diff --git a/freeradius-postgres-sql.patch b/freeradius-postgres-sql.patch
new file mode 100644
index 0000000..08cc706
--- /dev/null
+++ b/freeradius-postgres-sql.patch
@@ -0,0 +1,11 @@
+diff -r -u freeradius-server-2.1.12.orig/raddb/sql/postgresql/admin.sql freeradius-server-2.1.12.work/raddb/sql/postgresql/admin.sql
+--- freeradius-server-2.1.12.orig/raddb/sql/postgresql/admin.sql 2011-09-30 10:12:07.000000000 -0400
++++ freeradius-server-2.1.12.work/raddb/sql/postgresql/admin.sql 2012-02-28 13:16:36.329403383 -0500
+@@ -28,5 +28,5 @@
+ /*
+ * The server can write to the accounting and post-auth logging table.
+ */
+-GRANT ALL on radius.radacct TO radius;
+-GRANT ALL on radius.radpostauth TO radius;
++GRANT ALL on radacct TO radius;
++GRANT ALL on radpostauth TO radius;
diff --git a/freeradius-radeapclient-ipv6.patch b/freeradius-radeapclient-ipv6.patch
new file mode 100644
index 0000000..761b599
--- /dev/null
+++ b/freeradius-radeapclient-ipv6.patch
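Review bot: In the admin.sql hunk carried by freeradius-postgres-sql.patch, the two rewritten grants keep `GRANT ALL`, although the comment directly above them says the server only needs to write to the accounting and post-auth logging tables. On a PostgreSQL table ALL also covers DELETE and TRUNCATE, so a compromised or misconfigured server account could erase accounting and authentication records. Consider narrowing to what the configured queries actually use, presumably something like `GRANT SELECT, INSERT, UPDATE on radacct TO radius;` and `GRANT INSERT on radpostauth TO radius;` (confirm against the queries in use). With the `radius.` qualifier dropped, the grants apply to whichever tables the session's search_path resolves, so a comment saying the script must be run in the same database and schema as the table-creation script would help.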
@@ -0,0 +1,158 @@ +diff -r -u freeradius-server-2.1.12.orig/man/man1/radeapclient.1 freeradius-server-2.1.12.work/man/man1/radeapclient.1 +--- freeradius-server-2.1.12.orig/man/man1/radeapclient.1 2011-09-30 10:12:07.000000000 -0400 ++++ freeradius-server-2.1.12.work/man/man1/radeapclient.1 2012-02-28 11:11:46.023456307 -0500 +@@ -3,6 +3,8 @@ + radeapclient - send EAP packets to a RADIUS server, calculate responses + .SH SYNOPSIS + .B radeapclient ++.RB [ \-4 ] ++.RB [ \-6 ] + .RB [ \-c + .IR count ] + .RB [ \-d +@@ -27,7 +29,7 @@ + \fBradeapclient\fP is a radius client program. It can send arbitrary radius + packets to a radius server, then shows the reply. Radeapclient differs from + radclient in that if there is an EAP-MD5 challenge, then it will be responded +-to. ++to. + .PP + \fBradeapclient\fP is otherwise identical to \fBradclient\fP. + .PP +@@ -36,11 +38,15 @@ + .PP + .PP + The \fIEAP-MD5-Password\fP attribute, if present is used to respond to an +-MD5 challenge. ++MD5 challenge. + .PP + No other EAP types are currently supported. + + .SH OPTIONS ++.IP \-4 ++Use IPv4 (default) ++.IP \-6 ++Use IPv6 + .IP \-c\ \fIcount\fP + Send each packet \fIcount\fP times. + .IP \-d\ \fIraddb\fP +@@ -82,7 +88,7 @@ + echo 'EAP-Type-Identity = "bob"; + echo 'Message-Authenticator = 0x00'; + echo 'NAS-Port = 0' ) >req.txt +- ++ + radeapclient -x localhost auth testing123 dst_ipaddr; + port = packet->dst_port; + } +- ++ + /* + * Client-specific debugging re-prints the input + * packet into the client log. 
+@@ -975,15 +977,22 @@ + FILE *fp; + int count = 1; + int id; ++ int force_af = AF_UNSPEC; + + id = ((int)getpid() & 0xff); + fr_debug_flag = 0; + + radlog_dest = RADLOG_STDERR; + +- while ((c = getopt(argc, argv, "c:d:f:hi:qst:r:S:xXv")) != EOF) ++ while ((c = getopt(argc, argv, "46c:d:f:hi:qst:r:S:xXv")) != EOF) + { + switch(c) { ++ case '4': ++ force_af = AF_INET; ++ break; ++ case '6': ++ force_af = AF_INET6; ++ break; + case 'c': + if (!isdigit((int) *optarg)) + usage(); +@@ -1106,11 +1115,45 @@ + req->id = id; + + /* +- * Strip port from hostname if needed. ++ * Resolve hostname. + */ +- if ((p = strchr(argv[1], ':')) != NULL) { +- *p++ = 0; +- port = atoi(p); ++ if (force_af == AF_UNSPEC) force_af = AF_INET; ++ req->dst_ipaddr.af = force_af; ++ if (strcmp(argv[1], "-") != 0) { ++ const char *hostname = argv[1]; ++ const char *portname = argv[1]; ++ char buffer[256]; ++ ++ if (*argv[1] == '[') { /* IPv6 URL encoded */ ++ p = strchr(argv[1], ']'); ++ if ((size_t) (p - argv[1]) >= sizeof(buffer)) { ++ usage(); ++ } ++ ++ memcpy(buffer, argv[1] + 1, p - argv[1] - 1); ++ buffer[p - argv[1] - 1] = '\0'; ++ ++ hostname = buffer; ++ portname = p + 1; ++ ++ } ++ p = strchr(portname, ':'); ++ if (p && (strchr(p + 1, ':') == NULL)) { ++ *p = '\0'; ++ portname = p + 1; ++ } else { ++ portname = NULL; ++ } ++ ++ if (ip_hton(hostname, force_af, &req->dst_ipaddr) < 0) { ++ fprintf(stderr, "radclient: Failed to find IP address for host %s: %s\n", hostname, strerror(errno)); ++ exit(1); ++ } ++ ++ /* ++ * Strip port from hostname if needed. ++ */ ++ if (portname) port = atoi(portname); + } + + /* +@@ -1143,15 +1186,7 @@ + } else { + usage(); + } +- +- /* +- * Resolve hostname. +- */ + req->dst_port = port; +- if (ip_hton(argv[1], AF_INET, &req->dst_ipaddr) < 0) { +- fprintf(stderr, "radclient: Failed to find IP address for host %s\n", argv[1]); +- exit(1); +- } + + /* + * Add the secret. 
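Review bot: In the bracketed-address branch of the hostname hunk (inner hunk at +1115), the result of `strchr(argv[1], ']')` is used without a NULL check, so an argument that opens with `[` but has no closing `]` makes `p - argv[1]` arithmetic on a null pointer, which is undefined behavior. The length guard only catches this case by accident, and it also depends on `usage()` never returning; if it did return, the `memcpy` below would run with an out-of-range length. Suggest `if (!p || (size_t) (p - argv[1]) >= sizeof(buffer)) {` so the malformed form is rejected explicitly. Separately, `port = atoi(portname)` still accepts non-numeric or out-of-range text without complaint; `strtol` with a 1..65535 range check would be safer. The enclosing function starts and ends outside the hunk.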
diff --git a/freeradius-unix-passwd-expire.patch b/freeradius-unix-passwd-expire.patch
new file mode 100644
index 0000000..ee75c3a
--- /dev/null
+++ b/freeradius-unix-passwd-expire.patch
@@ -0,0 +1,39 @@
+--- freeradius-server-2.1.12.orig/src/modules/rlm_unix/rlm_unix.c 2011-09-30 10:12:07.000000000 -0400
++++ freeradius/freeradius-server/src/modules/rlm_unix/rlm_unix.c 2012-02-27 15:10:19.782821614 -0500
+@@ -274,9 +274,17 @@
+ /*
+ * Check if password has expired.
+ */
++ if (spwd && spwd->sp_lstchg > 0 && spwd->sp_max >= 0 &&
++ (request->timestamp / 86400) > (spwd->sp_lstchg + spwd->sp_max)) {
++ radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
++ return RLM_MODULE_REJECT;
++ }
++ /*
++ * Check if account has expired.
++ */
+ if (spwd && spwd->sp_expire > 0 &&
+ (request->timestamp / 86400) > spwd->sp_expire) {
+- radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
++ radlog_request(L_AUTH, 0, request, "[%s]: account has expired", name);
+ return RLM_MODULE_REJECT;
+ }
+ #endif
+@@ -363,7 +371,7 @@
+ if (fr_crypt_check((char *) request->password->vp_strvalue,
+ (char *) vp->vp_strvalue) != 0) {
+ radlog_request(L_AUTH, 0, request, "invalid password \"%s\"",
+- request->username->vp_strvalue);
++ request->password->vp_strvalue);
+ return RLM_MODULE_REJECT;
+ }
+ #endif /* OSFFIA */
+@@ -440,7 +448,7 @@
+ * Which type is this.
+ */
+ if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE))==NULL) {
+- radlog(L_ERR, "rlm_unix: no Accounting-Status-Type attribute in request.");
++ RDEBUG("no Accounting-Status-Type attribute in request.");
+ return RLM_MODULE_NOOP;
+ }
+ status = vp->vp_integer;
diff --git a/freeradius.spec b/freeradius.spec
index 329fb30..b14d8e7 100644
--- a/freeradius.spec
+++ b/freeradius.spec
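Review bot: The rlm_unix.c hunk at -363/+371 changes the argument of the `invalid password \"%s\"` message from `request->username->vp_strvalue` to `request->password->vp_strvalue`, so every rejected cleartext password is written to the auth log. A failed attempt is often a near-miss of the real password or a password for another system, which makes the log sensitive to anyone who can read or collect it. Nothing in the hunk ties this to the server's `auth_badpass` logging setting. Suggest keeping the user name and fixing the wording instead: `radlog_request(L_AUTH, 0, request, "invalid password for user \"%s\"",` followed by `request->username->vp_strvalue);`. The enclosing function starts and ends outside the hunk.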
@@ -1,7 +1,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius Version: 2.1.12 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ @@ -15,6 +15,9 @@ Source104: %{name}-tmpfiles.conf Patch1: freeradius-cert-config.patch Patch2: freeradius-radtest.patch Patch3: freeradius-man.patch +Patch4: freeradius-unix-passwd-expire.patch +Patch5: freeradius-radeapclient-ipv6.patch +Patch6: freeradius-postgres-sql.patch Obsoletes: freeradius-devel Obsoletes: freeradius-libs @@ -148,6 +151,10 @@ This plugin provides the unixODBC support for the FreeRADIUS server project. %patch1 -p1 -b .cert-config %patch2 -p1 -b .radtest %patch3 -p1 -b .man +%patch4 -p1 -b unix-passwd-expire +%patch5 -p1 -b radeapclient-ipv6 +%patch6 -p1 -b postgres-sql + # Some source files mistakenly have execute permissions set find $RPM_BUILD_DIR/freeradius-server-%{version} \( -name '*.c' -o -name '*.h' \) -a -perm /0111 -exec chmod a-x {} + @@ -162,6 +169,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic" --libdir=%{_libdir}/freeradius \ --with-system-libtool \ --disable-ltdl-install \ + --with-udpfromto \ --with-gnu-ld \ --with-threads \ --with-thread-pool \ @@ -590,6 +598,13 @@ exit 0 %{_libdir}/freeradius/rlm_sql_unixodbc-%{version}.so %changelog +* Tue Feb 28 2012 John Dennis - 2.1.12-6 + Fixing bugs in RHEL6 rebase, applying fixes here as well + resolves: bug#700870 freeradius not compiled with --with-udpfromto + resolves: bug#753764 shadow password expiration does not work + resolves: bug#712803 radtest script is not working with eap-md5 option + resolves: bug#690756 errors in raddb/sql/postgresql/admin.sql template + * Tue Feb 7 2012 John Dennis - 2.1.12-5 - resolves: bug#781877 (from RHEL5) rlm_dbm_parse man page misspelled - resolves: bug#760193 (from RHEL5) radtest PPPhint option is not parsed properly
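Review bot: The three `%patch` lines added in the %prep hunk pass the backup suffix without its leading dot (`-b unix-passwd-expire`), unlike the existing `-b .cert-config`, `-b .radtest` and `-b .man` lines just above. patch appends the suffix verbatim, so the backups are presumably named like `rlm_unix.cunix-passwd-expire` and `admin.sqlpostgres-sql`. Those names are harder to spot and to exclude than the dotted form, and it is worth checking that none of the ones created under raddb end up in the packaged files. Suggest `%patch4 -p1 -b .unix-passwd-expire`, `%patch5 -p1 -b .radeapclient-ipv6` and `%patch6 -p1 -b .postgres-sql`.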