Bug 124439

Summary: [UPDATE] net/freeradius2 from 2.0.3 to 2.0.5
Product: Ports & Packages
Reporter: Martin Matuska <mm>
Component: Individual Port(s)
Assignee: Martin Matuska <mm>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments: file.diff (flags: none)

Description Martin Matuska freebsd_committer freebsd_triage 2008-06-10 11:00:06 UTC
- Update to 2.0.5
- remove files/patch-sites-available

Tinderbox tested (i386/amd64)
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-06-10 11:00:40 UTC
Responsible Changed
From-To: freebsd-ports-bugs->mm

Submitter has GNATS access (via the GNATS Auto Assign Tool)
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2008-06-10 11:00:42 UTC
Maintainer of net/freeradius2,

Please note that PR ports/124439 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/124439

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 3 Edwin Groothuis freebsd_committer freebsd_triage 2008-06-10 11:00:44 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 4 David Wood 2008-06-16 16:28:37 UTC
Hi Martin,

Thanks very much for your contribution; it gave me independent 
verification of my 2.0.5 work. I have been working on an upgrade since 
FreeRADIUS 2.0.5 has been released, also I've had a few days of ill 
health.

I had hoped to submit a patch based on your work by now, but there's 
some more work to do because of a significant change to the layout of 
raddb that has been introduced in 2.0.5. Indeed, I had a 2.0.4 port that 
I was about to submit when 2.0.5 was introduced - that was delayed by 
the need to upgrade my development box to 6.3-RELEASE so that I was 
testing on a supported platform.


I have a bash script that traverses an untarred source archive and 
builds a new pkg-plist; your patch provided valuable independent 
confirmation that my script is working correctly. Maybe I ought to put 
the script in the files directory and submit it as part of the port, 
fairly scrappy shell programming that it is. It's there to do a job, not 
to be particularly elegant. Maybe one day I will rewrite it in Perl. 
However, it works as it is and it's only a maintenance tool, so this is 
a very low priority for me.


There's a bug in the regexes of both sed commands that are used to 
update radiusd.conf when USER is enabled; I've fixed this in the version 
of the port in my internal Subversion repository. I've also enabled the 
experimental DHCP functionality when EXPERIMENTAL is turned on, as well 
as continuing to be explicit about which modules can't be built because 
the dependencies haven't been ported to FreeBSD (rlm_eap2 and rlm_otp, 
for example) or they're too experimental and too poorly documented to 
make sense for the port (the SQLite module is the primary example here).



 From 2.0.5 onwards, the configuration of most of the raddb modules is no 
longer in radiusd.conf. Most modules now have a module specific file in 
raddb/modules instead.

To my mind, this change needs a message in UPDATING, as users really 
need to restructure their own configurations into the new layout. I 
believe that the new layout is much more logical than the old - it's one 
of those changes that is worth the pain. Not only do these changes 
clarify where the configuration of each module is, they also mean there 
will be far fewer lines changed in radiusd.conf between future 
FreeRADIUS versions.


As it stands, the port removes all unmodified files in 
${PREFIX}/etc/raddb when the port is removed and installs all missing 
files into ${PREFIX}/etc/raddb when it is installed. Over time, this 
will lead to most users having files in ${PREFIX}/etc/raddb of different 
base versions, which is a potential maintenance nightmare. In 
particular, weird compatibility issues were possible when a user 
configured extra functionality such as SQL or LDAP, because of the 
disparity in the base versions of radiusd.conf and the SQL or LDAP 
configuration files. The current behaviour also means that the port will 
re-enable virtual servers that are enabled in the default configuration 
but that a user has disabled.

With the changes in FreeRADIUS 2.0.5, these problems become acute. If 
you've configured FreeRADIUS in any way and the port's behaviour isn't 
changed before being upgraded to 2.0.5, you'll finish up with two 
configuration stanzas for the modules installed, as well as a 
radiusd.conf that doesn't reference the new module configuration files.


I think the right way ahead is to change the behaviour so that 
${PREFIX}/etc/raddb is removed when the port is removed if it is 
completely unchanged from the distribution raddb, and 
${PREFIX}/etc/raddb is copied from the distribution raddb if and only if 
${PREFIX}/etc/raddb doesn't exist. That way, the port won't leave 
${PREFIX}/etc/raddb with files of mixed base versions.

Certainly, I think the port should leave the content of all files in 
${PREFIX}/etc/raddb untouched if any files have been modified. I believe 
the current changes that remove permissions that are a potential 
security risk are appropriate - FreeRADIUS will likely fail to start if 
they're not made. I also believe updating the user and group lines in 
radiusd.conf when USER is set is appropriate. Apart from that, my belief 
is that a more conservative philosophy is now correct.


The FreeRADIUS developers suggest managing your configuration in a 
version control system. I use Subversion with the base configuration in 
a vendor branch, from which I merge the changes after every version 
upgrade. This works well, but is more heavyweight than some users want. 
Maybe something like mergemaster(8) is needed.

I think pkg-message needs an overhaul, too - it doesn't give many clues 
as to how to configure FreeRADIUS on FreeBSD, or how to keep your 
configuration up to date.

Finally, I want to look at bootstrapping FreeRADIUS automatically if and 
only if ${PREFIX}/etc/raddb is copied from raddb. This would give you 
certificates, albeit with default parameters, that were ready to go.


I could make a patch from my development Subversion repository and 
submit it with this follow up - it's only an 'svn diff' of my trunk 
against the branch I keep in sync with the ports tree. This would 
upgrade the port to 2.0.5 and make the other changes I've mentioned.

However, I think it's better that I take the time to work through the 
configuration, pkg-message and bootstrap issues properly. That will lead 
to a much better quality port as well as less breakage of users' 
configurations. I also want to look at moving all the libraries into a 
subdirectory of ${PREFIX}/lib - at the moment, FreeRADIUS spams the base 
lib directory rather.

I'm hoping to start work on this later today so that I can submit a 
definitive patch as soon as possible.


If it will help people to provide an interim patch, I will gladly do so 
- on the proviso that people must make a backup of their configuration 
before upgrading FreeRADIUS (or first move the raddb directory somewhere 
other than ${PREFIX}/etc/raddb).



Best wishes,

David (maintainer)
-- 
David Wood
david@wood2.org.uk
Comment 5 Martin Matuska freebsd_committer freebsd_triage 2008-06-17 11:24:59 UTC
Thanks David,

please send your latest work for testing. I have to test it on all my 
tinderboxes (i386, amd64, various branches etc.)
I am an active freeradius user as well, so I will test it in real world, 
too.
Comment 6 David Wood 2008-06-19 08:19:07 UTC
Hi Martin,

In message <485790FB.9090101@FreeBSD.org>, Martin Matuska 
<mm@FreeBSD.org> writes
>please send your latest work for testing. I have to test it on all my 
>tinderboxes (i386, amd64, various branches etc.)
>I am an active freeradius user as well, so I will test it in real 
>world, too.

http://www.wood2.org.uk/freebsd/port-freeradius2-2.0.5.patch
is where I'm up to.

files/patch-sites-available is to be deleted, as you realised.
files/pkg-message.in is new.


I have tested this patch on 6.3-RELEASE i386 and 7-STABLE amd64, though 
I've not given it as much of a work-out as I usually do before 
submitting a patch.


Apart from the upgrade to 2.0.5:

I've fixed the sed regexes mentioned in my last email.

I've changed the port's handling of raddb on installation and removal as 
outlined in my last email.

I've switched to installing all the libraries in a subfolder of 
${PREFIX}/lib, as I believe this is tidier.

I've added a pkg-message; I think the port was long overdue for one.



The questions I can think of are:

Is the port's handling of raddb now more logical? (see my last email for 
more details including why I wanted to change things)

Is bootstrapping raddb/certs during post-install (or as an @exec step if 
installing from a package) appropriate, considering that this can take 
some time? This makes the server work 'out of the box', which it didn't 
before.

What do you think of the new pkg-message? Have I managed to convey the 
relevant information as concisely as possible?

Is bsd.options.mk now available for use following the EoL of 5.x, 6.1 
and 6.2? If it is, I can make python an OPTION, which means the 
footprint of FreeRADIUS 2 is no higher than FreeRADIUS 1 (important for 
embedded users). I'm not going to delay this update over this point, but 
it's something I want to do eventually, as I want to move users 
increasingly to FreeRADIUS 2.



I may back-port some or all of the enhancements that the net/freeradius2 
port has to net/freeradius at some point, but I'd rather encourage 
people to upgrade to FreeRADIUS 2.

I regard the reorganisation of radiusd.conf that has happened in 
FreeRADIUS 2.0.5 as rather disruptive, but worthwhile. Hopefully things 
will now stabilise and I can continue to encourage users to move to 
FreeRADIUS 2.


If you don't spot any problems in my patch, then I think it's ready for 
committing *except* that I need to draft an entry for UPDATING to be 
committed at the same time.

The version of the port in the tree has the old 'remove unmodified files 
in raddb when uninstalling' behaviour. This version won't restore those 
files with the current versions when it is installed, breaking the 
user's configuration. It's not a disaster, as reinstalling 2.0.3 will 
repair the configuration.

Nevertheless, users need to be advised to back up their configuration 
(or move it out of ${PREFIX}/etc/raddb) before they uninstall the old 
port, so as to ensure they have a working configuration. Users should 
also be encouraged to migrate their configuration to the new 'modules' 
layout introduced in 2.0.5.


Best wishes,

David (maintainer)
-- 
David Wood
david@wood2.org.uk
Comment 7 Pav Lucistnik freebsd_committer freebsd_triage 2008-06-23 16:47:13 UTC
State Changed
From-To: feedback->open

Got a word from maintainer
Comment 8 David Wood 2008-07-15 23:59:35 UTC
Dear Martin and all,

I've gradually updated the patch at
http://www.wood2.org.uk/freebsd/port-freeradius2-2.0.5.patch (the link 
in my previous reply).

I believe that the upgrade to 2.0.5 is now ready to commit.


My notes on this upgrade are at
http://www.wood2.org.uk/freebsd/port-freeradius2-2.0.5.txt - a copy is 
pasted below for completeness.

The suggested UPDATING entry (which needs to convey a lot of detail and 
took a lot of drafting and redrafting) is, as described in the notes, at
http://www.wood2.org.uk/freebsd/port-freeradius2-2.0.5.UPDATING.txt


I hope that my efforts on documentation in this PR, the UPDATING entry 
and the new pkg-message, together with the new rc.d script features 
makes FreeRADIUS 2.0.5 easier to use than any version of FreeRADIUS on 
FreeBSD to date.

I hope that you can review and test the changes, then commit them at 
your earliest convenience. Hopefully the next few upgrades to the port 
are much more straightforward!


With thanks and apologies for the delay,

David
(maintainer)


FreeBSD enhancements
====================

The certificates folder is bootstrapped when the port is installed for
the first time.

A pkg-message has been added with helpful information on configuring
and maintaining FreeRADIUS.

These changes greatly improve the FreeRADIUS 'out of the box'
experience.


The rc.d script has had 'reload' (HUP the server) and 'debug' ("radiusd
-X") options added. Note - HUP only re-reads a limited part of the
configuration, but this is better than in FreeRADIUS 1.x where HUP was
broken completely.

These changes make updating and debugging your configuration easier.


The user configuration is removed completely when the port is
uninstalled if the user configuration and the sample configuration are
identical. Any changes caused by bootstrapping the certificates folder
are ignored when making this comparison.

The sample configuration is copied to the default user configuration
location when the port is installed if no configuration was found in
this default location.

Both these are changes from previous versions of the port - for more
details see the UPDATING entry.


The libraries are now installed in a subfolder so as not to spam the
main library folder.

Compiler optimisations are disabled when the WITH_DEVELOPER knob is
enabled for ease of debugging.


Release notes
=============

2.0.4:

Feature improvements
* Allow "virtual_server" in "realm" and "home_server" sections.
   See raddb/proxy.conf and raddb/sites-available/virtual.example.com.
* Allow "passwd" module to be listed in "accounting" and "post-auth".
* Added "fallback" to "home_server_pool" configuration, to handle
   the case of all home servers being dead.  See raddb/proxy.conf.
* Added sample text to raddb/sites-available/inner-tunnel which
   can simplify debugging of inner tunnel configurations.
* Added regular expression matching in realm names.  See
   raddb/proxy.conf for examples.
* Added simple DHCP server functionality.  For comments, see
   raddb/sites-available/dhcp.
* Added file globbing capabilities to detail file reader
* Added sample raddb/sites-available/robust-proxy-accounting
* Clients in SQL can now refer to a virtual server.
   Patch from Michael Bretterklieber.
* Added some examples of creating RADIUS administrator in SQL,
   and assigning appropriate access rights.

Bug fixes
* Install all files in raddb/sites-available
* Allow non-threaded builds.
* Don't treat '0x' as special for known attributes that are not
   of type "octets".
* Fix log error in rlm_pap.
* Remove documentation about non-existent functionality.
* Updated warning messages in debug output.
* Fix handling of timeouts in rlm_ldap that affected 64-bit systems.
   This fix was supposed to go into 2.0.3, but did not make it.
* Fix event handling in debug mode for failed proxy requests.
* Fix memleak in fifos.  Closes #537.
* Fix memleak on blocked threads.  Closes #538.
* Perform additional checks on NULL realms.  Closes #541.
* Fix handling of "clients" in "listen" section.
* When detail file cannot process a packet, sleep for longer
   to let the rest of the server do something.
* Add missing table to raddb/sql/mssql/schema.sql.  Closes #545.
* Updated rlm_sql_postgresql to build with PostgreSQL 7.x.
   Closes #533.
* Fix "postauth" of rlm_ldap to look for LDAP-UserDn in the
   correct place.
* Update rlm_attr_filter for some corner cases.  Closes #543.
* Fixed memory leak in libfreeradius event handler.
* In the SQL Accounting on/off queries, remove the restriction
   that the session time had to be zero.


2.0.5:

Feature improvements
* Permit SQL authorize_reply_query to be empty.
* Allow setting response packet type in Post-Proxy-Type Fail
   handler.
* Added install-chown target to set correct permission and ownership
   make RADMIN=radmin RGROUP=radius install-chown
* Support for LDAP-Group and other dynamic comparison attributes
   in unlang.  Developed from a patch by Jason Alderfer.
* Added chroot support.  See radiusd.conf for comments.
* Allow clients of 0/0.  We do not recommend using this, though.
* Moved many module configurations into raddb/modules/*

Bug fixes
* Allow proxying to virtual servers for accounting packets, too.
* Added "num fields" function to PostgreSQL client.
* Updated proxy fallback mechanism to validate fallback servers,
   and to process fallback requests in a child thread.
* rlm_realm returns "ok" for LOCAL realms, not "noop".
* Fixed some DHCP code handling.  The examples should now work.


INSTRUCTIONS
============

Apply the patch at
http://www.wood2.org.uk/freebsd/port-freeradius2-2.0.5.patch

files/patch-config-security and files/pkg-message.in have been added.

files/patch-sites-available has been deleted.


Add the text in
http://www.wood2.org.uk/freebsd/port-freeradius2-2.0.5.UPDATING.txt to
UPDATING.
-- 
David Wood
david@wood2.org.uk
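Worked example, added here and not the port's own pkg-install.in or any of its files/patch-* (nor code from David or Martin): an sh sketch of the raddb policy David proposes in Comment 4 and summarises under "FreeBSD enhancements" in Comment 8. The sample tree is copied to ${PREFIX}/etc/raddb only when nothing is there; on deinstall the live tree is removed only when it is identical to the sample tree, with the bootstrapped certs folder left out of the comparison; and the USER knob rewrites the user/group directives in radiusd.conf with a sed that is anchored to the start of the line. The sample-tree location share/examples/freeradius/raddb, the stand-in radiusd.conf contents, the function names and the status strings are assumptions made for this example. The thread does not say what the original sed regex bug was, so the anchored pattern is simply the form that leaves other lines containing "user" (a db_user directive, prose in comments) untouched.

```shell
#!/bin/sh
# Added example of the raddb install/deinstall policy discussed in PR
# ports/124439. Not the port's pkg-install.in; paths and messages are
# assumptions for this example, and the sample tree is constructed here.
set -eu

# Construct a stand-in sample tree under $1/share/examples/freeradius/raddb.
# The contents are NOT the real 2.0.5 files, just enough to exercise the logic.
make_sample_tree() {
    s="$1/share/examples/freeradius/raddb"
    mkdir -p "$s/modules" "$s/certs" "$s/sites-available"
    cat > "$s/radiusd.conf" <<'EOF'
# Constructed stand-in for radiusd.conf (example only).
prefix = /usr/local
#  Uncomment the user and group lines to drop privileges after startup.
#  user = radius
#  group = radius
#  db_user = radius
$INCLUDE modules/
EOF
    printf 'ldap {\n\tserver = "ldap.example.org"\n}\n' > "$s/modules/ldap"
    printf '#!/bin/sh\necho "would generate certificates here"\n' > "$s/certs/bootstrap"
}

# Install time: copy the sample tree only if no live configuration exists.
# An existing ${PREFIX}/etc/raddb is never touched, so no mixed base versions.
install_raddb() {
    sample="$1/share/examples/freeradius/raddb"; live="$1/etc/raddb"
    if [ -d "$live" ]; then echo exists; return 0; fi
    mkdir -p "$1/etc"
    cp -Rp "$sample" "$live"
    echo copied
}

# Deinstall time: remove the live tree only if it is identical to the sample
# tree. raddb/certs is excluded because bootstrapping the certificates
# changes it even though the user never edited anything.
deinstall_raddb() {
    sample="$1/share/examples/freeradius/raddb"; live="$1/etc/raddb"
    [ -d "$live" ] || { echo absent; return 0; }
    if diff -r -x certs "$sample" "$live" >/dev/null 2>&1; then
        rm -rf "$live"; echo removed
    else
        echo kept
    fi
}

# USER knob: rewrite the "user = ..." and "group = ..." directives, whether
# or not they are commented out. Anchoring at the start of the line (modulo
# whitespace and a leading '#') means "db_user = ..." or prose such as
# "# Uncomment the user and group lines" are not rewritten.
set_radiusd_user() {
    conf=$1 user=$2 group=$3
    sed -i.bak \
        -e "s/^\([[:space:]]*\)#*[[:space:]]*user[[:space:]]*=.*/\1user = $user/" \
        -e "s/^\([[:space:]]*\)#*[[:space:]]*group[[:space:]]*=.*/\1group = $group/" \
        "$conf"
    rm -f "$conf.bak"
}

# Print the value of a top-level "name = value" directive ($2) from file $1.
radiusd_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

demo() {
    p=$(mktemp -d)
    make_sample_tree "$p"
    echo "install:   $(install_raddb "$p")"      # copied
    echo "install:   $(install_raddb "$p")"      # exists
    mkdir -p "$p/etc/raddb/certs"; echo dummy > "$p/etc/raddb/certs/server.pem"
    echo "deinstall: $(deinstall_raddb "$p")"    # removed (certs ignored)
    install_raddb "$p" >/dev/null
    set_radiusd_user "$p/etc/raddb/radiusd.conf" freeradius freeradius
    echo "user:      $(radiusd_setting "$p/etc/raddb/radiusd.conf" user)"  # freeradius
    echo "deinstall: $(deinstall_raddb "$p")"    # kept (radiusd.conf modified)
    rm -rf "$p"
}
demo
```

Run it with sh; `sed -i.bak` with the suffix attached works on both BSD and GNU sed, which matters for a script that is also run on non-FreeBSD test hosts. In a real pkg-install.in the install and deinstall halves would be dispatched from the POST-INSTALL and DEINSTALL arguments that the old pkg_install tools pass to the script.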
Comment 9 dfilter service freebsd_committer freebsd_triage 2008-07-28 14:14:26 UTC
mm          2008-07-28 13:14:17 UTC

  FreeBSD ports repository

  Modified files:
    .                    UPDATING 
    net/freeradius2      Makefile distinfo pkg-plist 
    net/freeradius2/files pkg-install.in radiusd.sh.in 
  Added files:
    net/freeradius2/files patch-config-security pkg-message.in 
  Removed files:
    net/freeradius2/files patch-sites-available 
  Log:
  - Update to 2.0.5
  - Change handling and structure of configuration files
  - Add new options to startup script ("reload", "debug")
  - Introduce pkg-message
  - Other fixes and enhancements
  
  PR:             ports/124439
  Submitted by:   David Wood <david@wood2.org.uk> (maintainer)
  Tested by:      mm
  
  Revision  Changes    Path
  1.688     +45 -1     ports/UPDATING
  1.71      +27 -26    ports/net/freeradius2/Makefile
  1.26      +3 -3      ports/net/freeradius2/distinfo
  1.1       +11 -0     ports/net/freeradius2/files/patch-config-security (new)
  1.2       +0 -31     ports/net/freeradius2/files/patch-sites-available (dead)
  1.2       +3 -3      ports/net/freeradius2/files/pkg-install.in
  1.1       +53 -0     ports/net/freeradius2/files/pkg-message.in (new)
  1.5       +17 -2     ports/net/freeradius2/files/radiusd.sh.in
  1.36      +344 -315  ports/net/freeradius2/pkg-plist
Comment 10 Martin Matuska freebsd_committer freebsd_triage 2008-07-28 14:22:24 UTC
State Changed
From-To: open->closed

Committed, with minor changes. Thanks!