Commit a4a5cc4a authored by Robert Dubner's avatar Robert Dubner

Added demonstration/test cabability

parent 5bcfcbe3
......@@ -81,10 +81,10 @@ certs/ca.pem:
# openssl x509 -noout -text -in certs/client.pem
rad: all
./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 18129 -m peap -s testing123 abel1 abel1
./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 18129 -m ttls -s testing123 abel1 abel1
./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 1812 -m peap -s testing123 testing password
./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 1812 -m ttls -s testing123 testing password
./radiusclient -d 256 -c $(CLIENT_CONF) -h 127.0.0.1 -p 18129 -m peap -s testing123 abel1 abel1
./radiusclient -d 256 -c $(CLIENT_CONF) -h 127.0.0.1 -p 18129 -m ttls -s testing123 abel1 abel1
./radiusclient -d 256 -c $(CLIENT_CONF) -h 127.0.0.1 -p 1812 -m peap -s testing123 testing password
./radiusclient -d 256 -c $(CLIENT_CONF) -h 127.0.0.1 -p 1812 -m ttls -s testing123 testing password
radd: all
gdb --args ./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 18129 -m peap -s testing123 abel1 abel1
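Review bot: The four new invocations hard-code `-d 256`, a magic number that only the header's `#define LDAP_DEBUG_STATS 0x0100` explains; a variable such as `DEBUG ?= 256` at the top of the Makefile and `-d $(DEBUG)` on each recipe line keeps the eight commands in step and lets `make rad DEBUG=-1` turn everything on. Because make echoes every recipe line, the shared secret and the passwords on these lines also land in any captured build log; prefixing the lines with `@`, or taking the values from make variables set outside the checked-in file, keeps them out of it. The `rad` target is cut at the hunk's edges.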
......@@ -780,6 +780,11 @@ initialize_SSL_CTX(const SSL_CONFIGURATION *conf)
if ( SSL_CTX_use_certificate_file(ctx, conf->certificate_file, conf->file_type ) != 1 )
{
report_tls_errors();
Debug( LDAP_DEBUG_ANY,
"%s(): "
"could not load certificate file \"%s\"\n",
__func__,
conf->certificate_file);
return NULL;
}
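Review bot: The new Debug() call formats conf->certificate_file with `%s`, which is undefined behaviour if that pointer is NULL; one of the sample configurations in this commit leaves `certificate_file` blank, so whether the loader turns an empty value into NULL or "" is worth confirming. A one-line guard keeps the log line safe either way: `conf->certificate_file ? conf->certificate_file : "(none)"`. Separately, if ctx was allocated earlier in initialize_SSL_CTX (the function's start is outside the hunk), returning NULL here without SSL_CTX_free(ctx) leaks it unless a caller or report_tls_errors() takes care of that.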
......@@ -83,6 +83,7 @@ typedef struct _SSL_CONFIGURATION
#define LDAP_DEBUG_TRACE 0x0001
#define LDAP_DEBUG_ARGS 0x0002
#define LDAP_DEBUG_BER 0x0010
#define LDAP_DEBUG_STATS 0x0100
#define LDAP_DEBUG_ANY -1
int LogTest(int debug_level);
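Review bot: The new prototype `int LogTest(int debug_level);` carries no comment, and this header is where the contract that the new -d option relies on should be stated. Suggest `/* Non-zero when the bits in debug_level are enabled in the process-wide desired_debug_level; LDAP_DEBUG_ANY (-1) presumably always matches. */`, with the bitmask semantics confirmed against the implementation, which is not in the visible hunks. The `extern int desired_debug_level;` declaration that main() adds at block scope would also belong here, so every translation unit shares one checked declaration.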
......@@ -477,7 +477,7 @@ send_request(CLIENT_STATE *state, const struct sockaddr_in *server_address)
printf( "%s(): Dubner is soft in the head\nSomehow we processed a "
"challenge without generating a fresh request\n",
__func__);
abort();
exit(1);
}
ssize_t rc = sendto(
request_socket,
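Review bot: `exit(1)` replaces abort() on an internal-invariant failure ("processed a challenge without generating a fresh request"), trading the core dump for a clean exit; if that is intended for the demo, prefer `exit(EXIT_FAILURE)` and send the diagnostic to stderr with `fprintf(stderr, ...)` so it stays separate from normal output when stdout is redirected. The same pattern appears in the hunk ending at L81 (the call that starts before L76 looks alike) and in main() at L154, L162, L170, L178 and L200, where `return 1` would read better as `return EXIT_FAILURE`. Terminating from inside send_request() and the other non-main functions also leaves callers no chance to clean up; returning an error code is the longer-term fix. send_request's body continues outside the hunk.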
......@@ -556,13 +556,13 @@ get_server_response(CLIENT_STATE *state, const struct sockaddr_in *server_addres
nominal_packet);
nominal_packet += 1;
Debug( LDAP_DEBUG_ANY,
Debug( LDAP_DEBUG_ARGS,
"%s(): recvfrom() received %d bytes\n",
__func__,
buffer_length);
if( buffer_length < 0 )
{
Debug( LDAP_DEBUG_ANY,
Debug( LDAP_DEBUG_ARGS,
"%s(): Error while receiving server's msg\n",
__func__);
return -1;
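Review bot: The recvfrom() failure path at L62-63 is demoted from LDAP_DEBUG_ANY to LDAP_DEBUG_ARGS, so a real socket error that makes get_server_response return -1 is invisible at the default debug level 0; only the successful-receive trace at L56 is noise. Keep the error at ANY and include the cause, e.g. `Debug( LDAP_DEBUG_ANY, "%s(): recvfrom() failed: %s\n", __func__, strerror(errno));` (needs <string.h>/<errno.h>, and errno must be read before anything else can clobber it). The same demotion is made for the zero-length case in the hunk ending at L74; if request_socket is a UDP socket (the sendto() with a sockaddr_in at L50 suggests so), a zero-length recvfrom() is an empty datagram rather than an orderly shutdown, so that message's wording is misleading as well. get_server_response starts and continues outside these hunks.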
......@@ -570,7 +570,7 @@ get_server_response(CLIENT_STATE *state, const struct sockaddr_in *server_addres
if( buffer_length == 0 )
{
Debug( LDAP_DEBUG_ANY,
Debug( LDAP_DEBUG_ARGS,
"%s(): recvfrom reports orderly shutdown\n",
__func__);
return 0;
......@@ -885,7 +885,7 @@ process_the_received_packet(CLIENT_STATE *state)
"count is %d bytes\n",
__func__,
state->expected_incoming_byte_count);
abort();
exit(1);
}
if( state->expected_incoming_byte_count )
......@@ -1364,7 +1364,7 @@ process_the_challenge(CLIENT_STATE *state)
{
type_text = eap_message_types[eap_in_ttls->Type].description;
}
Debug( LDAP_DEBUG_ANY,
Debug( LDAP_DEBUG_ARGS,
DPREFIX "%s(): We got an EAP_MESSAGE_TYPE "
"%s (%d) that we don't understand; sending Legacy NAK\n",
__func__,
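Review bot: Demoting the unknown-EAP-type branch to LDAP_DEBUG_ARGS (here and in the hunk ending at L126) hides a peer-behaviour anomaly at the default level: the client answers with a Legacy NAK and the only trace of why is gone unless ARGS is enabled. Since this branch reacts to data from the network rather than to a local state transition, keeping it at LDAP_DEBUG_ANY, or at a level the Makefile's `-d 256` (STATS) enables, seems more useful. The lookup `eap_message_types[eap_in_ttls->Type]` at L85 indexes with a value taken from the received packet; the condition guarding it starts before the hunk, so confirm it bounds-checks Type against the table size. process_the_challenge continues outside the hunk.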
......@@ -1439,7 +1439,7 @@ process_the_challenge(CLIENT_STATE *state)
Debug( LDAP_DEBUG_ARGS,
"%s(): We got an outer identity, and we don't know what to do\n",
__func__);
abort();
exit(1);
}
break;
}
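Review bot: A fatal path that is logged only at LDAP_DEBUG_ARGS and then calls exit(1) produces a silent exit at the default debug level 0, which the new -d option makes the normal case. The three such sites in this function (this hunk, and the hunks ending at L109 and L118 with "What now, LT?") should log at the error level: `Debug( LDAP_DEBUG_ANY,` in place of `Debug( LDAP_DEBUG_ARGS,` on L93, L102 and L111. process_the_challenge's switch continues outside these hunks.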
......@@ -1468,7 +1468,7 @@ process_the_challenge(CLIENT_STATE *state)
Debug( LDAP_DEBUG_ARGS,
"%s(): What now, LT?\n",
__func__);
abort();
exit(1);
}
}
break;
......@@ -1498,7 +1498,7 @@ process_the_challenge(CLIENT_STATE *state)
Debug( LDAP_DEBUG_ARGS,
"%s(): What now, LT?\n",
__func__);
abort();
exit(1);
}
}
break;
......@@ -1526,7 +1526,7 @@ process_the_challenge(CLIENT_STATE *state)
default:
{
Debug( LDAP_DEBUG_ANY,
Debug( LDAP_DEBUG_ARGS,
DPREFIX "%s(): We got an EAP_MESSAGE_TYPE "
"%s (%d) that we don't understand; sending Legacy NAK\n",
__func__,
......@@ -1629,7 +1629,9 @@ main(int argc, char *argv[])
const char *protocol = NULL;
int opt;
while ((opt = getopt(argc, argv, "vc:m:h:p:s:")) != -1)
extern int desired_debug_level;
desired_debug_level = 0;
while ((opt = getopt(argc, argv, "vc:m:h:p:s:d:")) != -1)
{
switch( opt )
{
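Review bot: `extern int desired_debug_level;` is declared at block scope inside main() at L131; the conventional place is the header this commit already extends with the LogTest prototype, so the defining translation unit and every user share one declaration the compiler can check. Moving it there also lets the block-scope `desired_debug_level = 0;` go, since a global of static storage duration is already zero-initialised, unless main() is meant to reset it on re-entry. main() continues outside the hunk.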
......@@ -1637,6 +1639,12 @@ main(int argc, char *argv[])
client_config = optarg;
break;
case 'd':
// Adjust decimal debug level. Like LDAP_DEBUG_xxx, but without
// any symbolic translation.
desired_debug_level = atoi(optarg);
break;
case 'h':
host = optarg;
break;
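Review bot: `desired_debug_level = atoi(optarg);` at L143 accepts any string: `-d foo` silently becomes 0 (all logging off) and an out-of-range value is undefined behaviour in atoi(). Parse with strtol() and reject trailing characters and ERANGE, as shown below; this needs <errno.h> and <limits.h>, and the port option (outside the hunk) presumably deserves the same treatment. main()'s option loop continues outside the hunk.
```c
                case 'd':
                    {
                        // Strict parse: reject trailing junk and out-of-range
                        // values instead of taking atoi()'s silent 0.
                        char *end = NULL;
                        errno = 0;
                        long level = strtol(optarg, &end, 10);
                        if( end == optarg || *end != '\0' || errno == ERANGE
                            || level < INT_MIN || level > INT_MAX )
                        {
                            fprintf(stderr, "%s: invalid debug level '%s'\n", argv[0], optarg);
                            return 1;
                        }
                        desired_debug_level = (int)level;
                        break;
                    }
                // … unchanged: remaining option cases …
```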
......@@ -1703,7 +1711,7 @@ main(int argc, char *argv[])
{
printf( "%s(): initialize_SSL_CTX failure\n",
__func__);
abort();
return 1;
}
CLIENT_STATE state_;
......@@ -1730,7 +1738,7 @@ main(int argc, char *argv[])
{
printf( "%s(): client initialize_comm_session failure\n",
__func__);
abort();
return 1;
}
// Let's set things up so that we can abort when waiting for input
......@@ -1746,7 +1754,7 @@ main(int argc, char *argv[])
{
printf( "There was trouble resolving the server address %s:%d\n",
host, port);
abort();
return 1;
}
int authentication_succeeded = 0;
......@@ -1762,7 +1770,7 @@ main(int argc, char *argv[])
{
printf( "There was trouble sending the initial request packet %s:%d\n",
host, port);
abort();
return 1;
}
// We will *always* get some kind of response to any properly-formed
......@@ -1782,12 +1790,10 @@ main(int argc, char *argv[])
switch( packet_code )
{
case PC_Access_Accept:
printf("We got back an Access-Accept\n");
keep_running = 0;
authentication_succeeded = 1;
break;
case PC_Access_Reject:
printf("We got back an Access-Reject\n");
keep_running = 0;
authentication_succeeded = 0;
break;
......@@ -1797,7 +1803,7 @@ main(int argc, char *argv[])
printf( "We got back a packet code %d, which we don't know how "
"to handle\n",
packet_code);
abort();
return 1;
break;
}
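Review bot: `break;` at L199 is unreachable now that the line before it is `return 1;`, and compilers with unreachable-code warnings enabled will flag it; drop the break. The enclosing switch starts outside the hunk.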
......@@ -194,7 +194,7 @@ comm_process(COMM_SESSION *session)
else if( handshake_ret == 1 )
{
// The handshake has been successful, so just fall through.
Debug( LDAP_DEBUG_ANY,
Debug( LDAP_DEBUG_ARGS,
"%s(): Handshake completed successfully\n",
__func__);
}
......@@ -205,10 +205,6 @@ comm_process(COMM_SESSION *session)
// the handshake hasn't completed yet, and we should go around and
// keep calling SSL_do_handshake()
int err = SSL_get_error(ssl, handshake_ret);
Debug( LDAP_DEBUG_ANY,
"%s(): SSL_get_error() returns %d\n",
__func__,
err);
switch( err )
{
......@@ -228,6 +224,10 @@ comm_process(COMM_SESSION *session)
default:
report_tls_errors();
// Debug( LDAP_DEBUG_ANY,
// "%s(): SSL_get_error() returns %d\n",
// __func__,
// err);
rc = 1;
break;
}
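Review bot: The commented-out Debug() block at L224-227 is dead code in the one branch where the value of `err` matters: the default case sets rc = 1, and report_tls_errors() presumably prints the OpenSSL error queue, but for SSL_ERROR_SYSCALL that queue can be empty and only err plus errno explain the failure. Either delete the four lines or make them live at the error level, e.g. `Debug( LDAP_DEBUG_ANY, "%s(): SSL_get_error() returns %d (errno %d)\n", __func__, err, saved_errno);` with errno captured before report_tls_errors() runs, since the unconditional trace removed in the hunk ending at L220 no longer covers this path. comm_process continues outside the hunk.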
!Makefile
*.log
testdir
*.txt
*.pcapng
client.conf
radiustls.conf
SLAPD = ~/repos/openldap/servers/slapd/.libs/slapd
DEBUG_LEVEL=-1
DEBUG_LEVEL= 4083 # Everything but LDAP_DEBUG_CONNS (8) and LDAP_DEBUG_ARGS(4)
DEBUG_LEVEL=0
DEBUG_LEVEL= 4087 # Everything but LDAP_DEBUG_CONNS (8); it cuts down on noise during debugging
DEBUG_LEVEL=STATS
all:
@echo "'make scratch' to build up the LDAP DIT from scratch"
.PHONY: scratch
scratch: testdir/openldap-data/data.mdb
testdir/openldap-data/data.mdb: slapd.conf renbud.ldif
# Make sure slapd isn't running
sudo pkill -KILL slapd || true
# Clear out the log files
rm -f slapd.log
rm -f debug.log
# Clear out the database directory completely:
rm -fr testdir
# Create the database directory:
mkdir -p testdir/openldap-data
# Launch SLAPD
LDAPNOINIT=1 /usr/local/libexec/slapd -h "ldap://127.0.0.1:3899/" -s 0 -f slapd.conf -d $(DEBUG_LEVEL) > slapd.log 2>&1 &
@echo "Waiting 1 second..."
sleep 1
# Do the initial database population:
ldapadd -H ldap://127.0.0.1:3899/ -x -D "cn=Manager,dc=renbud,dc=com" -w secret -f renbud.ldif
# Having built the DIT, shut down slapd; each test will start it again, because each
# test can have its own configuration file
sudo pkill -KILL slapd || true
.PHONY: kill
kill:
sudo pkill -KILL slapd || true
.PHONY: test
test: scratch
./test.scr
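Review bot: `SLAPD` is defined at L239 but the recipe at L260 runs the hard-coded `/usr/local/libexec/slapd`, so the variable is dead and the two paths can diverge silently; use `$(SLAPD)` in the recipe. The five `DEBUG_LEVEL=` lines at L240-244 assign the same variable, so only the last one (`STATS`) is effective; keep a single `DEBUG_LEVEL ?= ...` together with the comment that explains the bit values. `sudo pkill -KILL slapd` (L251, L267, L270) kills every slapd on the host, not only the one this Makefile started; recording the test instance's pid (`$!` after the background launch) and killing that one is safer, and the fixed `sleep 1` at L262 is a race that a short poll on the listening port would remove.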
Runs through numerous "should-succeed" and "should-fail" scenarios.
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC9Z54XfrrZ4MmD
rqESNeP0J8BvB2VUSWW7ZudnxnefwH0Ds0lneJ6nElurhB89YiEwBLZE3DVs/Imq
oDm6i3lXxTp8MQL9TMJCDsPnwKSlOoskTcE0sGs1DWNyZMzu4z+8rB59L1b/s/mE
C6A+XNH78+dTXlbJRA+uGjOt6VSRYP6CNVNFi0CrHcNYqzg6rhjrPeIARIBqsc7k
wqhxa77ylTlVx1HotWjCTVdW8M2vBXuS5nznE3pTa/uT1JWII8HeC1ikcXryywfJ
06y0GMG+Hf8XOEB2Fcr+eo7xejzsHpvOens5UCDcAaXd1EWLfhO+7PSO+08W8VFO
OMbiNMdrAgMBAAECggEAcYPefhpYBijw3VkV9AIUYspITMLT+hYbQJvF6K5MF5SX
2FXlknv6KguYoU0IJBPh7BOG4fJQmscoAvkQYDsjOHVePfxp3EHa0xhiVU1h4B0c
M1/egaOSPTOO/IppQGs2Ue+ePkzXCV1mF7uYCIg82ZIufAq4XNvLwf62Jm8HXjEH
5FUHpi4NO8hDGjfhBHp+v9H4RbCxAhGMHfx+SP9LXawjXy5bf1i9ieRkbH85cBXb
AEBhY8nQW+ZS47T0wVuE8OcqycJhhNGko1ZGH9jjMVFzn+cKqqYena5TP3hDLL2c
mfB01iz5nvMrmefwy21ff0R9kCesBefvjy94R9UN0QKBgQD3HFjB9SePA9T6ZEtu
5RxQdeYpMrRHJBuWzjrcnVyArL1VukRcGvLVYZaoIZ63ueeQc1lDVY3yx2YLxfb4
48g5oz+G7inNW717WCLDJ1Ic4NfjF4XJgPq9Gl/mpRu8eWbin6dPja1zXzkgJrps
kZgcKWYBEVgsUJp3eZQqqIG9VQKBgQDEN9qjdtvHYmVnmptWLZ6WtrJoY/ilFewl
gLLqSDg/+WGtpVQyu4xX120pz/k82KOt8qzZz2RrPHbh4dzg/zzfB2W3Po5pibx/
rRmW08JwmsN9Wb2Uf1b7dd8h2oxXuCbJzkqsTG1MrMLSgxsvhYSnFkbZ6Uz4r8Mt
eIQT4X5xvwKBgQDok0NuecBbuG2RpSfiHb0CdZTEnbZTZsaYr01zKqBPc0VYFFIW
pj57WrgjUlFB9rTdndMbrsBFCisfVZlXM3vV07IM2sd5QqkaGB/PsYh1KaHHWPJQ
bxaPOO2d9TQftduB3GXqWBwyBCOOASVg3b9echBRXPOx8cMQQ9uSMrq5aQKBgQCx
uKE4U2yG7/FG4Hr3mEQ+3+VBteK8q9mCskna92SzVQ4KuGdFuCdKXJ3MNEnbuaCu
6dFzSmv60P4gY3Gq/KNGoq2XRnq4zn9D6SX3PX+sfBC6VXDnslq3UbCzOf7JaMsB
F+78lhCdVRD0mLkj1rwqlnu/3ZbQ3Glcov6F/0SGgwKBgQDFZx7M3zm50EK/HMuU
0dgsZWb84Nj7dZFm+jElGBPY2JOeHB/KgaL+WQRbMUn/zdblD2XJyx1Ms6Bx/cY8
AyH3K8hTMnYH0F31ZiWQd+sN58CPvl0coGmO6rqEHh4uP4SM4Yetd/rPncRHJbA1
AckqiGutgyz/FcXaH7CoS5V2bg==
-----END PRIVATE KEY-----
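Review bot: L277-304 is an unencrypted PKCS#8 private key checked into the repository, with its certificate at L305-323; decoding the certificate's header suggests a self-signed CN=localhost certificate with a one-day validity in October 2021, so it appears to be a throwaway test pair, but committed key material outlives its purpose and ends up in every clone. Generate the pair in a make target (the top-level Makefile already has certificate targets, see the `certs/ca.pem:` context at L9) and add the key files to the .gitignore at L232-238, which currently lists only `*.log`, `*.txt`, `*.pcapng` and the two conf files. If the files are needed as fixtures, keep only the public certificate in the tree.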
-----BEGIN CERTIFICATE-----
MIIDCTCCAfGgAwIBAgIUWGbb01buvAGEd9lFh1VoAFFn+vkwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIxMTAxODE4MDAxMloXDTIxMTAx
OTE4MDAxMlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAvWeeF3662eDJg66hEjXj9CfAbwdlVEllu2bnZ8Z3n8B9
A7NJZ3iepxJbq4QfPWIhMAS2RNw1bPyJqqA5uot5V8U6fDEC/UzCQg7D58CkpTqL
JE3BNLBrNQ1jcmTM7uM/vKwefS9W/7P5hAugPlzR+/PnU15WyUQPrhozrelUkWD+
gjVTRYtAqx3DWKs4Oq4Y6z3iAESAarHO5MKocWu+8pU5VcdR6LVowk1XVvDNrwV7
kuZ85xN6U2v7k9SViCPB3gtYpHF68ssHydOstBjBvh3/FzhAdhXK/nqO8Xo87B6b
znp7OVAg3AGl3dRFi34Tvuz0jvtPFvFRTjjG4jTHawIDAQABo1MwUTAdBgNVHQ4E
FgQUPZ7tI9khNiqb8EA6sCQIOJhvf+8wHwYDVR0jBBgwFoAUPZ7tI9khNiqb8EA6
sCQIOJhvf+8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJ735
HbrAItSZGJmuqoHlfvh1gnaroOThqtmDYe5A3kZ5mXpG7RG9M3gs1w3k86OOBqMg
Fg+J1jtxKbAok/b5VEo8heY/rh3RF5HICRxge070K4L+vRnTEpSf6FiwAog/m3lq
zkbbkXVWRT9bKl8py04Pv3lG0kYMjlNAs1bUcqC5ghHpqIY2ZsFLhHroRnps375b
q7aUQDpuTQl3bCSgWWZ1iNSMAaiIGqcmQbGzWaerXW/9y//th3hPGokkTP0mr4tz
YHkJqEHh1cm36ZmPDbF+b/rrvKTNosSCZDkYRDaxWc9vfpGXmLLpnuO8zTWAvGYY
FuOXwCcsbVciiqfGgg==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
is_server No
tls_min_version TLS1_2_VERSION
tls_max_version TLS_MAX_VERSION
ca_path
ca_file certificates/CA.pem
certificate_file certificates/CLIENT.pem
private_key_file certificates/CLIENT.key
private_key_password whatever
verify_mode MODE
is_server No
tls_min_version TLS1_2_VERSION
tls_max_version TLS_MAX_VERSION
certificate_file
private_key_file
private_key_password
verify_mode MODE
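Review bot: Both sample configurations end with `verify_mode MODE`, which reads like an unsubstituted placeholder rather than a value; confirm that the config loader rejects an unknown verify_mode instead of falling back to no peer verification, since a silent fallback would turn certificate checking off for the demo without anyone noticing. `ca_path` with no value and the second file's blank `certificate_file` and `private_key_file` raise the same question of whether the parser distinguishes "unset" from "empty", which also decides whether initialize_SSL_CTX ever sees a NULL conf->certificate_file. A one-line comment at the top of each file saying which values are placeholders would make the intent explicit.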
all:
@echo "Hi!"
cp mod-ldap.original mod-ldap
sed -i '/port = 389/a \\tport = 3899' mod-ldap
sed -i "/identity = /a\ \tidentity = \'cn=Manager,dc=renbud,dc=com\'" mod-ldap
sed -i "/password = /a\ \tpassword = secret" mod-ldap
sed -i 's/dc=example,dc=org/dc=renbud,dc=com/g' mod-ldap
scp mod-ldap /usr/local/etc/raddb/mods-available/ldap
ln -f -s /usr/local/etc/raddb/mods-available/ldap /usr/local/etc/raddb/mods-enabled/ldap
# Disable ldap by uncommenting the following line
rm /usr/local/etc/raddb/mods-enabled/ldap
cp clients.conf.original clients.conf.mod
sed -i -e '$$aclient lap90a90 {' clients.conf.mod
sed -i -e '$$a\\tipaddr = 10.0.1.250' clients.conf.mod
sed -i -e '$$a\\tsecret = testing123' clients.conf.mod
sed -i -e '$$a\\trequire_message_authenticator = yes' clients.conf.mod
sed -i -e '$$a}' clients.conf.mod
cp clients.conf.mod /usr/local/etc/raddb/clients.conf
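Review bot: L351 `rm /usr/local/etc/raddb/mods-enabled/ldap` is live even though the comment at L350 says the ldap module is disabled by uncommenting it, so the symlink created at L349 is removed on every run and the module is never enabled; comment the line out (`# rm ...`) or move it to a separate target. `scp mod-ldap /usr/local/etc/raddb/mods-available/ldap` at L348 copies to a local path and can be `cp`, matching L343. The `sed -i` calls with `\\t` escapes and `$$a` appends assume GNU sed; a comment naming the target platform would save the next reader a surprise.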
Modules in Version 3
====================
As of Version 3, all of the modules have been placed in the
"mods-available/" directory. This practice follows that used by other
servers such as Nginx, Apache, etc. The "modules" directory should
not be used.
Modules are enabled by creating a file in the mods-enabled/ directory.
You can also create a soft-link from one directory to another::
$ cd raddb/mods-enabled
$ ln -s ../mods-available/foo
This will enable module "foo". Be sure that you have configured the
module correctly before enabling it, otherwise the server will not
start. You can verify the server configuration by running
"radiusd -XC".
A large number of modules are enabled by default. This allows the
server to work with the largest number of authentication protocols.
Please be careful when disabling modules. You will likely need to
edit the "sites-enabled/" files to remove references to any disabled
modules.
Conditional Modules
-------------------
Version 3 allows modules to be conditionally loaded. This is useful
when you want to have a virtual server which references a module, but
does not require it. Instead of editing the virtual server file, you
can just conditionally enable the module.
Modules are conditionally enabled by adding a "-" before their name in
a virtual server. For example, you can do::
server {
authorize {
...
ldap
-sql
...
}
}
This says "require the LDAP module, but use the SQL module only if it
is configured."
This feature is not very useful for production configurations. It is,
however, very useful for the default examples that ship with the
server.
Ignoring module
---------------
If you see this message::
Ignoring module (see raddb/mods-available/README.rst)
Then you are in the right place. Most of the time this message can be
ignored. The message can be fixed by finding the references to "-module"
in the virtual server, and deleting them.
Another way to fix it is to configure the module, as described above.
Simplification
--------------
Allowing conditional modules simplifies the default virtual servers
that are shipped with FreeRADIUS. This means that if you want to
enable LDAP (for example), you no longer need to edit the files in
raddb/sites-available/ in order to enable it.
Instead, you should edit the raddb/mods-available/ldap file to point
to your local LDAP server. Then, enable the module via the soft-link
method described above.
Once the module is enabled, it will automatically be used in the
default configuration.
Multiple Instances
------------------
It is sometimes necessary to have the same module do two different
things. The server supports this functionality via "instances" of
modules.
Normally, a module configuration looks like this:
sql {
... sql stuff ...
}
This module is then refereed to as the "sql" module.
But what happens if you want to connect to two different SQL
databases? The solution is simple; copy the "sql" module
configuration, and add an instance name after the "sql" string:
sql mysql1 {
... configuration for connecting to mysql11 ...
}
sql mysql2 {
... configuration for connecting to mysql12 ...
}
This configuration says "load the SQL module, but create two copies of
it, with different configurations". The different configurations can
be referred to by name, as "mysql1" and "mysql2". That is, anywhere
you would normally use "sql", you could use either "mysql1" or
"mysql2".
For further examples of using module instances, see the "attr_filter"
module configuration in this directory.