From: Alan T. DeKok Date: Mon, 27 Jan 2025 13:35:11 +0000 (-0500) Subject: remove radutmp, radlast, radwho, and radzap X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0f4123c84a0aeaa6fc393fd5e6fdaa0e0a86eaf;p=thirdparty%2Ffreeradius-server.git remove radutmp, radlast, radwho, and radzap Many OS's have moved away from using flat-text files for utmp. Some don't even provide utmp functionality or header files. I can't remember the last time I ran into someone using radutmp, even in v3. And I can't recall ever designing a system with radutmp. It's 2025, and people should use sqlite instead. --- diff --git a/configure b/configure index ddfbda3d662..26ae44160fb 100755 --- a/configure +++ b/configure @@ -16648,7 +16648,7 @@ ac_config_commands="$ac_config_commands scripts-chmod" -ac_config_files="$ac_config_files ./Make.inc ./src/include/build-radpaths-h ./src/bin/checkrad ./src/bin/radlast ./src/bin/radtest ./scripts/rc.radiusd ./scripts/cron/radiusd.cron.daily ./scripts/cron/radiusd.cron.monthly ./scripts/util/cryptpasswd ./raddb/radrelay.conf ./raddb/radiusd.conf" +ac_config_files="$ac_config_files ./Make.inc ./src/include/build-radpaths-h ./src/bin/checkrad ./src/bin/radtest ./scripts/rc.radiusd ./scripts/cron/radiusd.cron.daily ./scripts/cron/radiusd.cron.monthly ./scripts/util/cryptpasswd ./raddb/radrelay.conf ./raddb/radiusd.conf" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
@@ -17357,7 +17357,6 @@ do "./Make.inc") CONFIG_FILES="$CONFIG_FILES ./Make.inc" ;; "./src/include/build-radpaths-h") CONFIG_FILES="$CONFIG_FILES ./src/include/build-radpaths-h" ;; "./src/bin/checkrad") CONFIG_FILES="$CONFIG_FILES ./src/bin/checkrad" ;; - "./src/bin/radlast") CONFIG_FILES="$CONFIG_FILES ./src/bin/radlast" ;; "./src/bin/radtest") CONFIG_FILES="$CONFIG_FILES ./src/bin/radtest" ;; "./scripts/rc.radiusd") CONFIG_FILES="$CONFIG_FILES ./scripts/rc.radiusd" ;; "./scripts/cron/radiusd.cron.daily") CONFIG_FILES="$CONFIG_FILES ./scripts/cron/radiusd.cron.daily" ;; @@ -17917,7 +17916,7 @@ printf "%s\n" "$as_me: executing $ac_file commands" >&6;} case $ac_file$ac_mode in "stamp-h":C) echo timestamp > src/include/stamp-h ;; "build-radpaths-h":C) (cd ./src/include && /bin/sh ./build-radpaths-h) ;; - "main-chmod":C) (cd ./src/bin && chmod +x checkrad radlast radtest) ;; + "main-chmod":C) (cd ./src/bin && chmod +x checkrad radtest) ;; "scripts-chmod":C) (cd ./scripts && chmod +x rc.radiusd cron/radiusd.cron.daily cron/radiusd.cron.monthly util/cryptpasswd) ;; esac diff --git a/configure.ac b/configure.ac index 34c831ee1e7..141c3c7151c 100644 --- a/configure.ac +++ b/configure.ac @@ -2626,7 +2626,7 @@ dnl # dnl ############################################################# AC_CONFIG_COMMANDS([stamp-h], [echo timestamp > src/include/stamp-h]) AC_CONFIG_COMMANDS([build-radpaths-h], [(cd ./src/include && /bin/sh ./build-radpaths-h)]) -AC_CONFIG_COMMANDS([main-chmod], [(cd ./src/bin && chmod +x checkrad radlast radtest)]) +AC_CONFIG_COMMANDS([main-chmod], [(cd ./src/bin && chmod +x checkrad radtest)]) AC_CONFIG_COMMANDS([scripts-chmod], [(cd ./scripts && chmod +x rc.radiusd cron/radiusd.cron.daily cron/radiusd.cron.monthly util/cryptpasswd)]) dnl # @@ -2639,7 +2639,6 @@ AC_CONFIG_FILES([\ ./Make.inc \ ./src/include/build-radpaths-h \ ./src/bin/checkrad \ - ./src/bin/radlast \ ./src/bin/radtest \ ./scripts/rc.radiusd \ ./scripts/cron/radiusd.cron.daily \ 
diff --git a/debian/control.in b/debian/control.in
index cae96ed2a2c..280d24e0576 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -88,12 +88,9 @@ Description: FreeRADIUS client utilities
 This package contains various client programs and utilities from the
 FreeRADIUS Server project, including:
 - radclient
- - radlast
 - radsniff
 - radsqlrelay
 - radtest
- - radwho
- - radzap
 - smbencrypt
 Package: freeradius-perl-util
diff --git a/debian/freeradius-config.postinst b/debian/freeradius-config.postinst
index 17c700ed38e..3c21b32b66f 100644
--- a/debian/freeradius-config.postinst
+++ b/debian/freeradius-config.postinst
@@ -36,8 +36,8 @@ case "$1" in
 for mod in always attr_filter cache_eap chap client \
 delay detail detail.log digest eap \
 eap_inner echo exec files linelog \
- mschap ntlm_auth pap pam passwd radutmp \
- sradutmp stats unix unpack utf8 ; do
+ mschap ntlm_auth pap pam passwd \
+ stats unix unpack utf8 ; do
 if test ! -h /etc/freeradius/mods-enabled/$mod && \
 test ! -e /etc/freeradius/mods-enabled/$mod; then
 ln -s ../mods-available/$mod /etc/freeradius/mods-enabled/$mod
diff --git a/debian/freeradius-utils.install b/debian/freeradius-utils.install
index 4b9a9d53229..a277bb92e93 100644
--- a/debian/freeradius-utils.install
+++ b/debian/freeradius-utils.install
@@ -2,10 +2,7 @@ usr/bin/dhcpclient
 usr/bin/smbencrypt
 usr/bin/radclient
 usr/bin/radict
-usr/bin/radwho
 usr/bin/radsniff
-usr/bin/radlast
 usr/bin/radtest
-usr/bin/radzap
 usr/bin/radsqlrelay
 usr/bin/radcrypt
diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate
index 72d5d27138d..c65dafd7dd8 100644
--- a/debian/freeradius.logrotate
+++ b/debian/freeradius.logrotate
@@ -16,7 +16,6 @@
 # Session monitoring utilities, session database modules and
 # SQL log files
 /var/log/freeradius/checkrad.log /var/log/freeradius/radwatch.log
-/var/log/freeradius/radutmp
 /var/log/freeradius/radwtmp /var/log/freeradius/sqllog.sql {
 nocreate
 daily
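Review bot: Dropping `radutmp` and `sradutmp` from the `for mod in` list in freeradius-config.postinst only stops new installs from enabling them; the loop never removes anything, so a system upgraded from a release that ran this postinst keeps `/etc/freeradius/mods-enabled/radutmp` and `/etc/freeradius/mods-enabled/sradutmp` as symlinks to module files that the package no longer ships (the upgrade.adoc hunk in this commit states the module has been removed). Unless the server tolerates dangling symlinks under mods-enabled, which I cannot confirm from here, it will presumably fail to start after the package upgrade until an administrator deletes the links by hand. I would clean them up in the same configure path, before the loop: `rm -f /etc/freeradius/mods-enabled/radutmp /etc/freeradius/mods-enabled/sradutmp`. The enclosing `case "$1" in` block starts and ends outside the hunk, so the exact placement relative to any upgrade-version test is not visible.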
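Review bot: The logrotate hunk removes `/var/log/freeradius/radutmp` but keeps `/var/log/freeradius/radwtmp` in the same rotation set, and the module_interface.adoc hunk in this commit also deletes `utmp/wtmp-style logging` from rlm_unix's description; if no remaining module writes radwtmp, that entry is now stale too and should be dropped in the same commit. If some module does still write it, a comment on the line naming the writer would save the next person this question, e.g. `# radwtmp: still written by <WRITER-MODULE placeholder>`. I cannot tell from this chunk which of the two is the case.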
diff --git a/doc/antora/modules/ROOT/pages/faq.adoc b/doc/antora/modules/ROOT/pages/faq.adoc index 51d912f441c..b269ae4a468 100644 --- a/doc/antora/modules/ROOT/pages/faq.adoc +++ b/doc/antora/modules/ROOT/pages/faq.adoc @@ -21,9 +21,6 @@ Also, it has many features not found in free servers and many commercial ones, l * Multiple DEFAULT entries in raddb/users file * All users file entries can optionally "fall through" * Caches all config files in-memory -* Keeps a list of logged in users (radutmp file) -* "radwho" program can be installed as "fingerd" -* Logs both UNIX wtmp file format and RADIUS detail logfiles * Supports Simultaneous-Use = X parameter. Yes, this means that you can now prevent double logins! * Supports Vendor-Specific attributes, including USR non-standard ones. * Supports proxying 
@@ -350,9 +347,9 @@ Here is a check list: 1. Check that you added your NAS to _raddb/clients.conf_ and selected correct NAS type, also check the password 2. Run `radiusd -X` and see if it parses the Simultaneous-Use line. 3. Try to run `checkrad` manually; maybe you may have a wrong version of perl, don't have cmu-snmp installed etc. -4. run `radwho`. If it says no one is logged in, Simultaneous-Use won't work. +4. Check the database. If it says no one is logged in, Simultaneous-Use won't work. 5. Verify that the NAS is sending accounting packets. Without accounting packets, Simultaneous-Use will NOT work. -6. Verify that the accounting packets are accepted by the radutmp module. If the module returns "noop", it means that the accounting packets do not have enough information for the server to perform Simultaneous-Use enforcement. +6. Verify that the accounting packets are accepted by the datavase module. If the module returns "noop", it means that the accounting packets do not have enough information for the server to perform Simultaneous-Use enforcement. 7. In case you have SQL as a database, and you have accounting records in radacct table, you'll need to uncomment sql in session section of radiusd.conf file. Also, you'll need to uncomment Simutaneus check query in sql.conf file. The radius server calls the checkrad script when it thinks the user is already logged on on one or more other ports/terminal servers to verify that the user is indeed still online on that *other* port/server. If Simultaneous-Use > 1, then it might be that checkrad is called several times to verify each existing session. 
@@ -417,10 +414,6 @@ This is generally caused by an incorrect named configuration. Check your named f Another file to investigate is raddb/naslist. All entries there must be resolved by a DNS query. -### Why radwho is taking so long to show users connected? - -See question 4.9 - ### PEAP or EAP-TLS Doesn't Work with a Windows machine The most common problem with PEAP is that the client sends a series of Access-Request messages, the server sends an series of Access-Challenge responses, and then... nothing happens. After a little wait, it all starts again. diff --git a/doc/antora/modules/ROOT/pages/radiusd_x.adoc b/doc/antora/modules/ROOT/pages/radiusd_x.adoc index 250bbace93d..d380a494675 100644 --- a/doc/antora/modules/ROOT/pages/radiusd_x.adoc +++ b/doc/antora/modules/ROOT/pages/radiusd_x.adoc @@ -67,7 +67,6 @@ Sometimes the module you're using does not seem to be loaded or used. In that c including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/preprocess - including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/expr @@ -84,7 +83,6 @@ Sometimes the module you're using does not seem to be loaded or used. In that c including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/dynamic_clients - including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/replicate 
diff --git a/doc/antora/modules/concepts/pages/modules/ldap_authentication.adoc b/doc/antora/modules/concepts/pages/modules/ldap_authentication.adoc new file mode 100644 index 00000000000..cebabc369f9 --- /dev/null +++ b/doc/antora/modules/concepts/pages/modules/ldap_authentication.adoc 
@@ -0,0 +1,131 @@ += Authenticating Users with LDAP + +The LDAP module is compatible a few different kinds of authentication +methods. Note that we say _compatible_, and not _supports_. LDAP +servers are databases, and do not support authentication protocols. + +PAP:: +The user supplies a `User-Password` (plaintext or EAP-TTLS/PAP) ++ +FreeRADIUS reads the "known good" password from LDAP, and compares +that to what the user entered. + +Bind as user:: +The user supplies a `User-Password` (plaintext or EAP-TTLS/PAP) ++ +FreeRADIUS uses that password to "bind as the user" to LDAP, using the +supplied `User-Name` and `User-Password. If the bind is successfull, +the user is authenticated. Otherwise, authentication fails. + +CHAP:: +The user supplies a `CHAP` password attribute. ++ +FreeRADIUS reads the "known good" password from LDAP in cleartext, and +compares that to what the user entered. + +MS-CHAP:: +The user supplies a `MS-CHAP` password attribute. Either as +MS-CHAPv2, or as PEAP/MSCHAPv2, or as EAP-TTLS/MS-CHAPv2. ++ +FreeRADIUS reads the "known good" password from LDAP in cleartext, or +as an NT hash, and compares that to what the user entered. + +All of above authentication methods other than "bind as user" require +that FreeRADIUS obtain the `userPassword` field from LDAP. If that +field is not returned to FreeRADIUS, then normal authentication is +impossible. Either FreeRADIUS has to be configured to use "bind as +user" for authentication, or the LDAP database has to be updated to +return the `userPassword` field to FreeRADIUS. This change usually +involves giving the FreeRADIUS "read-only" user permission to read the +`userPassword` field. + +Again, the best method is to test authentication is with the +xref:modules/ldap_search.adoc[ldapsearch] tool. These tests *must* be +run prior to configuring FreeRADIUS. We strongly recommend having the +LDAP database return the `userPassword` field to FreeRADIUS, so that +FreeRADIUS can authenticate the user. 
+ +We also strongly recommend that the passwords be stored in LDAP as +cleartext. Otherwise, the only authentication methods that will work +are PAP and EAP-TTLS/PAP. The next section explains these issues in +more detail. + +== Password Storage Methods + +If the `userPassword` field is returned from LDAP to FreeRADIUS, that +information can be stored in a number of different formats: + +* the value can be cleartext +* the value can be prepended with a string enclosed by braces, such as with `{crypt}` or `{ssha3}`. +* the value can be have a suffix of `::`, in which case the password is generally a https://en.wikipedia.org/wiki/Base64[base64] encoded version of the real password + +TIP: Base64 values can be decoded via the command: `printf "%s" +"VALUE" | base64 -d` + +FreeRADIUS is capable of understanding and parsing all of the above +formats. There is sufficient information in the password values to +determine what format it is in (base64, binary, or text), and what +password "encryption" mechanism has been used (crypt, MD5, SHA, SSHA2, +SHA3, etc). All that is necessary is that the +xref:raddb:mods-available/ldap.adoc[ldap module] be configured to map +the `userPassword` LDAP field to the `&control:Password-With-Header` +attribute in FreeRADIUS. FreeRADIUS will then "do the right thing" to +authenticate the user. + +This mapping is done in the default module configuration. There are +no additional changes required for FreeRADIUS to correctly read and +decode the `userPassword` field from LDAP. Please see the +xref:raddb:mods-available/pap.adoc[pap module] for a full list of +supported password "encryption" formats. + +== Additional Considerations + +There are some major caveats with the above authentication methods. +The first is that we *strongly recommend* against using "bind as +user". This process is slow, and causes unnecessary churn in the +connections used to contact the LDAP server. 
Further, the "bind as +user" process works _only_ when a `User-Password attribute exists in +the request. If any other authentication type is used in the request, +then the "bind as user" _will not work_. There is no amount of +"fixing" things or configuration changes which will make it work. + +The second caveat is that the `CHAP` authentication type works _only_ +when a "clear text" password is stored in the LDAP database. The +`CHAP` calclulations are designed around having access to the "clear +text" password. It is impossible to use any "encrypted" or "hashed" +passwords with `CHAP`. + +The third caveat is that the `MS-CHAP` authentication type works +_only_ when a "clear text" password or "NT hashed" passwords which are +stored in the LDAP database. The `MS-CHAP` calculations are designed +around having access to "known good" passwords in those formats. It +is impossible to use any other kind of "encrypted" or "hashed" +passwords with `MS-CHAP`. + +The final caveat is that when the LDAP database contains "encrypted" +or "hashed" passwords, the _only_ authentication type which is +compatible with those passwords is PAP. i.e. when the `User-Password` +is supplied to FreeRADIUS. + +For recommendations on password storage methods in LDAP, please see +the LDAP +https://openldap.org/doc/admin24/security.html#Password%20Storage[password +storage] page. Please note that the recommendations there are made +for LDAP security, and pay no attention to the caveats described +above. When both RADIUS and LDAP are used together, then the +requirements of _both_ systems must be met in order for them to work +together. In many cases, a naive approach to LDAP security will +prevent RADIUS from working. + +The issue of a database storing passwords in clear-text has to be +balanced against the users sending clear-text passwords in +authentication protocols. 
While those passwords are protected by TLS +(EAP-TTLS) or by RADIUS (in it's own "encryption" mechanism), it is +generally better to use a stronger authentication method than just +PAP. + +In the end, there is no perfect solution to security requirements. +The choice may be either to give up on using a particular +authentication method, or to relax the security requirements on LDAP +and on password storage. The final decision as to which choice is +best can only be made by a local administrator. diff --git a/doc/antora/modules/developers/pages/module_interface.adoc b/doc/antora/modules/developers/pages/module_interface.adoc index cdc7f765a8b..0dd19f9d8e7 100644 --- a/doc/antora/modules/developers/pages/module_interface.adoc +++ b/doc/antora/modules/developers/pages/module_interface.adoc @@ -59,14 +59,12 @@ Examples: | rlm_sql | Contains code for talking to MySQL or Postgres, and for mapping RADIUS records onto SQL tables. | rlm_unix | Contains code for making radiusd fit in well on unix-like - systems, including getpw* authentication and utmp/wtmp-style - logging. + systems, including getpw* authentication |=== An instance specifies the actual location of a collection data that can be used by a module. Examples: -* /var/log/radutmp * the MySQL database on bigserver.theisp.com.example A module can have multiple components which act on RADIUS requests at diff --git a/doc/antora/modules/howto/pages/modules/ldap_authentication_testing.adoc b/doc/antora/modules/howto/pages/modules/ldap_authentication_testing.adoc new file mode 100644 index 00000000000..539d1d787e7 --- /dev/null +++ b/doc/antora/modules/howto/pages/modules/ldap_authentication_testing.adoc 
@@ -0,0 +1,211 @@ +=== Authentication + +Now in another terminal window run on the FreeRADIUS server to test authentication: + +[source,shell] +---- +cat <<'EOF' | radclient -x localhost auth testing123 +User-Name = "john" +User-Password = "password" +EOF +---- + +==== `Access-Accept` + +If this works you should see `radclient` report `Access-Accept` almostly immediately without delay: + +[source,log] +---- +Sent Access-Request Id 39 from 0.0.0.0:47493 to 127.0.0.1:1812 length 44 + User-Name = john + User-Password = password +Received Access-Accept Id 39 from 127.0.0.1:1812 to 0.0.0.0:47493 via lo length 26 + User-Name = "john" +---- + +On the FreeRADIUS debug terminal side, you should see something like: + +[source,log] +---- +... +(0) ldap - Reserved connection (0) +(0) ldap - EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) +(0) ldap - --> (uid=john) +(0) ldap - Performing search in "dc=example,dc=com" with filter "(uid=john)", scope "sub" +(0) ldap - Waiting for search result... +(0) ldap - User object found at DN "uid=john,ou=people,dc=example,dc=com" +(0) ldap - Processing user attributes +(0) ldap - &control:Password-With-Header += password +(0) ldap - Released connection (0) +(0) ldap (updated) +... +(0) pap - No {...} in &Password-With-Header, re-writing to Cleartext-Password +(0) pap - Normalized &control:Password-With-Header -> &control:Cleartext-Password +(0) pap - Removing &control:Password-With-Header +(0) pap - Setting &control:Auth-Type = pap +(0) pap (updated) +(0) } # recv Access-Request (updated) +(0) Running 'authenticate pap' from file /usr/local/etc/raddb/sites-enabled/default +(0) authenticate pap { +(0) pap - Login attempt with password +(0) pap - Comparing with "known-good" Cleartext-Password (8) +(0) pap - User authenticated successfully +(0) pap (ok) +(0) } # authenticate pap (ok) +(0) Running 'send Access-Accept' from file /usr/local/etc/raddb/sites-enabled/default +... +---- + +Here FreeRADIUS is describing what it did: + + . 
used the `ldap` module + ** searched for `(uid=john)` in `dc=example,dc=com` + *** this is doing the same as the following that you could run on the CLI ++ +[source,shell] +---- +ldapsearch -LL -H ldap://localhost -x -D cn=freeradius,dc=example,dc=com -w mypassword -b dc=example,dc=com '(uid=john)' +---- + ** found `uid=john,ou=people,dc=example,dc=com` + *** if for you no user is found, but you know the user is in your directory, recheck the `user { ... }` section in `raddb/mods-available/ldap` as you may have a filter or attribute configuration set incorrectly + ** found some useful attributes associated with that user + *** the password which it placed into `control:Password-With-Header` + *** as RADIUS attributes were changed, it returns `updated` as a result code to unlang + . the modules `expiration` and `logintime` were used, but both had no effect (`noop`) + . the module `pap` was used + ** it found a suitable password to use in `&Password-With-Header` + *** populates `&control:Cleartext-Password` + *** the module decides it has everything it needs to do authentication so sets `&control:Auth-Type = pap` + *** as RADIUS attributes were changed, it returns `updated` as a result code to unlang + . the authenticate section runs and hands off to `pap` as `&control:Auth-Type = pap` was set earlier + ** `&control:Cleartext-Password` is compared to `&request:User-Password` + ** matches so `ok` is returned + . we return `Access-Accept` as `ok` was returned to unlang + +This worked as the LDAP credentials used by FreeRADIUS to connect to the LDAP server is able to extract a the `userPassword` attribute; as could been seen from the example `ldapsearch` command provided earlier. 
+ +==== `Access-Reject` + +If this fails, the response will be delayed by one second and `Access-Reject` will be returned: + +[source,shell] +---- +Debug : Sent Access-Request Id 130 from 0.0.0.0:49353 to 127.0.0.1:1812 length 44 +Debug : Received Access-Reject Id 130 from 127.0.0.1:1812 to 0.0.0.0:49353 via lo length 20 +(0) -: Expected Access-Accept got Access-Reject +---- + +You should now look to the output of the debugging from the FreeRADIUS terminal window which may show something like: + +[source,log] +---- +(0) ldap - Reserved connection (0) +(0) ldap - EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) +(0) ldap - --> (uid=john) +(0) ldap - Performing search in "dc=example,dc=com" with filter "(uid=john)", scope "sub" +(0) ldap - Waiting for search result... +(0) ldap - User object found at DN "uid=john,ou=people,dc=example,dc=com" +(0) ldap - Processing user attributes +(0) ldap - Released connection (0) +(0) ldap (ok) +(0) expiration (noop) +(0) logintime (noop) +(0) pap - WARNING: No "known good" password found for the user. Not setting Auth-Type +(0) pap - WARNING: Authentication will fail unless a "known good" password is available +(0) pap (noop) +(0) } # recv Access-Request (ok) +(0) ERROR: No Auth-Type available: rejecting the user. +(0) Running 'send Access-Reject' from file /usr/local/etc/raddb/sites-enabled/default +---- + +Here FreeRADIUS describes it: + + . used the `ldap` module + ** searched for `(uid=john)` in `dc=example,dc=com` + ** found `uid=john,ou=people,dc=example,dc=com` + ** did *not* find any useful attributes associated with that user + ** module was successful in operation, but changed no RADIUS attributes so returns `ok` + . the modules `expiration` and `logintime` were used, but both had no effect (`noop`) + . the module `pap` was used + ** it finds no suitable password RADIUS attributes to use + ** as it makes no changes, the module returns `noop` + . 
no `Auth-Type` is set, so FreeRADIUS rejects the request (no even attempting to authenticate) + . returns `Access-Reject` + +This occurs as the LDAP credentials used by FreeRADIUS to connect to the LDAP server is *unable* to extract a the `userPassword` attribute; as could been seen from the example `ldapsearch` command provided earlier. + +You have two options avaliable to you here (`Ctrl-C` the running FreeRADIUS server, make the change and restart): + + . change the permissions of the LDAP credentials used so that FreeRADIUS can read the LDAP `userPassword` attribute + ** this is the recommended option + ** fixing this, means you should see `Access-Accept` as described above + . configure FreeRADIUS to attempt to 'bind' (LDAP language for 'login') as the user in the RADIUS request + ** do this by editing `/usr/local/etc/raddb/sites-available/default` + ** amend by adding after the call to `ldap` in `recv Access-Request { ... }` section, so that it looks like: ++ +[source,unlang] +---- +-ldap +if ((ok || updated) && &User-Password) { + update { + &control:Auth-Type := ldap + } +} +---- + ** FreeRADIUS is now configured to attempt to LDAP bind if the `ldap` module finds a user and the RADIUS request contains a `User-Password` RADIUS attribute + +If you use LDAP bind'ing to perform user authentication, then when `radclient` receives `Accept-Accept', the FreeRADIUS debug terminal will look like: + +[source,log] +---- +(0) ldap - Reserved connection (0) +(0) ldap - EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) +(0) ldap - --> (uid=john) +(0) ldap - Performing search in "dc=example,dc=com" with filter "(uid=john)", scope "sub" +(0) ldap - Waiting for search result... 
+(0) ldap - User object found at DN "uid=john,ou=people,dc=example,dc=com" +(0) ldap - Processing user attributes +(0) ldap - Released connection (0) +(0) ldap (ok) +(0) if ((ok || updated) && &User-Password) { +(0) update { +(0) &control:Auth-Type := ldap +(0) } # update (noop) +(0) } # if ((ok || updated) && &User-Password) (noop) +(0) expiration (noop) +(0) logintime (noop) +(0) pap - WARNING: No "known good" password found for the user. Not setting Auth-Type +(0) pap - WARNING: Authentication will fail unless a "known good" password is available +(0) pap (noop) +(0) } # recv Access-Request (ok) +(0) Running 'authenticate ldap' from file /usr/local/etc/raddb/sites-enabled/default +(0) authenticate ldap { +(0) ldap - Login attempt with password +(0) ldap - Reserved connection (1) +(0) ldap - Login attempt by "john" +(0) ldap - Using user DN from request "uid=john,ou=people,dc=example,dc=com" +(0) ldap - Waiting for bind result... +(0) ldap - Bind successful +(0) ldap - Bind as user "uid=john,ou=people,dc=example,dc=com" was successful +(0) ldap - Released connection (1) +(0) ldap (ok) +(0) } # authenticate ldap (ok) +(0) Running 'send Access-Accept' from file /usr/local/etc/raddb/sites-enabled/default +---- + +Here FreeRADIUS is describes it: + + . used the `ldap` module + ** searched for `(uid=john)` in `dc=example,dc=com` + ** found `uid=john,ou=people,dc=example,dc=com` + ** did *not* find any useful attributes associated with that user + ** module was successful in operation, but changed no RADIUS attributes so returns `ok` + . `&control:Auth-Type := ldap` was set as the `ldap` module was successful in finding a user + . the modules `expiration` and `logintime` were used, but both had no effect (`noop`) + . the module `pap` was used + ** it finds no suitable password RADIUS attributes to use + ** as it makes no changes, the module returns `noop` + . 
the authenticate section runs and hands off to `ldap` as `&control:Auth-Type = ldap` was set earlier + ** attemps to LDAP bind as `uid=john,ou=people,dc=example,dc=com` + ** successful so `ok` is returned + . we return `Access-Accept` as `ok` was returned to unlang diff --git a/doc/antora/modules/howto/pages/modules/ldap_group.adoc b/doc/antora/modules/howto/pages/modules/ldap_group.adoc new file mode 100644 index 00000000000..08ccdfab4b2 --- /dev/null +++ b/doc/antora/modules/howto/pages/modules/ldap_group.adoc @@ -0,0 +1,7 @@ + ** in the `group { ... }` section + *** check that `filter` can match your groups when searched for + **** for Active Directory you may need to use `(objectClass=group)` instead + *** referring to your notes above on how your LDAP server handles authorization, if it uses the LDAP attribute in: + **** *a dedicated group object (ie. `member`):* uncomment `membership_filter` and possibility amend the value + **** *the user object (ie. `memberOf`):* check `membership_attribute` is set apprioately + . enabled the LDAP module diff --git a/doc/antora/modules/howto/pages/modules/sqlippool/populating.adoc b/doc/antora/modules/howto/pages/modules/sqlippool/populating.adoc new file mode 100644 index 00000000000..4a3fdc325a1 --- /dev/null +++ b/doc/antora/modules/howto/pages/modules/sqlippool/populating.adoc 
@@ -0,0 +1,205 @@ += Generating IPs for the pools. + +The `scripts/sql/generate_pool_addresses.pl` file is a helper script +for populating IP pools with address entries. + +The script generates output which is useful for populating an IP pool +for use with FreeRADIUS (and possibly other purposes). The pool may be +implemented as an SQL IP Pool (the `sqlippool` module) or any other +backing store that has one entry per IP address. + +This script output a list of address to add, retain and remove in order to +align a pool to a specification. It is likely that you will want to +process the output to generate the actual commands (e.g. SQL statements) +that make changes to the datastore. For example: + +[source,shell] +---- +generate_pool_addresses.pl ... | align_sql_pools.pl postgresql +---- + +Once the IP addresses have been generated, + +== Use with a single address range + +For basic use, arguments can be provided to this script that denote the ends +of a single IP (v4 or v6) address range together with the pool_name. + +Optionally the number of IPs to sparsely populate the range with can be +provided. If the range is wider than a /16 then the population of the range +is capped at 65536 IPs, unless otherwise specified. + +In the case that a sparse range is defined, a file containing pre-existing +IP entries can be provided. The range will be populated with entries from +this file that fall within the range, prior to the remainder of the range +being populated with random address in the range. + +[source,shell] +---- +generate_pool_addresses.pl \ + [ [ ] ] +---- + +NOTE: Sparse ranges are populated using a deterministic, pseudo-random +function. This allows pools to be trivially extended without having to +supply the existing contents using a file. If you require +less-predictable randomness or a different random sequence then remove +or modify the line calling srand(), below. 
+ + +### Use with multiple pools and address ranges + +For more complex us, the script allows a set of pool definitions to be +provided in a YAML file which describes a set of one or more pools, each +containing a set of one or more ranges. The first argument in this case is +always "yaml": + +[source,shell] +---- +generate_pool_addresses.pl yaml [ ] +---- + +The format for the YAML file is demonstrated by the following example: + +---- +pool_with_a_single_contiguous_range: + - start: 192.0.2.3 + end: 192.0.2.250 + +pool_with_a_single_sparse_range: + - start: 10.10.10.0 + end: 10.10.20.255 + capacity: 200 + +pool_with_multiple_ranges: + - start: 10.10.10.1 + end: 10.10.10.253 + - start: 10.10.100.0 + end: 10.10.199.255 + capacity: 1000 + +v6_pool_with_contiguous_range: + - start: '2001:db8:1:2:3:4:5:10' + end: '2001:db8:1:2:3:4:5:7f' + +v6_pool_with_sparse_range: + - start: '2001:db8:1:2::' + end: '2001:db8:1:2:ffff:ffff:ffff:ffff' + capacity: 200 +---- + +As with the basic use case, a file containing pre-existing IP entries can be +provided with which any sparse ranges will be populated ahead of any random +addresses. + +=== Output + +The script returns line-based output beginning with `+`, `=` or `-`, and +includes the pool_name and an IP address. + + +`+ pool_name 192.0.2.10`:: + + A new address to be added to the corresponding range in the pool. + +`pool_name 192.0.2.20`:: + + A pre-existing address that is to be retained in the pool. (Only if a + pre-existing pool entries file is given.) + +`pool_name 192.0.2.30`:: + + A pre-existing address that is to be removed from the corresponding + range in the pool. (Only if a pre-existing pool entries file is given.) + +`# main_pool: 192.0.10.3 - 192.0.12.250 (500)`:: + + Lines beginning with "#" are comments + +.Example of creating a fully populated IP range. 
+============================================= + +[source,shell] +---- +generate_pool_addresses.pl main_pool 192.0.2.3 192.0.2.249 +---- + +Will create a pool from a full populated IPv4 range, i.e. all IPs in the +range available for allocation). +============================================= + + +.Example of creating a sparsely populated pool. +============================================= + +[source,shell] +---- +generate_pool_addresses.pl main_pool 10.66.0.0 10.66.255.255 10000 +---- + +Will create a pool from a sparsely populated IPv4 range for a `/16` +network (maximum of 65.536 addresses), populating the range with 10,000 +addreses. The effective size of the pool can be increased in future by +increasing the capacity of the range with: +============================================= + + +.Example of extending a previously populated pool. +============================================= + +[source,shell] +---- +generate_pool_addresses.pl main_pool 10.66.0.0 10.66.255.255 20000 +---- + +This command will generate the same initial set of 10,000 addresses as +the previous example but will create 20,000 addresses overall, unless +the random seed has been changed since the initial run. +============================================= + + +.Example of creating an IPv6 pool +============================================= + +[source,shell] +---- +generate_pool_addresses.pl main_pool 2001:db8:1:2:: \ + 2001:db8:1:2:ffff:ffff:ffff:ffff +---- + +Will create a pool from the IPv6 range `2001:db8:1:2::/64`, initially +populating the range with 65536 (by default) addresses. +============================================= + + +.Example of extending a previously populated IPv6 pool. 
+============================================= + +[source,shell] +---- +generate_pool_addresses.pl main_pool 2001:db8:1:2:: \ + 2001:db8:1:2:ffff:ffff:ffff:ffff \ + 10000 existing_ips.txt +---- + +Will create a pool using the same range as the previous example, but +this time the range will be populated with 10,000 addresses. The range +will be populated using lines extracted from the `existing_ips.txt` file +that represent IPs which fall within range. +============================================= + + +.Example of creating pools from a YAML file. +============================================= + +[source,shell] +---- +generate_pool_addresses.pl yaml pool_defs.yml existing_ips.txt +---- + +Will create one of more pools using the definitions found in the +`pool_defs.yml` YAML file. The pools will contain one or more ranges with +each of the ranges first being populated with entries from the +`existing_ips.txt` file that fall within the range, before being filled +with random addresses to the defined capacity. +============================================= diff --git a/doc/antora/modules/howto/pages/tuning/tuning_guide.adoc b/doc/antora/modules/howto/pages/tuning/tuning_guide.adoc index bb534982ad4..f48498879d5 100644 --- a/doc/antora/modules/howto/pages/tuning/tuning_guide.adoc +++ b/doc/antora/modules/howto/pages/tuning/tuning_guide.adoc @@ -40,7 +40,7 @@ caching the user default/regular profiles. == SQL Module -* Use the sql module in the session section instead of the radutmp +* Use the sql module in the session section instead of the deprecated radutmp module. It works _much_ quicker. * Create a multi column index for the (`UserName`, `AcctStopTime`) attributes especially if you are using sql for double login detection. 
@@ -52,8 +52,3 @@ Especially if you have a lot of access servers or your NAS does not send very random Session-Ids. That way you will always have one candidate row to search for, instead of all the rows that have the same `AcctSessionId`.
-
-== RADUTMP Module
-
-* Enable noatime on the radutmp file
-* Don’t use it
diff --git a/doc/antora/modules/installation/pages/upgrade.adoc b/doc/antora/modules/installation/pages/upgrade.adoc
index 69d4ac738d1..8f501badf0d 100644
--- a/doc/antora/modules/installation/pages/upgrade.adoc
+++ b/doc/antora/modules/installation/pages/upgrade.adoc
@@ -876,17 +876,9 @@ All data received from the network is marked `tainted` by default.
 === rlm_radutmp
-The `case_sensitive` option has been removed. Administrators should
-not be permitting users to log in with multiple different user names.
-If your system needs to be case insensitive, we suggest changing all
-names to lowercase:
-
-```
-recv Access-Request {
- &Stripped-User-Name := %tolower(%{User-Name})
- ...
-}
-```
+The module has been removed. Many Unix distributions have moved away
+from using flat-text files for `utmp`. We recommend using sqlite
+to store session data, instead of radutmp.
 === rlm_rest
diff --git a/doc/antora/modules/reference/nav.adoc b/doc/antora/modules/reference/nav.adoc
index a773710cb24..0c2d4e868d2 100644
--- a/doc/antora/modules/reference/nav.adoc
+++ b/doc/antora/modules/reference/nav.adoc
@@ -177,7 +177,6 @@
 **** xref:raddb/mods-available/perl.adoc[Perl]
 **** xref:raddb/mods-available/python.adoc[Python]
 **** xref:raddb/mods-available/radius.adoc[Radius]
-**** xref:raddb/mods-available/radutmp.adoc[Radutmp]
 **** xref:raddb/mods-available/redis.adoc[REDIS]
 **** xref:raddb/mods-available/redis_ippool.adoc[Redis IP Pool]
 **** xref:raddb/mods-available/rediswho.adoc[REDISWho]
@@ -189,7 +188,6 @@
 **** xref:raddb/mods-available/sql.adoc[SQL]
 **** xref:raddb/mods-available/sqlcounter.adoc[SQL Counter]
 **** xref:raddb/mods-available/sqlippool.adoc[SQL-IP-Pool]
-**** xref:raddb/mods-available/sradutmp.adoc[sRadutmp]
 **** xref:raddb/mods-available/stats.adoc[Stats]
 **** xref:raddb/mods-available/totp.adoc[TOTP]
 **** xref:raddb/mods-available/unbound.adoc[Unbound]
diff --git a/doc/antora/modules/reference/pages/man/radclient.1 b/doc/antora/modules/reference/pages/man/radclient.1
new file mode 100644
index 00000000000..afd1464032d
--- /dev/null
+++ b/doc/antora/modules/reference/pages/man/radclient.1
@@ -0,0 +1,242 @@ +'\" t +.\" Title: radclient +.\" Author: Alan DeKok +.\" Generator: Asciidoctor 2.0.10 +.\" Date: 2020-12-21 +.\" Manual: FreeRADIUS +.\" Source: FreeRADIUS +.\" Language: English +.\" +.TH "RADCLIENT" "1" "2020-12-21" "FreeRADIUS" "FreeRADIUS" +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.ss \n[.ss] 0 +.nh +.ad l +.de URL +\fI\\$2\fP <\\$1>\\$3 +.. +.als MTO URL +.if \n[.g] \{\ +. mso www.tmac +. am URL +. ad l +. . +. am MTO +. ad l +. . +. LINKSTYLE blue R < > +.\} +.SH "NAME" +radclient \- send packets to a RADIUS server, show reply +.SH "SYNOPSIS" +.sp +\fBradclient\fP \fI[ OPTIONS ]\fP \fIserver {acct|auth|status|disconnect|auto} secret\fP +.SH "DESCRIPTION" +.sp +`radclient* is a radius client program. It can send arbitrary radius +packets to a radius server, then shows the reply. It can be used to test +changes you made in the configuration of the radius server, or it can be +used to monitor if a radius server is up. +.sp +\fBradclient\fP reads radius attribute/value pairs from it standard input, +or from a file specified on the command line. It then encodes these +attribute/value pairs using the dictionary, and sends them to the remote +server. +.sp +The \f(CRUser\-Password\fP and \f(CRCHAP\-Password\fP attributes are automatically +encrypted before the packet is sent to the server. +.SH "OPTIONS" +.sp +\fB\-4\fP +.RS 4 +Use IPv4 (default) +.RE +.sp +\fB\-6\fP +.RS 4 +Use IPv6 +.RE +.sp +\fB\-c count\fP +.RS 4 +Send each packet \fIcount\fP times. +.RE +.sp +\fB\-d config_dir\fP +.RS 4 +The directory that contains the user dictionary file. Defaults to +\f(CR/etc/raddb\fP. +.RE +.sp +\fB\-D dict_dir\fP +.RS 4 +The directory that contains the main dictionary file. Defaults to +\f(CR/usr/share/freeradius/dictionary\fP. +.RE +.sp +\fB\-f filename[:filename]\fP +.RS 4 +File to read the attribute/value pairs from. If this is not specified, +they are read from stdin. 
This option can be specified multiple times, +in which case packets are sent in order by file, and within each file, +by first packet to last packet. A blank line separates logical packets +within a file. If a pair of files separated by a colon is specified, the +second file will be used to filter the responses to requests from the +first. The number of requests and filters must be the same. A summary of +filter results will be displayed if \-s is passed. +.RE +.sp +\fB\-F\fP +.RS 4 +Print the file name, packet number and reply code. +.RE +.sp +\fB\-h\fP +.RS 4 +Print usage help information. +.RE +.sp +\fB\-i id\fP +.RS 4 +Use \fIid\fP as the RADIUS request Id. +.RE +.sp +\fB\-n number\fP +.RS 4 + Try to send \fInumber\fP requests per second, evenly spaced. This option +allows you to slow down the rate at which radclient sends requests. When +not using \f(CR\-n\fP, the default is to send packets as quickly as possible, +with no inter\-packet delays. ++ +Due to limitations in radclient, this option does not accurately send +the requested number of packets per second. +.RE +.sp +\fB\-p number\fP +.RS 4 + Send \fInumber\fP requests in parallel, without waiting for a response +for each one. By default, radclient sends the first request it has +read, waits for the response, and once the response is received, +sends the second request in its list. This option allows you to send +many requests at simultaneously. Once \fInumber\fP are sent, radclient +waits for all of the responses to arrive (or for the requests to +time out), before sending any more packets. ++ +This option permits you to discover the maximum load accepted by a +RADIUS server. +.RE +.sp +\fB\-P proto\fP +.RS 4 +Use \fIproto\fP transport protocol ("tcp" or "udp"). Only available if +FreeRADIUS is compiled with TCP transport support. +.RE +.sp +\fB\-q\fP +.RS 4 +Go to quiet mode, and do not print out anything. 
+.RE +.sp +\fB\-r number\fP +.RS 4 +Try to send each packet \fInumber\fP of times as retries, before giving up on it. +The default is 10. +.RE +.sp +\fB\-s\fP +.RS 4 +Print out some summaries of packets sent and received. +.RE +.sp +\fB\-S filename\fP +.RS 4 + Rather than reading the shared secret from the command\-line (where it +can be seen by others on the local system), read it instead from +\fIfilename\fP. +.RE +.sp +\fB\-t timeout\fP +.RS 4 +Wait \fItimeout\fP seconds before deciding that the NAS has not responded +to a request, and re\-sending the packet. The default timeout is 3. +.RE +.sp +\fB\-v\fP +.RS 4 +Print out version information. +.RE +.sp +\fB\-x\fP +.RS 4 +Print out debugging information. +.RE +.sp +\fBserver[:port]\fP +.RS 4 + The hostname or IP address of the remote server. Optionally a UDP port +can be specified. If no UDP port is specified, it is looked up in +\f(CR/etc/services\fP. The service name looked for is \fBradacct\fP for accounting +packets, and \fBradius\fP for all other requests. If a service is not found +in \f(CR/etc/services\fP, 1813 and 1812 are used respectively. ++ +The RADIUS attributes read by \fIradclient\fP can contain the special +attribute \f(CRPacket\-Dst\-IP\-Address\fP. If this attribute exists, then that +IP address is where the packet is sent, and the \fBserver\fP specified on +the command\-line is ignored. ++ +If the RADIUS attribute list always contains the \f(CRPacket\-Dst\-IP\-Address\fP +attribute, then the \fBserver\fP parameter can be given as \fB\-\fP. ++ +The RADIUS attributes read by \fIradclient\fP can contain the special +attribute \f(CRPacket\-Dst\-Port\fP. If this attribute exists, then that UDP +port is where the packet is sent, and the \fB:port\fP specified on the +command\-line is ignored. 
+.RE +.sp +\fBauth | acct | status | disconnect | auto\fP +.RS 4 + Use \fBauth\fP to send an authentication packet (Access\-Request), \fBacct\fP +to send an accounting packet (Accounting\-Request), \fBstatus\fP to send an +status packet (Status\-Server), or \fBdisconnect\fP to send a disconnection +request. Instead of these values, you can also use a decimal code here. +For example, code 12 is also \fBStatus\-Server\fP. ++ +The RADIUS attributes read by \fIradclient\fP can contain the special +attribute \f(CRPacket\-Type\fP. If this attribute exists, then that type of +packet is sent, and the \fItype\fP specified on the command\-line is ignored. ++ +If the RADIUS attribute list always contains the \f(CRPacket\-Type\fP +attribute, then the \fBtype\fP parameter can be given as \fBauto\fP. +.RE +.sp +\fBsecret\fP +.RS 4 +The shared secret for this client. It needs to be defined on the +radius server side too, for the IP address you are sending the radius +packets from. +.RE +.SH "EXAMPLE" +.sp +A sample session that queries the remote server for \fIStatus\-Server\fP. +Not all servers support this, but FreeRADIUS has configurable support +for it. +.sp +.if n .RS 4 +.nf +$ echo "Message\-Authenticator = 0x00" | radclient 192.0.2.42 status s3cr3t +Sending request to server 192.0.2.42, port 1812. +Received Packet from host 192.0.2.42 code=2, id=140, length=54 + Reply\-Message = "FreeRADIUS up 21 days, 02:05" +.fi +.if n .RE +.SH "SEE ALSO" +.sp +radiusd(8), +.SH "AUTHOR" +.sp +The FreeRADIUS Server Project (\c +.URL "http://www.freeradius.org" "" ")" +.SH "AUTHOR" +.sp +Alan DeKok \ No newline at end of file diff --git a/doc/antora/modules/reference/pages/man/radiusd.8 b/doc/antora/modules/reference/pages/man/radiusd.8 new file mode 100644 index 00000000000..053ae5bffca --- /dev/null +++ b/doc/antora/modules/reference/pages/man/radiusd.8 
@@ -0,0 +1,264 @@ +'\" t +.\" Title: radiusd +.\" Author: Alan DeKok +.\" Generator: Asciidoctor 2.0.10 +.\" Date: 2020-12-21 +.\" Manual: FreeRADIUS +.\" Source: FreeRADIUS +.\" Language: English +.\" +.TH "RADIUSD" "8" "2020-12-21" "FreeRADIUS" "FreeRADIUS" +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.ss \n[.ss] 0 +.nh +.ad l +.de URL +\fI\\$2\fP <\\$1>\\$3 +.. +.als MTO URL +.if \n[.g] \{\ +. mso www.tmac +. am URL +. ad l +. . +. am MTO +. ad l +. . +. LINKSTYLE blue R < > +.\} +.SH "NAME" +radiusd \- Authentication, Authorization and Accounting server +.SH "SYNOPSIS" +.sp +\fBradiusd\fP [\fB\-C\fP] [\fB\-d\fP \fIconfig_directory\fP] [\fB\-f\fP] [\fB\-h\fP] [\fB\-l\fP +\fIlog_file\fP] [\fB\-m\fP] [\fB\-n\fP \fIname\fP] [\fB\-s\fP] [\fB\-t\fP] [\fB\-T\fP] [\fB\-v\fP] [\fB\-x\fP] +[\fB\-X\fP] +.SH "DESCRIPTION" +.sp +FreeRADIUS is a high\-performance and highly configurable RADIUS server. +It supports many database back\-ends such as flat\-text files, SQL, LDAP, +Perl, Python, etc. It also supports many authentication protocols such +as PAP, CHAP, MS\-CHAP(v2), HTTP Digest, and EAP (EAP\-MD5, EAP\-TLS, PEAP, +EAP\-TTLS, EAP\-SIM, etc.). +.sp +It also has full support for Cisco\(cqs VLAN Query Protocol (VMPS) and DHCP. +.sp +Please read the DEBUGGING section below. It contains instructions for +quickly configuring the server for your local system. +.SH "OPTIONS" +.sp +The following command\-line options are accepted by the server. +.sp +\fB\-C\fP +.RS 4 +Check the configuration and exit immediately. If there is a problem +reading the configuration, then the server will exit with a non\-zero +status code. If the configuration appears to be acceptable, then the +server will exit with a zero status code. +.sp +Note that there are limitations to this check. Due to the complexities +involved in \fIalmost\fP starting a RADIUS server, these checks are +necessarily incomplete. 
The server can return a zero status code when +run with \f(CR\-C\fP, but may still exit with an error when run normally. +.sp +See the output of \f(CRradiusd \-XC\fP for a list of which modules are +checked for correct configuration, and which modules are skipped, +and therefore not checked. +.RE +.sp +\fB\-d config_directory\fP +.RS 4 +Defaults to \f(CR/etc/raddb\fP. \f(CRRadiusd\fP looks here for its configuration +files such as the \f(CRdictionary\fP and the \f(CRusers\fP files. +.RE +.sp +\fB\-f\fP +.RS 4 +Do not fork, stay running as a foreground process. +.RE +.sp +\fB\-h\fP +.RS 4 +Print usage help information. +.RE +.sp +\fB\-l log_file\fP +.RS 4 +Defaults to \f(CR${logdir}/radius.log\fP. \f(CRRadiusd\fP writes its logging +information to this file. If \f(CRlog_file\fP is the string \f(CRstdout\fP, then +logging messages will be written to stdout. +.RE +.sp +\fB\-m\fP +.RS 4 +On SIGINT or SIGQUIT exit cleanly instead of immediately. This is most +useful for when running the server with "valgrind". +.RE +.sp +\fB\-n name\fP +.RS 4 +Read \f(CRraddb/name.conf\fP instead of \f(CRraddb/radiusd.conf\fP. +.sp +Note that by default, the server looks for a configuration file +which matches its own name. Creating a soft link from file \f(CRfoo\fP +to \f(CRradiusd\fP, and then running the program \f(CRfoo\fP, will cause the +binary to look for \f(CRraddb/foo.conf\fP. +.RE +.sp +\fB\-s\fP +.RS 4 +Run in "single server" mode. The server normally runs with multiple +threads and/or processes, which can lower its response time to +requests. In single server mode, the server will not "daemonize" +(auto\-background) itself. +.RE +.sp +\fB\-t\fP +.RS 4 +Do not spawn threads. +.RE +.sp +\fB\-T\fP +.RS 4 +Always add timestamps to log messages. +.RE +.sp +\fB\-v\fP +.RS 4 +Print server version information and exit. +.RE +.sp +\fB\-X\fP +.RS 4 +Debugging mode. This argument is equivalent to using \f(CR\-sfxx \-l +stdout\fP. 
When trying to understand how the server works, ALWAYS run +it with \f(CRradiusd \-X\fP. For production servers, use the \f(CRraddebug\fP +program. +.RE +.sp +\fB\-x\fP +.RS 4 +Finer\-grained debug mode. In this mode the server will print details +of every request to the default logging destination. Using multiple +\f(CR\-x\fP options will increase the debug output. +.RE +.SH "DEBUGGING" +.sp +The default configuration is set to work in the widest possible +circumstances. It requires minimal changes for your system. +.sp +However, your needs may be complex, and may require significant changes +to the server configuration. Making random changes is a guaranteed +method of failure. Instead, we STRONGLY RECOMMEND proceeding via the +following steps: +.sp +1) Always run the server in debugging mode ( \f(CRradiusd \-X\fP ) after +making a configuration change. We cannot emphasize this enough. If you +are not running the server in debugging mode, you \fIwill not\fP be able to +see what is doing, and you \fIwill not\fP be able to correct any problems. +.sp +If you ask questions on the mailing list, the first response will be to +tell you "run the server in debugging mode". Please, follow these +instructions. +.sp +2) Change as little as possible in the default configuration +files. The server contains a decade of experience with protocols, +databases, and different systems. Its default configuration is designed +to work almost everywhere, and to do almost everything you need. +.sp +3) When you make a small change, testing it before changing +anything else. If the change works, save a copy of the configuration, +and make another change. If the change doesn\(cqt work, debug it, and try +to understand why it doesn\(cqt work. +.sp +If you begin by making large changes to the server configuration, it +will never work, and you will never be able to debug the problem. +.sp +4) If you need to add a connection to a database FOO (e.g. 
LDAP +or SQL), then: + +.br +a) Edit \f(CRraddb/modules/foo\fP + +.br +This file contains the default configuration for the module. It contains +comments describing what can be configured, and what those configuration +entries mean. + +.br +b) Edit \f(CRraddb/sites\-available/default\fP + +.br +This file contains the default policy for the server. e.g. "enable CHAP, +MS\-CHAP, and EAP authentication". Look in this file for all references +to your module "foo". Read the comments, and remove the leading hash \(aq#\(aq +from the lines referencing the module. This enables the module. + +.br +c) Edit \f(CRraddb/sites\-available/inner\-tunnel\fP + +.br +This file contains the default policy for the "tunneled" portion of +certain EAP methods. Perform the same kind of edits as above, for the +"default" file.. If you are not using EAP (802.1X), then this step can +be skipped. + +.br +d) Start the server in debugging mode ( \f(CRradiusd \-X\fP ), and start +testing. +.sp +5) Ask questions on the mailing list + +.br +(\c +.MTO "freeradius\-users\(atlists.freeradius.org" "" ")." +When asking questions, include +the output from debugging mode ( \f(CRradiusd \-X\fP ). This information will +allow people to help you. If you do not include it, the first response +to your message will be "post the output of debug mode". +.sp +Ask questions earlier, rather than later. If you cannot solve a problem +in a day, ask a question on the mailing list. Most questions have been +seen before, and can be answered quickly. +.SH "BACKGROUND" +.sp +\fBRADIUS\fP is a protocol spoken between an access server, typically a +device connected to several modems or ISDN lines, and a \fBradius\fP server. +When a user connects to the access server, (s)he is asked for a +loginname and a password. This information is then sent to the \fBradius\fP +server. The server replies with "access denied", or "access OK". 
In the +latter case login information is sent along, such as the IP address in +the case of a PPP connection. +.SH "CONFIGURATION" +.sp +\f(CRradiusd\fP uses a number of configuration files. Each file has its own +manpage describing the format of the file. These files are: +.sp +\fBradiusd.conf\fP +.RS 4 +The main configuration file, which sets the administrator\-controlled +items. +.RE +.sp +\fBdictionary\fP +.RS 4 +This file is usually static. It defines all the possible RADIUS +attributes used in the other configuration files. You don\(cqt have to +modify it. It includes other dictionary files in the same directory. +.RE +.sp +\fBunlang\fP +.RS 4 +The processing and policy language used in the server. +.RE +.SH "SEE ALSO" +.sp +radiusd.conf(5), dictionary(5), unlang(5), raddebug(8) +.SH "AUTHOR" +.sp +The FreeRADIUS Server Project (\c +.URL "http://www.freeradius.org" "" ")" +.SH "AUTHOR" +.sp +Alan DeKok \ No newline at end of file diff --git a/doc/antora/modules/reference/pages/man/radmin.8 b/doc/antora/modules/reference/pages/man/radmin.8 new file mode 100644 index 00000000000..6114c3dab96 --- /dev/null +++ b/doc/antora/modules/reference/pages/man/radmin.8 
@@ -0,0 +1,784 @@ +'\" t +.\" Title: radmin +.\" Author: Alan DeKok +.\" Generator: Asciidoctor 2.0.10 +.\" Date: 2020-12-21 +.\" Manual: FreeRADIUS +.\" Source: FreeRADIUS +.\" Language: English +.\" +.TH "RADMIN" "8" "2020-12-21" "FreeRADIUS" "FreeRADIUS" +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.ss \n[.ss] 0 +.nh +.ad l +.de URL +\fI\\$2\fP <\\$1>\\$3 +.. +.als MTO URL +.if \n[.g] \{\ +. mso www.tmac +. am URL +. ad l +. . +. am MTO +. ad l +. . +. LINKSTYLE blue R < > +.\} +.SH "NAME" +radmin \- FreeRADIUS Administration tool +.SH "SYNOPSIS" +.sp +\fBradmin\fP [\fB\-d\fP \fIconfig_directory\fP] [\fB\-e\fP \fIcommand\fP] [\fB\-E\fP] [\fB\-f\fP +\fIsocket_file\fP] [\fB\-h\fP] [\fB\-i\fP \fIinput_file\fP] [\fB\-l\fP \fIlog_file\fP] [\fB\-n\fP +\fIname\fP] [\fB\-q\fP] +.SH "DESCRIPTION" +.sp +FreeRADIUS Server administration tool that connects to the control +socket of a running server, and gives a command\-line interface to it. +.sp +At this time, only a few commands are supported. Please type "help" at +the command prompt for detailed information about the supported +commands. +.SH "WARNING" +.sp +The security protections offered by this command are limited to the +permissions on the Unix domain socket, and the server configuration. If +someone can connect to the Unix domain socket, they have a substantial +amount of control over the server. +.SH "OPTIONS" +.sp +The following command\-line options are accepted by the program. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server +configuration files to find the "listen" section that defines the +control socket filename. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Run \fIcommand\fP and exit. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Echo commands as they are being executed. 
+.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Specify the socket filename directly. The radiusd.conf file is not +read. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Print usage help information. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Reads input from the specified file. If not specified, stdin is used. +This also sets "\-q". +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Writes the commands which are executed to this log file. This +functionality is off by default. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Quiet mode. +.RE +.SH "COMMANDS" +.sp +The commands implemented by the command\-line interface are almost +completely controlled by the server. There are a few commands +interpreted locally by radmin: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Reconnect to the server. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Exit from radmin. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Exit from radmin. +.RE +.sp +The other commands are implemented by the server. Type "help" at the +prompt for more information. +.SH "EXAMPLES" +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Set debug logs to /var/log/radius/bob.log. There is very little +checking of this filename. Rogue administrators may be able use this +command to over\-write almost any file on the system. If those +administrators have write access to "radius.conf", they can do the same +thing without radmin, too. 
+.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Enable debugging output for all requests that match the condition. Any +"unlang" condition is valid here. The condition is parsed as a string, +so it must be enclosed in single or double quotes. Strings enclosed in +double\-quotes must have back\-slashes and the quotation marks escaped +inside of the string. +.RE +.sp +Only one debug condition can be active at a time. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +A more complex condition that enables debugging output for requests +containing User\-Name "bob", or requests that originate from source IP +address 192.0.2.22. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Disable debug conditionals. +.RE +.SH "FULL LIST OF COMMANDS" +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +do sub\-command of add +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Add client configuration commands +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Add new client definition from +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +debugging commands +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Enable debugging for requests matching [condition] +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Set debug level to . Higher is more debugging. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Send all debugging output to [filename] +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +do sub\-command of del +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. 
IP \(bu 2.3 +.\} +Delete client configuration commands +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Delete a dynamically created client +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +sends a HUP signal to the server, or optionally to one module +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +commands to inject packets into a running server +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Inject packets to the destination IP and port. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Inject packets as if they came from +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Inject packet from input\-file>, with results sent to +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +reconnect to a running server +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +terminates the server, and cause it to exit +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +do sub\-command of set +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +set module commands +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +set configuration for +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +set the module to be alive or dead (always return "fail") +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +set home server commands +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +set state for given home server +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. 
IP \(bu 2.3 +.\} +do sub\-command of show +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +do sub\-command of client +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +show configuration for given client +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +shows list of global clients +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +show debug properties +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Shows current debugging condition. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Shows current debugging level. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Shows current debugging file. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +do sub\-command of home_server +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +show configuration for given home server +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +shows list of home servers +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +shows state of given home server +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +do sub\-command of module +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +show configuration for given module +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +show other module properties +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +shows list of loaded modules +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. 
IP \(bu 2.3 +.\} +show sections where may be used +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +shows time at which server started +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Prints version of the running server +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +Prints out configuration as XML +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +do sub\-command of stats +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +show statistics for given client, or for all clients (auth or acct) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +show statistics for given home server (ipaddr and port), or for all +home servers (auth or acct) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +show statistics for the given detail file +.RE +.SH "SEE ALSO" +.sp +unlang(5), radiusd.conf(5), raddb/sites\-available/control\-socket +.SH "AUTHOR" +.sp +Alan DeKok <\c +.MTO "aland\(atfreeradius.org" "" ">" +.SH "AUTHOR" +.sp +Alan DeKok \ No newline at end of file diff --git a/doc/antora/modules/reference/pages/man/radsniff.8 b/doc/antora/modules/reference/pages/man/radsniff.8 new file mode 100644 index 00000000000..cae33af4a4b --- /dev/null +++ b/doc/antora/modules/reference/pages/man/radsniff.8 
@@ -0,0 +1,262 @@ +'\" t +.\" Title: radsniff +.\" Author: Alan DeKok +.\" Generator: Asciidoctor 2.0.10 +.\" Date: 2020-12-21 +.\" Manual: FreeRADIUS +.\" Source: FreeRADIUS +.\" Language: English +.\" +.TH "RADSNIFF" "8" "2020-12-21" "FreeRADIUS" "FreeRADIUS" +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.ss \n[.ss] 0 +.nh +.ad l +.de URL +\fI\\$2\fP <\\$1>\\$3 +.. +.als MTO URL +.if \n[.g] \{\ +. mso www.tmac +. am URL +. ad l +. . +. am MTO +. ad l +. . +. LINKSTYLE blue R < > +.\} +.SH "NAME" +radsniff \- dump radius protocol +.SH "SYNOPSIS" +.sp +*radsniff \fI[ OPTIONS ]\fP +.SH "DESCRIPTION" +.sp +*radsniff is a simple wrapper around libpcap. It can also print out the +contents of RADIUS packets using the FreeRADIUS dictionaries. +.SH "OPTIONS" +.sp +\fB\-a\fP +.RS 4 +List all interfaces which can be used to capture packets. +.RE +.sp +\fB\-c count\fP +.RS 4 +Number of packets to capture. Exit after capturing \fBcount\fP packets +.RE +.sp +\fB\-C checksum_type\fP +.RS 4 +Enable checksum validation. Specify \f(CRudp\fP or \f(CRradius\fP. +.RE +.sp +\fB\-d config_dir\fP +.RS 4 +The directory that contains the user dictionary file. Defaults to +\f(CR/etc/raddb\fP. +.RE +.sp +\fB\-D dict_dir\fP +.RS 4 +The directory that contains the main dictionary file. Defaults to +\f(CR/usr/share/freeradius/dictionary\fP. +.RE +.sp +\fB\-e event[,event]\fP +.RS 4 + Only log requests with specific \fIevent\fP flags. ++ +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +\fBreceived\fP \- a request or response +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +\fBnorsp\fP \- no response was received to a request +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +\fBrtx\fP \- retransmission of a request which was already seen +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. 
IP \(bu 2.3 +.\} +\fBnoreq\fP \- a response was seen with no matching request +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +\fBreused\fP \- RADIUS ID field was reused too soon +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +. sp -1 +. IP \(bu 2.3 +.\} +\fBerror\fP \- error decoding the packet +.RE +.RE +.sp +\fB\-F\fP +.RS 4 +Filter PCAP file from stdin to stdout. Output file will contain RADIUS +packets. +.RE +.sp +\fB\-f filter\fP +.RS 4 +PCAP filter. (default is \f(CRudp port 1812 or 1813\fP) +.RE +.sp +\fB\-h\fP +.RS 4 +Print usage help information. +.RE +.sp +\fB\-i interface\fP +.RS 4 +Capture from the named \fIinterface\fP. +.RE +.sp +\fB\-I filename\fP +.RS 4 +Read packets from \fIfilename\fP. +.RE +.sp +\fB\-l attr[,attr]\fP +.RS 4 +Output packet signature and a list of named xattributes. +.RE +.sp +\fB\-L attr[,attr]\fP +.RS 4 +Use the named attributes tfor detecting retransmissions +.RE +.sp +\fB\-m\fP +.RS 4 +Print packet headers only, not contents. +.RE +.sp +\fB\-p port\fP +.RS 4 +Listen for packets on port. +.RE +.sp +\fB\-P filename\fP +.RS 4 +Daemonize, and write PID to _filename_x +.RE +.sp +\fB\-q\fP +.RS 4 +Print less debugging information. +.RE +.sp +\fB\-r attribute\-filter\fP +.RS 4 +RADIUS attribute request filter. +.RE +.sp +\fB\-R attribute\-filter\fP +.RS 4 +RADIUS attribute response filter. +.RE +.sp +\fB\-s secret\fP +.RS 4 +RADIUS secret. +.RE +.sp +\fB\-S\fP +.RS 4 +Sort attributes in the packet. Used to compare server results. +.RE +.sp +\fB\-w filename\fP +.RS 4 +Write output packets to \fIfilename\fP. +.RE +.sp +\fB\-x\fP +.RS 4 +Print out debugging information. +.RE +.sp +The following options are for statistics gathering. +.sp +\fB\-E\fP +.RS 4 +Print statistics in CSV format. +.RE +.sp +\fB\-N prefix\fP +.RS 4 +The instance name passed to the collectd plugin. +.RE +.sp +\fB\-O server\fP +.RS 4 +Write output statics to the named collectd server. 
+.RE +.sp +\fB\-T timeout\fP +.RS 4 +The timeout in milliseconds before the request is considered +to be lost. +.RE +.sp +\fB\-W interval\fP +.RS 4 +Write statistics every \fIinterval\fP seconds. +.RE +.SH "SEE ALSO" +.sp +radiusd(8),pcap(3) +.SH "AUTHOR" +.sp +The FreeRADIUS Server Project (\c +.URL "http://www.freeradius.org" "" ")" +.SH "AUTHOR" +.sp +Alan DeKok \ No newline at end of file diff --git a/doc/antora/modules/reference/pages/raddb/- b/doc/antora/modules/reference/pages/raddb/- new file mode 100644 index 00000000000..7f0fb443e13 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/- 
@@ -0,0 +1,224 @@ += Certificates + +This directory contains scripts to create the server certificates. To +make a set of default (i.e. test) certificates, simply type: + +``` +$ ./bootstrap +``` + +The `openssl` command will be run against the sample configuration +files included here, and will make a self-signed certificate authority +(i.e. root CA), and a server certificate. This "root CA" should be +installed on any client machine needing to do EAP-TLS, PEAP, or +EAP-TTLS. + +The Microsoft `XP Extensions` will be automatically included in the +server certificate. Without those extensions Windows clients will refuse +to authenticate to FreeRADIUS. + +The root CA and the `XP Extensions` file also contain a +crlDistributionPoints attribute. The latest release of Windows Phone +needs this to be present for the handset to validate the RADIUS server +certificate. The RADIUS server must have the URI defined but the CA need +not have…however it is best practice for a CA to have a revocation URI. +Note that whilst the Windows Mobile client cannot actually use the CRL +when doing 802.1X it is recommended that the URI be an actual working +URL and contain a revocation format file as there may be other OS +behaviour at play and future OSes that may do something with that URI. + +In general, you should use self-signed certificates for 802.1x (EAP) +authentication. When you list root CAs from other organisations in the +`ca_file`, you permit them to masquerade as you, to authenticate your +users, and to issue client certificates for `EAP-TLS`. + +If you already have CA and server certificates, rename (or delete) this +directory, and create a new `certs` directory containing your +certificates. Note that the `make install` command will NOT over-write +your existing `raddb/certs` directory, which means that the +`bootstrap` command will not be run. 
+ +== New Installations + +We suggest that new installations use the test certificates for initial +tests, and then create real certificates to use for normal user +authentication. See the instructions below for how to create the various +certificates. The old test certificates can be deleted by running the +following command: + +``` +$ make distclean +``` + +Then, follow the instructions below for creating real certificates. + +Once the final certificates have been created, you can delete the +`bootstrap` command from this directory, and delete the +`make_cert_command` configuration from the `tls` sub-section of +`raddb/mods-available/eap`. + +If you do not want to enable EAP-TLS, PEAP, or EAP-TTLS, then delete the +relevant sub-sections from the `raddb/mods-available/eap` file. + +== Root Certificate + +``` +$ vi ca.cnf +``` + +Edit the `input_password` and `output_password` fields to be the +password for the CA certificate. + +Edit the [certificate_authority] section to have the correct values for +your country, state, etc. + +``` +$ make ca +``` + +This step creates CA certificate using both RSA and ECC keys, in the respective +directories. + +``` +$ make rsa/ca.der +``` + +Or: + +``` +$ make ecc/ca.der +``` + +These steps create the DER format of the self-signed certificates, which is can +be imported into Windows. + +== Server Certificate + +The following steps will let you create a server certificate for use +with TLS-based EAP methods, such as EAP-TLS, PEAP, and TTLS. Follow +similar steps to create an "inner-server.pem" file, for use with +EAP-TLS that is tunneled inside of another TLS-based EAP method. + +``` +$ vi server.cnf +``` + +Edit the `input_password` and `output_password` fields to be the +password for the server certificate. + +Edit the [server] section to have the correct values for your country, +state, etc. Be sure that the commonName field here is different from the +commonName for the CA certificate. 
+ +``` +$ make server +``` + +This step creates and verifies the server certificates using both RSA and ECC +keys. + +If you have an existing certificate authority, and wish to create a +certificate signing request for the server certificate, edit server.cnf +as above, and type the following command. + +``` +$ make rsa/server.csr +``` + +Or: + +``` +$ make ecc/server.csr +``` + +You will have to ensure that the certificate contains the XP extensions +needed by Microsoft clients. + +== Client Certificate + +Client certificates are used by EAP-TLS, and optionally by EAP-TTLS and +PEAP. The following steps outline how to create a client certificate +that is signed by the CA certificate created above. You will have to +have the password for the CA certificate in the "input_password" and +"output_password" fields of the ca.cnf file. + +``` +$ vi client.cnf +``` + +Edit the `input_password` and `output_password` fields to be the +password for the client certificate. You will have to give these +passwords to the end user who will be using the certificates. + +Edit the [client] section to have the correct values for your country, +state, etc. Be sure that the commonName field here is the User-Name that +will be used for logins! + +``` +$ make client +``` + +The user's certificates (RSA and ECC) will be in `emailAddress.pem` and +`emailAddress.ecc.pem`, e.g. `user@example.com.pem`. + +To create another client certificate, just repeat the steps for making a +client certificate, being sure to enter a different login name for `commonName`, +and a different password. + +== Performance + +EAP performance for EAP-TLS, TTLS, and PEAP is dominated by SSL +calculations. That is, a normal system can handle PAP authentication at +a rate of 10k packets/s. However, SSL involves RSA calculations, which +are very expensive. To benchmark your system, do: + +``` +$ openssl speed rsa +``` + +or + +``` +$ openssl speed rsa2048 +``` + +to test 2048 bit keys. 
+ +That number is also the maximum number of authentications/s that can +be done for `EAP-TLS` (or `TTLS`, or `PEAP`). Typically eh + +== Compatibility + +The certificates created using this method are known to be compatible +with ALL operating systems. Some common issues are: + +* Most systems now require certain OIDs in the certificates. If it doesn’t see + them, it will stop doing EAP. The most visible effect is that the client + starts EAP, gets a few `Access-Challenge` packets, and then a little while + later re-starts EAP. If this happens, see the FAQ, and the comments in + `raddb/mods-available/eap` for how to fix it. + +* Windows requires the root certificates to be on the client PC. If it + doesn’t have them, you will see the same issue as above. + +* Windows XP post SP2 has a bug where it has problems with certificate + chains. i.e. if the server certificate is an intermediate one, and not a + root one, then authentication will silently fail, as above. + +* Some versions of Windows CE cannot handle 4K RSA certificates. They + will (again) silently fail, as above. + +* In none of these cases will Windows give the end user any reasonable + error message describing what went wrong. This leads people to blame the + RADIUS server. That blame is misplaced. + +* Certificate chains of more than 64K bytes are likely to not + work. Most clients cannot handle 64K certificate chains. Most Access + Points will shut down the EAP session after about 50 round trips, + while 64K certificate chains will take about 60 round trips. So + don’t use large certificate chains. They will only work after + everyone upgrade everything in the network. + +* All other operating systems are known to work with EAP and FreeRADIUS. + This includes Linux, *BSD, Mac OS X, Solaris, etc. along with all + known embedded systems, phones, WiFi devices, etc. 
diff --git a/doc/antora/modules/reference/pages/raddb/ack.conf.adoc b/doc/antora/modules/reference/pages/raddb/ack.conf.adoc new file mode 100644 index 00000000000..9fe4f462b70 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/ack.conf.adoc 
@@ -0,0 +1,730 @@ + + + + += FreeRADIUS server configuration file - 4.0.0 + +Read `man radiusd` before editing this file. See the section +titled DEBUGGING. It outlines a method where you can quickly +obtain the configuration you want, without running into +trouble. + +Run the server in debugging mode, and READ the output. + + $ radiusd -X + +We cannot emphasize this point strongly enough. The vast +majority of problems can be solved by carefully reading the +debugging output, which includes warnings about common issues, +and suggestions for how they may be fixed. + +There may be a lot of output, but look carefully for words like: +`warning`, `error`, `reject`, or `failure`. The messages there +will usually be enough to guide you to a solution. + +If you are going to ask a question on the mailing list, then +explain what you are trying to do, and include the output from +debugging mode (`radiusd -X`). Failure to do so means that all +of the responses to your question will be people telling you +to _post the output of `radiusd -X`_. + + +## Default instance + +The location of other config files and logfiles are declared +in this file. + +Also general configuration for modules can be done in this +file, it is exported through the API to modules that ask for +it. + +See `man radiusd.conf` for documentation on the format of this +file. Note that the individual configuration items are NOT +documented in that "man" page. They are only documented here, +in the comments. + +The `unlang` policy language can be used to create complex +if / else policies. See `man unlang` for details. + +NOTE: The paths used for installed server files. They are set +automatically at install time and will not normally need to be +changed. + + + +name:: the name of the running server. + +See also the `-n` command-line option. + + + +Location of config and logfiles. + + + +Should likely be ${localstatedir}/lib/radiusd + + + +libdir:: Where to find the rlm_* modules. 
+ +This should be automatically set at configuration time. + +If the server builds and installs, but fails at execution time +with an 'undefined symbol' error, then you can use the `libdir` +directive to work around the problem. + +The cause is usually that a library has been installed on your +system in a place where the dynamic linker *cannot* find it. When +executing as root (or another user), your personal environment + *may* be set up to allow the dynamic linker to find the +library. When executing as a daemon, FreeRADIUS *may not* have +the same personalized configuration. + +To work around the problem, find out which library contains +that symbol, and add the directory containing that library to +the end of `libdir`, with a colon separating the directory +names. *No* spaces are allowed. e.g. + + libdir = /usr/local/lib:/opt/package/lib + +You can also try setting the `LD_LIBRARY_PATH` environment +variable in a script which starts the server. + +If that does not work, then you can re-configure and re-build the +server to NOT use shared libraries, via: + + ./configure --disable-shared + make + make install + + + +pidfile:: Where to place the PID of the RADIUS server. + +The server may be signalled while it's running by using this +file. + +This file is written when _only_ running in daemon mode. + +e.g.: `kill -HUP $(cat /var/run/radiusd/radiusd.pid)` + + + +panic_action:: Command to execute if the server dies unexpectedly. + +[WARNING] +==== +FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. +AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. +AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART. + +THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE +PATTACH CAN BE USED AS AN ATTACK VECTOR. +==== + +The panic action is a command which will be executed if the server +receives a fatal, non user generated signal, i.e. `SIGSEGV`, `SIGBUS`, +`SIGABRT` or `SIGFPE`. 
+ +This can be used to start an interactive debugging session so +that information regarding the current state of the server can +be acquired. + +The following string substitutions are available: +- `%e` The currently executing program e.g. `/sbin/radiusd` +- `%p` The PID of the currently executing program e.g. `12345` + +Standard `${}` substitutions are also allowed. + +An example panic action for opening an interactive session in GDB would be: + + +Again, don't use that on a production system. + +An example panic action for opening an automated session in GDB would be: + + +NOTE: That command can be used on a production system. + + + +max_request_time:: The maximum time (in seconds) to handle a request. + +Requests which take more time than this to process may be killed, and +a REJECT message is returned. + +WARNING: If you notice that requests take a long time to be handled, +then this MAY INDICATE a bug in the server, in one of the modules +used to handle a request, OR in your local configuration. + +This problem is most often seen when using an SQL database. If it takes +more than a second or two to receive an answer from the SQL database, +then it probably means that you haven't indexed the database. See your +SQL server documentation for more information. + +Useful range of values: `5` to `120` + + + +max_requests:: The maximum number of requests which the server keeps +track of. This should be `256` multiplied by the number of clients. +e.g. With `4` clients, this number should be `1024`. + +If this number is too low, then when the server becomes busy, +it will not respond to any new requests, until the 'cleanup_delay' +time has passed, and it has removed the old requests. + +If this number is set too high, then the server will use a bit more +memory for no real benefit. + +If you aren't sure what it should be set to, it's better to set it +too high than too low. Setting it to `1000` per client is probably +the highest it should be. 
+ +Useful range of values: `256` to `infinity` + + + +reverse_lookups:: Log the names of clients or just their IP addresses + +e.g., www.freeradius.org (`on`) or 206.47.27.232 (`off`). + +The default is `off` because it would be overall better for the net +if people had to knowingly turn this feature on, since enabling it +means that each client request will result in AT LEAST one lookup +request to the nameserver. Enabling `hostname_lookups` will also +mean that your server may stop randomly for `30` seconds from time +to time, if the DNS requests take too long. + +Turning hostname lookups off also means that the server won't block +for `30` seconds, if it sees an IP address which has no name associated +with it. + +allowed values: {no, yes} + + + +hostname_lookups:: Global toggle for preventing hostname resolution + +The default is `on` because people often use hostnames in configuration +files. The main disadvantage of enabling this is the server may block +at inopportune moments (like opening new connections) if the DNS servers +are unavailable + +allowed values: {no, yes} + + + +Logging section. The various `log_*` configuration items +will eventually be moved here. + + +destination: Destination for log messages. + +This can be one of: + +|=== +| Destination | Description +| files | Log to `file`, as defined below. +| syslog | To syslog (see also the `syslog_facility`, below. +| stdout | Standard output. +| stderr | Standard error. +|=== + +The command-line option `-X` over-rides this option, and forces +logging to go to stdout. + + + +colourise:: Highlight important messages sent to stderr and stdout. + +Option will be ignored (disabled) if output if `TERM` is not +an xterm or output is not to a TTY. + + + +timestamp:: Add a timestamp to the start of every log message. + +By default this is done with log levels of `-Xx` or `-xxx` +where the destination is not syslog, or at all levels where the +output is a file. 
+ +The config option below forcefully enables or disables timestamps +irrespective of the log destination. + +NOTE: Is overridden by the `-T` command line option. + + + +file:: The logging messages for the server are appended to the +tail of this file `if ${destination} == "files"` + +NOTE: If the server is running in debugging mode, this file is +NOT used. + + + +syslog_facility:: Which syslog facility to use, `if ${destination} == "syslog"`. + +The exact values permitted here are _OS-dependent_. You probably +don't want to change this. + + + +.ENVIRONMENT VARIABLES + +You can reference environment variables using an expansion like +`$ENV{PATH}`. However it is sometimes useful to be able to also set +environment variables. This section lets you do that. + +The main purpose of this section is to allow administrators to keep +RADIUS-specific configuration in the RADIUS configuration files. +For example, if you need to set an environment variable which is +used by a module. You could put that variable into a shell script, +but that's awkward. Instead, just list it here. + +Note that these environment variables are set AFTER the +configuration file is loaded. So you cannot set FOO here, and +expect to reference it via `$ENV{FOO}` in another configuration file. +You should instead just use a normal configuration variable for +that. + + +Set environment varable `FOO` to value '/bar/baz'. + +NOTE: Note that you MUST use '='. You CANNOT use '+=' to append +values. + + + +Delete environment variable `BAR`. + + + +`LD_PRELOAD` is special. It is normally set before the +application runs, and is interpreted by the dynamic linker. +Which means you cannot set it inside of an application, and +expect it to load libraries. + +Since this functionality is useful, we extend it here. + +You can set + +LD_PRELOAD = /path/to/library.so + +and the server will load the named libraries. Multiple +libraries can be loaded by specificing multiple individual +`LD_PRELOAD` entries. 
+ + + + +.Templates + +Template files hold common definitions that can be used in other +server sections. When a template is referenced, the configuration +items within the referenced template are copied to the referencing +section. + +Using templates reduces repetition of common configuration items, +which in turn makes the server configuration easier to maintain. + +See template.d/default for examples of using templates, and the +referencing syntax. + + + +.Security Configuration + +There may be multiple methods of attacking on the server. This +section holds the configuration items which minimize the impact +of those attacks + + +chroot: directory where the server does "chroot". + +The chroot is done very early in the process of starting +the server. After the chroot has been performed it +switches to the `user` listed below (which MUST be +specified). If `group` is specified, it switches to that +group, too. Any other groups listed for the specified +`user` in `/etc/group` are also added as part of this +process. + +The current working directory (chdir / cd) is left + *outside* of the `chroot` until all of the modules have been +initialized. This allows the `raddb` directory to be left +outside of the `chroot`. Once the modules have been +initialized, it does a `chdir` to `${logdir}`. This means +that it should be impossible to break out of the chroot. + +If you are worried about security issues related to this +use of chdir, then simply ensure that the "raddb" directory +is inside of the chroot, end be sure to do "cd raddb" +BEFORE starting the server. + +If the server is statically linked, then the only files +that have to exist in the chroot are `${run_dir}` and +`${logdir}`. If you do the `cd raddb` as discussed above, +then the `raddb` directory has to be inside of the `chroot` +directory, too. + + + +user:: +group:: + +The name (or `#number`) of the `user`/`group` to run `radiusd` as. 
+ +If these are commented out, the server will run as the +user/group that started it. In order to change to a +different user/group, you MUST be root ( or have root +privileges ) to start the server. + +We STRONGLY recommend that you run the server with as few +permissions as possible. That is, if you're not using +shadow passwords, the user and group items below should be +set to radius'. + +NOTE: Some kernels refuse to `setgid(group)` when the +value of (unsigned)group is above 60000; don't use group +`nobody` on these systems! + +On systems with shadow passwords, you might have to set +`group = shadow` for the server to be able to read the +shadow password file. If you can authenticate users while +in debug mode, but not in daemon mode, it may be that the +debugging mode server is running as a user that can read +the shadow info, and the user listed below can not. + +The server will also try to use `initgroups` to read +/etc/groups. It will join all groups where "user" is a +member. This can allow for some finer-grained access +controls. + + + +allow_core_dumps:: Core dumps are a bad thing. + +This should only be set to `yes` if you're debugging +a problem with the server. + +allowed values: {no, yes} + + + +max_attributes:: The maximum number of attributes +permitted in a RADIUS packet. Packets which have MORE +than this number of attributes in them will be dropped. + +If this number is set too low, then no RADIUS packets +will be accepted. + +If this number is set too high, then an attacker may be +able to send a small number of packets which will cause +the server to use all available memory on the machine. + +Setting this number to 0 means "allow any number of attributes" + + + +allow_vulnerable_openssl: Allow the server to start with +versions of OpenSSL known to have critical vulnerabilities. + +This check is based on the version number reported by libssl +and may not reflect patches applied to libssl by +distribution maintainers. 
+ + + +openssl_fips_mode:: Enable OpenSSL FIPS mode. + +This disables non-FIPS compliant digests and algorithms + + + +.Clients Configuration + +Client configuration is defined in `clients.conf`. + +[WARNING] +==== +The `clients.conf` file contains all of the information from the old +`clients` and `naslist` configuration files. We recommend that you +do NOT use `client's` or `naslist`, although they are still +supported. + +Anything listed in 'clients.conf' will take precedence over the +information from the old-style configuration files. +==== + + + +.Thread Pool Configuration + +In v4, the thread pool does not change size dynamically. Instead, +there are a small number of threads which read from the network, +and a slightly larger number of threads which process a request. + + +num_networks:: Only one network thread is supported for now. + + + +num_workers:: The worker threads can be varied. It should be +at least one, and no more than 32. Since each request is +non-blocking, there is no reason to run hundreds of threads +as in v3. + + + +.SNMP notifications. + +Uncomment the following line to enable snmptraps. Note that you +MUST also configure the full path to the `snmptrap` command in +the `trigger.conf` file. + + + +.Module Configuration + +The names and configuration of each module is located in this section. + +After the modules are defined here, they may be referred to by name, +in other sections of this configuration file. + + +Each module has a configuration as follows: + +``` +name [ instance ] { + config_item = value + ... +} +``` + +The `name` is used to load the `rlm_name` library +which implements the functionality of the module. + +The 'instance' is optional. To have two different instances +of a module, it first must be referred to by 'name'. +The different copies of the module are then created by +inventing two 'instance' names, e.g. 
'instance1' and 'instance2' + +The instance names can then be used in later configuration +INSTEAD of the original 'name'. See the 'radutmp' configuration +for an example. + + + +Some modules have ordering issues. + +e.g. `sqlippool` uses the configuration from `sql`. +In that case, the `sql` module must be read off of disk before +the `sqlippool`. + +However, the directory inclusion below just reads the +directory from start to finish. Which means that the +modules are read off of disk randomly. + +As of `>= 3.0.18`, you can list individual modules *before* the +directory inclusion. Those modules will be loaded first. +Then, when the directory is read, those modules will be +skipped and not read twice. + + + +Modules are in mods-enabled/. Files matching +the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are +initialized ONLY if they are referenced in a processing +section, such as authorize, authenticate, accounting, +pre/post-proxy, etc. + + + +.Instantiation + +This section orders the loading of the modules. Modules +listed here will get loaded BEFORE the later sections like +authorize, authenticate, etc. get examined. + +This section is not strictly needed. When a section like +authorize refers to a module, it's automatically loaded and +initialized. However, some modules may not be listed in any +of the following sections, so they can be listed here. + +Also, listing modules here ensures that you have control over +the order in which they are initialized. If one module needs +something defined by another module, you can list them in order +here, and ensure that the configuration will be OK. + +After the modules listed here have been loaded, all of the modules +in the "mods-enabled" directory will be loaded. Loading the +"mods-enabled" directory means that unlike Version 2, you usually +don't need to list modules here. + + +We list the counter module here so that it registers +the check_name attribute before any module which sets +it. 
+ + + +subsections here can be thought of as `virtual` modules. + +e.g. If you have two redundant SQL servers, and you want to +use them in the authorize and accounting sections, you could +place a `redundant` block in each section, containing the +exact same text. Or, you could uncomment the following +lines, and list `redundant_sql` in the authorize and +accounting sections. + +The `virtual` module defined here can also be used with +dynamic expansions, under a few conditions: + + * The section is `redundant`, or `load-balance`, or + `redundant-load-balance` + * The section contains modules ONLY, and no sub-sections + * All modules in the section are using the same rlm_ + driver, e.g. They are all sql, or all ldap, etc. + +When those conditions are satisfied, the server will +automatically register a dynamic expansion, using the +name of the `virtual` module. In the example below, +it will be `redundant_sql`. You can then use this expansion +just like any other: + + update reply { + Filter-Id := "%{redundant_sql: ... }" + } + +In this example, the expansion is done via module `sql1`, +and if that expansion fails, using module `sql2`. + +For best results, configure the `pool` subsection of the +module so that `retry_delay` is non-zero. That will allow +the redundant block to quickly ignore all "down" SQL +databases. If instead we have `retry_delay = 0`, then +every time the redundant block is used, the server will try +to open a connection to every `down` database, causing +problems. + + sql1 + sql2 + + +.Policies + +Policies are virtual modules, similar to those defined in the +`instantiate` section above. + +Defining a policy in one of the `policy.d` files means that it can be +referenced in multiple places as a *name*, rather than as a series of +conditions to match, and actions to take. + +Policies are something like subroutines in a normal language, but +they cannot be called recursively. They MUST be defined in order. 
+If policy A calls policy B, then B MUST be defined before A. + + + +.Load virtual servers. + +This next $INCLUDE line loads files in the directory that +match the regular expression: /[a-zA-Z0-9_.]+/ + +It allows you to define new virtual servers simply by placing +a file into the raddb/sites-enabled/ directory. + +All of the other configuration sections like: + + * `recv Access-Request {}` + * `process Access-Request {}` + * `process Accounting-Request {}` + +Have been moved to the the file: + +`raddb/sites-available/default` + +This is the `default` virtual server that has the same +configuration as in version 1.0.x and 1.1.x. The default +installation enables this virtual server. You should +edit it to create policies for your local site. + +For more documentation on virtual servers, see: + +`doc/raddb/sites-available/index.adoc` + + +== Default Configuration + +``` +prefix = /Users/alandekok/git/wrapper//install +exec_prefix = ${prefix} +sysconfdir = ${prefix}/etc +localstatedir = ${prefix}/var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct +name = radiusd +confdir = ${raddbdir} +modconfdir = ${confdir}/mods-config +certdir = ${confdir}/certs +cadir = ${confdir}/certs +run_dir = ${localstatedir}/run/${name} +db_dir = ${raddbdir} +libdir = ${exec_prefix}/lib +pidfile = ${run_dir}/${name}.pid +#panic_action = "gdb %e %p" +#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log" +max_request_time = 30 +max_requests = 16384 +reverse_lookups = no +hostname_lookups = yes +log { + destination = files + colourise = yes +# timestamp = no + file = ${logdir}/radius.log + syslog_facility = daemon +} +ENV { +# FOO = '/bar/baz' +# BAR +# LD_PRELOAD = /path/to/library1.so +# LD_PRELOAD = /path/to/library2.so +} +templates { + $INCLUDE template.d/ +} +security { +# chroot = /path/to/chroot/directory +# user = radius +# group = radius + 
allow_core_dumps = no + max_attributes = 200 + allow_vulnerable_openssl = no +# openssl_fips_mode = no +} +$INCLUDE clients.conf +thread pool { + num_networks = 1 + num_workers = 4 +} +#$INCLUDE trigger.conf +modules { +# $INCLUDE mods-enabled/sql + $INCLUDE mods-enabled/ +} +instantiate { +# daily +# redundant redundant_sql { +# } +} +policy { + $INCLUDE policy.d/ +} +$INCLUDE ack-enabled/ +``` diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/README.md b/doc/antora/modules/reference/pages/raddb/mods-available/README.md new file mode 100644 index 00000000000..3af24e56163 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/mods-available/README.md 
@@ -0,0 +1,80 @@ +# Modules in Version 4 + +As of Version 3, all of the modules have been places in the +`mods-available/` directory. This practice follows that used by other +servers such as Nginx, Apache, etc. The "modules" directory should +not be used. + +Modules are enabled by creating a file in the mods-enabled/ directory. +You can also create a soft-link from one directory to another: + + $ cd mods-enabled/ + $ ln -s ../mods-available/foo + +This will enable module `foo`. Be sure that you have configured the +module correctly before enabling it, otherwise the server will not +start. You can verify the server configuration by running +`radiusd -XC`. + +A large number of modules are enabled by default. This allows the +server to work with the largest number of authentication protocols. +Please be careful when disabling modules. You will likely need to +edit the `sites-enabled/` files to remove references to any disabled +modules. + +## Conditional Modules + +FreeRADIUS allows modules to be conditionally loaded. This is useful +when you want to have a virtual server which references a module, but +does not require it. Instead of editing the virtual server file, you +can just conditionally enable the module. + +Modules are conditionally enabled by adding a `-` before their name in +a virtual server. For example, you can do: + + server { + recv Access-Request { + ... + ldap + -sql + ... + } + } + +This says "require the LDAP module, but use the SQL module only if it +is configured." + +This feature is not very useful for production configurations. It is, +however, very useful for the default examples that ship with the +server. + +## Ignoring module + +If you see this message:: + + Ignoring module (see mods-available/README.md) + +Then you are in the right place. Most of the time this message can be +ignored. The message can be fixed by find the references to `-module` +in the virtual server, and deleting them. 
+ +Another way to fix it is to configure the module, as described above. + +## Simplification + +Allowing conditional modules simplifies the default virtual servers +that are shipped with FreeRADIUS. This means that if you want to +enable LDAP (for example), you no longer need to edit the files in +`sites-available/` in order to enable it. + +Instead, you should edit the `mods-available/ldap` file to point to +your local LDAP server. Then, enable the module via the soft-link +method described above. + +Once the module is enabled, it will automatically be used in the +default configuration. + +## List of available modules + + diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/all_modules.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/all_modules.adoc index 34c72c5503f..a60fddc0ce5 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/all_modules.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/all_modules.adoc @@ -47,8 +47,6 @@ of the module. couchbase server as FreeRADIUS starts. | xref:raddb/mods-available/csv.adoc[csv] | Maps values in a CSV file to FreeRADIUS attributes and adds them to the request. | xref:raddb/mods-available/passwd.adoc[passwd] | Reads and caches line-oriented files that are in a format similar to ``/etc/passwd``. -| xref:raddb/mods-available/radutmp.adoc[radutmp] | Writes a utmp style file that lists the users who are logged in. The file is used mainly for Simultaneous-Use checking -and by radwho to see who has current sessions. | xref:raddb/mods-available/redis.adoc[redis] | Provides connectivity to single and clustered instances of Redis. This module exposes a string expansion that may be used to execute queries against Redis. | xref:raddb/mods-available/redis_ippool.adoc[redis_ippool] | Implements a fast and scalable IP allocation system using Redis. Supports both IPv4 and IPv6 address and prefix 
@@ -111,7 +109,6 @@ including syslog, flat files, and raw UDP/TCP sockets.
 | xref:raddb/mods-available/ntlm_auth.adoc[ntlm_auth] | NTLM Auth
 | xref:raddb/mods-available/redundant_sql.adoc[redundant_sql] | redundant_sql
 | xref:raddb/mods-available/smbpasswd.adoc[smbpasswd] | SMBPasswd
-| xref:raddb/mods-available/sradutmp.adoc[sradutmp] | sRadutmp
 | xref:raddb/mods-available/stats.adoc[stats] | Stats
 | xref:raddb/mods-available/totp.adoc[totp] |
 |=====
diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/radutmp.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/radutmp.adoc
deleted file mode 100644
index e54b1cfd9dc..00000000000
--- a/doc/antora/modules/reference/pages/raddb/mods-available/radutmp.adoc
+++ /dev/null
@@ -1,70 +0,0 @@ - - - - -= Radutmp Module - -The `radutmp` module writes a `utmp` style file, of which users are -currently logged in, and where they've logged in from. - -This file is used mainly for `Simultaneous-Use` checking, -and also `radwho`, to see who's currently logged in. - -See also `man 5 utmp`. - - - -## Configuration Settings - - -filename:: Where the file is stored. - -It's not a log file, so it doesn't need rotating. - - - -username:: The field in the packet to key on for the users name. - -If you have other fields which you want to use to key on to control -`Simultaneous-Use`, then you can use them here. - -However, that the size of the field in the `utmp` data -structure is small, around `32` characters, so that will limit -the possible choices of keys. - -TIP: You may want instead: `%{&Stripped-User-Name || &User-Name}`. - - - -check_with_nas:: Accounting information may be lost, so the user MAY -have logged off of the NAS, but we haven't noticed. - -If so, we can verify this information with the NAS. - -If we want to believe the 'utmp' file, then this configuration entry -can be set to `no`. - - - -permissions:: Set the file permissions, as the contents of this file -are usually private. - - - -caller_id:: If enabled, it will extract the field `link:https://freeradius.org/rfc/rfc2865.html#Calling-Station-Id[Calling-Station-Id]` from -the packet and store as `username` information. - -Default is `no`. - - -== Default Configuration - -``` -radutmp { - filename = ${logdir}/radutmp - username = %{User-Name} - check_with_nas = yes - permissions = 0600 -# caller_id = "yes" -} -``` diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/sradutmp.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/sradutmp.adoc deleted file mode 100644 index 2e28bbd68ad..00000000000 --- a/doc/antora/modules/reference/pages/raddb/mods-available/sradutmp.adoc +++ /dev/null 
@@ -1,32 +0,0 @@
-
-
-
-
-= sRadutmp Module
-
-The `sradutmp` module is a _Safe Radutmp_.
-
-It does not contain caller ID, so it can be world-readable, and `radwho`
-can work for normal users, without exposing any information that isn't
-already exposed by who(1).
-
-This is another _instance_ of the `radutmp` module, but it is given
-then name `sradutmp` to identify it later in the `accounting`
-section.
-
-
-
-## Configuration Settings
-
-See the `radutmp` module for common configuration explanation.
-
-
-== Default Configuration
-
-```
-radutmp sradutmp {
- filename = ${logdir}/sradutmp
- permissions = 0644
- caller_id = "no"
-}
-```
diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/unix.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/unix.adoc
index 98ecf560632..db60bb0d5a0 100644
--- a/doc/antora/modules/reference/pages/raddb/mods-available/unix.adoc
+++ b/doc/antora/modules/reference/pages/raddb/mods-available/unix.adoc
@@ -34,22 +34,11 @@ are no longer supported.
 ## Configuration Settings
-radwtmp:: The location of the `wtmp` file.
-
-The only use for `radlast`. If you don't use `radlast`,
-then you can comment out this item.
-
-NOTE: The radwtmp file may get large! You should rotate it
-(cp /dev/null radwtmp), or just not use it.
-
-The default is to not use radwtmp files. It's better to
-use a database.
-
 == Default Configuration
 ```
 unix {
-# radwtmp = ${logdir}/radwtmp
+
 }
 ```
diff --git a/doc/antora/modules/reference/pages/raddb/mods-config/README.md b/doc/antora/modules/reference/pages/raddb/mods-config/README.md
new file mode 100644
index 00000000000..a0740ea3f47
--- /dev/null
+++ b/doc/antora/modules/reference/pages/raddb/mods-config/README.md
@@ -0,0 +1,21 @@ +# The mods-config Directory + +This directory contains module-specific configuration files. These +files are in a format different from the one used by the main +`radiusd.conf` files. Earlier versions of the server had many +module-specific files in the main `raddb` directory. The directory +contained many files, and it was not clear which files did what. + +For Version 3 of FreeRADIUS, we have moved to a consistent naming +scheme. Each module-specific configuration file is placed in this +directory, in a subdirectory named for the module. Where necessary, +files in the subdirectory have been named for the processing section +where they are used. + +For example, the `users` file is now located in +`mods-config/files/authorize`. That filename tells us three things: + +1. The file is used in the `authorize` section. +2. The file is used by the `files` module. +3. It is a "module configuration" file, which is a specific format. + diff --git a/doc/antora/modules/reference/pages/raddb/outgoing.conf.adoc b/doc/antora/modules/reference/pages/raddb/outgoing.conf.adoc new file mode 100644 index 00000000000..ab0b065f3e6 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/outgoing.conf.adoc 
@@ -0,0 +1,68 @@ + +We don't need to set anything here. + + + + + + + +Does nothing other than proxying. + + + + + +== Default Configuration + +``` +modules { +radius { + transport = udp + type = Access-Request + originate = yes + pool { + start = 1 + min = 1 + max = 1 + } + udp { + ipaddr = 127.0.0.1 + port = 1812 + secret = testing123 + } +} +} +log { + colourise = yes +} +server default { + namespace = radius + listen { + type = Access-Request + type = Accounting-Request + type = CoA-Request + type = Disconnect-Request + } + recv Access-Request { + radius + if (ok) { + update reply { + &Packet-Type := Access-Accept + } + } + } + send Access-Accept { + } + send Access-Reject { + } + recv Accounting-Request { + } + send Accounting-Response { + } + recv CoA-Request { + } + recv Disconnect-Request { + } +} +``` diff --git a/doc/antora/modules/reference/pages/raddb/radiusd.conf.adoc b/doc/antora/modules/reference/pages/raddb/radiusd.conf.adoc index 28608a13725..186a5c644df 100644 --- a/doc/antora/modules/reference/pages/raddb/radiusd.conf.adoc +++ b/doc/antora/modules/reference/pages/raddb/radiusd.conf.adoc @@ -628,8 +628,7 @@ The different copies of the module are then created by inventing two 'instance' names, e.g. 'instance1' and 'instance2' The instance names can then be used in later configuration -INSTEAD of the original 'name'. See the 'radutmp' configuration -for an example. +INSTEAD of the original 'name'. diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/README.md b/doc/antora/modules/reference/pages/raddb/sites-available/README.md new file mode 100644 index 00000000000..6f95f904f52 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/sites-available/README.md 
@@ -0,0 +1,337 @@ +# Virtual Servers + +FreeRADIUS 4.0 supports virtual servers. This is probably the +single largest change that is NOT backwards compatible with 1.x. + +The virtual servers do NOT have to be set up with the +`sites-available` and `sites-enabled` directories. You can still +have one "radiusd.conf" file, and put the server configuration +there: + + ... + server { + recv Access-Request { + ... + } + authenticate pap { + ... + } + ... + } + ... + +The power of virtual servers lies in their ability to separate +policies. A policy can be placed into a virtual server, where it is +guaranteed to affect only the requests that are passed through that +virtual server. In 1.x, the policies were global, and it sometimes +took much effort to write a policy so that it only applied in certain +limited situations. + + +## What do we mean by "virtual server"? + +A virtual server is a (nearly complete) RADIUS server, just like a +configuration for FreeRADIUS 1.x. However, FreeRADIUS can now run +multiple virtual servers at the same time. The virtual servers can +even proxy requests to each other! + +The simplest way to create a virtual server is to take the all of +the request processing sections from radius.conf, ("authorize" , +"authenticate", etc.) and wrap them in a "server {}" block, as above. + +You can create another virtual server by: + +1. defining a new "server foo {...}" section in `radiusd.conf` +2. Putting the normal "authorize", etc. sections inside of it +3. Adding a "listen" section *inside* of the "server" section. + +e.g. + + ... + server foo { + listen { + ipaddr = 127.0.0.1 + port = 2000 + type = auth + } + + recv Access-Request { + update control { + Cleartext-Password := "bob" + } + pap + } + + authenticate pap { + pap + } + } + ... 
+ +With that text added to `radiusd.conf`, run the server in debugging +mode (`radiusd -X`), and in another terminal window, type: + + $ radtest bob bob localhost:2000 0 testing123 + +You should see the server return an Access-Accept. + + +## Capabilities and limitations + +The only sub-sections that can appear in a virtual server section +are: + + listen + client + authorize + authenticate + post-auth + pre-proxy + post-proxy + preacct + accounting + session + +All other configuration parameters (modules, etc.) are global. + +Inside of a virtual server, the authorize, etc. sections have their +normal meaning, and can contain anything that an authorize section +could contain in 1.x. + +When a "listen" section is inside of a virtual server definition, it +means that all requests sent to that IP/port will be processed through +the virtual server. There cannot be two "listen" sections with the +same IP address and port number. + +When a "client" section is inside of a virtual server definition, it +means that that client is known only to the "listen" sections that are +also inside of that virtual server. Not only is this client +definition available only to this virtual server, but the details of +the client configuration is also available only to this virtual +server. + +i.e. Two virtual servers can listen on different IP address and +ports, but both can have a client with IP address 127.0.0.1. The +shared secret for that client can be different for each virtual +server. + + +## More complex "listen" capabilities + +The "listen" sections have a few additional configuration items that +were not in 1.x, and were not mentioned above. These configuration +items enable almost any mapping of IP / port to clients to virtual +servers. + +The configuration items are: + + virtual_server = + + If set, all requests sent to this IP / port are processed + through the named virtual server. + + This directive can be used only for "listen" sections + that are global. i.e. 
It CANNOT be used if the + "listen" section is inside of a virtual server. + + clients = + + If set, the "listen" section looks for a "clients" section: + + clients { + ... + } + + It looks inside of that named "clients" section for + "client" subsections, at least one of which must + exist. Each client in that section is added to the + list of known clients for this IP / port. No other + clients are known. + + If it is set, it over-rides the list of clients (if + any) in the same virtual server. Note that the + clients are NOT additive! + + If it is not set, then the clients from the current + virtual server (if any) are used. If there are no + clients in this virtual server, then the global + clients are used. + + i.e. The most specific directive is used: + * configuration in this "listen" section + * clients in the same virtual server + * global clients + + The directives are also *exclusive*, not *additive*. + If you have one client in a virtual server, and + another client referenced from a "listen" section, + then that "listen" section will ONLY use the second + client. It will NOT use both clients. + + +## More complex "client" capabilities + +The "client" sections have a few additional configuration items that +were not in 1.x, and were not mentioned above. These configuration +items enable almost any mapping of IP / port to clients to virtual +servers. + +The configuration items are: + + virtual_server = + + If set, all requests from this client are processed + through the named virtual server. + + This directive can be used only for "client" sections + that are global. i.e. It CANNOT be used if the + "client" section is inside of a virtual server. + +If the "listen" section has a "server" entry, and a matching +client is found ALSO with a "server" entry, then the clients server is +used for that request. + + +## Worked examples + +Listening on one socket, and mapping requests from two clients to +two different servers. + + listen { + ... 
+ } + client one { + ... + virtual_server = server_one + } + client two { + ... + virtual_server = server_two + } + server server_one { + recv Access-Request { + ... + } + ... + } + server server_two { + recv Access-Request { + ... + } + ... + } + +This could also be done as: + + listen { + ... + virtual_server = server_one + } + client one { + ... + } + client two { + ... + virtual_server = server_two + } + server server_one { + recv Access-Request { + ... + } + ... + } + server server_two { + recv Access-Request { + ... + } + ... + } + +In this case, the default server for the socket is "server_one", so +there is no need to set that in the client "one" configuration. The +"server_two" configuration for client "two" over-rides the default +setting for the socket. + +Note that the following configuration will NOT work: + + listen { + ... + virtual_server = server_one + } + client one { + ... + } + server server_one { + recv Access-Request { + ... + } + ... + } + server server_two { + client two { + ... + } + recv Access-Request { + ... + } + ... + } + +In this example, client "two" is hidden inside of the virtual +server, where the "listen" section cannot find it. + + +## Outlined examples + +This section outlines a number of examples, with alternatives. + +* one server, multiple sockets + - multiple "listen" sections in a "server" section + +* one server per client + - define multiple servers + - have a global "listen" section + - have multiple global "clients", each with "virtual_server = X" + +* two servers, each with their own sockets + - define multiple servers + - put "client" sections into each "server" + - put a "listen" section into each "server" + + Each server can list the same client IP, and the secret + can be different. 
+ +* two sockets, sharing a list of clients, but pointing to different servers + - define global "listen" sections + - in each, set "virtual_server = X" + - in each, set "clients = Y" + - define "clients Y" section, containing multiple clients. + + This also means that you can have a third socket, which + doesn't share any of these clients. + + +## How to decide what to do + + +If you want *completely* separate policies for a socket or a client, +then create a separate virtual server. Then, map the request to that +server by setting configuration entries in a "listen" section or in a +"client" section. + +Start off with the common cases first. If most of the clients +and/or sockets get a particular policy, make that policy the default. +Configure it without paying attention to the sockets or clients you +want to add later, and without adding a second virtual server. Once +it works, then add the second virtual server. + +If you want to re-use the previously defined sockets with the second +virtual server, then you will need one or more global "client" +sections. Those clients will contain a "virtual_server = ..." entry +that will direct requests from those clients to the appropriate +virtual server. + +## List of provided virtual servers + + diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/bfd2.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/bfd2.adoc new file mode 100644 index 00000000000..d5bf508aac2 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/sites-available/bfd2.adoc 
@@ -0,0 +1,140 @@ + + + + += BFD (Bidirectional Forwarding Detection) + +The purpose of `BFD` is to quickly detect if a link is up or down. + +We are using it to determine if a `peer` application is up or down. +For example, when two servers are configured in primary / secondary +mode, they should be set up as BFD peers. They can then detect +when the other one goes down. + +The code is in FreeRADIUS because we want to know if the *application* +is running. It doesn't matter if the link is up, or if the host system +is running. If the FreeRADIUS daemon is down, then we want to know ASAP. + +NOTE: See also `raddb/trigger.conf`. There are BFD-specific triggers +which are executed when the link is started, goes up, down, or is +administratively down. + + + +## Default instance + + + +### server bfd { ... } + + + +Common configuration for the BFD state machine. + + + + +#### listen { ... } + + + +ipaddr: IP address, or IPv6 address as normal. + + + +port:: Port as normal. + + + + + + + +auth_type:: BFD Authentication method. + +May be one of: + +[options="header,autowidth"] +|=== +| Option | Description +| none | no password, not recommended +| simple | cleartext password in the packet, not recommended +| keyed-md5 | MD5 based, like RADIUS style shared secret key +| met-keyed-md5 | similar to above +| keyed-sha1 | SHA1 based, like RADIUS style shared secret key +| met-keyed-sha1 | similar to above +|=== + +NOTE: The other side of the BFD connection has to have the same +kind of authentication set. + + + +secret:: The secret key used for authentication. + +If it starts with "0x", then it is treated as a hex string. This is recommended +for security. The secrets should be `~16` octets long, and random. + + + +min_transmit_interval:: Minimum time interval to transmit. + + + +min_receive_interval:: Minimum time interval to receive. + + + +max_timeouts:: Max number of timeouts before the session is declared dead. + + + +demand:: BFD Demand mode. 
+ +allowed values: {no, yes} + + + + + + + +== Default Configuration + +``` +server other { + namespace = bfd + bfd { + } + listen { + transport = udp + udp { + ipaddr = ${bfd_other} + port = 3784 + only_state_changes = true + } + } +peer main { + ipaddr = ${bfd_main} + port = 3784 + auth_type = ${bfd_auth_type} + secret = "hello" + min_transmit_interval = 250ms + min_receive_interval = 250ms + max_timeouts = 3 + demand = no +} +recv Admin-Down { + ok +} +recv Down { + ok +} +recv Init { + ok +} +recv Up { + ok +} +} +``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/control-socket.orig.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/control-socket.orig.adoc new file mode 100644 index 00000000000..c06b7aafb24 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/sites-available/control-socket.orig.adoc 
@@ -0,0 +1,118 @@ + + + + += Control socket interface. + + + + + + +namespace:: Determine the current scope as a control service. + + + +All configuration related to the control interface. + + +transport:: Define which communication channel. + + + +UNIX socket-file as communication channel. + + +filename:: Socket location. + +Most operating systems (other than Linux), do not respect +permissions set on socket files. + +To work around this issue, we ensure the +permissions on the directory containing the socket, +are sufficiently restrictive to only allow access +by the FreeRADIUS user, or the gid below (if set). + +It is recommended to house the socket in its own +sub-directory. FreeRADIUS will create this sub-directory +if it doesn't exist and set the appropriate ownership and +permissions. + + + +peercred:: It is enabled by default, and offers an additional layer +of security. When enabled FreeRADIUS will check the euid and +egid of the process connecting to the control socket. + +The client process is allowed to connect if any of the following +are true: + +- The client processes' euid is 0 (root). +- The client processes' euid matches FreeRADIUS' euid. +- gid is set (below), and the client processes' egid matches the + configured gid. + +NOTE: With peercred enabled, auxiliary groups of the client process +are not considered. If you have multiple users and need to control +control socket authorization via group membership, you should set +`peercred = no`, and rely on filesystem permissions for enforcement. + + + +uid:: Name of user who is allowed to connect to the control socket. + + + +gid:: Name of group that is allowed to connect to the control socket. + + + +mode:: Access mode. + +This can be used to give *some* administrators access to +monitor the system, but not to change it. + +ro = read only access (default) +rw = read/write access. 
+ + +@todo - add "limit" section + + +These don't do anything for now + + + +== Default Configuration + +``` +# In the future, we will add username/password checking for +# connections to the control socket. We will also add +# command authorization, where the commands entered by the +# administrator are run through a virtual server before +# they are executed. +# For now, anyone who has permission to connect to the socket +# has nearly complete control over the server. Be warned! +# NOTE: This functionality is NOT enabled by default. +# See also the "radmin" program, which is used to communicate +# with the server over the control socket. +server control { + namespace = control + listen { + transport = unix + unix { + filename = ${run_dir}/control/${name}.sock +# peercred = no +# uid = radius +# gid = radius + mode = rw + } + } + recv { + ok + } + send { + ok + } +} +``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/control-socket.rej.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/control-socket.rej.adoc new file mode 100644 index 00000000000..ec8a27e0768 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/sites-available/control-socket.rej.adoc @@ -0,0 +1,32 @@ + +uid:: Name of user who is allowed to connect to the control socket. + + + +gid:: Name of group that is allowed to connect to the control socket. + + + +Access mode. + +uid:: Name of user who is allowed to connect to the control socket. + + + +gid:: Name of group that is allowed to connect to the control socket. + + + +Access mode. + +== Default Configuration + +``` +*************** +*** 83,94 **** +- # uid = radius +- # gid = radius +--- 83,94 ---- ++ # uid = freerad ++ # gid = freerad +``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/crash.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/crash.adoc new file mode 100644 index 00000000000..50b3eb3b6c9 --- /dev/null 
+++ b/doc/antora/modules/reference/pages/raddb/sites-available/crash.adoc @@ -0,0 +1,56 @@ + +== Default Configuration + +``` + &Filter-Id := "db.findAndModify({ \ + 'query': { \ + 'AcctStopTime': null, \ + 'NasIpAddress': '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', \ + 'AcctStarttime': { \ + '$lt': \ + } \ + }, \ + 'update': { \ + '$set': { \ + 'AcctStopTime': '', \ + 'AcctUpdateTime': '', \ + 'AcctSessionTime': { \ + '$subtract': [ '', '123' ] \ + }, \ + 'AcctTerminateCause': '%{%{Acct-Terminate-Cause}:-NAS-Reboot}', \ + 'Class': '%{Class}', \ + 'FramedIpAddress': '%{Framed-IP-Address}', \ + 'update_date': { \ + '$date': { \ + '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' \ + } \ + }, \ + 'start_time': '%{Packet-Original-Timestamp}' \ + }, \ + '$push': { \ + 'events_data': { \ + 'event_id': '%{sha2_256:%{tolower:%{Calling-Station-Id}}}', \ + 'event_type': 'Accounting-Start', \ + 'event_time': '%{Packet-Original-Timestamp}', \ + 'creation_date': { \ + '$date': { \ + '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' \ + } \ + } \ + } \ + }, \ + '$setOnInsert': { \ + 'pool_name': '%{control.IP-Pool.Name}', \ + 'FramedIpAddress': '%{Framed-IP-Address}', \ + 'closed': false, \ + 'update_counter': 0, \ + 'creation_date': { \ + '$date': { \ + '$numberLong': '%{expr: (%l * 1000) + (%M / 1000)}' \ + } \ + } \ + } \ + }, \ + 'upsert': 2 1 1 true \ + })" +``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/decoupled-accounting.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/decoupled-accounting.adoc index 742d567d6f2..299d2d15977 100644 --- a/doc/antora/modules/reference/pages/raddb/sites-available/decoupled-accounting.adoc +++ b/doc/antora/modules/reference/pages/raddb/sites-available/decoupled-accounting.adoc 
@@ -42,11 +42,6 @@ Create a 'detail'ed log of the packets.
 Note that accounting requests which are proxied are also logged in the detail file.
-Update the wtmp file
-
-If you don't use "radlast", you can delete this line.
-
-
 For Simultaneous-Use tracking.
 Due to packet losses in the network, the data here
@@ -119,8 +114,6 @@ send Accounting-Response {
 detail
 # daily
 unix
- radutmp
-# sradutmp
 # pool of IPs are used.
 sqlippool
 # sql
diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc
index 4396bccdf74..57aff759a94 100644
--- a/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc
+++ b/doc/antora/modules/reference/pages/raddb/sites-available/default.adoc
@@ -1245,12 +1245,6 @@ Update counters for daily usage calculations.
-Update the wtmp file.
-
-This is only relevant if you use "radlast".
-
-
-
 For Simultaneous-Use tracking.
 Due to packet losses in the network, the data here may
@@ -1500,8 +1494,6 @@ send Accounting-Response {
 detail
 # daily
 # unix
-# radutmp
-# sradutmp
 # pgsql-voip
 attr_filter.accounting_response
 }
diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/default.orig.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/default.orig.adoc
new file mode 100644
index 00000000000..29f64884f96
--- /dev/null
+++ b/doc/antora/modules/reference/pages/raddb/sites-available/default.orig.adoc
@@ -0,0 +1,1563 @@ + +:toc: + + + += The default Virtual Server + +The `default` virtual server is the first one that is enabled on a +default installation of FreeRADIUS. This configuration is +designed to work in the widest possible set of circumstances, with +the widest possible number of authentication methods. This means +that in general, you should need to make very few changes to this +file. + +The usual approach is as follows: + + * configure users in a database (e.g. the `files` module, or in + `sql`) + * configure the relevant module to talk to the database + (e.g. `sql`) + * If using EAP / 802.1X, configure the certificates in + the `certs/` directory. + +Then, run the server. This process will ensure that users can log +in via PAP, CHAP, MS-CHAP, etc. You should so test the server via +`radtest` to verify that it works. + +## Editing this file + +Please read "man radiusd" before editing this file. See the +section titled DEBUGGING. It outlines a method where you can +quickly obtain the configuration you want, without running into +trouble. See also "man unlang", which documents the format of this +file. And finally, the debug output can be complex. Please read +https://wiki.freeradius.org/radiusd-X to understand that output. + +The best way to configure the server for your local system is to + *carefully* edit this file. Most attempts to make large edits to +this file will *break the server*. Any edits should be small, and +tested by running the server with `radiusd -X`. Once the edits +have been verified to work, save a copy of these configuration +files somewhere. We recommend using a revision control system such +as `git`, or even a "tar" file. Then, make more edits, and test, +as above. + +There are many "commented out" references to modules and +configurations These references serve as place-holders, and as +documentation. 
If you need the functionality of that module, then: + + * configure the module in link:../../../../../../mods-available/index.adoc[mods-available/] + * enable the module in `mods-enabled`. e.g. for LDAP, do: `cd mods-enabled;ln -s ../mods-available/ldap` + * un-comment the references to it in this file. + +In most cases, those small changes will result in the server being +able to connect to the database, and to authenticate users. + +## The Virtual Server + +This is the `default` virtual server. + + +namespace:: + +In v4, all "server" sections MUST start with a "namespace" +parameter. This tells the server which protocol is being used. + +All of the "listen" sections in this virtual server will +only accept packets for that protocol. + + + +### The listen section + +The `listen` sections in v4 are very different from the +`listen sections in v3. The changes were necessary in +order to make FreeRADIUS more flexible, and to make the +configuration simpler and more consistent. + + +type:: The type of packet to accept. + +Multiple types can be accepted by using multiple +lines of `type = ...`. + +This change from v3 makes it much clearer what kind +of packet is being accepted. The old `auth+acct` +configuration was awkward and potentially +confusing. + + + +transport:: The transport protocol. + +The allowed transports for RADIUS are currently +`udp` and `tcp`. A `listen` section can only have +one `transport` defined. For multiple transports, +use multiple `listen` sections. + +You can have a "headless" server by commenting out +the "transport" configuration. A "headless" server +will process packets from other virtual servers, +but will not accept packets from the network. + +The `inner-tunnel` server is an example of a +headless server. It accepts packets from the +"inner tunnel" portion of PEAP and TTLS. But it +does not accept those packets from the network. + + + +limit:: limits for this socket. 
+ +The `limit` section contains configuration items +which enforce various limits on the socket. These +limits are usually transport-specific. + +Limits are used to prevent "run-away" problems. + + +max_clients:: The maximum number of dynamic +clients which can be defined for this +listener. + +If dynamic clients are not used, then this +configuration item is ignored. + +The special value of `0` means "no limit". +We do not recommend using `0`, as attackers +could forge packets from the entire +Internet, and cause FreeRADIUS to run out +of memory. + +This configuration item should be set to +the number of individual RADIUS clients +(e.g. NAS, AP, etc.) which will be sending +packets to FreeRADIUS. + + + +max_connections:: The maximum number of +connected sockets which will be accepted +for this listener. + +Each connection opens a new socket, so be +aware of system file descriptor +limitations. + +If the listeners do not use connected +sockets (e.g. TCP), then this configuration +item is ignored. + + + +idle_timeout:: Time after which idle +connections or dynamic clients are deleted. + +Useful range of values: 5 to 600 + + + +nak_lifetime:: Time for which blacklisted +clients are placed into a NAK cache. + +If a dynamic client is disallowed, it is +placed onto a "NAK" blacklist for a period +of time. This blacklist helps to prevent +DoS attacks. When subsequent packets are +received from that IP address, they hit the +"NAK" cache, and are immediately discarded. + +After `nak_timeout` seconds, the blacklist +entry will be removed, and the IP will be +allowed to try again to define a dynamic +client. + +Useful range of values: 1 to 600 + + + +cleanup_delay:: The time to wait (in +seconds) before cleaning up a reply to an +`link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packet. + +The reply is normally cached internally for +a short period of time, after it is sent to +the NAS. 
The reply packet may be lost in +the network, and the NAS will not see it. +The NAS will then re-send the request, and +the server will respond quickly with the +cached reply. + +If this value is set too low, then +duplicate requests from the NAS MAY NOT be +detected, and will instead be handled as +separate requests. + +If this value is set too high, then the +server will use more memory for no benefit. + +This value can include a decimal number of +seconds, e.g. "4.1". + +Useful range of values: 2 to 30 + + + +#### UDP Transport + +When the `listen` section contains `transport = +udp`, it looks for a "udp" subsection. This +subsection contains all of the configuration for +the UDP transport. + + +ipaddr:: The IP address where FreeRADIUS +accepts packets. + +The address can be IPv4, IPv6, a numbered +IP address, or a host name. If a host name +is used, the IPv4 address is preferred. +When there is no IPv4 address for a host +name, the IPv6 address is used. + +As with UDP, `ipaddr`, `ipv4addr`, and `ipv6addr` +are all allowed. + +ipv4addr:: Use IPv4 addresses. + +The same as `ipaddr`, but will only use +IPv4 addresses. + +ipv6addr:: Use IPv6 addresses. + +The same as `ipaddr`, but will only use +IPv6 addresses. + + + +port:: the UDP where FreeRADIUS accepts +packets. + +The default port for Access-Accept packets +is `1812`. + + + +dynamic_clients:: Whether or not we allow +dynamic clients. + +If set to `true`, then packets from unknown +clients are passed through the `new +client` subsection below. See that section +for more information about how dynamic +clients work. + + + +networks:: The list of networks which are +allowed to send packets to FreeRADIUS for +dynamic clients. + +If there are no dynamic clients, then this +section is ignored. + +The purpose of the `networks` subsection is +to ensure that only a small set of source +IPs can trigger dynamic clients. If anyone +could trigger dynamic clients, then the +server would be subject to a DoS attack. 
+ + +allow:: Allow packets from these +networks to define dynamic clients. + +Packets from all other sources will +be rejected. + +When a packet is from an allowed +network, it will be run through the +`new client` subsection below. +That subsection can still reject +the client request. + +There is no limit to the number of +networks which can be listed here. + + + +deny:: deny some networks. + +The default behavior is to only +allow packets from the `allow` +networks. The `deny` directive +allows you to carve out a subset of +an `allow` network, where some +packets are denied. + +That is, a `deny` network MUST +exist within a previous `allow` network. + +The `allow` and `deny` rules apply +only to networks. The order which +they appear in the configuration +file does not matter. + + + +#### TCP Transport + +When the configuration has `transport = tcp`, it +looks for a `tcp` subsection. That subsection +contains all of the configuration for the TCP +transport. + +Since UDP and TCP are similar, the majority of the +configuration items are the same for both of them. + + +NOTE: As with v3, `ipaddr`, `ipv4addr`, and `ipv6addr` +are all allowed. + + + +ipaddr:: + + + +port:: the TCP where FreeRADIUS accepts +packets. + +The default port for Access-Accept packets +is `1812`. + + + +dynamic_clients:: Whether or not we allow dynamic clients. + +If set to true, then packets from unknown +clients are passed through the "new client" +subsection below. See that section for +more information. + + + +networks { ... }:: + +If dynamic clients are allowed, then limit +them to only a small set of source +networks. + +If dynamic clients are not allowed, then +this section is ignored. + + +allow:: +deny:: + +Allow packets from these networks +to define dynamic clients. + +Packets from all other sources will +be rejected. + +Even if a packet is from an allowed +network, it still must be allowed +by the "new client" subsection. 
+ +There is no limit to the number of +networks which can be listed here. + + + +#### Access-Request subsection + +This section contains configuration which is +specific to processing `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets. + +Similar sections can be added, but are not +necessary for Accounting-Request (and other) +packets. At this time, there is no configuration +needed for other packet types. + + +log:: Logging configuration for `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets + +In v3, the `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging was +configured in the main `radiusd.conf` file, +in the main `log` subsection. That +limitation meant that the configuration was +global to FreeRADIUS. i.e. you could not +have different `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging for +different virtual server. + +The extra configuration in v4 allows for +increased flexibility. + + +stripped_names:: Log the full +`link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` attribute, as it was +found in the request. + +allowed values: {no, yes} + + + +auth:: Log authentication requests +to the log file. + +allowed values: {no, yes} + + + +auth_goodpass:: Log "good" +passwords with the authentication +requests. + +allowed values: {no, yes} + + + +auth_badpass:: Log "bad" +passwords with the authentication +requests. + +allowed values: {no, yes} + + + +msg_goodpass:: +msg_badpass:: + +Log additional text at the end of the "Login OK" messages. +for these to work, the "auth" and "auth_goodpass" or "auth_badpass" +configurations above have to be set to "yes". + +The strings below are dynamically expanded, which means that +you can put anything you want in them. However, note that +this expansion can be slow, and can negatively impact server +performance. 
+ + + +msg_denied:: + +The message when the user exceeds the Simultaneous-Use limit. + + + +session:: Controls how ongoing +(multi-round) sessions are handled + +This section is primarily useful for EAP. +It controls the number of EAP +authentication attempts that can occur +concurrently. + + +max:: The maximum number of ongoing sessions + + + +timeout:: How long to wait before expiring a +session. + +The timer starts when a response +with a state value is sent. The +timer stops when a request +containing the previously sent +state value is received. + + + + + +As with v3, "ipaddr", "ipv4addr", and "ipv6addr" +are all allowed. + + + +Whether or not we allow dynamic clients. + +If set to true, then packets from unknown +clients are passed through the "new client" +subsection below. See that section for +more information. + + + +If dynamic clients are allowed, then limit +them to only a small set of source +networks. + +If dynamic clients are not allowed, then +this section is ignored. + + +Allow packets from these networks +to define dynamic clients. + +Packets from all other sources will +be rejected. + +Even if a packet is from an allowed +network, it still must be allowed +by the "new client" subsection. + +There is no limit to the number of +networks which can be listed here. + + + +#### Access-Request subsection + +This section contains configuration which is +specific to processing `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets. + +Similar sections can be added, but are not +necessary for Accounting-Request (and other) +packets. At this time, there is no configuration +needed for other packet types. + + +log:: Logging configuration for `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets + +In v3, the `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging was +configured in the main `radiusd.conf` file, +in the main `log` subsection. 
That +limitation meant that the configuration was +global to FreeRADIUS. i.e. you could not +have different `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging for +different virtual server. + +The extra configuration in v4 allows for +increased flexibility. + +stripped_names:: Log the full +`link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` attribute, as it was +found in the request. + +allowed values: {no, yes} + + +auth:: Log authentication requests +to the log file. + +allowed values: {no, yes} + + +auth_goodpass:: Log "good" +passwords with the authentication +requests. + +allowed values: {no, yes} + + +auth_badpass:: Log "bad" +passwords with the authentication +requests. + +allowed values: {no, yes} + + +Log additional text at the end of the "Login OK" messages. +for these to work, the "auth" and "auth_goodpass" or "auth_badpass" +configurations above have to be set to "yes". + +The strings below are dynamically expanded, which means that +you can put anything you want in them. However, note that +this expansion can be slow, and can negatively impact server +performance. + + +The message when the user exceeds the Simultaneous-Use limit. + + + +session:: Controls how ongoing +(multi-round) sessions are handled + +This section is primarily useful for EAP. +It controls the number of EAP +authentication attempts that can occur +concurrently. + + +max:: The maximum number of ongoing sessions + + +timeout:: How long to wait before expiring a +session. + +The timer starts when a response +with a state value is sent. The +timer stops when a request +containing the previously sent +state value is received. + + + +### Listen for Accounting-Request packets + + + + + +### Local Clients + +The "client" sections can can also be placed here. Unlike +v3, they do not need to be wrapped in a "clients" section. +They can just co-exist beside the "listen" sections. 
+ +Clients listed here will apply to *all* listeners in this +virtual server. + +The clients listed here take precedence over the global +clients. + + +The other "client" configuration items can be added +here, too. + + +## Packet Processing sections + +The sections below are called when a RADIUS packet has been +received. + + * recv Access-Request - for authorization and authentication + * recv Status-Server - for checking the server is responding + + + +### Receive Access-Request packets + + + + + +Take a `link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]`, and perform some checks on it, for +spaces and other invalid characters. If the `link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` +is invalid, reject the request. + +See policy.d/filter for the definition of the +filter_username policy. + + + +Some broken equipment sends passwords with embedded +zeros, i.e. the debug output will show: + + User-Password = "password\000\000" + +This policy will fix the password to just be "password". + + + +If you intend to use CUI and you require that the +Operator-Name be set for CUI generation and you want to +generate CUI also for your local clients, then uncomment +operator-name below and set the operator-name for +your clients in clients.conf. + + + +Proxying example + +The following example will proxy the request if the +username ends in example.com. + + + +If you want to generate CUI for some clients that do +not send proper CUI requests, then uncomment cui below +and set "add_cui = yes" for these clients in +clients.conf. + + + +The `auth_log` module will write all `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets to a file. + +Uncomment the next bit in order to have a log of +authentication requests. For more information, see +link:../../../../../../mods-available/detail.log.adoc[mods-available/detail.log]. 
+ + + +The `chap` module will set `Auth-Type := CHAP` if the +packet contains a `link:https://freeradius.org/rfc/rfc2865.html#CHAP-Challenge[CHAP-Challenge]` attribute. The module +does this only if the `Auth-Type` attribute has not already +been set. + + + +The `mschap` module will set `Auth-Type := mschap` if the +packet contains an `link:https://freeradius.org/rfc/rfc2548.html#MS-CHAP-Challenge[MS-CHAP-Challenge]` attribute. The +module does this only if the `Auth-Type` attribute has not +already been set. + + + +The `digest` module implements the SIP Digest +authentication method. + +Note that the module does not implement https://tools.ietf.org/html/rfc4590[RFC 4590]. Instead, +it implements an earlier draft of the specification. Since +all of the NAS equipment also implements the earlier draft, +this limitation is fine. + +If you have a Cisco SIP server authenticating against +FreeRADIUS, the `digest` module will set `Auth-Type := +"Digest"` if we are handling an SIP Digest request and the +`Auth-Type` has not already been set. + + + +The `wimax` module fixes up various WiMAX-specific stupidities. + +The WiMAX specification says that the `link:https://freeradius.org/rfc/rfc2865.html#Calling-Station-Id[Calling-Station-Id]` +is 6 octets of the MAC. This definition conflicts with RFC +3580, and all common RADIUS practices. Un-commenting the +`wimax` module here allows the module to change the +`link:https://freeradius.org/rfc/rfc2865.html#Calling-Station-Id[Calling-Station-Id]` attribute to the normal format as +specified in https://tools.ietf.org/html/rfc3580#section-3.21.[RFC 3580 Section 3.21.] + + + +The `eap` module takes care of all EAP authentication, +including EAP-MD5, EAP-TLS, PEAP and EAP-TTLS. + +The module also sets the EAP-Type attribute in the request +list, to the incoming EAP type. + +The `eap` module returns `ok` if it is not yet ready to +authenticate the user. 
The configuration below checks for +that return value, and if so, stops processing the current +section. + +The result is that any LDAP and/or SQL servers will not be +queried during the initial set of packets that go back and +forth to set up EAP-TTLS or PEAP. + +We also recommend doing user lookups in the `inner-tunnel` +virtual server. + + + +The `unix` module will obtain passwords from `/etc/passwd` +or `/etc/shadow`. It does this via the system API's, which +are not thread-safe. We do not recommend using the `unix` module. + + + +Read what used to be the `users` file. Since v3, this file +is located in `mods-config/files/authorize`. + + + +Look in an SQL database. The schema of the database is +meant to mirror the `users` file. For a full description +of the module behavior, please see +https://wiki.freeradius.org/modules/Rlm_sql + + + +If you are using /etc/smbpasswd, and are also doing mschap +authentication, the un-comment this line, configure the +module. + + + +The `ldap` module reads passwords and other attributes from +an LDAP database. + +For a full description of the module behavior, please see +https://wiki.freeradius.org/modules/Rlm_ldap + + + +Enforce daily limits on time spent logged in. This module +is a variant of the the `counter` module. + + + +See if the account has expired: check the time in the +`Expiration` attribute and reject if we are past it. +If the account has not expired, set `link:https://freeradius.org/rfc/rfc2865.html#Session-Timeout[Session-Timeout]`. + + + +Look at the `Login-Time` attribute and reject if the user +is not allowed access at the present time. Otherwise, +set `link:https://freeradius.org/rfc/rfc2865.html#Session-Timeout[Session-Timeout]` to the end of the permitted time span. + + + +The `pap` module will set `Auth-Type := PAP` if the +packet contains a `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]` attribute. 
The module +does this only if the `Auth-Type` attribute has not already +been set. + +The `pap` module is also responsible for "normalizing" the +various kinds of "known good" passwords. +e.g. `NT-Password` may come as a 16 byte blob, or as a +32-byte hex string, or as a base-64 encoded string. The +`pap` module will look for common variations of password +encoding, and convert them all to a normal form. + +This module should be listed last, so that the other +modules get a chance to set Auth-Type for themselves. + + + +### Receive Status-Server packets + + +This section is processed when the server receives a `Status-Server` +packet. + + +We are still here and responding. + + + +## Authentication Sections + +The sub-sections below are called based on the value of the +`Auth-Type` attribute, which should have been set by the `recv +Access-Request` section, above. + +Since version 4, proxying also happens in this section. For more +information on how proxying has changed in version 4, please see +https://wiki.freeradius.org/upgrading/version4/proxy. + +For authentication, you should generally NOT set the `Auth-Type` +attribute. As noted above, the modules will usually figure it what +to do, and will do the right thing. The most common side effect of +erroneously setting the `Auth-Type` attribute is that one +authentication method will work, but all of the others will not. + +The common reasons to set the `Auth-Type` attribute by hand are +to forcibly reject the user (`Auth-Type := Reject`), to or +forcibly accept the user (`Auth-Type := Accept`), or for +proxying. + +Note that `Auth-Type := Accept` will NOT work with EAP. The EAP +authentication protocol uses a series of handshake messages. All +of the messages must be exchanged correctly in order for EAP +authentication to succeed. Bypassing that process with `Auth-Type +:= Accept` will just result in the user being rejected. 
+ +Policy configuration should generally go in the `send ...` sections +below, after authentication has completed. + + + +### PAP Authentication + +For users who are using PAP authentication. A back-end database +listed in the "recv Access-Request" section MUST supply a "known +good" password for the user. The password can be clear-text, or +encrypted via `crypt`, `bcrypt`, or other hashing. + + + +### CHAP Authentication + +For users who are using CHAP authentication. A back-end database +listed in the "recv Access-Request" section MUST supply a +Cleartext-Password attribute. Encrypted passwords won't work. + + + +### MS-CHAP authentication + +For users who are using MS-CHAP authentication. A back-end +database listed in the "recv Access-Request" section MUST supply +either a Cleartext-Password attribute, or an NT-Password +attribute. Encrypted passwords won't work. + + + +### SIP Digest Authentication + +For users who are using SIP Digest authentication. + +The `digest` line in the `recv Access-Request` section should also +be uncommented. + + + +## PAM (Pluggable Authentication Modules) Authentication + +Authenticate with PAM (Pluggable Authentication Modules). + +We do not recommend using PAM. The server has enough functionality +that anything that can be done in PAM can be done easier in +FreeRADIUS. + + + +### LDAP Authentication + +For users who are using PAP, and when you can't get the "known +good" password from LDAP. The module binds to the LDAP directory +as the user, along with the password taken from the User-Password +attribute. The "bind as user" method means that CHAP, MS-CHAP, and +EAP won't work, as they does not supply a plain-text password. + +We do NOT recommend using this. LDAP servers are databases, not +authentication servers. It is only here as a last resort for +databases such as Active Directory. + +We strongly recommend using `ldap` in the `recv Access-Request` +section. 
And, ensuring that the account used by FreeRADIUS has +read permission on all of the users, groups, and passwords. + + + +EAP Authentication + +For EAP-MD5, EAP-MSCHAP, EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-PWD, etc. + + + +### Proxying + +Proxying has changed substantially from v3 to v4. These changes +are complex, but were necessary in order to support new features. +The result is that configurations which were impossible in v3 are +now trivial in v4. For example: + + * sending the same packet to multiple destinations, along with retransmissions + * sending the same packet to multiple destinations in parallel + * trying to proxy, and if it fails, programmatically doing something else + * trying to proxy, and if it fails, authenticating the user locally + * note that this won't work for EAP. + +For more information, see: +https://wiki.freeradius.org/upgrading/version4/proxy. + + + +The following example shows how proxying to three remote servers +can be configured. + +The `Auth-Type` attribute would need to be set to +`proxy-example.com`. The home servers MUST be defined in +link:../../../../../../mods-available/radius.adoc[mods-available/radius]. + + + + + + +## Send replies to Access-Request packets + + + +### send Access-Challenge packets + + +This section is called when sending an Access-Challenge +response. It is configured to filter out all attributes that should +not be in the packet. + + + +### send Access-Accept packets + +Once we know that the user has been authenticated successfully, +there are additional things that can be done. + + +If you need to have a State attribute, you can add it +here. e.g. for later CoA-Request with State, and +Service-Type = Authorize-Only. + + + +For EAP-TTLS and PEAP, add any cached attributes to the +reply. The "session-state" attributes are automatically +cached when an Access-Challenge is sent, and retrieved +when an `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` is received. 
+ +The `session-state` attributes are deleted after an +`link:https://freeradius.org/rfc/rfc2865.html#Access-Reject[Access-Reject]` or `link:https://freeradius.org/rfc/rfc2865.html#Access-Accept[Access-Accept]` packet has been sent. + + + +For EAP, ensure that the Access-Accept contains a User-Name +attribute. + + + +Get an address from the IP Pool. + + + +Create the CUI value and add the attribute to +Access-Accept. Uncomment the line below if + *returning* the CUI to the NAS. + + + +If you want to have a log of authentication replies, +un-comment the following line. This is defined in +link:../../../../../../mods-available/detail.log.adoc[mods-available/detail.log]. + + + +After authenticating the user, do another SQL query. + + + +Instead of sending the query to the SQL server in +real-time, write it into a log file to be picked up and +sent to the database later. + + + +Un-comment the following if you want to modify the +user's object in LDAP after a successful login. + + + +Calculate the various WiMAX keys. In order for this to +work, you will need to define the WiMAX NAI, usually +via: + + +If you want various keys to be calculated, you will +need to update the reply with "template" values. The +module will see this, and replace the template values +with the correct ones taken from the cryptographic +calculations, e.g. + + +You may want to delete the `MS-MPPE-*-Keys` from the +reply, as some WiMAX clients behave badly when those +attributes are included. See the configuration entry +`delete_mppe_keys` in link:../../../../../../mods-available/wimax.adoc[mods-available/wimax] for +more information. + + + +If there is a client certificate (EAP-TLS, and very +occasionally PEAP and EAP-TTLS), then some attributes +are filled out after the certificate verification has +been performed. These fields MAY be available during +the authentication, or they may be available only in +the appropriate "send" section. 
+ +The first set of attributes contains information about +the issuing certificate which is being used. The second +contains information about the client certificate (if +available). + + + + +Insert the `link:https://freeradius.org/rfc/rfc2865.html#Class[Class]` attribute with a unique value into the +response, which aids matching auth and acct records and +protects against duplicate Acct-Session-Id. + +Note: This only works if the NAS has implemented RFC +2865 behaviour for the Class attribute, AND if the NAS +supports long Class attributes. Many older or cheap +NASes only support 16-octet Class attributes. + + + +MacSEC requires the use of `EAP-Key-Name`. However, we +don't want to send it for all EAP sessions. Therefore, the +EAP modules put required data into the `EAP-Session-Id` +attribute. This attribute is never put into a request or +reply packet. + +Uncomment the next few lines to copy the required data +into the EAP-Key-Name attribute. + + + +Remove `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` if the response contains an +`link:https://freeradius.org/rfc/rfc2869.html#EAP-Message[EAP-Message]` attribute. Some NAS equipment will +automatically convert the `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` to an "EAP +notification" packet, which will cause end-user machines to +drop the network connection. + + + +### send Access-Reject packets + +This section processes `link:https://freeradius.org/rfc/rfc2865.html#Access-Reject[Access-Reject]` packets before they are sent +to the NAS. + +The `session-state` list is available while this section is being +processed. But all of the attributes in that list are discarded as +soon as the section is finished. + + +Log failed authentications in SQL, too. + + + +Filter out attributes that should not be in +Access-Reject packets. + + + +Insert an EAP-Failure message if the request was rejected by +policy, instead of from an authentication failure. 
+ + + +Remove `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` if the response contains an +`link:https://freeradius.org/rfc/rfc2869.html#EAP-Message[EAP-Message]` attribute. Some NAS equipment will +automatically convert the `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` to an "EAP +notification" packet, which will cause end-user machines to +drop the network connection. + + + +Delay sending the `link:https://freeradius.org/rfc/rfc2865.html#Access-Reject[Access-Reject]` packet. This is no +longer automatic as it was in version 3. + + + +Accounting + + +This section deals with receiving Accounting requests and +sending Accounting responses. + + + +An Accounting-Request packet has been received. Decide which +accounting type to use. + + +Merge Acct-[Input|Output]-Gigawords and +Acct-[Input-Output]-Octets into a single 64-bit +counter, Acct-[Input|Output]-Octets64. + + + +Session start times are *implied* in RADIUS. The NAS +never sends a "start time". Instead, it sends a start +packet, *possibly* with an Acct-Delay-Time. The server +is supposed to conclude that the start time was +"Acct-Delay-Time" seconds in the past. + +The unlang below creates an explicit start time, which +can then be used in other modules. It will be *mostly* +correct. Any errors are due to the 1-second resolution +of RADIUS, and the possibility that the time on the NAS +may be off. + +The start time is: NOW - delay - session_length + + + +Ensure that we have a semi-unique identifier for every +request, as many NAS boxes are broken. + + + +Read the 'acct_users' file. + + + +Version 4 allows for sections specific to Acct-Status-Type. + +Once the `recv Accounting-Request` section is processed, one of the +`accounting ... { ... }` sections will be run, based on the +value of the `link:https://freeradius.org/rfc/rfc2866.html#Acct-Status-Type[Acct-Status-Type]` attribute. + +After the `accounting ... { ... 
}` section has been run, it will +then process the `send Accounting-Response` section + + + +Session start + + + + +Session stop + + + + +Session is still alive + + + + +The NAS has just booted up. + + + + +The NAS is about to go down + + + + +Session failed to do something + + + + +There are many other values for `link:https://freeradius.org/rfc/rfc2866.html#Acct-Status-Type[Acct-Status-Type]` such as: + + * Tunnel-Start + * Tunnel-Stop + * Tunnel-Reject + * Tunnel-Link-Start + * Tunnel-Link-Stop + * Tunnel-Link-Reject + +Some vendors also define their own values, which is a very bad idea. + + + +Send Accounting-Response. + +Log the accounting data before replying. If logging fails then +the reply will not be sent, which means the NAS will send the +request again. + + +Add the CUI attribute from the corresponding +Access-Accept to the Accouning-Response. + +Use it only if your NAS boxes do not support CUI +themselves. + + + +Create a 'detail'ed log of the packets. Note that +accounting requests which are proxied are also logged +in the detail file. + + + +Update counters for daily usage calculations. + + + +Update the wtmp file. + +If you don't use "radlast", you can delete this line. + + + +For Simultaneous-Use tracking. + +Due to packet losses in the network, the data here may +be incorrect. There is little we can do about it. + + + +Return an address to the IP Pool when we see a stop +record. + + + +Log traffic to an SQL database. + +See "Accounting Queries" in link:../../../../../../mods-available/sql.adoc[mods-available/sql]. + + + +If you receive stop packets with zero session length, +they will NOT be logged in the database. The SQL +module will print a message (only in debugging mode), +and will return "noop". + +You can ignore these packets by uncommenting the +following three lines. Otherwise, the server will not +respond to the accounting request, and the NAS will +retransmit. 
+ + + +Instead of sending the query to the SQL server in +real-time, write it into a log file to be picked up and +sent to the database later. + + + +Cisco VoIP specific bulk accounting. + + + +Filter attributes from the accounting response. + + +== Default Configuration + +``` +server default { + namespace = radius + listen { + type = Access-Request + type = Status-Server + transport = udp + limit { + max_clients = 256 + max_connections = 256 + idle_timeout = 60.0 + nak_lifetime = 30.0 + cleanup_delay = 5.0 + } + udp { + ipaddr = * + port = 1812 +# dynamic_clients = true + networks { + allow = 127/8 + allow = 192.0.2/24 +# deny = 127.0.0/24 + } + } + tcp { + ipaddr = * + port = 1812 +# dynamic_clients = true + networks { + allow = 127/8 + allow = 192.0.2/24 +# deny = 127.0.0/24 + } + } + Access-Request { + log { + stripped_names = no + auth = no + auth_goodpass = no + auth_badpass = no +# msg_goodpass = "" +# msg_badpass = "" + msg_denied = "You are already logged in - access denied" + } + session { +# max = 4096 +# timeout = 15 + } + } + } + listen { + type = Access-Request + type = Status-Server + transport = tcp + tcp { + ipaddr = * + port = 1812 +# dynamic_clients = true + networks { + allow = 127/8 + allow = 192.0.2/24 +# deny = 127.0.0/24 + } + } + Access-Request { + log { + stripped_names = no + auth = no + auth_badpass = no + auth_goodpass = no +# msg_goodpass = "" +# msg_badpass = "" + msg_denied = "You are already logged in - access denied" + } + session { +# max = 4096 +# timeout = 15 + } + } + } + listen { + type = Accounting-Request + transport = udp + udp { + ipaddr = * + port = 1813 + } + } + client localhost { + shortname = sample + ipaddr = 192.0.2.1 + secret = testing123 + } +recv Access-Request { + map csv "%{User-Name}" { + &reply:Filter-Id := field3 + &reply:Reply-Message := field4 + } + filter_username +# filter_password +# operator-name +# if (&User-Name =~ /@example\.com$/) { +# update control { +# &Auth-Type := "proxy-example.com" +# } +# 
} +# cui +# auth_log + chap + mschap + digest +# wimax + eap { + ok = return + } +# unix + files + -sql +# smbpasswd + -ldap +# daily + expiration + logintime + pap +} +recv Status-Server { + ok +} +authenticate pap { + pap +} +authenticate chap { + chap +} +authenticate mschap { + mschap +} +authenticate digest { + digest +} +#authenticate pam { +# pam +#} +authenticate ldap { + -ldap +} +authenticate eap { + eap +} +#authenticate proxy-example.com { +# # +# # Log the request before proxying. +# # +# pre_proxy_log +# # +# # Send the request to remote RADIUS servers, with +# # fail-over from one to the other if there's no response. +# # +# redundant { +# radius1.example.com +# radius2.example.com +# radius3.example.com +# } +# # +# # Log the reply after proxying. +# # +# post_proxy_log.post-proxy +#} +send Access-Challenge { + attr_filter.access_challenge.post-auth + handled +} +send Access-Accept { +# if (!&reply:State) { +# update reply { +# &State := "0x%{randstr:16h}" +# } +# } + update { + &reply: += &session-state: + } + eap +# main_pool +# cui +# reply_log + -sql +# sql_log +# ldap +# update request { +# WiMAX-MN-NAI = "%{User-Name}" +# } +# update reply { +# WiMAX-FA-RK-Key = 0x00 +# WiMAX-MSK = "%{EAP-MSK}" +# } +# wimax +# update reply { +# &Reply-Message += "%{session-state:TLS-Cert-Serial}" +# &Reply-Message += "%{session-state:TLS-Cert-Expiration}" +# &Reply-Message += "%{session-state:TLS-Cert-Subject}" +# &Reply-Message += "%{session-state:TLS-Cert-Issuer}" +# &Reply-Message += "%{session-state:TLS-Cert-Common-Name}" +# &Reply-Message += "%{session-state:TLS-Cert-Subject-Alt-Name-Email}" +# &Reply-Message += "%{session-state:TLS-Client-Cert-Serial}" +# &Reply-Message += "%{session-state:TLS-Client-Cert-Expiration}" +# &Reply-Message += "%{session-state:TLS-Client-Cert-Subject}" +# &Reply-Message += "%{session-state:TLS-Client-Cert-Issuer}" +# &Reply-Message += "%{session-state:TLS-Client-Cert-Common-Name}" +# &Reply-Message += 
"%{session-state:TLS-Client-Cert-Subject-Alt-Name-Email}" +# } +# insert_acct_class +# if (&reply:EAP-Session-Id) { +# update reply { +# &EAP-Key-Name := &reply:EAP-Session-Id +# } +# } + remove_reply_message_if_eap +} +send Access-Reject { + -sql + attr_filter.access_reject + eap + remove_reply_message_if_eap + delay_reject +} +recv Accounting-Request { +# acct_counters64 +# update request { +# &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" +# } + acct_unique + files +} +accounting Start { +} +accounting Stop { +} +accounting Alive { +} +accounting Accounting-On { +} +accounting Accounting-Off { +} +accounting Failed { +} +send Accounting-Response { +# cui + detail +# daily + unix +# radutmp +# sradutmp +# main_pool + -sql +# if (noop) { +# ok +# } +# sql_log +# pgsql-voip + attr_filter.accounting_response +} +} +``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/default.rej.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/default.rej.adoc new file mode 100644 index 00000000000..edd8feb7d6d --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/sites-available/default.rej.adoc 
@@ -0,0 +1,77 @@ + + + + +If no other module has claimed responsibility for +authentication, then try to use PAP. This allows the + + +If no other module has claimed responsibility for +authentication, then try to use PAP. This allows the +in the 'authorize' section supplies a password. The +password can be clear-text, or encrypted. + + +in the 'authorize' section supplies a password. The +password can be clear-text, or encrypted. + + + +== Default Configuration + +``` +*************** +*** 86,91 **** + udp { + ipaddr = * + port = 1812 + } + } +--- 86,92 ---- + udp { + ipaddr = * + port = 1812 ++ cleanup_delay = 30 + } + } +*************** +*** 227,232 **** + expiration + logintime +--- 228,237 ---- + expiration + logintime ++ update control { ++ Cleartext-Password := "bob" ++ } ++ +*************** +*** 277,283 **** + authenticate pap { +- pap + } +--- 282,308 ---- + authenticate pap { ++ if (!Proxy-State) { ++ fork Access-Request { ++ radius { ++ fail = 1 ++ } ++ if (fail) { ++ update reply { ++ Packet-Type := Access-Accept ++ } ++ ok ++ } ++ } ++ ++ if (!fail) { ++ accept ++ } ++ } ++ else { ++ pap ++ # do_not_respond ++ } + } +``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/detail-debugging.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/detail-debugging.adoc new file mode 100644 index 00000000000..9c2028bbabf --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/sites-available/detail-debugging.adoc @@ -0,0 +1,37 @@ +``` +server detail { + namespace = detail + + listen { + type = Accounting-Request + transport = file + + file { + filename = "${confdir}/detail-*" + filename.work = "${confdir}/detail.work" + track = no + } + +# work { +# filename.work = "${confdir}/detail.work" +# track = no +# } + + } + +recv { + fail +} + +send success { + ok +} + +send failure { +``` +do nothing +``` +} + +} +``` 
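Review bot: `default.rej.adoc` is a rendering of a patch-reject file rather than documentation: its prose is duplicated and cut mid-sentence ("This allows the" appears twice with no continuation) and the `Default Configuration` fence holds context-diff markers (`*** 86,91 ****`, `--- 86,92 ----`, `++` lines) instead of a server configuration, which suggests a stray `default.rej` under `raddb/sites-available` was swept up by the doc generator. The same applies to `dhcp.orig.adoc` (the following hunk) and `tls-cache.orig.adoc`, which look like `.orig` backups and will be published next to the real `dhcp` and `tls-cache` pages with stale, pre-v4 syntax. I would drop these three pages from this commit, remove the source artifacts, and have the generator (or a `.gitignore` rule) exclude `*.rej` and `*.orig` so they cannot reappear.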
diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.orig.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.orig.adoc
new file mode 100644
index 00000000000..384b07cdff5
--- /dev/null
+++ b/doc/antora/modules/reference/pages/raddb/sites-available/dhcp.orig.adoc
@@ -0,0 +1,373 @@ + + +See raddb/mods-available/dhcp_sqlippool for the IP Pool configuration. + +See raddb/policy.d/dhcp_sqlippool for the "glue" code that allows +the RADIUS based "sqlippool" module to be used for DHCP. + +See raddb/mods-config/sql/ippool/ for the schemas. + +See raddb/sites-available/dhcp for instructions on how to configure +the DHCP server. + + + + +The DHCP functionality goes into a virtual server. + + +Define a DHCP socket. + +The default port below is 6700, so you don't break your network. +If you want it to do real DHCP, change this to 67, and good luck! + +You can also bind the DHCP socket to an interface. +See below, and raddb/radiusd.conf for examples. + +This lets you run *one* DHCP server instance and have it listen on +multiple interfaces, each with a separate policy. + +If you have multiple interfaces, it is a good idea to bind the +listen section to an interface. You will also need one listen +section per interface. + + + +IP address to listen on. Will usually be the IP of the +interface, or 0.0.0.0 + +The port should be 67 for a production network. Don't set +it to 67 on a production network unless you really know +what you're doing. Even if nothing is configured below, the +server may still NAK legitimate responses from clients. + +Interface name we are listening on. See comments above. + +source IP address for unicast packets sent by the +DHCP server. + +The source IP for unicast packets is chosen from the first +one of the following items which returns a valid IP +address: + + src_ipaddr + ipaddr + reply:DHCP-Server-IP-Address + reply:DHCP-DHCP-Server-Identifier + + +The DHCP server defaults to allowing broadcast packets. +Set this to "no" only when the server receives *all* packets +from a relay agent. i.e. when *no* clients are on the same +LAN as the DHCP server. + +It's set to "no" here for testing. It will usually want to +be "yes" in production, unless you are only dealing with +relayed packets. 
+ +On Linux if you're running the server as non-root, you +will need to do: + +sudo setcap cap_net_admin=ei /path/to/radiusd + +This will allow the server to set ARP table entries +for newly allocated IPs + + +If there is no `client` entry in a DHCPv4 virtual server, it will +automatically create and use a "0/0" client. + +If there is one or more clients defined in a DHCPv4 virtual server, +they will be used to limit source IP addresses for DHCPv4 packets. +Only packets from known clients or networks will be accepted. + +If a `client` is defined, you should list all subnets used for end +user machines, along with all DHCPv4 gateways that send packets to +the server. + + ipaddr = 192.168.0.0/16 + +Packets received on the socket will be processed through one +of the following sections, named after the DHCP packet type. +See dictionary.dhcpv4 for the packet types. + +Return packets will be sent to, in preference order: + DHCP-Gateway-IP-Address + DHCP-Client-IP-Address + DHCP-Your-IP-Address +At least one of these attributes should be set at the end of each +section for a response to be sent. + + +Set the type of packet to send in reply. + +The server will look at the DHCP-Message-Type attribute to +determine which type of packet to send in reply. Common +values would be DHCP-Offer, DHCP-Ack or DHCP-NAK. See +dictionary.dhcp for all the possible values. + +DHCP-Do-Not-Respond can be used to tell the server to not +respond. + +In the event that DHCP-Message-Type is not set then the +server will fall back to determining the type of reply +based on the rcode of this section. + + +The contents here are invented. Change them! + +Do a simple mapping of MAC to assigned IP. + +See below for the definition of the "mac2ip" +module. + +mac2ip + +If the MAC wasn't found in that list, do something else. +You could call a Perl, Python, or Java script here. + +if (notfound) { +... +} + +Or, allocate IPs from the DHCP pool in SQL. 
You may need to +set the pool name here if you haven't set it elsewhere. + +If DHCP-Message-Type is not set, returning "ok" or +"updated" from this section will respond with a DHCP-Offer +message. + +Other rcodes will tell the server to not return any response. + + +Response packet type. See DHCP-Discover section above. + +The contents here are invented. Change them! + +Do a simple mapping of MAC to assigned IP. + +See below for the definition of the "mac2ip" +module. + +mac2ip + +If the MAC wasn't found in that list, do something else. +You could call a Perl, Python, or Java script here. + +if (notfound) { +... +} + +Or, allocate IPs from the DHCP pool in SQL. You may need to +set the pool name here if you haven't set it elsewhere. + +If DHCP-Message-Type is not set, returning "ok" or +"updated" from this section will respond with a DHCP-Ack +packet. + +"handled" will not return a packet, all other rcodes will +send back a DHCP-NAK. + + +Other DHCP packet types + +There should be a separate section for each DHCP message type. +By default this configuration will ignore them all. Any packet type +not defined here will be responded to with a DHCP-NAK. + + + + +For Windows 7 boxes + + + +The thing being queried for is implicit +in the packets. + +has MAC, asking for IP, etc. +look up MAC in database + +has IP, asking for MAC, etc. +look up IP in database + +has host name, asking for IP, MAC, etc. +look up identifier in database + + +stop processing + + +We presume that the database lookup returns "notfound" +if it can't find anything. + + + +Add more logic here. Is the lease inactive? +If so, respond with DHCP-Lease-Unassigned. + +Otherwise, respond with DHCP-Lease-Active + + + +Also be sure to return ALL information about +the lease. + + + +The reply types are: + +DHCP-Lease-Unknown +DHCP-Lease-Active +DHCP-Lease-Unassigned + + + + + +This next section is a sample configuration for the "passwd" +module, that reads flat-text files. 
It should go into +radiusd.conf, in the "modules" section. + +The file is in the format , + + +This lets you perform simple static IP assignment. + +There is a preconfigured "mac2ip" module setup in +mods-available/mac2ip. To use it do: + + # cd raddb/ + # ln -s ../mods-available/mac2ip mods-enabled/mac2ip + # mkdir mods-config/passwd + +Then create the file mods-config/passwd/mac2ip with the above +format. + + +This is an example only - see mods-available/mac2ip instead; do +not uncomment these lines here. + + +== Default Configuration + +``` +# This is a virtual server that handles DHCP. +server dhcp { + namespace = dhcpv4 +listen { + type = DHCP-Discover + type = DHCP-Request + type = DHCP-Inform + type = DHCP-Release + type = DHCP-Decline + type = DHCP-Lease-Query + transport = udp + udp { + ipaddr = 127.0.0.1 + port = 6700 +# interface = lo0 + src_ipaddr = 127.0.0.1 + broadcast = no + } +} +#client private { +#} +recv DHCP-Discover { + update reply { + &DHCP-Message-Type = DHCP-Offer + } + update reply { + &DHCP-Domain-Name-Server = 127.0.0.1 + &DHCP-Domain-Name-Server = 127.0.0.2 + &DHCP-Subnet-Mask = 255.255.255.0 + &DHCP-Router-Address = 192.0.2.1 + &DHCP-IP-Address-Lease-Time = 86400 + &DHCP-DHCP-Server-Identifier = 192.0.2.1 + } +# update control { +# &Pool-Name := "local" +# } +# dhcp_sqlippool + ok +} +recv DHCP-Request { + update reply { + &DHCP-Message-Type = DHCP-Ack + } + update reply { + &DHCP-Domain-Name-Server = 127.0.0.1 + &DHCP-Domain-Name-Server = 127.0.0.2 + &DHCP-Subnet-Mask = 255.255.255.0 + &DHCP-Router-Address = 192.0.2.1 + &DHCP-IP-Address-Lease-Time = 86400 + &DHCP-DHCP-Server-Identifier = 192.0.2.1 + } +# update control { +# &Pool-Name := "local" +# } +# dhcp_sqlippool + ok +} +recv DHCP-Decline { + update reply { + &DHCP-Message-Type = DHCP-Do-Not-Respond + } + reject +} +recv DHCP-Inform { + update reply { + &DHCP-Message-Type = DHCP-Do-Not-Respond + } + reject +} +#recv DHCP-Inform { +# update reply { +# Packet-Dst-Port = 67 +# 
DHCP-Message-Type = DHCP-ACK +# DHCP-DHCP-Server-Identifier = "%{Packet-Dst-IP-Address}" +# DHCP-Site-specific-28 = 0x0a00 +# } +# ok +#} +recv DHCP-Release { + update reply { + &DHCP-Message-Type = DHCP-Do-Not-Respond + } + reject +} +recv DHCP-Lease-Query { + if (&DHCP-Client-Hardware-Address) { + } + elsif (&DHCP-Your-IP-Address) { + } + elsif (&DHCP-Client-Identifier) { + } + else { + update reply { + &DHCP-Message-Type = DHCP-Lease-Unknown + } + ok + return + } + if (notfound) { + update reply { + &DHCP-Message-Type = DHCP-Lease-Unknown + } + ok + return + } + update reply { + &DHCP-Message-Type = DHCP-Lease-Unassigned + } +} +} +# 00:01:02:03:04:05,192.0.2.100 +# 01:01:02:03:04:05,192.0.2.101 +# 02:01:02:03:04:05,192.0.2.102 +#passwd mac2ip { +# filename = ${confdir}/mac2ip +# format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address" +# delimiter = "," +#} +``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/proxy.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/proxy.adoc new file mode 100644 index 00000000000..0428df44d88 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/sites-available/proxy.adoc @@ -0,0 +1,43 @@ + + + + + +## Packet Processing sections + +The sections below are called when a RADIUS packet has been +received. + + * recv Access-Request - for authorization and authentication + * recv Status-Server - for checking the server is responding + + + +### Receive Access-Request packets + + + + +== Default Configuration + +``` +server proxy { + namespace = radius + listen { + type = Access-Request + transport = udp + udp { + ipaddr = * + port = 2812 + } + } +recv Access-Request { + update control { + &Auth-Type := proxy + } +} +authenticate proxy { + radius +} +} +``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/tls-cache.orig.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/tls-cache.orig.adoc new file mode 100644 index 00000000000..ea7a7873b07 --- /dev/null 
+++ b/doc/antora/modules/reference/pages/raddb/sites-available/tls-cache.orig.adoc 
@@ -0,0 +1,127 @@ + +This virtual server controls caching of TLS sessions. + +When a TLS session is used, the server will automatically create +the following attributes in the session-state list. These attributes +are the ones for the *server* certificate. + + +If a client certificate is required (e.g. EAP-TLS or sometimes PEAP / TTLS), +the following attributes are also created in the session-state list: + + + + + + +This section is run whenever the server needs to read an +entry from the TLS session cache. + +It should read the attribute &session-state.TLS-Session-Data +from the cache, along with any other attributes which +were in the cache + +On success it should return 'ok' or 'updated'. + +The return code has no real effect on session processing +and will just cause the server to emit a warning. + + + +This section is run whenever the server needs to write an +entry to the TLS session cache. + +It should write the attribute &session-state.Session-Data +to the cache, along with any other attributes which +need to be cached. + +On success it should return 'ok' or 'updated'. + +The return code has no real effect on session processing +and will just cause the server to emit a warning. + + + +This section is run whenever the server needs to delete an +entry from the TLS session cache. + +On success it should return 'ok', 'updated', 'noop' or 'notfound' + +The return code has no real effect on session processing +and will just cause the server to emit a warning. + + + +This section is run after certificate attributes are added +to the request list, and before performing OCSP validation. + +It should read the attribute &control.TLS-OCSP-Cert-Valid +from the cache. + +On success it should return 'ok', 'updated', 'noop' or 'notfound' +To force OCSP validation failure, it should return 'reject'. + + + +This section is run after OCSP validation has completed. + +It should write the attribute &reply.TLS-OCSP-Cert-Valid +to the cache. 
+ +On success it should return 'ok' or 'updated'. + +The return code has no real effect on session processing +and will just cause the server to emit a warning. + + +== Default Configuration + +``` +# TLS-Cert-Serial +# TLS-Cert-Expiration +# TLS-Cert-Subject +# TLS-Cert-Issuer +# TLS-Cert-Common-Name +# TLS-Cert-Subject-Alt-Name-Email +# TLS-Client-Cert-Serial +# TLS-Client-Cert-Expiration +# TLS-Client-Cert-Subject +# TLS-Client-Cert-Issuer +# TLS-Client-Cert-Common-Name +# TLS-Client-Cert-Subject-Alt-Name-Email +server tls-cache { + namespace = tls_cache + load tls-session { + update control { + Cache-Allow-Insert := no + } + cache_tls_session + } + store tls-session { + update control { + Cache-TTL := 0 + } + cache_tls_session + } + clear tls-session { + update control { + Cache-TTL := 0 + Cache-Allow-Insert := no + } + cache_tls_session + } + load ocsp-state { + update control { + Cache-Allow-Insert := no + } + cache_ocsp + } + store ocsp-state { + update control { + Cache-TTL := "%{expr:&reply.TLS-OCSP-Next-Update * -1}" + Cache-Allow-Merge := no + } + cache_ocsp + } +} +``` diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/tls-session.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/tls-session.adoc new file mode 100644 index 00000000000..3e70f4a3951 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/sites-available/tls-session.adoc 
@@ -0,0 +1,210 @@ + +This virtual server controls TLS sessions. + +When a TLS session is used, the server will automatically create +attributes in the session-state list with details extracted from +the client certificate chain. + +The number of certificates decoded depends on the setting of +setting of `attriubte_mode` in the `verify` section of the +appropriate TLS configuration. + +Certificates are decoded into nested attributes e.g. + + +When more than one certificate is decoded, the first ( i.e. +&session-state.TLS-Certificate[0] ) will be the client certificate, +with the next being its issuer. + + + + +This section can be run to verify a client certificate if +additional checks need to be performed beyond standard +checks verification against a trust chain, CRLs and OCSP. + +Attributes extracted from the certificates forming the +client certificate chain will be in the session state list. + +Returning 'ok', 'updated' or 'noop' will cause the verification +to succeed. Other return codes will cause the verification +to fail. + + +Check the client certificate matches a string, and reject otherwise + + + +Check the client certificate common name against the supplied identity + + + +This is a convenient place to call LDAP, for example, when using +EAP-TLS, as it will only be called once, after all certificates as +part of the EAP-TLS challenge process have been verified. + +An example could be to use LDAP to check that the connecting host, as +well as presenting a valid certificate, is also in a group based on +the EAP-Identity (assuming this contains the service principal name). 
+Settings such as the following could be used in the ldap module +configuration: + +basedn = "dc=example, dc=com" +filter = "(servicePrincipalName=%{EAP-Identity})" +base_filter = "(objectClass=computer)" +groupname_attribute = cn +groupmembership_filter = "(&(objectClass=group)(member=%{control.Ldap-UserDn}))" + + + + +Now let's test membership of an LDAP group (the ldap bind user will +need permission to read this group membership): + + + +or, to be more specific, you could use the group's full DN: +if (!%ldap.group("CN=Permitted-Laptops,OU=Groups,DC=example,DC=org")) { + + +This may be a better place to call the files modules when using +EAP-TLS, as it will only be called once, after the challenge-response +iteration has completed. + + + + + +This section is run prior to creating a new TLS session +and can be used to modify session parameters such as +max and min TLS versions. + + + +This section is run whenever the server needs to read an +entry from the TLS session cache. + +It should read the attribute &session-state.TLS-Session-Data +from the cache, along with any other attributes which +were in the cache + +On success it should return 'ok' or 'updated'. + +The return code has no real effect on session processing +and will just cause the server to emit a warning. + + + + +This section is run whenever the server needs to write an +entry to the TLS session cache. + +It should write the attribute &session-state.Session-Data +to the cache, along with any other attributes which +need to be cached. + +On success it should return 'ok' or 'updated'. + +The return code has no real effect on session processing +and will just cause the server to emit a warning. + + + + +This section is run whenever the server needs to delete an +entry from the TLS session cache. + +On success it should return 'ok', 'updated', 'noop' or 'notfound' + +The return code has no real effect on session processing +and will just cause the server to emit a warning. 
+ + + + +This section is run after the TLS session is established. + +It is intended for logging session details such as +TLS version or cipher suite. + + + + +This section is run after certificate attributes are added +to the request list, and before performing OCSP validation. + +It should read the attribute &control.TLS-OCSP-Cert-Valid +from the cache. + +On success it should return 'ok', 'updated', 'noop' or 'notfound' +To force OCSP validation failure, it should return 'reject'. + + + + +This section is run after OCSP validation has completed. + +It should write the attribute &reply.TLS-OCSP-Cert-Valid +to the cache. + +On success it should return 'ok' or 'updated'. + +The return code has no real effect on session processing +and will just cause the server to emit a warning. + + + +== Default Configuration + +``` +# TLS-Certificate = { +# Subject = '...', +# Common-Name = '...', +# Issuer = '...' +# } +server tls-session { + namespace = tls + verify certificate { +# if ("%{session-state.TLS-Certificate.Common-Name}" != 'client.example.com') { +# reject +# } +# if (&EAP-Identity != "host/%{session-state.TLS-Certificate.Common-Name}") { +# reject +# } +# ldap +# if (!%ldap.group("Permitted-Laptops")) { +# reject +# } +# files + ok + } +# new session { +# &control.Max-Version := 1.3 +# &control.Min-Version := 1.2 +# } + load session { + &control.Cache-Allow-Insert := no + cache_tls_session + } + store session { + &control.Cache-TTL := 0 + cache_tls_session + } + clear session { + &control.Cache-TTL := 0 + &control.Cache-Allow-Insert := no + cache_tls_session + } +# establish session { +# } + load ocsp-state { + &control.Cache-Allow-Insert := no + cache_ocsp + } + store ocsp-state { + &control.Cache-TTL := "%{&reply.TLS-OCSP-Next-Update * -1}" + &control.Cache-Allow-Merge := no + cache_ocsp + } +} +``` 
diff --git a/doc/antora/modules/reference/pages/raddb/tacclient.conf.adoc b/doc/antora/modules/reference/pages/raddb/tacclient.conf.adoc new file mode 100644 index 00000000000..fc33758e6e4 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/tacclient.conf.adoc @@ -0,0 +1,73 @@ + + + + += FreeRADIUS Client configuration file - 4.0.0 + + + + + + + + +Does nothing other than send packets. It doesn't listen on any input sockets. + + + + + + + +== Default Configuration + +``` +modules { +tacacs { + transport = tcp + type = Authentication-Start + type = Authentication-Continue + type = Authorization-Request + type = Accounting-Request + tcp { + ipaddr = $ENV{TACCLIENT_SERVER} + port = 4900 +# port = $ENV{TACCLIENT_PORT} + secret = $ENV{TACCLIENT_SECRET} + } + pool { + start = 1 + min = 1 + max = 1 + connection { + connect_timeout = 3.0 + reconnect_delay = 0 + } + } +} +} +log { + colourise = yes +} +server default { + namespace = tacacs + listen { + type = Authentication-Start + type = Authentication-Continue + type = Authorization-Request + type = Accounting-Request + } + recv Authentication-Start { + tacacs + } + recv Authentication-Continue { + tacacs + } + recv Authorization-Request { + tacacs + } + recv Accounting-Request { + tacacs + } +} +``` diff --git a/doc/antora/modules/reference/pages/raddb/test.conf.adoc b/doc/antora/modules/reference/pages/raddb/test.conf.adoc new file mode 100644 index 00000000000..63029516d80 --- /dev/null +++ b/doc/antora/modules/reference/pages/raddb/test.conf.adoc @@ -0,0 +1,9 @@ + +== Default Configuration + +``` +security { + allow_vulnerable_openssl = yes +} +$INCLUDE radiusd.conf +``` diff --git a/doc/antora/modules/reference/pages/unlang/foo b/doc/antora/modules/reference/pages/unlang/foo new file mode 100644 index 00000000000..0df9e90e1f7 --- /dev/null +++ b/doc/antora/modules/reference/pages/unlang/foo @@ -0,0 +1 @@ +Ethan Robert Thompson . DOB: November 9th, 1998 \ No newline at end of file 
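Review bot: The new file `doc/antora/modules/reference/pages/unlang/foo` is a single line holding what appears to be a real person's name and date of birth, unrelated to the radutmp removal this commit describes; it should be removed from the commit, and if the data is genuine the branch history should be rewritten before it reaches a public branch rather than deleting the file in a follow-up. The same problem of unrelated scratch content applies to `unlang/function.adoc` (design notes such as "you can define functions inside of functions (why not?)") and the two-line `unlang/guide.adoc` stub in the next physical line, both of which will be published as reference pages. `test.conf.adoc` in this line renders a configuration whose only setting is `allow_vulnerable_openssl = yes` with no explanatory text; a sentence above the fence such as `This file is used only by the test suite: as I understand it, it disables the server's refusal to start on an OpenSSL build with known vulnerabilities, and must not be included from a production radiusd.conf.` would keep readers from copying it.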
diff --git a/doc/antora/modules/reference/pages/unlang/function.adoc b/doc/antora/modules/reference/pages/unlang/function.adoc new file mode 100644 index 00000000000..600d75f4379 --- /dev/null +++ b/doc/antora/modules/reference/pages/unlang/function.adoc @@ -0,0 +1,31 @@ +you can define functions inside of functions (why not?) + +you can put functions into classes. that defines the prefix, and the protocol. + +otherwise the function must be generic, and not use any protocol-specific attributes. + +class foo { + proto = dhcpv4 + +} + +function uint32 foo(uint32 bar, uint32 baz) +{ + + + return fff +} + +and if the compiler finds a function which is referenced but doesn't exist, it looks in raddb/lib/func/foo/bar +with `.` replaced by `/`. + +it should load the default class description in raddb/lib/class-name/DEFS + +in xlat_tokenize(), when we get XLAT_FUNC_UNRESOLVED, add it to the unresolved function tree. + +then + +while (pop(tree)) { + load function + compile function +} diff --git a/doc/antora/modules/reference/pages/unlang/guide.adoc b/doc/antora/modules/reference/pages/unlang/guide.adoc new file mode 100644 index 00000000000..d142832ce5e --- /dev/null +++ b/doc/antora/modules/reference/pages/unlang/guide.adoc @@ -0,0 +1,2 @@ +# A Helpful Guide with Hints + diff --git a/doc/antora/modules/tutorials/assets/images/server_schematic.svg b/doc/antora/modules/tutorials/assets/images/server_schematic.svg index 54942928b2b..9ce7b1e15e7 100644 --- a/doc/antora/modules/tutorials/assets/images/server_schematic.svg +++ b/doc/antora/modules/tutorials/assets/images/server_schematic.svg @@ -501,8 +501,6 @@ fill:#000000;"/> unix -radutmp - Home server authorize diff --git a/doc/antora/modules/tutorials/pages/accounting.adoc b/doc/antora/modules/tutorials/pages/accounting.adoc index c2b0fac863e..63ba5b3e692 100644 --- a/doc/antora/modules/tutorials/pages/accounting.adoc +++ b/doc/antora/modules/tutorials/pages/accounting.adoc 
@@ -8,11 +8,20 @@ log the accounting requests. *Files:* - `/var/radacct/127.0.0.1/detail*` -- `/var/log/radius/radutmp` -*Modules:* rlm_detail, rlm_radutmp +*Modules:* detail + +[NOTE] +====================================================================== +This documentation is out of date for v4, and needs to be fixed. + +The `radlast` and `radwho` programs are no longer included with the +server. + +The `radutmp` module is no longer included with the server. +We recommend using sqlite instead of flat-text databases. +====================================================================== -*Programs*: radwho, radlast In addition to authorization and authentication, one of the primary roles of a RADIUS server is to record accounting information supplied by an NAS. In this @@ -23,13 +32,6 @@ an NAS when a user logs in. Use the entry in the file from the exercise in xref:new_user.adoc[New User] for user "bob". -[NOTE] -======================================================================== -For FreeRADIUS v3.0.x and later, before starting you should open -`raddb/sites-available/default` and uncomment all references to the "radutmp" -module. -======================================================================== - You may create accounting packets by hand for this exercise, but we suggest that the follow test packets from the `exercises/packets` directory be used in this exercise: @@ -80,7 +82,7 @@ You should see output containing lines similar to the following: ----------------------------------------------------------------------------------- Other modules that should be referenced for "accounting" are the -"preprocess", "suffix", "detail", "unix", and "radutmp" modules. We +"preprocess", "suffix", "detail", and "sql" modules. We will work through the operation of these modules in a moment. Now, run the `radwho` and `radlast` programs again: 
diff --git a/doc/antora/modules/tutorials/pages/simultaneous_use.adoc b/doc/antora/modules/tutorials/pages/simultaneous_use.adoc index cbabe66f270..859a6197a41 100644 --- a/doc/antora/modules/tutorials/pages/simultaneous_use.adoc +++ b/doc/antora/modules/tutorials/pages/simultaneous_use.adoc @@ -9,8 +9,6 @@ time. *Files:* - `etc/raddb/users` -- `etc/raddb/mods-available/radutmp` -- `/var/log/radius/radutmp` For this exercise, you are assumed to have previously worked through, and be familiar with, the accounting exercise from @@ -22,14 +20,14 @@ logging into the server, and then attempting a simultaneous login for a second session, while still logged in for the first session. You should run the `bob-login-one.sh` and `bob-acct-start.sh` -scripts, to simulate a successful user login. You should use the -`radwho` program to verify that the server knows that the user is logged +scripts, to simulate a successful user login. You should check the database +to verify that the server knows that the user is logged in. You should then run the `bob-login-two.sh`, and observe that the second authentication request succeeds. The login record should be -removed through running the `bob-acct-stop.sh` script, and you -should use the `radwho` program to verify that no one is currently +removed through running the `bob-acct-stop.sh` script, and check the database +to verify that no one is currently logged in. you should now read the `Simultaneous-Use` file in the diff --git a/man/man1/radlast.1 b/man/man1/radlast.1 deleted file mode 100644 index ff48f229254..00000000000 --- a/man/man1/radlast.1 +++ /dev/null 
@@ -1,21 +0,0 @@ -.TH RADLAST 1 "22 February 2001" "" "FreeRADIUS Daemon" -.SH NAME -radlast - show "last" info from the radwtmp file -.SH SYNOPSIS -.B radlast -.IR [ options ] -.SH DESCRIPTION -The FreeRADIUS server can write an accounting log in the -\fIwtmp\fP format of the local system. \fBradlast\fP is a frontend -for the systems \fBlast\fP command - it just calls \fBlast\fP -with the \fI-f path_to_radwtmp_file\fP argument, and passes all -options on the command line to the system \fBlast\fP command. -.SH OPTIONS -See the manpage of the system \fBlast\fP command. -.SH SEE ALSO -radiusd(8), -radiusd.conf(5), -wtmp(5), -last(1). -.SH AUTHOR -Miquel van Smoorenburg, miquels@cistron.nl. diff --git a/man/man1/radwho.1 b/man/man1/radwho.1 deleted file mode 100644 index c131255485d..00000000000 --- a/man/man1/radwho.1 +++ /dev/null 
@@ -1,99 +0,0 @@ -.TH RADWHO 1 "17 Feb 2013" "" "FreeRADIUS Daemon" -.SH NAME -radwho - show online users -.SH SYNOPSIS -.B radwho -.RB [ \-c ] -.RB [ \-d -.IR raddb_directory ] -.RB [ \-F -.IR radutmp_file ] -.RB [ \-i ] -.RB [ \-n ] -.RB [ \-N -.IR nas_ip_address ] -.RB [ \-p ] -.RB [ \-P -.IR nas_port ] -.RB [ \-r ] -.RB [ \-R ] -.RB [ \-s ] -.RB [ \-S ] -.RB [ \-u -.IR user ] -.RB [ \-U -.IR user ] -.RB [ \-Z ] -.SH DESCRIPTION -The FreeRADIUS server can be configured to maintain an active session -database in a file called \fIradutmp\fP. This utility shows the -content of that session database. -.SH OPTIONS -.IP \-c -Shows caller ID (if available) instead of the full name. -.IP \-d\ \fIraddb_directory\fP -The directory that contains the RADIUS configuration files. Defaults to -\fI/etc/raddb\fP. -.IP \-F\ \fIradutmp_file\fP -The file that contains the radutmp file. If this is specified, \-d is -not necessary. -.IP \-i -Shows the session ID instead of the full name. -.IP \-n -Normally radwho looks up the username in the systems password file, -and shows the full username as well. The \fB-n\fP flags prevents this. -.IP \-N\ \fInas_ip_address\fP -Show only those entries which match the given NAS IP address. -.IP \-p -Adds an extra column for the port type - I for ISDN, A for Analog. -.IP \-P\ \fInas_port\fP -Show only those entries which match the given NAS port. -.IP \-r -Outputs all data in \fIraw\fP format - no headers, no formatting, -fields are comma-separated. -.IP \-R -Output all data in RADIUS attribute format. All fields are printed. -.IP \-s -Show full name. -.IP \-S -Hide shell users. Doesn't show the entries for users that do not -have a SLIP or PPP session. -.IP \-u\ \fIuser\fP -Show only those entries which match the given username (case insensitive). -.IP \-U\ \fIuser\fP -Show only those entries which match the given username (case sensitive). 
-.IP \-Z -When combined with \fI-R\fP, prints out the contents of an -Accounting-Request packet which can be passed to \fIradclient\fP, in -order to "zap" that users session from \fIradutmp\fP. -.PP -For example, -.RS -.sp -.nf -.ne 3 -$ radwho -ZRN 10.0.0.1 | radclient -f - radius.example.net acct testing123 -.fi -.sp -.RE -will result in all an Accounting-Request packet being sent to the -RADIUS server, which tells the server that the NAS rebooted. i.e. It -"zaps" all of the users on that NAS. - -To "zap" one user, specify NAS, username, and NAS port: -.RS -.sp -.nf -.ne 3 -$ radwho -ZRN 10.0.0.1 -u user -P 10 | radclient -f - radius.example.net acct testing123 -.fi -.sp -.RE -Other combinations are also possible. - -.SH SEE ALSO -radiusd(8), -radclient(1), -radiusd.conf(5). -.SH AUTHOR -Miquel van Smoorenburg, miquels@cistron.nl. diff --git a/man/man1/radzap.1 b/man/man1/radzap.1 deleted file mode 100644 index e39da9a1c0c..00000000000 --- a/man/man1/radzap.1 +++ /dev/null 
@@ -1,68 +0,0 @@ -.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon" -.SH NAME -radzap - remove rogue entries from the active sessions database -.SH SYNOPSIS -.B radzap -.RB [ \-d -.IR raddb_directory ] -.RB [ \-h ] -.RB [ \-N -.IR nas_ip_address ] -.RB [ \-P -.IR nas_port ] -.RB [ \-u -.IR user ] -.RB [ \-U -.IR user ] -.RB [ \-x ] -\fIserver[:port] secret\fP -.SH DESCRIPTION -The FreeRADIUS server can be configured to maintain an active session -database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1) -use this database. Sometimes that database can get out of sync, and -then it might contain rogue entries. \fBradzap\fP can clean up this -database. - -As of FreeRADIUS 1.1.0, \fBradzap\fP is a simple shell-script wrapper -around \fBradwho\fP(1) and \fBradclient\fP(1). - -The sessions are "zapped" by sending an Accounting-Request packet -which contains the information necessary for the server to delete the -session record. \fBradzap\fP sends a packet to the server, rather -than writing to \fIradutmp\fP directly, because session records may -also be maintained in SQL. -.SH OPTIONS -.IP \-d\ \fIraddb_directory\fP -The directory that contains the RADIUS configuration files. -\fBradzap\fP reads \fIradiusd.conf\fP to determine the location of the -\fIradutmp\fP file. -.IP \-h -Print usage help information. -.IP \-N\ \fInas_ip_address\fP -Zap the entries which match the given NAS IP address. -.IP \-P\ \fInas_port\fP -Zap the entries which match the given NAS port. -.IP \-u\ \fIuser\fP -Zap the entries which match the given username (case insensitive). -.IP \-U\ \fIuser\fP -Zap the entries which match the given username (case sensitive). -.IP \-x -Enable debugging output. -.IP server[:port] -The hostname or IP address of the remote server. Optionally a UDP port -can be specified. If no UDP port is specified, it is looked up in -\fI/etc/services\fP. The service name looked for is \fBradacct\fP for -accounting packets, and \fBradius\fP for all other requests. 
If a -service is not found in \fI/etc/services\fP, 1813 and 1812 are used -respectively. -.IP secret -The shared secret for this client. It needs to be defined on the -radius server side too, for the IP address you are sending the radius -packets from. -.SH SEE ALSO -radwho(1), -radclient(1), -radiusd(8), -radiusd.conf(5). -.SH AUTHOR -Alan DeKok diff --git a/raddb/all.mk b/raddb/all.mk index 38a5ae3f850..84e59a32a49 100644 --- a/raddb/all.mk +++ b/raddb/all.mk @@ -10,8 +10,8 @@ LOCAL_SITES := $(addprefix raddb/sites-enabled/,$(DEFAULT_SITES)) DEFAULT_MODULES := always attr_filter cache_eap chap client \ delay detail detail.log digest eap \ eap_inner echo escape exec files linelog \ - mschap ntlm_auth pap passwd radutmp \ - sradutmp stats unix unpack utf8 + mschap ntlm_auth pap passwd \ + stats unix unpack utf8 LOCAL_MODULES := $(addprefix raddb/mods-enabled/,$(DEFAULT_MODULES)) diff --git a/raddb/mods-available/radutmp b/raddb/mods-available/radutmp deleted file mode 100644 index c7ea4194253..00000000000 --- a/raddb/mods-available/radutmp +++ /dev/null 
@@ -1,68 +0,0 @@ -# -*- text -*- -# -# -# $Id$ - -####################################################################### -# -# = Radutmp Module -# -# The `radutmp` module writes a `utmp` style file, of which users are -# currently logged in, and where they've logged in from. -# -# This file is used mainly for `Simultaneous-Use` checking, -# and also `radwho`, to see who's currently logged in. -# -# See also `man 5 utmp`. -# - -# -# ## Configuration Settings -# -radutmp { - # - # filename:: Where the file is stored. - # - # It's not a log file, so it doesn't need rotating. - # - filename = ${logdir}/radutmp - - # - # username:: The field in the packet to key on for the users name. - # - # If you have other fields which you want to use to key on to control - # `Simultaneous-Use`, then you can use them here. - # - # However, that the size of the field in the `utmp` data - # structure is small, around `32` characters, so that will limit - # the possible choices of keys. - # - # TIP: You may want instead: `%{&Stripped-User-Name || &User-Name}`. - # - username = %{User-Name} - - # - # check_with_nas:: Accounting information may be lost, so the user MAY - # have logged off of the NAS, but we haven't noticed. - # - # If so, we can verify this information with the NAS. - # - # If we want to believe the 'utmp' file, then this configuration entry - # can be set to `no`. - # - check_with_nas = yes - - # - # permissions:: Set the file permissions, as the contents of this file - # are usually private. - # - permissions = 0600 - - # - # caller_id:: If enabled, it will extract the field `Calling-Station-Id` from - # the packet and store as `username` information. - # - # Default is `no`. - # -# caller_id = "yes" -} diff --git a/raddb/mods-available/sradutmp b/raddb/mods-available/sradutmp deleted file mode 100644 index 51ee66524d3..00000000000 --- a/raddb/mods-available/sradutmp +++ /dev/null 
@@ -1,30 +0,0 @@ -# -*- text -*- -# -# -# $Id$ - -####################################################################### -# -# = sRadutmp Module -# -# The `sradutmp` module is a _Safe Radutmp_. -# -# It does not contain caller ID, so it can be world-readable, and `radwho` -# can work for normal users, without exposing any information that isn't -# already exposed by who(1). -# -# This is another _instance_ of the `radutmp` module, but it is given -# then name `sradutmp` to identify it later in the `accounting` -# section. -# - -# -# ## Configuration Settings -# -# See the `radutmp` module for common configuration explanation. -# -radutmp sradutmp { - filename = ${logdir}/sradutmp - permissions = 0644 - caller_id = "no" -} diff --git a/raddb/mods-available/unix b/raddb/mods-available/unix index 0529fa24c9c..ab4ed006098 100644 --- a/raddb/mods-available/unix +++ b/raddb/mods-available/unix @@ -32,22 +32,13 @@ # The old `Unix-Group`, `Group`, and `Group-Name` attributes and comparisons # are no longer supported. # +# All of `radutmp`, `radwho`, `radlast`, and `radzap` have been removed. +# +# You can no longer have the `unix` module process accounting packets. +# # # ## Configuration Settings # unix { - # - # radwtmp:: The location of the `wtmp` file. - # - # The only use for `radlast`. If you don't use `radlast`, - # then you can comment out this item. - # - # NOTE: The radwtmp file may get large! You should rotate it - # (cp /dev/null radwtmp), or just not use it. - # - # The default is to not use radwtmp files. It's better to - # use a database. - # -# radwtmp = ${logdir}/radwtmp } diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in index 4908aeceae2..4c74606cdf0 100644 --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in 
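Review bot: After removing `radwtmp`, the `unix { ... }` section in mods-available/unix is left empty beneath a `## Configuration Settings` heading, and the new comment explains what was removed but not what a site that referenced `unix` or `radutmp` in its accounting section should use now. A line inside the block such as `# This module currently has no configuration items.` plus a pointer in the new comment, e.g. `# Session tracking for Simultaneous-Use should now use a database, e.g. the "sql" module.`, would make the file self-explanatory. The statement that the `unix` module can no longer process accounting packets assumes the module's accounting handler is removed in the rlm_unix source change, which is not in this part of the diff.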
@@ -703,8 +703,9 @@ modules { # inventing two 'instance' names, e.g. 'instance1' and 'instance2' # # The instance names can then be used in later configuration - # INSTEAD of the original 'name'. See the 'radutmp' configuration - # for an example. + # INSTEAD of the original 'name'. e.g. instead of `pap { ...}`, + # you can use `pap other {...}`. The `other` name will then be + # a reference to the second PAP module. # # diff --git a/raddb/sites-available/decoupled-accounting b/raddb/sites-available/decoupled-accounting index e9e2526e40f..9c18d7964d8 100644 --- a/raddb/sites-available/decoupled-accounting +++ b/raddb/sites-available/decoupled-accounting @@ -76,19 +76,6 @@ send Accounting-Response { detail # daily - # Update the wtmp file - # - # If you don't use "radlast", you can delete this line. - unix - - # - # For Simultaneous-Use tracking. - # - # Due to packet losses in the network, the data here - # may be incorrect. There is little we can do about it. - radutmp -# sradutmp - # # Return an address to the IP Pool when we see a stop record. # diff --git a/raddb/sites-available/default b/raddb/sites-available/default index 3afd25fb1d2..729b659a0f5 100644 --- a/raddb/sites-available/default +++ b/raddb/sites-available/default @@ -1512,22 +1512,6 @@ send Accounting-Response { # # daily - # - # Update the wtmp file. - # - # This is only relevant if you use "radlast". - # -# unix - - # - # For Simultaneous-Use tracking. - # - # Due to packet losses in the network, the data here may - # be incorrect. There is little we can do about it. - # -# radutmp -# sradutmp - # # Cisco VoIP specific bulk accounting. # diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate index dba48935044..db0245e81e2 100644 --- a/redhat/freeradius-logrotate +++ b/redhat/freeradius-logrotate 
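Review bot: In sites-available/decoupled-accounting the removed `unix` and `radutmp` calls in `send Accounting-Response` were live (not commented out, unlike the equivalent lines in sites-available/default), so a deployment built on this site file loses its only session-store update on upgrade, and any `Simultaneous-Use` enforcement that depended on the radutmp data stops working without any error being raised. The hunk leaves nothing in their place, so I would keep a comment where they were: `# Session tracking for Simultaneous-Use (formerly "radutmp") now requires a database, e.g. the "sql" module.` Whether `Simultaneous-Use` checking still behaves sensibly with no session store configured depends on code outside this diff, and is worth a line in the upgrade notes.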
@@ -15,7 +15,6 @@ # Session monitoring utilities, session database modules and # SQL log files /var/log/radius/checkrad.log /var/log/radius/radwatch.log -/var/log/radius/radutmp /var/log/radius/radwtmp /var/log/radius/sqllog.sql { nocreate monthly diff --git a/redhat/freeradius.spec b/redhat/freeradius.spec index c5d05cf8e44..35166a29799 100644 --- a/redhat/freeradius.spec +++ b/redhat/freeradius.spec @@ -745,7 +745,7 @@ RADDB=$RPM_BUILD_ROOT%{_sysconfdir}/raddb # logs %__mkdir_p $RPM_BUILD_ROOT/var/log/radius/radacct -touch $RPM_BUILD_ROOT/var/log/radius/{radutmp,radius.log} +touch $RPM_BUILD_ROOT/var/log/radius/radius.log %__install -D -m 644 %{SOURCE102} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd %__install -D -m 644 %{SOURCE103} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd @@ -908,7 +908,6 @@ fi # logs %dir %attr(700,radiusd,radiusd) /var/log/radius/ %dir %attr(700,radiusd,radiusd) /var/log/radius/radacct/ -%ghost %attr(644,radiusd,radiusd) /var/log/radius/radutmp %ghost %attr(600,radiusd,radiusd) /var/log/radius/radius.log # @@ -1020,7 +1019,6 @@ fi %{_libdir}/freeradius/rlm_pap.so %{_libdir}/freeradius/rlm_passwd.so %{_libdir}/freeradius/rlm_radius.so -%{_libdir}/freeradius/rlm_radutmp.so %{_libdir}/freeradius/rlm_sometimes.so %{_libdir}/freeradius/rlm_sql.so %{_libdir}/freeradius/rlm_sql_null.so @@ -1186,21 +1184,15 @@ fi /usr/bin/radclient /usr/bin/radcrypt /usr/bin/radict -/usr/bin/radlast /usr/bin/radsniff /usr/bin/radsqlrelay /usr/bin/radtest /usr/bin/raduat -/usr/bin/radwho -/usr/bin/radzap /usr/bin/smbencrypt # man-pages %doc %{_mandir}/man1/dhcpclient.1.gz %doc %{_mandir}/man1/radclient.1.gz -%doc %{_mandir}/man1/radlast.1.gz %doc %{_mandir}/man1/radtest.1.gz -%doc %{_mandir}/man1/radwho.1.gz -%doc %{_mandir}/man1/radzap.1.gz %doc %{_mandir}/man8/radsniff.8.gz %doc %{_mandir}/man8/radsqlrelay.8.gz diff --git a/scripts/logrotate/freeradius b/scripts/logrotate/freeradius index 8746a938119..7a04ca50a24 100644 --- a/scripts/logrotate/freeradius 
+++ b/scripts/logrotate/freeradius @@ -26,10 +26,6 @@ # SQL log files # /var/log/radius/sqllog.sql -# -# Session database modules -# -/var/log/radius/radutmp /var/log/radius/radwtmp # There are different detail-rotating strategies you can use. One is # to write to a single detail file per IP and use the rotate config # below. Another is to write to a daily detail file per IP with: diff --git a/src/bin/.gitignore b/src/bin/.gitignore index a0477d58a34..c9b3ed4a53a 100644 --- a/src/bin/.gitignore +++ b/src/bin/.gitignore @@ -1,4 +1,3 @@ checkrad -radlast radtest fuzzer_*.mk diff --git a/src/bin/all.mk b/src/bin/all.mk index 88d00d5b965..7f141018394 100644 --- a/src/bin/all.mk +++ b/src/bin/all.mk @@ -3,14 +3,11 @@ SUBMAKEFILES := \ radclient-ng.mk \ radict.mk \ radiusd.mk \ - radlast.mk \ radlock.mk \ radsniff.mk \ radsnmp.mk \ radsizes.mk \ - radwho.mk \ radtest.mk \ - radzap.mk \ dhcpclient.mk \ unit_test_attribute.mk \ unit_test_map.mk \ diff --git a/src/bin/radlast.in b/src/bin/radlast.in deleted file mode 100755 index 69867bb954f..00000000000 --- a/src/bin/radlast.in +++ /dev/null @@ -1,7 +0,0 @@ -#! /bin/sh - -prefix=@prefix@ -localstatedir=@localstatedir@ -logdir=@logdir@ - -exec last -f $logdir/radwtmp "$@" diff --git a/src/bin/radlast.mk b/src/bin/radlast.mk deleted file mode 100644 index 21a6124677a..00000000000 --- a/src/bin/radlast.mk +++ /dev/null @@ -1,5 +0,0 @@ -install: $(R)$(bindir)/radlast - -$(R)$(bindir)/radlast: src/bin/radlast | $(R)$(bindir) - @echo INSTALL $(notdir $<) - @$(INSTALL) -m 755 $< $(R)$(bindir) diff --git a/src/bin/radwho.c b/src/bin/radwho.c deleted file mode 100644 index 662d3989b02..00000000000 --- a/src/bin/radwho.c +++ /dev/null 
@@ -1,575 +0,0 @@ -/*@-skipposixheaders@*/ -/* - * radwho.c Show who is logged in on the terminal servers. - * - * Version: $Id$ - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA - * - * @copyright 2000,2006 The FreeRADIUS server project - * @copyright 2000 Alan DeKok (aland@freeradius.org) - */ - -RCSID("$Id$") - -#include -#include -#include -#include - -#include - -#include -#include -#include - -/* - * Header above output and format. - */ -static char const *hdr1 = -"Login Name What TTY When From Location"; - -static char const *hdr2 = -"Login Port What When From Location"; - -static char const *eol = "\n"; -static int showname = -1; -static int showptype = 0; -static int showcid = 0; -static char const *progname = "radwho"; - -static char const *radutmp_file = NULL; - -static struct radutmp_config_t { - char const *radutmp_fn; -} radutmpconfig; - -static const conf_parser_t module_config[] = { - { FR_CONF_POINTER("filename", FR_TYPE_STRING, CONF_FLAG_FILE_INPUT, &radutmpconfig.radutmp_fn), .dflt = RADUTMP }, - CONF_PARSER_TERMINATOR -}; - -/* - * Get fullname of a user. 
- */ -static char *fullname(char *username) -{ -#ifdef HAVE_PWD_H - struct passwd *pwd; - char *s; - - if ((pwd = getpwnam(username)) != NULL) { - if ((s = strchr(pwd->pw_gecos, ',')) != NULL) *s = 0; - return pwd->pw_gecos; - } -#endif - - return username; -} - -/* - * Return protocol type. - */ -static char const *proto(int id, int porttype) -{ - static char buf[8]; - - if (showptype) { - if (!strchr("ASITX", porttype)) - porttype = ' '; - if (id == 'S') - snprintf(buf, sizeof(buf), "SLP %c", porttype); - else if (id == 'P') - snprintf(buf, sizeof(buf), "PPP %c", porttype); - else - snprintf(buf, sizeof(buf), "shl %c", porttype); - return buf; - } - if (id == 'S') return "SLIP"; - if (id == 'P') return "PPP"; - return "shell"; -} - -/* - * Return a time in the form day hh:mm - */ -static char *dotime(time_t t) -{ - /* - * man 3 ctime - * The caller must provide the output buffer buf - * (which must be at least 26 characters long) - */ - static char buff[26]; - char *s = ctime_r(&t, buff); - - if (showname) { - strlcpy(s + 4, s + 11, 6); - s[9] = 0; - } else { - strlcpy(s + 4, s + 8, 9); - s[12] = 0; - } - - return s; -} - - -/* - * Print address of NAS. - */ -static char const *hostname(char *buf, size_t buflen, uint32_t ipaddr) -{ - /* - * WTF is this code for? - */ - if (ipaddr == 0 || ipaddr == (uint32_t)-1 || ipaddr == (uint32_t)-2) - return ""; - - return inet_ntop(AF_INET, &ipaddr, buf, buflen); - -} - - -/* - * Print usage message and exit. 
- */ -static NEVER_RETURNS void usage(int status) -{ - FILE *output = status?stderr:stdout; - - fprintf(output, "Usage: radwho [-d raddb] [-cfihnprRsSZ] [-N nas] [-P nas_port] [-u user] [-U user]\n"); - fprintf(output, " -c Show caller ID, if available.\n"); - fprintf(output, " -d Set the raddb directory (default is %s).\n", RADIUS_DIR); - fprintf(output, " -F Use radutmp .\n"); - fprintf(output, " -i Show session ID.\n"); - fprintf(output, " -n No full name.\n"); - fprintf(output, " -N Show entries matching the given NAS IP address.\n"); - fprintf(output, " -p Show port type.\n"); - fprintf(output, " -P Show entries matching the given nas port.\n"); - fprintf(output, " -r Print output as raw comma-delimited data.\n"); - fprintf(output, " -R Print output as RADIUS attributes and values.\n"); - fprintf(output, " includes ALL information from the radutmp record.\n"); - fprintf(output, " -s Show full name.\n"); - fprintf(output, " -S Hide shell users from radius.\n"); - fprintf(output, " -u Show entries matching the given user.\n"); - fprintf(output, " -U Like -u, but case-sensitive.\n"); - fprintf(output, " -Z Include accounting stop information in radius output. 
Requires -R.\n"); - fr_exit_now(status); -} - -/** - * - * @hidecallgraph - */ -int main(int argc, char **argv) -{ - CONF_SECTION *maincs, *cs; - FILE *fp; - struct radutmp rt; - char othername[256]; - char nasname[1024]; - char session_id[sizeof(rt.session_id)+1]; - int hideshell = 0; - int showsid = 0; - int rawoutput = 0; - int radiusoutput = 0; /* Radius attributes */ - char const *portind; - int c; - unsigned int portno; - char buffer[2048]; - char const *user = NULL; - int user_cmp = 0; - time_t now = 0; - uint32_t nas_port = ~0; - uint32_t nas_ip_address = INADDR_NONE; - int zap = 0; - fr_dict_t *dict = NULL; - TALLOC_CTX *autofree; - - char const *p; - main_config_t *config; - int ret = EXIT_SUCCESS; - - /* - * Must be called first, so the handler is called last - */ - fr_atexit_global_setup(); - - autofree = talloc_autofree_context(); - -#ifndef NDEBUG - if (fr_fault_setup(autofree, getenv("PANIC_ACTION"), argv[0]) < 0) { - fr_perror("%s", main_config->name); - fr_exit_now(EXIT_FAILURE); - } -#endif - - talloc_set_log_stderr(); - - /* - * Allocate the main config structure. - * It's allocating so we can hang talloced buffers off it. 
- */ - config = main_config_alloc(autofree); - if (!config) { - fr_perror("Failed allocating main config"); - fr_exit_now(EXIT_FAILURE); - } - - p = strrchr(argv[0], FR_DIR_SEP); - if (!p) { - main_config_name_set_default(config, argv[0], false); - } else { - main_config_name_set_default(config, p + 1, false); - } - - while((c = getopt(argc, argv, "d:D:fF:hnN:sSipP:crRu:U:Z")) != -1) switch (c) { - case 'd': - main_config_raddb_dir_set(config, optarg); - break; - case 'D': - main_config_dict_dir_set(config, optarg); - break; - case 'F': - radutmp_file = optarg; - break; - case 'h': - usage(EXIT_SUCCESS); /* never returns */ - case 'S': - hideshell = 1; - break; - case 'n': - showname = 0; - break; - case 'N': - if (inet_pton(AF_INET, optarg, &nas_ip_address) <= 0) { - usage(EXIT_FAILURE); - } - break; - case 's': - showname = 1; - break; - case 'i': - showsid = 1; - break; - case 'p': - showptype = 1; - break; - case 'P': - nas_port = atoi(optarg); - break; - case 'c': - showcid = 1; - showname = 1; - break; - case 'r': - rawoutput = 1; - break; - case 'R': - radiusoutput = 1; - now = time(NULL); - break; - case 'u': - user = optarg; - user_cmp = 0; - break; - case 'U': - user = optarg; - user_cmp = 1; - break; - case 'Z': - zap = 1; - break; - - default: - usage(1); /* never returns */ - } - - /* - * Mismatch between the binary and the libraries it depends on - */ - if (fr_check_lib_magic(RADIUSD_MAGIC_NUMBER) < 0) { - fr_perror("%s", main_config->name); - return 1; - } - - if (!fr_dict_global_ctx_init(NULL, true, config->dict_dir)) { - fr_perror("%s", main_config->name); - fr_exit_now(EXIT_FAILURE); - } - - - if (fr_dict_internal_afrom_file(&dict, FR_DICTIONARY_INTERNAL_DIR, __FILE__) < 0) { - fr_perror("%s", config->name); - fr_exit_now(EXIT_FAILURE); - } - - if (fr_dict_read(dict, config->raddb_dir, FR_DICTIONARY_FILE) == -1) { - PERROR("Failed to initialize the dictionaries"); - return 1; - } - fr_strerror_clear(); /* Clear the error buffer */ - - /* - * Be 
safe. - */ - if (zap && !radiusoutput) zap = 0; - - /* - * zap EVERYONE, but only on this nas - */ - if (zap && !user && (~nas_port == 0)) { - /* - * We need to know which NAS to zap users in. - */ - if (nas_ip_address == INADDR_NONE) usage(1); - - printf("Acct-Status-Type = Accounting-Off\n"); - printf("NAS-IP-Address = %s\n", - hostname(buffer, sizeof(buffer), nas_ip_address)); - printf("Acct-Delay-Time = 0\n"); - fr_exit_now(0); /* don't bother printing anything else */ - } - - if (radutmp_file) goto have_radutmp; - - /* Read radiusd.conf */ - maincs = cf_section_alloc(NULL, NULL, "main", NULL); - if (!maincs) fr_exit_now(EXIT_FAILURE); - - snprintf(buffer, sizeof(buffer), "%.200s/radiusd.conf", config->raddb_dir); - if ((cf_file_read(maincs, buffer) < 0) || (cf_section_pass2(maincs) < 0)) { - fr_perror("%s: Error reading or parsing radiusd.conf\n", argv[0]); - talloc_free(maincs); - fr_exit_now(EXIT_FAILURE); - } - - cs = cf_section_find(maincs, "modules", NULL); - if (!cs) { - fr_perror("%s: No modules section found in radiusd.conf\n", argv[0]); - fr_exit_now(EXIT_FAILURE); - } - /* Read the radutmp section of radiusd.conf */ - cs = cf_section_find(cs, "radutmp", NULL); - if (!cs) { - fr_perror("%s: No configuration information in radutmp section of radiusd.conf\n", argv[0]); - fr_exit_now(EXIT_FAILURE); - } - - if (cf_section_rules_push(cs, module_config) < 0) fr_exit_now(EXIT_FAILURE); - cf_section_parse(maincs, NULL, cs); - - /* Assign the correct path for the radutmp file */ - radutmp_file = radutmpconfig.radutmp_fn; - - have_radutmp: - if (showname < 0) showname = 1; - - /* - * Show the users logged in on the terminal server(s). - */ - if ((fp = fopen(radutmp_file, "r")) == NULL) { - fr_perror("%s: Error reading %s: %s\n", - progname, radutmp_file, fr_syserror(errno)); - return 0; - } - - /* - * Don't print the headers if raw or RADIUS - */ - if (!rawoutput && !radiusoutput) { - fputs(showname ? 
hdr1 : hdr2, stdout); - fputs(eol, stdout); - } - - /* - * Read the file, printing out active entries. - */ - while (fread(&rt, sizeof(rt), 1, fp) == 1) { - char name[sizeof(rt.login) + 1]; - - if (rt.type != P_LOGIN) continue; /* hide logout sessions */ - - /* - * We don't show shell users if we are - * fingerd, as we have done that above. - */ - if (hideshell && !strchr("PCS", rt.proto)) - continue; - - /* - * Print out sessions only for the given user. - */ - if (user) { /* only for a particular user */ - if (((user_cmp == 0) && - (strncasecmp(rt.login, user, strlen(user)) != 0)) || - ((user_cmp == 1) && - (strncmp(rt.login, user, strlen(user)) != 0))) { - continue; - } - } - - /* - * Print out only for the given NAS port. - */ - if (~nas_port != 0) { - if (rt.nas_port != nas_port) continue; - } - - /* - * Print out only for the given NAS IP address - */ - if (nas_ip_address != INADDR_NONE) { - if (rt.nas_address != nas_ip_address) continue; - } - - memcpy(session_id, rt.session_id, sizeof(rt.session_id)); - session_id[sizeof(rt.session_id)] = 0; - - if (!rawoutput && rt.nas_port > (showname ? 999 : 99999)) { - portind = ">"; - portno = (showname ? 
999 : 99999); - } else { - portind = "S"; - portno = rt.nas_port; - } - - /* - * Print output as RADIUS attributes - */ - if (radiusoutput) { - memcpy(nasname, rt.login, sizeof(rt.login)); - nasname[sizeof(rt.login)] = '\0'; - - fr_snprint(buffer, sizeof(buffer), nasname, -1, '"'); - printf("User-Name = \"%s\"\n", buffer); - - fr_snprint(buffer, sizeof(buffer), session_id, -1, '"'); - printf("Acct-Session-Id = \"%s\"\n", buffer); - - if (zap) printf("Acct-Status-Type = ::Stop\n"); - - printf("NAS-IP-Address = %s\n", - hostname(buffer, sizeof(buffer), - rt.nas_address)); - printf("NAS-Port = %u\n", rt.nas_port); - - switch (rt.proto) { - case 'S': - printf("Service-Type = ::Framed-User\n"); - printf("Framed-Protocol = ::SLIP\n"); - break; - - case 'P': - printf("Service-Type = ::Framed-User\n"); - printf("Framed-Protocol = ::PPP\n"); - break; - - default: - printf("Service-type = ::Login-User\n"); - break; - } - if (rt.framed_address != INADDR_NONE) { - printf("Framed-IP-Address = %s\n", - hostname(buffer, sizeof(buffer), - rt.framed_address)); - } - - /* - * Some sanity checks on the time - */ - if ((rt.time <= now) && - (now - rt.time) <= (86400 * 365)) { - printf("Acct-Session-Time = %" PRId64 "\n", (int64_t) (now - rt.time)); - } - - if (rt.caller_id[0] != '\0') { - memcpy(nasname, rt.caller_id, - sizeof(rt.caller_id)); - nasname[sizeof(rt.caller_id)] = '\0'; - - fr_snprint(buffer, sizeof(buffer), nasname, -1, '"'); - printf("Calling-Station-Id = \"%s\"\n", buffer); - } - - printf("\n"); /* separate entries with a blank line */ - continue; - } - - /* - * Show the fill name, or not. - */ - memcpy(name, rt.login, sizeof(rt.login)); - name[sizeof(rt.login)] = '\0'; - - if (showname) { - if (rawoutput == 0) { - printf("%-10.10s %-17.17s %-5.5s %s%-3u %-9.9s %-15.15s %-.19s%s", - name, - showcid ? rt.caller_id : - (showsid? 
session_id : fullname(rt.login)), - proto(rt.proto, rt.porttype), - portind, portno, - dotime(rt.time), - hostname(nasname, sizeof(nasname), rt.nas_address), - hostname(othername, sizeof(othername), rt.framed_address), eol); - } else { - printf("%s,%s,%s,%s%u,%s,%s,%s%s", - name, - showcid ? rt.caller_id : - (showsid? session_id : fullname(rt.login)), - proto(rt.proto, rt.porttype), - portind, portno, - dotime(rt.time), - hostname(nasname, sizeof(nasname), rt.nas_address), - hostname(othername, sizeof(othername), rt.framed_address), eol); - } - } else { - if (rawoutput == 0) { - printf("%-10.10s %s%-5u %-6.6s %-13.13s %-15.15s %-.28s%s", - name, - portind, portno, - proto(rt.proto, rt.porttype), - dotime(rt.time), - hostname(nasname, sizeof(nasname), rt.nas_address), - hostname(othername, sizeof(othername), rt.framed_address), - eol); - } else { - printf("%s,%s%u,%s,%s,%s,%s%s", - name, - portind, portno, - proto(rt.proto, rt.porttype), - dotime(rt.time), - hostname(nasname, sizeof(nasname), rt.nas_address), - hostname(othername, sizeof(othername), rt.framed_address), - eol); - } - } - } - fclose(fp); - - main_config_free(&config); - - fr_dict_free(&dict, __FILE__); - - /* - * Ensure our atexit handlers run before any other - * atexit handlers registered by third party libraries. - */ - fr_atexit_global_trigger_all(); - - return ret; -} diff --git a/src/bin/radwho.mk b/src/bin/radwho.mk deleted file mode 100644 index 089cfe55cbc..00000000000 --- a/src/bin/radwho.mk +++ /dev/null @@ -1,5 +0,0 @@ -TARGET := radwho$(E) -SOURCES := radwho.c - -TGT_PREREQS := $(LIBFREERADIUS_SERVER) -TGT_LDLIBS := $(LIBS) diff --git a/src/bin/radzap b/src/bin/radzap deleted file mode 100755 index f05f2533336..00000000000 --- a/src/bin/radzap +++ /dev/null 
@@ -1,54 +0,0 @@
-#!/bin/sh
-#
-# $Id$
-#
-
-usage() {
- echo "Usage: radzap [options] server[:port] secret" >&2
- echo " -h Print usage help information."
- echo " -d raddb_directory: directory where radiusd.conf is located."
- echo " -D dict_directory: directory where the dictionaries are located."
- echo " -N nas_ip_address: IP address of the NAS to zap."
- echo " -P nas_port: NAS port that the user is logged into."
- echo " -u username: Name of user to zap (case insensitive)."
- echo " -U username: like -u, but case-sensitive."
- echo " -x Enable debugging output."
- exit ${1:-0}
-}
-
-while test "$#" != "0"
-do
- case $1 in
- -h) usage;;
-
- -d) OPTS="$OPTS -d $2";shift;shift;;
-
- -D) OPTS="$OPTS -D $2";shift;shift;;
-
- -N) NAS_IP_ADDR="-N $2";shift;shift;;
-
- -P) NAS_PORT="-P $2";shift;shift;;
-
- -u) USER_NAME="-u $2";shift;shift;;
-
- -U) USER_NAME="-U $2";shift;shift;;
-
- -x) DEBUG="-x";shift;;
-
- *) break;;
-
- esac
-done
-
-if test "$#" != "2"; then
- usage 1 >&2
-fi
-
-
-SERVER=$1
-SECRET=$2
-
-#
-# Radzap is now a wrapper around radwho & radclient.
-#
-radwho -ZR $OPTS $NAS_IP_ADDR $NAS_PORT $USER_NAME | radclient $DEBUG $OPTS -f - $SERVER acct $SECRET
diff --git a/src/bin/radzap.mk b/src/bin/radzap.mk
deleted file mode 100644
index f64db2165b0..00000000000
--- a/src/bin/radzap.mk
+++ /dev/null
@@ -1,5 +0,0 @@
-install: $(R)$(bindir)/radzap
-
-$(R)$(bindir)/radzap: src/bin/radzap | $(R)$(bindir)
- @echo INSTALL $(notdir $<)
- @$(INSTALL) -m 755 $< $(R)$(bindir)
diff --git a/src/lib/server/.gitignore b/src/lib/server/.gitignore
index 5527d605359..0d98bbac149 100644
--- a/src/lib/server/.gitignore
+++ b/src/lib/server/.gitignore
@@ -3,10 +3,7 @@ radsniff.mk
 checkrad
 radclient
 radiusd
-radlast
 radtest
 radsniff
-radwho
 radmin
-radconf2xml
 dhclient
diff --git a/src/lib/server/radutmp.h b/src/lib/server/radutmp.h
deleted file mode 100644
index 3eafb379528..00000000000
--- a/src/lib/server/radutmp.h
+++ /dev/null
@@ -1,79 +0,0 @@
-#pragma once
-/*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
- */
-
-/**
- * $Id$
- *
- * @file lib/server/radutmp.h
- * @brief Definitions for session tracking with a 'UTMP' file
- *
- * @copyright 2015 The FreeRADIUS server project
- */
-RCSIDH(radutmp_h, "$Id$")
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * Types of connection.
- */
-#ifndef P_UNKNOWN
-# define P_UNKNOWN 0
-# define P_LOCAL 'L'
-# define P_RLOGIN 'R'
-# define P_SLIP 'S'
-# define P_CSLIP 'C'
-# define P_PPP 'P'
-# define P_AUTOPPP 'A'
-# define P_TELNET 'E'
-# define P_TCPCLEAR 'T'
-# define P_TCPLOGIN 'U'
-# define P_CONSOLE '!'
-# define P_SHELL 'X'
-#endif
-
-#define P_IDLE 0
-#define P_LOGIN 1
-
-struct radutmp {
- char login[32]; /* Loginname */
- /* FIXME: extend to 48 or 64 bytes */
- unsigned int nas_port; /* Port on the terminal server (32 bits). */
- char session_id[8]; /* Radius session ID (first 8 bytes at least)*/
- /* FIXME: extend to 16 or 32 bytes */
- unsigned int nas_address; /* IP of portmaster. */
- unsigned int framed_address; /* SLIP/PPP address or login-host. */
- int proto; /* Protocol. */
- time_t time; /* Time entry was last updated. 
*/
- time_t delay; /* Delay time of request */
- int type; /* Type of entry (login/logout) */
- char porttype; /* Porttype (I=ISDN A=Async T=Async-ISDN */
- char res1,res2,res3; /* Fills up to one int */
- char caller_id[16]; /* Calling-Station-ID */
- char reserved[12]; /* 3 ints reserved */
-};
-
-/*
- * Take the size of the structure from the actual structure definition.
- */
-#define RUT_NAMESIZE sizeof(((struct radutmp *) NULL)->login)
-#define RUT_SESSSIZE sizeof(((struct radutmp *) NULL)->session_id)
-
-#ifdef __cplusplus
-}
-#endif
diff --git a/src/lib/util/conf.h b/src/lib/util/conf.h
index 404e94fce1b..eb56176dae8 100644
--- a/src/lib/util/conf.h
+++ b/src/lib/util/conf.h
@@ -9,8 +9,3 @@
 #define RADIUS_CLIENTS "clients"
 #define RADIUS_NASLIST "naslist"
 #define RADIUS_REALMS "realms"
-
-#define RADUTMP LOGDIR "/radutmp"
-#define SRADUTMP LOGDIR "/sradutmp"
-#define RADWTMP LOGDIR "/radwtmp"
-#define SRADWTMP LOGDIR "/sradwtmp"
diff --git a/src/modules/rlm_radutmp/.gitignore b/src/modules/rlm_radutmp/.gitignore
deleted file mode 100644
index e93697306ee..00000000000
--- a/src/modules/rlm_radutmp/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-config.h
-all.mk
diff --git a/src/modules/rlm_radutmp/README.md b/src/modules/rlm_radutmp/README.md
deleted file mode 100644
index a91246ad3ae..00000000000
--- a/src/modules/rlm_radutmp/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# rlm_radutmp
-## Metadata
-
-
category
datastore
-
-
-## Summary
-Writes a utmp style file that lists the users who are logged in. The file is used mainly for Simultaneous-Use checking
-and by radwho to see who has current sessions.
diff --git a/src/modules/rlm_radutmp/all.mk.in b/src/modules/rlm_radutmp/all.mk.in
deleted file mode 100644
index adfeba7d8d1..00000000000
--- a/src/modules/rlm_radutmp/all.mk.in
+++ /dev/null
@@ -1,11 +0,0 @@
-TARGETNAME := @targetname@
-
-ifneq "$(TARGETNAME)" ""
-TARGET := $(TARGETNAME)$(L)
-endif
-
-SOURCES := $(TARGETNAME).c
-
-SRC_CFLAGS := @mod_cflags@
-TGT_LDLIBS := @mod_ldflags@
-LOG_ID_LIB = 40
diff --git a/src/modules/rlm_radutmp/config.h.in b/src/modules/rlm_radutmp/config.h.in
deleted file mode 100644
index ef5f2fd31b0..00000000000
--- a/src/modules/rlm_radutmp/config.h.in
+++ /dev/null
@@ -1,34 +0,0 @@
-/* config.h.in. Generated from configure.ac by autoheader. */
-
-/* Define to 1 if you have the header file. */
-#undef HAVE_INTTYPES_H
-
-/* Define to 1 if you have the header file. */
-#undef HAVE_MEMORY_H
-
-/* Define to 1 if you have the header file. */
-#undef HAVE_STDINT_H
-
-/* Define to 1 if you have the header file. */
-#undef HAVE_STDLIB_H
-
-/* Define to 1 if you have the header file. */
-#undef HAVE_STRINGS_H
-
-/* Define to 1 if you have the header file. */
-#undef HAVE_STRING_H
-
-/* Define to 1 if you have the header file. */
-#undef HAVE_SYS_MMAN_H
-
-/* Define to 1 if you have the header file. */
-#undef HAVE_SYS_STAT_H
-
-/* Define to 1 if you have the header file. */
-#undef HAVE_SYS_TYPES_H
-
-/* Define to 1 if you have the header file. */
-#undef HAVE_UNISTD_H
-
-/* Define to 1 if you have the ANSI C header files. */
-#undef STDC_HEADERS
diff --git a/src/modules/rlm_radutmp/configure b/src/modules/rlm_radutmp/configure
deleted file mode 100755
index 1e8a627455a..00000000000
--- a/src/modules/rlm_radutmp/configure
+++ /dev/null
@@ -1,4557 +0,0 @@ -#! /bin/sh -# From configure.ac Revision. -# Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71. -# -# -# Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, -# Inc. -# -# -# This configure script is free software; the Free Software Foundation -# gives unlimited permission to copy, distribute and modify it. -## -------------------- ## -## M4sh Initialization. ## -## -------------------- ## - -# Be more Bourne compatible -DUALCASE=1; export DUALCASE # for MKS sh -as_nop=: -if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 -then : - emulate sh - NULLCMD=: - # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. - alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST -else $as_nop - case `(set -o) 2>/dev/null` in #( - *posix*) : - set -o posix ;; #( - *) : - ;; -esac -fi - - - -# Reset variables that may have inherited troublesome values from -# the environment. - -# IFS needs to be set, to space, tab, and newline, in precisely that order. -# (If _AS_PATH_WALK were called with IFS unset, it would have the -# side effect of setting IFS to empty, thus disabling word splitting.) -# Quoting is to prevent editors from complaining about space-tab. -as_nl=' -' -export as_nl -IFS=" "" $as_nl" - -PS1='$ ' -PS2='> ' -PS4='+ ' - -# Ensure predictable behavior from utilities with locale-dependent output. -LC_ALL=C -export LC_ALL -LANGUAGE=C -export LANGUAGE - -# We cannot yet rely on "unset" to work, but we need these variables -# to be unset--not just set to an empty or harmless value--now, to -# avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct -# also avoids known problems related to "unset" and subshell syntax -# in other old shells (e.g. bash 2.01 and pdksh 5.2.14). 
-for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH -do eval test \${$as_var+y} \ - && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : -done - -# Ensure that fds 0, 1, and 2 are open. -if (exec 3>&0) 2>/dev/null; then :; else exec 0&1) 2>/dev/null; then :; else exec 1>/dev/null; fi -if (exec 3>&2) ; then :; else exec 2>/dev/null; fi - -# The user is always right. -if ${PATH_SEPARATOR+false} :; then - PATH_SEPARATOR=: - (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { - (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || - PATH_SEPARATOR=';' - } -fi - - -# Find who we are. Look in the path if we contain no directory separator. -as_myself= -case $0 in #(( - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - test -r "$as_dir$0" && as_myself=$as_dir$0 && break - done -IFS=$as_save_IFS - - ;; -esac -# We did not find ourselves, most probably we were run as `sh COMMAND' -# in which case we are not to be found in the path. -if test "x$as_myself" = x; then - as_myself=$0 -fi -if test ! -f "$as_myself"; then - printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 - exit 1 -fi - - -# Use a proper internal environment variable to ensure we don't fall - # into an infinite loop, continuously re-executing ourselves. - if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then - _as_can_reexec=no; export _as_can_reexec; - # We cannot yet assume a decent shell, so we have to provide a -# neutralization value for shells without unset; and this also -# works around shells that cannot unset nonexistent variables. -# Preserve -v and -x to the replacement shell. 
-BASH_ENV=/dev/null -ENV=/dev/null -(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -case $- in # (((( - *v*x* | *x*v* ) as_opts=-vx ;; - *v* ) as_opts=-v ;; - *x* ) as_opts=-x ;; - * ) as_opts= ;; -esac -exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} -# Admittedly, this is quite paranoid, since all the known shells bail -# out after a failed `exec'. -printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 -exit 255 - fi - # We don't want this to propagate to other subprocesses. - { _as_can_reexec=; unset _as_can_reexec;} -if test "x$CONFIG_SHELL" = x; then - as_bourne_compatible="as_nop=: -if test \${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 -then : - emulate sh - NULLCMD=: - # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which - # is contrary to our usage. Disable this feature. - alias -g '\${1+\"\$@\"}'='\"\$@\"' - setopt NO_GLOB_SUBST -else \$as_nop - case \`(set -o) 2>/dev/null\` in #( - *posix*) : - set -o posix ;; #( - *) : - ;; -esac -fi -" - as_required="as_fn_return () { (exit \$1); } -as_fn_success () { as_fn_return 0; } -as_fn_failure () { as_fn_return 1; } -as_fn_ret_success () { return 0; } -as_fn_ret_failure () { return 1; } - -exitcode=0 -as_fn_success || { exitcode=1; echo as_fn_success failed.; } -as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } -as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } -as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } -if ( set x; as_fn_ret_success y && test x = \"\$1\" ) -then : - -else \$as_nop - exitcode=1; echo positional parameters were not saved. 
-fi -test x\$exitcode = x0 || exit 1 -blah=\$(echo \$(echo blah)) -test x\"\$blah\" = xblah || exit 1 -test -x / || exit 1" - as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO - as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO - eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && - test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1" - if (eval "$as_required") 2>/dev/null -then : - as_have_required=yes -else $as_nop - as_have_required=no -fi - if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null -then : - -else $as_nop - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -as_found=false -for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - as_found=: - case $as_dir in #( - /*) - for as_base in sh bash ksh sh5; do - # Try only shells that exist, to save several forks. - as_shell=$as_dir$as_base - if { test -f "$as_shell" || test -f "$as_shell.exe"; } && - as_run=a "$as_shell" -c "$as_bourne_compatible""$as_required" 2>/dev/null -then : - CONFIG_SHELL=$as_shell as_have_required=yes - if as_run=a "$as_shell" -c "$as_bourne_compatible""$as_suggested" 2>/dev/null -then : - break 2 -fi -fi - done;; - esac - as_found=false -done -IFS=$as_save_IFS -if $as_found -then : - -else $as_nop - if { test -f "$SHELL" || test -f "$SHELL.exe"; } && - as_run=a "$SHELL" -c "$as_bourne_compatible""$as_required" 2>/dev/null -then : - CONFIG_SHELL=$SHELL as_have_required=yes -fi -fi - - - if test "x$CONFIG_SHELL" != x -then : - export CONFIG_SHELL - # We cannot yet assume a decent shell, so we have to provide a -# neutralization value for shells without unset; and this also -# works around shells that cannot unset nonexistent variables. -# Preserve -v and -x to the replacement shell. 
-BASH_ENV=/dev/null -ENV=/dev/null -(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -case $- in # (((( - *v*x* | *x*v* ) as_opts=-vx ;; - *v* ) as_opts=-v ;; - *x* ) as_opts=-x ;; - * ) as_opts= ;; -esac -exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} -# Admittedly, this is quite paranoid, since all the known shells bail -# out after a failed `exec'. -printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 -exit 255 -fi - - if test x$as_have_required = xno -then : - printf "%s\n" "$0: This script requires a shell more modern than all" - printf "%s\n" "$0: the shells that I found on your system." - if test ${ZSH_VERSION+y} ; then - printf "%s\n" "$0: In particular, zsh $ZSH_VERSION has bugs and should" - printf "%s\n" "$0: be upgraded to zsh 4.3.4 or later." - else - printf "%s\n" "$0: Please tell bug-autoconf@gnu.org about your system, -$0: including any error possibly output before this -$0: message. Then install a modern shell, or manually run -$0: the script under such a shell if you do have one." - fi - exit 1 -fi -fi -fi -SHELL=${CONFIG_SHELL-/bin/sh} -export SHELL -# Unset more variables known to interfere with behavior of common tools. -CLICOLOR_FORCE= GREP_OPTIONS= -unset CLICOLOR_FORCE GREP_OPTIONS - -## --------------------- ## -## M4sh Shell Functions. ## -## --------------------- ## -# as_fn_unset VAR -# --------------- -# Portably unset VAR. -as_fn_unset () -{ - { eval $1=; unset $1;} -} -as_unset=as_fn_unset - - -# as_fn_set_status STATUS -# ----------------------- -# Set $? to STATUS, without forking. -as_fn_set_status () -{ - return $1 -} # as_fn_set_status - -# as_fn_exit STATUS -# ----------------- -# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. -as_fn_exit () -{ - set +e - as_fn_set_status $1 - exit $1 -} # as_fn_exit -# as_fn_nop -# --------- -# Do nothing but, unlike ":", preserve the value of $?. -as_fn_nop () -{ - return $? 
-} -as_nop=as_fn_nop - -# as_fn_mkdir_p -# ------------- -# Create "$as_dir" as a directory, including parents if necessary. -as_fn_mkdir_p () -{ - - case $as_dir in #( - -*) as_dir=./$as_dir;; - esac - test -d "$as_dir" || eval $as_mkdir_p || { - as_dirs= - while :; do - case $as_dir in #( - *\'*) as_qdir=`printf "%s\n" "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( - *) as_qdir=$as_dir;; - esac - as_dirs="'$as_qdir' $as_dirs" - as_dir=`$as_dirname -- "$as_dir" || -$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_dir" : 'X\(//\)[^/]' \| \ - X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -printf "%s\n" X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - test -d "$as_dir" && break - done - test -z "$as_dirs" || eval "mkdir $as_dirs" - } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" - - -} # as_fn_mkdir_p - -# as_fn_executable_p FILE -# ----------------------- -# Test if FILE is an executable regular file. -as_fn_executable_p () -{ - test -f "$1" && test -x "$1" -} # as_fn_executable_p -# as_fn_append VAR VALUE -# ---------------------- -# Append the text in VALUE to the end of the definition contained in VAR. Take -# advantage of any shell optimizations that allow amortized linear growth over -# repeated appends, instead of the typical quadratic growth present in naive -# implementations. -if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null -then : - eval 'as_fn_append () - { - eval $1+=\$2 - }' -else $as_nop - as_fn_append () - { - eval $1=\$$1\$2 - } -fi # as_fn_append - -# as_fn_arith ARG... -# ------------------ -# Perform arithmetic evaluation on the ARGs, and store the result in the -# global $as_val. Take advantage of shells that can avoid forks. The arguments -# must be portable across $(()) and expr. 
-if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null -then : - eval 'as_fn_arith () - { - as_val=$(( $* )) - }' -else $as_nop - as_fn_arith () - { - as_val=`expr "$@" || test $? -eq 1` - } -fi # as_fn_arith - -# as_fn_nop -# --------- -# Do nothing but, unlike ":", preserve the value of $?. -as_fn_nop () -{ - return $? -} -as_nop=as_fn_nop - -# as_fn_error STATUS ERROR [LINENO LOG_FD] -# ---------------------------------------- -# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are -# provided, also output the error to LOG_FD, referencing LINENO. Then exit the -# script with STATUS, using 1 if that was 0. -as_fn_error () -{ - as_status=$1; test $as_status -eq 0 && as_status=1 - if test "$4"; then - as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 - fi - printf "%s\n" "$as_me: error: $2" >&2 - as_fn_exit $as_status -} # as_fn_error - -if expr a : '\(a\)' >/dev/null 2>&1 && - test "X`expr 00001 : '.*\(...\)'`" = X001; then - as_expr=expr -else - as_expr=false -fi - -if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then - as_basename=basename -else - as_basename=false -fi - -if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then - as_dirname=dirname -else - as_dirname=false -fi - -as_me=`$as_basename -- "$0" || -$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)' \| . 2>/dev/null || -printf "%s\n" X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ - s//\1/ - q - } - /^X\/\(\/\/\)$/{ - s//\1/ - q - } - /^X\/\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - -# Avoid depending upon Character Ranges. 
-as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits - - - as_lineno_1=$LINENO as_lineno_1a=$LINENO - as_lineno_2=$LINENO as_lineno_2a=$LINENO - eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && - test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { - # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) - sed -n ' - p - /[$]LINENO/= - ' <$as_myself | - sed ' - s/[$]LINENO.*/&-/ - t lineno - b - :lineno - N - :loop - s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ - t loop - s/-\n.*// - ' >$as_me.lineno && - chmod +x "$as_me.lineno" || - { printf "%s\n" "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } - - # If we had to re-execute with $CONFIG_SHELL, we're ensured to have - # already done that, so ensure we don't try to do so again and fall - # in an infinite loop. This has already happened in practice. - _as_can_reexec=no; export _as_can_reexec - # Don't try to exec as it changes $[0], causing all sort of problems - # (the dirname of $[0] is not the place where we might find the - # original and so on. Autoconf is especially sensitive to this). - . "./$as_me.lineno" - # Exit status is that of the last command. - exit -} - - -# Determine whether it's possible to make 'echo' print without a newline. -# These variables are no longer used directly by Autoconf, but are AC_SUBSTed -# for compatibility with existing Makefiles. -ECHO_C= ECHO_N= ECHO_T= -case `echo -n x` in #((((( --n*) - case `echo 'xy\c'` in - *c*) ECHO_T=' ';; # ECHO_T is single tab character. - xy) ECHO_C='\c';; - *) echo `echo ksh88 bug on AIX 6.1` > /dev/null - ECHO_T=' ';; - esac;; -*) - ECHO_N='-n';; -esac - -# For backward compatibility with old third-party macros, we provide -# the shell variables $as_echo and $as_echo_n. 
New code should use -# AS_ECHO(["message"]) and AS_ECHO_N(["message"]), respectively. -as_echo='printf %s\n' -as_echo_n='printf %s' - - -rm -f conf$$ conf$$.exe conf$$.file -if test -d conf$$.dir; then - rm -f conf$$.dir/conf$$.file -else - rm -f conf$$.dir - mkdir conf$$.dir 2>/dev/null -fi -if (echo >conf$$.file) 2>/dev/null; then - if ln -s conf$$.file conf$$ 2>/dev/null; then - as_ln_s='ln -s' - # ... but there are two gotchas: - # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. - # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -pR'. - ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -pR' - elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln - else - as_ln_s='cp -pR' - fi -else - as_ln_s='cp -pR' -fi -rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file -rmdir conf$$.dir 2>/dev/null - -if mkdir -p . 2>/dev/null; then - as_mkdir_p='mkdir -p "$as_dir"' -else - test -d ./-p && rmdir ./-p - as_mkdir_p=false -fi - -as_test_x='test -x' -as_executable_p=as_fn_executable_p - -# Sed expression to map a string onto a valid CPP name. -as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" - -# Sed expression to map a string onto a valid variable name. -as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" - - -test -n "$DJDIR" || exec 7<&0 &1 - -# Name of the host. -# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, -# so uname gets run too. -ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` - -# -# Initializations. -# -ac_default_prefix=/usr/local -ac_clean_files= -ac_config_libobj_dir=. -LIBOBJS= -cross_compiling=no -subdirs= -MFLAGS= -MAKEFLAGS= - -# Identity of this package. -PACKAGE_NAME='' -PACKAGE_TARNAME='' -PACKAGE_VERSION='' -PACKAGE_STRING='' -PACKAGE_BUGREPORT='' -PACKAGE_URL='' - -ac_unique_file="rlm_radutmp.c" -# Factoring default headers for most tests. 
-ac_includes_default="\ -#include -#ifdef HAVE_STDIO_H -# include -#endif -#ifdef HAVE_STDLIB_H -# include -#endif -#ifdef HAVE_STRING_H -# include -#endif -#ifdef HAVE_INTTYPES_H -# include -#endif -#ifdef HAVE_STDINT_H -# include -#endif -#ifdef HAVE_STRINGS_H -# include -#endif -#ifdef HAVE_SYS_TYPES_H -# include -#endif -#ifdef HAVE_SYS_STAT_H -# include -#endif -#ifdef HAVE_UNISTD_H -# include -#endif" - -ac_header_c_list= -ac_subst_vars='LTLIBOBJS -LIBOBJS -mod_cflags -mod_ldflags -targetname -OBJEXT -EXEEXT -ac_ct_CC -CPPFLAGS -LDFLAGS -CFLAGS -CC -target_alias -host_alias -build_alias -LIBS -ECHO_T -ECHO_N -ECHO_C -DEFS -mandir -localedir -libdir -psdir -pdfdir -dvidir -htmldir -infodir -docdir -oldincludedir -includedir -runstatedir -localstatedir -sharedstatedir -sysconfdir -datadir -datarootdir -libexecdir -sbindir -bindir -program_transform_name -prefix -exec_prefix -PACKAGE_URL -PACKAGE_BUGREPORT -PACKAGE_STRING -PACKAGE_VERSION -PACKAGE_TARNAME -PACKAGE_NAME -PATH_SEPARATOR -SHELL' -ac_subst_files='' -ac_user_opts=' -enable_option_checking -with_rlm_radutmp -' - ac_precious_vars='build_alias -host_alias -target_alias -CC -CFLAGS -LDFLAGS -LIBS -CPPFLAGS' - - -# Initialize some variables set by options. -ac_init_help= -ac_init_version=false -ac_unrecognized_opts= -ac_unrecognized_sep= -# The variables have the same names as the options, with -# dashes changed to underlines. -cache_file=/dev/null -exec_prefix=NONE -no_create= -no_recursion= -prefix=NONE -program_prefix=NONE -program_suffix=NONE -program_transform_name=s,x,x, -silent= -site= -srcdir= -verbose= -x_includes=NONE -x_libraries=NONE - -# Installation directory options. -# These are left unexpanded so users can "make install exec_prefix=/foo" -# and all the variables that are supposed to be based on exec_prefix -# by default will actually change. -# Use braces instead of parens because sh, perl, etc. also accept them. -# (The list follows the same order as the GNU Coding Standards.) 
-bindir='${exec_prefix}/bin' -sbindir='${exec_prefix}/sbin' -libexecdir='${exec_prefix}/libexec' -datarootdir='${prefix}/share' -datadir='${datarootdir}' -sysconfdir='${prefix}/etc' -sharedstatedir='${prefix}/com' -localstatedir='${prefix}/var' -runstatedir='${localstatedir}/run' -includedir='${prefix}/include' -oldincludedir='/usr/include' -docdir='${datarootdir}/doc/${PACKAGE}' -infodir='${datarootdir}/info' -htmldir='${docdir}' -dvidir='${docdir}' -pdfdir='${docdir}' -psdir='${docdir}' -libdir='${exec_prefix}/lib' -localedir='${datarootdir}/locale' -mandir='${datarootdir}/man' - -ac_prev= -ac_dashdash= -for ac_option -do - # If the previous option needs an argument, assign it. - if test -n "$ac_prev"; then - eval $ac_prev=\$ac_option - ac_prev= - continue - fi - - case $ac_option in - *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; - *=) ac_optarg= ;; - *) ac_optarg=yes ;; - esac - - case $ac_dashdash$ac_option in - --) - ac_dashdash=yes ;; - - -bindir | --bindir | --bindi | --bind | --bin | --bi) - ac_prev=bindir ;; - -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) - bindir=$ac_optarg ;; - - -build | --build | --buil | --bui | --bu) - ac_prev=build_alias ;; - -build=* | --build=* | --buil=* | --bui=* | --bu=*) - build_alias=$ac_optarg ;; - - -cache-file | --cache-file | --cache-fil | --cache-fi \ - | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) - ac_prev=cache_file ;; - -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ - | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) - cache_file=$ac_optarg ;; - - --config-cache | -C) - cache_file=config.cache ;; - - -datadir | --datadir | --datadi | --datad) - ac_prev=datadir ;; - -datadir=* | --datadir=* | --datadi=* | --datad=*) - datadir=$ac_optarg ;; - - -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ - | --dataroo | --dataro | --datar) - ac_prev=datarootdir ;; - -datarootdir=* | --datarootdir=* | 
--datarootdi=* | --datarootd=* \ - | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) - datarootdir=$ac_optarg ;; - - -disable-* | --disable-*) - ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` - # Reject names that are not valid shell variable names. - expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid feature name: \`$ac_useropt'" - ac_useropt_orig=$ac_useropt - ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` - case $ac_user_opts in - *" -"enable_$ac_useropt" -"*) ;; - *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" - ac_unrecognized_sep=', ';; - esac - eval enable_$ac_useropt=no ;; - - -docdir | --docdir | --docdi | --doc | --do) - ac_prev=docdir ;; - -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) - docdir=$ac_optarg ;; - - -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) - ac_prev=dvidir ;; - -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) - dvidir=$ac_optarg ;; - - -enable-* | --enable-*) - ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` - # Reject names that are not valid shell variable names. - expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? 
"invalid feature name: \`$ac_useropt'" - ac_useropt_orig=$ac_useropt - ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` - case $ac_user_opts in - *" -"enable_$ac_useropt" -"*) ;; - *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" - ac_unrecognized_sep=', ';; - esac - eval enable_$ac_useropt=\$ac_optarg ;; - - -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ - | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ - | --exec | --exe | --ex) - ac_prev=exec_prefix ;; - -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ - | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ - | --exec=* | --exe=* | --ex=*) - exec_prefix=$ac_optarg ;; - - -gas | --gas | --ga | --g) - # Obsolete; use --with-gas. - with_gas=yes ;; - - -help | --help | --hel | --he | -h) - ac_init_help=long ;; - -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) - ac_init_help=recursive ;; - -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) - ac_init_help=short ;; - - -host | --host | --hos | --ho) - ac_prev=host_alias ;; - -host=* | --host=* | --hos=* | --ho=*) - host_alias=$ac_optarg ;; - - -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) - ac_prev=htmldir ;; - -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ - | --ht=*) - htmldir=$ac_optarg ;; - - -includedir | --includedir | --includedi | --included | --include \ - | --includ | --inclu | --incl | --inc) - ac_prev=includedir ;; - -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ - | --includ=* | --inclu=* | --incl=* | --inc=*) - includedir=$ac_optarg ;; - - -infodir | --infodir | --infodi | --infod | --info | --inf) - ac_prev=infodir ;; - -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) - infodir=$ac_optarg ;; - - -libdir | --libdir | --libdi | --libd) - ac_prev=libdir ;; - -libdir=* | --libdir=* | --libdi=* | --libd=*) - libdir=$ac_optarg ;; - - 
-libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ - | --libexe | --libex | --libe) - ac_prev=libexecdir ;; - -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ - | --libexe=* | --libex=* | --libe=*) - libexecdir=$ac_optarg ;; - - -localedir | --localedir | --localedi | --localed | --locale) - ac_prev=localedir ;; - -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) - localedir=$ac_optarg ;; - - -localstatedir | --localstatedir | --localstatedi | --localstated \ - | --localstate | --localstat | --localsta | --localst | --locals) - ac_prev=localstatedir ;; - -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ - | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) - localstatedir=$ac_optarg ;; - - -mandir | --mandir | --mandi | --mand | --man | --ma | --m) - ac_prev=mandir ;; - -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) - mandir=$ac_optarg ;; - - -nfp | --nfp | --nf) - # Obsolete; use --without-fp. 
- with_fp=no ;; - - -no-create | --no-create | --no-creat | --no-crea | --no-cre \ - | --no-cr | --no-c | -n) - no_create=yes ;; - - -no-recursion | --no-recursion | --no-recursio | --no-recursi \ - | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) - no_recursion=yes ;; - - -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ - | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ - | --oldin | --oldi | --old | --ol | --o) - ac_prev=oldincludedir ;; - -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ - | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ - | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) - oldincludedir=$ac_optarg ;; - - -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) - ac_prev=prefix ;; - -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) - prefix=$ac_optarg ;; - - -program-prefix | --program-prefix | --program-prefi | --program-pref \ - | --program-pre | --program-pr | --program-p) - ac_prev=program_prefix ;; - -program-prefix=* | --program-prefix=* | --program-prefi=* \ - | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) - program_prefix=$ac_optarg ;; - - -program-suffix | --program-suffix | --program-suffi | --program-suff \ - | --program-suf | --program-su | --program-s) - ac_prev=program_suffix ;; - -program-suffix=* | --program-suffix=* | --program-suffi=* \ - | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) - program_suffix=$ac_optarg ;; - - -program-transform-name | --program-transform-name \ - | --program-transform-nam | --program-transform-na \ - | --program-transform-n | --program-transform- \ - | --program-transform | --program-transfor \ - | --program-transfo | --program-transf \ - | --program-trans | --program-tran \ - | --progr-tra | --program-tr | --program-t) - ac_prev=program_transform_name ;; - -program-transform-name=* | --program-transform-name=* \ - | 
--program-transform-nam=* | --program-transform-na=* \ - | --program-transform-n=* | --program-transform-=* \ - | --program-transform=* | --program-transfor=* \ - | --program-transfo=* | --program-transf=* \ - | --program-trans=* | --program-tran=* \ - | --progr-tra=* | --program-tr=* | --program-t=*) - program_transform_name=$ac_optarg ;; - - -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) - ac_prev=pdfdir ;; - -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) - pdfdir=$ac_optarg ;; - - -psdir | --psdir | --psdi | --psd | --ps) - ac_prev=psdir ;; - -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) - psdir=$ac_optarg ;; - - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil) - silent=yes ;; - - -runstatedir | --runstatedir | --runstatedi | --runstated \ - | --runstate | --runstat | --runsta | --runst | --runs \ - | --run | --ru | --r) - ac_prev=runstatedir ;; - -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ - | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ - | --run=* | --ru=* | --r=*) - runstatedir=$ac_optarg ;; - - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) - ac_prev=sbindir ;; - -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ - | --sbi=* | --sb=*) - sbindir=$ac_optarg ;; - - -sharedstatedir | --sharedstatedir | --sharedstatedi \ - | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ - | --sharedst | --shareds | --shared | --share | --shar \ - | --sha | --sh) - ac_prev=sharedstatedir ;; - -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ - | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ - | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ - | --sha=* | --sh=*) - sharedstatedir=$ac_optarg ;; - - -site | --site | --sit) - ac_prev=site ;; - -site=* | --site=* | --sit=*) - site=$ac_optarg ;; - - -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) - 
ac_prev=srcdir ;; - -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) - srcdir=$ac_optarg ;; - - -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ - | --syscon | --sysco | --sysc | --sys | --sy) - ac_prev=sysconfdir ;; - -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ - | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) - sysconfdir=$ac_optarg ;; - - -target | --target | --targe | --targ | --tar | --ta | --t) - ac_prev=target_alias ;; - -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) - target_alias=$ac_optarg ;; - - -v | -verbose | --verbose | --verbos | --verbo | --verb) - verbose=yes ;; - - -version | --version | --versio | --versi | --vers | -V) - ac_init_version=: ;; - - -with-* | --with-*) - ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` - # Reject names that are not valid shell variable names. - expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid package name: \`$ac_useropt'" - ac_useropt_orig=$ac_useropt - ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` - case $ac_user_opts in - *" -"with_$ac_useropt" -"*) ;; - *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" - ac_unrecognized_sep=', ';; - esac - eval with_$ac_useropt=\$ac_optarg ;; - - -without-* | --without-*) - ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` - # Reject names that are not valid shell variable names. - expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid package name: \`$ac_useropt'" - ac_useropt_orig=$ac_useropt - ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` - case $ac_user_opts in - *" -"with_$ac_useropt" -"*) ;; - *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" - ac_unrecognized_sep=', ';; - esac - eval with_$ac_useropt=no ;; - - --x) - # Obsolete; use --with-x. 
- with_x=yes ;; - - -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ - | --x-incl | --x-inc | --x-in | --x-i) - ac_prev=x_includes ;; - -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ - | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) - x_includes=$ac_optarg ;; - - -x-libraries | --x-libraries | --x-librarie | --x-librari \ - | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) - ac_prev=x_libraries ;; - -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ - | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) - x_libraries=$ac_optarg ;; - - -*) as_fn_error $? "unrecognized option: \`$ac_option' -Try \`$0 --help' for more information" - ;; - - *=*) - ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` - # Reject names that are not valid shell variable names. - case $ac_envvar in #( - '' | [0-9]* | *[!_$as_cr_alnum]* ) - as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; - esac - eval $ac_envvar=\$ac_optarg - export $ac_envvar ;; - - *) - # FIXME: should be removed in autoconf 3.0. - printf "%s\n" "$as_me: WARNING: you should use --build, --host, --target" >&2 - expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && - printf "%s\n" "$as_me: WARNING: invalid host type: $ac_option" >&2 - : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" - ;; - - esac -done - -if test -n "$ac_prev"; then - ac_option=--`echo $ac_prev | sed 's/_/-/g'` - as_fn_error $? "missing argument to $ac_option" -fi - -if test -n "$ac_unrecognized_opts"; then - case $enable_option_checking in - no) ;; - fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; - *) printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; - esac -fi - -# Check all directory arguments for consistency. 
-for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ - datadir sysconfdir sharedstatedir localstatedir includedir \ - oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir runstatedir -do - eval ac_val=\$$ac_var - # Remove trailing slashes. - case $ac_val in - */ ) - ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` - eval $ac_var=\$ac_val;; - esac - # Be sure to have absolute directory names. - case $ac_val in - [\\/$]* | ?:[\\/]* ) continue;; - NONE | '' ) case $ac_var in *prefix ) continue;; esac;; - esac - as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" -done - -# There might be people who depend on the old broken behavior: `$host' -# used to hold the argument of --host etc. -# FIXME: To remove some day. -build=$build_alias -host=$host_alias -target=$target_alias - -# FIXME: To remove some day. -if test "x$host_alias" != x; then - if test "x$build_alias" = x; then - cross_compiling=maybe - elif test "x$build_alias" != "x$host_alias"; then - cross_compiling=yes - fi -fi - -ac_tool_prefix= -test -n "$host_alias" && ac_tool_prefix=$host_alias- - -test "$silent" = yes && exec 6>/dev/null - - -ac_pwd=`pwd` && test -n "$ac_pwd" && -ac_ls_di=`ls -di .` && -ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || - as_fn_error $? "working directory cannot be determined" -test "X$ac_ls_di" = "X$ac_pwd_ls_di" || - as_fn_error $? "pwd does not report name of working directory" - - -# Find the source files, if location was not specified. -if test -z "$srcdir"; then - ac_srcdir_defaulted=yes - # Try the directory containing this script, then the parent directory. - ac_confdir=`$as_dirname -- "$as_myself" || -$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_myself" : 'X\(//\)[^/]' \| \ - X"$as_myself" : 'X\(//\)$' \| \ - X"$as_myself" : 'X\(/\)' \| . 
2>/dev/null || -printf "%s\n" X"$as_myself" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - srcdir=$ac_confdir - if test ! -r "$srcdir/$ac_unique_file"; then - srcdir=.. - fi -else - ac_srcdir_defaulted=no -fi -if test ! -r "$srcdir/$ac_unique_file"; then - test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." - as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" -fi -ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" -ac_abs_confdir=`( - cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" - pwd)` -# When building in place, set srcdir=. -if test "$ac_abs_confdir" = "$ac_pwd"; then - srcdir=. -fi -# Remove unnecessary trailing slashes from srcdir. -# Double slashes in file names in object file debugging info -# mess up M-x gdb in Emacs. -case $srcdir in -*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; -esac -for ac_var in $ac_precious_vars; do - eval ac_env_${ac_var}_set=\${${ac_var}+set} - eval ac_env_${ac_var}_value=\$${ac_var} - eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} - eval ac_cv_env_${ac_var}_value=\$${ac_var} -done - -# -# Report the --help message. -# -if test "$ac_init_help" = "long"; then - # Omit some internal or obsolete options to make the list less imposing. - # This message is too long to be a string in the A/UX 3.1 sh. - cat <<_ACEOF -\`configure' configures this package to adapt to many kinds of systems. - -Usage: $0 [OPTION]... [VAR=VALUE]... - -To assign environment variables (e.g., CC, CFLAGS...), specify them as -VAR=VALUE. See below for descriptions of some of the useful variables. - -Defaults for the options are specified in brackets. 
- -Configuration: - -h, --help display this help and exit - --help=short display options specific to this package - --help=recursive display the short help of all the included packages - -V, --version display version information and exit - -q, --quiet, --silent do not print \`checking ...' messages - --cache-file=FILE cache test results in FILE [disabled] - -C, --config-cache alias for \`--cache-file=config.cache' - -n, --no-create do not create output files - --srcdir=DIR find the sources in DIR [configure dir or \`..'] - -Installation directories: - --prefix=PREFIX install architecture-independent files in PREFIX - [$ac_default_prefix] - --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX - [PREFIX] - -By default, \`make install' will install all the files in -\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify -an installation prefix other than \`$ac_default_prefix' using \`--prefix', -for instance \`--prefix=\$HOME'. - -For better control, use the options below. 
- -Fine tuning of the installation directories: - --bindir=DIR user executables [EPREFIX/bin] - --sbindir=DIR system admin executables [EPREFIX/sbin] - --libexecdir=DIR program executables [EPREFIX/libexec] - --sysconfdir=DIR read-only single-machine data [PREFIX/etc] - --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] - --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] - --libdir=DIR object code libraries [EPREFIX/lib] - --includedir=DIR C header files [PREFIX/include] - --oldincludedir=DIR C header files for non-gcc [/usr/include] - --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] - --datadir=DIR read-only architecture-independent data [DATAROOTDIR] - --infodir=DIR info documentation [DATAROOTDIR/info] - --localedir=DIR locale-dependent data [DATAROOTDIR/locale] - --mandir=DIR man documentation [DATAROOTDIR/man] - --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] - --htmldir=DIR html documentation [DOCDIR] - --dvidir=DIR dvi documentation [DOCDIR] - --pdfdir=DIR pdf documentation [DOCDIR] - --psdir=DIR ps documentation [DOCDIR] -_ACEOF - - cat <<\_ACEOF -_ACEOF -fi - -if test -n "$ac_init_help"; then - - cat <<\_ACEOF - -Optional Packages: - --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] - --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) - --without-rlm_radutmp build without ability to maintain utmp-style - sessions - -Some influential environment variables: - CC C compiler command - CFLAGS C compiler flags - LDFLAGS linker flags, e.g. -L if you have libraries in a - nonstandard directory - LIBS libraries to pass to the linker, e.g. -l - CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if - you have headers in a nonstandard directory - -Use these variables to override the choices made by `configure' or to help -it to find libraries and programs with nonstandard names/locations. 
- -Report bugs to the package provider. -_ACEOF -ac_status=$? -fi - -if test "$ac_init_help" = "recursive"; then - # If there are subdirs, report their specific --help. - for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue - test -d "$ac_dir" || - { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || - continue - ac_builddir=. - -case "$ac_dir" in -.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; -*) - ac_dir_suffix=/`printf "%s\n" "$ac_dir" | sed 's|^\.[\\/]||'` - # A ".." for each directory in $ac_dir_suffix. - ac_top_builddir_sub=`printf "%s\n" "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` - case $ac_top_builddir_sub in - "") ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; - esac ;; -esac -ac_abs_top_builddir=$ac_pwd -ac_abs_builddir=$ac_pwd$ac_dir_suffix -# for backward compatibility: -ac_top_builddir=$ac_top_build_prefix - -case $srcdir in - .) # We are building in place. - ac_srcdir=. - ac_top_srcdir=$ac_top_builddir_sub - ac_abs_top_srcdir=$ac_pwd ;; - [\\/]* | ?:[\\/]* ) # Absolute name. - ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir - ac_abs_top_srcdir=$srcdir ;; - *) # Relative name. - ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_build_prefix$srcdir - ac_abs_top_srcdir=$ac_pwd/$srcdir ;; -esac -ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix - - cd "$ac_dir" || { ac_status=$?; continue; } - # Check for configure.gnu first; this name is used for a wrapper for - # Metaconfig's "Configure" on case-insensitive file systems. - if test -f "$ac_srcdir/configure.gnu"; then - echo && - $SHELL "$ac_srcdir/configure.gnu" --help=recursive - elif test -f "$ac_srcdir/configure"; then - echo && - $SHELL "$ac_srcdir/configure" --help=recursive - else - printf "%s\n" "$as_me: WARNING: no configuration information is in $ac_dir" >&2 - fi || ac_status=$? 
- cd "$ac_pwd" || { ac_status=$?; break; } - done -fi - -test -n "$ac_init_help" && exit $ac_status -if $ac_init_version; then - cat <<\_ACEOF -configure -generated by GNU Autoconf 2.71 - -Copyright (C) 2021 Free Software Foundation, Inc. -This configure script is free software; the Free Software Foundation -gives unlimited permission to copy, distribute and modify it. -_ACEOF - exit -fi - -## ------------------------ ## -## Autoconf initialization. ## -## ------------------------ ## - -echo -echo Running tests for rlm_radutmp -echo - - -# ac_fn_c_try_compile LINENO -# -------------------------- -# Try to compile conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_compile () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext conftest.beam - if { { ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -printf "%s\n" "$ac_try_echo"; } >&5 - (eval "$ac_compile") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext -then : - ac_retval=0 -else $as_nop - printf "%s\n" "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_compile - -# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES -# ------------------------------------------------------- -# Tests whether HEADER exists and can be compiled using the include files in -# INCLUDES, setting the cache variable VAR accordingly. 
-ac_fn_c_check_header_compile () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -printf %s "checking for $2... " >&6; } -if eval test \${$3+y} -then : - printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -#include <$2> -_ACEOF -if ac_fn_c_try_compile "$LINENO" -then : - eval "$3=yes" -else $as_nop - eval "$3=no" -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext -fi -eval ac_res=\$$3 - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -printf "%s\n" "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - -} # ac_fn_c_check_header_compile -ac_configure_args_raw= -for ac_arg -do - case $ac_arg in - *\'*) - ac_arg=`printf "%s\n" "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; - esac - as_fn_append ac_configure_args_raw " '$ac_arg'" -done - -case $ac_configure_args_raw in - *$as_nl*) - ac_safe_unquote= ;; - *) - ac_unsafe_z='|&;<>()$`\\"*?[ '' ' # This string ends in space, tab. - ac_unsafe_a="$ac_unsafe_z#~" - ac_safe_unquote="s/ '\\([^$ac_unsafe_a][^$ac_unsafe_z]*\\)'/ \\1/g" - ac_configure_args_raw=` printf "%s\n" "$ac_configure_args_raw" | sed "$ac_safe_unquote"`;; -esac - -cat >config.log <<_ACEOF -This file contains any messages produced by compilers while -running configure, to aid debugging if configure makes a mistake. - -It was created by $as_me, which was -generated by GNU Autoconf 2.71. Invocation command line was - - $ $0$ac_configure_args_raw - -_ACEOF -exec 5>>config.log -{ -cat <<_ASUNAME -## --------- ## -## Platform. 
## -## --------- ## - -hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` -uname -m = `(uname -m) 2>/dev/null || echo unknown` -uname -r = `(uname -r) 2>/dev/null || echo unknown` -uname -s = `(uname -s) 2>/dev/null || echo unknown` -uname -v = `(uname -v) 2>/dev/null || echo unknown` - -/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` -/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` - -/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` -/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` -/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` -/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` -/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` -/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` -/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` - -_ASUNAME - -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - printf "%s\n" "PATH: $as_dir" - done -IFS=$as_save_IFS - -} >&5 - -cat >&5 <<_ACEOF - - -## ----------- ## -## Core tests. ## -## ----------- ## - -_ACEOF - - -# Keep a trace of the command line. -# Strip out --no-create and --no-recursion so they do not pile up. -# Strip out --silent because we don't want to record it for future runs. -# Also quote any args containing shell meta-characters. -# Make two passes to allow for proper duplicate-argument suppression. 
-ac_configure_args= -ac_configure_args0= -ac_configure_args1= -ac_must_keep_next=false -for ac_pass in 1 2 -do - for ac_arg - do - case $ac_arg in - -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil) - continue ;; - *\'*) - ac_arg=`printf "%s\n" "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; - esac - case $ac_pass in - 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; - 2) - as_fn_append ac_configure_args1 " '$ac_arg'" - if test $ac_must_keep_next = true; then - ac_must_keep_next=false # Got value, back to normal. - else - case $ac_arg in - *=* | --config-cache | -C | -disable-* | --disable-* \ - | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ - | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ - | -with-* | --with-* | -without-* | --without-* | --x) - case "$ac_configure_args0 " in - "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; - esac - ;; - -* ) ac_must_keep_next=true ;; - esac - fi - as_fn_append ac_configure_args " '$ac_arg'" - ;; - esac - done -done -{ ac_configure_args0=; unset ac_configure_args0;} -{ ac_configure_args1=; unset ac_configure_args1;} - -# When interrupted or exit'd, cleanup temporary files, and complete -# config.log. We remove comments because anyway the quotes in there -# would cause problems or look ugly. -# WARNING: Use '\'' to represent an apostrophe within the trap. -# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. -trap 'exit_status=$? - # Sanitize IFS. - IFS=" "" $as_nl" - # Save into config.log some information that might help in debugging. - { - echo - - printf "%s\n" "## ---------------- ## -## Cache variables. 
## -## ---------------- ##" - echo - # The following way of writing the cache mishandles newlines in values, -( - for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do - eval ac_val=\$$ac_var - case $ac_val in #( - *${as_nl}*) - case $ac_var in #( - *_cv_*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 -printf "%s\n" "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; - esac - case $ac_var in #( - _ | IFS | as_nl) ;; #( - BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( - *) { eval $ac_var=; unset $ac_var;} ;; - esac ;; - esac - done - (set) 2>&1 | - case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( - *${as_nl}ac_space=\ *) - sed -n \ - "s/'\''/'\''\\\\'\'''\''/g; - s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" - ;; #( - *) - sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" - ;; - esac | - sort -) - echo - - printf "%s\n" "## ----------------- ## -## Output variables. ## -## ----------------- ##" - echo - for ac_var in $ac_subst_vars - do - eval ac_val=\$$ac_var - case $ac_val in - *\'\''*) ac_val=`printf "%s\n" "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; - esac - printf "%s\n" "$ac_var='\''$ac_val'\''" - done | sort - echo - - if test -n "$ac_subst_files"; then - printf "%s\n" "## ------------------- ## -## File substitutions. ## -## ------------------- ##" - echo - for ac_var in $ac_subst_files - do - eval ac_val=\$$ac_var - case $ac_val in - *\'\''*) ac_val=`printf "%s\n" "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; - esac - printf "%s\n" "$ac_var='\''$ac_val'\''" - done | sort - echo - fi - - if test -s confdefs.h; then - printf "%s\n" "## ----------- ## -## confdefs.h. 
## -## ----------- ##" - echo - cat confdefs.h - echo - fi - test "$ac_signal" != 0 && - printf "%s\n" "$as_me: caught signal $ac_signal" - printf "%s\n" "$as_me: exit $exit_status" - } >&5 - rm -f core *.core core.conftest.* && - rm -f -r conftest* confdefs* conf$$* $ac_clean_files && - exit $exit_status -' 0 -for ac_signal in 1 2 13 15; do - trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal -done -ac_signal=0 - -# confdefs.h avoids OS command line length limits that DEFS can exceed. -rm -f -r conftest* confdefs.h - -printf "%s\n" "/* confdefs.h */" > confdefs.h - -# Predefined preprocessor variables. - -printf "%s\n" "#define PACKAGE_NAME \"$PACKAGE_NAME\"" >>confdefs.h - -printf "%s\n" "#define PACKAGE_TARNAME \"$PACKAGE_TARNAME\"" >>confdefs.h - -printf "%s\n" "#define PACKAGE_VERSION \"$PACKAGE_VERSION\"" >>confdefs.h - -printf "%s\n" "#define PACKAGE_STRING \"$PACKAGE_STRING\"" >>confdefs.h - -printf "%s\n" "#define PACKAGE_BUGREPORT \"$PACKAGE_BUGREPORT\"" >>confdefs.h - -printf "%s\n" "#define PACKAGE_URL \"$PACKAGE_URL\"" >>confdefs.h - - -# Let the site file select an alternate cache file if it wants to. -# Prefer an explicitly selected file to automatically selected ones. -if test -n "$CONFIG_SITE"; then - ac_site_files="$CONFIG_SITE" -elif test "x$prefix" != xNONE; then - ac_site_files="$prefix/share/config.site $prefix/etc/config.site" -else - ac_site_files="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" -fi - -for ac_site_file in $ac_site_files -do - case $ac_site_file in #( - */*) : - ;; #( - *) : - ac_site_file=./$ac_site_file ;; -esac - if test -f "$ac_site_file" && test -r "$ac_site_file"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 -printf "%s\n" "$as_me: loading site script $ac_site_file" >&6;} - sed 's/^/| /' "$ac_site_file" >&5 - . 
"$ac_site_file" \ - || { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "failed to load site script $ac_site_file -See \`config.log' for more details" "$LINENO" 5; } - fi -done - -if test -r "$cache_file"; then - # Some versions of bash will fail to source /dev/null (special files - # actually), so we avoid doing that. DJGPP emulates it as a regular file. - if test /dev/null != "$cache_file" && test -f "$cache_file"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 -printf "%s\n" "$as_me: loading cache $cache_file" >&6;} - case $cache_file in - [\\/]* | ?:[\\/]* ) . "$cache_file";; - *) . "./$cache_file";; - esac - fi -else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 -printf "%s\n" "$as_me: creating cache $cache_file" >&6;} - >$cache_file -fi - -# Test code for whether the C compiler supports C89 (global declarations) -ac_c_conftest_c89_globals=' -/* Does the compiler advertise C89 conformance? - Do not test the value of __STDC__, because some compilers set it to 0 - while being otherwise adequately conformant. */ -#if !defined __STDC__ -# error "Compiler does not advertise C89 conformance" -#endif - -#include -#include -struct stat; -/* Most of the following tests are stolen from RCS 5.7 src/conf.sh. */ -struct buf { int x; }; -struct buf * (*rcsopen) (struct buf *, struct stat *, int); -static char *e (p, i) - char **p; - int i; -{ - return p[i]; -} -static char *f (char * (*g) (char **, int), char **p, ...) -{ - char *s; - va_list v; - va_start (v,p); - s = g (p, va_arg (v,int)); - va_end (v); - return s; -} - -/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has - function prototypes and stuff, but not \xHH hex character constants. - These do not provoke an error unfortunately, instead are silently treated - as an "x". 
The following induces an error, until -std is added to get - proper ANSI mode. Curiously \x00 != x always comes out true, for an - array size at least. It is necessary to write \x00 == 0 to get something - that is true only with -std. */ -int osf4_cc_array ['\''\x00'\'' == 0 ? 1 : -1]; - -/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters - inside strings and character constants. */ -#define FOO(x) '\''x'\'' -int xlc6_cc_array[FOO(a) == '\''x'\'' ? 1 : -1]; - -int test (int i, double x); -struct s1 {int (*f) (int a);}; -struct s2 {int (*f) (double a);}; -int pairnames (int, char **, int *(*)(struct buf *, struct stat *, int), - int, int);' - -# Test code for whether the C compiler supports C89 (body of main). -ac_c_conftest_c89_main=' -ok |= (argc == 0 || f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]); -' - -# Test code for whether the C compiler supports C99 (global declarations) -ac_c_conftest_c99_globals=' -// Does the compiler advertise C99 conformance? -#if !defined __STDC_VERSION__ || __STDC_VERSION__ < 199901L -# error "Compiler does not advertise C99 conformance" -#endif - -#include -extern int puts (const char *); -extern int printf (const char *, ...); -extern int dprintf (int, const char *, ...); -extern void *malloc (size_t); - -// Check varargs macros. These examples are taken from C99 6.10.3.5. -// dprintf is used instead of fprintf to avoid needing to declare -// FILE and stderr. -#define debug(...) dprintf (2, __VA_ARGS__) -#define showlist(...) puts (#__VA_ARGS__) -#define report(test,...) ((test) ? puts (#test) : printf (__VA_ARGS__)) -static void -test_varargs_macros (void) -{ - int x = 1234; - int y = 5678; - debug ("Flag"); - debug ("X = %d\n", x); - showlist (The first, second, and third items.); - report (x>y, "x is %d but y is %d", x, y); -} - -// Check long long types. 
-#define BIG64 18446744073709551615ull -#define BIG32 4294967295ul -#define BIG_OK (BIG64 / BIG32 == 4294967297ull && BIG64 % BIG32 == 0) -#if !BIG_OK - #error "your preprocessor is broken" -#endif -#if BIG_OK -#else - #error "your preprocessor is broken" -#endif -static long long int bignum = -9223372036854775807LL; -static unsigned long long int ubignum = BIG64; - -struct incomplete_array -{ - int datasize; - double data[]; -}; - -struct named_init { - int number; - const wchar_t *name; - double average; -}; - -typedef const char *ccp; - -static inline int -test_restrict (ccp restrict text) -{ - // See if C++-style comments work. - // Iterate through items via the restricted pointer. - // Also check for declarations in for loops. - for (unsigned int i = 0; *(text+i) != '\''\0'\''; ++i) - continue; - return 0; -} - -// Check varargs and va_copy. -static bool -test_varargs (const char *format, ...) -{ - va_list args; - va_start (args, format); - va_list args_copy; - va_copy (args_copy, args); - - const char *str = ""; - int number = 0; - float fnumber = 0; - - while (*format) - { - switch (*format++) - { - case '\''s'\'': // string - str = va_arg (args_copy, const char *); - break; - case '\''d'\'': // int - number = va_arg (args_copy, int); - break; - case '\''f'\'': // float - fnumber = va_arg (args_copy, double); - break; - default: - break; - } - } - va_end (args_copy); - va_end (args); - - return *str && number && fnumber; -} -' - -# Test code for whether the C compiler supports C99 (body of main). -ac_c_conftest_c99_main=' - // Check bool. - _Bool success = false; - success |= (argc != 0); - - // Check restrict. - if (test_restrict ("String literal") == 0) - success = true; - char *restrict newvar = "Another string"; - - // Check varargs. - success &= test_varargs ("s, d'\'' f .", "string", 65, 34.234); - test_varargs_macros (); - - // Check flexible array members. 
- struct incomplete_array *ia = - malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10)); - ia->datasize = 10; - for (int i = 0; i < ia->datasize; ++i) - ia->data[i] = i * 1.234; - - // Check named initializers. - struct named_init ni = { - .number = 34, - .name = L"Test wide string", - .average = 543.34343, - }; - - ni.number = 58; - - int dynamic_array[ni.number]; - dynamic_array[0] = argv[0][0]; - dynamic_array[ni.number - 1] = 543; - - // work around unused variable warnings - ok |= (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == '\''x'\'' - || dynamic_array[ni.number - 1] != 543); -' - -# Test code for whether the C compiler supports C11 (global declarations) -ac_c_conftest_c11_globals=' -// Does the compiler advertise C11 conformance? -#if !defined __STDC_VERSION__ || __STDC_VERSION__ < 201112L -# error "Compiler does not advertise C11 conformance" -#endif - -// Check _Alignas. -char _Alignas (double) aligned_as_double; -char _Alignas (0) no_special_alignment; -extern char aligned_as_int; -char _Alignas (0) _Alignas (int) aligned_as_int; - -// Check _Alignof. -enum -{ - int_alignment = _Alignof (int), - int_array_alignment = _Alignof (int[100]), - char_alignment = _Alignof (char) -}; -_Static_assert (0 < -_Alignof (int), "_Alignof is signed"); - -// Check _Noreturn. -int _Noreturn does_not_return (void) { for (;;) continue; } - -// Check _Static_assert. -struct test_static_assert -{ - int x; - _Static_assert (sizeof (int) <= sizeof (long int), - "_Static_assert does not work in struct"); - long int y; -}; - -// Check UTF-8 literals. -#define u8 syntax error! -char const utf8_literal[] = u8"happens to be ASCII" "another string"; - -// Check duplicate typedefs. -typedef long *long_ptr; -typedef long int *long_ptr; -typedef long_ptr long_ptr; - -// Anonymous structures and unions -- taken from C11 6.7.2.1 Example 1. 
-struct anonymous -{ - union { - struct { int i; int j; }; - struct { int k; long int l; } w; - }; - int m; -} v1; -' - -# Test code for whether the C compiler supports C11 (body of main). -ac_c_conftest_c11_main=' - _Static_assert ((offsetof (struct anonymous, i) - == offsetof (struct anonymous, w.k)), - "Anonymous union alignment botch"); - v1.i = 2; - v1.w.k = 5; - ok |= v1.i != 5; -' - -# Test code for whether the C compiler supports C11 (complete). -ac_c_conftest_c11_program="${ac_c_conftest_c89_globals} -${ac_c_conftest_c99_globals} -${ac_c_conftest_c11_globals} - -int -main (int argc, char **argv) -{ - int ok = 0; - ${ac_c_conftest_c89_main} - ${ac_c_conftest_c99_main} - ${ac_c_conftest_c11_main} - return ok; -} -" - -# Test code for whether the C compiler supports C99 (complete). -ac_c_conftest_c99_program="${ac_c_conftest_c89_globals} -${ac_c_conftest_c99_globals} - -int -main (int argc, char **argv) -{ - int ok = 0; - ${ac_c_conftest_c89_main} - ${ac_c_conftest_c99_main} - return ok; -} -" - -# Test code for whether the C compiler supports C89 (complete). -ac_c_conftest_c89_program="${ac_c_conftest_c89_globals} - -int -main (int argc, char **argv) -{ - int ok = 0; - ${ac_c_conftest_c89_main} - return ok; -} -" - -as_fn_append ac_header_c_list " stdio.h stdio_h HAVE_STDIO_H" -as_fn_append ac_header_c_list " stdlib.h stdlib_h HAVE_STDLIB_H" -as_fn_append ac_header_c_list " string.h string_h HAVE_STRING_H" -as_fn_append ac_header_c_list " inttypes.h inttypes_h HAVE_INTTYPES_H" -as_fn_append ac_header_c_list " stdint.h stdint_h HAVE_STDINT_H" -as_fn_append ac_header_c_list " strings.h strings_h HAVE_STRINGS_H" -as_fn_append ac_header_c_list " sys/stat.h sys_stat_h HAVE_SYS_STAT_H" -as_fn_append ac_header_c_list " sys/types.h sys_types_h HAVE_SYS_TYPES_H" -as_fn_append ac_header_c_list " unistd.h unistd_h HAVE_UNISTD_H" -# Check that the precious variables saved in the cache have kept the same -# value. 
-ac_cache_corrupted=false -for ac_var in $ac_precious_vars; do - eval ac_old_set=\$ac_cv_env_${ac_var}_set - eval ac_new_set=\$ac_env_${ac_var}_set - eval ac_old_val=\$ac_cv_env_${ac_var}_value - eval ac_new_val=\$ac_env_${ac_var}_value - case $ac_old_set,$ac_new_set in - set,) - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 -printf "%s\n" "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,set) - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 -printf "%s\n" "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,);; - *) - if test "x$ac_old_val" != "x$ac_new_val"; then - # differences in whitespace do not lead to failure. - ac_old_val_w=`echo x $ac_old_val` - ac_new_val_w=`echo x $ac_new_val` - if test "$ac_old_val_w" != "$ac_new_val_w"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 -printf "%s\n" "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} - ac_cache_corrupted=: - else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 -printf "%s\n" "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} - eval $ac_var=\$ac_old_val - fi - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 -printf "%s\n" "$as_me: former value: \`$ac_old_val'" >&2;} - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 -printf "%s\n" "$as_me: current value: \`$ac_new_val'" >&2;} - fi;; - esac - # Pass precious variables to config.status. 
- if test "$ac_new_set" = set; then - case $ac_new_val in - *\'*) ac_arg=$ac_var=`printf "%s\n" "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; - *) ac_arg=$ac_var=$ac_new_val ;; - esac - case " $ac_configure_args " in - *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. - *) as_fn_append ac_configure_args " '$ac_arg'" ;; - esac - fi -done -if $ac_cache_corrupted; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 -printf "%s\n" "$as_me: error: changes in the environment can compromise the build" >&2;} - as_fn_error $? "run \`${MAKE-make} distclean' and/or \`rm $cache_file' - and start over" "$LINENO" 5 -fi -## -------------------- ## -## Main body of script. ## -## -------------------- ## - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - - - - - - - - - -# Check whether --with-rlm_radutmp was given. -if test ${with_rlm_radutmp+y} -then : - withval=$with_rlm_radutmp; -fi - - - - -fail= -fr_status= -fr_features= -: > "config.report" -: > "config.report.tmp" - - - -if test x"$with_rlm_radutmp" != xno; then - - - - - - - - - - - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. -set dummy ${ac_tool_prefix}gcc; ac_word=$2 -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -printf %s "checking for $ac_word... 
" >&6; } -if test ${ac_cv_prog_CC+y} -then : - printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="${ac_tool_prefix}gcc" - printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -printf "%s\n" "$CC" >&6; } -else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } -fi - - -fi -if test -z "$ac_cv_prog_CC"; then - ac_ct_CC=$CC - # Extract the first word of "gcc", so it can be a program name with args. -set dummy gcc; ac_word=$2 -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -printf %s "checking for $ac_word... " >&6; } -if test ${ac_cv_prog_ac_ct_CC+y} -then : - printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. 
-else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CC="gcc" - printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -ac_ct_CC=$ac_cv_prog_ac_ct_CC -if test -n "$ac_ct_CC"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 -printf "%s\n" "$ac_ct_CC" >&6; } -else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } -fi - - if test "x$ac_ct_CC" = x; then - CC="" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - CC=$ac_ct_CC - fi -else - CC="$ac_cv_prog_CC" -fi - -if test -z "$CC"; then - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. -set dummy ${ac_tool_prefix}cc; ac_word=$2 -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -printf %s "checking for $ac_word... " >&6; } -if test ${ac_cv_prog_CC+y} -then : - printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. 
-else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="${ac_tool_prefix}cc" - printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -printf "%s\n" "$CC" >&6; } -else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } -fi - - - fi -fi -if test -z "$CC"; then - # Extract the first word of "cc", so it can be a program name with args. -set dummy cc; ac_word=$2 -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -printf %s "checking for $ac_word... " >&6; } -if test ${ac_cv_prog_CC+y} -then : - printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else - ac_prog_rejected=no -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then - if test "$as_dir$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then - ac_prog_rejected=yes - continue - fi - ac_cv_prog_CC="cc" - printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -if test $ac_prog_rejected = yes; then - # We found a bogon in the path, so make sure we never use it. - set dummy $ac_cv_prog_CC - shift - if test $# != 0; then - # We chose a different compiler from the bogus one. 
- # However, it has the same basename, so the bogon will be chosen - # first if we set CC to just the basename; use the full file name. - shift - ac_cv_prog_CC="$as_dir$ac_word${1+' '}$@" - fi -fi -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -printf "%s\n" "$CC" >&6; } -else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } -fi - - -fi -if test -z "$CC"; then - if test -n "$ac_tool_prefix"; then - for ac_prog in cl.exe - do - # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. -set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -printf %s "checking for $ac_word... " >&6; } -if test ${ac_cv_prog_CC+y} -then : - printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="$ac_tool_prefix$ac_prog" - printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -printf "%s\n" "$CC" >&6; } -else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } -fi - - - test -n "$CC" && break - done -fi -if test -z "$CC"; then - ac_ct_CC=$CC - for ac_prog in cl.exe -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -printf %s "checking for $ac_word... 
" >&6; } -if test ${ac_cv_prog_ac_ct_CC+y} -then : - printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CC="$ac_prog" - printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -ac_ct_CC=$ac_cv_prog_ac_ct_CC -if test -n "$ac_ct_CC"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 -printf "%s\n" "$ac_ct_CC" >&6; } -else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } -fi - - - test -n "$ac_ct_CC" && break -done - - if test "x$ac_ct_CC" = x; then - CC="" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - CC=$ac_ct_CC - fi -fi - -fi -if test -z "$CC"; then - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}clang", so it can be a program name with args. -set dummy ${ac_tool_prefix}clang; ac_word=$2 -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -printf %s "checking for $ac_word... " >&6; } -if test ${ac_cv_prog_CC+y} -then : - printf %s "(cached) " >&6 -else $as_nop - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. 
-else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="${ac_tool_prefix}clang" - printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -printf "%s\n" "$CC" >&6; } -else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } -fi - - -fi -if test -z "$ac_cv_prog_CC"; then - ac_ct_CC=$CC - # Extract the first word of "clang", so it can be a program name with args. -set dummy clang; ac_word=$2 -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -printf %s "checking for $ac_word... " >&6; } -if test ${ac_cv_prog_ac_ct_CC+y} -then : - printf %s "(cached) " >&6 -else $as_nop - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. 
-else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CC="clang" - printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -ac_ct_CC=$ac_cv_prog_ac_ct_CC -if test -n "$ac_ct_CC"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 -printf "%s\n" "$ac_ct_CC" >&6; } -else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } -fi - - if test "x$ac_ct_CC" = x; then - CC="" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - CC=$ac_ct_CC - fi -else - CC="$ac_cv_prog_CC" -fi - -fi - - -test -z "$CC" && { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "no acceptable C compiler found in \$PATH -See \`config.log' for more details" "$LINENO" 5; } - -# Provide some information about the compiler. -printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 -set X $ac_compile -ac_compiler=$2 -for ac_option in --version -v -V -qversion -version; do - { { ac_try="$ac_compiler $ac_option >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -printf "%s\n" "$ac_try_echo"; } >&5 - (eval "$ac_compiler $ac_option >&5") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - sed '10a\ -... rest of stderr output deleted ... 
- 10q' conftest.err >conftest.er1 - cat conftest.er1 >&5 - fi - rm -f conftest.er1 conftest.err - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } -done - -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -ac_clean_files_save=$ac_clean_files -ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" -# Try to create an executable without -o first, disregard a.out. -# It will help us diagnose broken compilers, and finding out an intuition -# of exeext. -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 -printf %s "checking whether the C compiler works... " >&6; } -ac_link_default=`printf "%s\n" "$ac_link" | sed 's/ -o *conftest[^ ]*//'` - -# The possible output files: -ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" - -ac_rmfiles= -for ac_file in $ac_files -do - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; - * ) ac_rmfiles="$ac_rmfiles $ac_file";; - esac -done -rm -f $ac_rmfiles - -if { { ac_try="$ac_link_default" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -printf "%s\n" "$ac_try_echo"; } >&5 - (eval "$ac_link_default") 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } -then : - # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. -# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' -# in a Makefile. We should not override ac_cv_exeext if it was cached, -# so that the user can short-circuit this test for compilers unknown to -# Autoconf. 
-for ac_file in $ac_files '' -do - test -f "$ac_file" || continue - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) - ;; - [ab].out ) - # We found the default executable, but exeext='' is most - # certainly right. - break;; - *.* ) - if test ${ac_cv_exeext+y} && test "$ac_cv_exeext" != no; - then :; else - ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - fi - # We set ac_cv_exeext here because the later test for it is not - # safe: cross compilers may not add the suffix if given an `-o' - # argument, so we may need to know it at that point already. - # Even if this section looks crufty: it has the advantage of - # actually working. - break;; - * ) - break;; - esac -done -test "$ac_cv_exeext" = no && ac_cv_exeext= - -else $as_nop - ac_file='' -fi -if test -z "$ac_file" -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; } -printf "%s\n" "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "C compiler cannot create executables -See \`config.log' for more details" "$LINENO" 5; } -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -printf "%s\n" "yes" >&6; } -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 -printf %s "checking for C compiler default output file name... " >&6; } -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 -printf "%s\n" "$ac_file" >&6; } -ac_exeext=$ac_cv_exeext - -rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out -ac_clean_files=$ac_clean_files_save -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 -printf %s "checking for suffix of executables... 
" >&6; } -if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -printf "%s\n" "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } -then : - # If both `conftest.exe' and `conftest' are `present' (well, observable) -# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will -# work properly (i.e., refer to `conftest.exe'), while it won't with -# `rm'. -for ac_file in conftest.exe conftest conftest.*; do - test -f "$ac_file" || continue - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; - *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - break;; - * ) break;; - esac -done -else $as_nop - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot compute suffix of executables: cannot compile and link -See \`config.log' for more details" "$LINENO" 5; } -fi -rm -f conftest conftest$ac_cv_exeext -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 -printf "%s\n" "$ac_cv_exeext" >&6; } - -rm -f conftest.$ac_ext -EXEEXT=$ac_cv_exeext -ac_exeext=$EXEEXT -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main (void) -{ -FILE *f = fopen ("conftest.out", "w"); - return ferror (f) || fclose (f) != 0; - - ; - return 0; -} -_ACEOF -ac_clean_files="$ac_clean_files conftest.out" -# Check that the compiler produces executables we can run. If not, either -# the compiler is broken, or we cross compile. -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 -printf %s "checking whether we are cross compiling... 
" >&6; } -if test "$cross_compiling" != yes; then - { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -printf "%s\n" "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } - if { ac_try='./conftest$ac_cv_exeext' - { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -printf "%s\n" "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; }; then - cross_compiling=no - else - if test "$cross_compiling" = maybe; then - cross_compiling=yes - else - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot run C compiled programs. -If you meant to cross compile, use \`--host'. -See \`config.log' for more details" "$LINENO" 5; } - fi - fi -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 -printf "%s\n" "$cross_compiling" >&6; } - -rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out -ac_clean_files=$ac_clean_files_save -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 -printf %s "checking for suffix of object files... " >&6; } -if test ${ac_cv_objext+y} -then : - printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.o conftest.obj -if { { ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -printf "%s\n" "$ac_try_echo"; } >&5 - (eval "$ac_compile") 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } -then : - for ac_file in conftest.o conftest.obj conftest.*; do - test -f "$ac_file" || continue; - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; - *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` - break;; - esac -done -else $as_nop - printf "%s\n" "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot compute suffix of object files: cannot compile -See \`config.log' for more details" "$LINENO" 5; } -fi -rm -f conftest.$ac_cv_objext conftest.$ac_ext -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 -printf "%s\n" "$ac_cv_objext" >&6; } -OBJEXT=$ac_cv_objext -ac_objext=$OBJEXT -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the compiler supports GNU C" >&5 -printf %s "checking whether the compiler supports GNU C... " >&6; } -if test ${ac_cv_c_compiler_gnu+y} -then : - printf %s "(cached) " >&6 -else $as_nop - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ - -int -main (void) -{ -#ifndef __GNUC__ - choke me -#endif - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO" -then : - ac_compiler_gnu=yes -else $as_nop - ac_compiler_gnu=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext -ac_cv_c_compiler_gnu=$ac_compiler_gnu - -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 -printf "%s\n" "$ac_cv_c_compiler_gnu" >&6; } -ac_compiler_gnu=$ac_cv_c_compiler_gnu - -if test $ac_compiler_gnu = yes; then - GCC=yes -else - GCC= -fi -ac_test_CFLAGS=${CFLAGS+y} -ac_save_CFLAGS=$CFLAGS -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 -printf %s "checking whether $CC accepts -g... " >&6; } -if test ${ac_cv_prog_cc_g+y} -then : - printf %s "(cached) " >&6 -else $as_nop - ac_save_c_werror_flag=$ac_c_werror_flag - ac_c_werror_flag=yes - ac_cv_prog_cc_g=no - CFLAGS="-g" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO" -then : - ac_cv_prog_cc_g=yes -else $as_nop - CFLAGS="" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO" -then : - -else $as_nop - ac_c_werror_flag=$ac_save_c_werror_flag - CFLAGS="-g" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO" -then : - ac_cv_prog_cc_g=yes -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - ac_c_werror_flag=$ac_save_c_werror_flag -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 -printf "%s\n" "$ac_cv_prog_cc_g" >&6; } -if test $ac_test_CFLAGS; then - CFLAGS=$ac_save_CFLAGS -elif test $ac_cv_prog_cc_g = yes; then - if test "$GCC" = yes; then - CFLAGS="-g -O2" - else - CFLAGS="-g" - fi -else - if test "$GCC" = yes; then - CFLAGS="-O2" - else - CFLAGS= - fi -fi -ac_prog_cc_stdc=no -if test x$ac_prog_cc_stdc = xno -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C11 features" >&5 -printf %s "checking for $CC option to enable C11 features... " >&6; } -if test ${ac_cv_prog_cc_c11+y} -then : - printf %s "(cached) " >&6 -else $as_nop - ac_cv_prog_cc_c11=no -ac_save_CC=$CC -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -$ac_c_conftest_c11_program -_ACEOF -for ac_arg in '' -std=gnu11 -do - CC="$ac_save_CC $ac_arg" - if ac_fn_c_try_compile "$LINENO" -then : - ac_cv_prog_cc_c11=$ac_arg -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam - test "x$ac_cv_prog_cc_c11" != "xno" && break -done -rm -f conftest.$ac_ext -CC=$ac_save_CC -fi - -if test "x$ac_cv_prog_cc_c11" = xno -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 -printf "%s\n" "unsupported" >&6; } -else $as_nop - if test "x$ac_cv_prog_cc_c11" = x -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 -printf "%s\n" "none needed" >&6; } -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c11" >&5 -printf "%s\n" "$ac_cv_prog_cc_c11" >&6; } - CC="$CC $ac_cv_prog_cc_c11" -fi - ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c11 - ac_prog_cc_stdc=c11 -fi -fi -if test x$ac_prog_cc_stdc = xno -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C99 features" >&5 -printf %s "checking for $CC option to enable C99 features... " >&6; } -if test ${ac_cv_prog_cc_c99+y} -then : - printf %s "(cached) " >&6 -else $as_nop - ac_cv_prog_cc_c99=no -ac_save_CC=$CC -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -$ac_c_conftest_c99_program -_ACEOF -for ac_arg in '' -std=gnu99 -std=c99 -c99 -qlanglvl=extc1x -qlanglvl=extc99 -AC99 -D_STDC_C99= -do - CC="$ac_save_CC $ac_arg" - if ac_fn_c_try_compile "$LINENO" -then : - ac_cv_prog_cc_c99=$ac_arg -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam - test "x$ac_cv_prog_cc_c99" != "xno" && break -done -rm -f conftest.$ac_ext -CC=$ac_save_CC -fi - -if test "x$ac_cv_prog_cc_c99" = xno -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 -printf "%s\n" "unsupported" >&6; } -else $as_nop - if test "x$ac_cv_prog_cc_c99" = x -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 -printf "%s\n" "none needed" >&6; } -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5 -printf "%s\n" "$ac_cv_prog_cc_c99" >&6; } - CC="$CC $ac_cv_prog_cc_c99" -fi - ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c99 - ac_prog_cc_stdc=c99 -fi -fi -if test x$ac_prog_cc_stdc = xno -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C89 features" >&5 -printf %s "checking for $CC option to enable C89 features... " >&6; } -if test ${ac_cv_prog_cc_c89+y} -then : - printf %s "(cached) " >&6 -else $as_nop - ac_cv_prog_cc_c89=no -ac_save_CC=$CC -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -$ac_c_conftest_c89_program -_ACEOF -for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" -do - CC="$ac_save_CC $ac_arg" - if ac_fn_c_try_compile "$LINENO" -then : - ac_cv_prog_cc_c89=$ac_arg -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam - test "x$ac_cv_prog_cc_c89" != "xno" && break -done -rm -f conftest.$ac_ext -CC=$ac_save_CC -fi - -if test "x$ac_cv_prog_cc_c89" = xno -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 -printf "%s\n" "unsupported" >&6; } -else $as_nop - if test "x$ac_cv_prog_cc_c89" = x -then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 -printf "%s\n" "none needed" >&6; } -else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 -printf "%s\n" "$ac_cv_prog_cc_c89" >&6; } - CC="$CC $ac_cv_prog_cc_c89" -fi - ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89 - ac_prog_cc_stdc=c89 -fi -fi - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - - -ac_header= ac_cache= -for ac_item in $ac_header_c_list -do - if test $ac_cache; then - ac_fn_c_check_header_compile "$LINENO" $ac_header ac_cv_header_$ac_cache "$ac_includes_default" - if eval test \"x\$ac_cv_header_$ac_cache\" = xyes; then - printf "%s\n" "#define $ac_item 1" >> confdefs.h - fi - ac_header= ac_cache= - elif test $ac_header; then - ac_cache=$ac_item - else - ac_header=$ac_item - fi -done - - - - - - - - -if test $ac_cv_header_stdlib_h = yes && test $ac_cv_header_string_h = yes -then : - -printf "%s\n" "#define STDC_HEADERS 1" >>confdefs.h - -fi -ac_fn_c_check_header_compile "$LINENO" "sys/mman.h" "ac_cv_header_sys_mman_h" "$ac_includes_default" -if test "x$ac_cv_header_sys_mman_h" = xyes -then : - printf "%s\n" "#define HAVE_SYS_MMAN_H 1" >>confdefs.h - -fi - - - - 
targetname=rlm_radutmp -else - targetname= - echo \*\*\* module rlm_radutmp is disabled. - - -fr_status="disabled" - -fi - -if test x"$fail" != x""; then - targetname="" - - - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_radutmp." >&5 -printf "%s\n" "$as_me: WARNING: silently not building rlm_radutmp." >&2;} - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_radutmp requires: $fail." >&5 -printf "%s\n" "$as_me: WARNING: FAILURE: rlm_radutmp requires: $fail." >&2;}; - fail="$(echo $fail)" - - -fr_status="skipping (requires $fail)" - - fr_features= - -else - - -fr_status="OK" - -fi - -if test x"$fr_features" = x""; then - $as_echo "$fr_status" > "config.report" -else - $as_echo_n "$fr_status ... " > "config.report" - cat "config.report.tmp" >> "config.report" -fi - -rm "config.report.tmp" - - - - - - - -ac_config_headers="$ac_config_headers config.h" - -ac_config_files="$ac_config_files all.mk" - -cat >confcache <<\_ACEOF -# This file is a shell script that caches the results of configure -# tests run on this system so they can be shared between configure -# scripts and configure runs, see configure's option --config-cache. -# It is not useful on other systems. If it contains results you don't -# want to keep, you may remove or edit it. -# -# config.status only pays attention to the cache file if you give it -# the --recheck option to rerun configure. -# -# `ac_cv_env_foo' variables (set or unset) will be overridden when -# loading this file, other *unset* `ac_cv_foo' will be assigned the -# following values. - -_ACEOF - -# The following way of writing the cache mishandles newlines in values, -# but we know of no workaround that is simple, portable, and efficient. -# So, we kill variables containing newlines. -# Ultrix sh set writes to stderr and can't be redirected directly, -# and sets the high bit in the cache file unless we assign to the vars. 
-( - for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do - eval ac_val=\$$ac_var - case $ac_val in #( - *${as_nl}*) - case $ac_var in #( - *_cv_*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 -printf "%s\n" "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; - esac - case $ac_var in #( - _ | IFS | as_nl) ;; #( - BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( - *) { eval $ac_var=; unset $ac_var;} ;; - esac ;; - esac - done - - (set) 2>&1 | - case $as_nl`(ac_space=' '; set) 2>&1` in #( - *${as_nl}ac_space=\ *) - # `set' does not quote correctly, so add quotes: double-quote - # substitution turns \\\\ into \\, and sed turns \\ into \. - sed -n \ - "s/'/'\\\\''/g; - s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" - ;; #( - *) - # `set' quotes correctly as required by POSIX, so do not add quotes. - sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" - ;; - esac | - sort -) | - sed ' - /^ac_cv_env_/b end - t clear - :clear - s/^\([^=]*\)=\(.*[{}].*\)$/test ${\1+y} || &/ - t end - s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ - :end' >>confcache -if diff "$cache_file" confcache >/dev/null 2>&1; then :; else - if test -w "$cache_file"; then - if test "x$cache_file" != "x/dev/null"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 -printf "%s\n" "$as_me: updating cache $cache_file" >&6;} - if test ! 
-f "$cache_file" || test -h "$cache_file"; then - cat confcache >"$cache_file" - else - case $cache_file in #( - */* | ?:*) - mv -f confcache "$cache_file"$$ && - mv -f "$cache_file"$$ "$cache_file" ;; #( - *) - mv -f confcache "$cache_file" ;; - esac - fi - fi - else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 -printf "%s\n" "$as_me: not updating unwritable cache $cache_file" >&6;} - fi -fi -rm -f confcache - -test "x$prefix" = xNONE && prefix=$ac_default_prefix -# Let make expand exec_prefix. -test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' - -DEFS=-DHAVE_CONFIG_H - -ac_libobjs= -ac_ltlibobjs= -U= -for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue - # 1. Remove the extension, and $U if already installed. - ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' - ac_i=`printf "%s\n" "$ac_i" | sed "$ac_script"` - # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR - # will be set to the directory where LIBOBJS objects are built. - as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" - as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' -done -LIBOBJS=$ac_libobjs - -LTLIBOBJS=$ac_ltlibobjs - - - -: "${CONFIG_STATUS=./config.status}" -ac_write_fail=0 -ac_clean_files_save=$ac_clean_files -ac_clean_files="$ac_clean_files $CONFIG_STATUS" -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 -printf "%s\n" "$as_me: creating $CONFIG_STATUS" >&6;} -as_write_fail=0 -cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 -#! $SHELL -# Generated by $as_me. -# Run this file to recreate the current configuration. -# Compiler output produced by configure, useful for debugging -# configure, is in config.log if it exists. - -debug=false -ac_cs_recheck=false -ac_cs_silent=false - -SHELL=\${CONFIG_SHELL-$SHELL} -export SHELL -_ASEOF -cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 -## -------------------- ## -## M4sh Initialization. 
## -## -------------------- ## - -# Be more Bourne compatible -DUALCASE=1; export DUALCASE # for MKS sh -as_nop=: -if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 -then : - emulate sh - NULLCMD=: - # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. - alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST -else $as_nop - case `(set -o) 2>/dev/null` in #( - *posix*) : - set -o posix ;; #( - *) : - ;; -esac -fi - - - -# Reset variables that may have inherited troublesome values from -# the environment. - -# IFS needs to be set, to space, tab, and newline, in precisely that order. -# (If _AS_PATH_WALK were called with IFS unset, it would have the -# side effect of setting IFS to empty, thus disabling word splitting.) -# Quoting is to prevent editors from complaining about space-tab. -as_nl=' -' -export as_nl -IFS=" "" $as_nl" - -PS1='$ ' -PS2='> ' -PS4='+ ' - -# Ensure predictable behavior from utilities with locale-dependent output. -LC_ALL=C -export LC_ALL -LANGUAGE=C -export LANGUAGE - -# We cannot yet rely on "unset" to work, but we need these variables -# to be unset--not just set to an empty or harmless value--now, to -# avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct -# also avoids known problems related to "unset" and subshell syntax -# in other old shells (e.g. bash 2.01 and pdksh 5.2.14). -for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH -do eval test \${$as_var+y} \ - && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : -done - -# Ensure that fds 0, 1, and 2 are open. -if (exec 3>&0) 2>/dev/null; then :; else exec 0&1) 2>/dev/null; then :; else exec 1>/dev/null; fi -if (exec 3>&2) ; then :; else exec 2>/dev/null; fi - -# The user is always right. 
-if ${PATH_SEPARATOR+false} :; then - PATH_SEPARATOR=: - (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { - (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || - PATH_SEPARATOR=';' - } -fi - - -# Find who we are. Look in the path if we contain no directory separator. -as_myself= -case $0 in #(( - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - test -r "$as_dir$0" && as_myself=$as_dir$0 && break - done -IFS=$as_save_IFS - - ;; -esac -# We did not find ourselves, most probably we were run as `sh COMMAND' -# in which case we are not to be found in the path. -if test "x$as_myself" = x; then - as_myself=$0 -fi -if test ! -f "$as_myself"; then - printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 - exit 1 -fi - - - -# as_fn_error STATUS ERROR [LINENO LOG_FD] -# ---------------------------------------- -# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are -# provided, also output the error to LOG_FD, referencing LINENO. Then exit the -# script with STATUS, using 1 if that was 0. -as_fn_error () -{ - as_status=$1; test $as_status -eq 0 && as_status=1 - if test "$4"; then - as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 - fi - printf "%s\n" "$as_me: error: $2" >&2 - as_fn_exit $as_status -} # as_fn_error - - - -# as_fn_set_status STATUS -# ----------------------- -# Set $? to STATUS, without forking. -as_fn_set_status () -{ - return $1 -} # as_fn_set_status - -# as_fn_exit STATUS -# ----------------- -# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. -as_fn_exit () -{ - set +e - as_fn_set_status $1 - exit $1 -} # as_fn_exit - -# as_fn_unset VAR -# --------------- -# Portably unset VAR. 
-as_fn_unset () -{ - { eval $1=; unset $1;} -} -as_unset=as_fn_unset - -# as_fn_append VAR VALUE -# ---------------------- -# Append the text in VALUE to the end of the definition contained in VAR. Take -# advantage of any shell optimizations that allow amortized linear growth over -# repeated appends, instead of the typical quadratic growth present in naive -# implementations. -if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null -then : - eval 'as_fn_append () - { - eval $1+=\$2 - }' -else $as_nop - as_fn_append () - { - eval $1=\$$1\$2 - } -fi # as_fn_append - -# as_fn_arith ARG... -# ------------------ -# Perform arithmetic evaluation on the ARGs, and store the result in the -# global $as_val. Take advantage of shells that can avoid forks. The arguments -# must be portable across $(()) and expr. -if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null -then : - eval 'as_fn_arith () - { - as_val=$(( $* )) - }' -else $as_nop - as_fn_arith () - { - as_val=`expr "$@" || test $? -eq 1` - } -fi # as_fn_arith - - -if expr a : '\(a\)' >/dev/null 2>&1 && - test "X`expr 00001 : '.*\(...\)'`" = X001; then - as_expr=expr -else - as_expr=false -fi - -if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then - as_basename=basename -else - as_basename=false -fi - -if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then - as_dirname=dirname -else - as_dirname=false -fi - -as_me=`$as_basename -- "$0" || -$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)' \| . 2>/dev/null || -printf "%s\n" X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ - s//\1/ - q - } - /^X\/\(\/\/\)$/{ - s//\1/ - q - } - /^X\/\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - -# Avoid depending upon Character Ranges. 
-as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits - - -# Determine whether it's possible to make 'echo' print without a newline. -# These variables are no longer used directly by Autoconf, but are AC_SUBSTed -# for compatibility with existing Makefiles. -ECHO_C= ECHO_N= ECHO_T= -case `echo -n x` in #((((( --n*) - case `echo 'xy\c'` in - *c*) ECHO_T=' ';; # ECHO_T is single tab character. - xy) ECHO_C='\c';; - *) echo `echo ksh88 bug on AIX 6.1` > /dev/null - ECHO_T=' ';; - esac;; -*) - ECHO_N='-n';; -esac - -# For backward compatibility with old third-party macros, we provide -# the shell variables $as_echo and $as_echo_n. New code should use -# AS_ECHO(["message"]) and AS_ECHO_N(["message"]), respectively. -as_echo='printf %s\n' -as_echo_n='printf %s' - -rm -f conf$$ conf$$.exe conf$$.file -if test -d conf$$.dir; then - rm -f conf$$.dir/conf$$.file -else - rm -f conf$$.dir - mkdir conf$$.dir 2>/dev/null -fi -if (echo >conf$$.file) 2>/dev/null; then - if ln -s conf$$.file conf$$ 2>/dev/null; then - as_ln_s='ln -s' - # ... but there are two gotchas: - # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. - # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -pR'. - ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -pR' - elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln - else - as_ln_s='cp -pR' - fi -else - as_ln_s='cp -pR' -fi -rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file -rmdir conf$$.dir 2>/dev/null - - -# as_fn_mkdir_p -# ------------- -# Create "$as_dir" as a directory, including parents if necessary. 
-as_fn_mkdir_p () -{ - - case $as_dir in #( - -*) as_dir=./$as_dir;; - esac - test -d "$as_dir" || eval $as_mkdir_p || { - as_dirs= - while :; do - case $as_dir in #( - *\'*) as_qdir=`printf "%s\n" "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( - *) as_qdir=$as_dir;; - esac - as_dirs="'$as_qdir' $as_dirs" - as_dir=`$as_dirname -- "$as_dir" || -$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_dir" : 'X\(//\)[^/]' \| \ - X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -printf "%s\n" X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - test -d "$as_dir" && break - done - test -z "$as_dirs" || eval "mkdir $as_dirs" - } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" - - -} # as_fn_mkdir_p -if mkdir -p . 2>/dev/null; then - as_mkdir_p='mkdir -p "$as_dir"' -else - test -d ./-p && rmdir ./-p - as_mkdir_p=false -fi - - -# as_fn_executable_p FILE -# ----------------------- -# Test if FILE is an executable regular file. -as_fn_executable_p () -{ - test -f "$1" && test -x "$1" -} # as_fn_executable_p -as_test_x='test -x' -as_executable_p=as_fn_executable_p - -# Sed expression to map a string onto a valid CPP name. -as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" - -# Sed expression to map a string onto a valid variable name. -as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" - - -exec 6>&1 -## ----------------------------------- ## -## Main body of $CONFIG_STATUS script. ## -## ----------------------------------- ## -_ASEOF -test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -# Save the log message, to keep $0 and so on meaningful, and to -# report actual input values of CONFIG_FILES etc. instead of their -# values after options handling. 
-ac_log=" -This file was extended by $as_me, which was -generated by GNU Autoconf 2.71. Invocation command line was - - CONFIG_FILES = $CONFIG_FILES - CONFIG_HEADERS = $CONFIG_HEADERS - CONFIG_LINKS = $CONFIG_LINKS - CONFIG_COMMANDS = $CONFIG_COMMANDS - $ $0 $@ - -on `(hostname || uname -n) 2>/dev/null | sed 1q` -" - -_ACEOF - -case $ac_config_files in *" -"*) set x $ac_config_files; shift; ac_config_files=$*;; -esac - -case $ac_config_headers in *" -"*) set x $ac_config_headers; shift; ac_config_headers=$*;; -esac - - -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -# Files that config.status was made for. -config_files="$ac_config_files" -config_headers="$ac_config_headers" - -_ACEOF - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -ac_cs_usage="\ -\`$as_me' instantiates files and other configuration actions -from templates according to the current configuration. Unless the files -and actions are specified as TAGs, all are instantiated by default. - -Usage: $0 [OPTION]... [TAG]... - - -h, --help print this help, then exit - -V, --version print version number and configuration settings, then exit - --config print configuration, then exit - -q, --quiet, --silent - do not print progress messages - -d, --debug don't remove temporary files - --recheck update $as_me by reconfiguring in the same conditions - --file=FILE[:TEMPLATE] - instantiate the configuration file FILE - --header=FILE[:TEMPLATE] - instantiate the configuration header FILE - -Configuration files: -$config_files - -Configuration headers: -$config_headers - -Report bugs to the package provider." 
- -_ACEOF -ac_cs_config=`printf "%s\n" "$ac_configure_args" | sed "$ac_safe_unquote"` -ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\''/g"` -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -ac_cs_config='$ac_cs_config_escaped' -ac_cs_version="\\ -config.status -configured by $0, generated by GNU Autoconf 2.71, - with options \\"\$ac_cs_config\\" - -Copyright (C) 2021 Free Software Foundation, Inc. -This config.status script is free software; the Free Software Foundation -gives unlimited permission to copy, distribute and modify it." - -ac_pwd='$ac_pwd' -srcdir='$srcdir' -test -n "\$AWK" || AWK=awk -_ACEOF - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -# The default lists apply if the user does not specify any file. -ac_need_defaults=: -while test $# != 0 -do - case $1 in - --*=?*) - ac_option=`expr "X$1" : 'X\([^=]*\)='` - ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` - ac_shift=: - ;; - --*=) - ac_option=`expr "X$1" : 'X\([^=]*\)='` - ac_optarg= - ac_shift=: - ;; - *) - ac_option=$1 - ac_optarg=$2 - ac_shift=shift - ;; - esac - - case $ac_option in - # Handling of the options. - -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) - ac_cs_recheck=: ;; - --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) - printf "%s\n" "$ac_cs_version"; exit ;; - --config | --confi | --conf | --con | --co | --c ) - printf "%s\n" "$ac_cs_config"; exit ;; - --debug | --debu | --deb | --de | --d | -d ) - debug=: ;; - --file | --fil | --fi | --f ) - $ac_shift - case $ac_optarg in - *\'*) ac_optarg=`printf "%s\n" "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; - '') as_fn_error $? 
"missing file argument" ;; - esac - as_fn_append CONFIG_FILES " '$ac_optarg'" - ac_need_defaults=false;; - --header | --heade | --head | --hea ) - $ac_shift - case $ac_optarg in - *\'*) ac_optarg=`printf "%s\n" "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; - esac - as_fn_append CONFIG_HEADERS " '$ac_optarg'" - ac_need_defaults=false;; - --he | --h) - # Conflict between --help and --header - as_fn_error $? "ambiguous option: \`$1' -Try \`$0 --help' for more information.";; - --help | --hel | -h ) - printf "%s\n" "$ac_cs_usage"; exit ;; - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil | --si | --s) - ac_cs_silent=: ;; - - # This is an error. - -*) as_fn_error $? "unrecognized option: \`$1' -Try \`$0 --help' for more information." ;; - - *) as_fn_append ac_config_targets " $1" - ac_need_defaults=false ;; - - esac - shift -done - -ac_configure_extra_args= - -if $ac_cs_silent; then - exec 6>/dev/null - ac_configure_extra_args="$ac_configure_extra_args --silent" -fi - -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -if \$ac_cs_recheck; then - set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion - shift - \printf "%s\n" "running CONFIG_SHELL=$SHELL \$*" >&6 - CONFIG_SHELL='$SHELL' - export CONFIG_SHELL - exec "\$@" -fi - -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -exec 5>>config.log -{ - echo - sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX -## Running $as_me. ## -_ASBOX - printf "%s\n" "$ac_log" -} >&5 - -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -_ACEOF - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - -# Handling of arguments. -for ac_config_target in $ac_config_targets -do - case $ac_config_target in - "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; - "all.mk") CONFIG_FILES="$CONFIG_FILES all.mk" ;; - - *) as_fn_error $? 
"invalid argument: \`$ac_config_target'" "$LINENO" 5;; - esac -done - - -# If the user did not use the arguments to specify the items to instantiate, -# then the envvar interface is used. Set only those that are not. -# We use the long form for the default assignment because of an extremely -# bizarre bug on SunOS 4.1.3. -if $ac_need_defaults; then - test ${CONFIG_FILES+y} || CONFIG_FILES=$config_files - test ${CONFIG_HEADERS+y} || CONFIG_HEADERS=$config_headers -fi - -# Have a temporary directory for convenience. Make it in the build tree -# simply because there is no reason against having it here, and in addition, -# creating and moving files from /tmp can sometimes cause problems. -# Hook for its removal unless debugging. -# Note that there is a small window in which the directory will not be cleaned: -# after its creation but before its name has been assigned to `$tmp'. -$debug || -{ - tmp= ac_tmp= - trap 'exit_status=$? - : "${ac_tmp:=$tmp}" - { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status -' 0 - trap 'as_fn_exit 1' 1 2 13 15 -} -# Create a (secure) tmp directory for tmp files. - -{ - tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && - test -d "$tmp" -} || -{ - tmp=./conf$$-$RANDOM - (umask 077 && mkdir "$tmp") -} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 -ac_tmp=$tmp - -# Set up the scripts for CONFIG_FILES section. -# No need to generate them if there are no CONFIG_FILES. -# This happens for instance with `./config.status config.h'. -if test -n "$CONFIG_FILES"; then - - -ac_cr=`echo X | tr X '\015'` -# On cygwin, bash can eat \r inside `` if the user requested igncr. -# But we know of no other shell where ac_cr would be empty at this -# point, so we can use a bashism as a fallback. 
-if test "x$ac_cr" = x; then - eval ac_cr=\$\'\\r\' -fi -ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` -if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then - ac_cs_awk_cr='\\r' -else - ac_cs_awk_cr=$ac_cr -fi - -echo 'BEGIN {' >"$ac_tmp/subs1.awk" && -_ACEOF - - -{ - echo "cat >conf$$subs.awk <<_ACEOF" && - echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && - echo "_ACEOF" -} >conf$$subs.sh || - as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 -ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` -ac_delim='%!_!# ' -for ac_last_try in false false false false false :; do - . ./conf$$subs.sh || - as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 - - ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` - if test $ac_delim_n = $ac_delim_num; then - break - elif $ac_last_try; then - as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 - else - ac_delim="$ac_delim!$ac_delim _$ac_delim!! " - fi -done -rm -f conf$$subs.sh - -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && -_ACEOF -sed -n ' -h -s/^/S["/; s/!.*/"]=/ -p -g -s/^[^!]*!// -:repl -t repl -s/'"$ac_delim"'$// -t delim -:nl -h -s/\(.\{148\}\)..*/\1/ -t more1 -s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ -p -n -b repl -:more1 -s/["\\]/\\&/g; s/^/"/; s/$/"\\/ -p -g -s/.\{148\}// -t nl -:delim -h -s/\(.\{148\}\)..*/\1/ -t more2 -s/["\\]/\\&/g; s/^/"/; s/$/"/ -p -b -:more2 -s/["\\]/\\&/g; s/^/"/; s/$/"\\/ -p -g -s/.\{148\}// -t delim -' >$CONFIG_STATUS || ac_write_fail=1 -rm -f conf$$subs.awk -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -_ACAWK -cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && - for (key in S) S_is_set[key] = 1 - FS = "" - -} -{ - line = $ 0 - nfields = split(line, field, "@") - substed = 0 - len = length(field[1]) - for (i = 2; i < nfields; i++) { - key = field[i] - keylen = length(key) - if (S_is_set[key]) { - value = S[key] - line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) - len += length(value) + 
length(field[++i]) - substed = 1 - } else - len += 1 + keylen - } - - print line -} - -_ACAWK -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then - sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" -else - cat -fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ - || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 -_ACEOF - -# VPATH may cause trouble with some makes, so we remove sole $(srcdir), -# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and -# trailing colons and then remove the whole line if VPATH becomes empty -# (actually we leave an empty line to preserve line numbers). -if test "x$srcdir" = x.; then - ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ -h -s/// -s/^/:/ -s/[ ]*$/:/ -s/:\$(srcdir):/:/g -s/:\${srcdir}:/:/g -s/:@srcdir@:/:/g -s/^:*// -s/:*$// -x -s/\(=[ ]*\).*/\1/ -G -s/\n// -s/^[^=]*=[ ]*$// -}' -fi - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -fi # test -n "$CONFIG_FILES" - -# Set up the scripts for CONFIG_HEADERS section. -# No need to generate them if there are no CONFIG_HEADERS. -# This happens for instance with `./config.status Makefile'. -if test -n "$CONFIG_HEADERS"; then -cat >"$ac_tmp/defines.awk" <<\_ACAWK || -BEGIN { -_ACEOF - -# Transform confdefs.h into an awk script `defines.awk', embedded as -# here-document in config.status, that substitutes the proper values into -# config.h.in to produce config.h. - -# Create a delimiter string that does not exist in confdefs.h, to ease -# handling of long lines. -ac_delim='%!_!# ' -for ac_last_try in false false :; do - ac_tt=`sed -n "/$ac_delim/p" confdefs.h` - if test -z "$ac_tt"; then - break - elif $ac_last_try; then - as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 - else - ac_delim="$ac_delim!$ac_delim _$ac_delim!! " - fi -done - -# For the awk script, D is an array of macro values keyed by name, -# likewise P contains macro parameters if any. 
Preserve backslash -# newline sequences. - -ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* -sed -n ' -s/.\{148\}/&'"$ac_delim"'/g -t rset -:rset -s/^[ ]*#[ ]*define[ ][ ]*/ / -t def -d -:def -s/\\$// -t bsnl -s/["\\]/\\&/g -s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ -D["\1"]=" \3"/p -s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p -d -:bsnl -s/["\\]/\\&/g -s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ -D["\1"]=" \3\\\\\\n"\\/p -t cont -s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p -t cont -d -:cont -n -s/.\{148\}/&'"$ac_delim"'/g -t clear -:clear -s/\\$// -t bsnlc -s/["\\]/\\&/g; s/^/"/; s/$/"/p -d -:bsnlc -s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p -b cont -' >$CONFIG_STATUS || ac_write_fail=1 - -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - for (key in D) D_is_set[key] = 1 - FS = "" -} -/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { - line = \$ 0 - split(line, arg, " ") - if (arg[1] == "#") { - defundef = arg[2] - mac1 = arg[3] - } else { - defundef = substr(arg[1], 2) - mac1 = arg[2] - } - split(mac1, mac2, "(") #) - macro = mac2[1] - prefix = substr(line, 1, index(line, defundef) - 1) - if (D_is_set[macro]) { - # Preserve the white space surrounding the "#". - print prefix "define", macro P[macro] D[macro] - next - } else { - # Replace #undef with comments. This is necessary, for example, - # in the case of _POSIX_SOURCE, which is predefined and required - # on some systems where configure will not decide to define it. - if (defundef == "undef") { - print "/*", prefix defundef, macro, "*/" - next - } - } -} -{ print } -_ACAWK -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 -fi # test -n "$CONFIG_HEADERS" - - -eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS " -shift -for ac_tag -do - case $ac_tag in - :[FHLC]) ac_mode=$ac_tag; continue;; - esac - case $ac_mode$ac_tag in - :[FHL]*:*);; - :L* | :C*:*) as_fn_error $? 
"invalid tag \`$ac_tag'" "$LINENO" 5;; - :[FH]-) ac_tag=-:-;; - :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; - esac - ac_save_IFS=$IFS - IFS=: - set x $ac_tag - IFS=$ac_save_IFS - shift - ac_file=$1 - shift - - case $ac_mode in - :L) ac_source=$1;; - :[FH]) - ac_file_inputs= - for ac_f - do - case $ac_f in - -) ac_f="$ac_tmp/stdin";; - *) # Look for the file first in the build tree, then in the source tree - # (if the path is not absolute). The absolute path cannot be DOS-style, - # because $ac_f cannot contain `:'. - test -f "$ac_f" || - case $ac_f in - [\\/$]*) false;; - *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; - esac || - as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; - esac - case $ac_f in *\'*) ac_f=`printf "%s\n" "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac - as_fn_append ac_file_inputs " '$ac_f'" - done - - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ - configure_input='Generated from '` - printf "%s\n" "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' - `' by configure.' - if test x"$ac_file" != x-; then - configure_input="$ac_file. $configure_input" - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 -printf "%s\n" "$as_me: creating $ac_file" >&6;} - fi - # Neutralize special characters interpreted by sed in replacement strings. - case $configure_input in #( - *\&* | *\|* | *\\* ) - ac_sed_conf_input=`printf "%s\n" "$configure_input" | - sed 's/[\\\\&|]/\\\\&/g'`;; #( - *) ac_sed_conf_input=$configure_input;; - esac - - case $ac_tag in - *:-:* | *:-) cat >"$ac_tmp/stdin" \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; - esac - ;; - esac - - ac_dir=`$as_dirname -- "$ac_file" || -$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_file" : 'X\(//\)[^/]' \| \ - X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| . 
2>/dev/null || -printf "%s\n" X"$ac_file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - as_dir="$ac_dir"; as_fn_mkdir_p - ac_builddir=. - -case "$ac_dir" in -.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; -*) - ac_dir_suffix=/`printf "%s\n" "$ac_dir" | sed 's|^\.[\\/]||'` - # A ".." for each directory in $ac_dir_suffix. - ac_top_builddir_sub=`printf "%s\n" "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` - case $ac_top_builddir_sub in - "") ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; - esac ;; -esac -ac_abs_top_builddir=$ac_pwd -ac_abs_builddir=$ac_pwd$ac_dir_suffix -# for backward compatibility: -ac_top_builddir=$ac_top_build_prefix - -case $srcdir in - .) # We are building in place. - ac_srcdir=. - ac_top_srcdir=$ac_top_builddir_sub - ac_abs_top_srcdir=$ac_pwd ;; - [\\/]* | ?:[\\/]* ) # Absolute name. - ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir - ac_abs_top_srcdir=$srcdir ;; - *) # Relative name. - ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_build_prefix$srcdir - ac_abs_top_srcdir=$ac_pwd/$srcdir ;; -esac -ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix - - - case $ac_mode in - :F) - # - # CONFIG_FILE - # - -_ACEOF - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -# If the template does not know about datarootdir, expand it. -# FIXME: This hack should be removed a few years after 2.60. 
-ac_datarootdir_hack=; ac_datarootdir_seen= -ac_sed_dataroot=' -/datarootdir/ { - p - q -} -/@datadir@/p -/@docdir@/p -/@infodir@/p -/@localedir@/p -/@mandir@/p' -case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in -*datarootdir*) ac_datarootdir_seen=yes;; -*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 -printf "%s\n" "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - ac_datarootdir_hack=' - s&@datadir@&$datadir&g - s&@docdir@&$docdir&g - s&@infodir@&$infodir&g - s&@localedir@&$localedir&g - s&@mandir@&$mandir&g - s&\\\${datarootdir}&$datarootdir&g' ;; -esac -_ACEOF - -# Neutralize VPATH when `$srcdir' = `.'. -# Shell code in configure.ac might set extrasub. -# FIXME: do we really want to maintain this feature? -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -ac_sed_extra="$ac_vpsub -$extrasub -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -:t -/@[a-zA-Z_][a-zA-Z_0-9]*@/!b -s|@configure_input@|$ac_sed_conf_input|;t t -s&@top_builddir@&$ac_top_builddir_sub&;t t -s&@top_build_prefix@&$ac_top_build_prefix&;t t -s&@srcdir@&$ac_srcdir&;t t -s&@abs_srcdir@&$ac_abs_srcdir&;t t -s&@top_srcdir@&$ac_top_srcdir&;t t -s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t -s&@builddir@&$ac_builddir&;t t -s&@abs_builddir@&$ac_abs_builddir&;t t -s&@abs_top_builddir@&$ac_abs_top_builddir&;t t -$ac_datarootdir_hack -" -eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ - >$ac_tmp/out || as_fn_error $? 
"could not create $ac_file" "$LINENO" 5 - -test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && - { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && - { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ - "$ac_tmp/out"`; test -z "$ac_out"; } && - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' -which seems to be undefined. Please make sure it is defined" >&5 -printf "%s\n" "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' -which seems to be undefined. Please make sure it is defined" >&2;} - - rm -f "$ac_tmp/stdin" - case $ac_file in - -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; - *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; - esac \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - ;; - :H) - # - # CONFIG_HEADER - # - if test x"$ac_file" != x-; then - { - printf "%s\n" "/* $configure_input */" >&1 \ - && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" - } >"$ac_tmp/config.h" \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 -printf "%s\n" "$as_me: $ac_file is unchanged" >&6;} - else - rm -f "$ac_file" - mv "$ac_tmp/config.h" "$ac_file" \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - fi - else - printf "%s\n" "/* $configure_input */" >&1 \ - && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ - || as_fn_error $? "could not create -" "$LINENO" 5 - fi - ;; - - - esac - -done # for ac_tag - - -as_fn_exit 0 -_ACEOF -ac_clean_files=$ac_clean_files_save - -test $ac_write_fail = 0 || - as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 - - -# configure is writing to config.log, and then calls config.status. -# config.status does its own redirection, appending to config.log. 
-# Unfortunately, on DOS this fails, as config.log is still kept open -# by configure, so config.status won't be able to write to it; its -# output is simply discarded. So we exec the FD to /dev/null, -# effectively closing config.log, so it can be properly (re)opened and -# appended to by config.status. When coming back to configure, we -# need to make the FD available again. -if test "$no_create" != yes; then - ac_cs_success=: - ac_config_status_args= - test "$silent" = yes && - ac_config_status_args="$ac_config_status_args --quiet" - exec 5>/dev/null - $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false - exec 5>>config.log - # Use ||, not &&, to avoid exiting from the if with $? = 1, which - # would make configure fail if this is the last instruction. - $ac_cs_success || as_fn_exit 1 -fi -if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 -printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} -fi - - diff --git a/src/modules/rlm_radutmp/configure.ac b/src/modules/rlm_radutmp/configure.ac deleted file mode 100644 index 80bde8747d3..00000000000 --- a/src/modules/rlm_radutmp/configure.ac +++ /dev/null @@ -1,18 +0,0 @@ -AC_PREREQ([2.71]) -AC_INIT -AC_CONFIG_SRCDIR([rlm_radutmp.c]) -AC_REVISION($Revision$) -FR_INIT_MODULE([rlm_radutmp], [ability to maintain utmp-style sessions]) - -FR_MODULE_START_TESTS - -AC_CHECK_HEADERS(sys/mman.h) - -FR_MODULE_END_TESTS([nostrict]) - -AC_SUBST(mod_ldflags) -AC_SUBST(mod_cflags) - -AC_CONFIG_HEADER([config.h]) -AC_CONFIG_FILES([all.mk]) -AC_OUTPUT diff --git a/src/modules/rlm_radutmp/rlm_radutmp.c b/src/modules/rlm_radutmp/rlm_radutmp.c deleted file mode 100644 index e5186eb149a..00000000000 --- a/src/modules/rlm_radutmp/rlm_radutmp.c +++ /dev/null 
@@ -1,595 +0,0 @@ -/* - * This program is is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA - */ - -/** - * $Id$ - * @file rlm_radutmp.c - * @brief Tracks sessions. - * - * @copyright 2000-2013 The FreeRADIUS server project - */ -RCSID("$Id$") - -#include -#include -#include -#include -#include - -#include - -#include "config.h" - -#define LOCK_LEN sizeof(struct radutmp) - -static char const porttypes[] = "ASITX"; - -/* - * used for caching radutmp lookups in the accounting component. 
- */ -typedef struct nas_port_s NAS_PORT; -struct nas_port_s { - uint32_t nasaddr; - uint16_t port; - off_t offset; - NAS_PORT *next; -}; - -typedef struct { - NAS_PORT *nas_port_list; -} rlm_radutmp_mutable_t; - -typedef struct { - rlm_radutmp_mutable_t *mutable; - bool check_nas; - mode_t permission; - bool caller_id_ok; -} rlm_radutmp_t; - -typedef struct { - fr_value_box_t filename; - fr_value_box_t username; -} rlm_radutmp_env_t; - -static const conf_parser_t module_config[] = { - { FR_CONF_OFFSET("check_with_nas", rlm_radutmp_t, check_nas), .dflt = "yes" }, - { FR_CONF_OFFSET("permissions", rlm_radutmp_t, permission), .dflt = "0644", .func = cf_parse_permissions }, - { FR_CONF_OFFSET("caller_id", rlm_radutmp_t, caller_id_ok), .dflt = "no" }, - CONF_PARSER_TERMINATOR -}; - -static const call_env_method_t method_env = { - FR_CALL_ENV_METHOD_OUT(rlm_radutmp_env_t), - .env = (call_env_parser_t[]) { - { FR_CALL_ENV_OFFSET("filename", FR_TYPE_STRING, CALL_ENV_FLAG_REQUIRED, rlm_radutmp_env_t, filename) }, - { FR_CALL_ENV_OFFSET("username", FR_TYPE_STRING, CALL_ENV_FLAG_REQUIRED, rlm_radutmp_env_t, username), - .pair.dflt = "%{User-Name}", .pair.dflt_quote = T_DOUBLE_QUOTED_STRING }, - CALL_ENV_TERMINATOR - } -}; - -static fr_dict_t const *dict_radius; - -extern fr_dict_autoload_t rlm_radutmp_dict[]; -fr_dict_autoload_t rlm_radutmp_dict[] = { - { .out = &dict_radius, .proto = "radius" }, - { NULL } -}; - -static fr_dict_attr_t const *attr_acct_delay_time; -static fr_dict_attr_t const *attr_acct_session_id; -static fr_dict_attr_t const *attr_acct_session_time; -static fr_dict_attr_t const *attr_acct_status_type; -static fr_dict_attr_t const *attr_calling_station_id; -static fr_dict_attr_t const *attr_framed_ip_address; -static fr_dict_attr_t const *attr_framed_protocol; -static fr_dict_attr_t const *attr_login_ip_host; -static fr_dict_attr_t const *attr_nas_ip_address; -static fr_dict_attr_t const *attr_nas_port; -static fr_dict_attr_t const *attr_nas_port_type; - 
-extern fr_dict_attr_autoload_t rlm_radutmp_dict_attr[]; -fr_dict_attr_autoload_t rlm_radutmp_dict_attr[] = { - { .out = &attr_acct_delay_time, .name = "Acct-Delay-Time", .type = FR_TYPE_UINT32, .dict = &dict_radius }, - { .out = &attr_acct_session_id, .name = "Acct-Session-Id", .type = FR_TYPE_STRING, .dict = &dict_radius }, - { .out = &attr_acct_session_time, .name = "Acct-Session-Time", .type = FR_TYPE_UINT32, .dict = &dict_radius }, - { .out = &attr_acct_status_type, .name = "Acct-Status-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius }, - { .out = &attr_calling_station_id, .name = "Calling-Station-Id", .type = FR_TYPE_STRING, .dict = &dict_radius }, - { .out = &attr_framed_ip_address, .name = "Framed-IP-Address", .type = FR_TYPE_IPV4_ADDR, .dict = &dict_radius }, - { .out = &attr_framed_protocol, .name = "Framed-Protocol", .type = FR_TYPE_UINT32, .dict = &dict_radius }, - { .out = &attr_login_ip_host, .name = "Login-IP-Host", .type = FR_TYPE_IPV4_ADDR, .dict = &dict_radius }, - { .out = &attr_nas_ip_address, .name = "NAS-IP-Address", .type = FR_TYPE_IPV4_ADDR, .dict = &dict_radius }, - { .out = &attr_nas_port, .name = "NAS-Port", .type = FR_TYPE_UINT32, .dict = &dict_radius }, - { .out = &attr_nas_port_type, .name = "NAS-Port-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius }, - { NULL } -}; - -/* - * Zap all users on a NAS from the radutmp file. - */ -static unlang_action_t radutmp_zap(rlm_rcode_t *p_result, request_t *request, char const *filename, uint32_t nasaddr, time_t t) -{ - struct radutmp u; - int fd; - - if (t == 0) time(&t); - - fd = open(filename, O_RDWR); - if (fd < 0) { - REDEBUG("Error accessing file %s: %s", filename, fr_syserror(errno)); - RETURN_MODULE_FAIL; - } - - /* - * Lock the utmp file, prefer lockf() over flock(). 
- */ - if (rad_lockfd(fd, LOCK_LEN) < 0) { - REDEBUG("Failed to acquire lock on file %s: %s", filename, fr_syserror(errno)); - close(fd); - RETURN_MODULE_FAIL; - } - - /* - * Find the entry for this NAS / portno combination. - */ - while (read(fd, &u, sizeof(u)) == sizeof(u)) { - if ((nasaddr != 0 && nasaddr != u.nas_address) || u.type != P_LOGIN) { - continue; - } - /* - * Match. Zap it. - */ - if (lseek(fd, -(off_t)sizeof(u), SEEK_CUR) < 0) { - REDEBUG("radutmp_zap: negative lseek!"); - lseek(fd, (off_t)0, SEEK_SET); - } - u.type = P_IDLE; - u.time = t; - - if (write(fd, &u, sizeof(u)) < 0) { - REDEBUG("Failed writing: %s", fr_syserror(errno)); - - close(fd); - RETURN_MODULE_FAIL; - } - } - close(fd); /* and implicitly release the locks */ - - RETURN_MODULE_OK; -} - -/* - * Lookup a NAS_PORT in the nas_port_list - */ -static NAS_PORT *nas_port_find(NAS_PORT *nas_port_list, uint32_t nasaddr, uint16_t port) -{ - NAS_PORT *cl; - - for(cl = nas_port_list; cl; cl = cl->next) { - if (nasaddr == cl->nasaddr && - port == cl->port) - break; - } - - return cl; -} - - -/* - * Store logins in the RADIUS utmp file. - */ -static unlang_action_t CC_HINT(nonnull) mod_accounting(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request) -{ - rlm_radutmp_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_radutmp_t); - rlm_radutmp_env_t *env = talloc_get_type_abort(mctx->env_data, rlm_radutmp_env_t); - rlm_rcode_t rcode = RLM_MODULE_OK; - struct radutmp ut, u; - fr_pair_t *vp; - int status = -1; - int protocol = -1; - time_t t; - int fd = -1; - bool port_seen = false; - int off; - char ip_name[INET_ADDRSTRLEN]; /* 255.255.255.255 */ - char const *nas; - NAS_PORT *cache; - int r; - fr_client_t *client; - - if (request->dict != dict_radius) RETURN_MODULE_NOOP; - - if (request->packet->socket.inet.src_ipaddr.af != AF_INET) { - RDEBUG2("IPv6 not supported!"); - RETURN_MODULE_NOOP; - } - - /* - * Which type is this. 
- */ - if ((vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_acct_status_type)) == NULL) { - RDEBUG2("No Accounting-Status-Type record"); - RETURN_MODULE_NOOP; - } - status = vp->vp_uint32; - - /* - * Look for weird reboot packets. - * - * ComOS (up to and including 3.5.1b20) does not send - * standard FR_STATUS_ACCOUNTING_XXX messages. - * - * Check for: o no Acct-Session-Time, or time of 0 - * o Acct-Session-Id of "00000000". - * - * We could also check for NAS-Port, that attribute - * should NOT be present (but we don't right now). - */ - if ((status != FR_STATUS_ACCOUNTING_ON) && - (status != FR_STATUS_ACCOUNTING_OFF)) do { - int check1 = 0; - int check2 = 0; - - if ((vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_acct_session_time)) - == NULL || vp->vp_uint32 == 0) - check1 = 1; - if ((vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_acct_session_id)) - != NULL && vp->vp_length == 8 && - memcmp(vp->vp_strvalue, "00000000", 8) == 0) - check2 = 1; - if (check1 == 0 || check2 == 0) { - break; - } - RIDEBUG("Converting reboot records"); - if (status == FR_STATUS_STOP) status = FR_STATUS_ACCOUNTING_OFF; - else if (status == FR_STATUS_START) status = FR_STATUS_ACCOUNTING_ON; - } while(0); - - time(&t); - memset(&ut, 0, sizeof(ut)); - ut.porttype = 'A'; - ut.nas_address = htonl(INADDR_NONE); - - /* - * First, find the interesting attributes. 
- */ - for (vp = fr_pair_list_head(&request->request_pairs); - vp; - vp = fr_pair_list_next(&request->request_pairs, vp)) { - if ((vp->da == attr_login_ip_host) || - (vp->da == attr_framed_ip_address)) { - ut.framed_address = vp->vp_ipv4addr; - } else if (vp->da == attr_framed_protocol) { - protocol = vp->vp_uint32; - } else if (vp->da == attr_nas_ip_address) { - ut.nas_address = vp->vp_ipv4addr; - } else if (vp->da == attr_nas_port) { - ut.nas_port = vp->vp_uint32; - port_seen = true; - } else if (vp->da == attr_acct_delay_time) { - ut.delay = vp->vp_uint32; - } else if (vp->da == attr_acct_session_id) { - /* - * If length > 8, only store the - * last 8 bytes. - */ - off = vp->vp_length - sizeof(ut.session_id); - /* - * Ascend is br0ken - it adds a \0 - * to the end of any string. - * Compensate. - */ - if ((vp->vp_length > 0) && (vp->vp_strvalue[vp->vp_length - 1] == 0)) off--; - if (off < 0) off = 0; - memcpy(ut.session_id, vp->vp_strvalue + off, sizeof(ut.session_id)); - } else if (vp->da == attr_nas_port_type) { - if (vp->vp_uint32 <= 4) ut.porttype = porttypes[vp->vp_uint32]; - } else if (vp->da == attr_calling_station_id) { - if (inst->caller_id_ok) strlcpy(ut.caller_id, vp->vp_strvalue, sizeof(ut.caller_id)); - } - } - - /* - * If we didn't find out the NAS address, use the - * originator's IP address. - */ - if (ut.nas_address == htonl(INADDR_NONE)) { - client = client_from_request(request); - if (!client) goto no_client; - - ut.nas_address = request->packet->socket.inet.src_ipaddr.addr.v4.s_addr; - nas = client->shortname; - - } else if (request->packet->socket.inet.src_ipaddr.addr.v4.s_addr == ut.nas_address) { /* might be a client, might not be. */ - client = client_from_request(request); - if (!client) goto no_client; - - nas = client->shortname; - /* - * The NAS isn't a client, it's behind - * a proxy server. In that case, just - * get the IP address. 
- */ - } else { - no_client: - nas = inet_ntop(AF_INET, &ut.nas_address, ip_name, sizeof(ip_name)); - } - - /* - * Set the protocol field. - */ - if (protocol == FR_PPP) { - ut.proto = 'P'; - } else if (protocol == FR_SLIP) { - ut.proto = 'S'; - } else { - ut.proto = 'T'; - } - - ut.time = t - ut.delay; - - /* - * See if this was a reboot. - * - * Hmm... we may not want to zap all of the users when the NAS comes up, because of issues with receiving - * UDP packets out of order. - */ - if (status == FR_STATUS_ACCOUNTING_ON && (ut.nas_address != htonl(INADDR_NONE))) { - RIDEBUG("NAS %s restarted (Accounting-On packet seen)", nas); - radutmp_zap(&rcode, request, env->filename.vb_strvalue, ut.nas_address, ut.time); - - goto finish; - } - - if (status == FR_STATUS_ACCOUNTING_OFF && (ut.nas_address != htonl(INADDR_NONE))) { - RIDEBUG("NAS %s rebooted (Accounting-Off packet seen)", nas); - radutmp_zap(&rcode, request, env->filename.vb_strvalue, ut.nas_address, ut.time); - - goto finish; - } - - /* - * If we don't know this type of entry pretend we succeeded. - */ - if (status != FR_STATUS_START && status != FR_STATUS_STOP && status != FR_STATUS_ALIVE) { - REDEBUG("NAS %s port %u unknown packet type %d)", nas, ut.nas_port, status); - rcode = RLM_MODULE_NOOP; - - goto finish; - } - - /* - * Copy the expanded username to the radutmp structure - */ - strlcpy(ut.login, env->username.vb_strvalue, RUT_NAMESIZE); - - /* - * Perhaps we don't want to store this record into - * radutmp. We skip records: - * - * - without a NAS-Port (telnet / tcp access) - * - with the username "!root" (console admin login) - */ - if (!port_seen) { - RWDEBUG2("No NAS-Port seen. Cannot do anything. Checkrad will probably not work!"); - rcode = RLM_MODULE_NOOP; - - goto finish; - } - - if (strncmp(ut.login, "!root", RUT_NAMESIZE) == 0) { - RDEBUG2("Not recording administrative user"); - rcode = RLM_MODULE_NOOP; - - goto finish; - } - - /* - * Enter into the radutmp file. 
- */ - fd = open(env->filename.vb_strvalue, O_RDWR|O_CREAT, inst->permission); - if (fd < 0) { - REDEBUG("Error accessing file %pV: %s", &env->filename, fr_syserror(errno)); - rcode = RLM_MODULE_FAIL; - - goto finish; - } - - /* - * Lock the utmp file, prefer lockf() over flock(). - */ - if (rad_lockfd(fd, LOCK_LEN) < 0) { - REDEBUG("Error acquiring lock on %pV: %s", &env->filename, fr_syserror(errno)); - rcode = RLM_MODULE_FAIL; - - goto finish; - } - - /* - * Find the entry for this NAS / portno combination. - */ - if ((cache = nas_port_find(inst->mutable->nas_port_list, ut.nas_address, ut.nas_port)) != NULL) { - if (lseek(fd, (off_t)cache->offset, SEEK_SET) < 0) { - rcode = RLM_MODULE_FAIL; - goto finish; - } - } - - r = 0; - off = 0; - while (read(fd, &u, sizeof(u)) == sizeof(u)) { - off += sizeof(u); - if ((u.nas_address != ut.nas_address) || (u.nas_port != ut.nas_port)) { - continue; - } - - /* - * Don't compare stop records to unused entries. - */ - if (status == FR_STATUS_STOP && u.type == P_IDLE) { - continue; - } - - if ((status == FR_STATUS_STOP) && strncmp(ut.session_id, u.session_id, sizeof(u.session_id)) != 0) { - /* - * Don't complain if this is not a - * login record (some clients can - * send _only_ logout records). - */ - if (u.type == P_LOGIN) { - RWDEBUG("Logout entry for NAS %s port %u has wrong ID", nas, u.nas_port); - } - - r = -1; - break; - } - - if ((status == FR_STATUS_START) && strncmp(ut.session_id, u.session_id, sizeof(u.session_id)) == 0 && - u.time >= ut.time) { - if (u.type == P_LOGIN) { - RIDEBUG("Login entry for NAS %s port %u duplicate", nas, u.nas_port); - r = -1; - break; - } - - RWDEBUG("Login entry for NAS %s port %u wrong order", nas, u.nas_port); - r = -1; - break; - } - - /* - * FIXME: the ALIVE record could need some more checking, but anyway I'd - * rather rewrite this mess -- miquels. 
- */ - if ((status == FR_STATUS_ALIVE) && strncmp(ut.session_id, u.session_id, sizeof(u.session_id)) == 0 && - u.type == P_LOGIN) { - /* - * Keep the original login time. - */ - ut.time = u.time; - } - - if (lseek(fd, -(off_t)sizeof(u), SEEK_CUR) < 0) { - RWDEBUG("negative lseek!"); - lseek(fd, (off_t)0, SEEK_SET); - off = 0; - } else { - off -= sizeof(u); - } - - r = 1; - break; - } /* read the file until we find a match */ - - /* - * Found the entry, do start/update it with - * the information from the packet. - */ - if ((r >= 0) && (status == FR_STATUS_START || status == FR_STATUS_ALIVE)) { - /* - * Remember where the entry was, because it's - * easier than searching through the entire file. - */ - if (!cache) { - cache = talloc_zero(inst->mutable, NAS_PORT); - if (cache) { - cache->nasaddr = ut.nas_address; - cache->port = ut.nas_port; - cache->offset = off; - cache->next = inst->mutable->nas_port_list; - inst->mutable->nas_port_list = cache; - } - } - - ut.type = P_LOGIN; - if (write(fd, &ut, sizeof(u)) < 0) { - REDEBUG("Failed writing: %s", fr_syserror(errno)); - - rcode = RLM_MODULE_FAIL; - goto finish; - } - } - - /* - * The user has logged off, delete the entry by - * re-writing it in place. - */ - if (status == FR_STATUS_STOP) { - if (r > 0) { - u.type = P_IDLE; - u.time = ut.time; - u.delay = ut.delay; - if (write(fd, &u, sizeof(u)) < 0) { - REDEBUG("Failed writing: %s", fr_syserror(errno)); - - rcode = RLM_MODULE_FAIL; - goto finish; - } - } else if (r == 0) { - RWDEBUG("Logout for NAS %s port %u, but no Login record", nas, ut.nas_port); - } - } - - finish: - - if (fd > -1) { - close(fd); /* and implicitly release the locks */ - } - - RETURN_MODULE_RCODE(rcode); -} - -static int mod_instantiate(module_inst_ctx_t const *mctx) -{ - rlm_radutmp_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_radutmp_t); - - /* - * Must be in the NULL ctx so it doesn't - * end up in a protected page. 
- */ - inst->mutable = talloc_zero(NULL, rlm_radutmp_mutable_t); - - return 0; -} - -static int mod_detach(module_detach_ctx_t const *mctx) -{ - rlm_radutmp_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_radutmp_t); - - talloc_free(inst->mutable); - - return 0; -} - -/* globally exported name */ -extern module_rlm_t rlm_radutmp; -module_rlm_t rlm_radutmp = { - .common = { - .magic = MODULE_MAGIC_INIT, - .name = "radutmp", - .flags = MODULE_TYPE_THREAD_UNSAFE, - .inst_size = sizeof(rlm_radutmp_t), - .config = module_config, - .instantiate = mod_instantiate, - .detach = mod_detach - }, - .method_group = { - .bindings = (module_method_binding_t[]){ - { .section = SECTION_NAME("accounting", CF_IDENT_ANY), .method = mod_accounting, .method_env = &method_env }, - MODULE_BINDING_TERMINATOR - } - } -}; diff --git a/src/modules/rlm_unix/README.md b/src/modules/rlm_unix/README.md index e7123dd58fb..839646c963b 100644 --- a/src/modules/rlm_unix/README.md +++ b/src/modules/rlm_unix/README.md @@ -7,5 +7,3 @@ ## Summary Retrieves a user's encrypted password from the local system and places it into the ``control.Crypt-Password`` attribute. The password is retrieved via the ``getpwent()`` and ``getspwent()`` system calls. - -When used for accounting, works in conjunction with rlm_radutmp to update the utmp database. diff --git a/src/modules/stable b/src/modules/stable index 9fd0f6208cb..dab951dc5c4 100644 --- a/src/modules/stable +++ b/src/modules/stable @@ -22,7 +22,6 @@ rlm_pap rlm_passwd rlm_perl rlm_python -rlm_radutmp rlm_redis rlm_rest rlm_sql diff --git a/src/tests/bin/all.mk b/src/tests/bin/all.mk index 58c115120f0..d141b90ddbd 100644 --- a/src/tests/bin/all.mk +++ b/src/tests/bin/all.mk @@ -7,7 +7,6 @@ FILES := \ radmin \ radsniff \ radsnmp \ - radwho \ rbmonkey \ rlm_redis_ippool_tool \ unit_test_attribute \ @@ -19,7 +18,6 @@ FILES := \ # radmin \ # radsniff \ # radsnmp \ -# radwho \ # ring_buffer_test \ # smbencrypt \ # unit_test_attribute \ 
@@ -41,7 +39,6 @@ radict.ARGS = -D $(top_srcdir)/share/dictionary User-Name
 radmin.ARGS = -h
 radsniff.ARGS = -D $(top_srcdir)/share/dictionary -h
 radsnmp.ARGS = -h
-radwho.ARGS = -h
 rlm_redis_ippool_tool.ARGS = -h
 unit_test_attribute.ARGS = -h
 unit_test_map.ARGS = -h
diff --git a/src/tests/modules/radutmp/all.mk b/src/tests/modules/radutmp/all.mk
deleted file mode 100644
index 03c386cfabd..00000000000
--- a/src/tests/modules/radutmp/all.mk
+++ /dev/null
@@ -1,3 +0,0 @@
-#
-# Test the radutmp module
-#
diff --git a/src/tests/modules/radutmp/module.conf b/src/tests/modules/radutmp/module.conf
deleted file mode 100644
index 7380793257b..00000000000
--- a/src/tests/modules/radutmp/module.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-radutmp {
- filename = $ENV{MODULE_TEST_DIR}radutmp
- username = %{User-Name}
- caller_id = yes
-}
-
-exec {
- wait = yes
- shell_escape = yes
- timeout = 1
- output_pairs = control
- program = "./build/bin/local/radwho -D share/dictionary -F $ENV{MODULE_TEST_DIR}/radutmp -u %{User-Name} -c -R"
-}
diff --git a/src/tests/modules/radutmp/test.attrs b/src/tests/modules/radutmp/test.attrs
deleted file mode 100644
index bc1528e9adf..00000000000
--- a/src/tests/modules/radutmp/test.attrs
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Input packet
-#
-Packet-Type = ::Access-Request
-User-Name = 'user0@example.org'
-NAS-Port = 17826193
-NAS-IP-Address = 192.0.2.10
-Calling-Station-Id = 00-11-22-33-44-55
-Framed-IP-Address = 198.51.100.59
-Acct-Status-Type = ::Start
-Acct-Delay-Time = 1
-Acct-Input-Octets = 0
-Acct-Output-Octets = 0
-Acct-Session-Id = '00000001'
-Acct-Session-Time = 0
-Acct-Input-Packets = 0
-Acct-Output-Packets = 0
-Acct-Input-Gigawords = 0
-Acct-Output-Gigawords = 0
-Event-Timestamp = 'Feb 1 2024 08:28:58 GMT'
-NAS-Port-Type = ::Ethernet
-NAS-Port-Id = 'port 001'
-Service-Type = ::Framed-User
-Framed-Protocol = ::PPP
-Idle-Timeout = 0
-Session-Timeout = 604800
-
-#
-# Expected answer
-#
-# There's not an Accounting-Failed packet type in RADIUS...
-#
-Packet-Type == ::Access-Accept
diff --git a/src/tests/modules/radutmp/test.unlang b/src/tests/modules/radutmp/test.unlang
deleted file mode 100644
index 57849d03010..00000000000
--- a/src/tests/modules/radutmp/test.unlang
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# Remove any historic radutmp file
-#
-%file.rm("$ENV{MODULE_TEST_DIR}/radutmp")
-
-#
-# Call the module in accounting context to record the user's session
-#
-radutmp.accounting
-
-if (!ok) {
- test_fail
-}
-
-#
-# Runs radwho to read back stored data as pairs into control
-#
-exec
-
-if !(NAS-Port == control.NAS-Port) {
- test_fail
-}
-
-#
-# Use an Interim-Update and different Framed-IP-Address to check record update
-#
-Framed-IP-Address := 10.0.10.100
-Acct-Status-Type := ::Interim-Update
-
-radutmp.accounting
-
-if (!ok) {
- test_fail
-}
-
-control := {}
-
-exec
-
-if !(Framed-IP-Address == control.Framed-IP-Address) {
- test_fail
-}
-
-#
-# Now use a Stop to clear the user's session
-#
-Acct-Status-Type := ::Stop
-
-radutmp.accounting
-
-if (!ok) {
- test_fail
-}
-
-control := {}
-
-exec
-
-if (control.NAS-Port) {
- test_fail
-}
-
-#
-# Tidy up
-#
-%file.rm("$ENV{MODULE_TEST_DIR}/radutmp")
-
-test_pass