Univention Bugzilla – Bug 46018
reduce ucsschool specific radius package
Last modified: 2019-03-12 10:58:45 CET
Integrate ucs-school-radius-802.1x into univention-radius. ucs-school-radius-802.1x should then install no code, just configuration.
It has to be checked if univention-radius and ucs-school-radius-802.1x are functionally equal. There are reports that machine accounts are not able to log in via univention-radius.
Feature branch (for ucs and ucs@school): juern/4.4/radius-merge
Some new tests are already checked in and built:
Successful build
Package: ucs-test
Version: 9.0.0-16A~4.4.0.201901281123
Branch: ucs_4.4-0
ucs-test (9.0.0-16)
078415ae947d | Bug #46018: added additional tests for radius

The new test 07_mac_whitelisting fails with version 6.0.1-2 of the radius package.
The UCR variable descriptions in the univention-radius package mention some default values. A lot of those seem to be outdated (they get set to different values in postinst).
> The new test 07_mac_whitelisting fails with version 6.0.1-2 of the radius
> package.
Thanks :)
[juern/4.4/radius-merge be4fec87e1] Bug #46018: Fix mac address decoding
Changes in @school
[4.4 675cc80b9] Bug #46018: Use config and code from univention-radius
[4.4 18b42f839] Bug #46018: changelog
[4.4 cdf60e5b4] Bug #46018: Merge branch 'juern/4.4/radius-merge' into 4.4
[4.4 07aa3fd8d] Bug #46018: Add version to dependency on univention-radius
[4.4 0be835a03] Bug #46018: yaml

Changes in ucs
[4.4-0 078415ae94] Bug #46018: added additional tests for radius
[4.4-0 aa2dced715] Bug #46018: Move python libs into seperate folder
[4.4-0 6f20f7a0c9] Bug #46018: Refactor for logging and extensibility
[4.4-0 d620977c28] Bug #46018: Remove deprecated readme
[4.4-0 f3d98f5e55] Bug #46018: Remove package conflict with ucs@school
[4.4-0 301064c011] Bug #46018: changelog
[4.4-0 8ed14c20a8] Bug #46018: Merge branch 'juern/4.4/radius-merge' into 4.4-0
[4.4-0 70338fdced] Bug #46018: changelog
QA feedback:
@school:
[4.4 ba6e9947c] Bug #46018: Fix typo
[4.4 3c8e5be73] Bug #46018: yaml
ucs:
[4.4-0 79b74ec40f] Bug #46018: fix typos; better loglevel conversion
The UCR variable "freeradius/auth/helper/ntlm/debug" with default value of "2" has been introduced.

After installation, the RADIUS app only supports the LDAP flags that can be set for users and groups. As of UCS 4.4, UCS@school settings that could be set using UCR variables are no longer supported by the RADIUS app without UCS@school installed. After an installation of UCS@school, however, these are available again.

For UCS@school installations that did NOT install the RADIUS app before, it must be noted that the RADIUS app is automatically installed during the update to UCS 4.4. So after the automatic installation of the RADIUS app, the LDAP flags are also evaluated. If the flags are still in the LDAP (e.g. after a previous test of the RADIUS app), they automatically become active again after the update of the RADIUS system to UCS 4.4! The RADIUS flags should therefore be checked immediately before/after the update.

In order to install RADIUS on a UCS@school system, the package ucs-school-radius-802.1x must still be installed, since only this package contains the UCS@school part. However, the U@S package also automatically installs univention-radius via a dependency, so that only one installation step is necessary here.
[UCS@school 4.4]
d34c8fcc7 Bug #46018: add changelog entry
2fce74a1e Bug #46018: fixed syntax error
66a28923d Bug #46018: wording changes
Package: ucs-school-radius-802.1x
Version: 7.0.1-6A~4.4.0.201902270211
Branch: ucs_4.4-0
Scope: ucs-school-4.4

[UCS 4.4]
da6ca83991 Bug #46018: rename UCR variable univention-radius-ntlm-auth/debug to freeradius/auth/helper/ntlm/debug
Package: univention-radius
Version: 6.0.2-8A~4.4.0.201902270136
Branch: ucs_4.4-0

OK: code change
OK: functional change
FIXED: manual tests
- OK: UCS 4.4-0 master w/o UCS@school (user, groups, groups in groups)
- FIXED: UCS 4.4-0 master w/ UCS@school (user, groups, groups in groups, UCR)
  → there was a syntax error in school_networkaccess.py (see commit above)
- Update 4.3→4.4
  - univention-radius only → only univention-radius installed after update
  - ucs-school-radius-802.1x → both packages installed after update
REOPEN: tests
- UCS 4.4-0 master w/ UCS@school (all ucs-test scripts were ok)
- UCS 4.4-0 slave w/ UCS@school (08_clients_univention_conf FAILS)
OK: changelog entry
OK: package built and installable
NEWBUG: manual → bugs 48797, 48798
NEWBUG: I think we need a logrotation config → Bug 48799

Example log output of /var/log/univention/radius_ntlm_auth.log:
2019-02-26 23:51:45,957 - radius-ntlm - INFO: [user=user4; mac=02:00:00:00:00:01] Loglevel set to: 4
2019-02-26 23:51:45,957 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] Given username: "user4"
2019-02-26 23:51:45,958 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] Given stationId: "02-00-00-00-00-01"
2019-02-26 23:51:45,958 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] UCS@school RADIUS support is not installed
2019-02-26 23:51:45,959 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] Checking ldap network access for user
2019-02-26 23:51:45,959 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] DENY 'uid=user4,cn=users,dc=nstx,dc=local'
2019-02-26 23:51:45,959 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] -> DENY 'cn=Domain Users,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,960 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] -> DENY 'cn=grpA,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,961 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] -> -> ALLOW 'cn=grpB,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,961 - radius-ntlm - INFO: [user=user4; mac=02:00:00:00:00:01] LDAP settings allow attempt to login
2019-02-26 23:51:45,961 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] MAC filtering is disabled by radius/mac/whitelisting.
2019-02-26 23:51:45,961 - radius-ntlm - INFO: [user=user4; mac=02:00:00:00:00:01] User is allowed to use RADIUS
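
Added example, not part of the original comment or of Univention's code: a small audit script for the radius_ntlm_auth.log format shown above. It lists which LDAP objects carried an ALLOW flag per user/MAC and marks access that came only through a nested group. The function names are hypothetical, the user5 lines are constructed, and the wording of a denial message is not shown on this page, so the result stays None when no "allowed" line is seen.

```python
import re

# Constructed sample: the user4 lines follow the excerpt above,
# the user5 lines are made up in the same format for contrast.
SAMPLE_LOG = """\
2019-02-26 23:51:45,959 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] Checking ldap network access for user
2019-02-26 23:51:45,959 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] DENY 'uid=user4,cn=users,dc=nstx,dc=local'
2019-02-26 23:51:45,959 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] -> DENY 'cn=Domain Users,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,960 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] -> DENY 'cn=grpA,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,961 - radius-ntlm - DEBUG: [user=user4; mac=02:00:00:00:00:01] -> -> ALLOW 'cn=grpB,cn=groups,dc=nstx,dc=local'
2019-02-26 23:51:45,961 - radius-ntlm - INFO: [user=user4; mac=02:00:00:00:00:01] User is allowed to use RADIUS
2019-02-26 23:52:10,100 - radius-ntlm - DEBUG: [user=user5; mac=02:00:00:00:00:02] DENY 'uid=user5,cn=users,dc=nstx,dc=local'
2019-02-26 23:52:10,101 - radius-ntlm - DEBUG: [user=user5; mac=02:00:00:00:00:02] -> ALLOW 'cn=grpC,cn=groups,dc=nstx,dc=local'
2019-02-26 23:52:10,102 - radius-ntlm - INFO: [user=user5; mac=02:00:00:00:00:02] User is allowed to use RADIUS
"""

LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} - radius-ntlm - [A-Z]+: "
    r"\[user=(?P<user>[^;\]]*); mac=(?P<mac>[^\]]*)\] (?P<msg>.*)$")
# No arrow = the user object itself; each "-> " is one level of group nesting.
FLAG_RE = re.compile(r"^(?P<arrows>(?:-> )*)(?P<verdict>ALLOW|DENY) '(?P<dn>[^']*)'$")

def summarize(log_text):
    """Group flag evaluations by (user, mac); repeated attempts are merged."""
    attempts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the radius-ntlm format
        entry = attempts.setdefault((m["user"], m["mac"]),
                                    {"flags": [], "result": None})
        f = FLAG_RE.match(m["msg"])
        if f:
            depth = f["arrows"].count("->")
            entry["flags"].append((depth, f["verdict"], f["dn"]))
        elif m["msg"] == "User is allowed to use RADIUS":
            entry["result"] = "allowed"
    return attempts

def allow_sources(entry):
    """(depth, dn) of every object whose flag evaluated to ALLOW."""
    return [(d, dn) for d, verdict, dn in entry["flags"] if verdict == "ALLOW"]

def nested_only(entry):
    """True if every ALLOW came from a group-in-group (depth >= 2)."""
    sources = allow_sources(entry)
    return bool(sources) and all(d >= 2 for d, _ in sources)

if __name__ == "__main__":
    for (user, mac), entry in summarize(SAMPLE_LOG).items():
        print(user, mac, entry["result"], allow_sources(entry), nested_only(entry))
```
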
(In reply to Sönke Schwardt-Krummrich from comment #8)
> REOPEN: tests
> - UCS 4.4-0 master w/ UCS@school (all ucs-test scripts were ok)
> - UCS 4.4-0 slave w/ UCS@school (08_clients_univention_conf FAILS)

Turned out that the ucs-test script was faulty on UCS@school systems. ucs-test has been fixed.

Package: ucs-test
Version: 9.0.1-3A~4.4.0.201902271159
Branch: ucs_4.4-0
2be81fcf43 Bug #46018: Readd apptest tag to 45_radius/08_clients_univention_conf and fix computer object creation for UCS@school environments
UCS@school 4.4 v1 has been released. https://docs.software-univention.de/release-notes-ucsschool-4.4v1-de.html If this error occurs again, please clone this bug.