2004/08/xx - 0.9.9

- Added Target-Server attribute to radclient which can be used to specify one or more server:port/secret combos to be used for the query instead of those given on the command line.
- Enhanced module interface; the receive window may be larger than 1; requests/replies may use a user defined job ticket attribute to refer to one of several outstanding requests. The module subprocess supervision watchdog now guards the oldest job on the receive queue.
- The above two entries are really just a cryptic way of saying that full featured proxying is finally there.
- Cleaned up and updated behaviour,configuration.sample-usersfile to demonstrate proxying and add a Naslist interface that can be used to add NAS-specific attributes (in addition to RADIUS client-specific attributes; there's no difference if there are no proxies in between).
- Added an example schema, configuration and behaviour file for PostgreSQL. The configuration and behaviour files also show the new proxy features.
- Added -a flag to radsql to turn autocommit off. Remember to make sure that multiple statements in the same transaction go through the same connection, by defining an interface with only a single 'prog=radsql' line when using this flag.
- Improved module interface debugging output
- Improved VM error messages (although you would probably rather have seen that for the compiler)
- Fixed some rare corner cases in module interface and language and some uninitialised structures; valgrind is completely happy now.

2004/01/16 - 0.9.8

- Added pidfile and 'reopen-output-at-HUP' feature by Brian Candler to radlogger for easier log rotation.
- Made ascfile more forgiving about carriage returns at the start of lines.
- Added 'exists' boolean unary postfix operator, which returns 0 if the left hand side argument is an unresolved attribute reference, and 1 otherwise. This is useful to distinguish between a false (empty or zero) valued attribute and no attribute at all.
- Added 'not' and 'no' as synonyms for '!', the boolean not operator. This means you can write "no User-Password exists" and get the expected result.
- Added a badly needed convenience feature: three behaviour file operators, accept, reject, and acctresp. These set RAD-Code to the appropriate value and halt, but before doing so, they remove certain A/V pairs from the reply list. This makes it much easier for your behaviour file to guarantee RFC-compliant responses. The rules are as follows:
  * acctresp deletes all attributes in space RAD-ATR from the reply list, unless the attribute has 'acctresp' set in the dictionary. This is normally only the case for Proxy-State, but you may set it for additional attributes if required.
  * reject deletes all attributes in space RAD-ATR from the reply list, unless the attribute has 'reject' set in the dictionary. This is normally only the case for Proxy-State and Reply-Message, but you may set it for additional attributes if required.
  * accept doesn't remove any attributes, it just sets RAD-Code to Access-Accept before halting. Included mainly for completeness.
- Updated raddb/subdicts/dict.stdauth to include these flags.
- Added SMB (Windows NT) authentication module by Brian McGraw
- Made radldap use LDAPv3 instead of LDAPv2 by default, unless -2 is specified.
- Increased max. subprocess message size and made subprocess ring buffer always follow chosen size.
- Fixed a typo in jobs.c that caused a SIGSEGV on overflowing interface queues.
- Fixed bug in radclient that prevented echoing of Radclient-Query-Id in case of successful queries.
- Made radclient not add a CHAP-Challenge attribute if the -p (don't encode given password attributes) flag is specified
- Made radaccttest script accept same optional argument list as radtest (port, cli, dnis, etc).
- Added groupname column in MySQL schema.
  This can be used to add attributes that are specific to a user-, client- or NAS-group, by doing a query in space 'groups' using the groupname values as returned by a query for users, clients or NASes. See the new behaviour.sample-mysql.
- Fixed bug in behaviour.sample-mysql that prevented reply attributes returned by the client query from working correctly
- Improved usefulness of authentication logging in SQL as done by behaviour.sample-mysql; the result is logged too, for example.
- Cleaned up the default behaviour.sample-usersfile a little, and updated it to make use of the new preferred 'or' and 'and' synonyms for || and && and the new accept, reject and acctresp operators.
- Added command line tool to precompile Ascend-Data-Filter definitions to binary form suitable for use in the behaviour file or MySQL.
- Added Ascend dictionary using FreeRADIUS' dictionary and Brian Candler's free2openradius.pl script

2003/05/02 - 0.9.7

- Added 'radsql' module that supports generic queries to SQL databases, including queries that return FreeRADIUS-style check items or arbitrary A/V pairs.
- Added 'delay' module that answers after delaying a number of seconds
- Added '-s' (single line) flag to the radlogger module.
  (from Brian Candler)
- Made some minor improvements to radaccttest
- Made radtest pass on the -i (interface) option
- Added some optional request attribute args to the radtest script
- Added radtest / radaccttest to list of files installed in .../bin
- Made radlogger's error messages go to stderr instead of stdout
- Fixed permission bits on Makefile.solgcc / sol5gcc
- Added -lber to radldap's flags in Makefile.bsd
- Updated main README with new build and test instructions

2003/04/03 - 0.9.6:

- Added documentation for the client in tools/radclient/README
- Added Cistron/FreeRADIUS-compatible radtest wrapper scripts in tools/radclient/radtest and -radaccttest
- Changed default timeout in radclient to 5 seconds instead of 2
- Fixed typo in radclient.c that prevented replies from being correctly matched to requests
- Added Acct-Status-Types from RFC 2869 (Tunneling) in dict.stdacct
- Added Makefile.sol5gcc for Solaris 2.5.1; removes HAVE_VSNPRINTF
- Removed unsupported -f (flood) option in radclient for now
- Removed some outdated and redundant documentation files from doc/

2003/02/25 - 0.9.5:

- Added versatile radius client in tools/radclient; supports fully asynchronous operation, multiple target servers, the standard OpenRADIUS module interface, encoding of PAP and CHAP passwords, and much more. Can be used for trivial proxying purposes as well.
- Fixed segfault when reading dictionary that occurred when an item referenced for adding constant value names is outside the default space. (from 0.9.4c)
- Minor fixes for QNX4's Watcom C (which defaults to unsigned char).
- Added a portable install script; installation now works hassle-free on Linux, NetBSD, FreeBSD, BSDI, SunOS 5, Solaris 7, Tru64 4.0, 5.1, and QNX 4. No longer overwrites existing configuration directories.
- Complete rewrite of the build system, using a single-session make.
  At the cost of relying more heavily on GNU Make, rebuilds are now always correct, header dependencies are automatically generated and tracked without requiring things like 'make dep', and full builds are faster. (See the paper "Recursive Make Considered Harmful", by Peter Miller). Also fixes inconsistencies in various Make.conf.xxx files.
- Changed default configuration directory from ...etc/raddb to ...etc/openradius. This makes it easier to keep it next to other servers and removes the suggestion that the files are compatible.
- Ascfile module: multiline records are no longer delimited by blank lines; rather, a new record is started by any non-comment line whose first non-whitespace character is in column 0, for both single and multiline-record files. The distinction is gone, so the -s flag is not needed anymore either. (from Brian Candler)
- Added support for USR's NMC attributes in the dictionary; no actual attributes added yet though.
- Fixed partially initialized sockaddr_in structure which caused bind errors on some platforms, particularly OS X. (from 0.9.4b)
- Fixed wraparound error in ring buffer scanning functions which sometimes caused apparently random behaviour file compilation errors. (from 0.9.4a)

2002/06/25 - 0.9.4:

- Put real, registered OIDs in distributed sample LDAP schema
- Fixed CERT CA-2002-06 vulnerability #2
- Fixed conversion operators in language
- A number of bugfixes and improvements in the behaviour language:
  * actually implemented the conversion from string to date;
  * date + int sets current type to date;
  * IP address + int sets current type to IP address;
  * 'and', 'or' synonyms for '&&', '||';
  * divide by zero just aborts expression, instead of killing server
  * fixed '!' behaviour on strings;
  * made date conversions to/from strings use localtime() instead of gmtime(). Run the server with TZ set to UTC if you want the old behaviour.
- Good cleanup of meta_buildtree()

2002/03/22 - 0.9.3:

- Fix major bug in example behaviour files involving CHAP. It plainly didn't work at all.
- Fixed bug in behaviour.sample-ldap-authbind, which would allow all non-PAP users in (that is, without checking any passwords).
- Fix bug in dictionary that caused Accounting signature validation to fail. Corrected mix up of Acct-Authentic and Acct-Authenticator.
- Included some test queries for PAP, CHAP and accounting for use with tools/radclient.
- Changed server to use raddb as current directory for modules again, so that all configuration files are kept in one place. Modules' own configuration files are stored under raddb/modules now. Also fixes bug when using ASCII clients and users files.

2002/03/20 - 0.9.2:

- Added LDAP schema and ldif file with sample data; updated included example attribute mapping file; added proper example behaviour and configuration files for use with LDAP.
- When (auto-)converting a decimal string attribute to a numeric one, and the string is not a valid number, we try to look up the value as a named constant for the string attribute. If found, that value is used instead. Handy for doing things like 'Framed-Protocol = str-Framed-Protocol', and allows using constant names in LDAP different from our own.
- Start modules using their own directory as cwd. This allows modules to operate without having absolute paths to their configuration files specified on their command lines.
- Added elementary test command line client in tools/radclient. Reads list of ASCII A/V pairs on stdin (formatted as by ASCII modules) and displays pairs in response. Note that all attributes are sent as-is, including User-Password, and the response is not checked in any way, only displayed. Will add PAP/CHAP generator soon.
- Plugged a couple of memory leaks; Mozilla's leaky tool doesn't show any now (thanks to dmelomed@devonitnet.com for pointing this out).
- Fixed := operator bug that scribbled on memory when the instance assigned to was also referenced on right hand side.
- Big makefile cleanup. Supports GNU Make only now. I've given in to the temptations of the slogan "don't bother with portable makefiles, use a portable make instead". Portable makefiles don't seem to be possible at all if you want to add text to variables (for making lists) and want to use a common settings file so you can call make in every subdirectory.
- Added dictionary support for MS VSAs.
- Merged fixes to make it run on Mac OS X, untested though.
- Fixed (harmless) GCC warnings on LP64 platforms such as Alpha.

2001/12/08 - 0.9.1:

- Added LDAP module.
- Added some informational messages during server startup, to improve usefulness of '-d all', '-d misc -d recv' etc.; some other logging cleanups.
- Prepended log lines with internal facility names.
- Fixed bug caused by not emptying a channel's receive queue when its associated process dies. This caused the interface that the channel was associated with, not to recover gracefully from a subprocess restart.
- Added some radius attributes to 'constants.h' to root and put it in the public domain, to facilitate module writing.
- Put the Logger module (bourne shell script) in public domain as well.
- BSD/SysV compatibility fixes: Made uint32_t / u_int32_t dependent on Make.conf setting; more Make.conf cleanups/fixes
- Added more documentation for all modules.

2001/11/18 - 0.9:

- Added a lot of language documentation.
- Included the (bare) html files in the doc/html directory and generated the text files from that using lynx. The online docs are generated from them as well.
- Some precedence table fixes in langcompile.c; moved 'hex', 'md5' together with other unary prefix operators (still lower because we have string-related ops always lower than integer ones); moved '.' just below lastof / firstof etc.
- Fixed minus handling for auto-radix numbers in meta_atoord; it used to require 0x-55 instead of -0x55.
- Made 'statement' operators (interface calls, del, moveall etc.) much more sane; they don't set the context to 'none' anymore so you can use them before closing a subexpression with ')'. They all leave something on the stack now. For del, delall and moveall, it's an int that reflects the number of pairs that were deleted or moved, respectively.
- Removed the comma operator hack, which allowed it to be used in context 'none' as well, where it would emit an OP_NOP. Not needed anymore because no operator returns context 'none' anymore (except the comma operator itself, which only still exists as a unary postfix operator that emits OP_POP).
- Made the pseudo-check items in dict.internal, that are likely to be returned by ascfile to be compared to request attributes rather than included in the actual reply, begin with a lowercase letter, so that you don't need to use REQ: all the time. Reflected that in example raddb/legacy/users as well.
- Added unixpasswd module. Simple, but probably effective enough.
- Also because of above, updated behaviour.sample and renamed to behaviour.sample-usersfile. Removed 'old', untested behaviour file. Kept configuration.old around, as it's slightly less misleading, although still just a more or less theoretic example, because most modules mentioned there still aren't written yet. Added DNS resolver example to it. Made behaviour.sample-unixpasswd the default one.
- Fixed bug in config.c that caused behaviour file compilation errors to be ignored.
- Makefile fixes in raddb/, modules/ and tools/.

2001/11/05 - v0.8:

- First public release.

2001/10/09 - v0.7:

- First version that actually gets the name OpenRADIUS and a version number, as all of the core functionality is finally implemented.
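
The reply-list rules given under 0.9.8 for accept, reject and acctresp, modelled in Python as an added example; this is not OpenRADIUS code and not behaviour-language syntax. The function names, the DICT_FLAGS table, the EXAMPLE-SPACE space name and the sample reply list are constructed for illustration; violations() is an extra audit helper for reply lists built without the operators.

```python
# Added illustration: Python model of the 0.9.8 accept/reject/acctresp rules.
# Not OpenRADIUS code; every name here is hypothetical.

# Standard RADIUS packet codes (RFC 2865 / RFC 2866).
ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_RESPONSE = 2, 3, 5

# Constructed stand-in for the dictionary: attribute name -> flags set on it.
# The changelog names Proxy-State (both flags) and Reply-Message ('reject').
DICT_FLAGS = {
    "Proxy-State": {"reject", "acctresp"},
    "Reply-Message": {"reject"},
}

def _filter(reply, flag, flags):
    """Drop RAD-ATR pairs lacking `flag`; pairs in other spaces are untouched."""
    return [(space, name, value) for space, name, value in reply
            if space != "RAD-ATR" or flag in flags.get(name, set())]

def accept(reply, flags=DICT_FLAGS):
    return ACCESS_ACCEPT, list(reply)          # removes nothing

def reject(reply, flags=DICT_FLAGS):
    return ACCESS_REJECT, _filter(reply, "reject", flags)

def acctresp(reply, flags=DICT_FLAGS):
    return ACCOUNTING_RESPONSE, _filter(reply, "acctresp", flags)

def violations(code, reply, flags=DICT_FLAGS):
    """Names of RAD-ATR pairs the operator matching `code` would have removed."""
    flag = {ACCESS_REJECT: "reject", ACCOUNTING_RESPONSE: "acctresp"}.get(code)
    if flag is None:                           # Access-Accept: nothing is removed
        return []
    return [name for space, name, _ in reply
            if space == "RAD-ATR" and flag not in flags.get(name, set())]

# Constructed reply list: (space, attribute, value).
SAMPLE_REPLY = [
    ("RAD-ATR", "Reply-Message", "Bad password"),
    ("RAD-ATR", "Framed-IP-Address", "192.0.2.10"),
    ("RAD-ATR", "Session-Timeout", 3600),
    ("RAD-ATR", "Proxy-State", b"\x01\x02"),
    ("EXAMPLE-SPACE", "note", "pair outside RAD-ATR"),
]

if __name__ == "__main__":
    for op in (accept, reject, acctresp):
        code, pairs = op(SAMPLE_REPLY)
        print(op.__name__, code, [name for _, name, _ in pairs])
    print("leaks in an unfiltered reject:", violations(ACCESS_REJECT, SAMPLE_REPLY))
```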