pkgsrc/net/freeradius/INSTALL


freeradius: Updated to 3.0.16

2018.01.11 Version 3.0.16 has been released. The focus of this release is stability.

Feature Improvements
* rlm_python now supports multiple lists. From #2031.
* Add trust router re-keying. From #2007.
* Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/.
* Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues.
* Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068.
* Distinguish login failure from AD unavailable. Fixes #2069.
* Update RH spec files. Fixes #2070.
* Run Post-Proxy-Type if all home servers are dead. Fixes #2072.
* Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages.
* Minor packaging updates.
* Better documentation for rlm_rest.
* EAP-FAST now has its own "cipher_list", so that it is easier to configure.
* EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2.
* Add documentation for allow_expired_crl.
* Update Debian logrotation. #2093 and #2101.
* DHCP relay can now drop responses. #2095.
* rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes.
* radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets.
* Explain why many LDAP connections are closed. Fixes #1969.
* Debian build / package issues fixed by Matthew Newton.
* dictionary.patton updates from Brice Schaffner. Fixes #2137.
* Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match.
* Added provisions for using an external CA. See raddb/certs/.
* Include dhcpclient binary in freeradius-dhcp debian package.

Bug Fixes
* Bind the lifetime of program name and python path to the module. FR-AD-002 (redone).
* Pass correct statement length into sqlite3_prepare[_v2]. FR-AD-003 (redone).
* Allow 100-Continue responses with additional headers in rlm_rest.
* fix corner case where detail files were not being locked correctly.
* Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947.
* Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files.
* Fix build for winbind. Patch from Alex Clouter.
* Fix checkrad for Mikrotik. Patch from Muchael Ducharme.
* Fix home server stats lookup. Patch from Phil Mayers.
* Add libjson-c3 as an optional dependency.
* Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040.
* rlm_python fixes. Fixes #2041.
* Typos in "man" pages. Fixes #2045.
* Expand "next" in %{%{...}:-%{...}}. Fixes #2048.
* Don't add TLS attributes twice. Fixes #2050.
* Fix memory allocation in rlm_rest. Fixes #2051.
* Update trustrouter for new API. Fixes #2059.
* Fix SQLite issues on FreeBSD. Fixes #2060.
* Don't do debug logging of bad passwords. Fixes #2064.
* More graceful handling of "die" in rlm_perl. Fixes #2073.
* Fix occasional crash when using cisco_accounting_username_bug = yes.
* EAP-FAST fixes from Isaac Boukris #2078, #2076, and #2082, #2126.
* DHCP fixes, relay, #2092, add run-time check, #2028.
* Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106.
* TunnelPassword is not "single value" in LDAP schema. Fixes #2061.
* sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15.
* Remove unnecessary UNIQUE constraint in Oracle schemas.
* Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129.
* Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.
2018-04-12 03:21:07 +02:00
# $NetBSD: INSTALL,v 1.2 2018/04/12 01:21:07 nonaka Exp $
Update net/freeradius to 3.0.15.

Based on a PR from @coyhile (https://github.com/joyent/pkgsrc/issues/18). Splits modules with external dependencies into separate packages.

The 1.1.x branch was EOL'd in 2008. No upgrade guide from 1.1.x to 3.0.x seems to exist.

Summary of improvements in 3.x:
- Moved configuration entries in radiusd.conf to make more sense.
- Added the "integer64" and "ipv4prefix" data types.
- Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls.
- Updated internal API to support new attributes and formats.
- Added code to send SNMP Traps. See raddb/trigger.conf.
- Added preliminary support for Apple's Grand Central Dispatch.
- Added provisions for raddb/dictionary.local, for local changes. See raddb/dictionary for more details.
- Added packet/s tracking. See max_pps in the "listen" section.
- The %{} expansions and "unlang" conditions are now parsed at server start. Descriptive errors are produced for syntax and format errors.
- Casting is now supported for "unlang" comparisons. See "man unlang", e.g. <ipaddr>127.0.0.1 == Framed-IP-Address.
- Direct comparison of attribute references is now supported, e.g. &Foo == &Bar. This avoids stringification of the attributes.
- Direct assignment of attributes is now supported, e.g. Foo := &Bar. It also works for "octets" data types.
- Comparisons of IPv4 and IPv6 prefixes are now supported. The "<" operator means "within the prefix" for comparisons.
- New sha1 xlat expansion (thanks to Alan Buxey).
- Colourised log messages when logging to stdout. Look for yellow warnings and red errors. Doing this will save you a LOT of grief.
- If the PCRE library is available, use it (instead of the POSIX functions) to process regular expressions (thanks to Phil Mayers).
- -xv now displays all the features the server was built with, and the versions of the core libraries (libtalloc, libssl).

Summary of improvements in 2.x:
- simple policy language (see "man unlang")
- virtual servers ("raddb/sites-available/README")
- IPv6 support
- better proxy support ("raddb/proxy.conf")
- More EAP types
- Debugging output should be much easier to understand
- VMPS support
- More modules have been moved to "stable" status (python, etc.)
- SQL configuration has been cleaned up (see "raddb/sql/*")
- limited support for HUP. (The configuration for some modules is re-loaded on HUP. Nothing else is reloaded.)
- check configuration and exit ("radiusd -C")
- Server core is now event based (simpler, more powerful)
2017-08-26 12:07:27 +02:00
#
# Create default symlinks in ${PKG_SYSCONFDIR} for enabled modules/sites
#
SITES_ENABLED="default inner-tunnel"
MODS_ENABLED="always attr_filter cache_eap chap date detail detail.log
digest dynamic_clients eap echo exec expiration expr
files linelog logintime mschap ntlm_auth pap passwd preprocess
radutmp realm replicate soh sradutmp unix unpack utf8"
case ${STAGE} in
POST-INSTALL)
	${ECHO} "Enabling default modules and sites"
	${LN} -sf ./mods-config/preprocess/hints @PKG_SYSCONFDIR@/hints
	${LN} -sf ./mods-config/preprocess/huntgroups @PKG_SYSCONFDIR@/huntgroups
	${LN} -sf ./mods-config/files/authorize @PKG_SYSCONFDIR@/users
	for s in ${SITES_ENABLED}; do
		${LN} -sf ../sites-available/${s} @PKG_SYSCONFDIR@/sites-enabled/${s}
	done
	for m in ${MODS_ENABLED}; do
		${LN} -sf ../mods-available/${m} @PKG_SYSCONFDIR@/mods-enabled/${m}
	done
	;;
esac