freeradius-2.1.6 + perl-5.8.9_3 + perl hook problem

Nick Rogers ncrogers at gmail.com
Fri Jan 8 18:09:48 UTC 2010


One of the FreeRADIUS maintainers pointed out to me that there is a problem
with freeradius + rlm_perl module + libltdl/libtools 2.2, in that they are
still using the old libltdl API. You can fix this by either using libtools
1.5 (which is difficult since it's been removed from the ports tree) or
upgrading the freeradius2 port to version 2.1.8 and adding the following diff
to the port. I also had to manually update the pkg-plist.


--- src/main/modules.c 2010-01-08 06:43:51.000000000 -0800
+++ src/main/modules.c 2010-01-08 07:48:12.000000000 -0800
@@ -207,9 +207,6 @@
  * Solve the issues of libraries linking to other libraries
  * by using a newer libltdl API.
  */
-#ifndef HAVE_LT_DLADVISE_INIT
-#define fr_dlopenext lt_dlopenext
-#else
 static lt_dlhandle fr_dlopenext(const char *filename)
 {
  lt_dlhandle handle = 0;
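
Review bot: dropping the "#ifndef HAVE_LT_DLADVISE_INIT" / "#define fr_dlopenext lt_dlopenext" fallback at the top of this hunk leaves the static fr_dlopenext() as the only definition, so a build against a libltdl that lacks the newer API the comment refers to has nothing to fall back on. If the underlying problem is that HAVE_LT_DLADVISE_INIT is not set even though libltdl 2.2 is installed, fixing that detection in the port, or declaring the libltdl 2.2 requirement there, would keep the guard and leave older libltdl builds working.
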
@@ -225,7 +222,6 @@

  return handle;
 }
-#endif /* HAVE_LT_DLADVISE_INIT */
 #endif /* WITHOUT_LIBLTDL */

 static int virtual_server_idx(const char *name)
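
Review bot: with "#endif /* HAVE_LT_DLADVISE_INIT */" removed here, "#endif /* WITHOUT_LIBLTDL */" is the only conditional left around fr_dlopenext(), and nothing in the file records that the function now needs the newer libltdl API unconditionally. A one-line comment at this spot saying so, and why the guard was dropped, would tell the next port maintainer when this local patch can be retired.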

On Thu, Jan 7, 2010 at 8:19 AM, Nick Rogers <ncrogers at gmail.com> wrote:

> I started a thread discussing a similar problem a few days ago but I would
> like to repost a more concise statement and a way to replicate easily.
>
> There seems to be some kind of shared library linking issue between the
> freeradius2 and perl packages compiled from RELEASE_8_0 ports tree branch.
> If one tries to use freeradius in conjunction with a perl hook (script) for
> authentication, and the perl script requires a perl module relying on a
> compiled shared object file (e.g., IO), then freeradius will fail to load
> the perl script and throws errors.
>
> Below is a dump that should make it easy to replicate the problem. This was
> done after freshly installing 8.0-RELEASE-i386 onto a system from the
> official ISO.
>
> Note that I have also tried to compile the ports myself and run into the
> same problem on i386 and amd64 architectures. I am going to try and compile
> the ports using portupgrade as suggested by someone on this list and see if
> that changes anything. Any further help would be greatly appreciated.
> Thanks!
>
>
>
> # uname -a
> FreeBSD  8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009
>   root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
> #
> # pkg_info
> #
> #
> # pkg_add -r freeradius
> Fetching
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/freeradius.tbz...
> Done.
> Fetching
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/python26-2.6.2_3.tbz...
> Done.
>
> ====
> Note that some of the standard modules are provided as separate
> ports since they require extra dependencies:
>
> bsddb           databases/py-bsddb
> gdbm            databases/py-gdbm
> sqlite3 databases/py-sqlite3
> tkinter         x11-toolkits/py-tkinter
>
> Install them as needed.
> ====
>
> Fetching
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/perl-5.8.9_3.tbz...
> Done.
> Removing stale symlinks from /usr/bin...
>     Skipping /usr/bin/perl
>     Skipping /usr/bin/perl5
> Done.
> Creating various symlinks in /usr/bin...
>     Symlinking /usr/local/bin/perl5.8.9 to /usr/bin/perl
>     Symlinking /usr/local/bin/perl5.8.9 to /usr/bin/perl5
> Done.
> Cleaning up /etc/make.conf... Done.
> Spamming /etc/make.conf... Done.
> Cleaning up /etc/manpath.config... Done.
> Spamming /etc/manpath.config... Done.
> Fetching
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/libltdl-2.2.6a.tbz...
> Done.
> Fetching
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/gdbm-1.8.3_3.tbz...
> Done.
> Fetching
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/libiconv-1.13.1.tbz...
> Done.
> Fetching
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/gettext-0.17_1.tbz...
> Done.
> Fetching
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/gmake-3.81_3.tbz...
> Done.
> ===> Created group freeradius
> ===> Created user freeradius
> ===> Setting user and group in radiusd.conf
> ===> Bootstrapping default certificates, please wait...
> ===> Adjusting ownership of directory /usr/local/etc/raddb
> ===> Adjusting ownership of directory /var/log/radacct
> ===> Adjusting ownership of directory /var/run/radiusd
> ===> Adjusting ownership of /var/log/radius.log
> ===> Adjusting ownership of /var/log/radutmp
> ===> Adjusting ownership of /var/log/radwtmp
> ===> Updating libdir in /usr/local/etc/raddb/radiusd.conf
>
>
> ===============================================================================
>
> To enable FreeRADIUS, put the following line in /etc/rc.conf
>
> radiusd_enable="YES"
>
>
> The sample configuration can be found at
> /usr/local/share/examples/freeradius/raddb
>
> If you are upgrading FreeRADIUS, you are advised to use this as a reference
> for updating your configuration.
>
>
> FreeRADIUS will look for its configuration directory at
> /usr/local/etc/raddb by default.
>
> If you did not already have a configuration at this location, the sample
> configuration has been copied to this location and has been bootstrapped.
>
>
> If you wish to point FreeRADIUS to a configuration at a different
> location, put the following line in /etc/rc.conf
>
> radiusd_flags="-d /path/to/raddb"
>
>
> To start the server in normal (daemon) mode, run:
>
> /usr/local/etc/rc.d/radiusd start
>
> and to stop the server, run:
>
> /usr/local/etc/rc.d/radiusd stop
>
>
> To start the server in debugging mode, run:
>
> /usr/local/etc/rc.d/radiusd debug
>
>
> You are advised to make cautious changes to the configuration, and to test
> frequently, using debugging mode where necessary. Try to resist the
> temptation to disable or delete things that you don't understand - you may
> well break things!
>
> The documentation has been installed at /usr/local/share/doc/freeradius
>
> Useful configuration advice can be found in the FreeRADIUS Wiki at
> http://wiki.freeradius.org
>
>
> ===============================================================================
>
>
> #
> # pkg_info
> en-freebsd-doc-20090913 Documentation from the FreeBSD Documentation
> Project
> freeradius-2.1.6    A free RADIUS server implementation
> gdbm-1.8.3_3        The GNU database manager
> gettext-0.17_1      GNU gettext package
> gmake-3.81_3        GNU version of 'make' utility
> libiconv-1.13.1     A character set conversion library
> libltdl-2.2.6a      System independent dlopen wrapper
> perl-5.8.9_3        Practical Extraction and Report Language
> python26-2.6.2_3    An interpreted object-oriented programming language
>
> #
> # cat /usr/local/etc/raddb/radiusd.conf
> user = freeradius
> group = freeradius
> raddbdir = /usr/local/etc/raddb
> logdir = /var/log
> libdir = /usr/local/lib
> pidfile = /var/run/radiusd/radiusd.pid
> prefix = /usr/local
> exec_prefix = ${prefix}
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = /var/log/radius.log
> log_destination = files
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 256
>
> listen {
>     ipaddr = *
>     port = 1812
>     type = auth
> }
>
> listen {
>     ipaddr = *
>     port = 1813
>     type = acct
> }
>
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions = yes
> log_stripped_names = no
> log_auth = yes
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
> proxy_requests = no
> snmp = no
>
> security {
>     max_attributes = 200
>     reject_delay = 1
>     status_server = no
> }
>
> thread pool {
>     start_servers = 1
>     max_servers = 16
>     min_spare_servers = 0
>     max_spare_servers = 5
>     max_requests_per_server = 0
> }
>
> modules {
>     perl {
>         module = /tmp/freeradius_hook
>     }
>
>     detail {
>         detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>         detailperm = 0644
>     }
>
>     acct_unique {
>         key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>     }
>
>     eap {
>         default_eap_type = peap
>         timer_expire     = 60
>         ignore_unknown_eap_types = no
>
>         #  Generic Token Card.
>         #
>         #  Currently, this is only permitted inside of EAP-TTLS,
>         #  or EAP-PEAP.  The module "challenges" the user with
>         #  text, and the response from the user is taken to be
>         #  the User-Password.
>         #
>         #  Proxying the tunneled EAP-GTC session is a bad idea,
>         #  the users password will go over the wire in plain-text,
>         #  for anyone to see.
>         #
>         gtc {
>             challenge = "Password: "
>             auth_type = perl
>         }
>
>         tls {
>             private_key_password =
>             private_key_file = /etc/ssl/server.key
>             certificate_file = /etc/ssl/server.crt
>             CA_file = /etc/ssl/server.crt
>             dh_file = /usr/local/etc/raddb/dhparam
>             random_file = /space/rxg/rxgd/bin/random
>         }
>
>         ttls {
>             default_eap_type = gtc
>             copy_request_to_tunnel = yes
>             use_tunneled_reply = yes
>         }
>
>         peap {
>             default_eap_type = gtc
>             copy_request_to_tunnel = yes
>             use_tunneled_reply = yes
>         }
>     }
>
>     radutmp {
>         filename = ${logdir}/radutmp
>         username = %{User-Name}
>         case_sensitive = yes
>         check_with_nas = yes
>         callerid = "yes"
>     }
>
>     radutmp sradutmp {
>         filename = ${logdir}/sradutmp
>         perm = 0644
>         callerid = "no"
>     }
>
>     attr_filter {
>         attrsfile = ${confdir}/attrs
>     }
>
>     counter daily {
>         filename = ${raddbdir}/db.daily
>         key = User-Name
>         count-attribute = Acct-Session-Time
>         reset = daily
>         counter-name = Daily-Session-Time
>         check-name = Max-Daily-Session
>         allowed-servicetype = Framed-User
>         cache-size = 5000
>     }
>
>     preprocess {
>         huntgroups = ${confdir}/huntgroups
>         hints = ${confdir}/hints
>         with_ascend_hack = no
>         ascend_channels_per_line = 23
>         with_ntdomain_hack = no
>         with_specialix_jetstream_hack = no
>         with_cisco_vsa_hack = no
>     }
> }
>
> authorize {
>     preprocess
>     eap
>     perl
> }
>
> authenticate {
>     Auth-Type PERL {
>         perl
>     }
>     eap
> }
>
> preacct {
>     preprocess
>     acct_unique
> }
>
> accounting {
>     detail
>     radutmp
>     perl
> }
>
> session {
>     radutmp
> }
>
> #
> #
> # cat /tmp/freeradius_hook
> #!/usr/bin/perl
>
> use strict;
> use diagnostics;
>
> use IO ();
>
> #
> #
> # perl /tmp/freeradius_hook
> #
> # radiusd -X
> FreeRADIUS Version 2.1.6, for host i386-portbld-freebsd8.0, built on Oct 23
> 2009 at 17:50:57
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /usr/local/etc/raddb/radiusd.conf
> group = freeradius
> user = freeradius
> including dictionary file /usr/local/etc/raddb/dictionary
> main {
> prefix = "/usr/local"
> localstatedir = "/var"
>  logdir = "/var/log"
> libdir = "/usr/local/lib"
> radacctdir = "/var/log/radacct"
>  hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
>  max_requests = 256
> allow_core_dumps = no
> pidfile = "/var/run/radiusd/radiusd.pid"
>  checkrad = "/usr/local/sbin/checkrad"
> debug_level = 0
> proxy_requests = no
>  log_auth = yes
> log_auth_badpass = no
> log_auth_goodpass = no
>  log_stripped_names = no
>  security {
> max_attributes = 200
> reject_delay = 1
>  status_server = no
>  }
> }
> radiusd: #### Loading Realms and Home Servers ####
> radiusd: #### Loading Clients ####
> radiusd: #### Instantiating modules ####
> radiusd: #### Loading Virtual Servers ####
> server {
>  modules {
>  Module: Checking authenticate {...} for more modules to load
>  Module: Linked to module rlm_perl
>  Module: Instantiating perl
>   perl {
> module = "/tmp/freeradius_hook"
> func_authorize = "authorize"
>  func_authenticate = "authenticate"
> func_accounting = "accounting"
>  func_preacct = "preacct"
> func_checksimul = "checksimul"
>  func_detach = "detach"
> func_xlat = "xlat"
> func_pre_proxy = "pre_proxy"
>  func_post_proxy = "post_proxy"
> func_post_auth = "post_auth"
>   }
> Can't load '/usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so' for module IO:
> /usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so: Undefined symbol
> "PL_sv_undef" at /usr/local/lib/perl5/5.8.9/mach/XSLoader.pm line 70.
>  at /usr/local/lib/perl5/5.8.9/mach/IO.pm line 11
> Compilation failed in require at /tmp/freeradius_hook line 6.
> BEGIN failed--compilation aborted at /tmp/freeradius_hook line 6 (#1)
>     (F) The module you tried to load failed to load a dynamic extension. This
>     may either mean that you upgraded your version of perl to one that is
>     incompatible with your old dynamic extensions (which is known to happen
>     between major versions of perl), or (more likely) that your dynamic
>     extension was built against an older version of the library that is
>     installed on your system. You may need to rebuild your old dynamic
>     extensions.
>
> Uncaught exception from user code:
>  Can't load '/usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so' for module IO:
> /usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so: Undefined symbol
> "PL_sv_undef" at /usr/local/lib/perl5/5.8.9/mach/XSLoader.pm line 70.
>  at /usr/local/lib/perl5/5.8.9/mach/IO.pm line 11
> Compilation failed in require at /tmp/freeradius_hook line 6.
> BEGIN failed--compilation aborted at /tmp/freeradius_hook line 6.
>  at /tmp/freeradius_hook line 6
> rlm_perl: perl_parse failed: /tmp/freeradius_hook not found or has syntax
> errors.
> /usr/local/etc/raddb/radiusd.conf[65]: Instantiation failed for module
> "perl"
> /usr/local/etc/raddb/radiusd.conf[169]: Failed to find module "perl".
> /usr/local/etc/raddb/radiusd.conf[169]: Failed to parse "perl" entry.
> Errors initializing modules
> #
>
>
>
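
An added triage example (not part of the original post or of FreeRADIUS): it scans `radiusd -X` output for the XS load failure shown in the dump above and checks `pkg_info` output for libltdl 2.2, the combination the post describes. The sample inputs are constructed from lines quoted above; the function names and the `PL_` prefix heuristic for Perl interpreter symbols are assumptions of this example.

```python
import re

# Constructed sample: the failing lines from the quoted `radiusd -X` dump,
# with the mail client's line wrapping preserved.
SAMPLE_DEBUG = """\
 Module: Instantiating perl
Can't load '/usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so' for module IO:
/usr/local/lib/perl5/5.8.9/mach/auto/IO/IO.so: Undefined symbol
"PL_sv_undef" at /usr/local/lib/perl5/5.8.9/mach/XSLoader.pm line 70.
rlm_perl: perl_parse failed: /tmp/freeradius_hook not found or has syntax
errors.
"""

# Constructed sample: three lines of the quoted `pkg_info` listing.
SAMPLE_PKG_INFO = """\
freeradius-2.1.6    A free RADIUS server implementation
libltdl-2.2.6a      System independent dlopen wrapper
perl-5.8.9_3        Practical Extraction and Report Language
"""

LOAD_FAIL = re.compile(
    r"Can't load '(?P<so>[^']+)' for module (?P<module>[\w:]+):"
    r'.*?Undefined symbol "(?P<symbol>\w+)"')

def find_xs_load_failures(debug_text):
    """Unique (module, shared object, symbol) triples for failed XS loads."""
    flat = " ".join(debug_text.split())  # undo terminal and mail wrapping
    hits = ((m["module"], m["so"], m["symbol"]) for m in LOAD_FAIL.finditer(flat))
    return list(dict.fromkeys(hits))  # keep order, drop the repeated report

def installed_versions(pkg_info_text):
    """Map package name -> version string from `pkg_info` style lines."""
    versions = {}
    for line in pkg_info_text.splitlines():
        m = re.match(r"(?P<name>[A-Za-z0-9+.-]+?)-(?P<ver>\d\S*)\s", line)
        if m:
            versions[m["name"]] = m["ver"]
    return versions

def diagnose(debug_text, pkg_info_text):
    """Flag rlm_perl failing on a PL_* symbol while libltdl >= 2.2 is installed."""
    failures = find_xs_load_failures(debug_text)
    ltdl = installed_versions(pkg_info_text).get("libltdl", "")
    nums = re.match(r"(\d+)\.(\d+)", ltdl)
    new_ltdl = bool(nums) and (int(nums[1]), int(nums[2])) >= (2, 2)
    perl_sym = any(sym.startswith("PL_") for _, _, sym in failures)
    return {"failures": failures, "libltdl": ltdl,
            "matches_post": new_ltdl and perl_sym and "rlm_perl" in debug_text}
```
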

