --without-rlm_rediswho \
+ --without-rlm_cache_redis \
+ --without-rlm_sql_oracle \
+ --without-rlm_securid \
+ --without-rlm_python \
+ --with-rlm-python3-include-dir=%{_includedir}/python%{python3_version}%{py3_abiflags} \
+%if ! %{with memcached}
+ --without-rlm_cache_memcached \
+%endif
+%if ! %{with freetds}
+ --without-rlm_sql_freetds \
+%endif
+ --disable-silent-rules \
+ --disable-openssl-version-check
+make %{?_smp_mflags}
+
+%install
+mkdir -p %{buildroot}%{_localstatedir}/lib/radiusd
+make install R=%{buildroot} INSTALLSTRIP=
+# Install ldap schema
+install -d %{buildroot}%{_sysconfdir}/openldap/schema
+install -m 0644 -t %{buildroot}%{_sysconfdir}/openldap/schema doc/schemas/ldap/openldap/*.{ldif,schema}
+# modify default configuration
+RADDB=%{buildroot}%{_sysconfdir}/raddb
+perl -i -pe 's/^#user =.*$/user = radiusd/' $RADDB/radiusd.conf
+perl -i -pe 's/^#group =.*$/group = radiusd/' $RADDB/radiusd.conf
+/sbin/ldconfig -n %{buildroot}%{_libdir}/freeradius
+# logs
+touch %{buildroot}%{_localstatedir}/log/radius/radutmp
+touch %{buildroot}%{_localstatedir}/log/radius/radius.log
+# SUSE
+%if 0%{?suse_version} > 1500
+install -d %{buildroot}%{_pam_vendordir}
+install -m 644 suse/radiusd-pam %{buildroot}%{_pam_vendordir}/radiusd
+%else
+install -d %{buildroot}%{_sysconfdir}/pam.d
+install -m 644 suse/radiusd-pam %{buildroot}%{_sysconfdir}/pam.d/radiusd
+%endif
+install -d %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 644 suse/radiusd-logrotate %{buildroot}%{_sysconfdir}/logrotate.d/radiusd
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{unitname}.conf
+install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{unitname}.service
+# name the rc script according to the systemd unit
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcradiusd
+cp -al %{buildroot}%{_sbindir}/radiusd %{buildroot}%{_sbindir}/radrelay
+install -D -d -m 0710 %{buildroot}%{_rundir}/radiusd
+mv -v doc/README doc/README.doc
+# remove unneeded stuff
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.crl
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.crt
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.csr
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.der
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.key
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.pem
+rm %{buildroot}%{_sysconfdir}/raddb/certs/*.p12
+rm %{buildroot}%{_sysconfdir}/raddb/certs/index.*
+rm %{buildroot}%{_sysconfdir}/raddb/certs/serial*
+rm %{buildroot}%{_sysconfdir}/raddb/certs/dh
+rm doc/source/.gitignore
+rm %{buildroot}%{_sbindir}/rc.radiusd
+rm -r %{buildroot}%{_datadir}/doc/freeradius*
+rm -r %{buildroot}%{_libdir}/freeradius/*.*a
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/dhcp/mssql
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/main/mssql
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool/mssql
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/mssql
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/dhcp/oracle
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/main/oracle
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool/oracle
+rm -r %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/oracle
+rm %{buildroot}%{_sysconfdir}/raddb/mods-available/python
+rm %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries.conf
+rm %{buildroot}%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf
+rm %{buildroot}%{_sysconfdir}/raddb/sites-available/coa-relay
+
+%pre
+getent group radiusd >/dev/null || %{_sbindir}/groupadd -r radiusd
+getent passwd radiusd >/dev/null || %{_sbindir}/useradd -r -g radiusd \
+ -s /bin/false -c "Radius daemon" -d %{_localstatedir}/lib/radiusd \
+ radiusd
+
+# boo#912714: add radiusd to winbind group for ntlm_auth
+# add winbind group and fail silently if it already exists
+%{_bindir}/getent group winbind >/dev/null \
+ || %{_sbindir}/groupadd -r winbind
+# add radiusd to winbind group
+%{_bindir}/gpasswd -a radiusd winbind
+
+%service_add_pre %{unitname}.service
+%if 0%{?suse_version} > 1500
+# Prepare for migration to /usr/lib; save any old .rpmsave
+for i in pam.d/radiusd ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+%endif
+
+%post
+%service_add_post %{unitname}.service
+systemd-tmpfiles --create %{_tmpfilesdir}/%{unitname}.conf
+
+%preun
+%service_del_preun %{unitname}.service
+
+%postun
+%service_del_postun %{unitname}.service
+
+%if 0%{?suse_version} > 1500
+%posttrans
+# Migration to /usr/lib, restore just created .rpmsave
+for i in pam.d/radiusd ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+%endif
+
+%files doc
+%defattr(-,root,root)
+%doc doc/*
+%license LICENSE COPYRIGHT
+
+%files
+%defattr(-,root,root)
+# doc
+%doc CREDITS doc/ChangeLog
+%license LICENSE COPYRIGHT
+# SUSE
+%if 0%{?suse_version} > 1500
+%{_pam_vendordir}/radiusd
+%else
+%config %{_sysconfdir}/pam.d/radiusd
+%endif
+%config %{_sysconfdir}/logrotate.d/radiusd
+%{_sbindir}/rcradiusd
+%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
+# configs
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/trigger.conf
+%defattr(-,root,radiusd)
+%{_sysconfdir}/raddb/README.rst
+%config(noreplace) %{_sysconfdir}/raddb/dictionary
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/clients.conf
+%config(noreplace) %{_sysconfdir}/raddb/hints
+%config(noreplace) %{_sysconfdir}/raddb/huntgroups
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/proxy.conf
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/radiusd.conf
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/experimental.conf
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/certs
+%{_sysconfdir}/raddb/certs/Makefile
+%{_sysconfdir}/raddb/certs/passwords.mk
+%{_sysconfdir}/raddb/certs/README.md
+%{_sysconfdir}/raddb/certs/xpextensions
+%{_sysconfdir}/raddb/panic.gdb
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/certs/*.cnf
+%attr(750,root,radiusd) %{_sysconfdir}/raddb/certs/bootstrap
+%{_tmpfilesdir}/%{unitname}.conf
+%{_unitdir}/%{unitname}.service
+
+# mods-config
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config
+%{_sysconfdir}/raddb/mods-config/README.rst
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/attr_filter
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/attr_filter/*
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/files
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/files/*
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/preprocess
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/moonshot-targeted-ids/*
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/realm
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/realm/freeradius-naptr-to-home-server.sh
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/moonshot-targeted-ids
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/preprocess/*
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/mysql
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool/postgresql
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/postgresql/procedure.sql
+
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/counter
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/cui
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/dhcp
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/main
+#%%attr(640,root,radiusd) %%{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/oracle/queries.conf
+#%%attr(640,root,radiusd) %%{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/oracle/schema.sql
+%attr(640,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql
+
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/unbound
+%attr(640,root,radiusd) %{_sysconfdir}/raddb/mods-config/unbound/default.conf
+
+# sites-available
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/sites-available
+%{_sysconfdir}/raddb/sites-available/README
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/aws-nlb
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/control-socket
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/decoupled-accounting
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/robust-proxy-accounting
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/soh
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/coa
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/example
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/inner-tunnel
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/dhcp
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/check-eap-tls
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/status
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/dhcp.relay
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/virtual.example.com
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/originate-coa
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/vmps
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/default
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/proxy-inner-tunnel
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/dynamic-clients
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/copy-acct-to-home-server
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/buffered-sql
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/tls
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/abfab-tls
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/abfab-tr-idp
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/channel_bindings
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/challenge
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/resource-check
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/totp
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/google-ldap-auth
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/sites-available/tls-cache
+
+# sites-enabled
+# symlink: %%{_sysconfdir}/raddb/sites-enabled/xxx -> ../sites-available/xxx
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/sites-enabled
+%config(missingok) %{_sysconfdir}/raddb/sites-enabled/inner-tunnel
+%config(missingok) %{_sysconfdir}/raddb/sites-enabled/default
+
+# mods-available
+%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-available
+%{_sysconfdir}/raddb/mods-available/README.rst
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/always
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/attr_filter
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/cache
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/cache_auth
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/chap
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/counter
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/cui
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/date
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/detail
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/detail.example.com
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/detail.log
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/dhcp
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/dhcp_files
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/dhcp_passwd
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/dhcp_sql
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/dhcp_sqlippool
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/digest
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/dynamic_clients
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/eap
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/echo
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available%{_sysconfdir}_group
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/exec
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/expiration
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/expr
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/files
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/idn
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/inner-eap
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/ippool
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/json
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/ldap_google
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/linelog
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/logintime
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/mac2ip
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/mac2vlan
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/moonshot-targeted-ids
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/mschap
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/ntlm_auth
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/opendirectory
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/pam
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/pap
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/passwd
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/preprocess
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/python3
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/radutmp
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/realm
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/redis
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/rediswho
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/replicate
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/rest +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/smbpasswd +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/smsotp +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/soh +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/sometimes +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/sql_map +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/sqlcounter +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/sqlippool +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/sradutmp +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/totp +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/unix +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/utf8 +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/wimax +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/yubikey +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/unbound +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/unpack +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/abfab_psk_sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/couchbase + +# mods-enabled +# symlink: %%{_sysconfdir}/raddb/mods-enabled/xxx -> ../mods-available/xxx +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-enabled +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/always +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/attr_filter +%config(missingok) 
%{_sysconfdir}/raddb/mods-enabled/chap +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/date +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/detail +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/detail.log +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/digest +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/dynamic_clients +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/eap +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/echo +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/exec +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/expiration +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/expr +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/files +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/linelog +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/logintime +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/mschap +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/ntlm_auth +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/pap +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/passwd +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/preprocess +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/radutmp +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/realm +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/replicate +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/soh +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/sradutmp +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/totp +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/unix +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/utf8 +%config(missingok) %{_sysconfdir}/raddb/mods-enabled/unpack + +# policy +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/policy.d +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/accounting +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/canonicalization +%attr(640,root,radiusd) %config(noreplace) 
%{_sysconfdir}/raddb/policy.d/control +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/cui +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/dhcp +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/eap +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/filter +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/moonshot-targeted-ids +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/operator-name +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/abfab-tr +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/debug +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/policy.d/rfc7542 + +%config(noreplace) %{_sysconfdir}/raddb/users +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/templates.conf +%attr(710,radiusd,radiusd) %dir %ghost %{_rundir}/radiusd +# binaries +%defattr(-,root,root) +%{_sbindir}/checkrad +%{_sbindir}/radiusd +%{_sbindir}/radmin +%{_sbindir}/radrelay +%{_sbindir}/raddebug +# man-pages +%{_mandir}/man5/* +%{_mandir}/man8/* +# dictionaries +%attr(755,root,root) %dir %{_datadir}/freeradius +%{_datadir}/freeradius/* +# logs +%attr(700,radiusd,radiusd) %dir %{_localstatedir}/log/radius/ +%attr(700,radiusd,radiusd) %dir %{_localstatedir}/log/radius/radacct/ +%attr(644,radiusd,radiusd) %{_localstatedir}/log/radius/radutmp +%config(noreplace) %attr(600,radiusd,radiusd) %{_localstatedir}/log/radius/radius.log + +# loadable modules +%dir %attr(755,root,root) %{_libdir}/freeradius +%{_libdir}/freeradius/proto_dhcp.so +%{_libdir}/freeradius/proto_vmps.so +%{_libdir}/freeradius/rlm_always.so +%{_libdir}/freeradius/rlm_attr_filter.so +%{_libdir}/freeradius/rlm_cache.so +%{_libdir}/freeradius/rlm_chap.so +%{_libdir}/freeradius/rlm_counter.so +%{_libdir}/freeradius/rlm_date.so +%{_libdir}/freeradius/rlm_detail.so +%{_libdir}/freeradius/rlm_dhcp.so 
+%{_libdir}/freeradius/rlm_digest.so +%{_libdir}/freeradius/rlm_dynamic_clients.so +%{_libdir}/freeradius/rlm_eap.so +%{_libdir}/freeradius/rlm_eap_fast.so +%{_libdir}/freeradius/rlm_eap_gtc.so +%{_libdir}/freeradius/rlm_eap_md5.so +%{_libdir}/freeradius/rlm_eap_mschapv2.so +%{_libdir}/freeradius/rlm_eap_peap.so +%{_libdir}/freeradius/rlm_eap_pwd.so +%{_libdir}/freeradius/rlm_eap_sim.so +%{_libdir}/freeradius/rlm_eap_tls.so +%{_libdir}/freeradius/rlm_eap_ttls.so +%{_libdir}/freeradius/rlm_exec.so +%{_libdir}/freeradius/rlm_expiration.so +%{_libdir}/freeradius/rlm_expr.so +%{_libdir}/freeradius/rlm_files.so +%{_libdir}/freeradius/rlm_ippool.so +%{_libdir}/freeradius/rlm_json.so +%{_libdir}/freeradius/rlm_linelog.so +%{_libdir}/freeradius/rlm_logintime.so +%{_libdir}/freeradius/rlm_mschap.so +%{_libdir}/freeradius/rlm_pam.so +%{_libdir}/freeradius/rlm_pap.so +%{_libdir}/freeradius/rlm_passwd.so +%{_libdir}/freeradius/rlm_preprocess.so +%{_libdir}/freeradius/rlm_radutmp.so +%{_libdir}/freeradius/rlm_realm.so +%{_libdir}/freeradius/rlm_replicate.so +%{_libdir}/freeradius/rlm_rest.so +%{_libdir}/freeradius/rlm_soh.so +%{_libdir}/freeradius/rlm_sometimes.so +%{_libdir}/freeradius/rlm_sql.so +%{_libdir}/freeradius/rlm_sql_map.so +%{_libdir}/freeradius/rlm_sqlcounter.so +%{_libdir}/freeradius/rlm_sqlippool.so +%if %{with freetds} +%{_libdir}/freeradius/rlm_sql_freetds.so +%endif +%{_libdir}/freeradius/rlm_sql_null.so +%{_libdir}/freeradius/rlm_test.so +%{_libdir}/freeradius/rlm_totp.so +%{_libdir}/freeradius/rlm_unbound.so +%{_libdir}/freeradius/rlm_unix.so +%{_libdir}/freeradius/rlm_utf8.so +%{_libdir}/freeradius/rlm_wimax.so +%{_libdir}/freeradius/rlm_yubikey.so +%{_libdir}/freeradius/rlm_sql_unixodbc.so +%{_libdir}/freeradius/rlm_unpack.so +%if %{with memcached} +%{_libdir}/freeradius/rlm_cache_memcached.so +%endif +%{_libdir}/freeradius/rlm_cache_rbtree.so + +%files utils +%defattr(-,root,root) +%{_mandir}/man1/* +%{_bindir}/* + +%files libs +%defattr(-,root,root) 
+%license LICENSE COPYRIGHT +# RADIUS shared libs +%attr(755,root,root) %dir %{_libdir}/freeradius +%attr(755,root,root) %{_libdir}/freeradius/lib*.so* + +%files devel +%defattr(-,root,root) +%dir %attr(755,root,root) %{_includedir}/freeradius +%attr(644,root,root) %{_includedir}/freeradius/*.h + +%files krb5 +%defattr(-,root,root) +%{_libdir}/freeradius/rlm_krb5.so +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/krb5 + +%files perl +%defattr(-,root,root) +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/perl + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/perl +%{_sysconfdir}/raddb/mods-config/perl/example.pl + +%{_libdir}/freeradius/rlm_perl.so + +%files python3 +%defattr(-,root,root) +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python3 +%attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python3/example.py +%attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/python3/radiusd.py +%{_libdir}/freeradius/rlm_python3.so + +%files mysql +%defattr(-,root,root) +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/counter/mysql +%attr(640,root,radiusd) %config(noreplace)%{_sysconfdir}/raddb/mods-config/sql/counter/mysql/dailycounter.conf +%attr(640,root,radiusd) %config(noreplace)%{_sysconfdir}/raddb/mods-config/sql/counter/mysql/weeklycounter.conf +%attr(640,root,radiusd) %config(noreplace)%{_sysconfdir}/raddb/mods-config/sql/counter/mysql/expire_on_login.conf +%attr(640,root,radiusd) %config(noreplace)%{_sysconfdir}/raddb/mods-config/sql/counter/mysql/monthlycounter.conf +%attr(640,root,radiusd) %config(noreplace)%{_sysconfdir}/raddb/mods-config/sql/counter/mysql/noresetcounter.conf + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/cui/mysql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/cui/mysql/queries.conf +%attr(640,root,radiusd) %config(noreplace) 
%{_sysconfdir}/raddb/mods-config/sql/cui/mysql/schema.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/dhcp/mysql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/dhcp/mysql/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/dhcp/mysql/schema.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/dhcp/mysql/setup.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool/mysql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/mysql/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/mysql/schema.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/mysql/procedure.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/mysql/procedure-no-skip-locked.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/mysql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/mysql/procedure.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/mysql/procedure-no-skip-locked.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/main/mysql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/mysql/process-radacct.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/mysql/setup.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/mysql/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/mysql/schema.sql + +%dir %attr(750,root,radiusd) 
%{_sysconfdir}/raddb/mods-config/sql/main/mysql/extras +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/main/mysql/extras/wimax +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/main/ndb +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/ndb/setup.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/ndb/schema.sql +%{_sysconfdir}/raddb/mods-config/sql/main/ndb/README + +%{_libdir}/freeradius/rlm_sql_mysql.so + +%files postgresql +%defattr(-,root,root) +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/counter/postgresql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/counter/postgresql/dailycounter.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/counter/postgresql/weeklycounter.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/cui/postgresql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/cui/postgresql/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/cui/postgresql/schema.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/dhcp/postgresql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/dhcp/postgresql/queries.conf 
+%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/dhcp/postgresql/schema.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/dhcp/postgresql/setup.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool/postgresql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/postgresql/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/postgresql/schema.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/postgresql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/postgresql/procedure.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/postgresql/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/postgresql/schema.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/main/postgresql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/postgresql/process-radacct.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/postgresql/setup.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/postgresql/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/postgresql/schema.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/main/postgresql/extras +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/postgresql/extras/cisco_h323_db_schema.sql + +%{_libdir}/freeradius/rlm_sql_postgresql.so + +%files sqlite +%defattr(-,root,root) +%dir %attr(750,root,radiusd) 
%{_sysconfdir}/raddb/mods-config/sql/cui/sqlite +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/cui/sqlite/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/cui/sqlite/schema.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/counter/sqlite +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/counter/sqlite/dailycounter.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/dhcp/sqlite +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/dhcp/sqlite/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/dhcp/sqlite/schema.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool/sqlite +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/sqlite/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool/sqlite/schema.sql + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/sqlite +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/ippool-dhcp/sqlite/queries.conf + +%dir %attr(750,root,radiusd) %{_sysconfdir}/raddb/mods-config/sql/main/sqlite +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/sqlite/process-radacct-close-after-reload.pl +%attr(640,root,radiusd) %config(noreplace) 
%{_sysconfdir}/raddb/mods-config/sql/main/sqlite/process-radacct-new-data-usage-period.sh +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/sqlite/process-radacct-schema.sql +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/sqlite/queries.conf +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-config/sql/main/sqlite/schema.sql + +%{_libdir}/freeradius/rlm_sql_sqlite.so + +%files ldap +%defattr(-,root,root) +%{_libdir}/freeradius/rlm_ldap.so +%attr(640,root,radiusd) %config(noreplace) %{_sysconfdir}/raddb/mods-available/ldap + +%files ldap-schemas +%defattr(-,root,root) +%dir %{_sysconfdir}/openldap +%dir %{_sysconfdir}/openldap/schema +%config %{_sysconfdir}/openldap/schema/freeradius*.schema +%config %{_sysconfdir}/openldap/schema/freeradius*.ldif + +%changelog diff --git a/freeradius-tmpfiles.conf b/freeradius-tmpfiles.conf new file mode 100644 index 0000000..ae94f41 --- /dev/null +++ b/freeradius-tmpfiles.conf @@ -0,0 +1 @@ +D /run/radiusd 0710 radiusd radiusd - diff --git a/freeradius.keyring b/freeradius.keyring new file mode 100644 index 0000000..627ca9f Binary files /dev/null and b/freeradius.keyring differ diff --git a/radiusd.service b/radiusd.service new file mode 100644 index 0000000..4073ae8 --- /dev/null +++ b/radiusd.service @@ -0,0 +1,15 @@ +[Unit] +Description=FreeRADIUS high performance RADIUS server. +After=syslog.target network.target + +[Service] +Type=forking +PIDFile=/run/radiusd/radiusd.pid +ExecStartPre=-/bin/chown -R radiusd:radiusd /run/radiusd /var/log/radius +ExecStartPre=/usr/sbin/radiusd -C +ExecStart=/usr/sbin/radiusd -d /etc/raddb +ExecReload=/usr/sbin/radiusd -C +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target
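Review bot: The `ExecStartPre=-/bin/chown -R radiusd:radiusd /run/radiusd /var/log/radius` line in radiusd.service runs a recursive chown as root over two trees the unprivileged `radiusd` account can already write to: the spec packages `/var/log/radius` as 700 radiusd:radiusd and the tmpfiles entry creates `/run/radiusd` as 0710 radiusd:radiusd. A root-run recursive ownership change over a service-writable directory is a recurring local privilege-escalation pattern, since the service account decides which entries the chown visits. Because tmpfiles.d and the `%attr` entries already establish ownership, I would drop this line; if some step is known to leave root-owned files behind, fix it there, or at least limit the command to the two directories with `ExecStartPre=-/bin/chown -h radiusd:radiusd /run/radiusd /var/log/radius`. The unit also sets no sandboxing options; `NoNewPrivileges=yes` and `ProtectSystem=full` look worth evaluating, though whether the loaded radiusd modules tolerate them cannot be judged from this page.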