Problem with migrating from macOS Server to FreeRADIUS 3.0.17

Problem with migrating from macOS Server to FreeRADIUS 3.0.17

Stephan Jung
Hello,

I am trying to migrate a server from macOS Server Version 5.6.1 (17S2109) to FreeRADIUS 3.0.17 and I have to configure OpenDirectory integration. I am following Apple’s macOS Server— Service Migration Guide | March 2018 <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf> and set up everything accordingly.

The server currently runs macOS 10.13.6 and also serves OpenDirectory, but the rlm_opendirectory.dylib is nowhere to be found!

I installed FreeRADIUS through brew.

A) on the step "Configure FreeRADIUS" of Apple’s migration guide

4) Run the following command:

ls /usr/local/lib/rlm_opendirectory.*
You should see the following in the output:
• rlm_opendirectory.a
• rlm_opendirectory.dylib
• rlm_opendirectory.la

Since I installed FreeRADIUS through Brew I also checked in
ls /usr/local/Cellar/freeradius-server/3.0.17/lib/rlm_opendirectory.*
but nothing is found in either location!

B) on the last step "Set up users", when testing the configuration I get:

/usr/local/Cellar/freeradius-server/3.0.17/etc/raddb/mods-enabled/opendirectory[20]: Failed to link to module 'rlm_opendirectory': dlopen(/usr/local/Cellar/freeradius-server/3.0.17/lib/rlm_opendirectory.dylib, 6): image not found

This is the complete output:


I wrote on stackoverflow <https://stackoverflow.com/questions/54617087/freeradius-problems-with-open-directory-no-rlm-opendirectory-existing>, serverfault <https://serverfault.com/questions/953195/suddenly-radius-authentication-is-gone-on-macos-server-tls-session-fails> as well as the Apple discussion forum <https://discussions.apple.com/thread/250152034>.

Does someone know how to configure this?
Where do these library files come from?
How to force macOS to write them?

Thank you very much in advance!!!

Stephan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with migrating from macOS Server to FreeRADIUS 3.0.17

Alan DeKok-2
On Feb 10, 2019, at 10:34 AM, Stephan Jung <[hidden email]> wrote:
>
> Hello,
>
> I am trying to migrate a server from macOS Server Version 5.6.1 (17S2109) to FreeRADIUS 3.0.17 and I have to configure OpenDirectory integration. I am following Apple’s macOS Server— Service Migration Guide | March 2018 <https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf> and set up everything accordingly.
>
> The server currently runs macOS 10.13.6 and also serves OpenDirectory, but the rlm_opendirectory.dylib is nowhere to be found!
>
> I installed FreeRADIUS through brew.

  Ask the homebrew people why they haven't packaged rlm_opendirectory.

> A) on the step "Configure FreeRADIUS" of Apple’s migration guide

  That guide *also* tells you to build FreeRADIUS from source.  Which you should do.

> Does someone know how to configure this?

  The documentation says how to do it.

> Where do these library files come from?

  They are created by building the server, when you follow the documentation.

> How to force macOS to write them?

  Follow the documentation and it will work.

  Alan DeKok.


Re: Problem with migrating from macOS Server to FreeRADIUS 3.0.17

Stephan Jung
Thanks for your reply Alan DeKok!

So rlm_opendirectory.* are installed through FreeRADIUS? Ok, that helps me already to move forward.

I checked the github resource of https://github.com/FreeRADIUS/freeradius-server, but there were no rlm_opendirectory.* present. Shouldn’t they be there? Where do they come from?

Where would you suggest asking the homebrew people? Since this should really be included.

Thanks in advance,

Stephan


Re: Problem with migrating from macOS Server to FreeRADIUS 3.0.17

Alan DeKok-2
On Feb 10, 2019, at 1:16 PM, Stephan Jung <[hidden email]> wrote:
>
> So rlm_opendirectory.* are installed through FreeRADIUS? Ok, that helps me already to move forward.

  It's installed by downloading the source code, and building it as per the documentation.

> I checked the github resource of https://github.com/FreeRADIUS/freeradius-server, but there were no rlm_opendirectory.* present. Shouldn’t they be there? Where do they come from?

  There *is* a rlm_opendirectory.c file.  That's source code.  When you build the server (as per the documentation), the output is a binary library.

> Where would you suggest asking the homebrew people? Since this should really be included.

  Ask them to include rlm_opendirectory in their package.

  All of this back and forth could have been avoided by reading the documentation and following it.  There's no need to ask the same question on 4 different sites when the answer is already in the documentation.

  Alan DeKok.



Re: Problem with migrating from macOS Server to FreeRADIUS 3.0.17

Stephan Jung
Thank you. I had some trouble compiling. Probably because my brew installed openssl@1.1.

  export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
  export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include"

had not been exported. I added them to my .bash_profile and sourced it. Is that correct?

After some attempts it finally compiled. I copied the files to my brew installation and now:

$ sudo /usr/local/Cellar/freeradius-server/3.0.17/bin/radiusd -XC

passes.

The only thing that is mentioned is "Ignoring "ldap" (see raddb/mods-available/README.rst)":

server default { # from file /usr/local/Cellar/freeradius-server/3.0.17/etc/raddb/sites-enabled/default
 # Loading authenticate {...}
 # Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server default

Is that a problem? Can I do something?

RADIUS in macOS is really a niche, since Apple is iPhone it is increasingly difficult to get serious feedback on advanced topics … so thanks a lot for your reply! I probably posted in too many places, but since I will leave a trace of how I solved it, I am fine with that.

Thanks in advance!

Stephan


Re: Problem with migrating from macOS Server to FreeRADIUS 3.0.17

Alan DeKok-2
On Feb 10, 2019, at 4:04 PM, Stephan Jung <[hidden email]> wrote:
>
> Thank you. I had some trouble compiling. Probably because my brew installed openssl@1.1.
>
>  export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
>  export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include"
>
> had not been exported. I added them to my .bash_profile and sourced it. Is that correct?

  If it works.

> After some attempts it finally compiled. I copied the files to my brew installation and now:

  You really don't want to do that.  Brew owns the files in that directory, and will over-write them when you accidentally try to do "brew install freeradius".

> The only thing that is mentioned is "Ignoring "ldap" (see raddb/mods-available/README.rst)":
>
> server default { # from file /usr/local/Cellar/freeradius-server/3.0.17/etc/raddb/sites-enabled/default
> # Loading authenticate {...}
> # Loading authorize {...}
> Ignoring "ldap" (see raddb/mods-available/README.rst)
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server default
>
> Is that a problem? Can I do something?

  Read the documentation that the message tells you to read?

  This shouldn't be difficult.

> RADIUS in macOS is really a niche, since Apple is iPhone it is increasingly difficult to get serious feedback on advanced topics … so thanks a lot for your reply! I probably posted in too many places, but since I will leave a trace of how I solved it, I am fine with that.

  The documentation already said how to do all this...

  Reading documentation helps, and lets you quickly solve problems.

  Alan DeKok.



Re: Problem with migrating from macOS Server to FreeRADIUS 3.0.17

Nathan Ward

> On 11/02/2019, at 10:04 AM, Stephan Jung <[hidden email]> wrote:
>
> Thank you. I had some trouble compiling. Probably because my brew installed openssl@1.1.
>
>  export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
>  export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include"
>
> had not been exported. I added them to my .bash_profile and sourced it. Is that correct?

If that works for you then that should be fine. You can also do:
--with-openssl-includes=<whatever> --with-openssl-libraries=<whatever>

This is what homebrew itself does.

> After some attempts it finally compiled. I copied the files to my brew installation and now:
>
> $ sudo /usr/local/Cellar/freeradius-server/3.0.17/bin/radiusd -XC
>
> passes.
>
> The only thing that is mentioned is "Ignoring "ldap" (see raddb/mods-available/README.rst)":
>
> server default { # from file /usr/local/Cellar/freeradius-server/3.0.17/etc/raddb/sites-enabled/default
> # Loading authenticate {...}
> # Loading authorize {...}
> Ignoring "ldap" (see raddb/mods-available/README.rst)
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server default
>
> Is that a problem? Can I do something?

When you read that README.rst file, what did you find? You should read that file before asking the list to explain to you what that file says. If there is something in that file that isn’t clear, then you should ask.

> RADIUS in macOS is really a niche, since Apple is iPhone it is increasingly difficult to get serious feedback on advanced topics … so thanks a lot for your reply! I probably posted in too many places, but since I will leave a trace of how I solved it, I am fine with that.

Out of interest, does your new way to compile it get you rlm_opendirectory.dylib? The difference is “--enable-developer=yes”. You could, if you wanted, achieve the same by editing the home-brew recipe (brew edit freeradius-server) and adding that option (or --with-experimental-modules). I would suggest you do that, rather than overwrite whatever homebrew’s install etc. - instead, make homebrew work for you.

Re: Problem with migrating from macOS Server to FreeRADIUS 3.0.17

Stephan Jung


> On 10 Feb, 2019, at 11:34 PM, Nathan Ward <[hidden email]> wrote:
>
>>
>> On 11/02/2019, at 10:04 AM, Stephan Jung <[hidden email]> wrote:
>>
>> Thank you. I had some trouble compiling. Probably because my brew installed openssl@1.1.
>>
>> export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
>> export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include"
>>
>> had not been exported. I added them to my .bash_profile and sourced it. Is that correct?
>
> If that works for you then that should be fine. You can also do:
> --with-openssl-includes=<whatever> --with-openssl-libraries=<whatever>
>
> This is what homebrew itself does.

I see

>> After some attempts it finally compiled. I copied the files to my brew installation and now:
>>
>> $ sudo /usr/local/Cellar/freeradius-server/3.0.17/bin/radiusd -XC
>>
>> passes.
>>
>> The only thing that is mentioned is "Ignoring "ldap" (see raddb/mods-available/README.rst)":
>>
>> server default { # from file /usr/local/Cellar/freeradius-server/3.0.17/etc/raddb/sites-enabled/default
>> # Loading authenticate {...}
>> # Loading authorize {...}
>> Ignoring "ldap" (see raddb/mods-available/README.rst)
>> # Loading preacct {...}
>> # Loading accounting {...}
>> # Loading post-proxy {...}
>> # Loading post-auth {...}
>> } # server default
>>
>> Is that a problem? Can I do something?
>
> When you read that README.rst file, what did you find? You should read that file before asking the list to explain to you what that file says. If there is something in that file that isn’t clear, then you should ask.

Had read it, but was not sure if I had to configure ldap in RADIUS for my particular system, that is why I asked, but probably too system dependent a question to ask. The point is that I am not configuring a system, but troubleshooting an existing system with no idea if the problem is in Cert, OD or RADIUS. Might have to ask in a separate thread.

>> RADIUS in macOS is really a niche, since Apple is iPhone it is increasingly difficult to get serious feedback on advanced topics … so thanks a lot for your reply! I probably posted in too many places, but since I will leave a trace of how I solved it, I am fine with that.
>
> Out of interest, does your new way to compile it get you rlm_opendirectory.dylib? The difference is “--enable-developer=yes”. You could, if you wanted, achieve the same by editing the home-brew recipe (brew edit freeradius-server) and adding that option (or --with-experimental-modules). I would suggest you do that, rather than overwrite whatever homebrew’s install etc. - instead, make homebrew work for you.

Thanks so much, that helped! By adding:

--enable-developer=yes
--with-experimental-modules

.a and .dylib of the opendirectory library are created:

rlm_opendirectory.a
rlm_opendirectory.dylib

But no:

rlm_opendirectory.la

I will try to add both options to the brew recipe on github so that the next one doesn’t have this problem.

Thanks again,

Stephan
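
Added example (not code from this thread or from the FreeRADIUS project): a preflight check for the failure reported in the first message, where a file in mods-enabled names a module whose rlm_ library was never built, so the server cannot start. The function names, the constructed sample tree and the simplified comment handling are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list modules configured in mods-enabled that have no
# rlm_<name> library in the lib directory (the dlopen failure in the thread).

# Print the module name of every top-level "name [instance] {" block.
top_level_modules() {
    awk '
        FNR == 1 { depth = 0 }
        { sub(/#.*/, "") }   # drop comments (simplified: ignores "#" in strings)
        depth == 0 && /^[ \t]*[A-Za-z0-9_]+([ \t]+[A-Za-z0-9_.-]+)?[ \t]*[{]/ {
            name = $1; sub(/[{].*/, "", name); print name
        }
        { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }
    ' "$@" | sort -u
}

# Usage: missing_modules MODS_ENABLED_DIR LIB_DIR [EXT]
# EXT defaults to dylib (macOS, as in the thread); use "so" on Linux.
missing_modules() {
    mods_dir=$1 lib_dir=$2 ext=${3:-dylib}
    for name in $(top_level_modules "$mods_dir"/*); do
        [ -e "$lib_dir/rlm_$name.$ext" ] || printf '%s\n' "$name"
    done
}

# Constructed sample tree (not taken from the thread) so the check runs offline.
make_sample() {
    root=$1
    mkdir -p "$root/mods-enabled" "$root/lib"
    printf '# constructed sample\nopendirectory {\n}\n' > "$root/mods-enabled/opendirectory"
    printf 'pap {\n\tnormalise = yes\n}\n' > "$root/mods-enabled/pap"
    printf 'detail auth_log {\n\tfilename = "x"  # { brace in a comment\n}\n' \
        > "$root/mods-enabled/detail"
    : > "$root/lib/rlm_pap.dylib"
    : > "$root/lib/rlm_detail.dylib"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    missing_modules "$tmp/mods-enabled" "$tmp/lib"
    rm -rf "$tmp"
}

demo   # prints: opendirectory
```

Against a real installation, pass the raddb/mods-enabled directory and the lib directory of the prefix that radiusd was built with, and run it before `radiusd -XC`.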
