From eeb70b280594307c702aca0b0f1ef4973136d3d8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Fri, 10 Jul 2020 01:39:24 +0000
Subject: [PATCH] import freeradius-3.0.20-1.module+el8.3.0+6967+0ef5980f
---
.freeradius.metadata | 1 +
.gitignore | 1 +
...nfiguration-to-fit-Red-Hat-specifics.patch | 60 +
...-Use-system-crypto-policy-by-default.patch | 86 +
.../freeradius-bootstrap-create-only.patch | 103 +
...ixes-to-python3-module-since-v3.0.20.patch | 1955 +++++++++++++
SOURCES/freeradius-logrotate | 57 +
.../freeradius-no-buildtime-cert-gen.patch | 104 +
SOURCES/freeradius-pam-conf | 6 +
SOURCES/freeradius-tmpfiles.conf | 1 +
SOURCES/radiusd.service | 15 +
SPECS/freeradius.spec | 2437 +++++++++++++++++
12 files changed, 4826 insertions(+)
create mode 100644 .freeradius.metadata
create mode 100644 .gitignore
create mode 100644 SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
create mode 100644 SOURCES/freeradius-Use-system-crypto-policy-by-default.patch
create mode 100644 SOURCES/freeradius-bootstrap-create-only.patch
create mode 100644 SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch
create mode 100644 SOURCES/freeradius-logrotate
create mode 100644 SOURCES/freeradius-no-buildtime-cert-gen.patch
create mode 100644 SOURCES/freeradius-pam-conf
create mode 100644 SOURCES/freeradius-tmpfiles.conf
create mode 100644 SOURCES/radiusd.service
create mode 100644 SPECS/freeradius.spec
diff --git a/.freeradius.metadata b/.freeradius.metadata
new file mode 100644
index 0000000..69b8b0b
--- /dev/null
+++ b/.freeradius.metadata
@@ -0,0 +1 @@
+3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..87a728a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/freeradius-server-3.0.20.tar.bz2
diff --git a/SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch b/SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
new file mode 100644
index 0000000..6b2329b
--- /dev/null
+++ b/SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
@@ -0,0 +1,60 @@
+From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov
+Date: Mon, 8 Sep 2014 12:32:13 +0300
+Subject: [PATCH] Adjust configuration to fit Red Hat specifics
+
+---
+ raddb/mods-available/eap | 4 ++--
+ raddb/radiusd.conf.in | 7 +++----
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 2621e183c..94494b2c6 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -533,7 +533,7 @@
+ # You should also delete all of the files
+ # in the directory when the server starts.
+ #
+- # tmpdir = /tmp/radiusd
++ # tmpdir = /var/run/radiusd/tmp
+
+ # The command used to verify the client cert.
+ # We recommend using the OpenSSL command-line
+@@ -548,7 +548,7 @@
+ # deleted by the server when the command
+ # returns.
+ #
+- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
++ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ }
+
+ # OCSP Configuration
+diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
+index a83c1f687..e500cf97b 100644
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
+ cadir = ${confdir}/certs
+ run_dir = ${localstatedir}/run/${name}
+
+-# Should likely be ${localstatedir}/lib/radiusd
+-db_dir = ${raddbdir}
++db_dir = ${localstatedir}/lib/radiusd
+
+ #
+ # libdir: Where to find the rlm_* modules.
+@@ -398,8 +397,8 @@ security {
+ # member. This can allow for some finer-grained access
+ # controls.
+ #
+-# user = radius
+-# group = radius
++ user = radiusd
++ group = radiusd
+
+ # Core dumps are a bad thing. This should only be set to
+ # 'yes' if you're debugging a problem with the server.
+--
+2.13.2
+
diff --git a/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch b/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch
new file mode 100644
index 0000000..199e583
--- /dev/null
+++ b/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch
@@ -0,0 +1,86 @@
+From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Wed, 8 May 2019 10:16:31 -0400
+Subject: [PATCH] Use system-provided crypto-policies by default
+
+Signed-off-by: Alexander Scheel
+---
+ raddb/mods-available/eap | 4 ++--
+ raddb/mods-available/inner-eap | 2 +-
+ raddb/sites-available/abfab-tls | 2 +-
+ raddb/sites-available/tls | 4 ++--
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 36849e10f2..b28c0f19c6 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -368,7 +368,7 @@ eap {
+ #
+ # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+ #
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+
+ # If enabled, OpenSSL will use server cipher list
+ # (possibly defined by cipher_list option above)
+@@ -912,7 +912,7 @@ eap {
+ # Note - for OpenSSL 1.1.0 and above you may need
+ # to add ":@SECLEVEL=0"
+ #
+- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
++ # cipher_list = "PROFILE=SYSTEM"
+
+ # PAC lifetime in seconds (default: seven days)
+ #
+diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
+index 576eb7739e..ffa07188e2 100644
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -77,7 +77,7 @@ eap inner-eap {
+ # certificates. If so, edit this file.
+ ca_file = ${cadir}/ca.pem
+
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+
+ # You may want to set a very small fragment size.
+ # The TLS data here needs to go inside of the
+diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
+index 92f1d6330e..cd69b3905a 100644
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -19,7 +19,7 @@ listen {
+ dh_file = ${certdir}/dh
+ fragment_size = 8192
+ ca_path = ${cadir}
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+
+ cache {
+ enable = no
+diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
+index bbc761b1c5..83cd35b851 100644
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -215,7 +215,7 @@ listen {
+ # Set this option to specify the allowed
+ # TLS cipher suites. The format is listed
+ # in "man 1 ciphers".
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+
+ # If enabled, OpenSSL will use server cipher list
+ # (possibly defined by cipher_list option above)
+@@ -517,7 +517,7 @@ home_server tls {
+ # Set this option to specify the allowed
+ # TLS cipher suites. The format is listed
+ # in "man 1 ciphers".
+- cipher_list = "DEFAULT"
++ cipher_list = "PROFILE=SYSTEM"
+ }
+
+ }
+--
+2.21.0
+
diff --git a/SOURCES/freeradius-bootstrap-create-only.patch b/SOURCES/freeradius-bootstrap-create-only.patch
new file mode 100644
index 0000000..7af7c94
--- /dev/null
+++ b/SOURCES/freeradius-bootstrap-create-only.patch
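Review bot: The comments kept around the new `cipher_list = "PROFILE=SYSTEM"` values no longer describe them, most visibly in the two `raddb/mods-available/eap` hunks: the context at line 368 still says to use `"ALL:!EXPORT:!eNULL:!SSLv2"` for EAP-FAST and the context at line 912 still suggests appending `":@SECLEVEL=0"`, while the commented EAP-FAST sample beneath it is now `PROFILE=SYSTEM`. The same applies to both `raddb/sites-available/tls` hunks, whose comment says the format is listed in "man 1 ciphers". An administrator reading the file cannot tell that the effective cipher set is now decided outside this file. I would add a comment next to each changed value, for example `# "PROFILE=SYSTEM" defers cipher selection to the system-wide crypto policy; set an explicit list here only to override it.` Whether EAP-FAST still negotiates under the system policy is not something these hunks show, so the commented EAP-FAST sample should probably keep the explicit string.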
@@ -0,0 +1,103 @@
+From d38836ca4158b42c27f4d7f474e64f4f10aed16d Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Wed, 8 May 2019 10:29:08 -0400
+Subject: [PATCH] Don't clobber existing files on bootstrap
+
+Signed-off-by: Alexander Scheel
+---
+ raddb/certs/bootstrap | 39 ++++++++++++---------------------------
+ 1 file changed, 12 insertions(+), 27 deletions(-)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aafd4..be81a2d697 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -13,17 +13,6 @@
+ umask 027
+ cd `dirname $0`
+
+-make -h > /dev/null 2>&1
+-
+-#
+-# If we have a working "make", then use it. Otherwise, run the commands
+-# manually.
+-#
+-if [ "$?" = "0" ]; then
+- make all
+- exit $?
+-fi
+-
+ #
+ # The following commands were created by running "make -n", and edited
+ # to remove the trailing backslash, and to add "exit 1" after the commands.
+@@ -31,52 +20,51 @@ fi
+ # Don't edit the following text. Instead, edit the Makefile, and
+ # re-generate these commands.
+ #
+-if [ ! -f dh ]; then
++if [ ! -e dh ]; then
+ openssl dhparam -out dh 2048 || exit 1
+- if [ -e /dev/urandom ] ; then
+- ln -sf /dev/urandom random
+- else
+- date > ./random;
+- fi
++ ln -sf /dev/urandom random
+ fi
+
+-if [ ! -f server.key ]; then
++if [ ! -e server.key ]; then
+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
+ fi
+
+-if [ ! -f ca.key ]; then
++if [ ! -e ca.key ]; then
+ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
+ fi
+
+-if [ ! -f index.txt ]; then
++if [ ! -e index.txt ]; then
+ touch index.txt
+ fi
+
+-if [ ! -f serial ]; then
++if [ ! -e serial ]; then
+ echo '01' > serial
+ fi
+
+-if [ ! -f server.crt ]; then
++if [ ! -e server.crt ]; then
+ openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
+ fi
+
+-if [ ! -f server.p12 ]; then
++if [ ! -e server.p12 ]; then
+ openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+ fi
+
+-if [ ! -f server.pem ]; then
++if [ ! -e server.pem ]; then
+ openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+ openssl verify -CAfile ca.pem server.pem || exit 1
+ fi
+
+-if [ ! -f ca.der ]; then
++if [ ! -e ca.der ]; then
+ openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
+ fi
+
+-if [ ! -f client.key ]; then
++if [ ! -e client.key ]; then
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf
+ fi
+
+-if [ ! -f client.crt ]; then
++if [ ! -e client.crt ]; then
+ openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+ fi
++
++chown root:radiusd dh ca.* client.* server.*
++chmod 644 dh ca.* client.* server.*
+--
+2.21.0
+
diff --git a/SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch b/SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch
new file mode 100644
index 0000000..fb96df2
--- /dev/null
+++ b/SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch
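Review bot: The closing `chmod 644 dh ca.* client.* server.*` leaves every generated private key world-readable, because the globs match `ca.key`, `server.key` and `client.key`, and also `server.p12` and `server.pem`, which are built from `-inkey server.key`. That cancels the `umask 027` at the top of the script, and the `chown root:radiusd` on the line before already gives the daemon's group the access it needs. I would keep group read and drop the rest with `chmod 640 dh ca.* client.* server.*`, or name the public certificates explicitly if they must stay world-readable. Both commands sit outside the `-e` guards, so they also reset ownership and mode on pre-existing files that the rest of the script now deliberately leaves alone. Neither is followed by `|| exit 1`, so a failure here goes unreported, unlike most of the commands above.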
@@ -0,0 +1,1955 @@ +From 322f3b0d94f32e01e2db0c76fd38409eddf392ce Mon Sep 17 00:00:00 2001 +From: Jorge Pereira +Date: Thu, 5 Dec 2019 16:02:18 -0300 +Subject: [PATCH] Fix rlm_python3 build + +Just backporting from the master branch. + +Backport from rlm_python (#3184) changes to rlm_python3 + +Brief: + +We should append the 'python_path' to sys.path #3180 + +we should append 'python_path' paths in 'sys.path', due to PySys_SetPath() +reset the entire python path causing problems to use the existing libraries + +Remove unnecessary src/modules/rlm_python3/radiusd_test.py + +Don't call if 'instantiate' and 'detach' are not declared. + +It's related to the discussion in #3185. + +Fix missing destroy for some statements + +Fix Py_SetProgramName() use (#3196) + +As the documentation says, the use of Py_SetProgramName() with wchar_t* +should be only from Python >= 3.5.x + +References: + +Python <= 3.4.x https://docs.python.org/3.4/extending/embedding.html#very-high-level-embedding +Python >= 3.5.x https://docs.python.org/3.5/extending/embedding.html#very-high-level-embedding + +Add missing 'ifdef WITH_PROXY' checks (#3198) + +Clean up (#3197) + +don't try and build rlm_python3 if we can't configure it + +Just call Py_DECREF() (#3199) + +Fix libpython3 cross platform load (#3284) + +Python3 fixes (#3350) + +* python3-config for Python 3.8 requires --embed parameter + +As described in https://bugs.python.org/issue36721, python3-config now +requires --embed for embedded interpreters. 
Otherwise, -lpython3.8 is +not included in ldflags + +* Python 3.8 has removed the "m" suffix in the library name + +As discussed in: https://bugs.python.org/issue36707 + +* Use dl_iterate_phdr to find the appropriate python library + +Otherwise, installation of the libpython3-dev packages is required +in most distributions + +* Update configure file for rlm_python3 + +* Use AX_COMPARE_VERSION to check Python version + +Keep the module directory in python_path +--- + raddb/mods-available/python | 2 +- + raddb/mods-available/python3 | 2 +- + src/include/conf.h | 8 + + src/main/modules.c | 8 - + src/modules/rlm_python3/configure | 1008 ++++++++--------------- + src/modules/rlm_python3/configure.ac | 163 ++-- + src/modules/rlm_python3/radiusd_test.py | 63 -- + src/modules/rlm_python3/rlm_python3.c | 188 ++--- + 8 files changed, 516 insertions(+), 926 deletions(-) + delete mode 100644 src/modules/rlm_python3/radiusd_test.py + +diff --git a/raddb/mods-available/python b/raddb/mods-available/python +index bd172dca05..c19ddcd87e 100644 +--- a/raddb/mods-available/python ++++ b/raddb/mods-available/python +@@ -13,7 +13,7 @@ python { + # item is GLOBAL TO THE SERVER. That is, you cannot have two + # instances of the python module, each with a different path. + # +-# python_path="/path/to/python/files:/another_path/to/python_files/" ++# python_path="${modconfdir}/${.:name}:/path/to/python/files:/another_path/to/python_files/" + + module = example + +diff --git a/raddb/mods-available/python3 b/raddb/mods-available/python3 +index 246dfd74ce..0593c69f1a 100644 +--- a/raddb/mods-available/python3 ++++ b/raddb/mods-available/python3 +@@ -13,7 +13,7 @@ python3 { + # item is GLOBAL TO THE SERVER. That is, you cannot have two + # instances of the python module, each with a different path. 
+ # +-# python_path="/path/to/python/files:/another_path/to/python_files/" ++# python_path="${modconfdir}/${.:name}:/another_path/to/python_files" + + module = example + +diff --git a/src/include/conf.h b/src/include/conf.h +index 758a332b6e..95005d545f 100644 +--- a/src/include/conf.h ++++ b/src/include/conf.h +@@ -13,3 +13,11 @@ + #define SRADUTMP LOGDIR "/sradutmp" + #define RADWTMP LOGDIR "/radwtmp" + #define SRADWTMP LOGDIR "/sradwtmp" ++ ++#ifdef __APPLE__ ++# define LT_SHREXT ".dylib" ++#elif defined (WIN32) ++# define LT_SHREXT ".dll" ++#else ++# define LT_SHREXT ".so" ++#endif +diff --git a/src/main/modules.c b/src/main/modules.c +index 319879c870..c05aa5bf67 100644 +--- a/src/main/modules.c ++++ b/src/main/modules.c +@@ -95,14 +95,6 @@ const section_type_value_t section_type_value[MOD_COUNT] = { + #define RTLD_LOCAL (0) + #endif + +-#ifdef __APPLE__ +-# define LT_SHREXT ".dylib" +-#elif defined (WIN32) +-# define LT_SHREXT ".dll" +-#else +-# define LT_SHREXT ".so" +-#endif +- + /** Check if the magic number in the module matches the one in the library + * + * This is used to detect potential ABI issues caused by running with modules which +diff --git a/src/modules/rlm_python3/configure b/src/modules/rlm_python3/configure +index ff89a16149..05907f12c3 100755 +--- a/src/modules/rlm_python3/configure ++++ b/src/modules/rlm_python3/configure +@@ -588,7 +588,17 @@ LIBOBJS + targetname + mod_cflags + mod_ldflags +-PYTHON3_BIN ++AWK ++PYTHON3_CONFIG_BIN ++pkgpyexecdir ++pyexecdir ++pkgpythondir ++pythondir ++PYTHON_PLATFORM ++PYTHON_EXEC_PREFIX ++PYTHON_PREFIX ++PYTHON_VERSION ++PYTHON + CPP + OBJEXT + EXEEXT +@@ -638,9 +648,7 @@ SHELL' + ac_subst_files='' + ac_user_opts=' + enable_option_checking +-with_rlm_python3_bin +-with_rlm_python3_lib_dir +-with_rlm_python3_include_dir ++with_rlm_python3_config_bin + ' + ac_precious_vars='build_alias + host_alias +@@ -650,7 +658,8 @@ CFLAGS + LDFLAGS + LIBS + CPPFLAGS +-CPP' ++CPP ++PYTHON' + + + # Initialize some 
variables set by options. +@@ -1257,9 +1266,7 @@ if test -n "$ac_init_help"; then + Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) +- --with-rlm-python3-bin=PATH Path to python3 binary +- --with-rlm-python3-lib-dir=DIR Directory for Python library files +- --with-rlm-python3-include-dir=DIR Directory for Python include files ++ --with-rlm-python3-config-bin=PATH Path to python-config3 binary + + Some influential environment variables: + CC C compiler command +@@ -1270,6 +1277,7 @@ Some influential environment variables: + CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if + you have headers in a nonstandard directory + CPP C preprocessor ++ PYTHON the Python interpreter + + Use these variables to override the choices made by `configure' or to help + it to find libraries and programs with nonstandard names/locations. +@@ -2822,46 +2830,92 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ + ac_compiler_gnu=$ac_cv_c_compiler_gnu + + +- PYTHON3_BIN= + +-# Check whether --with-rlm-python3-bin was given. +-if test "${with_rlm_python3_bin+set}" = set; then : +- withval=$with_rlm_python3_bin; case "$withval" in +- no) +- as_fn_error $? "Need rlm-python3-bin" "$LINENO" 5 +- ;; +- yes) +- ;; +- *) +- PYTHON3_BIN="$withval" +- ;; +- esac + +-fi + + +- if test "x$PYTHON3_BIN" = x; then +- for ac_prog in python3 +-do +- # Extract the first word of "$ac_prog", so it can be a program name with args. +-set dummy $ac_prog; ac_word=$2 ++ ++ if test -n "$PYTHON"; then ++ # If the user set $PYTHON, use it and don't search something else. ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 3.0" >&5 ++$as_echo_n "checking whether $PYTHON version is >= 3.0... " >&6; } ++ prog="import sys ++# split strings by '.' and convert to numeric. Append some zeros ++# because we need at least 4 digits for the hex conversion. 
++# map returns an iterator in Python 3.0 and a list in 2.x ++minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0] ++minverhex = 0 ++# xrange is not present in Python 3.0 and range returns an iterator ++for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i] ++sys.exit(sys.hexversion < minverhex)" ++ if { echo "$as_me:$LINENO: $PYTHON -c "$prog"" >&5 ++ ($PYTHON -c "$prog") >&5 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); }; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ as_fn_error $? "Python interpreter is too old" "$LINENO" 5 ++fi ++ am_display_PYTHON=$PYTHON ++ else ++ # Otherwise, try each interpreter until we find one that satisfies ++ # VERSION. ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 3.0" >&5 ++$as_echo_n "checking for a Python interpreter with version >= 3.0... " >&6; } ++if ${am_cv_pathless_PYTHON+:} false; then : ++ $as_echo_n "(cached) " >&6 ++else ++ ++ for am_cv_pathless_PYTHON in python python2 python3 python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0 none; do ++ test "$am_cv_pathless_PYTHON" = none && break ++ prog="import sys ++# split strings by '.' and convert to numeric. Append some zeros ++# because we need at least 4 digits for the hex conversion. 
++# map returns an iterator in Python 3.0 and a list in 2.x ++minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0] ++minverhex = 0 ++# xrange is not present in Python 3.0 and range returns an iterator ++for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i] ++sys.exit(sys.hexversion < minverhex)" ++ if { echo "$as_me:$LINENO: $am_cv_pathless_PYTHON -c "$prog"" >&5 ++ ($am_cv_pathless_PYTHON -c "$prog") >&5 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); }; then : ++ break ++fi ++ done ++fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_pathless_PYTHON" >&5 ++$as_echo "$am_cv_pathless_PYTHON" >&6; } ++ # Set $PYTHON to the absolute path of $am_cv_pathless_PYTHON. ++ if test "$am_cv_pathless_PYTHON" = none; then ++ PYTHON=: ++ else ++ # Extract the first word of "$am_cv_pathless_PYTHON", so it can be a program name with args. ++set dummy $am_cv_pathless_PYTHON; ac_word=$2 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 + $as_echo_n "checking for $ac_word... " >&6; } +-if ${ac_cv_prog_PYTHON3_BIN+:} false; then : ++if ${ac_cv_path_PYTHON+:} false; then : + $as_echo_n "(cached) " >&6 + else +- if test -n "$PYTHON3_BIN"; then +- ac_cv_prog_PYTHON3_BIN="$PYTHON3_BIN" # Let the user override the test. +-else +-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-as_dummy="${PATH}:/usr/bin:/usr/local/bin" +-for as_dir in $as_dummy ++ case $PYTHON in ++ [\\/]* | ?:[\\/]*) ++ ac_cv_path_PYTHON="$PYTHON" # Let the user override the test with a path. ++ ;; ++ *) ++ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR ++for as_dir in $PATH + do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then +- ac_cv_prog_PYTHON3_BIN="$ac_prog" ++ ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +@@ -2869,708 +2923,358 @@ done + done + IFS=$as_save_IFS + ++ ;; ++esac + fi +-fi +-PYTHON3_BIN=$ac_cv_prog_PYTHON3_BIN +-if test -n "$PYTHON3_BIN"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON3_BIN" >&5 +-$as_echo "$PYTHON3_BIN" >&6; } ++PYTHON=$ac_cv_path_PYTHON ++if test -n "$PYTHON"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5 ++$as_echo "$PYTHON" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + $as_echo "no" >&6; } + fi + + +- test -n "$PYTHON3_BIN" && break +-done +-test -n "$PYTHON3_BIN" || PYTHON3_BIN="not-found" +- +- fi +- +- if test "x$PYTHON3_BIN" = "xnot-found"; then +- fail="python-binary" +- fi +- +- PY_LIB_DIR= +- +-# Check whether --with-rlm-python3-lib-dir was given. +-if test "${with_rlm_python3_lib_dir+set}" = set; then : +- withval=$with_rlm_python3_lib_dir; case "$withval" in +- no) +- as_fn_error $? "Need rlm-python3-lib-dir" "$LINENO" 5 +- ;; +- yes) +- ;; +- *) +- PY_LIB_DIR="$withval" +- ;; +- esac +- +-fi ++ fi ++ am_display_PYTHON=$am_cv_pathless_PYTHON ++ fi + + +- PY_INC_DIR= ++ if test "$PYTHON" = :; then ++ : ++ else + +-# Check whether --with-rlm-python3-include-dir was given. +-if test "${with_rlm_python3_include_dir+set}" = set; then : +- withval=$with_rlm_python3_include_dir; case "$withval" in +- no) +- as_fn_error $? "Need rlm-python3-include-dir" "$LINENO" 5 +- ;; +- yes) +- ;; +- *) +- PY_INC_DIR="$withval" +- ;; +- esac + ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON version" >&5 ++$as_echo_n "checking for $am_display_PYTHON version... 
" >&6; } ++if ${am_cv_python_version+:} false; then : ++ $as_echo_n "(cached) " >&6 ++else ++ am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[:3])"` + fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_version" >&5 ++$as_echo "$am_cv_python_version" >&6; } ++ PYTHON_VERSION=$am_cv_python_version + + +- if test x$fail = x; then +- PY_PREFIX=`${PYTHON3_BIN} -c 'import sys ; print(sys.prefix)'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python sys.prefix \"${PY_PREFIX}\"" >&5 +-$as_echo "$as_me: Python sys.prefix \"${PY_PREFIX}\"" >&6;} +- +- PY_EXEC_PREFIX=`${PYTHON3_BIN} -c 'import sys ; print(sys.exec_prefix)'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python sys.exec_prefix \"${PY_EXEC_PREFIX}\"" >&5 +-$as_echo "$as_me: Python sys.exec_prefix \"${PY_EXEC_PREFIX}\"" >&6;} +- +- PY_SYS_VERSION=`${PYTHON3_BIN} -c 'import sys ; print(sys.version[0:3])'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python sys.version \"${PY_SYS_VERSION}\"" >&5 +-$as_echo "$as_me: Python sys.version \"${PY_SYS_VERSION}\"" >&6;} +- +- if test "x$PY_LIB_DIR" = "x"; then +- PY_LIB_DIR="$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config" +- PY_LIB_LOC="-L$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config" +- fi +- +- PY_MAKEFILE="$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config/Makefile" +- if test -f ${PY_MAKEFILE}; then +- PY_LOCAL_MOD_LIBS=`sed -n -e 's/^LOCALMODLIBS=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[:blank:]]/ /g;s/^ *//;s/ *$//'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python local_mod_libs \"${PY_LOCAL_MOD_LIBS}\"" >&5 +-$as_echo "$as_me: Python local_mod_libs \"${PY_LOCAL_MOD_LIBS}\"" >&6;} +- +- PY_BASE_MOD_LIBS=`sed -n -e 's/^BASEMODLIBS=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[:blank:]]/ /g;s/^ *//;s/ *$//'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python base_mod_libs \"${PY_BASE_MOD_LIBS}\"" >&5 +-$as_echo "$as_me: Python base_mod_libs \"${PY_BASE_MOD_LIBS}\"" >&6;} +- +- PY_OTHER_LIBS=`sed -n -e 's/^LIBS=\(.*\)/\1/p' 
$PY_MAKEFILE | sed -e 's/[[:blank:]]/ /g;s/ / /g;s/^ *//;s/ *$//'` +- PY_OTHER_LDFLAGS=`sed -n -e 's/^LINKFORSHARED=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[:blank:]]/ /g;s/ / /g;s/^ *//;s/ *$//'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python other_libs \"${PY_OTHER_LDFLAGS} ${PY_OTHER_LIBS}\"" >&5 +-$as_echo "$as_me: Python other_libs \"${PY_OTHER_LDFLAGS} ${PY_OTHER_LIBS}\"" >&6;} +- fi +- PY_EXTRA_LIBS="$PY_LOCALMODLIBS $PY_BASE_MOD_LIBS $PY_OTHER_LIBS" +- +- old_CFLAGS=$CFLAGS +- CFLAGS="$CFLAGS $PY_CFLAGS" +- smart_try_dir="$PY_PREFIX/include/python$PY_SYS_VERSION" +- + ++ PYTHON_PREFIX='${prefix}' + +-ac_safe=`echo "Python.h" | sed 'y%./+-%__pm%'` +-old_CPPFLAGS="$CPPFLAGS" +-smart_include= +-smart_include_dir="/usr/local/include /opt/include" ++ PYTHON_EXEC_PREFIX='${exec_prefix}' + +-_smart_try_dir= +-_smart_include_dir= + +-for _prefix in $smart_prefix ""; do +- for _dir in $smart_try_dir; do +- _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}" +- done +- +- for _dir in $smart_include_dir; do +- _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}" +- done +-done +- +-if test "x$_smart_try_dir" != "x"; then +- for try in $_smart_try_dir; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python.h in $try" >&5 +-$as_echo_n "checking for Python.h in $try... " >&6; } +- CPPFLAGS="-isystem $try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +- smart_include="-isystem $try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break + ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON platform" >&5 ++$as_echo_n "checking for $am_display_PYTHON platform... 
" >&6; } ++if ${am_cv_python_platform+:} false; then : ++ $as_echo_n "(cached) " >&6 + else +- +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +- done +- CPPFLAGS="$old_CPPFLAGS" +-fi +- +-if test "x$smart_include" = "x"; then +- for _prefix in $smart_prefix; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/Python.h" >&5 +-$as_echo_n "checking for ${_prefix}/Python.h... " >&6; } +- +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +- smart_include="-isystem ${_prefix}/" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break +- ++ am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"` ++fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_platform" >&5 ++$as_echo "$am_cv_python_platform" >&6; } ++ PYTHON_PLATFORM=$am_cv_python_platform ++ ++ ++ # Just factor out some code duplication. ++ am_python_setup_sysconfig="\ ++import sys ++# Prefer sysconfig over distutils.sysconfig, for better compatibility ++# with python 3.x. See automake bug#10227. ++try: ++ import sysconfig ++except ImportError: ++ can_use_sysconfig = 0 ++else: ++ can_use_sysconfig = 1 ++# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs: ++# ++try: ++ from platform import python_implementation ++ if python_implementation() == 'CPython' and sys.version[:3] == '2.7': ++ can_use_sysconfig = 0 ++except ImportError: ++ pass" ++ ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON script directory" >&5 ++$as_echo_n "checking for $am_display_PYTHON script directory... 
" >&6; } ++if ${am_cv_python_pythondir+:} false; then : ++ $as_echo_n "(cached) " >&6 + else ++ if test "x$prefix" = xNONE ++ then ++ am_py_prefix=$ac_default_prefix ++ else ++ am_py_prefix=$prefix ++ fi ++ am_cv_python_pythondir=`$PYTHON -c " ++$am_python_setup_sysconfig ++if can_use_sysconfig: ++ sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'}) ++else: ++ from distutils import sysconfig ++ sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix') ++sys.stdout.write(sitedir)"` ++ case $am_cv_python_pythondir in ++ $am_py_prefix*) ++ am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'` ++ am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"` ++ ;; ++ *) ++ case $am_py_prefix in ++ /usr|/System*) ;; ++ *) ++ am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages ++ ;; ++ esac ++ ;; ++ esac + +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +- done + fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pythondir" >&5 ++$as_echo "$am_cv_python_pythondir" >&6; } ++ pythondir=$am_cv_python_pythondir + +-if test "x$smart_include" = "x"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python.h" >&5 +-$as_echo_n "checking for Python.h... " >&6; } + +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ + +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : ++ pkgpythondir=\${pythondir}/$PACKAGE + +- smart_include=" " +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break + ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON extension module directory" >&5 ++$as_echo_n "checking for $am_display_PYTHON extension module directory... 
" >&6; } ++if ${am_cv_python_pyexecdir+:} false; then : ++ $as_echo_n "(cached) " >&6 + else +- +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } ++ if test "x$exec_prefix" = xNONE ++ then ++ am_py_exec_prefix=$am_py_prefix ++ else ++ am_py_exec_prefix=$exec_prefix ++ fi ++ am_cv_python_pyexecdir=`$PYTHON -c " ++$am_python_setup_sysconfig ++if can_use_sysconfig: ++ sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'}) ++else: ++ from distutils import sysconfig ++ sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix') ++sys.stdout.write(sitedir)"` ++ case $am_cv_python_pyexecdir in ++ $am_py_exec_prefix*) ++ am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'` ++ am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"` ++ ;; ++ *) ++ case $am_py_exec_prefix in ++ /usr|/System*) ;; ++ *) ++ am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages ++ ;; ++ esac ++ ;; ++ esac + + fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +-fi +- +-if test "x$smart_include" = "x"; then ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pyexecdir" >&5 ++$as_echo "$am_cv_python_pyexecdir" >&6; } ++ pyexecdir=$am_cv_python_pyexecdir + +- for prefix in $smart_prefix; do + + +-if test "x$LOCATE" != "x"; then +- DIRS= +- file="${_prefix}/${1}" ++ pkgpyexecdir=\${pyexecdir}/$PACKAGE + +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi +- +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi +- +- already=`echo \$_smart_include_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done +-fi + +-eval "_smart_include_dir=\"\$_smart_include_dir $DIRS\"" + +- done ++ fi + + +-if test "x$LOCATE" != 
"x"; then +- DIRS= +- file=Python.h + +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi ++ PYTHON3_CONFIG_BIN= + +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi ++# Check whether --with-rlm-python3-config-bin was given. ++if test "${with_rlm_python3_config_bin+set}" = set; then : ++ withval=$with_rlm_python3_config_bin; case "$withval" in ++ no) ++ as_fn_error $? "Need rlm-python3-config-bin" "$LINENO" 5 ++ ;; ++ yes) ++ ;; ++ *) ++ PYTHON3_CONFIG_BIN="$withval" ++ ;; ++ esac + +- already=`echo \$_smart_include_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done + fi + +-eval "_smart_include_dir=\"\$_smart_include_dir $DIRS\"" +- +- +- for try in $_smart_include_dir; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python.h in $try" >&5 +-$as_echo_n "checking for Python.h in $try... " >&6; } +- CPPFLAGS="-isystem $try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +- smart_include="-isystem $try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break + ++ if test "x$PYTHON3_CONFIG_BIN" = x; then ++ for ac_prog in python3-config ++do ++ # Extract the first word of "$ac_prog", so it can be a program name with args. ++set dummy $ac_prog; ac_word=$2 ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 ++$as_echo_n "checking for $ac_word... 
" >&6; } ++if ${ac_cv_prog_PYTHON3_CONFIG_BIN+:} false; then : ++ $as_echo_n "(cached) " >&6 + else +- +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++ if test -n "$PYTHON3_CONFIG_BIN"; then ++ ac_cv_prog_PYTHON3_CONFIG_BIN="$PYTHON3_CONFIG_BIN" # Let the user override the test. ++else ++as_save_IFS=$IFS; IFS=$PATH_SEPARATOR ++as_dummy="${PATH}:/usr/bin:/usr/local/bin" ++for as_dir in $as_dummy ++do ++ IFS=$as_save_IFS ++ test -z "$as_dir" && as_dir=. ++ for ac_exec_ext in '' $ac_executable_extensions; do ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ++ ac_cv_prog_PYTHON3_CONFIG_BIN="$ac_prog" ++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 ++ break 2 ++ fi ++done + done +- CPPFLAGS="$old_CPPFLAGS" +-fi +- +-if test "x$smart_include" != "x"; then +- eval "ac_cv_header_$ac_safe=yes" +- CPPFLAGS="$smart_include $old_CPPFLAGS" +- SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS" +-fi +- +-smart_prefix= +- +- CFLAGS=$old_CFLAGS +- +- if test "x$ac_cv_header_Python_h" = "xyes"; then +- mod_cflags="$SMART_CPPFLAGS" +- else +- fail="$fail Python.h" +- targetname= +- fi +- +- old_LIBS=$LIBS +- LIBS="$LIBS $PY_LIB_LOC $PY_EXTRA_LIBS -lm" +- smart_try_dir=$PY_LIB_DIR +- +- +-sm_lib_safe=`echo "python${PY_SYS_VERSION}" | sed 'y%./+-%__p_%'` +-sm_func_safe=`echo "Py_Initialize" | sed 'y%./+-%__p_%'` +- +-old_LIBS="$LIBS" +-old_CPPFLAGS="$CPPFLAGS" +-smart_lib= +-smart_ldflags= +-smart_lib_dir= +- +-if test "x$smart_try_dir" != "x"; then +- for try in $smart_try_dir; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION} in $try" >&5 +-$as_echo_n "checking for Py_Initialize in -lpython${PY_SYS_VERSION} in $try... 
" >&6; } +- LIBS="-lpython${PY_SYS_VERSION} $old_LIBS" +- CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lpython${PY_SYS_VERSION}" +- smart_ldflags="-L$try -Wl,-rpath,$try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break ++IFS=$as_save_IFS + +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } + fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- done +- LIBS="$old_LIBS" +- CPPFLAGS="$old_CPPFLAGS" + fi +- +-if test "x$smart_lib" = "x"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION}" >&5 +-$as_echo_n "checking for Py_Initialize in -lpython${PY_SYS_VERSION}... " >&6; } +- LIBS="-lpython${PY_SYS_VERSION} $old_LIBS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. 
*/ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lpython${PY_SYS_VERSION}" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- ++PYTHON3_CONFIG_BIN=$ac_cv_prog_PYTHON3_CONFIG_BIN ++if test -n "$PYTHON3_CONFIG_BIN"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON3_CONFIG_BIN" >&5 ++$as_echo "$PYTHON3_CONFIG_BIN" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + $as_echo "no" >&6; } + fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- LIBS="$old_LIBS" +-fi + +-if test "x$smart_lib" = "x"; then + ++ test -n "$PYTHON3_CONFIG_BIN" && break ++done ++test -n "$PYTHON3_CONFIG_BIN" || PYTHON3_CONFIG_BIN="not-found" + +-if test "x$LOCATE" != "x"; then +- DIRS= +- file=libpython${PY_SYS_VERSION}${libltdl_cv_shlibext} +- +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi +- +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi +- +- already=`echo \$smart_lib_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done +-fi +- +-eval "smart_lib_dir=\"\$smart_lib_dir $DIRS\"" +- +- +- +-if test "x$LOCATE" != "x"; then +- DIRS= +- file=libpython${PY_SYS_VERSION}.a +- +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi +- +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi +- +- already=`echo \$smart_lib_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done +-fi +- +-eval "smart_lib_dir=\"\$smart_lib_dir $DIRS\"" +- +- +- for try in $smart_lib_dir 
/usr/local/lib /opt/lib; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION} in $try" >&5 +-$as_echo_n "checking for Py_Initialize in -lpython${PY_SYS_VERSION} in $try... " >&6; } +- LIBS="-lpython${PY_SYS_VERSION} $old_LIBS" +- CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lpython${PY_SYS_VERSION}" +- smart_ldflags="-L$try -Wl,-rpath,$try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break ++ fi + ++ if test "x$PYTHON3_CONFIG_BIN" = xnot-found; then ++ fail="$fail python3-config" ++ else ++ old_CFLAGS="$CFLAGS" ++ unset CFLAGS ++ ++ python3_cflags=`${PYTHON3_CONFIG_BIN} --cflags` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: ${PYTHON3_CONFIG_BIN}'s cflags were \"${python3_cflags}\"" >&5 ++$as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s cflags were \"${python3_cflags}\"" >&6;} ++ ++ mod_cflags=`echo $python3_cflags | sed -e '\ ++ s/-I/-isystem/g;\ ++ s/-isysroot[ =]\{0,1\}[^-]*//g;\ ++ s/-O[^[[:blank:]]]*//g;\ ++ s/-Wp,-D_FORTIFY_SOURCE=[[:digit:]]//g;\ ++ s/-g[^ ]*//g;\ ++ s/-W[^ ]*//g;\ ++ s/-DNDEBUG[[:blank:]]*//g; ++ '` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: Sanitized cflags were \"${mod_cflags}\"" >&5 ++$as_echo "$as_me: Sanitized cflags were \"${mod_cflags}\"" >&6;} ++ ++ for ac_prog in gawk mawk nawk awk ++do ++ # Extract the first word of "$ac_prog", so it can be a program name with args. ++set dummy $ac_prog; ac_word=$2 ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 ++$as_echo_n "checking for $ac_word... 
" >&6; } ++if ${ac_cv_prog_AWK+:} false; then : ++ $as_echo_n "(cached) " >&6 + else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext ++ if test -n "$AWK"; then ++ ac_cv_prog_AWK="$AWK" # Let the user override the test. ++else ++as_save_IFS=$IFS; IFS=$PATH_SEPARATOR ++for as_dir in $PATH ++do ++ IFS=$as_save_IFS ++ test -z "$as_dir" && as_dir=. ++ for ac_exec_ext in '' $ac_executable_extensions; do ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ++ ac_cv_prog_AWK="$ac_prog" ++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 ++ break 2 ++ fi ++done + done +- LIBS="$old_LIBS" +- CPPFLAGS="$old_CPPFLAGS" +-fi +- +-if test "x$smart_lib" != "x"; then +- eval "ac_cv_lib_${sm_lib_safe}_${sm_func_safe}=yes" +- LIBS="$smart_ldflags $smart_lib $old_LIBS" +- SMART_LIBS="$smart_ldflags $smart_lib $SMART_LIBS" +-fi +- +- LIBS=$old_LIBS +- +- eval t=\${ac_cv_lib_${sm_lib_safe}_${sm_func_safe}} +- if test "x$t" = "xyes"; then +- mod_ldflags="$PY_LIB_LOC $PY_EXTRA_LIBS $SMART_LIBS -lm" +- targetname=rlm_python3 +- else +- +- +-sm_lib_safe=`echo "python${PY_SYS_VERSION}m" | sed 'y%./+-%__p_%'` +-sm_func_safe=`echo "Py_Initialize" | sed 'y%./+-%__p_%'` +- +-old_LIBS="$LIBS" +-old_CPPFLAGS="$CPPFLAGS" +-smart_lib= +-smart_ldflags= +-smart_lib_dir= +- +-if test "x$smart_try_dir" != "x"; then +- for try in $smart_try_dir; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION}m in $try" >&5 +-$as_echo_n "checking for Py_Initialize in -lpython${PY_SYS_VERSION}m in $try... " >&6; } +- LIBS="-lpython${PY_SYS_VERSION}m $old_LIBS" +- CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. 
*/ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lpython${PY_SYS_VERSION}m" +- smart_ldflags="-L$try -Wl,-rpath,$try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break ++IFS=$as_save_IFS + +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } + fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- done +- LIBS="$old_LIBS" +- CPPFLAGS="$old_CPPFLAGS" + fi +- +-if test "x$smart_lib" = "x"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION}m" >&5 +-$as_echo_n "checking for Py_Initialize in -lpython${PY_SYS_VERSION}m... " >&6; } +- LIBS="-lpython${PY_SYS_VERSION}m $old_LIBS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lpython${PY_SYS_VERSION}m" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- ++AWK=$ac_cv_prog_AWK ++if test -n "$AWK"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 ++$as_echo "$AWK" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + $as_echo "no" >&6; } + fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- LIBS="$old_LIBS" +-fi + +-if test "x$smart_lib" = "x"; then + ++ test -n "$AWK" && break ++done + +-if test "x$LOCATE" != "x"; then +- DIRS= +- file=libpython${PY_SYS_VERSION}m${libltdl_cv_shlibext} + +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi + +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi + 
+- already=`echo \$smart_lib_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done +-fi ++ # Used to indicate true or false condition ++ ax_compare_version=false + +-eval "smart_lib_dir=\"\$smart_lib_dir $DIRS\"" ++ # Convert the two version strings to be compared into a format that ++ # allows a simple string comparison. The end result is that a version ++ # string of the form 1.12.5-r617 will be converted to the form ++ # 0001001200050617. In other words, each number is zero padded to four ++ # digits, and non digits are removed. + ++ ax_compare_version_A=`echo "${PYTHON_VERSION}" | sed -e 's/\([0-9]*\)/Z\1Z/g' \ ++ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \ ++ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \ ++ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \ ++ -e 's/[^0-9]//g'` + + +-if test "x$LOCATE" != "x"; then +- DIRS= +- file=libpython${PY_SYS_VERSION}m.a ++ ax_compare_version_B=`echo "3.8" | sed -e 's/\([0-9]*\)/Z\1Z/g' \ ++ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \ ++ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \ ++ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \ ++ -e 's/[^0-9]//g'` + +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi + +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi ++ ax_compare_version=`echo "x$ax_compare_version_A ++x$ax_compare_version_B" | sed 's/^ *//' | sort -r | sed "s/x${ax_compare_version_A}/true/;s/x${ax_compare_version_B}/false/;1q"` + +- already=`echo \$smart_lib_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done +-fi + +-eval "smart_lib_dir=\"\$smart_lib_dir $DIRS\"" + ++ if test "$ax_compare_version" = "true" ; then ++ EMBED="--embed" ++ fi + +- for try in $smart_lib_dir /usr/local/lib /opt/lib; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION}m in $try" >&5 +-$as_echo_n 
"checking for Py_Initialize in -lpython${PY_SYS_VERSION}m in $try... " >&6; } +- LIBS="-lpython${PY_SYS_VERSION}m $old_LIBS" +- CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : + +- smart_lib="-lpython${PY_SYS_VERSION}m" +- smart_ldflags="-L$try -Wl,-rpath,$try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break ++ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&5 ++$as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&6;} + +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- done +- LIBS="$old_LIBS" +- CPPFLAGS="$old_CPPFLAGS" +-fi ++ mod_ldflags=`echo $python3_ldflags | sed -e '\ ++ s/-Wl,-O[[:digit:]][[:blank:]]*//g;\ ++ s/-Wl,-Bsymbolic-functions[[:blank:]]*//g;\ ++ s/-Xlinker -export-dynamic//g;\ ++ s/-Wl,-stack_size,[[:digit:]]*[[:blank:]]//g; ++ '` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: Sanitized ldflags were \"${mod_ldflags}\"" >&5 ++$as_echo "$as_me: Sanitized ldflags were \"${mod_ldflags}\"" >&6;} + +-if test "x$smart_lib" != "x"; then +- eval "ac_cv_lib_${sm_lib_safe}_${sm_func_safe}=yes" +- LIBS="$smart_ldflags $smart_lib $old_LIBS" +- SMART_LIBS="$smart_ldflags $smart_lib $SMART_LIBS" +-fi ++ CFLAGS=$old_CFLAGS + +- eval t=\${ac_cv_lib_${sm_lib_safe}_${sm_func_safe}} +- if test "x$t" = "xyes"; then +- mod_ldflags="$PY_LIB_LOC $PY_EXTRA_LIBS $SMART_LIBS -lm" +- targetname=rlm_python3 +- else +- targetname= +- fail="$fail libpython$PY_SYS_VERSION" +- fi +- fi ++ targetname="rlm_python3" + fi + +- for ac_func in dl_iterate_phdr ++for 
ac_func in dl_iterate_phdr + do : + ac_fn_c_check_func "$LINENO" "dl_iterate_phdr" "ac_cv_func_dl_iterate_phdr" + if test "x$ac_cv_func_dl_iterate_phdr" = xyes; then : +@@ -3603,11 +3307,7 @@ ac_config_headers="$ac_config_headers config.h" + + + +- +- unset ac_cv_env_LIBS_set +- unset ac_cv_env_LIBS_value +- +- ac_config_files="$ac_config_files all.mk" ++ac_config_files="$ac_config_files all.mk" + + cat >confcache <<\_ACEOF + # This file is a shell script that caches the results of configure +@@ -4187,6 +3887,7 @@ gives unlimited permission to copy, distribute and modify it." + + ac_pwd='$ac_pwd' + srcdir='$srcdir' ++AWK='$AWK' + test -n "\$AWK" || AWK=awk + _ACEOF + +@@ -4881,4 +4582,3 @@ if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then + $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} + fi + +- +diff --git a/src/modules/rlm_python3/configure.ac b/src/modules/rlm_python3/configure.ac +index a00320fda4..698a8c1d18 100644 +--- a/src/modules/rlm_python3/configure.ac ++++ b/src/modules/rlm_python3/configure.ac +@@ -7,128 +7,81 @@ if test x$with_[]modname != xno; then + + AC_PROG_CC + AC_PROG_CPP ++ AM_PATH_PYTHON([3.0],, [:]) + +- dnl extra argument: --with-rlm-python3-bin +- PYTHON3_BIN= +- AC_ARG_WITH(rlm-python3-bin, +- [ --with-rlm-python3-bin=PATH Path to python3 binary []], ++ dnl extra argument: --with-rlm-python3-config-bin ++ PYTHON3_CONFIG_BIN= ++ AC_ARG_WITH(rlm-python3-config-bin, ++ [ --with-rlm-python3-config-bin=PATH Path to python-config3 binary []], + [ case "$withval" in + no) +- AC_MSG_ERROR(Need rlm-python3-bin) ++ AC_MSG_ERROR(Need rlm-python3-config-bin) + ;; + yes) + ;; + *) +- PYTHON3_BIN="$withval" ++ PYTHON3_CONFIG_BIN="$withval" + ;; + esac ] + ) + +- if test "x$PYTHON3_BIN" = x; then +- AC_CHECK_PROGS(PYTHON3_BIN, [ python3 ], not-found, [${PATH}:/usr/bin:/usr/local/bin]) ++ if test "x$PYTHON3_CONFIG_BIN" = x; then ++ AC_CHECK_PROGS(PYTHON3_CONFIG_BIN, [ python3-config ], 
not-found, [${PATH}:/usr/bin:/usr/local/bin])
+ fi
+
+- if test "x$PYTHON3_BIN" = "xnot-found"; then
+- fail="python-binary"
+- fi
+-
+- dnl extra argument: --with-rlm-python3-lib-dir
+- PY_LIB_DIR=
+- AC_ARG_WITH(rlm-python3-lib-dir,
+- [ --with-rlm-python3-lib-dir=DIR Directory for Python library files []],
+- [ case "$withval" in
+- no)
+- AC_MSG_ERROR(Need rlm-python3-lib-dir)
+- ;;
+- yes)
+- ;;
+- *)
+- PY_LIB_DIR="$withval"
+- ;;
+- esac ]
+- )
+-
+- dnl extra argument: --with-rlm-python3-include-dir
+- PY_INC_DIR=
+- AC_ARG_WITH(rlm-python3-include-dir,
+- [ --with-rlm-python3-include-dir=DIR Directory for Python include files []],
+- [ case "$withval" in
+- no)
+- AC_MSG_ERROR(Need rlm-python3-include-dir)
+- ;;
+- yes)
+- ;;
+- *)
+- PY_INC_DIR="$withval"
+- ;;
+- esac ]
+- )
+-
+- if test x$fail = x; then
+- PY_PREFIX=`${PYTHON3_BIN} -c 'import sys ; print(sys.prefix)'`
+- AC_MSG_NOTICE([Python sys.prefix \"${PY_PREFIX}\"])
+-
+- PY_EXEC_PREFIX=`${PYTHON3_BIN} -c 'import sys ; print(sys.exec_prefix)'`
+- AC_MSG_NOTICE([Python sys.exec_prefix \"${PY_EXEC_PREFIX}\"])
+-
+- PY_SYS_VERSION=`${PYTHON3_BIN} -c 'import sys ; print(sys.version[[0:3]])'`
+- AC_MSG_NOTICE([Python sys.version \"${PY_SYS_VERSION}\"])
+-
+- if test "x$PY_LIB_DIR" = "x"; then
+- PY_LIB_DIR="$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config"
+- PY_LIB_LOC="-L$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config"
+- fi
+-
+- PY_MAKEFILE="$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config/Makefile"
+- if test -f ${PY_MAKEFILE}; then
+- PY_LOCAL_MOD_LIBS=`sed -n -e 's/^LOCALMODLIBS=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[[:blank:]]]/ /g;s/^ *//;s/ *$//'`
+- AC_MSG_NOTICE([Python local_mod_libs \"${PY_LOCAL_MOD_LIBS}\"])
+-
+- PY_BASE_MOD_LIBS=`sed -n -e 's/^BASEMODLIBS=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[[:blank:]]]/ /g;s/^ *//;s/ *$//'`
+- AC_MSG_NOTICE([Python base_mod_libs \"${PY_BASE_MOD_LIBS}\"])
+-
+- PY_OTHER_LIBS=`sed -n -e 's/^LIBS=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 
's/[[[:blank:]]]/ /g;s/ / /g;s/^ *//;s/ *$//'`
+- PY_OTHER_LDFLAGS=`sed -n -e 's/^LINKFORSHARED=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[[:blank:]]]/ /g;s/ / /g;s/^ *//;s/ *$//'`
+- AC_MSG_NOTICE([Python other_libs \"${PY_OTHER_LDFLAGS} ${PY_OTHER_LIBS}\"])
+- fi
+- PY_EXTRA_LIBS="$PY_LOCALMODLIBS $PY_BASE_MOD_LIBS $PY_OTHER_LIBS"
++ if test "x$PYTHON3_CONFIG_BIN" = xnot-found; then
++ fail="$fail python3-config"
++ else
++ dnl #
++ dnl # It is necessary due to a weird behavior with 'python3-config'
++ dnl #
++ old_CFLAGS="$CFLAGS"
++ unset CFLAGS
++
++ python3_cflags=`${PYTHON3_CONFIG_BIN} --cflags`
++ AC_MSG_NOTICE([${PYTHON3_CONFIG_BIN}'s cflags were \"${python3_cflags}\"])
++
++ dnl # Convert -I to -isystem to get rid of warnings about issues in Python headers
++ dnl # Strip -systemroot
++ dnl # Strip optimisation flags (-O[0-9]?). We decide our optimisation level, not python.
++ dnl # -D_FORTIFY_SOURCE needs -O.
++ dnl # Strip debug symbol flags (-g[0-9]?). We decide on debugging symbols, not python
++ dnl # Strip -W*, we decide what warnings are important
++ dnl # Strip -DNDEBUG
++ mod_cflags=`echo $python3_cflags | sed -e '\
++ s/-I/-isystem/g;\
++ s/-isysroot[[ =]]\{0,1\}[[^-]]*//g;\
++ s/-O[[^[[:blank:]]]]*//g;\
++ s/-Wp,-D_FORTIFY_SOURCE=[[[:digit:]]]//g;\
++ s/-g[[^ ]]*//g;\
++ s/-W[[^ ]]*//g;\
++ s/-DNDEBUG[[[:blank:]]]*//g;
++ '`
++ AC_MSG_NOTICE([Sanitized cflags were \"${mod_cflags}\"])
++
++ dnl # From python 3.8, --embed is required
++ dnl # https://bugs.python.org/issue36721
++ AX_COMPARE_VERSION(${PYTHON_VERSION}, [ge], [3.8], [EMBED="--embed"], [])
++
++ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED`
++ AC_MSG_NOTICE([${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"])
++
++ dnl # Strip -Wl,-O1... Is -O even a valid linker flag?? 
++ dnl # Strip -Wl,-Bsymbolic-functions as thats not always supported or required
++ dnl # Strip -Xlinker -export-dynamic as it causes weird linking issues on Linux
++ dnl # See: https://bugs.python.org/issue36508
++ mod_ldflags=`echo $python3_ldflags | sed -e '\
++ s/-Wl,-O[[[:digit:]]][[[:blank:]]]*//g;\
++ s/-Wl,-Bsymbolic-functions[[[:blank:]]]*//g;\
++ s/-Xlinker -export-dynamic//g;\
++ s/-Wl,-stack_size,[[[:digit:]]]*[[[:blank:]]]//g;
++ '`
++ AC_MSG_NOTICE([Sanitized ldflags were \"${mod_ldflags}\"])
+
+- old_CFLAGS=$CFLAGS
+- CFLAGS="$CFLAGS $PY_CFLAGS"
+- smart_try_dir="$PY_PREFIX/include/python$PY_SYS_VERSION"
+- FR_SMART_CHECK_INCLUDE(Python.h)
+ CFLAGS=$old_CFLAGS
+
+- if test "x$ac_cv_header_Python_h" = "xyes"; then
+- mod_cflags="$SMART_CPPFLAGS"
+- else
+- fail="$fail Python.h"
+- targetname=
+- fi
+-
+- old_LIBS=$LIBS
+- LIBS="$LIBS $PY_LIB_LOC $PY_EXTRA_LIBS -lm"
+- smart_try_dir=$PY_LIB_DIR
+- FR_SMART_CHECK_LIB(python${PY_SYS_VERSION}, Py_Initialize)
+- LIBS=$old_LIBS
+-
+- eval t=\${ac_cv_lib_${sm_lib_safe}_${sm_func_safe}}
+- if test "x$t" = "xyes"; then
+- mod_ldflags="$PY_LIB_LOC $PY_EXTRA_LIBS $SMART_LIBS -lm"
+- targetname=modname
+- else
+- FR_SMART_CHECK_LIB(python${PY_SYS_VERSION}m, Py_Initialize)
+- eval t=\${ac_cv_lib_${sm_lib_safe}_${sm_func_safe}}
+- if test "x$t" = "xyes"; then
+- mod_ldflags="$PY_LIB_LOC $PY_EXTRA_LIBS $SMART_LIBS -lm"
+- targetname=modname
+- else
+- targetname=
+- fail="$fail libpython$PY_SYS_VERSION"
+- fi
+- fi
++ targetname="rlm_python3"
+ fi
+-
+ AC_CHECK_FUNCS([dl_iterate_phdr])
+ else
+ targetname=
+diff --git a/src/modules/rlm_python3/radiusd_test.py b/src/modules/rlm_python3/radiusd_test.py
+deleted file mode 100644
+index 8582716ccb..0000000000
+--- a/src/modules/rlm_python3/radiusd_test.py
++++ /dev/null
+@@ -1,63 +0,0 @@
+-#! /usr/bin/env python3
+-#
+-# Python module test
+-# Miguel A.L. 
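Review bot: The `-O` expression in the cflags filter is over-quoted: `s/-O[[^[[:blank:]]]]*//g;\` comes out of m4 as `s/-O[^[[:blank:]]]*//g` (the regenerated configure earlier in this patch shows exactly that), which matches `-O`, one non-blank character and then literal `]`s, so a flag such as `-Ofast` would be left as `ast`; `s/-O[[^[:blank:]]]*//g;\` is presumably what was intended. The `-g[[^ ]]*` and `-W[[^ ]]*` expressions are not anchored to the start of a flag, so they also delete `-Wp,…`/`-Wl,…` pass-through options and any `-g…`/`-W…` substring inside a path, which means hardening options reported by python3-config reach the module only if the outer build supplies them again; a `dnl` line stating that would help. In the ldflags notice `\"$python3_ldflags}\"` is missing its opening brace and should read `\"${python3_ldflags}\"`. `EMBED` should also be cleared with `EMBED=` before `AX_COMPARE_VERSION`, so that a value inherited from the environment cannot end up in the `--ldflags` call.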
Paraz
+-#
+-# $Id: 8582716ccbf340be00ce081ecf5ab078e93d1183 $
+-
+-import radiusd
+-
+-def instantiate(p):
+- print "*** instantiate ***"
+- print p
+-
+-def authorize(p):
+- print "*** authorize ***"
+- print
+- radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')
+- print
+- print p
+- return radiusd.RLM_MODULE_OK
+-
+-def preacct(p):
+- print "*** preacct ***"
+- print p
+- return radiusd.RLM_MODULE_OK
+-
+-def accounting(p):
+- print "*** accounting ***"
+- radiusd.radlog(radiusd.L_INFO, '*** radlog call in accounting (0) ***')
+- print
+- print p
+- return radiusd.RLM_MODULE_OK
+-
+-def pre_proxy(p):
+- print "*** pre_proxy ***"
+- print p
+- return radiusd.RLM_MODULE_OK
+-
+-def post_proxy(p):
+- print "*** post_proxy ***"
+- print p
+- return radiusd.RLM_MODULE_OK
+-
+-def post_auth(p):
+- print "*** post_auth ***"
+- print p
+- return radiusd.RLM_MODULE_OK
+-
+-def recv_coa(p):
+- print "*** recv_coa ***"
+- print p
+- return radiusd.RLM_MODULE_OK
+-
+-def send_coa(p):
+- print "*** send_coa ***"
+- print p
+- return radiusd.RLM_MODULE_OK
+-
+-
+-def detach():
+- print "*** goodbye from radiusd_test.py ***"
+- return radiusd.RLM_MODULE_OK
+-
+diff --git a/src/modules/rlm_python3/rlm_python3.c b/src/modules/rlm_python3/rlm_python3.c
+index 06187e4ffa..5da23f4d71 100644
+--- a/src/modules/rlm_python3/rlm_python3.c
++++ b/src/modules/rlm_python3/rlm_python3.c
+@@ -41,8 +41,17 @@ RCSID("$Id$")
+ #include
+ #endif
+
++/*
++ * Since version 3.8, the "m" suffix is no longer available.
++ * https://bugs.python.org/issue36707
++ */
++#if PY_MINOR_VERSION >= 8
+ #define LIBPYTHON_LINKER_NAME \
+- "libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) "m.so"
++ "libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) LT_SHREXT
++#else
++#define LIBPYTHON_LINKER_NAME \
++ "libpython" STRINGIFY(PY_MAJOR_VERSION) "." 
STRINGIFY(PY_MINOR_VERSION) "m" LT_SHREXT
++#endif
+
+ static uint32_t python_instances = 0;
+ static void *python_dlhandle;
+@@ -67,8 +76,10 @@ static CONF_PARSER module_config[] = {
+ A(preacct)
+ A(accounting)
+ A(checksimul)
++#ifdef WITH_PROXY
+ A(pre_proxy)
+ A(post_proxy)
++#endif
+ A(post_auth)
+ #ifdef WITH_COA
+ A(recv_coa)
+@@ -98,7 +109,9 @@ static struct {
+ A(L_AUTH)
+ A(L_INFO)
+ A(L_ERR)
++#ifdef WITH_PROXY
+ A(L_PROXY)
++#endif
+ A(L_ACCT)
+ A(L_DBG_WARN)
+ A(L_DBG_ERR)
+@@ -186,18 +199,16 @@ static void python_error_log(void)
+
+ if (!pExcType || !pExcValue) {
+ ERROR("%s:%d, Unknown error", __func__, __LINE__);
+- if (pExcType) {
+- Py_DecRef(pExcType);
+- }
+- if (pExcValue) {
+- Py_DecRef(pExcValue);
+- }
++ Py_XDECREF(pExcType);
++ Py_XDECREF(pExcValue);
+ return;
+ }
+
+ if (((pStr1 = PyObject_Str(pExcType)) != NULL) &&
+ ((pStr2 = PyObject_Str(pExcValue)) != NULL)) {
+ ERROR("%s:%d, Exception type: %s, Exception value: %s", __func__, __LINE__, PyUnicode_AsUTF8(pStr1), PyUnicode_AsUTF8(pStr2));
++ Py_DECREF(pStr1);
++ Py_DECREF(pStr2);
+ }
+
+ if (pExcTraceback) {
+@@ -217,46 +228,23 @@ static void python_error_log(void)
+ char *str = PyBytes_AsString(pTraceString);
+ ERROR("%s:%d, full_backtrace: %s", __func__, __LINE__, str);
+
+- if (pyth_val) {
+- Py_DecRef(pyth_val);
+- }
+- if (pystr) {
+- Py_DecRef(pystr);
+- }
+- if (pTraceString) {
+- Py_DecRef(pTraceString);
+- }
++ Py_DECREF(pyth_val);
++ Py_DECREF(pystr);
++ Py_DECREF(pTraceString);
++ Py_DECREF(pyth_func);
+ }
+- if (pyth_func) {
+- Py_DecRef(pyth_func);
+- }
+- Py_DecRef(pyth_module);
++ Py_DECREF(pyth_module);
+ } else {
+ ERROR("%s:%d, py_module is null, name: %p", __func__, __LINE__, module_name);
+ }
+
+- if (module_name) {
+- Py_DecRef(module_name);
+- }
+-
+- Py_DecRef(pRepr);
++ Py_DECREF(module_name);
++ Py_DECREF(pRepr);
++ Py_DECREF(pExcTraceback);
+ }
+
+- if (pExcType) {
+- Py_DecRef(pExcType);
+- }
+- if (pExcValue) {
+- Py_DecRef(pExcValue);
+- }
+- if 
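Review bot: The new guard `#if PY_MINOR_VERSION >= 8` tests the minor number alone, while the rest of this file selects on `PY_VERSION_HEX` (see the hunks at -1102 and -1163); `#if PY_VERSION_HEX >= 0x03080000` expresses the same cut-off without depending on the major version. The macro presumably names the library that `dlopen_libpython()` loads into the global symbol table, so a one-line comment that `LT_SHREXT` has to be provided by the build (it is not defined in the visible lines) would help the next reader.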
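Review bot: In the hunk at -186, `pStr1` is leaked when `PyObject_Str(pExcType)` succeeds and `PyObject_Str(pExcValue)` fails, because the two added `Py_DECREF` calls sit inside the body that only runs when both conversions succeed, and the hunk at -217 removes the guarded releases that used to cover this at the end of the function. Moving the release after the closing brace as `Py_XDECREF(pStr1); Py_XDECREF(pStr2);` covers all three outcomes. This assumes both pointers are initialised to NULL where they are declared, which is outside the hunk but implied by the removed `if (pStr1)` test.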
(pExcTraceback) {
+- Py_DecRef(pExcTraceback);
+- }
+- if (pStr1) {
+- Py_DecRef(pStr1);
+- }
+- if (pStr2) {
+- Py_DecRef(pStr2);
+- }
++ Py_DECREF(pExcType);
++ Py_DECREF(pExcValue);
+ }
+
+ static void mod_vptuple(TALLOC_CTX *ctx, REQUEST *request, VALUE_PAIR **vps, PyObject *pValue,
+@@ -510,6 +498,7 @@ static rlm_rcode_t do_python_single(REQUEST *request, PyObject *pFunc, char cons
+ goto finish;
+ }
+
++#ifdef WITH_PROXY
+ /* fill proxy vps */
+ if (request->proxy) {
+ if (!mod_populate_vps(pArgs, 4, request->proxy->vps)) {
+@@ -517,10 +506,13 @@ static rlm_rcode_t do_python_single(REQUEST *request, PyObject *pFunc, char cons
+ ret = RLM_MODULE_FAIL;
+ goto finish;
+ }
+- } else {
++ } else
++#endif
++ {
+ mod_populate_vps(pArgs, 4, NULL);
+ }
+
++#ifdef WITH_PROXY
+ /* fill proxy_reply vps */
+ if (request->proxy_reply) {
+ if (!mod_populate_vps(pArgs, 5, request->proxy_reply->vps)) {
+@@ -528,7 +520,9 @@ static rlm_rcode_t do_python_single(REQUEST *request, PyObject *pFunc, char cons
+ ret = RLM_MODULE_FAIL;
+ goto finish;
+ }
+- } else {
++ } else
++#endif
++ {
+ mod_populate_vps(pArgs, 5, NULL);
+ }
+
+@@ -550,9 +544,14 @@ static rlm_rcode_t do_python_single(REQUEST *request, PyObject *pFunc, char cons
+ PyDict_SetItemString(pDictInput, "request", PyTuple_GET_ITEM(pArgs, 0)) ||
+ PyDict_SetItemString(pDictInput, "reply", PyTuple_GET_ITEM(pArgs, 1)) ||
+ PyDict_SetItemString(pDictInput, "config", PyTuple_GET_ITEM(pArgs, 2)) ||
+- PyDict_SetItemString(pDictInput, "session-state", PyTuple_GET_ITEM(pArgs, 3)) ||
++ PyDict_SetItemString(pDictInput, "session-state", PyTuple_GET_ITEM(pArgs, 3))
++#ifdef WITH_PROXY
++ ||
+ PyDict_SetItemString(pDictInput, "proxy-request", PyTuple_GET_ITEM(pArgs, 4)) ||
+- PyDict_SetItemString(pDictInput, "proxy-reply", PyTuple_GET_ITEM(pArgs, 5))) {
++ PyDict_SetItemString(pDictInput, "proxy-reply", PyTuple_GET_ITEM(pArgs, 5))
++#endif
++ ) {
++
+ ERROR("%s:%d, %s - PyDict_SetItemString failed", __func__, __LINE__, funcname);
+ 
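Review bot: The hunk at -217 replaces NULL-guarded `Py_DecRef()` calls with bare `Py_DECREF()`, which dereferences its argument unconditionally, so any of `pyth_val`, `pystr`, `pTraceString` or `module_name` being NULL now crashes the server inside its own error-logging path. The removed `if (pyth_val)`-style tests suggest those objects can be NULL here, although the calls that produce them lie outside the hunk. I would write `Py_XDECREF(pyth_val);` and likewise for `pystr`, `pTraceString` and `module_name`. `Py_XDECREF(pyth_func);` should stay after the inner block rather than inside it, since moving it inside looks like it leaks `pyth_func` whenever that block is skipped. The releases of `pExcType`, `pExcValue` and `pExcTraceback` are fine as written, because the early return and the enclosing `if (pExcTraceback)` already establish that they are non-NULL.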
ret = RLM_MODULE_FAIL;
+ goto finish;
+@@ -819,8 +818,10 @@ MOD_FUNC(authorize)
+ MOD_FUNC(preacct)
+ MOD_FUNC(accounting)
+ MOD_FUNC(checksimul)
++#ifdef WITH_PROXY
+ MOD_FUNC(pre_proxy)
+ MOD_FUNC(post_proxy)
++#endif
+ MOD_FUNC(post_auth)
+ #ifdef WITH_COA
+ MOD_FUNC(recv_coa)
+@@ -1102,7 +1103,7 @@ static int python_interpreter_init(rlm_python_t *inst, CONF_SECTION *conf)
+ python_dlhandle = dlopen_libpython(RTLD_NOW | RTLD_GLOBAL);
+ if (!python_dlhandle) WARN("Failed loading libpython symbols into global symbol table");
+
+-#if PY_VERSION_HEX > 0x03050000
++#if PY_VERSION_HEX >= 0x03050000
+ {
+ wchar_t *name;
+
+@@ -1110,13 +1111,6 @@ static int python_interpreter_init(rlm_python_t *inst, CONF_SECTION *conf)
+ Py_SetProgramName(name); /* The value of argv[0] as a wide char string */
+ PyMem_RawFree(name);
+ }
+-#elif PY_VERSION_HEX > 0x0300000
+- {
+- wchar_t *name;
+-
+- MEM(name = _Py_char2wchar(main_config.name, NULL));
+- Py_SetProgramName(inst->wide_name); /* The value of argv[0] as a wide char string */
+- }
+ #else
+ {
+ char *name;
+@@ -1163,37 +1157,34 @@ static int python_interpreter_init(rlm_python_t *inst, CONF_SECTION *conf)
+ * the lifetime of the module. 
+ */
+ if (inst->python_path) {
++ char *p, *path;
++ PyObject *sys = PyImport_ImportModule("sys");
++ PyObject *sys_path = PyObject_GetAttrString(sys, "path");
++
++ memcpy(&p, &inst->python_path, sizeof(path));
++
++ for (path = strtok(p, ":"); path != NULL; path = strtok(NULL, ":")) {
+ #if PY_VERSION_HEX > 0x03050000
+- {
+- wchar_t *path;
+- PyObject* sys = PyImport_ImportModule("sys");
+- PyObject* sys_path = PyObject_GetAttrString(sys,"path");
+-
+- MEM(path = Py_DecodeLocale(inst->python_path, NULL));
+- PyList_Append(sys_path, PyUnicode_FromWideChar(path,-1));
+- PyObject_SetAttrString(sys,"path",sys_path);
+- PyMem_RawFree(path);
+- }
++ wchar_t *py_path;
++
++ MEM(py_path = Py_DecodeLocale(path, NULL));
++ PyList_Append(sys_path, PyUnicode_FromWideChar(py_path, -1));
++ PyMem_RawFree(py_path);
+ #elif PY_VERSION_HEX > 0x03000000
+- {
+- wchar_t *path;
+- PyObject* sys = PyImport_ImportModule("sys");
+- PyObject* sys_path = PyObject_GetAttrString(sys,"path");
+-
+- MEM(path = _Py_char2wchar(inst->python_path, NULL));
+- PyList_Append(sys_path, PyUnicode_FromWideChar(path,-1));
+- PyObject_SetAttrString(sys,"path",sys_path);
+- }
+-#else
+- {
+- char *path;
++ wchar_t *py_path;
+
+- memcpy(&path, &inst->python_path, sizeof(path));
+- Py_SetPath(path);
+- }
++ MEM(py_path = _Py_char2wchar(path, NULL));
++ PyList_Append(sys_path, PyUnicode_FromWideChar(py_path, -1));
++ PyMem_RawFree(py_path);
++#else
++ PyList_Append(sys_path, PyLong_FromString(path));
+ #endif
+- }
++ }
+
++ PyObject_SetAttrString(sys, "path", sys_path);
++ Py_DecRef(sys);
++ Py_DecRef(sys_path);
++ }
+ } else {
+ inst->module = main_module;
+ Py_IncRef(inst->module);
+@@ -1220,7 +1211,7 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance)
+ {
+ rlm_python_t *inst = instance;
+- int code = 0;
++ int code = RLM_MODULE_OK;
+
+ inst->name = cf_section_name2(conf);
+ if (!inst->name) inst->name = 
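Review bot: The loop added in the hunk at -1163 runs `strtok()` on the configured `inst->python_path` string itself, because `memcpy(&p, &inst->python_path, sizeof(path))` copies only the pointer (presumably to drop a const qualifier); the first pass therefore overwrites every `:` with a NUL, leaving the stored setting with only its first entry for anything that reads it afterwards, and `strtok()` also keeps hidden static state. In the same block the results of `PyImport_ImportModule()` and `PyObject_GetAttrString()` are used unchecked, and `PyList_Append()` does not steal a reference, so every `PyUnicode_FromWideChar()` result is leaked. The `#else` branch passes one argument to `PyLong_FromString()`, which takes three and would produce an integer rather than a path string; it looks unreachable for Python 3 and could be dropped. The sketch below tokenises a private copy with `strtok_r()` and releases each entry. The enclosing function starts and ends outside the hunk, so how a failed `sys` import should be reported is left to the surrounding code.

```c
	if (inst->python_path) {
		char *copy, *path, *save = NULL;
		PyObject *sys = PyImport_ImportModule("sys");
		PyObject *sys_path = sys ? PyObject_GetAttrString(sys, "path") : NULL;

		/* strtok_r() writes NULs into its input: split a private copy, not the config value */
		MEM(copy = talloc_strdup(NULL, inst->python_path));

		for (path = strtok_r(copy, ":", &save); sys_path && path; path = strtok_r(NULL, ":", &save)) {
			wchar_t *py_path;
			PyObject *entry;

			/* … unchanged: #if/#elif choice between Py_DecodeLocale and _Py_char2wchar … */
			MEM(py_path = Py_DecodeLocale(path, NULL));
			entry = PyUnicode_FromWideChar(py_path, -1);
			PyMem_RawFree(py_path);
			if (!entry) break;

			PyList_Append(sys_path, entry);	/* the list takes its own reference */
			Py_DECREF(entry);
		}
		talloc_free(copy);

		if (sys_path) PyObject_SetAttrString(sys, "path", sys_path);
		Py_XDECREF(sys_path);
		Py_XDECREF(sys);
	}
```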
cf_section_name1(conf); +@@ -1245,8 +1236,10 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance) + PYTHON_FUNC_LOAD(preacct); + PYTHON_FUNC_LOAD(accounting); + PYTHON_FUNC_LOAD(checksimul); ++#ifdef WITH_PROXY + PYTHON_FUNC_LOAD(pre_proxy); + PYTHON_FUNC_LOAD(post_proxy); ++#endif + PYTHON_FUNC_LOAD(post_auth); + #ifdef WITH_COA + PYTHON_FUNC_LOAD(recv_coa); +@@ -1257,12 +1250,14 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance) + /* + * Call the instantiate function. + */ +- code = do_python_single(NULL, inst->instantiate.function, "instantiate", inst->pass_all_vps, inst->pass_all_vps_dict); +- if (code < 0) { +- error: +- python_error_log(); /* Needs valid thread with GIL */ +- PyEval_SaveThread(); +- return -1; ++ if (inst->instantiate.function) { ++ code = do_python_single(NULL, inst->instantiate.function, "instantiate", inst->pass_all_vps, inst->pass_all_vps_dict); ++ if (code < 0) { ++ error: ++ python_error_log(); /* Needs valid thread with GIL */ ++ PyEval_SaveThread(); ++ return -1; ++ } + } + PyEval_SaveThread(); + +@@ -1272,22 +1267,31 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance) + static int mod_detach(void *instance) + { + rlm_python_t *inst = instance; +- int ret; ++ int ret = RLM_MODULE_OK; + + /* + * Call module destructor + */ + PyEval_RestoreThread(inst->sub_interpreter); + +- ret = do_python_single(NULL, inst->detach.function, "detach", inst->pass_all_vps, inst->pass_all_vps_dict); ++ if (inst->detach.function) ret = do_python_single(NULL, inst->detach.function, "detach", inst->pass_all_vps, inst->pass_all_vps_dict); + + #define PYTHON_FUNC_DESTROY(_x) python_function_destroy(&inst->_x) + PYTHON_FUNC_DESTROY(instantiate); +- PYTHON_FUNC_DESTROY(authorize); + PYTHON_FUNC_DESTROY(authenticate); ++ PYTHON_FUNC_DESTROY(authorize); + PYTHON_FUNC_DESTROY(preacct); + PYTHON_FUNC_DESTROY(accounting); + PYTHON_FUNC_DESTROY(checksimul); ++#ifdef WITH_PROXY ++ PYTHON_FUNC_DESTROY(pre_proxy); ++ 
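Review bot: The `error:` label in mod_instantiate now sits two blocks deep, inside both `if (inst->instantiate.function)` and `if (code < 0)`, so any `goto error` issued earlier in the function jumps into the middle of a conditional body. No such jump is visible in this hunk; presumably it comes from the PYTHON_FUNC_LOAD macro. That is legal C but easy to break on the next edit; moving `python_error_log(); PyEval_SaveThread(); return -1;` to a labelled tail after the normal return path keeps the control flow flat. A short comment above the new guard, such as `/* instantiate is optional: only call it when the script defines it */`, would record the intent. The function body continues outside the hunk.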
PYTHON_FUNC_DESTROY(post_proxy); ++#endif ++ PYTHON_FUNC_DESTROY(post_auth); ++#ifdef WITH_COA ++ PYTHON_FUNC_DESTROY(recv_coa); ++ PYTHON_FUNC_DESTROY(send_coa); ++#endif + PYTHON_FUNC_DESTROY(detach); + + Py_DecRef(inst->pythonconf_dict); +@@ -1313,14 +1317,8 @@ static int mod_detach(void *instance) + PyThreadState_Swap(main_interpreter); /* Swap to the main thread */ + Py_Finalize(); + dlclose(python_dlhandle); +- +-#if PY_VERSION_HEX > 0x03050000 +- //if (inst->wide_name) PyMem_RawFree(inst->wide_name); +- //if (inst->wide_path) PyMem_RawFree(inst->wide_path); +-#endif + } + +- + return ret; + } + +@@ -1348,8 +1346,10 @@ module_t rlm_python3 = { + [MOD_PREACCT] = mod_preacct, + [MOD_ACCOUNTING] = mod_accounting, + [MOD_SESSION] = mod_checksimul, ++#ifdef WITH_PROXY + [MOD_PRE_PROXY] = mod_pre_proxy, + [MOD_POST_PROXY] = mod_post_proxy, ++#endif + [MOD_POST_AUTH] = mod_post_auth, + #ifdef WITH_COA + [MOD_RECV_COA] = mod_recv_coa, +-- +2.26.2 + diff --git a/SOURCES/freeradius-logrotate b/SOURCES/freeradius-logrotate new file mode 100644 index 0000000..e1e58be --- /dev/null +++ b/SOURCES/freeradius-logrotate 
@@ -0,0 +1,57 @@
+# You can use this to rotate the /var/log/radius/* files, simply copy
+# it to /etc/logrotate.d/radiusd
+
+# There are different detail-rotating strategies you can use. One is
+# to write to a single detail file per IP and use the rotate config
+# below. Another is to write to a daily detail file per IP with:
+# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+# (or similar) in radiusd.conf, without rotation. If you go with the
+# second technique, you will need another cron job that removes old
+# detail files. You do not need to comment out the below for method #2.
+/var/log/radius/radacct/*/detail {
+ monthly
+ rotate 4
+ nocreate
+ missingok
+ compress
+ su radiusd radiusd
+}
+
+/var/log/radius/checkrad.log {
+ monthly
+ rotate 4
+ create
+ missingok
+ compress
+ su radiusd radiusd
+}
+
+
+/var/log/radius/radius.log {
+ monthly
+ rotate 4
+ create
+ missingok
+ compress
+ su radiusd radiusd
+ postrotate
+ /usr/bin/systemctl reload-or-try-restart radiusd
+ endscript
+}
+
+/var/log/radius/radwtmp {
+ monthly
+ rotate 4
+ create
+ compress
+ missingok
+ su radiusd radiusd
+}
+/var/log/radius/sqltrace.sql {
+ monthly
+ rotate 4
+ create
+ compress
+ missingok
+ su radiusd radiusd
+}
diff --git a/SOURCES/freeradius-no-buildtime-cert-gen.patch b/SOURCES/freeradius-no-buildtime-cert-gen.patch
new file mode 100644
index 0000000..aa3be66
--- /dev/null
+++ b/SOURCES/freeradius-no-buildtime-cert-gen.patch
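Review bot: The four stanzas that use a bare `create` (checkrad.log, radius.log, radwtmp, sqltrace.sql) let logrotate copy mode and owner from the file being rotated, so whatever permissions the old log happened to have are carried forward. RADIUS logs can hold usernames and request details, so pinning the result, e.g. `create 0600 radiusd radiusd`, makes the intended access explicit and matches the 600 mode the spec in this commit declares for radius.log. The header comment still tells the reader to copy the file to /etc/logrotate.d/radiusd by hand, while the spec installs it there, so that sentence could be reworded.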
@@ -0,0 +1,104 @@ +From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Wed, 8 May 2019 12:58:02 -0400 +Subject: [PATCH] Don't generate certificates in reproducible builds + +Signed-off-by: Alexander Scheel +--- + Make.inc.in | 5 +++++ + configure | 4 ++++ + configure.ac | 3 +++ + raddb/all.mk | 4 ++++ + 4 files changed, 16 insertions(+) + +diff --git a/Make.inc.in b/Make.inc.in +index 0b2cd74de8..8c623cf95c 100644 +--- a/Make.inc.in ++++ b/Make.inc.in +@@ -173,3 +173,8 @@ else + TESTBINDIR = ./$(BUILD_DIR)/bin + TESTBIN = ./$(BUILD_DIR)/bin + endif ++ ++# ++# With reproducible builds, do not generate certificates during installation ++# ++ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@ +diff --git a/configure b/configure +index c2c599c92b..3d4403a844 100755 +--- a/configure ++++ b/configure +@@ -655,6 +655,7 @@ RUSERS + SNMPWALK + SNMPGET + PERL ++ENABLE_REPRODUCIBLE_BUILDS + openssl_version_check_config + WITH_DHCP + modconfdir +@@ -5586,6 +5587,7 @@ else + fi + + ++ENABLE_REPRODUCIBLE_BUILDS=yes + # Check whether --enable-reproducible-builds was given. + if test "${enable_reproducible_builds+set}" = set; then : + enableval=$enable_reproducible_builds; case "$enableval" in +@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h + ;; + *) + reproducible_builds=no ++ ENABLE_REPRODUCIBLE_BUILDS=no + esac + + fi +@@ -5604,6 +5607,7 @@ fi + + + ++ + CHECKRAD=checkrad + # Extract the first word of "perl", so it can be a program name with args. 
+ set dummy perl; ac_word=$2 +diff --git a/configure.ac b/configure.ac +index a7abf0025a..35b013f4af 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config]) + dnl # + dnl # extra argument: --enable-reproducible-builds + dnl # ++ENABLE_REPRODUCIBLE_BUILDS=yes + AC_ARG_ENABLE(reproducible-builds, + [AS_HELP_STRING([--enable-reproducible-builds], + [ensure the build does not change each time])], +@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds, + ;; + *) + reproducible_builds=no ++ ENABLE_REPRODUCIBLE_BUILDS=no + esac ] + ) ++AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS) + + + dnl ############################################################# +diff --git a/raddb/all.mk b/raddb/all.mk +index c966edd657..c8e976a499 100644 +--- a/raddb/all.mk ++++ b/raddb/all.mk +@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize + ifneq "$(LOCAL_CERT_PRODUCTS)" "" + $(LOCAL_CERT_PRODUCTS): + @echo BOOTSTRAP raddb/certs/ ++ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes" ++ @$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk ++else + @$(MAKE) -C $(R)$(raddbdir)/certs/ ++endif + + # Bootstrap is special + $(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS) +-- +2.21.0 + diff --git a/SOURCES/freeradius-pam-conf b/SOURCES/freeradius-pam-conf new file mode 100644 index 0000000..090c4a5 --- /dev/null +++ b/SOURCES/freeradius-pam-conf @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include password-auth +account required pam_nologin.so +account include password-auth +password include password-auth +session include password-auth diff --git a/SOURCES/freeradius-tmpfiles.conf b/SOURCES/freeradius-tmpfiles.conf new file mode 100644 index 0000000..8f20796 --- /dev/null +++ b/SOURCES/freeradius-tmpfiles.conf @@ -0,0 +1 @@ +D /run/radiusd 0710 radiusd radiusd - diff --git a/SOURCES/radiusd.service b/SOURCES/radiusd.service new file mode 100644 index 0000000..f545280 --- /dev/null +++ b/SOURCES/radiusd.service 
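Review bot: `ENABLE_REPRODUCIBLE_BUILDS=yes` is assigned before `AC_ARG_ENABLE(reproducible-builds, …)` in configure.ac (and in the generated configure) and is only reset to `no` in the `*)` arm, so a build that passes no flag at all still ends up with `yes`. raddb/all.mk then takes the `passwords.mk`-only branch and skips certificate generation even though reproducible builds were never requested, which contradicts the comment added to Make.inc.in. Initialising with `ENABLE_REPRODUCIBLE_BUILDS=no` and setting `ENABLE_REPRODUCIBLE_BUILDS=yes` in the `yes)` arm would tie the Makefile variable to the option. The default of `reproducible_builds` itself is outside the visible context, so this should be confirmed against the full configure.ac.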
@@ -0,0 +1,15 @@
+[Unit]
+Description=FreeRADIUS high performance RADIUS server.
+After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/radiusd/radiusd.pid
+ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=/usr/sbin/radiusd -C
+ExecStart=/usr/sbin/radiusd -d /etc/raddb
+ExecReload=/usr/sbin/radiusd -C
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec
new file mode 100644
index 0000000..4555d6a
--- /dev/null
+++ b/SPECS/freeradius.spec
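Review bot: `ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd` runs as root and recurses through a directory that the service account itself can write to, a pattern worth avoiding in the unit of a network-facing daemon. The tmpfiles.d entry added in this same commit already creates `/run/radiusd` as `0710 radiusd radiusd`, so the recursive chown looks redundant and could be dropped. If it has to stay, `radiusd:radiusd` is the supported separator and `/run/radiusd` the non-legacy path, which also applies to `PIDFile=`. The unit sets no sandboxing directives; `NoNewPrivileges=yes` and `ProtectSystem=full` are candidates to test against what radiusd and its modules need at runtime.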
@@ -0,0 +1,2437 @@ +%if 0%{?rhel} > 7 +# Disable python2 build by default +%bcond_with python2 +%else +%bcond_without python2 +%endif + + +Summary: High-performance and highly configurable free RADIUS server +Name: freeradius +Version: 3.0.20 +Release: 1%{?dist} +License: GPLv2+ and LGPLv2+ +Group: System Environment/Daemons +URL: http://www.freeradius.org/ + +# Is elliptic curve cryptography supported? +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 20 +%global HAVE_EC_CRYPTO 1 +%else +%global HAVE_EC_CRYPTO 0 +%endif + +%global dist_base freeradius-server-%{version} + +Source0: ftp://ftp.freeradius.org/pub/radius/%{dist_base}.tar.bz2 +Source100: radiusd.service +Source102: freeradius-logrotate +Source103: freeradius-pam-conf +Source104: freeradius-tmpfiles.conf + +Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch +Patch2: freeradius-Use-system-crypto-policy-by-default.patch +Patch3: freeradius-bootstrap-create-only.patch +Patch4: freeradius-no-buildtime-cert-gen.patch +Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch + +%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} + +BuildRequires: autoconf +BuildRequires: make +BuildRequires: gcc +BuildRequires: gdbm-devel +BuildRequires: openssl +BuildRequires: openssl-devel +BuildRequires: pam-devel +BuildRequires: zlib-devel +BuildRequires: net-snmp-devel +BuildRequires: net-snmp-utils +BuildRequires: readline-devel +BuildRequires: libpcap-devel +BuildRequires: systemd-units +BuildRequires: libtalloc-devel +BuildRequires: pcre-devel + +%if ! 0%{?rhel} +BuildRequires: libyubikey-devel +BuildRequires: ykclient-devel +%endif + +# Require OpenSSL version we built with, or newer, to avoid startup failures +# due to runtime OpenSSL version checks. 
+Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl) +Requires(pre): shadow-utils glibc-common +Requires(post): systemd-sysv +Requires(post): systemd-units +# Needed for certificate generation +Requires(post): make +Requires(preun): systemd-units +Requires(postun): systemd-units + +%description +The FreeRADIUS Server Project is a high performance and highly configurable +GPL'd free RADIUS server. The server is similar in some respects to +Livingston's 2.0 server. While FreeRADIUS started as a variant of the +Cistron RADIUS server, they don't share a lot in common any more. It now has +many more features than Cistron or Livingston, and is much more configurable. + +FreeRADIUS is an Internet authentication daemon, which implements the RADIUS +protocol, as defined in RFC 2865 (and others). It allows Network Access +Servers (NAS boxes) to perform authentication for dial-up users. There are +also RADIUS clients available for Web servers, firewalls, Unix logins, and +more. Using RADIUS allows authentication and authorization for a network to +be centralized, and minimizes the amount of re-configuration which has to be +done when adding or deleting new users. + +%package doc +Group: Documentation +Summary: FreeRADIUS documentation + +%description doc +All documentation supplied by the FreeRADIUS project is included +in this package. + +%package utils +Group: System Environment/Daemons +Summary: FreeRADIUS utilities +Requires: %{name} = %{version}-%{release} +Requires: libpcap >= 0.9.4 + +%description utils +The FreeRADIUS server has a number of features found in other servers, +and additional features not found in any other server. Rather than +doing a feature by feature comparison, we will simply list the features +of the server, and let you decide if they satisfy your needs. 
+ +Support for RFC and VSA Attributes Additional server configuration +attributes Selecting a particular configuration Authentication methods + +%package devel +Group: System Environment/Daemons +Summary: FreeRADIUS development files +Requires: %{name} = %{version}-%{release} + +%description devel +Development headers and libraries for FreeRADIUS. + +%package ldap +Summary: LDAP support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: openldap-devel + +%description ldap +This plugin provides the LDAP support for the FreeRADIUS server project. + +%package krb5 +Summary: Kerberos 5 support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: krb5-devel + +%description krb5 +This plugin provides the Kerberos 5 support for the FreeRADIUS server project. + +%package perl +Summary: Perl support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +%{?fedora:BuildRequires: perl-devel} +BuildRequires: perl-devel +BuildRequires: perl-generators +BuildRequires: perl(ExtUtils::Embed) + +%description perl +This plugin provides the Perl support for the FreeRADIUS server project. + +%if %{with python2} +%package -n python2-freeradius +Summary: Python 2 support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: python2-devel +%{?python_provide:%python_provide python2-freeradius} +# Remove before F30 +Provides: %{name}-python = %{version}-%{release} +Provides: %{name}-python%{?_isa} = %{version}-%{release} +Obsoletes: %{name}-python < %{version}-%{release} + +%description -n python2-freeradius +This plugin provides the Python 2 support for the FreeRADIUS server project. 
+# endif: with python2 +%endif + +%package -n python3-freeradius +Summary: Python 3 support for freeradius +Requires: %{name} = %{version}-%{release} +BuildRequires: python3-devel +%{?python_provide:%python_provide python3-freeradius} + +%description -n python3-freeradius +This plugin provides the Python 3 support for the FreeRADIUS server project. + +%package mysql +Summary: MySQL support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: mariadb-connector-c-devel + +%description mysql +This plugin provides the MySQL support for the FreeRADIUS server project. + +%package postgresql +Summary: Postgresql support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: postgresql-devel + +%description postgresql +This plugin provides the postgresql support for the FreeRADIUS server project. + +%package sqlite +Summary: SQLite support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: sqlite-devel + +%description sqlite +This plugin provides the SQLite support for the FreeRADIUS server project. + +%package unixODBC +Summary: Unix ODBC support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: unixODBC-devel + +%description unixODBC +This plugin provides the unixODBC support for the FreeRADIUS server project. + +%package rest +Summary: REST support for freeradius +Group: System Environment/Daemons +Requires: %{name} = %{version}-%{release} +BuildRequires: libcurl-devel +BuildRequires: json-c-devel + +%description rest +This plugin provides the REST support for the FreeRADIUS server project. + +%prep +%setup -q -n %{dist_base} +# Note: We explicitly do not make patch backup files because 'make install' +# mistakenly includes the backup files, especially problematic for raddb config files. 
+%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 + +%build +# Force compile/link options, extra security for network facing daemon +%global _hardened_build 1 + +# Hack: rlm_python3 as stable; prevents building other unstable modules. +sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i + +# python3-config is broken: +# https://bugzilla.redhat.com/show_bug.cgi?id=1772988 +export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')" +export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')" + +%configure \ + --libdir=%{_libdir}/freeradius \ + --enable-reproducible-builds \ + --disable-openssl-version-check \ + --with-openssl \ + --with-udpfromto \ + --with-threads \ + --with-docdir=%{docdir} \ + --with-rlm-sql_postgresql-include-dir=/usr/include/pgsql \ + --with-rlm-sql-postgresql-lib-dir=%{_libdir} \ + --with-rlm-sql_mysql-include-dir=/usr/include/mysql \ + --with-mysql-lib-dir=%{_libdir}/mariadb \ + --with-unixodbc-lib-dir=%{_libdir} \ + --with-rlm-dbm-lib-dir=%{_libdir} \ + --with-rlm-krb5-include-dir=/usr/kerberos/include \ + --with-rlm_python3 \ + --with-rlm-python3-lib-dir=$PY3_LIB_DIR \ + --with-rlm-python3-include-dir=$PY3_INC_DIR \ +%if %{without python2} + --without-rlm-python2 \ +%endif + --without-rlm_eap_ikev2 \ + --without-rlm_eap_tnc \ + --without-rlm_sql_iodbc \ + --without-rlm_sql_firebird \ + --without-rlm_sql_db2 \ + --without-rlm_sql_oracle \ + --without-rlm_unbound \ + --without-rlm_redis \ + --without-rlm_rediswho \ + --without-rlm_cache_memcached + +make + +%install +mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/radiusd +make install R=$RPM_BUILD_ROOT + +# logs +mkdir -p $RPM_BUILD_ROOT/var/log/radius/radacct +touch $RPM_BUILD_ROOT/var/log/radius/{radutmp,radius.log} + +install -D -m 644 %{SOURCE100} $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service +install -D -m 644 %{SOURCE102} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/radiusd +install -D -m 644 %{SOURCE103} 
$RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/radiusd + +mkdir -p %{buildroot}%{_tmpfilesdir} +mkdir -p %{buildroot}%{_localstatedir}/run/ +install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/ +install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp +install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf + +# install SNMP MIB files +mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ +install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ + +# remove unneeded stuff +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.csr +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.der +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.key +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.pem +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.p12 +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/index.* +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/serial* +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/dh +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/random + +rm -f $RPM_BUILD_ROOT/usr/sbin/rc.radiusd +rm -f $RPM_BUILD_ROOT/usr/bin/rbmonkey +rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.a +rm -rf $RPM_BUILD_ROOT/%{_libdir}/freeradius/*.la + +rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/mssql + +rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool/oracle +rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/ippool-dhcp/oracle +rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle +rm -r $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/moonshot-targeted-ids + +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/unbound +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/unbound/default.conf +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/couchbase +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/abfab* +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/moonshot-targeted-ids +rm 
$RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/abfab* +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/moonshot-targeted-ids +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab* + +rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so + +# Remove yubikey on RHEL +%if 0%{?rhel} +rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey +rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so +%endif + +# remove unsupported config files +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf + +# Mongo will never be supported on Fedora or RHEL +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries.conf +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf + +# install doc files omitted by standard install +for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do + cp $f $RPM_BUILD_ROOT/%{docdir} +done +cp LICENSE $RPM_BUILD_ROOT/%{docdir}/LICENSE.gpl +cp src/lib/LICENSE $RPM_BUILD_ROOT/%{docdir}/LICENSE.lgpl +cp src/LICENSE.openssl $RPM_BUILD_ROOT/%{docdir}/LICENSE.openssl + +# add Red Hat specific documentation +cat >> $RPM_BUILD_ROOT/%{docdir}/REDHAT << EOF + +Red Hat, RHEL, Fedora, and CentOS specific information can be found on the +FreeRADIUS Wiki in the Red Hat FAQ. + +http://wiki.freeradius.org/guide/Red-Hat-FAQ + +Please reference that document. + +All documentation is in the freeradius-doc sub-package. + +EOF + + +# Make sure our user/group is present prior to any package or subpackage installation +%pre +getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1 +getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" -d %{_localstatedir}/lib/radiusd -s /sbin/nologin radiusd > /dev/null 2>&1 +exit 0 + +%post +%systemd_post radiusd.service +if [ $1 -eq 1 ]; then # install + # Initial installation + if [ ! 
-e /etc/raddb/certs/server.pem ]; then + /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1 + fi +fi +exit 0 + +%preun +%systemd_preun radiusd.service + +%postun +%systemd_postun_with_restart radiusd.service +if [ $1 -eq 0 ]; then # uninstall + getent passwd radiusd >/dev/null && /usr/sbin/userdel radiusd > /dev/null 2>&1 + getent group radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1 +fi +exit 0 + +/bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || : + + +%files +%defattr(-,root,root) + +# doc +%license %{docdir}/LICENSE.gpl +%license %{docdir}/LICENSE.lgpl +%license %{docdir}/LICENSE.openssl +%doc %{docdir}/REDHAT + +# system +%config(noreplace) %{_sysconfdir}/pam.d/radiusd +%config(noreplace) %{_sysconfdir}/logrotate.d/radiusd +%{_unitdir}/radiusd.service +%{_tmpfilesdir}/radiusd.conf +%dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd +%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp +%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd + +# configs (raddb) +%dir %attr(755,root,radiusd) /etc/raddb +%defattr(-,root,radiusd) +/etc/raddb/README.rst +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/panic.gdb + +%attr(644,root,radiusd) %config(noreplace) /etc/raddb/dictionary +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/clients.conf + +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/templates.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/trigger.conf + +# symlink: /etc/raddb/hints -> ./mods-config/preprocess/hints +%config /etc/raddb/hints + +# symlink: /etc/raddb/huntgroups -> ./mods-config/preprocess/huntgroups +%config /etc/raddb/huntgroups + +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/proxy.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/radiusd.conf + +# symlink: /etc/raddb/users -> ./mods-config/files/authorize +%config(noreplace) /etc/raddb/users + +# certs +%dir %attr(770,root,radiusd) /etc/raddb/certs 
+%config(noreplace) /etc/raddb/certs/Makefile +%config(noreplace) /etc/raddb/certs/passwords.mk +/etc/raddb/certs/README +%config(noreplace) /etc/raddb/certs/xpextensions +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf +%attr(750,root,radiusd) /etc/raddb/certs/bootstrap + +# mods-config +%dir %attr(750,root,radiusd) /etc/raddb/mods-config +/etc/raddb/mods-config/README.rst +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/attr_filter +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/attr_filter/* +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/files +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/files/* +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/preprocess +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/preprocess/* + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main + +# sites-available +%dir %attr(750,root,radiusd) /etc/raddb/sites-available +/etc/raddb/sites-available/README +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/control-socket +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/decoupled-accounting +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/soh +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa-relay +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/example +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/inner-tunnel 
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dhcp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/check-eap-tls +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/status +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dhcp.relay +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/virtual.example.com +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/originate-coa +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/vmps +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/default +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/proxy-inner-tunnel +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dynamic-clients +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/copy-acct-to-home-server +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/buffered-sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/channel_bindings +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/challenge + +# sites-enabled +# symlink: /etc/raddb/sites-enabled/xxx -> ../sites-available/xxx +%dir %attr(750,root,radiusd) /etc/raddb/sites-enabled +%config(missingok) /etc/raddb/sites-enabled/inner-tunnel +%config(missingok) /etc/raddb/sites-enabled/default + +# mods-available +%dir %attr(750,root,radiusd) /etc/raddb/mods-available +/etc/raddb/mods-available/README.rst +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/always +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/attr_filter +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_eap +%attr(640,root,radiusd) %config(noreplace) 
/etc/raddb/mods-available/chap +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/counter +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cui +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/date +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.example.com +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/detail.log +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_sqlippool +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/digest +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dynamic_clients +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/eap +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/echo +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/etc_group +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/exec +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/expiration +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/expr +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/files +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/idn +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/inner-eap +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ippool +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/linelog +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/logintime +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mac2ip +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mac2vlan +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/mschap 
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ntlm_auth +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/opendirectory +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/otp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pam +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/preprocess +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python3 +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/radutmp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/realm +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/redis +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rediswho +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/replicate +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/smbpasswd +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/smsotp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/soh +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sometimes +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlcounter +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sqlippool +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sradutmp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unix +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/unpack +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8 +%attr(640,root,radiusd) %config(noreplace) 
/etc/raddb/mods-available/wimax
+
+%if ! 0%{?rhel}
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey
+%endif
+
+# mods-enabled
+# symlink: /etc/raddb/mods-enabled/xxx -> ../mods-available/xxx
+%dir %attr(750,root,radiusd) /etc/raddb/mods-enabled
+%config(missingok) /etc/raddb/mods-enabled/always
+%config(missingok) /etc/raddb/mods-enabled/attr_filter
+%config(missingok) /etc/raddb/mods-enabled/cache_eap
+%config(missingok) /etc/raddb/mods-enabled/chap
+%config(missingok) /etc/raddb/mods-enabled/date
+%config(missingok) /etc/raddb/mods-enabled/detail
+%config(missingok) /etc/raddb/mods-enabled/detail.log
+%config(missingok) /etc/raddb/mods-enabled/digest
+%config(missingok) /etc/raddb/mods-enabled/dynamic_clients
+%config(missingok) /etc/raddb/mods-enabled/eap
+%config(missingok) /etc/raddb/mods-enabled/echo
+%config(missingok) /etc/raddb/mods-enabled/exec
+%config(missingok) /etc/raddb/mods-enabled/expiration
+%config(missingok) /etc/raddb/mods-enabled/expr
+%config(missingok) /etc/raddb/mods-enabled/files
+%config(missingok) /etc/raddb/mods-enabled/linelog
+%config(missingok) /etc/raddb/mods-enabled/logintime
+%config(missingok) /etc/raddb/mods-enabled/mschap
+%config(missingok) /etc/raddb/mods-enabled/ntlm_auth
+%config(missingok) /etc/raddb/mods-enabled/pap
+%config(missingok) /etc/raddb/mods-enabled/passwd
+%config(missingok) /etc/raddb/mods-enabled/preprocess
+%config(missingok) /etc/raddb/mods-enabled/radutmp
+%config(missingok) /etc/raddb/mods-enabled/realm
+%config(missingok) /etc/raddb/mods-enabled/replicate
+%config(missingok) /etc/raddb/mods-enabled/soh
+%config(missingok) /etc/raddb/mods-enabled/sradutmp
+%config(missingok) /etc/raddb/mods-enabled/unix
+%config(missingok) /etc/raddb/mods-enabled/unpack
+%config(missingok) /etc/raddb/mods-enabled/utf8
+
+# policy
+%dir %attr(750,root,radiusd) /etc/raddb/policy.d
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/accounting
+%attr(640,root,radiusd)
%config(noreplace) /etc/raddb/policy.d/canonicalization
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/control
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/cui
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/debug
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/dhcp
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/eap
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/filter
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/operator-name
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/rfc7542
+
+
+# binaries
+%defattr(-,root,root)
+/usr/sbin/checkrad
+/usr/sbin/raddebug
+/usr/sbin/radiusd
+/usr/sbin/radmin
+
+# dictionaries
+%dir %attr(755,root,root) /usr/share/freeradius
+/usr/share/freeradius/*
+
+# logs
+%dir %attr(700,radiusd,radiusd) /var/log/radius/
+%dir %attr(700,radiusd,radiusd) /var/log/radius/radacct/
+%ghost %attr(644,radiusd,radiusd) /var/log/radius/radutmp
+%ghost %attr(600,radiusd,radiusd) /var/log/radius/radius.log
+
+# libs
+%attr(755,root,root) %{_libdir}/freeradius/lib*.so*
+
+# loadable modules
+%dir %attr(755,root,root) %{_libdir}/freeradius
+%{_libdir}/freeradius/proto_dhcp.so
+%{_libdir}/freeradius/proto_vmps.so
+%{_libdir}/freeradius/rlm_always.so
+%{_libdir}/freeradius/rlm_attr_filter.so
+%{_libdir}/freeradius/rlm_cache.so
+%{_libdir}/freeradius/rlm_cache_rbtree.so
+%{_libdir}/freeradius/rlm_chap.so
+%{_libdir}/freeradius/rlm_counter.so
+%{_libdir}/freeradius/rlm_cram.so
+%{_libdir}/freeradius/rlm_date.so
+%{_libdir}/freeradius/rlm_detail.so
+%{_libdir}/freeradius/rlm_dhcp.so
+%{_libdir}/freeradius/rlm_digest.so
+%{_libdir}/freeradius/rlm_dynamic_clients.so
+%{_libdir}/freeradius/rlm_eap.so
+%{_libdir}/freeradius/rlm_eap_fast.so
+%{_libdir}/freeradius/rlm_eap_gtc.so
+%{_libdir}/freeradius/rlm_eap_leap.so
+%{_libdir}/freeradius/rlm_eap_md5.so
+%{_libdir}/freeradius/rlm_eap_mschapv2.so
+%{_libdir}/freeradius/rlm_eap_peap.so
+%if %{HAVE_EC_CRYPTO}
+%{_libdir}/freeradius/rlm_eap_pwd.so
+%endif
+%{_libdir}/freeradius/rlm_eap_sim.so
+%{_libdir}/freeradius/rlm_eap_tls.so
+%{_libdir}/freeradius/rlm_eap_ttls.so
+%{_libdir}/freeradius/rlm_exec.so
+%{_libdir}/freeradius/rlm_expiration.so
+%{_libdir}/freeradius/rlm_expr.so
+%{_libdir}/freeradius/rlm_files.so
+%{_libdir}/freeradius/rlm_ippool.so
+%{_libdir}/freeradius/rlm_linelog.so
+%{_libdir}/freeradius/rlm_logintime.so
+%{_libdir}/freeradius/rlm_mschap.so
+%{_libdir}/freeradius/rlm_otp.so
+%{_libdir}/freeradius/rlm_pam.so
+%{_libdir}/freeradius/rlm_pap.so
+%{_libdir}/freeradius/rlm_passwd.so
+%{_libdir}/freeradius/rlm_preprocess.so
+%{_libdir}/freeradius/rlm_radutmp.so
+%{_libdir}/freeradius/rlm_realm.so
+%{_libdir}/freeradius/rlm_replicate.so
+%{_libdir}/freeradius/rlm_soh.so
+%{_libdir}/freeradius/rlm_sometimes.so
+%{_libdir}/freeradius/rlm_sql.so
+%{_libdir}/freeradius/rlm_sqlcounter.so
+%{_libdir}/freeradius/rlm_sqlippool.so
+%{_libdir}/freeradius/rlm_sql_null.so
+%{_libdir}/freeradius/rlm_unix.so
+%{_libdir}/freeradius/rlm_unpack.so
+%{_libdir}/freeradius/rlm_utf8.so
+%{_libdir}/freeradius/rlm_wimax.so
+
+%if !
0%{?rhel}
+%{_libdir}/freeradius/rlm_yubikey.so
+%endif
+
+# main man pages
+%doc %{_mandir}/man5/clients.conf.5.gz
+%doc %{_mandir}/man5/dictionary.5.gz
+%doc %{_mandir}/man5/radiusd.conf.5.gz
+%doc %{_mandir}/man5/radrelay.conf.5.gz
+%doc %{_mandir}/man5/rlm_always.5.gz
+%doc %{_mandir}/man5/rlm_attr_filter.5.gz
+%doc %{_mandir}/man5/rlm_chap.5.gz
+%doc %{_mandir}/man5/rlm_counter.5.gz
+%doc %{_mandir}/man5/rlm_detail.5.gz
+%doc %{_mandir}/man5/rlm_digest.5.gz
+%doc %{_mandir}/man5/rlm_expr.5.gz
+%doc %{_mandir}/man5/rlm_files.5.gz
+%doc %{_mandir}/man5/rlm_idn.5.gz
+%doc %{_mandir}/man5/rlm_mschap.5.gz
+%doc %{_mandir}/man5/rlm_pap.5.gz
+%doc %{_mandir}/man5/rlm_passwd.5.gz
+%doc %{_mandir}/man5/rlm_realm.5.gz
+%doc %{_mandir}/man5/rlm_sql.5.gz
+%doc %{_mandir}/man5/rlm_unix.5.gz
+%doc %{_mandir}/man5/unlang.5.gz
+%doc %{_mandir}/man5/users.5.gz
+%doc %{_mandir}/man8/raddebug.8.gz
+%doc %{_mandir}/man8/radiusd.8.gz
+%doc %{_mandir}/man8/radmin.8.gz
+%doc %{_mandir}/man8/radrelay.8.gz
+
+# MIB files
+%{_datadir}/snmp/mibs/*RADIUS*.mib
+
+%files doc
+
+%doc %{docdir}/
+
+
+%files utils
+/usr/bin/*
+
+# utils man pages
+%doc %{_mandir}/man1/radclient.1.gz
+%doc %{_mandir}/man1/radeapclient.1.gz
+%doc %{_mandir}/man1/radlast.1.gz
+%doc %{_mandir}/man1/radtest.1.gz
+%doc %{_mandir}/man1/radwho.1.gz
+%doc %{_mandir}/man1/radzap.1.gz
+%doc %{_mandir}/man1/rad_counter.1.gz
+%doc %{_mandir}/man1/smbencrypt.1.gz
+%doc %{_mandir}/man1/dhcpclient.1.gz
+%doc %{_mandir}/man5/checkrad.5.gz
+%doc %{_mandir}/man8/radcrypt.8.gz
+%doc %{_mandir}/man8/radsniff.8.gz
+%doc %{_mandir}/man8/radsqlrelay.8.gz
+%doc %{_mandir}/man8/rlm_ippool_tool.8.gz
+
+%files devel
+/usr/include/freeradius
+
+%files krb5
+%{_libdir}/freeradius/rlm_krb5.so
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/krb5
+
+%files perl
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/perl
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/perl
+%attr(640,root,radiusd)
/etc/raddb/mods-config/perl/example.pl
+
+%{_libdir}/freeradius/rlm_perl.so
+
+%if %{with python2}
+%files -n python2-freeradius
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python
+/etc/raddb/mods-config/python/example.py*
+/etc/raddb/mods-config/python/radiusd.py*
+%{_libdir}/freeradius/rlm_python.so
+# endif: with python2
+%endif
+
+%files -n python3-freeradius
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python3
+/etc/raddb/mods-config/python3/example.py*
+/etc/raddb/mods-config/python3/radiusd.py*
+%{_libdir}/freeradius/rlm_python3.so
+
+%files mysql
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/mysql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
+
+%dir %attr(750,root,radiusd)
/etc/raddb/mods-config/sql/main/mysql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql/extras/wimax
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/ndb
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/ndb/setup.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/ndb/schema.sql
+/etc/raddb/mods-config/sql/main/ndb/README
+
+%{_libdir}/freeradius/rlm_sql_mysql.so
+
+%files postgresql
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/postgresql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/dailycounter.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/postgresql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/postgresql/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/postgresql/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/postgresql
+%attr(640,root,radiusd) %config(noreplace)
/etc/raddb/mods-config/sql/ippool/postgresql/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/schema.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/procedure.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/cisco_h323_db_schema.sql
+
+%{_libdir}/freeradius/rlm_sql_postgresql.so
+
+%files sqlite
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/sqlite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/dailycounter.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/sqlite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/sqlite/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/sqlite/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/sqlite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/sqlite/queries.conf
+%attr(640,root,radiusd) %config(noreplace)
/etc/raddb/mods-config/sql/ippool/sqlite/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/sqlite/schema.sql
+
+%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/queries.conf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/schema.sql
+
+%{_libdir}/freeradius/rlm_sql_sqlite.so
+
+%files ldap
+%{_libdir}/freeradius/rlm_ldap.so
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ldap
+
+%files unixODBC
+%{_libdir}/freeradius/rlm_sql_unixodbc.so
+
+%files rest
+%{_libdir}/freeradius/rlm_rest.so
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
+
+%changelog
+* Mon Jun 08 2020 Alexander Scheel - 3.0.20-1
+- Update to FreeRADIUS server version 3.0.20
+- Introduce Python 3 support; resolves: bz#1623069
+- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809
+- Create tmp files in /run; resolves: bz#1805975
+
+* Fri Nov 22 2019 Alexander Scheel - 3.0.17-7
+- Fix information leak due to aborting when needing more than 10 iterations
+ Resolves: bz#1751797
+
+* Fri Jun 14 2019 Alexander Scheel - 3.0.17-6
+- Fix handling of IPv6-only hostnames with listen.ipaddr
+ Resolves: bz#1685546
+
+* Fri Jun 14 2019 Alexander Scheel - 3.0.17-5
+- Fix possible privilege escalation due to insecure logrotate configuration
+ Resolves: bz#1719369
+
+* Fri Dec 14 2018 Alexander Scheel - 3.0.17-4
+- Fixes two EAP-PWD security issues
+ Resolves: bz#1699417 authentication bypass with an invalid curve attack
+ Resolves: bz#1699421 fake authentication using reflection
+
+* Fri Dec 14 2018 Alexander Scheel - 3.0.17-2
+- Updates radiusd.service to start after network-online.target
+
Resolves: bz#1637275
+
+* Thu Oct 18 2018 Alexander Scheel - 3.0.17-1
+- Update to FreeRADIUS server version 3.0.17
+- Adds OpenSSL HMAC patches from upstream (unreleased)
+- Adds Python2 shebang patches from upstream (unreleased)
+
+* Mon Sep 17 2018 Nikolai Kondrashov - 3.0.15-18
+- Actually apply patches added previously.
+ Related: Bug#1612512 Man page scan results for freeradius
+
+* Fri Sep 14 2018 Nikolai Kondrashov - 3.0.15-17
+- Fix a few minor manpage issues.
+ Resolves: Bug#1612512 Man page scan results for freeradius
+
+* Wed Sep 12 2018 Nikolai Kondrashov - 3.0.15-16
+- Add make to Requires(post) to fix certificate generation on install.
+ Resolves: Bug#1628213 FreeRADIUS fails to start due to default certificate
+ permissions
+
+* Mon Jul 30 2018 Florian Weimer - 3.0.15-15
+- Rebuild with fixed binutils
+
+* Wed Jul 25 2018 Petr Kubat - 3.0.15-14
+- Rebuilt for gdbm
+
+* Mon Jun 11 2018 Charalampos Stratakis - 3.0.15-13
+- Disable the python2 subpackage
+
+* Tue Mar 06 2018 Björn Esser - 3.0.15-12
+- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
+
+* Fri Feb 09 2018 Igor Gnatenko - 3.0.15-11
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Fedora Release Engineering - 3.0.15-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Jan 20 2018 Björn Esser - 3.0.15-9
+- Rebuilt for switch to libxcrypt
+
+* Fri Jan 05 2018 Iryna Shcherbina - 3.0.15-8
+- Update Python 2 dependency declarations to new packaging standards
+ (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Sun Dec 10 2017 Björn Esser - 3.0.15-7
+- Rebuilt for libjson-c.so.3
+
+* Thu Oct 26 2017 Nikolai Kondrashov - 3.0.15-6
+- Use mariadb-connector-c-devel instead of mysql-devel or mariadb-devel
+ Resolves: Bug#1493904 Use mariadb-connector-c-devel instead of mysql-devel
+ or mariadb-devel
+
+* Sun Aug 20 2017 Zbigniew Jędrzejewski-Szmek - 3.0.15-5
+- Add Provides for the old name without %%_isa
+
+* Sat Aug 19 2017 Zbigniew
Jędrzejewski-Szmek - 3.0.15-4
+- Python 2 binary package renamed to python2-freeradius
+ See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Wed Aug 02 2017 Fedora Release Engineering - 3.0.15-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 3.0.15-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jul 18 2017 Nikolai Kondrashov - 3.0.15-1
+- Upgrade to upstream v3.0.15 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+- Resolves: Bug#1471848 CVE-2017-10978 freeradius: Out-of-bounds read/write
+ due to improper output buffer size check in
+ make_secret()
+- Resolves: Bug#1471860 CVE-2017-10983 freeradius: Out-of-bounds read in
+ fr_dhcp_decode() when decoding option 63
+- Resolves: Bug#1471861 CVE-2017-10984 freeradius: Out-of-bounds write in
+ data2vp_wimax()
+- Resolves: Bug#1471863 CVE-2017-10985 freeradius: Infinite loop and memory
+ exhaustion with 'concat' attributes
+- Resolves: Bug#1471864 CVE-2017-10986 freeradius: Infinite read in
+ dhcp_attr2vp()
+- Resolves: Bug#1471865 CVE-2017-10987 freeradius: Buffer over-read in
+ fr_dhcp_decode_suboptions()
+- Resolves: Bug#1456220 freeradius-3.0.15 is available
+
+* Thu Jul 13 2017 Nikolai Kondrashov - 3.0.14-3
+- Rebuild with updated MySQL client library
+
+* Sun Jun 04 2017 Jitka Plesnikova - 3.0.14-2
+- Perl 5.26 rebuild
+
+* Tue May 30 2017 Nikolai Kondrashov - 3.0.14-1
+- Upgrade to upstream v3.0.14 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+- Fix TLS resumption authentication bypass (CVE-2017-9148)
+
+* Wed Mar 29 2017 Nikolai Kondrashov - 3.0.13-3
+- Explicitly disable rlm_cache_memcached to avoid error when the module's
+ dependencies are installed, and it is built, but not packaged.
+- Prevent segfaults by adding a missing handling of connection errors in
+ rlm_ldap.
+- Make radtest use Cleartext-Password for EAP, fixing its support for eap-md5.
+
+* Wed Mar 15 2017 Nikolai Kondrashov - 3.0.13-2
+- Fix permissions of default key files in raddb/certs.
+- Require OpenSSL version we built with, or newer, to avoid startup failures
+ due to runtime OpenSSL version checks.
+ Resolves: Bug#1299388
+- Fix some issues found with static analyzers.
+
+* Tue Mar 07 2017 Nikolai Kondrashov - 3.0.13-1
+- Upgrade to upstream v3.0.13 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+
+* Tue Feb 21 2017 Nikolai Kondrashov - 3.0.12-3
+- Do not fail logrotate if radiusd is not running.
+- Fix output to log file specified with -l option.
+- Fix long hostnames interpreted as IP addresses.
+- Avoid clashes with libtool library symbols.
+- Remove mentions of Auth-Type = System from docs.
+- Improve ip/v4/v6/addr documentation.
+
+* Mon Feb 20 2017 Nikolai Kondrashov - 3.0.12-2
+- Fix three cases of comparing pointers to zero characters
+- Support OpenSSL v1.1.0
+ Resolves: Bug#1385588
+
+* Fri Feb 17 2017 Nikolai Kondrashov - 3.0.12-1
+- Upgrade to upstream v3.0.12 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+
+* Fri Feb 17 2017 Nikolai Kondrashov - 3.0.11-7
+- Make sure FreeRADIUS starts after IPA, directory, and Kerberos servers
+- Don't rotate radutmp, as it's not a log file
+- Logrotate with "systemctl" instead of "service"
+- Remove executable bits from "radiusd.service"
+
+* Fri Feb 10 2017 Fedora Release Engineering - 3.0.11-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 16 2017 Nikolai Kondrashov - 3.0.11-5
+- Move tmpfiles.d config to %%{_tmpfilesdir}
+- Install license files as %%license
+
+* Thu Jan 12 2017 Igor Gnatenko - 3.0.11-4
+- Rebuild for readline 7.x
+
+* Mon Sep 26 2016 Nikolai Kondrashov - 3.0.11-3
+- Switch default configuration to use system's crypto policy.
+ Resolves: Bug#1179224
+
+* Tue May 17 2016 Jitka Plesnikova - 3.0.11-2
+- Perl 5.24 rebuild
+
+* Tue Apr 12 2016 Nikolai Kondrashov - 3.0.11-1
+- Upgrade to upstream v3.0.10 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+
+* Wed Feb 03 2016 Fedora Release Engineering - 3.0.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Dec 09 2015 Nikolai Kondrashov - 3.0.10-1
+- Upgrade to upstream v3.0.10 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+ Related: Bug#1133959
+- Remove rlm_eap_tnc support as the required package "tncfhh" was retired.
+
+* Wed Aug 19 2015 Nikolai Kondrashov - 3.0.9-1
+- Upgrade to upstream v3.0.9 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+ Resolves: Bug#1133959
+
+* Wed Jun 17 2015 Fedora Release Engineering - 3.0.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Jun 05 2015 Jitka Plesnikova - 3.0.8-2
+- Perl 5.22 rebuild
+
+* Tue Apr 28 2015 Nikolai Kondrashov - 3.0.8-1
+- Upgrade to upstream v3.0.7 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+ Related: Bug#1133959
+
+* Thu Mar 19 2015 Nikolai Kondrashov - 3.0.7-1
+- Upgrade to upstream v3.0.7 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+ Resolves: Bug#1133959
+- Add freeradius-rest package containing rlm_rest module.
+ Resolves: Bug#1196276
+
+* Fri Feb 13 2015 Nikolai Kondrashov - 3.0.4-4
+- Bump release number to catch up with Fedora 21.
+
+* Mon Jan 19 2015 Nikolai Kondrashov - 3.0.4-3
+- Fix OpenSSL version parsing when checking for compatibility at run time.
+ Resolves: Bug#1173821
+- Don't remove backslash from unknown escape sequences in LDAP values.
+ Resolves: Bug#1173526
+- Improve dhcpclient and rad_counter online help.
+ Resolves: Bug#1146966
+- raddb: Move trigger.conf INCLUDE before modules, making it easier to refer
+ to trigger variables from module configurations.
+ Resolves: Bug#1155961
+- Fix ipaddr option fallback onto ipv6.
+ Resolves: Bug#1168868
+- raddb: Comment on ipaddr/ipv4addr/ipv6addr use.
+ Resolves: Bug#1168247
+- Disable rlm_rest building explicitly to avoid unintended builds on some
+ architectures breaking RPM build.
+ Resolves: Bug#1162156
+- Add -D option support to dhcpclient.
+ Related: Bug#1146939
+- Don't install rbmonkey - a test tool only useful to developers.
+ Related: Bug#1146966
+- Update clients(5) man page
+ Resolves: Bug#1147464
+- Fix possible group info corruption/segfault in rlm_unix' fr_getgrnam.
+- Fix file configuration item parsing.
+- Fix a number of trigger issues.
+ Resolves: Bug#1110407 radiusd doesn't send snmp trap after "radmin -e 'hup
+ files'"
+ Resolves: Bug#1110414 radiusd doesn't send snmp trap when sql connection is
+ opened,closed or fail
+ Resolves: Bug#1110186 radiusd doesn't send snmp trap when ldap connection
+ fails/opens/closes
+ Resolves: Bug#1109164 snmp trap messages send by radiusd are inconsistent
+ and incomplete
+- Fix two omissions from radtest manpage.
+ Resolves: Bug#1146898 'eap-md5' value is missing in -t option in SYNOPSIS
+ of radtest man page
+ Resolves: Bug#1114669 Missing -P option in radtest manpage
+- Disable OpenSSL version checking to avoid the need to edit radiusd.conf to
+ confirm heartbleed is fixed.
+ Resolves: Bug#1155070 FreeRADIUS doesn't start after upgrade due to failing
+ OpenSSL version check
+
+* Mon Oct 6 2014 Nikolai Kondrashov - 3.0.4-2
+- Fix abort on home server triggers.
+- Fix segfault upon example.pl read failure.
+- Fix example.pl permissions.
+- Fix integer handling in various cases.
+- Fix dhcpclient's dictionary.dhcp loading.
+
+* Mon Sep 15 2014 Nikolai Kondrashov - 3.0.4-1
+- Upgrade to upstream 3.0.4 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+- Resolves: Bug#1099620
+
+* Tue Sep 09 2014 Jitka Plesnikova - 3.0.4-0.2.rc2
+- Perl 5.20 mass
+
+* Mon Sep 8 2014 Nikolai Kondrashov - 3.0.4-0.1.rc2
+- Upgrade to upstream 3.0.4-rc2 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+
+* Tue Aug 26 2014 Jitka Plesnikova - 3.0.3-5
+- Perl 5.20 rebuild
+
+* Sat Aug 16 2014 Fedora Release Engineering - 3.0.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering - 3.0.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Mon Jun 2 2014 Nikolai Kondrashov - 3.0.3-2
+- Add explicit dependency on OpenSSL package with fixed CVE-2014-0160
+ (Heartbleed bug).
+- Add confirmation of CVE-2014-0160 being fixed in OpenSSL to radiusd.conf.
+
+* Wed May 14 2014 Nikolai Kondrashov - 3.0.3-1
+- Upgrade to upstream 3.0.3 release.
+ See upstream ChangeLog for details (in freeradius-doc subpackage).
+- Minor configuration parsing change: "Double-escaping of characters in Perl,
+ and octal characters has been fixed. If your configuration has text like
+ "\\000", you will need to remove one backslash."
+- Additionally includes post-release fixes for:
+ * case-insensitive matching in compiled regular expressions not working,
+ * upstream issue #634 "3.0.3 SIGSEGV on config parse",
+ * upstream issue #635 "3.0.x - rlm_perl - strings are still
+ escaped when passed to perl from FreeRADIUS",
+ * upstream issue #639 "foreach may cause ABORT".
+- Fixes bugs 1097266 1070447
+
+* Wed May 7 2014 Nikolai Kondrashov - 3.0.2-1
+- Upgrade to upstream 3.0.2 release, configuration compatible with 3.0.1.
+ See upstream ChangeLog for details (in freeradius-doc subpackage)
+- Fixes bugs 1058884 1061408 1070447 1079500
+
+* Mon Feb 24 2014 Nikolai Kondrashov - 3.0.1-4
+- Fix CVE-2014-2015 "freeradius: stack-based buffer overflow flaw in rlm_pap
+ module"
+- resolves: bug#1066984 (fedora 1066763)
+
+* Fri Feb 21 2014 John Dennis - 3.0.1-3
+- resolves: bug#1068798 (fedora 1068795)
+ rlm_perl attribute values truncated
+
+* Sun Jan 19 2014 John Dennis - 3.0.1-2
+- resolves: bug#1055073 (fedora 1055072)
+ rlm_ippool; bad config file attribute and fails to send reply attributes
+- resolves: bug#1055567 (fedora 1056227)
+ bad mysql sql syntax
+- change CFLAGS -imacros to -include to address gcc/gdb bug 1004526
+ where gdb will not display source information, only
+
+* Tue Jan 14 2014 John Dennis - 3.0.1-1
+- Upgrade to upstream 3.0.1 release, full config compatible with 3.0.0.
+ This is a roll-up of all upstream bugs fixes found in 3.0.0
+ See upstream ChangeLog for details (in freeradius-doc subpackage)
+- fixes bugs 1053020 1044747 1048474 1043036
+
+* Tue Nov 26 2013 John Dennis - 3.0.0-4
+- resolves: bug#1031035
+ remove radeapclient man page,
+ upstream no longer supports radeapclient, use eapol_test instead
+- resolves: bug#1031061
+ rlm_eap_leap memory corruption, see freeradius-rlm_leap.patch
+- move man pages for utils into utils subpackage from doc subpackage
+- fix HAVE_EC_CRYPTO test to include f20
+- add new directory /var/run/radiusd/tmp
+ update mods-available/eap so tls-common.verify.tmpdir to point to it
+
+* Wed Nov 13 2013 John Dennis - 3.0.0-3
+- resolves: bug#1029941
+ PW_TYPE_BOOLEAN config item should be declared int, not bool
+
+* Mon Oct 28 2013 John Dennis - 3.0.0-2
+- resolves: bug#1024119
+ tncfhh-devel is now available in RHEL-7, remove conditional BuildRequires
+
+* Sun Oct 13 2013 John Dennis - 3.0.0-1
+- Offical 3.0 gold release from upstream
+- resolves: bug#1016873
+- resolves: bug#891297
+
+* Sun Sep 8 2013 John Dennis - 3.0.0-0.4.rc1
+-
upgrade to second 3.0 release candidate rc1
+
+* Mon Aug 26 2013 John Dennis - 3.0.0-0.3.rc0
+- add missingok config attribute to /etc/raddb/sites-enabled/* symlinks
+
+* Sat Aug 03 2013 Petr Pisar - 3.0.0-0.2.rc0
+- Perl 5.18 rebuild
+
+* Fri Jul 26 2013 Ville Skyttä - 3.0.0-0.1.rc0
+- Install docs to %%{_pkgdocdir} where available.
+
+* Mon Jul 22 2013 John Dennis - 3.0.0-0.rc0
+- Upgrade to new upstream major version release
+
+* Wed Jul 17 2013 Petr Pisar - 2.2.0-7
+- Perl 5.18 rebuild
+
+* Wed Feb 13 2013 Fedora Release Engineering - 2.2.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Dec 14 2012 John Dennis - 2.2.0-5
+- resolves: bug#850119 - Introduce new systemd-rpm macros (>= F18)
+
+* Thu Dec 13 2012 John Dennis - 2.2.0-4
+- add compile option -fno-strict-aliasing
+
+* Thu Dec 13 2012 John Dennis - 2.2.0-3
+- specify homedir (/var/lib/radiusd) for radiusd user in useradd,
+ do not permit useradd to default the homedir.
+
+* Wed Dec 12 2012 John Dennis - 2.2.0-2
+- add security options to compiler/linker
+
+* Mon Dec 10 2012 John Dennis - 2.2.0-1
+- resolves: bug#876564 - fails to start without freeradius-mysql
+- use upstream version of freeradius-exclude-config-file.patch
+
+* Wed Oct 3 2012 John Dennis - 2.2.0-0
+- Add new patch to avoid reading .rpmnew, .rpmsave and other invalid
+ files when loading config files
+- Upgrade to new 2.2.0 upstream release
+- Upstream changelog for 2.1.12:
+ Feature improvements
+ * 100% configuration file compatible with 2.1.x.
+ The only fix needed is to disallow "hashsize=0" for rlm_passwd
+ * Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
+ Redback, and Mikrotik dictionaries
+ * Switch to using SHA1 for certificate digests instead of MD5.
+ See raddb/certs/*.cnf
+ * Added copyright statements to the dictionaries, so that we know
+ when people are using them.
+ * Better documentation for radrelay and detail file writer.
+ See raddb/modules/radrelay and raddb/radrelay.conf
+ * Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
+ * Added -F to radwho
+ * Added query timeouts to MySQL driver. Patch from Brian De Wolf.
+ * Add /etc/default/freeradius to debian package.
+ Patch from Matthew Newton
+ * Finalize DHCP and DHCP relay code. It should now work everywhere.
+ See raddb/sites-available/dhcp, src_ipaddr and src_interface.
+ * DHCP capabilitiies are now compiled in by default.
+ It runs as a DHCP server ONLY when manually enabled.
+ * Added one letter expansions: %%G - request minute and %%I request
+ ID.
+ * Added script to convert ISC DHCP lease files to SQL pools.
+ See scripts/isc2ippool.pl
+ * Added rlm_cache to cache arbitrary attributes.
+ * Added max_use to rlm_ldap to force connection to be re-established
+ after a given number of queries.
+ * Added configtest option to Debian init scripts, and automatic
+ config test on restart.
+ * Added cache config item to rlm_krb5. When set to "no" ticket
+ caching is disabled which may increase performance.
+
+ Bug fixes
+ * Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12,
+ and 802.1X should upgrade immediately.
+ * Fix typo in detail file writer, to skip writing if the packet
+ was read from this detail file.
+ * Free cached replies when closing resumed SSL sessions.
+ * Fix a number of issues found by Coverity.
+ * Fix memory leak and race condition in the EAP-TLS session cache.
+ Thanks to Phil Mayers for tracking down OpenSSL APIs.
+ * Restrict ATTRIBUTE names to character sets that make sense.
+ * Fix EAP-TLS session Id length so that OpenSSL doesn't get
+ excited.
+ * Fix SQL IPPool logic for non-timer attributes. Closes bug #181
+ * Change some informational messages to DEBUG rather than error.
+ * Portability fixes for FreeBSD. Closes bug #177
+ * A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
+ nonsense.
+ * Safely handle extremely long lines in conf file variable expansion
+ * Fix for Debian bug #606450
+ * Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
+ * The passwd module no longer permits "hashsize = 0". Setting that
+ is pointless for a host of reasons. It will also break the server.
+ * Fix proxied inner-tunnel packets sometimes having zero authentication
+ vector. Found by Brian Julin.
+ * Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
+ * Fix minor build issue which would cause rlm_eap to be built twice.
+ * When using "status_check=request" for a home server, the username
+ and password must be specified, or the server will not start.
+ * EAP-SIM now calculates keys from the SIM identity, not from the
+ EAP-Identity. Changing the EAP type via NAK may result in
+ identities changing. Bug reported by Microsoft EAP team.
+ * Use home server src_ipaddr when sending Status-Server packets
+ * Decrypt encrypted ERX attributes in CoA packets.
+ * Fix registration of internal xlat's so %%{mschap:...} doesn't
+ disappear after a HUP.
+ * Can now reference tagged attributes in expansions.
+ e.g. %%{Tunnel-Type:1} and %%{Tunnel-Type:1[0]} now work.
+ * Correct calculation of Message-Authenticator for CoA and Disconnect
+ replies. Patch from Jouni Malinen
+ * Install rad_counter, for managing rlm_counter files.
+ * Add unique index constraint to all SQL flavours so that alternate
+ queries work correctly.
+ * The TTLS diameter decoder is now more lenient. It ignores
+ unknown attributes, instead of rejecting the TTLS session.
+ * Use "globfree" in detail file reader. Prevents very slow leak.
+ Closes bug #207.
+ * Operator =~ shouldn't copy the attribute, like :=. It should
+ instead behave more like ==.
+ * Build main Debian package without SQL dependencies
+ * Use max_queue_size in threading code
+ * Update permissions in raddb/sql/postgresql/admin.sql
+ * Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
+ wouldn't use methods it knew about.
+ * Add more sanity checks in dynamic_clients code so the server won't
+ crash if it attempts to load a badly formated client definition.
+
+* Thu Jul 19 2012 Fedora Release Engineering - 2.1.12-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jun 08 2012 Petr Pisar - 2.1.12-9
+- Perl 5.16 rebuild
+
+* Tue May 15 2012 John Dennis - 2.1.12-8
+- resolves: bug#821407 - openssl dependency
+
+* Sat Apr 14 2012 John Dennis - 2.1.12-7
+- resolves: bug#810605 Segfault with freeradius-perl threading
+
+* Tue Feb 28 2012 John Dennis - 2.1.12-6
+ Fixing bugs in RHEL6 rebase, applying fixes here as well
+ resolves: bug#700870 freeradius not compiled with --with-udpfromto
+ resolves: bug#753764 shadow password expiration does not work
+ resolves: bug#712803 radtest script is not working with eap-md5 option
+ resolves: bug#690756 errors in raddb/sql/postgresql/admin.sql template
+
+* Tue Feb 7 2012 John Dennis - 2.1.12-5
+- resolves: bug#781877 (from RHEL5) rlm_dbm_parse man page misspelled
+- resolves: bug#760193 (from RHEL5) radtest PPPhint option is not parsed properly
+
+* Sun Jan 15 2012 John Dennis - 2.1.12-4
+- resolves: bug#781744
+ systemd service file incorrectly listed pid file as
+ /var/run/radiusd/radiusd which it should have been
+ /var/run/radiusd/radiusd.pid
+
+* Fri Jan 13 2012 Fedora Release Engineering - 2.1.12-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Oct 31 2011 John Dennis - 2.1.12-2
+- rename /etc/tmpfiles.d/freeradius.conf to /etc/tmpfiles.d/radiusd.conf
+ remove config(noreplace) because it must match files section and
+ permissions differ between versions.
+- fixup macro usage for /var/run & /var/lib
+
+* Mon Oct 3 2011 John Dennis - 2.1.12-1
+- Upgrade to latest upstream release: 2.1.12
+- Upstream changelog for 2.1.12:
+ Feature improvements
+ * Updates to dictionary.erx, dictionary.siemens, dictionary.starent,
+ dictionary.starent.vsa1, dictionary.zyxel, added dictionary.symbol
+ * Added support for PCRE from Phil Mayers
+ * Configurable file permission in rlm_linelog
+ * Added "relaxed" option to rlm_attr_filter. This copies attributes
+ if at least one match occurred.
+ * Added documentation on dynamic clients.
+ See raddb/modules/dynamic_clients.
+ * Added support for elliptical curve cryptography.
+ See ecdh_curve in raddb/eap.conf.
+ * Added support for 802.1X MIBs in checkrad
+ * Added support for %%{rand:...}, which generates a uniformly
+ distributed number between 0 and the number you specify.
+ * Created "man" pages for all installed commands, and documented
+ options for all commands. Patch from John Dennis.
+ * Allow radsniff to decode encrypted VSAs and CoA packets.
+ Patch from Bjorn Mork.
+ * Always send Message-Authenticator in radtest. Patch from John Dennis.
+ radclient continues to be more flexible.
+ * Updated Oracle schema and queries
+ * Added SecurID module. See src/modules/rlm_securid/README
+
+ Bug fixes
+ * Fix memory leak in rlm_detail
+ * Fix "failed to insert event"
+ * Allow virtual servers to be reloaded on HUP.
+ It no longer complains about duplicate virtual servers.
+ * Fix %%{string:...} expansion
+ * Fix "server closed socket" loop in radmin
+ * Set ownership of control socket when starting up
+ * Always allow root to connect to control socket, even if
+ "uid" is set. They're root. They can already do anything.
+ * Save all attributes in Access-Accept when proxying inner-tunnel
+ EAP-MSCHAPv2
+ * Fixes for DHCP relaying.
+ * Check certificate validity when using OCSP.
+ * Updated Oracle "configure" script
+ * Fixed typos in dictionary.alvarion
+ * WARNING on potential proxy loop.
+ * Be more aggressive about clearing old requests from the
+ internal queue
+ * Don't open network sockets when using -C
+
+* Wed Sep 21 2011 Tom Callaway - 2.1.11-7
+- restore defattr customization in the main package
+
+* Fri Sep 9 2011 Tom Callaway - 2.1.11-6
+- add missing systemd scriptlets
+
+* Thu Sep 8 2011 Tom Callaway - 2.1.11-5
+- convert to systemd
+
+* Thu Jul 21 2011 Petr Sabata - 2.1.11-4
+- Perl mass rebuild
+
+* Wed Jul 20 2011 Petr Sabata - 2.1.11-3
+- Perl mass rebuild
+
+* Thu Jun 23 2011 John Dennis - 2.1.11-2
+- reload the server (i.e. HUP) after logrotate
+
+* Wed Jun 22 2011 John Dennis - 2.1.11-1
+- Upgrade to latest upstream release: 2.1.11
+- Remove the following two patches as upstream has incorporated them:
+ freeradius-radtest-ipv6.patch
+ freeradius-lt-dladvise.patch
+- Upstream changelog for 2.1.11:
+ Feature improvements
+ * Added doc/rfc/rfc6158.txt: RADIUS Design Guidelines.
+ All vendors need to read it and follow its directions.
+ * Microsoft SoH support for PEAP from Phil Mayers.
+ See doc/SoH.txt
+ * Certificate "bootstrap" script now checks for certificate expiry.
+ See comments in raddb/eap.conf, and then "make_cert_command".
+ * Support for dynamic expansion of EAP-GTC challenges.
+ Patch from Alexander Clouter.
+ * OCSP support from Alex Bergmann. See raddb/eap.conf, "ocsp"
+ section.
+ * Updated dictionary.huawei, dictionary.3gpp, dictionary.3gpp3.
+ * Added dictionary.eltex, dictionary.motorola, and dictionary.ukerna.
+ * Experimental redis support from Gabriel Blanchard.
+ See raddb/modules/redis and raddb/modules/rediswho
+ * Add "key" to rlm_fastusers. Closes bug #126.
+ * Added scripts/radtee from original software at
+ http://horde.net/~jwm/software/misc/comparison-tee
+ * Updated radmin "man" page for new commands.
+ * radsniff now prints the hex decoding of the packet (-x -x -x)
+ * mschap module now reloads its configuration on HUP
+ * Added experimental "replicate" module. See raddb/modules/replicate
+ * Policy "foo" can now refer to module "foo". This lets you
+ over-ride the behavior of a module.
+ * Policy "foo.authorize" can now over-ride the behavior of module
+ "foo", "authorize" method.
+ * Produce errors in more situations when the configuration files
+ have invalid syntax.
+
+ Bug fixes
+ * Ignore pre/post-proxy sections if proxying is disabled
+ * Add configure checks for pcap_fopen*.
+ * Fix call to otp_write in rlm_otp
+ * Fix issue with Access-Challenge checking from 2.1.10, when the
+ debug flag was set after server startup. Closes #116 and #117.
+ * Fix typo in zombie period start time.
+ * Fix leak in src/main/valuepair.c. Patch from James Ballantine.
+ * Allow radtest to use spaces in shared secret.
+ Patch from Cedric Carree.
+ * Remove extra calls to HMAC_CTX_init() in rlm_wimax, fixing leak.
+ Patch from James Ballantine.
+ * Remove MN-FA key generation. The NAS does this, not AAA.
+ Patch from Ben Weichman.
+ * Include dictionary.mikrotik by default. Closes bug #121.
+ * Add group membership query to MS-SQL examples. Closes bug #120.
+ * Don't cast NAS-Port to integer in Postgresql queries.
+ Closes bug #112.
+ * Fixes for libtool and autoconf from Sam Hartman.
+ * radsniff should read the dictionaries in more situations.
+ * Use fnmatch to check for detail file reader==writer.
+ Closes bug #128.
+ * Check for short writes (i.e. disk full) in rlm_detail.
+ Closes bug #130. Patches and testing from John Morrissey.
+ * Fix typo in src/lib/token.c. Closes bug #124
+ * Allow workstation trust accounts to use MS-CHAP.
+ Closes bug #123.
+ * Assigning foo=`/bin/echo hello` now produces a syntax error
+ if it is done outside of an "update" section.
+ * Fix "too many open file descriptors" problem when using
+ "verify client" in eap.conf.
+ * Many fixes to dialup_admin for PHP5, by Stefan Winter.
+ * Allow preprocess module to have "hints = " and "huntgroups =",
+ which allows them to be empty or non-existent.
+ * Renamed "php3" files to "php" in dialup_admin/
+ * Produce error when sub-TLVs are used in a dictionary. They are
+ supported only in the "master" branch, and not in 2.1.x.
+ * Minor fix in dictionary.redback. Closes bug #138.
+ * Fixed MySQL "NULL" issues in ippool.conf. Closes bug #129.
+ * Fix to Access-Challenge warning from Ken-ichirou Matsuzawa.
+ Closes bug #118.
+ * DHCP fixes to send unicast packets in more situations.
+ * Fix to udpfromto, to enable it to work on IPv6 networks.
+ * Fixes to the Oracle accounting_onoff_query.
+ * When using both IPv4 and IPv6 home servers, ensure that we use the
+ correct local socket for proxying. Closes bug #143.
+ * Suppress messages when thread pool is nearly full, all threads
+ are busy, and we can't create new threads.
+ * IPv6 is now enabled for udpfromto. Closes bug #141
+ * Make sqlippool query buffer the same size as sql module.
+ Closes bug #139.
+ * Make Coa / Disconnect proxying work again.
+ * Configure scripts for rlm_caching from Nathaniel McCallum
+ * src/lib/dhcp.c and src/include/libradius.h are LGPL, not GPL.
+ * Updated password routines to use time-insensitive comparisons.
+ This prevents timing attacks (though none are known).
+ * Allow sqlite module to do normal SELECT queries.
+ * rlm_wimax now has a configure script
+ * Moved Ascend, USR, and Motorola "illegal" dictionaries to separate
+ files. See share/dictionary for explanations.
+ * Check for duplicate module definitions in the modules{} section,
+ and refuse to start if duplicates are found.
+ * Check for duplicate virtual servers, and refuse to start if
+ duplicates are found.
+ * Don't use udpfromto if source is INADDR_ANY. Closes bug #148.
+ * Check pre-conditions before running radmin "inject file".
+ * Don't over-ride "no match" with "match" for regexes.
+ Closes bug #152.
+ * Make retry and error message configurable in mschap.
+ See raddb/modules/mschap
+ * Allow EAP-MSCHAPv2 to send error message to client. This change
+ allows some clients to prompt the user for a new password.
+ See raddb/eap.conf, mschapv2 section, "send_error".
+ * Load the default virtual server before any others.
+ This matches what users expect, and reduces confusion.
+ * Fix configure checks for udpfromto. Fixes Debian bug #606866
+ * Definitive fix for bug #35, where the server could crash under
+ certain loads. Changes src/lib/packet.c to use RB trees.
+ * Updated "configure" checks to allow IPv6 udpfromto on Linux.
+ * SQL module now returns NOOP if the accounting start/interim/stop
+ queries don't do anything.
+ * Allow %%{outer.control: ... } in string expansions
+ * home_server coa config now matches raddb/proxy.conf
+ * Never send a reply to a DHCP Release.
+
+* Thu Jun 16 2011 Marcela Mašláňová - 2.1.10-8
+- Perl mass rebuild
+
+* Wed Mar 23 2011 John Dennis - 2.1.10-7
+- Resolves: #689045 Using rlm_perl cause radiusd failed to start
+ Fix configure typo which caused lt_dladvise_* functions to be skipped.
+ run autogen.sh because HAVE_LT_DLADVISE_INIT isn't in src/main/autogen.h
+ Implemented by: freeradius-lt-dladvise.patch
+
+* Wed Mar 23 2011 John Dennis - 2.1.10-6
+- Resolves: #599528 - make radtest IPv6 compatible
+
+* Wed Mar 23 2011 Dan Horák - 2.1.10-5
+- rebuilt for mysql 5.5.10 (soname bump in libmysqlclient)
+
+* Tue Feb 08 2011 Fedora Release Engineering - 2.1.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Sat Jan 1 2011 John Dennis - 2.1.10-3
+- bug 666589 - removing freeradius from system does not delete the user "radiusd"
+ fix scriptlet argument testing, simplify always exiting with zero
+
+* Thu Dec 30 2010 John Dennis - 2.1.10-2
+- rebuild for new MySQL libs
+
+* Tue Oct 19 2010 John Dennis - 2.1.10-1
+ Feature improvements
+ * Install the "radcrypt" program.
+ * Enable radclient to send requests containing MS-CHAPv1
+ Send packets with: MS-CHAP-Password = "password". It will
+ be automatically converted to the correct MS-CHAP attributes.
+ * Added "-t" command-line option to radtest. You can use "-t pap",
+ "-t chap", "-t mschap", or "-t eap-md5". The default is "-t pap"
+ * Make the "inner-tunnel" virtual server listen on 127.0.0.1:18120
+ This change and the previous one makes PEAP testing much easier.
+ * Added more documentation and examples for the "passwd" module.
+ * Added dictionaries for RFC 5607 and RFC 5904.
+ * Added note in proxy.conf that we recommend setting
+ "require_message_authenticator = yes" for all home servers.
+ * Added example of second "files" configuration, with documentation.
+ This shows how and where to use two instances of a module.
+ * Updated radsniff to have it write pcap files, too. See '-w'.
+ * Print out large WARNING message if we send an Access-Challenge
+ for EAP, and receive no follow-up messages from the client.
+ * Added Cached-Session-Policy for EAP session resumption. See
+ raddb/eap.conf.
+ * Added support for TLS-Cert-* attributes. For details, see
+ raddb/sites-available/default, "post-auth" section.
+ * Added sample raddb/modules/{opendirectory,dynamic_clients}
+ * Updated Cisco and Huawei, HP, Redback, and ERX dictionaries.
+ * Added RFCs 5607, 5904, and 5997.
+ * For EAP-TLS, client certificates can now be validated using an
+ external command. See eap.conf, "validate" subsection of "tls".
+ * Made rlm_pap aware of {nthash} prefix, for compatibility with
+ legacy RADIUS systems.
+ * Add Module-Failure-Message for mschap module (ntlm_auth)
+ * made rlm_sql_sqlite database configurable. Use "filename"
+ in sql{} section.
+ * Added %%{tolower: ...string ... }, which returns the lowercase
+ version of the string. Also added %%{toupper: ... } for uppercase.
+
+ Bug fixes
+ * Fix endless loop when there are multiple sub-options for
+ DHCP option 82.
+ * More debug output when sending / receiving DHCP packets.
+ * EAP-MSCHAPv2 should return the MPPE keys when used outside
+ of a TLS tunnel. This is needed for IKE.
+ * Added SSL "no ticket" option to prevent SSL from creating sessions
+ without IDs. We need the IDs, so this option should be set.
+ * Fix proxying of packets from inside a TTLS/PEAP tunnel.
+ Closes bug #25.
+ * Allow IPv6 address attributes to be created from domain names
+ Closes bug #82.
+ * Set the string length to the correct value when parsing double
+ quotes. Closes bug #88.
+ * No longer look users up in /etc/passwd in the default configuration.
+ This can be reverted by enabling "unix" in the "authorize" section.
+ * More #ifdef's to enable building on systems without certain
+ features.
+ * Fixed SQL-Group comparison to register only if the group
+ query is defined.
+ * Fixed SQL-Group comparison to register -SQL-Group,
+ just like rlm_ldap. This lets you have multiple SQL group checks.
+ * Fix scanning of octal numbers in "unlang". Closes bug #89.
+ * Be less aggressive about freeing "stuck" requests. Closes bug #35.
+ * Fix example in "originate-coa" to refer to the correct packet.
+ * Change default timeout for dynamic clients to 1 hour, not 1 day.
+ * Allow passwd module to map IP addresses, too.
+ * Allow passwd module to be used for CoA packets
+ * Put boot filename into DHCP header when DHCP-Boot-Filename
+ is specified.
+ * raddb/certs/Makefile no longer has certs depend on index.txt and
+ serial. Closes bug #64.
+ * Ignore NULL errorcode in PostgreSQL client. Closes bug #39
+ * Made Exec-Program and Exec-Program-Wait work in accounting
+ section again. See sites-available/default.
+ * Fix long-standing memory leak in esoteric conditions. Found
+ by Jerry Nichols.
+ * Added "Password-With-Header == userPassword" to raddb/ldap.attrmap
+ This will automatically convert more passwords.
+ * Updated rlm_pap to decode Password-With-Header, if it was base64
+ encoded, and to treat the contents as potentially binary data.
+ * Fix Novell eDir code to use the right function parameters.
+ Closes bug #86.
+ * Allow spaces to be escaped when executing external programs.
+ Closes bug #93.
+ * Be less restrictive about checking permissions on control socket.
+ If we're root, allow connecting to a non-root socket.
+ * Remove control socket on normal server exit. If the server isn't
+ running, the control socket should not exist.
+ * Use MS-CHAP-User-Name as Name field from EAP-MSCHAPv2 for MS-CHAP
+ calculations. It *MAY* be different (upper / lower case) from
+ the User-Name attribute. Closes bug #17.
+ * If the EAP-TLS methods have problems, more SSL errors are now
+ available in the Module-Failure-Message attribute.
+ * Update Oracle configure scripts. Closes bug #57.
+ * Added text to DESC fields of doc/examples/openldap.schema
+ * Updated more documentation to use "Restructured Text" format.
+ Thanks to James Lockie.
+ * Fixed typos in raddb/sql/mssql/dialup.conf. Closes bug #11.
+ * Return error for potential proxy loops when using "-XC"
+ * Produce better error messages when slow databases block
+ the server.
+ * Added notes on DHCP broadcast packets for FreeBSD.
+ * Fixed crash when parsing some date strings. Closes bug #98
+ * Improperly formatted Attributes are now printed as "Attr-##".
+ If they are not correct, they should not use the dictionary name.
+ * Fix rlm_digest to be check the format of the Digest attributes,
+ and return "noop" rather than "fail" if they're not right.
+ * Enable "digest" in raddb/sites-available/default. This change
+ enables digest authentication to work "out of the box".
+ * Be less aggressive about marking home servers as zombie.
+ If they are responding to some packets, they are still alive.
+ * Added Packet-Transmit-Counter, to track detail file retransmits.
+ Closes bug #13.
+ * Added configure check for lt_dladvise_init(). If it exists, then
+ using it solves some issues related to libraries loading libraries.
+ * Added indexes to the MySQL IP Pool schema.
+ * Print WARNING message if too many attributes are put into a packet.
+ * Include dhcp test client (not built by default)
+ * Added checks for LDAP constraint violation. Closes bug #18.
+ * Change default raddebug timeout to 60 seconds.
+ * Made error / warning messages more consistent.
+ * Correct back-slash handling in variable expansion. Closes bug #46.
+ You SHOULD check your configuration for backslash expansion!
+ * Fix typo in "configure" script (--enable-libltdl-install)
+ * Use local libltdl in more situations. This helps to avoid
+ compile issues complaining about lt__PROGRAM__LTX_preloaded_symbols.
+ * Fix hang on startup when multiple home servers were defined
+ with "src_ipaddr" field.
+ * Fix 32/64 bit issue in rlm_ldap. Closes bug #105.
+ * If the first "listen" section defines 127.0.0.1, don't use that
+ as a source IP for proxying. It won't work.
+ * When Proxy-To-Realm is set to a non-existent realm, the EAP module
+ should handle the request, rather than expecting it to be proxied.
+ * Fix IPv4 issues with udpfromto. Closes bug #110.
+ * Clean up child processes of raddebug. Closes bugs #108 and #109
+ * retry OTP if the OTP daemon fails. Closes bug #58.
+ * Multiple calls to ber_printf seem to work better. Closes #106.
+ * Fix "unlang" so that "attribute not found" is treated as a "false"
+ comparison, rather than a syntax error in the configuration.
+ * Fix issue with "Group" attribute.
+
+* Sat Jul 31 2010 Orcan Ogetbil - 2.1.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Tue Jun 01 2010 Marcela Maslanova - 2.1.9-2
+- Mass rebuild with perl-5.12.0
+
+* Mon May 24 2010 John Dennis - 2.1.9-1
+- update to latest upstream, mainly bug fix release
+ Feature improvements
+ * Add radmin command "stats detail " to see what
+ is going on inside of a detail file reader.
+ * Added documentation for CoA. See raddb/sites-available/coa
+ * Add sub-option support for Option 82. See dictionary.dhcp
+ * Add "server" field to default SQL NAS table, and documented it.
+
+ Bug fixes
+ * Reset "received ping" counter for Status-Server checks. In some
+ corner cases it was not getting reset.
+ * Handle large VMPS attributes.
+ * Count accounting responses from a home server in SNMP / statistics
+ code.
+ * Set EAP-Session-Resumed = Yes, not "No" when session is resumed.
+ * radmin packet counter statistics are now unsigned, for numbers
+ 2^31..2^32. After that they roll over to zero.
+ * Be more careful about expanding data in PAP and MS-CHAP modules.
+ This prevents login failures when passwords contain '{'.
+ * Clean up zombie children if there were many "exec" modules being
+ run for one packet, all with "wait = no".
+ * re-open log file after HUP. Closes bug #63.
+ * Fix "no response to proxied packet" complaint for Coa / Disconnect
+ packets. It shouldn't ignore replies to packets it sent.
+ * Calculate IPv6 netmasks correctly. Closes bug #69.
+ * Fix SQL module to re-open sockets if they unexpectedly close.
+ * Track scope for IPv6 addresses. This lets us use link-local
+ addresses properly. Closes bug #70.
+ * Updated Makefiles to no longer use the shell for recursing into
+ subdirs. "make -j 2" should now work.
+ * Updated raddb/sql/mysql/ippool.conf to use "= NULL". Closes
+ bug #75.
+ * Updated Makefiles so that "make reconfig" no longer uses the shell
+ for recursing into subdirs, and re-builds all "configure" files.
+ * Used above method to regenerate all configure scripts.
+ Closes bug #34.
+ * Updated SQL module to allow "server" field of "nas" table
+ to be blank: "". This means the same as it being NULL.
+ * Fixed regex realm example. Create Realm attribute with value
+ of realm from User-Name, not from regex. Closes bug #40.
+ * If processing a DHCP Discover returns "fail / reject", ignore
+ the packet rather than sending a NAK.
+ * Allow '%%' to be escaped in sqlcounter module.
+ * Fix typo internal hash table.
+ * For PEAP and TTLS, the tunneled reply is added to the reply,
+ rather than integrated via the operators. This allows multiple
+ VSAs to be added, where they would previously be discarded.
+ * Make request number unsigned. This changes nothing other than
+ the debug output when the server receives more than 2^31 packets.
+ * Don't block when reading child output in 'exec wait'. This means
+ that blocked children get killed, instead of blocking the server.
+ * Enabled building without any proxy functionality
+ * radclient now prefers IPv4, to match the default server config.
+ * Print useful error when a realm regex is invalid
+ * relaxed rules for preprocess module "with_cisco_vsa_hack". The
+ attributes can now be integer, ipaddr, etc. (i.e. non-string)
+ * Allow rlm_ldap to build if ldap_set_rebind_proc() has only
+ 2 arguments.
+ * Update configure script for rlm_python to avoid dynamic linking
+ problems on some platforms.
+ * Work-around for bug #35
+ * Do suid to "user" when running in debug mode as root
+ * Make "allow_core_dumps" work in more situations.
+ * In detail file reader, treat bad records as EOF.
+ This allows it to continue working when the disk is full.
+ * Fix Oracle default accounting queries to work when there are no
+ gigawords attributes. Other databases already had the fix.
+ * Fix rlm_sql to show when it opens and closes sockets. It already
+ says when it cannot connect, so it should say when it can connect.
+ * "chmod -x" for a few C source files.
+ * Pull update spec files, etc. from RedHat into the redhat/ directory.
+ * Allow spaces when parsing integer values. This helps people who
+ put "too much" into an SQL value field.
+
+* Thu Jan 7 2010 John Dennis - 2.1.8-2
+- resolves: bug #526559 initial install should run bootstrap to create certificates
+ running radiusd in debug mode to generate inital temporary certificates
+ is no longer necessary, the /etc/raddb/certs/bootstrap is invoked on initial
+ rpm install (not upgrade) if there is no existing /etc/raddb/certs/server.pem file
+- resolves: bug #528493 use sha1 algorithm instead of md5 during cert generation
+ the certificate configuration (/etc/raddb/certs/{ca,server,client}.cnf) files
+ were modifed to use sha1 instead of md5 and the validity reduced from 1 year to 2 months
+
+* Wed Dec 30 2009 John Dennis - 2.1.8-1
+- update to latest upstream
+ Feature improvements
+ * Print more descriptive error message for too many EAP sessions.
+ This gives hints on what to do when "failed to store handler"
+ * Commands received from radmin are now printed on stdout when
+ in debugging mode.
+ * Allow accounting packets to be written to a detail file, even
+ if they were read from a different detail file.
+ * Added OpenSSL license exception (src/LICENSE.openssl)
+
+ Bug fixes
+ * DHCP sockets can now set the broadcast flag before binding to a
+ socket. You need to set "broadcast = yes" in the DHCP listener.
+ * Be more restrictive on string parsing in the config files
+ * Fix password length in scripts/create-users.pl
+ * Be more flexible about parsing the detail file. This allows
+ it to read files where the attributes have been edited.
+ * Ensure that requests read from the detail file are cleaned up
+ (i.e. don't leak) if they are proxied without a response.
+ * Write the PID file after opening sockets, not before
+ (closes bug #29)
+ * Proxying large numbers of packets no longer gives error
+ "unable to open proxy socket".
+ * Avoid mutex locks in libc after fork
+ * Retry packet from detail file if there was no response.
+ * Allow old-style dictionary formats, where the vendor name is the
+ last field in an ATTRIBUTE definition.
+ * Removed all recursive use of mutexes. Some systems just don't
+ support this.
+ * Allow !* to work as documented.
+ * make templates work (see templates.conf)
+ * Enabled "allow_core_dumps" to work again
+ * Print better errors when reading invalid dictionaries
+ * Sign client certificates with CA, rather than server certs.
+ * Fix potential crash in rlm_passwd when file was closed
+ * Fixed corner cases in conditional dynamic expansion.
+ * Use InnoDB for MySQL IP Pools, to gain transactional support
+ * Apply patch to libltdl for CVE-2009-3736.
+ * Fixed a few issues found by LLVM's static checker
+ * Keep track of "bad authenticators" for accounting packets
+ * Keep track of "dropped packets" for auth/acct packets
+ * Synced the "debian" directory with upstream
+ * Made "unlang" use unsigned 32-bit integers, to match the
+ dictionaries.
+
+* Wed Dec 30 2009 John Dennis - 2.1.7-7
+- Remove devel subpackage. It doesn't make much sense to have a devel package since
+ we don't ship libraries and it produces multilib conflicts.
+
+* Mon Dec 21 2009 John Dennis - 2.1.7-6
+- more spec file clean up from review comments
+- remove freeradius-libs subpackage, move libfreeradius-eap and
+ libfreeradius-radius into the main package
+- fix subpackage requires, change from freeradius-libs to main package
+- fix description of the devel subpackage, remove referene to non-shipped libs
+- remove execute permissions on src files included in debuginfo
+- remove unnecessary use of ldconfig
+- since all sub-packages now require main package remove user creation for sub-packages
+- also include the LGPL library license file in addition to the GPL license file
+- fix BuildRequires for perl so it's compatible with both Fedora, RHEL5 and RHEL6
+
+* Mon Dec 21 2009 John Dennis - 2.1.7-5
+- fix various rpmlint issues.
+
+* Fri Dec 4 2009 Stepan Kasal - 2.1.7-4
+- rebuild against perl 5.10.1
+
+* Thu Dec 3 2009 John Dennis - 2.1.7-3
+- resolves: bug #522111 non-conformant initscript
+ also change permission of /var/run/radiusd from 0700 to 0755
+ so that "service radiusd status" can be run as non-root
+
+* Wed Sep 16 2009 Tomas Mraz - 2.1.7-2
+- use password-auth common PAM configuration instead of system-auth
+
+* Tue Sep 15 2009 John Dennis - 2.1.7-1
+- enable building of the rlm_wimax module
+- pcap wire analysis support is enabled and available in utils subpackage
+- Resolves bug #523053 radtest manpage in wrong package
+- update to latest upstream release, from upstream Changelog:
+ Feature improvements
+ * Full support for CoA and Disconnect packets as per RFC 3576
+ and RFC 5176. Both receiving and proxying CoA is supported.
+ * Added "src_ipaddr" configuration to "home_server". See
+ proxy.conf for details.
+ * radsniff now accepts -I, to read from a filename instead of
+ a device.
+ * radsniff also prints matching requests and any responses to those
+ requests when '-r' is used.
+ * Added example of attr_filter for Access-Challenge packets
+ * Added support for udpfromto in DHCP code
+ * radmin can now selectively mark modules alive/dead.
+ See "set module state".
+ * Added customizable messages on login success/fail.
+ See msg_goodpass && msg_badpass in log{} section of radiusd.conf
+ * Document "chase_referrals" and "rebind" in raddb/modules/ldap
+ * Preliminary implementation of DHCP relay.
+ * Made thread pool section optional. If it doesn't exist,
+ the server will run single-threaded.
+ * Added sample radrelay.conf for people upgrading from 1.x
+ * Made proxying more stable by failing over, rather than
+ rejecting the first request. See "response_window" in proxy.conf
+ * Allow home_server_pools to exist without realms.
+ * Add dictionary.iea (closes bug #7)
+ * Added support for RFC 5580
+ * Added experimental sql_freetds module from Gabriel Blanchard.
+ * Updated dictionary.foundry
+ * Added sample configuration for MySQL cluster in raddb/sql/ndb
+ See the README file for explanations.
+ Bug fixes
+ * Fixed corner case where proxied packets could have extra
+ character in User-Password attribute. Fix from Niko Tyni.
+ * Extended size of "attribute" field in SQL to 64.
+ * Fixes to ruby module to be more careful about when it builds.
+ * Updated Perl module "configure" script to check for broken
+ Perl installations.
+ * Fix "status_check = none". It would still send packets
+ in some cases.
+ * Set recursive flag on the proxy mutex, which enables safer
+ cleanup on some platforms.
+ * Copy the EAP username verbatim, rather than escaping it.
+ * Update handling so that robust-proxy-accounting works when
+ all home servers are down for extended periods of time.
+ * Look for DHCP option 53 anywhere in the packet, not just
+ at the start.
+ * Fix processing of proxy fail handler with virtual servers.
+ * DHCP code now prints out correct src/dst IP addresses
+ when sending packets.
+ * Removed requirement for DHCP to have clients
+ * Fixed handling of DHCP packets with message-type buried in the packet
+ * Fixed corner case with negation in unlang.
+ * Minor fixes to default MySQL & PostgreSQL schemas
+ * Suppress MSCHAP complaints in debugging mode.
+ * Fix SQL module for multiple instance, and possible crash on HUP
+ * Fix permissions for radius.log for sites that change user/group,
+ but which don't create the file before starting radiusd.
+ * Fix double counting of packets when proxying
+ * Make %%l work
+ * Fix pthread keys in rlm_perl
+ * Log reasons for EAP failure (closes bug #8)
+ * Load home servers and pools that aren't referenced from a realm.
+ * Handle return codes from virtual attributes in "unlang"
+ (e.g. LDAP-Group). This makes "!(expr)" work for them.
+ * Enable VMPS to see contents of virtual server again
+ * Fix WiMAX module to be consistent with examples. (closes bug #10)
+ * Fixed crash with policies dependent on NAS-Port comparisons
+ * Allowed vendor IDs to be be higher than 32767.
+ * Fix crash on startup with certain regexes in "hints" file.
+ * Fix crash in attr_filter module when packets don't exist
+ * Allow detail file reader to be faster when "load_factor = 100"
+ * Add work-around for build failures with errors related to
+ lt__PROGRAM__LTX_preloaded_symbols. libltdl / libtool are horrible.
+ * Made ldap module "rebind" option aware of older, incompatible
+ versions of OpenLDAP.
+ * Check value of Fall-Through in attr_filter module.
+
+* Fri Aug 21 2009 Tomas Mraz - 2.1.6-6
+- rebuilt with new openssl
+
+* Fri Jul 24 2009 Fedora Release Engineering - 2.1.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Fri Jul 10 2009 John Dennis - 2.1.6-4
+- install COPYRIGHT CREDITS INSTALL LICENSE README into docdir
+
+* Tue Jun 23 2009 John Dennis - 2.1.6-3
+- resolves bug #507571 freeradius packages do not check for user/group existence
+
+* Tue Jun 2 2009 John Dennis - 2.1.6-2
+- make /etc/raddb/sites-available/* be config(noreplace)
+
+* Mon May 18 2009 John Dennis - 2.1.6-1
+- update to latest upstream release, from upstream Changelog:
+ Feature improvements
+ * radclient exits with 0 on successful (accept / ack), and 1
+ otherwise (no response / reject)
+ * Added support for %%{sql:UPDATE ..}, and insert/delete
+ Patch from Arran Cudbard-Bell
+ * Added sample "do not respond" policy. See raddb/policy.conf
+ and raddb/sites-available/do_not_respond
+ * Cleanups to Suse spec file from Norbert Wegener
+ * New VSAs for Juniper from Bjorn Mork
+ * Include more RFC dictionaries in the default install
+ * More documentation for the WiMAX module
+ * Added "chase_referrals" and "rebind" configuration to rlm_ldap.
+ This helps with Active Directory. See raddb/modules/ldap
+ * Don't load pre/post-proxy if proxying is disabled.
+ * Added %%{md5:...}, which returns MD5 hash in hex.
+ * Added configurable "retry_interval" and "poll_interval"
+ for "detail" listeners.
+ * Added "delete_mppe_keys" configuration option to rlm_wimax.
+ Apparently some WiMAX clients misbehave when they see those keys.
+ * Added experimental rlm_ruby from
+ http://github.com/Antti/freeradius-server/tree/master
+ * Add Tunnel attributes to ldap.attrmap
+ * Enable virtual servers to be reloaded on HUP. For now, only
+ the "authorize", "authenticate", etc. processing sections are
+ reloaded. Clients and "listen" sections are NOT reloaded.
+ * Updated "radwatch" script to be more robust.
See scripts/radwatch
+ * Added certificate compatibility notes in raddb/certs/README,
+ for compatibility with different operating systems. (i.e. Windows)
+ * Permit multiple "-e" in radmin.
+ * Add support for originating CoA-Request and Disconnect-Request.
+ See raddb/sites-available/originate-coa.
+ * Added "lifetime" and "max_queries" to raddb/sql.conf.
+ This helps address the problem of hung SQL sockets.
+ * Allow packets to be injected via radmin. See "inject help"
+ in radmin.
+ * Answer VMPS reconfirmation request. Patch from Hermann Lauer.
+ * Sample logrotate script in scripts/logrotate.freeradius
+ * Add configurable poll interval for "detail" listeners
+ * New "raddebug" command. This prints debugging information from
+ a running server. See "man raddebug.
+ * Add "require_message_authenticator" configuration to home_server
+ configuration. This makes the server add Message-Authenticator
+ to all outgoing Access-Request packets.
+ * Added smsotp module, as contributed by Siemens.
+ * Enabled the administration socket in the default install.
+ See raddb/sites-available/control-socket, and "man radmin"
+ * Handle duplicate clients, such as with replicated or
+ load-balanced SQL servers and "readclients = yes"
+ Bug fixes
+ * Minor changes to allow building without VQP.
+ * Minor fixes from John Center
+ * Fixed raddebug example
+ * Don't crash when deleting attributes via unlang
+ * Be friendlier to very fast clients
+ * Updated the "detail" listener so that it only polls once,
+ and not many times in a row, leaking memory each time...
+ * Update comparison for Packet-Src-IP-Address (etc.) so that
+ the operators other than '==' work.
+ * Did autoconf magic to work around weird libtool bug
+ * Make rlm_perl keep tags for tagged attributes in more situations
+ * Update UID checking for radmin
+ * Added "include_length" field for TTLS. It's needed for RFC
+ compliance, but not (apparently) for interoperability.
+ * Clean up control sockets when they are closed, so that we don't
+ leak memory.
+ * Define SUN_LEN for systems that don't have it.
+ * Correct some boundary conditions in the conditional checker ("if")
+ in "unlang". Bug noted by Arran Cudbard-Bell.
+ * Work around minor building issues in gmake. This should only
+ have affected developers.
+ * Change how we manage unprivileged user/group, so that we do not
+ create control sockets owned by root.
+ * Fixed more minor issues found by Coverity.
+ * Allow raddb/certs/bootstrap to run when there is no "make"
+ command installed.
+ * In radiusd.conf, run_dir depends on the name of the program,
+ and isn't hard-coded to "..../radiusd"
+ * Check for EOF in more places in the "detail" file reader.
+ * Added Freeswitch dictionary.
+ * Chop ethernet frames in VMPS, rather than droppping packets.
+ * Fix EAP-TLS bug. Patch from Arnaud Ebalard
+ * Don't lose string for regex-compares in the "users" file.
+ * Expose more functions in rlm_sql to rlm_sqlippool, which
+ helps on systems where RTLD_GLOBAL is off.
+ * Fix typos in MySQL schemas for ippools.
+ * Remove macro that was causing build issues on some platforms.
+ * Fixed issues with dead home servers. Bug noted by Chris Moules.
+ * Fixed "access after free" with some dynamic clients.
+
+- fix packaging bug, some directories missing execute permission
+ /etc/raddb/dictionary now readable by all.
+
+* Tue Feb 24 2009 John Dennis - 2.1.3-4
+- fix type usage in unixodbc to match new type usage in unixodbc API
+
+* Thu Feb 19 2009 John Dennis - 2.1.3-3
+- add pointer to Red Hat documentation in docdir
+
+* Sat Jan 24 2009 Caolán McNamara - 2.1.3-2
+- rebuild for dependencies
+
+* Thu Dec 4 2008 John Dennis - 2.1.3-1
+- upgrade to latest upstream release, upstream summary follows:
+ The focus of this release is stability.
+ Feature Improvements:
+ * Allow running with "user=radiusd" and binding to secure sockets.
+ * Start sending Status-Server "are you alive" messages earlier, which
+ helps with proxying multiple realms to a home server.
+ * Removed thread pool code from rlm_perl. It's not necessary.
+ * Added example Perl configuration to raddb/modules/perl
+ * Force OpenSSL to support certificates with SHA256. This seems to be
+ necessary for WiMAX certs.
+ Bug fixes:
+ * Fix Debian patch to allow it to build.
+ * Fix potential NULL dereference in debugging mode on certain
+ platforms for TTLS and PEAP inner tunnels.
+ * Fix uninitialized memory in handling of vendor definitions
+ * Fix parsing of quoted (but non-string) attributes in the "users" file.
+ * Initialize uknown NAS IP to 255.255.255.255, rather than 0.0.0.0
+ * use SUN_LEN in control socket, to avoid truncation on some platforms.
+ * Correct internal handling of "debug condition" to prevent it from
+ being over-written.
+ * Check return code of regcomp in "unlang", so that invalid regular
+ expressions are caught rather than mishandled.
+ * Make rlm_sql use . Addresses bug #610.
+ * Document list "type = status" better. Closes bug #580.
+ * Set "default days" for certificates, because OpenSSL won't do it.
+ This closes bug #615.
+ * Reference correct list in example raddb/modules/ldap. Closes #596.
+ * Increase default schema size for Acct-Session-Id to 64. Closes #540.
+ * Fix use of temporary files in dialup-admin. Closes #605 and
+ addresses CVE-2008-4474.
+ * Addressed a number of minor issues found by Coverity.
+ * Added DHCP option 150 to the dictionary. Closes #618.
+
+* Wed Dec 3 2008 John Dennis - 2.1.1-8
+- add --with-system-libtool to configure as a workaround for
+undefined reference to lt__PROGRAM__LTX_preloaded_symbols
+
+* Mon Dec 1 2008 John Dennis - 2.1.1-7
+- add obsoletes tag for dialupadmin subpackages which were removed
+
+* Mon Dec 1 2008 John Dennis - 2.1.1-7
+- add readline-devel BuildRequires
+
+* Sun Nov 30 2008 Ignacio Vazquez-Abrams - 2.1.1-4
+- Rebuild for Python 2.6
+
+* Fri Nov 21 2008 John Dennis - 2.1.1-3
+- make spec file buildable on RHEL5.2 by making perl-devel a fedora only dependency.
+- remove diaupadmin packages, it's not well supported and there are problems with it.
+
+* Fri Sep 26 2008 John Dennis - 2.1.1-1
+- Resolves: bug #464119 bootstrap code could not create initial certs in /etc/raddb/certs because
+ permissions were 750, radiusd running as euid radiusd could not write there, permissions now 770
+
+* Thu Sep 25 2008 John Dennis - 2.1.1-1
+- upgrade to new upstream 2.1.1 release
+
+* Wed Jul 30 2008 John Dennis - 2.0.5-2
+- Resolves: bug #453761: FreeRADIUS %%post should not include chown -R
+ specify file attributes for /etc/raddb/ldap.attrmap
+ fix consistent use of tabs/spaces (rpmlint warning)
+
+* Mon Jun 9 2008 John Dennis - 2.0.5-1
+- upgrade to latest upstream, see Changelog for details,
+ upstream now has more complete fix for bug #447545, local patch removed
+
+* Wed May 28 2008 John Dennis - 2.0.4-1
+- upgrade to latest upstream, see Changelog for details
+- resolves: bug #447545: freeradius missing /etc/raddb/sites-available/inner-tunnel
+
+* Fri May 16 2008 - 2.0.3-3
+- # Temporary fix for bug #446864, turn off optimization
+
+* Fri Apr 18 2008 John Dennis - 2.0.3-2
+- remove support for radrelay, it's different now
+- turn off default inclusion of SQL config files in radiusd.conf since SQL
+ is an optional RPM install
+- remove mssql config files
+
+* Thu Apr 17 2008 John Dennis - 2.0.3-1
+- Upgrade to current upstream 2.0.3 release
+- Many thanks to Enrico Scholz for his
spec file suggestions incorporated here
+- Resolve: bug #438665: Contains files owned by buildsystem
+- Add dialupadmin-mysql, dialupadmin-postgresql, dialupadmin-ldap subpackages
+ to further partition external dependencies.
+- Clean up some unnecessary requires dependencies
+- Add versioned requires between subpackages
+
+* Tue Mar 18 2008 Tom "spot" Callaway - 2.0.2-2
+- add Requires for versioned perl (libperl.so)
+
+* Thu Feb 28 2008 - 2.0.2-1
+- upgrade to new 2.0 release
+- split into subpackages for more fine grained installation
+
+* Tue Feb 19 2008 Fedora Release Engineering - 1.1.7-4.4.ipa
+- Autorebuild for GCC 4.3
+
+* Thu Dec 06 2007 Release Engineering - 1.1.7-3.4.ipa
+- Rebuild for deps
+
+* Sat Nov 10 2007 - 1.1.7-3.3.ipa
+- add support in rlm_ldap for reading clients from ldap
+- fix TLS parameter controling if a cert which fails to validate
+ will be accepted (i.e. self-signed),
+ rlm_ldap config parameter=tls_require_cert
+ ldap LDAP_OPT_X_TLS_REQUIRE_CERT parameter was being passed to
+ ldap_set_option() when it should have been ldap_int_tls_config()
+
+* Sat Nov 3 2007 - 1.1.7-3.2.ipa
+- add support in rlm_ldap for SASL/GSSAPI binds to the LDAP server
+
+* Mon Sep 17 2007 Thomas Woerner 1.1.7-3.1
+- made init script fully lsb conform
+
+* Mon Sep 17 2007 Thomas Woerner 1.1.7-3
+- fixed initscript problem (rhbz#292521)
+
+* Tue Aug 28 2007 Thomas Woerner 1.1.7-2
+- fixed initscript for LSB (rhbz#243671, rhbz#243928)
+- fixed license tag
+
+* Tue Aug 7 2007 Thomas Woerner 1.1.7-1
+- new versin 1.1.7
+- install snmp MIB files
+- dropped LDAP_DEPRECATED flag, it is upstream
+- marked config files for sub packages as config (rhbz#240400)
+- moved db files to /var/lib/raddb (rhbz#199082)
+
+* Fri Jun 15 2007 Thomas Woerner 1.1.6-2
+- radiusd expects /etc/raddb to not be world readable or writable
+ /etc/raddb now belongs to radiusd, post script sets permissions
+
+* Fri Jun 15 2007 Thomas Woerner 1.1.6-1
+- new version 1.1.6
+
+* Fri Mar 9 2007
Thomas Woerner 1.1.5-1
+- new version 1.1.5
+ - no /etc/raddb/otppasswd.sample anymore
+ - build is pie by default, dropped pie patch
+- fixed build requirement for perl (perl-devel)
+
+* Fri Feb 23 2007 Karsten Hopp 1.1.3-3
+- remove trailing dot from summary
+- fix buildroot
+- fix post/postun/preun requirements
+- use rpm macros
+
+* Fri Dec 8 2006 Thomas Woerner 1.1.3-2.1
+- rebuild for new postgresql library version
+
+* Thu Nov 30 2006 Thomas Woerner 1.1.3-2
+- fixed ldap code to not use internals, added LDAP_DEPRECATED compile time flag
+ (#210912)
+
+* Tue Aug 15 2006 Thomas Woerner 1.1.3-1
+- new version 1.1.3 with lots of upstream bug fixes, some security fixes
+ (#205654)
+
+* Tue Aug 15 2006 Thomas Woerner 1.1.2-2
+- commented out include for sql.conf in radiusd.conf (#202561)
+
+* Wed Jul 12 2006 Jesse Keating - 1.1.2-1.1
+- rebuild
+
+* Thu Jun 1 2006 Thomas Woerner 1.1.2-1
+- new version 1.1.2
+
+* Wed May 31 2006 Thomas Woerner 1.1.1-1
+- new version 1.1.1
+- fixed incorrect rlm_sql globbing (#189095)
+ Thanks to Yanko Kaneti for the fix.
+- fixed chown syntax in post script (#182777)
+- dropped gcc34, libdir and realloc-return patch
+- spec file cleanup with additional libtool build fixes
+
+* Fri Feb 10 2006 Jesse Keating - 1.0.5-1.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 1.0.5-1.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Dec 13 2005 Thomas Woerner 1.0.5-1
+- new version 1.0.5
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Sat Nov 12 2005 Tom Lane - 1.0.4-5
+- Rebuild due to mysql update.
+
+* Wed Nov 9 2005 Tomas Mraz - 1.0.4-4
+- rebuilt with new openssl
+- fixed ignored return value of realloc
+
+* Fri Sep 30 2005 Tomas Mraz - 1.0.4-3
+- use include instead of pam_stack in pam config
+
+* Wed Jul 20 2005 Thomas Woerner 1.0.4-2
+- added missing build requires for libtool-ltdl-devel (#160877)
+- modified file list to get a report for missing plugins
+
+* Tue Jun 28 2005 Thomas Woerner 1.0.4-1
+- new version 1.0.4
+- droppend radrelay patch (fixed upstream)
+
+* Thu Apr 14 2005 Warren Togami 1.0.2-2
+- rebuild against new postgresql-libs
+
+* Mon Apr 4 2005 Thomas Woerner 1.0.2-1
+- new version 1.0.2
+
+* Fri Nov 19 2004 Thomas Woerner 1.0.1-3
+- rebuild for MySQL 4
+- switched over to installed libtool
+
+* Fri Nov 5 2004 Thomas Woerner 1.0.1-2
+- Fixed install problem of radeapclient (#138069)
+
+* Wed Oct 6 2004 Thomas Woerner 1.0.1-1
+- new version 1.0.1
+- applied radrelay CVS patch from Kevin Bonner
+
+* Wed Aug 25 2004 Warren Togami 1.0.0-3
+- BuildRequires pam-devel and libtool
+- Fix errant text in description
+- Other minor cleanups
+
+* Wed Aug 25 2004 Thomas Woerner 1.0.0-2.1
+- renamed /etc/pam.d/radius to /etc/pam.d/radiusd to match default
+ configuration (#130613)
+
+* Wed Aug 25 2004 Thomas Woerner 1.0.0-2
+- fixed BuildRequires for openssl-devel (#130606)
+
+* Mon Aug 16 2004 Thomas Woerner 1.0.0-1
+- 1.0.0 final
+
+* Mon Jul 5 2004 Thomas Woerner 1.0.0-0.pre3.2
+- added buildrequires for zlib-devel (#127162)
+- fixed libdir patch to prefer own libeap instead of installed one (#127168)
+- fixed samba account maps in LDAP for samba v3 (#127173)
+
+* Thu Jul 1 2004 Thomas Woerner 1.0.0-0.pre3.1
+- third "pre" release of version 1.0.0
+- rlm_ldap is using SASLv2 (#126507)
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Thu Jun 3 2004 Thomas Woerner 0.9.3-4.1
+- fixed BuildRequires for gdbm-devel
+
+* Tue Mar 30 2004 Harald Hoyer - 0.9.3-4
+- gcc34 compilation fixes
+
+* Tue Mar 02 2004 Elliot Lee
+- rebuilt
+
+* Tue Feb 24 2004 Thomas
Woerner 0.9.3-3.2
+- added sql scripts for rlm_sql to documentation (#116435)
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Thu Feb 5 2004 Thomas Woerner 0.9.3-2.1
+- using -fPIC instead of -fpic for s390 ans s390x
+
+* Thu Feb 5 2004 Thomas Woerner 0.9.3-2
+- radiusd is pie, now
+
+* Tue Nov 25 2003 Thomas Woerner 0.9.3-1
+- new version 0.9.3 (bugfix release)
+
+* Fri Nov 7 2003 Thomas Woerner 0.9.2-1
+- new version 0.9.2
+
+* Mon Sep 29 2003 Thomas Woerner 0.9.1-1
+- new version 0.9.1
+
+* Mon Sep 22 2003 Nalin Dahyabhai 0.9.0-2.2
+- modify default PAM configuration to remove the directory part of the module
+ name, so that 32- and 64-bit libpam (called from 32- or 64-bit radiusd) on
+ multilib systems will always load the right module for the architecture
+- modify default PAM configuration to use pam_stack
+
+* Mon Sep 1 2003 Thomas Woerner 0.9.0-2.1
+- com_err.h moved to /usr/include/et
+
+* Tue Jul 22 2003 Thomas Woerner 0.9.0-1
+- 0.9.0 final
+
+* Wed Jul 16 2003 Thomas Woerner 0.9.0-0.9.0
+- new version 0.9.0 pre3
+
+* Thu May 22 2003 Thomas Woerner 0.8.1-6
+- included directory /var/log/radius/radacct for logrotate
+
+* Wed May 21 2003 Thomas Woerner 0.8.1-5
+- moved log and run dir to files section, cleaned up post
+
+* Wed May 21 2003 Thomas Woerner 0.8.1-4
+- added missing run dir in post
+
+* Tue May 20 2003 Thomas Woerner 0.8.1-3
+- fixed module load patch
+
+* Fri May 16 2003 Thomas Woerner
+- removed la files, removed devel package
+- split into 4 packages: freeradius, freeradius-mysql, freeradius-postgresql,
+ freeradius-unixODBC
+- fixed requires and buildrequires
+- create logging dir in post if it does not exist
+- fixed module load without la files
+
+* Thu Apr 17 2003 Thomas Woerner
+- Initial build.