Bug 124439 - [UPDATE] net/freeradius2 from 2.0.3 to 2.0.5
Summary: [UPDATE] net/freeradius2 from 2.0.3 to 2.0.5
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Martin Matuska
Depends on:
Reported: 2008-06-10 11:00 UTC by Martin Matuska
Modified: 2008-07-28 14:22 UTC (History)
0 users

See Also:

file.diff (7.39 KB, patch)
2008-06-10 11:00 UTC, Martin Matuska
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Matuska freebsd_committer 2008-06-10 11:00:06 UTC
- Update to 2.0.5
- remove files/patch-sites-available

Tinderbox tested (i386/amd64)
Comment 1 Edwin Groothuis freebsd_committer 2008-06-10 11:00:40 UTC
Responsible Changed
From-To: freebsd-ports-bugs->mm

Submitter has GNATS access (via the GNATS Auto Assign Tool)
Comment 2 Edwin Groothuis freebsd_committer 2008-06-10 11:00:42 UTC
Maintainer of net/freeradius2,

Please note that PR ports/124439 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:

Edwin Groothuis via the GNATS Auto Assign Tool
Comment 3 Edwin Groothuis freebsd_committer 2008-06-10 11:00:44 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 4 David Wood 2008-06-16 16:28:37 UTC
Hi Martin,

Thanks very much for your contribution; it gave me independent 
verification of my 2.0.5 work. I have been working on an upgrade since 
FreeRADIUS 2.0.5 has been released, also I've had a few days of ill 

I had hoped to submit a patch based on your work by now, but there's 
some more work to do because of a significant change to the layout of 
raddb that has been introduced in 2.0.5. Indeed, I had a 2.0.4 port that 
I was about to submit when 2.0.5 was introduced - that was delayed by 
the need to upgrade my development box to 6.3-RELEASE so that I was 
testing on a supported platform.

I have a bash script that traverses an untarred source archive and 
builds a new pkg-plist; your patch provided valuable independent 
confirmation that my script is working correctly. Maybe I ought to put 
the script in the files directory and submit it as part of the port, 
fairly scrappy shell programming that it is. It's there to do a job, not 
to be particularly elegant. Maybe one day I will rewrite it in Perl. 
However, it works as it is and it's only a maintenance tool, so this is 
a very low priority for me.

There's a bug in the regexes of both sed commands that are used to 
update radiusd.conf when USER is enabled; I've fixed this in the version 
of the port in my internal Subversion repository. I've also enabled the 
experimental DHCP functionality when EXPERIMENTAL is turned on, as well 
as continuing to be explicit about which modules can't be built because 
the dependencies haven't been ported to FreeBSD (rlm_eap2 and rlm_otp, 
for example) or they're too experimental and too poorly documented to 
make sense for the port (the SQLite module is the primary example here).

 From 2.0.5 onwards, the configuration of most of the raddb modules is no 
longer in radiusd.conf. Most modules now have a module specific file in 
raddb/modules instead.

To my mind, this change needs a message in UPDATING, as users really 
need to restructure their own configurations into the new layout. I 
believe that the new layout is much more logical than the old - it's one 
of those changes that is worth the pain. Not only do these changes 
clarify where the configuration of each module is, they also mean there 
will be far fewer lines changed in radiusd.conf between future 
FreeRADIUS versions.

As it stands, the port removes all unmodified files in 
${PREFIX}/etc/raddb when the port is removed and installs all missing 
files into ${PREFIX}/etc/raddb when it is installed. Over time, this 
will lead to most users having files in ${PREFIX}/etc/raddb of different 
base versions, which is a potential maintenance nightmare. In 
particular, weird compatibility issues were possible when a user 
configured extra functionality such as SQL or LDAP, because of the 
disparity in the base versions of radiusd.conf and the SQL or LDAP 
configuration files. The current behaviour also means that the port will 
re-enable virtual servers that are enabled in the default configuration 
but that a user has disabled.

With the changes in FreeRADIUS 2.0.5, these problems become acute. If 
you've configured FreeRADIUS in any way and the port's behaviour isn't 
changed before being upgraded to 2.0.5, you'll finish up with two 
configuration stanzas for the modules installed, as well as a 
radiusd.conf that doesn't reference the new module configuration files.

I think the right way ahead is to change the behaviour so that 
${PREFIX}/etc/raddb is removed when the port is removed if it is 
completely unchanged from the distribution raddb, and 
${PREFIX}/etc/raddb is copied from the distribution raddb if and only if 
${PREFIX}/etc/raddb doesn't exist. That way, the port won't leave 
${PREFIX}/etc/raddb with files of mixed base versions.

Certainly, I think the port should leave the content of all files in 
${PREFIX}/etc/raddb untouched if any files have been modified. I believe 
the current changes that remove permissions that are a potential 
security risk are appropriate - FreeRADIUS will likely fail to start if 
they're not made. I also believe updating the user and group lines in 
radiusd.conf when USER is set is appropriate. Apart from that, my belief 
is that a more conservative philosophy is now correct.

The FreeRADIUS developers suggest managing your configuration in a 
version control system. I use Subversion with the base configuration in 
a vendor branch, from which I merge the changes after every version 
upgrade. This works well, but is more heavyweight than some users want. 
Maybe something like mergemaster(8) is needed.

I think pkg-message needs an overhaul, too - it doesn't give many clues 
as to how to configure FreeRADIUS on FreeBSD, or how to keep your 
configuration up to date.

Finally, I want to look at bootstrapping FreeRADIUS automatically if and 
only if ${PREFIX}/etc/raddb is copied from raddb. This would give you 
certificates, albeit with default parameters, that were ready to go.

I could make a patch from my development Subversion repository and 
submit it with this follow up - it's only an 'svn diff' of my trunk 
against the branch I keep in sync with the ports tree. This would 
upgrade the port to 2.0.5 and make the other changes I've mentioned.

However, I think it's better that I take the time to work through the 
configuration, pkg-message and bootstrap issues properly. That will lead 
to a much better quality port as well as less breakage of users' 
configurations. I also want to look at moving all the libraries into a 
subdirectory of ${PREFIX}/lib - at the moment, FreeRADIUS spams the base 
lib directory rather.

I'm hoping to start work on this later today so that I can submit a 
definitive patch as soon as possible.

If it will help people to provide an interim patch, I will gladly do so 
- on the proviso that people that must make a backup of their 
configuration before upgrading FreeRADIUS (or move the raddb directory 
somewhere else other than ${PREFIX}/etc/raddb) first.

Best wishes,

David (maintainer)
David Wood
Comment 5 Martin Matuska freebsd_committer 2008-06-17 11:24:59 UTC
Thanks David,

please sene your latest work for testing. I have to test it on all my 
tinderboxes (i386, amd64, various branches etc.)
I am an active freeradius user as well, so I will test it in real world, 
Comment 6 David Wood 2008-06-19 08:19:07 UTC
Hi Martin,

In message <485790FB.9090101@FreeBSD.org>, Martin Matuska 
<mm@FreeBSD.org> writes
>please sene your latest work for testing. I have to test it on all my 
>tinderboxes (i386, amd64, various branches etc.)
>I am an active freeradius user as well, so I will test it in real 
>world, too.

is where I'm up to.

files/patch-sites-available is to be deleted, as you realised.
files/pkg-message.in is new.

I have tested this patch on 6.3-RELEASE i386 and 7-STABLE amd64, though 
I've not given it as much of a work-out as I usually do before 
submitting a patch.

Apart from the upgrade to 2.0.5:

I've fixed the sed regexes mentioned in my last email.

I've changed the port's handling of raddb on installation and removal as 
outlined in my last email.

I've switched to installing all the libraries in a subfolder of 
${PREFIX}/lib, as I believe this is tidier.

I've added a pkg-message; I think the port was long overdue for one.

The questions I can think of are:

Is the port's handling of raddb now more logical? (see my last email for 
more details including why I wanted to change things)

Is bootstrapping raddb/certs during post-install (or as an @exec step if 
installing from a package) appropriate, considering that this can take 
some time? This makes the server work 'out of the box', which it didn't 

What do you think of the new pkg-message? Have I managed to convey the 
relevant information as concisely as possible?

Is bsd.options.mk now available for use following the EoL of 5.x, 6.1 
and 6.2? If it is, I can make python an OPTION, which means the 
footprint of FreeRADIUS 2 is no higher than FreeRADIUS 1 (important for 
embedded users). I'm not going to delay this update over this point, but 
it's something I want to do eventually, as I want to move users 
increasingly to FreeRADIUS 2.

I may back-port some or all of the enhancements that the net/freeradius2 
port has to net/freeradius at some point, but I'd rather encourage 
people to upgrade to FreeRADIUS 2.

I regard the reorganisation of radiusd.conf that has happened in 
FreeRADIUS 2.0.5 as rather disruptive, but worthwhile. Hopefully things 
will now stabilise and I can continue to encourage users to move to 

If you don't spot any problems in my patch, then I think it's ready for 
committing *except* that I need to draft an entry for UPDATING to be 
committed at the same time..

The version of the port in the tree has the old 'remove unmodifed files 
in raddb when uninstalling' behaviour. This version won't restore those 
files with the current versions when it is installed, breaking the 
user's configuration. It's not a disaster, as reinstalling 2.0.3 will 
repair the configuration.

Nevertheless, users need to be advised to back up their configuration 
(or move it out of ${PREFIX}/etc/raddb) before they uninstall the old 
port, so as to ensure they have a working configuration. Users should 
also be encouraged to migrate their configuration to the new 'modules' 
layout introduced in 2.0.5.

Best wishes,

David (maintainer)
David Wood
Comment 7 Pav Lucistnik freebsd_committer 2008-06-23 16:47:13 UTC
State Changed
From-To: feedback->open

Got a word from maintainer
Comment 8 David Wood 2008-07-15 23:59:35 UTC
Dear Martin and all,

I've gradually updated the patch at
http://www.wood2.org.uk/freebsd/port-freeradius2-2.0.5.patch (the link 
in my previous reply).

I believe that the upgrade to 2.0.5 is now ready to commit.

My notes on this upgrade are at
http://www.wood2.org.uk/freebsd/port-freeradius2-2.0.5.txt - a copy is 
pasted below for completeness.

The suggested UPDATING entry (which needs to convey a lot of detail and 
took a lot of drafting and redrafting) is, as described in the notes, at

I hope that my efforts on documentation in this PR, the UPDATING entry 
and the new pkg-message, together with the new rc.d script features 
makes FreeRADIUS 2.0.5 easier to use than any version of FreeRADIUS on 
FreeBSD to date.

I hope that you can review and test the changes, then commit them at 
your earliest convenience. Hopefully the next few upgrades to the port 
are much more straightforward!

With thanks and apologies for the delay,


FreeBSD enhancements

The certificates folder is bootstrapped when the port is installed for
the first time.

A pkg-message has been added with helpful information on configuring
and maintaining FreeRADIUS.

These changes greatly improve the FreeRADIUS 'out of the box'

The rc.d script has had 'reload' (HUP the server) and 'debug' ("radiusd
-X") options added. Note - HUP only re-reads a limited part of the
configuration, but this is better than in FreeRADIUS 1.x where HUP was
broken completely

These changes make updating and debugging your configuration easier.

The user configuration is removed completely when the port is
uninstalled if the user configuration and the sample configuration are
identical. Any changes caused by bootstrapping the certificates folder
are ignored when making this comparison.

The sample configuration is copied to the default user configuration
location when the port is installed if no configuration was found in
this default location.

Both these are changes from previous versions of the port - for more
details see the UPDATING entry.

The libraries are now installed in a subfolder so as not to spam the
main library folder.

Compiler optimisations are disabled when the WITH_DEVELOPER knob is
enabled for ease of debugging.

Release notes


Feature improvements
* Allow "virtual_server" in "realm" and "home_server" sections.
   See raddb/proxy.conf and raddb/sites-available/virtual.example.com.
* Allow "passwd" module to be listed in "accounting" and "post-auth".
* Added "fallback" to "home_server_pool" configuration, to handle
   the case of all home servers being dead.  See raddb/proxy.conf.
* Added sample text to raddb/sites-available/inner-tunnel which
   can simplify debugging of inner tunnel configurations.
* Added regular expression matching in realm names.  See
   raddb/proxy.conf for examples.
* Added simple DHCP server functionality.  For comments, see
* Added file globbing capabilities to detail file reader
* Added sample raddb/sites-available/robust-proxy-accounting
* Clients in SQL can now refer to a virtual server.
   Patch from Michael Bretterklieber.
* Added some examples of creating RADIUS administrator in SQL,
   and assigning appropriate access rights.

Bug fixes
* Install all files in raddb/sites-available
* Allow non-threaded builds.
* Don't treat '0x' as special for known attributes that are not
   of type "octets".
* Fix log error in rlm_pap.
* Remove documentation about non-existent functionality.
* Updated warning messages in debug output.
* Fix handling of timeouts in rlm_ldap that affected 64-bit systems.
   This fix was supposed to go into 2.0.3, but did not make it.
* Fix event handling in debug mode for failed proxy requests.
* Fix memleak in fifos.  Closes #537.
* Fix memleak on blocked threads.  Closes #538.
* Perform additional checks on NULL realms.  Closes #541.
* Fix handling of "clients" in "listen" section.
* When detail file cannot process a packet, sleep for longer
   to let the rest of the server do something.
* Add missing table to raddb/sql/mssql/schema.sql.  Closes #545.
* Updated rlm_sql_postgresql to build with PostgreSQL 7.x.
   Closes #533.
* Fix "postauth" of rlm_ldap to look for LDAP-UserDn in the
   correct place.
* Update rlm_attr_filter for some corner cases.  Closes #543.
* Fixed memory leak in libfreeradius event handler.
* In the SQL Accounting on/off queries, remove the restriction
   that the session time had to be zero.


Feature improvements
* Permit SQL authorize_reply_query to be empty.
* Allow setting response packet type in Post-Proxy-Type Fail
* Added install-chown target to set correct permission and ownership
   make RADMIN=radmin RGROUP=radius install-chown
* Support for LDAP-Group and other dynamic comparison attributes
   in unlang.  Developed from a patch byJason Alderfer.
* Added chroot support.  See radiusd.conf for comments.
* Allow clients of 0/0.  We do not recommend using this, though.
* Moved many module configurations into raddb/modules/*

Bug fixes
* Allow proxying to virtual servers for accounting packets, too.
* Added "num fields" function to PostgreSQL client.
* Updated proxy fallback mechanism to validate fallback servers,
   and to process fallback requests in a child thread.
* rlm_realm returns "ok" for LOCAL realms, not "noop".
* Fixed some DHCP code handling.  The examples should now work.


Apply the patch at

files/patch-config-security and files/pkg-message.in have been added.

files/patch-sites-available has been deleted.

Add the text in
http://www.wood2.org.uk/freebsd/port-freeradius2-2.0.5.UPDATING.txt to
David Wood
Comment 9 dfilter service freebsd_committer 2008-07-28 14:14:26 UTC
mm          2008-07-28 13:14:17 UTC

  FreeBSD ports repository

  Modified files:
    .                    UPDATING 
    net/freeradius2      Makefile distinfo pkg-plist 
    net/freeradius2/files pkg-install.in radiusd.sh.in 
  Added files:
    net/freeradius2/files patch-config-security pkg-message.in 
  Removed files:
    net/freeradius2/files patch-sites-available 
  - Update to 2.0.5
  - Change handling and structure of configuration files
  - Add new options to startup script ("reload", "debug")
  - Introduce pkg-message
  - Other fixes and enhancements
  PR:             ports/124439
  Submitted by:   David Wood <david@wood2.org.uk> (maintainer)
  Tested by:      mm
  Revision  Changes    Path
  1.688     +45 -1     ports/UPDATING
  1.71      +27 -26    ports/net/freeradius2/Makefile
  1.26      +3 -3      ports/net/freeradius2/distinfo
  1.1       +11 -0     ports/net/freeradius2/files/patch-config-security (new)
  1.2       +0 -31     ports/net/freeradius2/files/patch-sites-available (dead)
  1.2       +3 -3      ports/net/freeradius2/files/pkg-install.in
  1.1       +53 -0     ports/net/freeradius2/files/pkg-message.in (new)
  1.5       +17 -2     ports/net/freeradius2/files/radiusd.sh.in
  1.36      +344 -315  ports/net/freeradius2/pkg-plist
cvs-all@freebsd.org mailing list
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 10 Martin Matuska freebsd_committer 2008-07-28 14:22:24 UTC
State Changed
From-To: open->closed

Committed, with minor changes. Thanks!