svn commit: r342768 - in head/net/freeradius3: . files
Ryan Steinmetz
zi at FreeBSD.org
Wed Feb 5 16:37:54 UTC 2014
Author: zi
Date: Wed Feb 5 16:37:52 2014
New Revision: 342768
URL: http://svnweb.freebsd.org/changeset/ports/342768
QAT: https://qat.redports.org/buildarchive/r342768/
Log:
- More rlm_krb5 fixes
- Add Cisco ASA dictionary file
- Bump PORTREVISION
Added:
head/net/freeradius3/files/dictionary.cisco.asa (contents, props changed)
Modified:
head/net/freeradius3/Makefile
head/net/freeradius3/files/patch-rlm_krb5
head/net/freeradius3/pkg-plist
Modified: head/net/freeradius3/Makefile
==============================================================================
--- head/net/freeradius3/Makefile Wed Feb 5 16:34:47 2014 (r342767)
+++ head/net/freeradius3/Makefile Wed Feb 5 16:37:52 2014 (r342768)
@@ -3,7 +3,7 @@
PORTNAME= freeradius
DISTVERSION= 3.0.1
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= net
MASTER_SITES= ftp://ftp.freeradius.org/pub/freeradius/%SUBDIR%/ \
ftp://ftp.ntua.gr/pub/net/radius/freeradius/%SUBDIR%/ \
@@ -86,7 +86,7 @@ ${UNIQUENAME}_SET+= KERBEROS
.if ${PORT_OPTIONS:MHEIMDAL_PORT}
LIB_DEPENDS+= krb5:${PORTSDIR}/security/heimdal
.endif
-CONFIGURE_ARGS+=--enable-heimdal-krb5
+CONFIGURE_ARGS+=--enable-heimdal-krb5 --enable-pthread-support
.else
LIB_DEPENDS+= krb5:${PORTSDIR}/security/krb5
.endif
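Review bot: `--enable-pthread-support` is appended to CONFIGURE_ARGS in the Heimdal branch without a comment, and the only other place this commit mentions the flag is the rlm_krb5.c warning text in files/patch-rlm_krb5, where it is named as the option for rebuilding Heimdal's libkrb5 with thread support. If the FreeRADIUS configure scripts do not define that option, it is ignored with at most an "unrecognized options" warning and the port gains nothing from it. It is worth confirming which configure script consumes the flag and recording that above the line, e.g. `# consumed by <configure script>; requires a thread-safe Heimdal at run time`.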
@@ -201,23 +201,6 @@ PLIST_SUB+= RLMRUBY="@comment "
EXPM= yes
.endif
-# No SMB option yet; rlm_smb is still unbuildable
-.if ${PORT_OPTIONS:MSMB}
-LIB_DEPENDS= smbclient:${PORTSDIR}/net/samba-libsmbclient
-CONFIGURE_ARGS+=--with-rlm_smb
-CONFIGURE_ARGS+=--with-rlm-smb-lib-dir=${LOCALBASE}/lib
-CONFIGURE_ARGS+=--with-rlm-smb-include-dir=${LOCALBASE}/include
-PLIST_SUB+= SMB=""
-.else
-CONFIGURE_ARGS+=--without-rlm_smb
-PLIST_SUB+= SMB="@comment "
-.endif
-
-# SMB module is still experimental
-.if ${PORT_OPTIONS:MSMB} && empty(PORT_OPTIONS:MEXPERIMENTAL)
-EXPM= yes
-.endif
-
.if ${PORT_OPTIONS:MREDIS}
LIB_DEPENDS+= hiredis:${PORTSDIR}/databases/hiredis
CONFIGURE_ARGS+=--with-rlm_redis --with-rlm_rediswho
@@ -412,6 +395,7 @@ pre-install:
PRE-INSTALL
post-install:
+ @${INSTALL_DATA} ${FILESDIR}/dictionary.cisco.asa ${DATADIR}
# If ${PREFIX}/etc/raddb isn't a directory (or a symlink), make a copy
# of ${EXAMPLESDIR}/raddb as ${PREFIX}/etc/raddb, then bootstrap the
# certificates
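Review bot: The added `${INSTALL_DATA}` line copies dictionary.cisco.asa into `${DATADIR}`, but nothing visible in this commit makes the server read it. Unless the installed main dictionary already includes the file, the ASA-* attribute names will not resolve in policies. A one-line comment above the recipe line would record the expectation, e.g. `# only takes effect if the main dictionary $INCLUDEs dictionary.cisco.asa`. The leading `@` also keeps the command out of the build log, which makes a failed copy harder to trace. post-install continues past the end of the hunk.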
Added: head/net/freeradius3/files/dictionary.cisco.asa
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/net/freeradius3/files/dictionary.cisco.asa Wed Feb 5 16:37:52 2014 (r342768)
@@ -0,0 +1,369 @@
+# -*- text -*-
+# Copyright (C) 2013 The FreeRADIUS Server project and contributors
+#
+# Cisco Adaptative Security Appliance (ASA) Dictionary
+#
+# http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ref_extserver.html#wp1802187
+#
+# $Id$
+#
+
+VENDOR Cisco-ASA 3076
+
+BEGIN-VENDOR Cisco-ASA
+
+ATTRIBUTE ASA-Simultaneous-Logins 2 integer
+ATTRIBUTE ASA-Primary-DNS 5 string
+ATTRIBUTE ASA-Secondary-DNS 6 string
+ATTRIBUTE ASA-Primary-WINS 7 string
+ATTRIBUTE ASA-Secondary-WINS 8 string
+ATTRIBUTE ASA-SEP-Card-Assignment 9 integer
+ATTRIBUTE ASA-Tunneling-Protocols 11 integer
+ATTRIBUTE ASA-IPsec-Sec-Association 12 string
+ATTRIBUTE ASA-IPsec-Authentication 13 integer
+ATTRIBUTE ASA-Banner1 15 string
+ATTRIBUTE ASA-IPsec-Allow-Passwd-Store 16 integer
+ATTRIBUTE ASA-Use-Client-Address 17 integer
+ATTRIBUTE ASA-PPTP-Encryption 20 integer
+ATTRIBUTE ASA-L2TP-Encryption 21 integer
+ATTRIBUTE ASA-Group-Policy 25 string
+ATTRIBUTE ASA-IPsec-Split-Tunnel-List 27 string
+ATTRIBUTE ASA-IPsec-Default-Domain 28 string
+ATTRIBUTE ASA-IPsec-Split-DNS-Names 29 string
+ATTRIBUTE ASA-IPsec-Tunnel-Type 30 integer
+ATTRIBUTE ASA-IPsec-Mode-Config 31 integer
+ATTRIBUTE ASA-IPsec-Over-UDP 34 integer
+ATTRIBUTE ASA-IPsec-Over-UDP-Port 35 integer
+ATTRIBUTE ASA-Banner2 36 string
+ATTRIBUTE ASA-PPTP-MPPC-Compression 37 integer
+ATTRIBUTE ASA-L2TP-MPPC-Compression 38 integer
+ATTRIBUTE ASA-IPsec-IP-Compression 39 integer
+ATTRIBUTE ASA-IPsec-IKE-Peer-ID-Check 40 integer
+ATTRIBUTE ASA-IKE-Keep-Alives 41 integer
+ATTRIBUTE ASA-IPsec-Auth-On-Rekey 42 integer
+ATTRIBUTE ASA-Required-Client-Firewall-Vendor-Code 45 integer
+ATTRIBUTE ASA-Required-Client-Firewall-Product-Code 46 integer
+ATTRIBUTE ASA-Required-Client-Firewall-Description 47 string
+ATTRIBUTE ASA-Require-HW-Client-Auth 48 integer
+ATTRIBUTE ASA-Required-Individual-User-Auth 49 integer
+ATTRIBUTE ASA-Authenticated-User-Idle-Timeout 50 integer
+ATTRIBUTE ASA-Cisco-IP-Phone-Bypass 51 integer
+ATTRIBUTE ASA-IPsec-Split-Tunneling-Policy 55 integer
+ATTRIBUTE ASA-IPsec-Required-Client-Firewall-Capability 56 integer
+ATTRIBUTE ASA-IPsec-Client-Firewall-Filter-Name 57 string
+ATTRIBUTE ASA-IPsec-Client-Firewall-Filter-Optional 58 integer
+ATTRIBUTE ASA-IPsec-Backup-Servers 59 integer
+ATTRIBUTE ASA-IPsec-Backup-Server-List 60 string
+ATTRIBUTE ASA-DHCP-Network-Scope 61 string
+ATTRIBUTE ASA-Intercept-DHCP-Configure-Msg 62 integer
+ATTRIBUTE ASA-MS-Client-Subnet-Mask 63 integer
+ATTRIBUTE ASA-Allow-Network-Extension-Mode 64 integer
+ATTRIBUTE ASA-Authorization-Type 65 integer
+ATTRIBUTE ASA-Authorization-Required 66 integer
+ATTRIBUTE ASA-Authorization-DN-Field 67 string
+ATTRIBUTE ASA-Authorization-DN-Field 67 string
+ATTRIBUTE ASA-IKE-KeepAlive-Confidence-Interval 68 integer
+ATTRIBUTE ASA-WebVPN-Content-Filter-Parameters 69 integer
+ATTRIBUTE ASA-WebVPN-HTML-Filter 69 integer
+ATTRIBUTE ASA-WebVPN-URL-List 71 string
+ATTRIBUTE ASA-WebVPN-Port-Forwarding-List 72 string
+ATTRIBUTE ASA-WebVPN-Access-List 73 string
+ATTRIBUTE ASA-WebVPNACL 73 string
+ATTRIBUTE ASA-WebVPN-HTTP-Proxy-IP-Address 74 string
+ATTRIBUTE ASA-Cisco-LEAP-Bypass 75 integer
+ATTRIBUTE ASA-WebVPN-Default-Homepage 76 string
+ATTRIBUTE ASA-Client-Type-Version-Limiting 77 string
+ATTRIBUTE ASA-WebVPN-Group-based-HTTP/HTTPS-Proxy-Exception-List 78 string
+ATTRIBUTE ASA-WebVPN-Port-Forwarding-Name 79 string
+ATTRIBUTE ASA-IE-Proxy-Server 80 string
+ATTRIBUTE ASA-IE-Proxy-Server-Policy 81 integer
+ATTRIBUTE ASA-IE-Proxy-Exception-List 82 string
+ATTRIBUTE ASA-IE-Proxy-Bypass-Local 83 integer
+ATTRIBUTE ASA-IKE-Keepalive-Retry-Interval 84 integer
+ATTRIBUTE ASA-Tunnel-Group-Lock 85 string
+ATTRIBUTE ASA-Access-List-Inbound 86 string
+ATTRIBUTE ASA-Access-List-Outbound 87 string
+ATTRIBUTE ASA-Perfect-Forward-Secrecy-Enable 88 integer
+ATTRIBUTE ASA-NAC-Enable 89 integer
+ATTRIBUTE ASA-NAC-Status-Query-Timer 90 integer
+ATTRIBUTE ASA-NAC-Revalidation-Timer 91 integer
+ATTRIBUTE ASA-NAC-Default-ACL 92 string
+ATTRIBUTE ASA-WebVPN-URL-Entry-Enable 93 integer
+ATTRIBUTE ASA-WebVPN-File-Access-Enable 94 integer
+ATTRIBUTE ASA-WebVPN-File-Server-Entry-Enable 95 integer
+ATTRIBUTE ASA-WebVPN-File-Server-Browsing-Enable 96 integer
+ATTRIBUTE ASA-WebVPN-Port-Forwarding-Enable 97 integer
+ATTRIBUTE ASA-WebVPN-Port-Forwarding-Exchange-Proxy-Enable 98 integer
+ATTRIBUTE ASA-WebVPN-Port-Forwarding-HTTP-Proxy 99 integer
+ATTRIBUTE ASA-WebVPN-Citrix-Metaframe-Enable 101 integer
+ATTRIBUTE ASA-WebVPN-Apply-ACL 102 integer
+ATTRIBUTE ASA-WebVPN-SSL-VPN-Client-Enable 103 integer
+ATTRIBUTE ASA-WebVPN-SSL-VPN-Client-Required 104 integer
+ATTRIBUTE ASA-WebVPN-SSL-VPN-Client-Keep-Installation 105 integer
+ATTRIBUTE ASA-SVC-Keepalive 107 integer
+ATTRIBUTE ASA-WebVPN-SVC-Keepalive-Frequency 107 integer
+ATTRIBUTE ASA-SVC-DPD-Interval-Client 108 integer
+ATTRIBUTE ASA-WebVPN-SVC-Client-DPD-Frequency 108 integer
+ATTRIBUTE ASA-SVC-DPD-Interval-Gateway 109 integer
+ATTRIBUTE ASA-WebVPN-SVC-Gateway-DPD-Frequency 109 integer
+ATTRIBUTE ASA-SVC-Rekey-Time 110 integer
+ATTRIBUTE ASA-WebVPN-SVC-Rekey-Time 110 integer
+ATTRIBUTE ASA-WebVPN-SVC-Rekey-Method 111 integer
+ATTRIBUTE ASA-WebVPN-SVC-Compression 112 integer
+ATTRIBUTE ASA-WebVPN-Customization 113 string
+ATTRIBUTE ASA-WebVPN-SSO-Server-Name 114 string
+ATTRIBUTE ASA-WebVPN-Deny-Message 116 string
+ATTRIBUTE ASA-WebVPN-HTTP-Compression 120 integer
+ATTRIBUTE ASA-WebVPN-Keepalive-Ignore 121 integer
+ATTRIBUTE ASA-Extended-Authentication-On-Rekey 122 integer
+ATTRIBUTE ASA-SVC-DTLS 123 integer
+ATTRIBUTE ASA-WebVPN-SVC-DTLS-Enable 123 integer
+ATTRIBUTE ASA-WebVPN-Auto-HTTP-Signon 124 string
+ATTRIBUTE ASA-SVC-MTU 125 integer
+ATTRIBUTE ASA-WebVPN-SVC-DTLS-MTU 125 integer
+ATTRIBUTE ASA-WebVPN-Hidden-Shares 126 integer
+ATTRIBUTE ASA-SVC-Modules 127 string
+ATTRIBUTE ASA-SVC-Profiles 128 string
+ATTRIBUTE ASA-SVC-Ask 131 integer
+ATTRIBUTE ASA-SVC-Ask-Timeout 132 integer
+ATTRIBUTE ASA-IE-Proxy-PAC-URL 133 string
+ATTRIBUTE ASA-Strip-Realm 135 integer
+ATTRIBUTE ASA-Smart-Tunnel 136 string
+ATTRIBUTE ASA-WebVPN-Smart-Tunnel 136 string
+ATTRIBUTE ASA-WebVPN-ActiveX-Relay 137 integer
+ATTRIBUTE ASA-Smart-Tunnel-Auto 138 integer
+ATTRIBUTE ASA-WebVPN-Smart-Tunnel-Auto-Start 138 integer
+ATTRIBUTE ASA-Smart-Tunnel-Auto-Signon-Enable 139 string
+ATTRIBUTE ASA-WebVPN-Smart-Tunnel-Auto-Sign-On 139 string
+ATTRIBUTE ASA-VLAN 140 integer
+ATTRIBUTE ASA-NAC-Settings 141 string
+ATTRIBUTE ASA-Member-Of 145 string
+ATTRIBUTE ASA-TunnelGroupName 146 string
+ATTRIBUTE ASA-WebVPN-Idle-Timeout-Alert-Interval 148 integer
+ATTRIBUTE ASA-WebVPN-Session-Timeout-Alert-Interval 149 integer
+ATTRIBUTE ASA-ClientType 150 integer
+ATTRIBUTE ASA-SessionType 151 integer
+ATTRIBUTE ASA-SessionSubtype 152 integer
+ATTRIBUTE ASA-WebVPN-Download_Max-Size 157 integer
+ATTRIBUTE ASA-WebVPN-Upload-Max-Size 158 integer
+ATTRIBUTE ASA-WebVPN-Post-Max-Size 159 integer
+ATTRIBUTE ASA-WebVPN-User-Storage 160 string
+ATTRIBUTE ASA-WebVPN-Storage-Objects 161 string
+ATTRIBUTE ASA-WebVPN-Storage-Key 162 string
+ATTRIBUTE ASA-WebVPN-VDI 163 string
+ATTRIBUTE ASA-Address-Pools 217 string
+ATTRIBUTE ASA-IPv6-Address-Pools 218 string
+ATTRIBUTE ASA-IPv6-VPN-Filter 219 string
+ATTRIBUTE ASA-Privilege-Level 220 integer
+ATTRIBUTE ASA-WebVPN-UNIX-User-ID 221 integer
+ATTRIBUTE ASA-WebVPN-UNIX-Group-ID 222 integer
+ATTRIBUTE ASA-WebVPN-Macro-Substitution-Value1 223 string
+ATTRIBUTE ASA-WebVPN-Macro-Substitution-Value2 224 string
+ATTRIBUTE ASA-WebVPNSmart-Card-Removal-Disconnect 225 integer
+ATTRIBUTE ASA-WebVPN-Smart-Tunnel-Tunnel-Policy 227 string
+ATTRIBUTE ASA-WebVPN-Home-Page-Use-Smart-Tunnel 228 integer
+
+VALUE ASA-Authorization-Required No 0
+VALUE ASA-Authorization-Required Yes 1
+
+VALUE ASA-Authorization-Type None 0
+VALUE ASA-Authorization-Type Radius 1
+VALUE ASA-Authorization-Type LDAP 2
+
+VALUE ASA-Cisco-IP-Phone-Bypass Disabled 0
+VALUE ASA-Cisco-IP-Phone-Bypass Enabled 1
+
+VALUE ASA-Cisco-LEAP-Bypass Disabled 0
+VALUE ASA-Cisco-LEAP-Bypass Enabled 1
+
+VALUE ASA-ClientType Cisco-VPN-Client-IKEv1 1
+VALUE ASA-ClientType AnyConnect-Client-SSL-VPN 2
+VALUE ASA-ClientType Clientless-SSL-VPN 3
+VALUE ASA-ClientType Cut-Through-Proxy 4
+VALUE ASA-ClientType L2TP/IPsec-SSL-VPN 5
+VALUE ASA-ClientType AnyConnect-Client-IPSec-VPN-IKEv2 6
+
+VALUE ASA-Extended-Authentication-On-Rekey Disabled 0
+VALUE ASA-Extended-Authentication-On-Rekey Enabled 1
+
+VALUE ASA-IE-Proxy-Bypass-Local None 0
+VALUE ASA-IE-Proxy-Bypass-Local Local 1
+
+VALUE ASA-IE-Proxy-Server-Policy No-Modify 1
+VALUE ASA-IE-Proxy-Server-Policy No-Proxy 2
+VALUE ASA-IE-Proxy-Server-Policy Auto-detect 3
+VALUE ASA-IE-Proxy-Server-Policy Use-Concentrator-Setting 4
+
+VALUE ASA-IKE-Keep-Alives Disabled 0
+VALUE ASA-IKE-Keep-Alives Enabled 1
+
+VALUE ASA-Allow-Network-Extension-Mode Disabled 0
+VALUE ASA-Allow-Network-Extension-Mode Enabled 1
+
+VALUE ASA-Intercept-DHCP-Configure-Msg Disabled 0
+VALUE ASA-Intercept-DHCP-Configure-Msg Enabled 1
+
+VALUE ASA-IPsec-Allow-Passwd-Store Disabled 0
+VALUE ASA-IPsec-Allow-Passwd-Store Enabled 1
+
+VALUE ASA-IPsec-Authentication None 0
+VALUE ASA-IPsec-Authentication RADIUS 1
+VALUE ASA-IPsec-Authentication LDAP-Authorization-only 2
+VALUE ASA-IPsec-Authentication NT-Domain 3
+VALUE ASA-IPsec-Authentication SDI 4
+VALUE ASA-IPsec-Authentication Internal 5
+VALUE ASA-IPsec-Authentication RADIUS-with-Expiry 6
+VALUE ASA-IPsec-Authentication Kerberos/Active-Directory 7
+
+VALUE ASA-IPsec-Auth-On-Rekey Disabled 0
+VALUE ASA-IPsec-Auth-On-Rekey Enabled 1
+
+VALUE ASA-IPsec-Backup-Servers Use-Client-Configured-List 1
+VALUE ASA-IPsec-Backup-Servers Disable-and-clear-client-list 2
+VALUE ASA-IPsec-Backup-Servers Use-Backup-Server-List 3
+
+VALUE ASA-IPsec-Client-Firewall-Filter-Optional Required 0
+VALUE ASA-IPsec-Client-Firewall-Filter-Optional Optional 1
+
+VALUE ASA-IPsec-IKE-Peer-ID-Check Required 1
+VALUE ASA-IPsec-IKE-Peer-ID-Check If-Supported-By-Peer-Certificate 2
+VALUE ASA-IPsec-IKE-Peer-ID-Check Do-Not-Check 3
+
+VALUE ASA-IPsec-IP-Compression Disabled 0
+VALUE ASA-IPsec-IP-Compression Enabled 1
+
+VALUE ASA-IPsec-Mode-Config Disabled 0
+VALUE ASA-IPsec-Mode-Config Enabled 1
+
+VALUE ASA-IPsec-Over-UDP Disabled 0
+VALUE ASA-IPsec-Over-UDP Enabled 1
+
+VALUE ASA-IPsec-Required-Client-Firewall-Capability None 0
+VALUE ASA-IPsec-Required-Client-Firewall-Capability Policy-Remotely-Defined 1
+VALUE ASA-IPsec-Required-Client-Firewall-Capability Policy-Pushed 2
+VALUE ASA-IPsec-Required-Client-Firewall-Capability Policy-from-Server 4
+
+VALUE ASA-IPsec-Split-Tunneling-Policy No-Split-Tunneling 0
+VALUE ASA-IPsec-Split-Tunneling-Policy Split-Tunneling 1
+VALUE ASA-IPsec-Split-Tunneling-Policy Local-LAN-Permitted 2
+
+VALUE ASA-IPsec-Tunnel-Type LAN-to-LAN 1
+VALUE ASA-IPsec-Tunnel-Type Remote-Access 2
+
+VALUE ASA-L2TP-MPPC-Compression Disabled 0
+VALUE ASA-L2TP-MPPC-Compression Enabled 1
+
+VALUE ASA-NAC-Enable No 0
+VALUE ASA-NAC-Enable Yes 1
+
+VALUE ASA-Perfect-Forward-Secrecy-Enable No 0
+VALUE ASA-Perfect-Forward-Secrecy-Enable Yes 1
+
+VALUE ASA-PPTP-MPPC-Compression Disabled 0
+VALUE ASA-PPTP-MPPC-Compression Enabled 1
+
+VALUE ASA-Required-Client-Firewall-Vendor-Code Cisco-CIC 1
+VALUE ASA-Required-Client-Firewall-Vendor-Code Zone-Labs 2
+VALUE ASA-Required-Client-Firewall-Vendor-Code NetworkICE 3
+VALUE ASA-Required-Client-Firewall-Vendor-Code Sygate 4
+VALUE ASA-Required-Client-Firewall-Vendor-Code Cisco-IPSA 5
+
+VALUE ASA-Required-Individual-User-Auth Disabled 0
+VALUE ASA-Required-Individual-User-Auth Enabled 1
+
+VALUE ASA-Require-HW-Client-Auth Disabled 0
+VALUE ASA-Require-HW-Client-Auth Enabled 1
+
+VALUE ASA-SessionSubtype None 0
+VALUE ASA-SessionSubtype Clientless 1
+VALUE ASA-SessionSubtype Client 2
+VALUE ASA-SessionSubtype Client-Only 3
+
+VALUE ASA-SessionType None 0
+VALUE ASA-SessionType AnyConnect-Client-SSL-VPN 1
+VALUE ASA-SessionType AnyConnect-Client-IPSec-VPN/IKEv2 2
+VALUE ASA-SessionType Clientless-SSL-VPN 3
+VALUE ASA-SessionType Clientless-Email-Proxy 4
+VALUE ASA-SessionType Cisco-VPN-Client/IKEv1 5
+VALUE ASA-SessionType IKEv1-LAN-to-LAN 6
+VALUE ASA-SessionType IKEv2-LAN-to-LAN 7
+VALUE ASA-SessionType VPN-Load-Balancing 8
+
+VALUE ASA-Smart-Tunnel-Auto Disabled 0
+VALUE ASA-Smart-Tunnel-Auto Enabled 1
+VALUE ASA-Smart-Tunnel-Auto AutoStart 2
+
+VALUE ASA-Strip-Realm Disabled 0
+VALUE ASA-Strip-Realm Enabled 1
+
+VALUE ASA-SVC-Ask Disabled 0
+VALUE ASA-SVC-Ask Enabled 1
+VALUE ASA-SVC-Ask Enable-Default-Service 3
+VALUE ASA-SVC-Ask Enable-Default-Clientless 5
+
+VALUE ASA-SVC-DTLS FALSE 0
+VALUE ASA-SVC-DTLS TRUE 1
+
+VALUE ASA-Use-Client-Address Disabled 0
+VALUE ASA-Use-Client-Address Enabled 1
+
+VALUE ASA-WebVPN-Apply-ACL Disabled 0
+VALUE ASA-WebVPN-Apply-ACL Enabled 1
+
+VALUE ASA-WebVPN-Citrix-Metaframe-Enable Disabled 0
+VALUE ASA-WebVPN-Citrix-Metaframe-Enable Enabled 1
+
+VALUE ASA-WebVPN-File-Access-Enable Disabled 0
+VALUE ASA-WebVPN-File-Access-Enable Enabled 1
+
+VALUE ASA-WebVPN-File-Server-Browsing-Enable Disabled 0
+VALUE ASA-WebVPN-File-Server-Browsing-Enable Enabled 1
+
+VALUE ASA-WebVPN-File-Server-Entry-Enable Disabled 0
+VALUE ASA-WebVPN-File-Server-Entry-Enable Enabled 1
+
+VALUE ASA-WebVPN-Hidden-Shares None 0
+VALUE ASA-WebVPN-Hidden-Shares Visible 1
+
+VALUE ASA-WebVPN-HTTP-Compression Off 0
+VALUE ASA-WebVPN-HTTP-Compression Deflate-Compression 1
+
+VALUE ASA-WebVPN-Port-Forwarding-Enable Disabled 0
+VALUE ASA-WebVPN-Port-Forwarding-Enable Enabled 1
+
+VALUE ASA-WebVPN-Port-Forwarding-Exchange-Proxy-Enable Disabled 0
+VALUE ASA-WebVPN-Port-Forwarding-Exchange-Proxy-Enable Enabled 1
+
+VALUE ASA-WebVPN-Port-Forwarding-HTTP-Proxy Disabled 0
+VALUE ASA-WebVPN-Port-Forwarding-HTTP-Proxy Enabled 1
+
+VALUE ASA-WebVPNSmart-Card-Removal-Disconnect Disabled 0
+VALUE ASA-WebVPNSmart-Card-Removal-Disconnect Enabled 1
+
+VALUE ASA-WebVPN-Smart-Tunnel-Auto-Start Disabled 0
+VALUE ASA-WebVPN-Smart-Tunnel-Auto-Start Enabled 1
+VALUE ASA-WebVPN-Smart-Tunnel-Auto-Start AutoStart 2
+
+VALUE ASA-WebVPN-SSL-VPN-Client-Enable Disabled 0
+VALUE ASA-WebVPN-SSL-VPN-Client-Enable Enabled 1
+
+VALUE ASA-WebVPN-SSL-VPN-Client-Keep-Installation Disabled 0
+VALUE ASA-WebVPN-SSL-VPN-Client-Keep-Installation Enabled 1
+
+VALUE ASA-WebVPN-SSL-VPN-Client-Required Disabled 0
+VALUE ASA-WebVPN-SSL-VPN-Client-Required Enabled 1
+
+VALUE ASA-WebVPN-SVC-DTLS-Enable Disabled 0
+VALUE ASA-WebVPN-SVC-DTLS-Enable Enabled 1
+
+VALUE ASA-WebVPN-SVC-Rekey-Method Off 0
+VALUE ASA-WebVPN-SVC-Rekey-Method SSL 1
+VALUE ASA-WebVPN-SVC-Rekey-Method New-Tunnel 2
+
+VALUE ASA-WebVPN-SVC-Compression Off 0
+VALUE ASA-WebVPN-SVC-Compression Deflate-Compression 1
+
+VALUE ASA-WebVPN-URL-Entry-Enable Disabled 0
+VALUE ASA-WebVPN-URL-Entry-Enable Enabled 1
+
+END-VENDOR Cisco-ASA
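Review bot: Attribute 67 is declared twice with the same name (`ASA-Authorization-DN-Field`), and number 69 is shared by `ASA-WebVPN-Content-Filter-Parameters` and `ASA-WebVPN-HTML-Filter` while 70 is unused. The first is a plain duplicate line; the second should be checked against the Cisco reference cited in the header, because unlike the SVC/WebVPN pairs further down these two names do not look like aliases. `ASA-WebVPN-Download_Max-Size` and `ASA-WebVPNSmart-Card-Removal-Disconnect` break the hyphenation used by their neighbours, so policies written from the vendor documentation may fail to resolve them. The file registers vendor number 3076; if another installed Cisco dictionary (pkg-plist lists dictionary.cisco.vpn3000) uses the same number, the name shown when an attribute is decoded may depend on load order, which deserves a header comment.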
Modified: head/net/freeradius3/files/patch-rlm_krb5
==============================================================================
--- head/net/freeradius3/files/patch-rlm_krb5 Wed Feb 5 16:34:47 2014 (r342767)
+++ head/net/freeradius3/files/patch-rlm_krb5 Wed Feb 5 16:37:52 2014 (r342768)
@@ -1,5 +1,5 @@
--- ./src/modules/rlm_krb5/configure.orig 2014-01-13 20:13:56.000000000 -0500
-+++ ./src/modules/rlm_krb5/configure 2014-02-03 14:45:22.000000000 -0500
++++ ./src/modules/rlm_krb5/configure 2014-02-05 08:27:14.000000000 -0500
@@ -1468,6 +1468,73 @@
} # ac_fn_c_try_link
@@ -728,7 +728,7 @@
--- ./src/modules/rlm_krb5/configure.ac.orig 2014-01-13 20:13:56.000000000 -0500
-+++ ./src/modules/rlm_krb5/configure.ac 2014-02-03 14:45:22.000000000 -0500
++++ ./src/modules/rlm_krb5/configure.ac 2014-02-05 08:27:14.000000000 -0500
@@ -31,9 +31,9 @@
dnl #
if test "$krb5_config" != 'not-found'; then
@@ -777,13 +777,13 @@
AC_SUBST(mod_ldflags)
AC_SUBST(mod_cflags)
--- ./src/modules/rlm_krb5/krb5.c.orig 2014-01-13 20:13:56.000000000 -0500
-+++ ./src/modules/rlm_krb5/krb5.c 2014-02-03 14:47:32.000000000 -0500
++++ ./src/modules/rlm_krb5/krb5.c 2014-02-05 08:27:22.000000000 -0500
@@ -15,19 +15,19 @@
*/
/**
- * $Id: 81ed1d4bd3c41b41042141caa8e862d51f1f75df $
-+ * $Id: c830bff1cbb89a9e3faf56a3275b9ba00c5b57d0 $
++ * $Id: dbe33449063caf68e2299b99acb57fd4678f77c8 $
* @file krb5.h
* @brief Context management functions for rlm_krb5
*
@@ -791,7 +791,7 @@
* @copyright 2013 Arran Cudbard-Bell <a.cudbardb at freeradius.org>
*/
-RCSID("$Id: 81ed1d4bd3c41b41042141caa8e862d51f1f75df $")
-+RCSID("$Id: c830bff1cbb89a9e3faf56a3275b9ba00c5b57d0 $")
++RCSID("$Id: dbe33449063caf68e2299b99acb57fd4678f77c8 $")
#include <freeradius-devel/radiusd.h>
#include "krb5.h"
@@ -806,26 +806,67 @@
ret = fr_thread_local_set(krb5_error_buffer, buffer);
if (ret != 0) {
- ERROR("Failed setting up TLS for krb5 error buffer: %s", fr_syserror(ret));
-+ ERROR("Failed setting up TLS for krb5 error buffer.");
++ ERROR("Failed setting up TLS for krb5 error buffer: %s", strerror(ret));
free(buffer);
return NULL;
}
-@@ -69,7 +69,13 @@
+@@ -69,7 +69,18 @@
msg = krb5_get_error_message(context, code);
if (msg) {
strlcpy(buffer, msg, KRB5_STRERROR_BUFSIZE);
+#ifdef HAVE_KRB5_FREE_ERROR_MESSAGE
krb5_free_error_message(context, msg);
+#elif defined(HAVE_KRB5_FREE_ERROR_STRING)
-+ krb5_free_error_string(context, msg);
++ {
++ char *free;
++
++ memcpy(&free, &msg, sizeof(free));
++ krb5_free_error_string(context, free);
++ }
+#else
+# error "No way to free error strings, missing krb5_free_error_message() and krb5_free_error_string()"
+#endif
} else {
strlcpy(buffer, "Unknown error", KRB5_STRERROR_BUFSIZE);
}
+@@ -102,6 +113,13 @@
+ if (conn->keytab) {
+ krb5_kt_close(conn->context, conn->keytab);
+ }
++
++#ifdef HEIMDAL_KRB5
++ if (conn->ccache) {
++ krb5_cc_destroy(conn->context, conn->ccache);
++ }
++#endif
++
+ return 0;
+ }
+
+@@ -140,14 +158,13 @@
+ }
+
+ #ifdef HEIMDAL_KRB5
+- /*
+- * Setup krb5_verify_user options
+- *
+- * Not entirely sure this is necessary, but as we use context
+- * to get the cache handle, we probably do have to do this with
+- * the cloned context.
+- */
+- krb5_cc_default(conn->context, &conn->ccache);
++ ret = krb5_cc_new_unique(conn->context, "MEMORY", NULL, &conn->ccache);
++ if (ret) {
++ ERROR("rlm_krb5 (%s): Credential cache creation failed: %s", inst->xlat_name,
++ rlm_krb5_error(conn->context, ret));
++
++ return NULL;
++ }
+
+ krb5_verify_opt_init(&conn->options);
+ krb5_verify_opt_set_ccache(&conn->options, conn->ccache);
--- ./src/modules/rlm_krb5/krb5.h.orig 2014-01-13 20:13:56.000000000 -0500
-+++ ./src/modules/rlm_krb5/krb5.h 2014-02-03 14:45:22.000000000 -0500
++++ ./src/modules/rlm_krb5/krb5.h 2014-02-05 08:27:14.000000000 -0500
@@ -15,14 +15,14 @@
*/
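Review bot: In the handle destructor, the added `krb5_cc_destroy(conn->context, conn->ccache)` is followed directly by `return 0`, so `conn->context` is either released earlier in the function, before the keytab and ccache calls that still use it, or not released there at all. The start of the destructor is outside the hunk, so the order should be confirmed and `krb5_free_context()` kept as the last call. In the connection-setup code, the new failure branch after `krb5_cc_new_unique()` is a bare `return NULL;`; that function's other error paths are also outside the hunk, so check that this one releases `conn` the same way they do. The temporary `char *free;` in the `HAVE_KRB5_FREE_ERROR_STRING` branch shadows libc `free()`, which the same file calls a few lines earlier; a name such as `char *to_free;` avoids the confusion.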
@@ -853,13 +894,13 @@
# include <et/com_err.h>
# else
--- ./src/modules/rlm_krb5/rlm_krb5.c.orig 2014-01-13 20:13:56.000000000 -0500
-+++ ./src/modules/rlm_krb5/rlm_krb5.c 2014-02-03 14:45:22.000000000 -0500
++++ ./src/modules/rlm_krb5/rlm_krb5.c 2014-02-05 08:27:14.000000000 -0500
@@ -15,7 +15,7 @@
*/
/**
- * $Id: 4c96eb58baaf37c8bc7701ba772c09752ee0505c $
-+ * $Id: caf186e694151905d607447151fa65e429fb95e3 $
++ * $Id: 1f7833cc2ad4d507871cb4ad2d08c009dafe2144 $
* @file rlm_krb5.c
* @brief Authenticate users, retrieving their TGT from a Kerberos V5 TDC.
*
@@ -868,27 +909,175 @@
* @copyright 2000 Alan DeKok <aland at ox.org>
*/
-RCSID("$Id: 4c96eb58baaf37c8bc7701ba772c09752ee0505c $")
-+RCSID("$Id: caf186e694151905d607447151fa65e429fb95e3 $")
++RCSID("$Id: 1f7833cc2ad4d507871cb4ad2d08c009dafe2144 $")
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/modules.h>
-@@ -84,7 +84,7 @@
+@@ -82,15 +82,33 @@
+ DEBUG("Using MIT Kerberos library");
+ #endif
- #ifndef KRB5_IS_THREAD_SAFE
+-#ifndef KRB5_IS_THREAD_SAFE
++
if (!krb5_is_thread_safe()) {
- DEBUGI("libkrb5 is not threadsafe, recompile it, and the server with thread support enabled");
-+ WDEBUG("libkrb5 is not threadsafe, recompile it, and the server with thread support enabled");
++/*
++ * rlm_krb5 was built as threadsafe
++ */
++#ifdef KRB5_IS_THREAD_SAFE
++ ERROR("Build time libkrb5 was threadsafe, but run time library claims not to be");
++ ERROR("Modify runtime linker path (LD_LIBRARY_PATH on most systems), to prefer threadsafe libkrb5");
++ return -1;
++/*
++ * rlm_krb5 was not built as threadsafe
++ */
++#else
++ WDEBUG("libkrb5 is not threadsafe, recompile it with thread support enabled ("
++# ifdef HEIMDAL_KRB5
++ "--enable-pthread-support"
++# else
++ "--disable-thread-support=no"
++# endif
++ ")");
WDEBUG("rlm_krb5 will run in single threaded mode, performance may be degraded");
} else {
WDEBUG("Build time libkrb5 was not threadsafe, but run time library claims to be");
-@@ -331,8 +331,9 @@
- break;
+ WDEBUG("Reconfigure and recompile rlm_krb5 to enable thread support");
+- }
+ #endif
++ }
++
+ inst->xlat_name = cf_section_name2(conf);
+ if (!inst->xlat_name) {
+ inst->xlat_name = cf_section_name1(conf);
+@@ -277,6 +295,40 @@
+ return RLM_MODULE_OK;
+ }
+
++/** Log error message and return appropriate rcode
++ *
++ * Translate kerberos error codes into return codes.
++ * @param request Current request.
++ * @param ret code from kerberos.
++ * @param conn used in the last operation.
++ */
++static rlm_rcode_t krb5_process_error(REQUEST *request, rlm_krb5_handle_t *conn, int ret)
++{
++ rad_assert(ret != 0);
++ rad_assert(conn); /* Silences warnings */
++
++ switch (ret) {
++ case KRB5_LIBOS_BADPWDMATCH:
++ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
++ REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(conn->context, ret));
++ return RLM_MODULE_REJECT;
++
++ case KRB5KDC_ERR_KEY_EXP:
++ case KRB5KDC_ERR_CLIENT_REVOKED:
++ case KRB5KDC_ERR_SERVICE_REVOKED:
++ REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(conn->context, ret));
++ return RLM_MODULE_USERLOCK;
++
++ case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
++ RDEBUG("User not found (%i): %s", ret, rlm_krb5_error(conn->context, ret));
++ return RLM_MODULE_NOTFOUND;
++
++ default:
++ REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(conn->context, ret));
++ return RLM_MODULE_FAIL;
++ }
++}
++
+ #ifdef HEIMDAL_KRB5
- case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+ /*
+@@ -316,34 +368,10 @@
+ */
+ ret = krb5_verify_user_opt(conn->context, client, request->password->vp_strvalue, &conn->options);
+ if (ret) {
+- switch (ret) {
+- case KRB5_LIBOS_BADPWDMATCH:
+- case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+- REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+- rcode = RLM_MODULE_REJECT;
+- break;
+-
+- case KRB5KDC_ERR_KEY_EXP:
+- case KRB5KDC_ERR_CLIENT_REVOKED:
+- case KRB5KDC_ERR_SERVICE_REVOKED:
+- REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+- rcode = RLM_MODULE_USERLOCK;
+- break;
+-
+- case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
- RDEBUG("User not found: %s (%i)", ret, rlm_krb5_error(conn->context, ret));
-+ RDEBUG("User not found (%i): %s", ret, rlm_krb5_error(conn->context, ret));
- rcode = RLM_MODULE_NOTFOUND;
-+ break;
+- rcode = RLM_MODULE_NOTFOUND;
+-
+- default:
+- REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+- rcode = RLM_MODULE_FAIL;
+- break;
+- }
+-
+- goto cleanup;
++ rcode = krb5_process_error(request, conn, ret);
+ }
+
+- cleanup:
++cleanup:
+ if (client) {
+ krb5_free_principal(conn->context, client);
+ }
+@@ -401,45 +429,20 @@
+ * Retrieve the TGT from the TGS/KDC and check we can decrypt it.
+ */
+ memcpy(&password, &request->password->vp_strvalue, sizeof(password));
++ RDEBUG("Retrieving and decrypting TGT");
+ ret = krb5_get_init_creds_password(conn->context, &init_creds, client, password,
+ NULL, NULL, 0, NULL, inst->gic_options);
+ if (ret) {
+- error:
+- switch (ret) {
+- case KRB5_LIBOS_BADPWDMATCH:
+- case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+- REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+- rcode = RLM_MODULE_REJECT;
+- break;
+-
+- case KRB5KDC_ERR_KEY_EXP:
+- case KRB5KDC_ERR_CLIENT_REVOKED:
+- case KRB5KDC_ERR_SERVICE_REVOKED:
+- REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+- rcode = RLM_MODULE_USERLOCK;
+- break;
+-
+- case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+- REDEBUG("User not found (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+- rcode = RLM_MODULE_NOTFOUND;
+- break;
+-
+- default:
+- REDEBUG("Error retrieving or verifying credentials (%i): %s", ret,
+- rlm_krb5_error(conn->context, ret));
+- rcode = RLM_MODULE_FAIL;
+- break;
+- }
+-
+- goto cleanup;
++ rcode = krb5_process_error(request, conn, ret);
+ }
- default:
- REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(conn->context, ret));
+- RDEBUG("Successfully retrieved and decrypted TGT");
+-
++ RDEBUG("Attempting to authenticate against service principal");
+ ret = krb5_verify_init_creds(conn->context, &init_creds, inst->server, conn->keytab, NULL, inst->vic_options);
+- if (ret) goto error;
++ if (ret) {
++ rcode = krb5_process_error(request, conn, ret);
++ }
+
+- cleanup:
++cleanup:
+ if (client) {
+ krb5_free_principal(conn->context, client);
+ }
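Review bot: In the MIT branch, the new `if (ret)` block after `krb5_get_init_creds_password()` sets `rcode` but no longer jumps to `cleanup`. After a failed password check, execution therefore continues into `krb5_verify_init_creds()` with an `init_creds` that call never filled in, and `rcode` can then be overwritten by the second call's error. The removed code ended this branch with `goto cleanup;`, and the new block needs the same: `rcode = krb5_process_error(request, conn, ret);` followed by `goto cleanup;`. The Heimdal branch is unaffected because its `if (ret)` block falls straight through to `cleanup:`. Both authenticate functions start outside the hunk, so how `rcode` and `init_creds` are initialised should be checked there.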
Modified: head/net/freeradius3/pkg-plist
==============================================================================
--- head/net/freeradius3/pkg-plist Wed Feb 5 16:34:47 2014 (r342767)
+++ head/net/freeradius3/pkg-plist Wed Feb 5 16:37:52 2014 (r342768)
@@ -428,6 +428,7 @@ include/freeradius/udpfromto.h
%%DATADIR%%/dictionary.camiant
%%DATADIR%%/dictionary.chillispot
%%DATADIR%%/dictionary.cisco
+%%DATADIR%%/dictionary.cisco.asa
%%DATADIR%%/dictionary.cisco.bbsm
%%DATADIR%%/dictionary.cisco.vpn3000
%%DATADIR%%/dictionary.cisco.vpn5000