<ask> Access-Reject on freeradius - freeradius

I just installed freeradius 1.1.7 from tarball.
Actually, I didn't get any errors in the compile and installation process.
First, when I try running it in debug mode, everything looks to be running well:
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
Then I try to test a user with the following command, but I get a reject packet from freeradius:
radtest user 1111 127.0.0.1 1812 testing123
Sending Access-Request of id 19 to 127.0.0.1 port 1812
User-Name = "user"
User-Password = "1111"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=19, length=20
In debug mode I get a message like below:
rad_recv: Access-Request packet from host 127.0.0.1:50886, id=90, length=56
User-Name = "user"
User-Password = "1111"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '#' in User-Name = "user", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 0
radius_xlat: 'user'
rlm_sql (sql): sql_set_user escaped user --> 'user'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'user' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: MYSQL check_error: 1146 received
rlm_sql_getvpdata: database query error
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'user' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: MYSQL check_error: 1146 received
rlm_sql_getvpdata: database query error
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 90 to 127.0.0.1 port 50886
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 90 with timestamp 5130196a
Nothing to do. Sleeping until we see a request.
What should I do to solve this problem?
Thanks

Maybe you should check your clients.conf file.
I think you didn't mention 127.0.0.1 as ipaddr in client localhost{}.
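Reading a FreeRADIUS 1.x debug trace like the one in the question is mostly mechanical, so here is an added example (not code from the question, the answer, or the FreeRADIUS project) in Python that walks the decisive lines, independently of the clients.conf check suggested above. Three facts drive the findings it prints: a `rad_recv: Access-Request` line means the server accepted the client and decoded the packet with the shared secret (an unknown client is logged as "Ignoring request from unknown client" instead); `MYSQL check_error: 1146` is MySQL's ER_NO_SUCH_TABLE, so the RADIUS schema (radcheck, radgroupcheck, ...) is missing from the database rlm_sql was pointed at; and `Auth-Type System` followed by rlm_unix returning `notfound` means the user is not in the system password database the unix module reads. The sample trace is constructed from the question's output, abridged; the MYSQL_ERRORS table is an assumed lookup, not something the page provides.

```python
import re

# Constructed sample: the decisive lines of the FreeRADIUS 1.x debug trace
# quoted in the question (abridged, in the original order).
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 127.0.0.1:50886, id=90, length=56
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 0
rlm_sql_mysql: MYSQL check_error: 1146 received
rlm_sql_getvpdata: database query error
modcall[authorize]: module "sql" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
rad_check_password: Found Auth-Type System
modcall[authenticate]: module "unix" returns notfound for request 0
auth: Failed to validate the user.
Sending Access-Reject of id 90 to 127.0.0.1 port 50886
"""

MODCALL_RE = re.compile(
    r'modcall\[(?P<section>\w+)\]: module "(?P<module>[^"]+)" returns (?P<rc>\w+)')
AUTH_TYPE_RE = re.compile(r'rad_check_password: Found Auth-Type (?P<type>\S+)')
MYSQL_ERR_RE = re.compile(r'rlm_sql_mysql: MYSQL check_error: (?P<code>\d+) received')
USERS_RE = re.compile(r'users: Matched entry (?P<entry>\S+) at line (?P<line>\d+)')

# MySQL server error codes worth recognising in an rlm_sql trace
# (assumed lookup table built from the MySQL error reference, not from the page).
MYSQL_ERRORS = {
    1045: "access denied for the configured SQL user",
    1049: "unknown database",
    1146: "table does not exist (RADIUS schema not loaded?)",
}


def analyse_trace(trace):
    """Summarise why one request in a FreeRADIUS debug trace was rejected.

    Returns a dict with the raw observations (received, rejected, modules,
    auth_type, sql_errors, users_entry) and a list of human-readable findings.
    """
    obs = {"received": False, "rejected": False, "modules": [],
           "auth_type": None, "sql_errors": [], "users_entry": None, "findings": []}
    for line in trace.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            obs["received"] = True
        elif line.startswith("Sending Access-Reject"):
            obs["rejected"] = True
        m = MODCALL_RE.search(line)
        if m:
            obs["modules"].append((m["section"], m["module"], m["rc"]))
            continue
        m = AUTH_TYPE_RE.search(line)
        if m:
            obs["auth_type"] = m["type"]
            continue
        m = MYSQL_ERR_RE.search(line)
        if m:
            obs["sql_errors"].append(int(m["code"]))
            continue
        m = USERS_RE.search(line)
        if m:
            obs["users_entry"] = (m["entry"], int(m["line"]))

    findings = obs["findings"]
    if obs["received"]:
        findings.append("the server decoded the request, so the client entry and shared secret matched")
    for code in obs["sql_errors"]:
        findings.append(f"rlm_sql: MySQL error {code}: {MYSQL_ERRORS.get(code, 'see the MySQL error reference')}")
    if obs["users_entry"]:
        entry, line = obs["users_entry"]
        findings.append(f"rlm_files: '{entry}' entry at users line {line} matched and may have set Auth-Type")
    # any authenticate-section module that did not succeed explains the reject
    failed = [(mod, rc) for sec, mod, rc in obs["modules"]
              if sec == "authenticate" and rc not in ("ok", "updated", "noop")]
    if obs["auth_type"] and failed:
        mod, rc = failed[0]
        findings.append(f"Auth-Type {obs['auth_type']}: module '{mod}' returned '{rc}', "
                        "so the password was never validated against a known user")
    if obs["rejected"] and not failed and not obs["sql_errors"]:
        findings.append("rejected without a failing module: check the authorize section")
    return obs


if __name__ == "__main__":
    for finding in analyse_trace(SAMPLE_TRACE)["findings"]:
        print("-", finding)
```

Run it against `radiusd -X` output redirected to a file (one request at a time) and compare the findings with what you changed; on the trace above it points at the SQL schema and at the user missing from the unix password database rather than at the client definition.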

Related

Can the INIT OData Source Kafka Source Connector pull data from XSODATA services?

I'd like to preface this with the fact that I am completely new to SAP and SAP HANA, and OData.
I was tasked with pulling changes from a SAP HANA table and transfer those to Kafka.
I noticed there was a Kafka source connector already written, which can be found here.
For this task, I was given a URL, a username and a password.
The URL looks like this:
https://blablabla.companyName.com/companyName/Foo/Bar/Baz/Foo/Table/Resource.xsodata
And this is a sample of the source connector's configs:
# The first few settings are required for all connectors:
# a name, the connector class to run, and the maximum number of
# tasks to create.
name = odatav4-source-connector
connector.class = org.init.ohja.kafka.connect.odatav4.source.OData4SourceConnector
tasks.max = 1
# The remaining configs are specific to the OData v4 source connector.
# OData server host as either DNS or IP
sap.odata.host.address = services.odata.org
# OData server port
sap.odata.host.port = 443
# OData protocol (supported values are http or https)
sap.odata.host.protocol = https
# OData user name for basic authentication
# For services not requiring authentication this can be set to any value
sap.odata.user.name = anonymous
# OData user password for basic authentication
# For services not requiring authentication this can be set to any value
sap.odata.user.pwd = anonymous
# Optional list of service URL query parameters in the form of "param1=value1,param2=value2", e.g. sap-client=200
#sap.odata.query-params=
# none(default): DECIMALs will be mapped to Connect Decimal data type
# primitive: DECIMALs will be mapped to INT64(id scale = 0) and FLOAT64
#sap.odata.decimal.mapping = none
# maximum amount of retries in case of service connection/communication errors (e.g. HTTP status codes 400-599)
#sap.odata.max.retries = 30
# The backoff strategy applied will select a random number of milliseconds
# to wait between min.retry.backoff.ms and max.retry.backoff.ms before starting
# the next retry.
#sap.odata.min.retry.backoff.ms = 20000
#sap.odata.max.retry.backoff.ms = 180000
# Timeout in milliseconds for establishing http connections
#sap.odata.connection.connect.timeout.ms=3000
# Timeout in milliseconds for reading data from a http connection
#sap.odata.connection.read.timeout.ms=10000
# Individual configurations for each OData v4 service entity.
# service and entityset build up the primary key for each OData configuration.
# OData v4 URL service path
sap.odata#00.service = /V4/Northwind/Northwind.svc/
# OData v4 entity set name
# The entity set name can be queried from the /$metadata service URL
sap.odata#00.entityset = Order_Details
# Kafka topic name the data for this OData service entity set will be pushed to
sap.odata#00.topic = Order_Details
# Execution interval in seconds for the scheduled data extractions
# Set to -1 to process subscription events only
#sap.odata#00.exec-period = 900
# If changes to entities selected by the first query should be tracked and returned as deltas in subsequent polls
# Set to 1 to enable odata delta mode
#sap.odata#00.track-changes = 0
# Paging mode (server or client) determines the type of paging
# server: use HTTP prefer-headers to request a maximum package size from the odata server
# client: use query functions skip and top (not compatible to change tracking)
#sap.odata#00.paging.mode = server
# Packaging size in count of entity set records
#sap.odata#00.paging.size = 50000
# Optional: Hierarchy level up to which recommendations for the expand.list configuration (query option $expand) will
# be shown in the Confluent Control Center
#sap.odata#00.expand.level = 1
# Optional: List of expand query options that will define the deep structure of returned entity messages
#sap.odata#00.expand.list =
# Optional: comma separated list of selected non-key fields to be extracted
#sap.odata#00.projection =
# Optional: filter query options
# Supported logical operations/options are: eq, ne, le, lt, ge, gt, bt, nb, in
#sap.odata#00.select#00.fieldname =
#sap.odata#00.select#00.option =
#sap.odata#00.select#00.low =
#sap.odata#00.select#00.high =
# If set to 1 the connector will subscribe to push-notifications issued by the corresponding OData service entity
#sap.odata#00.subscription.enable = 0
So I tried to create my own, like so:
{
"name": "sap-hana-source-connector",
"config": {
"connector.class": "org.init.ohja.kafka.connect.odatav4.source.OData4SourceConnector",
"sap.odata.user.name": "username",
"sap.odata.host.address": "blablabla.companyName.com",
"sap.odata.host.port": "443",
"sap.odata.host.protocol": "https",
"sap.odata#00.service": "/companyName/Foo/Bar/Baz/Foo/Table/Resource.xsodata",
"sap.odata#00.entityset": "Resource",
"sap.odata.user.pwd": "pwd"
}
}
The issue is that the only error I get is this:
{
"error_code": 400,
"message": "Connector configuration is invalid and contains the following 14 error(s):\nInvalid configuration sap.odata.host.address: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.host.protocol: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.host.port: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.user.name: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.user.pwd: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.max.retries: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.min.retry.backoff.ms: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.max.retry.backoff.ms: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.connection.connect.timeout.ms: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.connection.read.timeout.ms: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.query-params: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.trace.mode: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.trace.path: No configured service reachable. Maybe invalid destination configuration?\nInvalid configuration sap.odata.decimal.mapping: No configured service reachable. Maybe invalid destination configuration?\nYou can also find the above list of errors at the endpoint `/connector-plugins/{connectorType}/config/validate`"
}
As someone who is completely new to OData and SAP, I don't know how I'd debug this.
I noticed that, in the OData's Kafka Source Connector documentation the services end in .svc and not .xsodata; so maybe it's something to do with that?
Also, what am I supposed to put for the sap.odata#00.entityset config?
Is there a way to get a more detailed error message?
Thanks.
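Two of the loose ends in the question (what goes in `sap.odata#00.entityset`, and whether a `.xsodata` service matches a v4 connector) can both be checked against the service's `$metadata`, which the connector's own comments say lists the entity sets. The following is an added example in Python, not code from the question or from the connector; it fetches nothing but parses two constructed metadata documents, one shaped like the Northwind V4 sample the connector config references, and one shaped like the OData V2 CSDL that SAP HANA XSODATA services publish (that a `.xsodata` service speaks OData V2 is my assumption about XS services, not something the page states). The URL builder works from the connector's own setting names.

```python
import xml.etree.ElementTree as ET

M_NS = "{http://schemas.microsoft.com/ado/2007/08/dataservices/metadata}"

# Constructed sample documents (not fetched from any real service).
V4_METADATA = """\
<edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx">
  <edmx:DataServices>
    <Schema Namespace="NorthwindModel" xmlns="http://docs.oasis-open.org/odata/ns/edm">
      <EntityType Name="Order_Detail"><Key><PropertyRef Name="OrderID"/></Key></EntityType>
      <EntityContainer Name="NorthwindEntities">
        <EntitySet Name="Order_Details" EntityType="NorthwindModel.Order_Detail"/>
      </EntityContainer>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>
"""

# Assumed shape of what an SAP HANA .xsodata service publishes: an OData V2 CSDL document.
V2_METADATA = """\
<edmx:Edmx Version="1.0" xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx">
  <edmx:DataServices xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
                     m:DataServiceVersion="2.0">
    <Schema Namespace="companyName.Foo" xmlns="http://schemas.microsoft.com/ado/2008/09/edm">
      <EntityType Name="ResourceType"><Key><PropertyRef Name="ID"/></Key></EntityType>
      <EntityContainer Name="Resource" m:IsDefaultEntityContainer="true">
        <EntitySet Name="Resource" EntityType="companyName.Foo.ResourceType"/>
      </EntityContainer>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>
"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def service_urls(cfg, idx="00"):
    """Service root and $metadata URL built from the connector's own settings."""
    base = f"{cfg['sap.odata.host.protocol']}://{cfg['sap.odata.host.address']}:{cfg['sap.odata.host.port']}"
    root = base + cfg[f"sap.odata#{idx}.service"].rstrip("/")
    return root, root + "/$metadata"


def parse_metadata(xml_text):
    """Return (odata_version, {entity_set_name: entity_type}) from a CSDL document.

    Namespace-agnostic, so it reads both V2 (2007 edmx namespace, with the
    version in m:DataServiceVersion) and V4 (OASIS namespace) metadata.
    """
    root = ET.fromstring(xml_text)
    version = root.get("Version", "")
    if not version.startswith("4"):
        for el in root.iter():
            if local_name(el.tag) == "DataServices":
                version = el.get(M_NS + "DataServiceVersion", version)
    sets = {el.get("Name"): el.get("EntityType")
            for el in root.iter() if local_name(el.tag) == "EntitySet"}
    return version, sets


def check_entity_config(cfg, metadata_xml, idx="00"):
    """Problems this connector config would hit against the given service, as strings."""
    version, sets = parse_metadata(metadata_xml)
    problems = []
    if not version.startswith("4"):
        problems.append(f"service reports OData {version}; the connector configured here is the OData v4 one")
    wanted = cfg.get(f"sap.odata#{idx}.entityset")
    if wanted not in sets:
        problems.append(f"entity set '{wanted}' not in $metadata; available: {sorted(sets)}")
    return problems
```

In practice you would first retrieve `$metadata` with the same credentials the connector will use (a plain `curl -u user:pwd` against the URL that `service_urls` produces) and feed the response body to `parse_metadata`; if that request already fails, the connector's "No configured service reachable" is a transport or authentication problem rather than an entity-set problem, and the password belongs in a Connect secret provider rather than inline in the JSON once it works.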

how openstacksdk get_port just through ip_address

How do I get the specific port information, depending only on the ip-address field, through the openstacksdk API, like the result the openstack-client tool shows:
# openstack port list --fixed-ip ip-address=1.1.1.1
+-----+------+-------------+---------------------------------------+--------+
| ID | Name | MAC Address | Fixed IP Addresses | Status |
+-----+------+-------------+---------------------------------------+--------+
| f23 | | fa:*****:ad | ip_address='1.1.1.1', subnet_id='821' | ACTIVE |
+-----+------+-------------+---------------------------------------+--------+
I have tried these methods; none work:
port = conn.network.get_port(openstack.network.v2.port.Port(fixed_ips=[{'subnet_id': '821', 'ip_address': '1.1.1.1'}]))
err: openstack.exceptions.InvalidRequest: Request requires an ID but none was found
port = conn.network.ports(fixed_ips=[{'ip_address': '1.1.1.1'}])
err: openstack.exceptions.BadRequestException: BadRequestException: 400: Client Error for url: domain:9696/v2.0/ports?fixed_ips=ip_address, Invalid input for operation: 'ip_address' is not of the form <key>=[value].
port = conn.network.ports(fixed_ips=['1.1.1.1'])
err: openstack.exceptions.BadRequestException: BadRequestException: 400: Client Error for url: domain:9696/v2.0/ports?fixed_ips=1.1.1.1, Invalid input for operation: '1.1.1.1' is not of the form <key>=[value].
port = conn.network.ports(ip_address='1.1.1.1')
err: openstack.exceptions.BadRequestException: BadRequestException: 400: Client Error for url: https://gzi-ost.2980.com:9696/v2.0/ports?ip_address=1.1.1.1, ['ip_address'] is invalid attribute for filtering
Refer to these documentation: network.port-operations and openstack api list-ports-detail .
How could I achieve that? Thank you in advance.
One more thing: I can't know the port_id beforehand; I only know the fixed ip-address.
Obviously, my bad; the problem is that my request parameter had data in the wrong format.
Solved it by importing urllib to encode the request JSON data in Python 3.
conn.network.ports(fixed_ips=urllib.parse.urlencode({'ip_address': '1.1.1.1'}))
Returns: A generator of port objects.
or
conn.list_ports({'fixed_ips': urllib.parse.urlencode({'ip_address': '1.1.1.1'})})
Returns: A list of port munch.Munch.
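The working call at the end hinges on the shape of the value Neutron's `fixed_ips` filter accepts: every element must read `key=value`, which is exactly what `urllib.parse.urlencode({'ip_address': '1.1.1.1'})` turns the dict into. As an added example, not from the question or from openstacksdk, the Python below builds that query in the form the list-ports API documents (the `fixed_ips` key repeated once per filter, with the `=` inside each value percent-encoded), validates values the way Neutron's 400 message describes, and shows a client-side fallback over constructed port records for the case where you already hold a listing. The sample ports are constructed, not real API output.

```python
from urllib.parse import urlencode, parse_qsl

# Constructed sample of what GET /v2.0/ports returns (trimmed to the fields used here).
SAMPLE_PORTS = [
    {"id": "f23", "name": "", "mac_address": "fa:16:3e:00:00:ad", "status": "ACTIVE",
     "fixed_ips": [{"ip_address": "1.1.1.1", "subnet_id": "821"}]},
    {"id": "a07", "name": "db", "mac_address": "fa:16:3e:00:00:1b", "status": "ACTIVE",
     "fixed_ips": [{"ip_address": "1.1.1.2", "subnet_id": "821"}]},
    {"id": "c44", "name": "lb", "mac_address": "fa:16:3e:00:00:7c", "status": "DOWN",
     "fixed_ips": []},
]


def validate_fixed_ips_value(value):
    """Mirror Neutron's own check: each fixed_ips filter must look like key=value."""
    if "=" not in value:
        raise ValueError(f"'{value}' is not of the form <key>=[value]")
    return value


def fixed_ips_filters(ip_address=None, subnet_id=None):
    """The strings to pass as fixed_ips=...; for one IP this equals urlencode({'ip_address': ip})."""
    values = []
    if ip_address is not None:
        values.append(f"ip_address={ip_address}")
    if subnet_id is not None:
        values.append(f"subnet_id={subnet_id}")
    if not values:
        raise ValueError("need ip_address and/or subnet_id")
    return [validate_fixed_ips_value(v) for v in values]


def ports_query_string(ip_address=None, subnet_id=None):
    """Query string for GET /v2.0/ports: one fixed_ips parameter per filter,
    with the '=' inside each value percent-encoded as %3D."""
    return urlencode([("fixed_ips", v) for v in fixed_ips_filters(ip_address, subnet_id)])


def decoded_filters(query):
    """What Neutron sees after URL-decoding; handy when reading back a 400 response."""
    return [v for k, v in parse_qsl(query) if k == "fixed_ips"]


def ports_with_ip(ports, ip_address):
    """Client-side fallback: filter an existing listing (dicts or SDK Port objects) by fixed IP."""
    hits = []
    for port in ports:
        fixed = port["fixed_ips"] if isinstance(port, dict) else port.fixed_ips
        if any(f.get("ip_address") == ip_address for f in (fixed or [])):
            hits.append(port)
    return hits


if __name__ == "__main__":
    print(ports_query_string("1.1.1.1", "821"))
    print([p["id"] for p in ports_with_ip(SAMPLE_PORTS, "1.1.1.1")])
```

With a live connection the server-side form is `conn.network.ports(fixed_ips=fixed_ips_filters("1.1.1.1"))` (or the single string the answer above uses); the client-side form is `ports_with_ip(conn.network.ports(), "1.1.1.1")`, which lists every port the token can see and should be reserved for small tenants.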

HAProxy 2.0 LUA Fetches API - how to get request details and how to pass variable back to HAProxy

I have been scouring the internet with no luck. I have a basic LUA script for HAProxy, which looks like this:
core.Info("LUA script for parsing request ID element - loaded");
function parseId(txn, salt)
    local payload = txn.sf:req_body()
    -- parses hex value from element named "ID". Example payload: {"Platform":"xyz.hu","RecipientId":"xyz.hu","Channel":"xyz","CallbackURL":"http://x.x.x.x:123","ID":"5f99453d000000000a0c5164233e0002"}
    -- capture the hex digits directly, so no fixed offset into the match is needed,
    -- and guard against bodies without an "ID" element (string.sub on nil would raise)
    local value = string.match(payload or "", "\"ID\":\"([0-9a-f]+)\"")
    if not value then
        core.Info("ID : not found in request body")
        return nil
    end
    core.Info("ID : " .. value)
    return value
end
-- register HAProxy "fetch"
core.register_fetches("parseId", parseId)
What it does is what it says: takes a 32-character-long ID from an incoming request. In the HAProxy config file, the result is used for sticky-session handling:
stick-table type string len 32 size 30k expire 30m
stick on "lua.parseId" table gw_back
This produces two lines of log for each request:
ID: xyz which is logged from the LUA script
The detailed request data which is logged from the HAProxy config file using "log-format", e.g.:
Jan 20 22:13:52 localhost haproxy[12991]: Client IP:port = [x.x.x.x:123], Start Time = [20/Jan/2022:22:13:52.069], Frontend Name = [gw_front], Backend Name = [gw_back], Backend Server = [gw1], Time to receive full request = [0 ms], Response time = [449 ms], Status Code = [200], Bytes Read = [308], Request = ["POST /Gateway/init HTTP/1.1"], ID = [""], Request Body = [{"Platform":"xyz.hu","RecipientId":"xyz.hu","Channel":"xyz","CallbackURL":"http://x.x.x.x:123","ID":"61e9d03e000000000a0c5164233e0002"}]
I wanted to extend logging due to some strange issues happening sometimes, so I wanted to do one (or both) of the approaches below:
Pass the "ID" value back from the LUA script into the HAProxy config as a variable, and log it along with the request details. I can log the full request body, but don't want to due to GDPR and whatnot.
Get some request details in the LUA script itself, and log it along with the ID.
So, basically, to be able to connect the ID with the request details. If multiple requests are coming to same URL very quickly, it is difficult to find which of them belongs to a specific ID. However I couldn't accomplish these.
For the first one, I added this line into the LUA before returning the "value" variable:
txn:set_var("req_id", value)
I was hoping this would create a variable in HAProxy called "req_id" that I could log with "log-format", but all I got was an empty string:
ID = [""]
For the second one, I'm at a complete loss. I'm not able to find ANY documentation on these. I have been scouring the internet with no luck. E.g. the txn.sf:req_body() function, which I know is working: I simply cannot find it documented anywhere, so I'm not sure what other functions are available to get some request details.
Any ideas for either or both of my approaches? I'm attaching my full HAProxy config here at the end, just in case:
global
    log 127.0.0.1 len 10000 local2 debug
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    lua-load /opt/LUA/parseId.lua
    stats socket /etc/haproxy/haproxysock level admin
defaults
    log global
    option httplog
    option dontlognull
    mode http
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # Request body is temporarily logged in test environment
    log-format "Client IP:port = [%ci:%cp], Start Time = [%tr], Frontend Name = [%ft], Backend Name = [%b], Backend Server = [%s], Time to receive full request = [%TR ms], Response time = [%Tr ms], Status Code = [%ST], Bytes Read = [%B], Request = [%{+Q}r], ID = [%{+Q}[var(txn.req_id)]], Request Body = [%[capture.req.hdr(0)]]"
frontend gw_front
    bind *:8776
    option http-buffer-request
    declare capture request len 40000
    http-request capture req.body id 0
    http-request track-sc0 src table gw_back
    use_backend gw_back
backend gw_back
    balance roundrobin
    stick-table type string len 32 size 30k expire 30m
    stick on "lua.parseId" table gw_back
    # Use HTTP check mode with /ping interface instead of TCP-only check
    option httpchk POST /Gateway/ping
    server gw1 x.x.x.x:8080 check inter 10s
    server gw2 y.y.y.y:8080 check inter 10s
listen stats
    bind *:8774 ssl crt /etc/haproxy/haproxy.cer
    mode http
    maxconn 5
    stats enable
    stats refresh 10s
    stats realm Haproxy\ Statistics
    stats uri /stats
    stats auth user:password

how to send https request from lua in haproxy before routing request?

I used the haproxy Socket class as outlined here https://www.haproxy.com/blog/5-ways-to-extend-haproxy-with-lua/#actions to make an http request to an external service from lua code (see code below).
How can I make an https request to the service?
Is it possible to specify a domain name instead of IP address of the service to connect to?
Any help is appreciated.
local function http_request(txn, data)
    local addr = "<external-IP>"   -- placeholder for the service address
    local port = 80
    -- Set up a request to the service
    local hdrs = {
        [1] = string.format('host: %s:%s', addr, port),
        [2] = 'accept: */*',
        [3] = 'connection: close'
    }
    local req = {
        [1] = string.format('GET %s HTTP/1.1', data.path),
        [2] = table.concat(hdrs, '\r\n'),
        [3] = '\r\n'
    }
    req = table.concat(req, '\r\n')
    -- Use core.tcp to get an instance of the Socket class
    local socket = core.tcp()
    socket:settimeout(data.timeout)
    -- Connect to the service and send the request
    if socket:connect(addr, port) then
        local content = nil
        if socket:send(req) then
            -- Skip response headers
            while true do
                local line, _ = socket:receive('*l')
                if not line then break end
                if line == '' then break end
            end
            -- Get response body, if any
            content = socket:receive('*a')
        else
            core.Alert('Could not connect to server (send)')
        end
        -- close the socket on both the success and the failed-send path
        socket:close()
        return content
    else
        core.Alert('Could not connect to server (connect)')
    end
end
Recently, while working on a problem, I figured out that we cannot pass a domain name. I was using the http.lua lib. This http.lua lib uses the Socket class, as you are doing in your code.
Also, after searching a lot, I was unable to find a DNS resolver lib. There was one related to nginx lua, but it requires installing lots of different lua libs, so I skipped it.
The workaround I did was to create my own DNS resolver service http://127.0.0.1:53535 in HAProxy as below:
listen lua_dns
    bind 127.0.0.1:53535
    http-request do-resolve(txn.dstip,mydns,ipv4) hdr(ResolveHost),lower
    http-request return status 200 content-type text/plain lf-string OK hdr ResolvedIp "%[var(txn.dstip)]"
To this service I pass the domain name in request header ResolveHost and get the IP in response header ResolvedIp.
Now the lua functions to parse the domain from the URL and call the DNS resolver service are as below:
local function parse_domain(url)
    local schema, host, _ = url:match("^(.*)://(.-)[?/](.*)$")
    if not schema then
        -- maybe path (request uri) is missing
        schema, host = url:match("^(.*)://(.-)$")
        if not schema then
            core.Info("ERROR :: Could not parse URL: "..url)
            return nil
        end
    end
    return host
end
local function resolve_domain(domain)
    local d = parse_domain(domain)
    if not d then
        return nil   -- unparsable URL already logged by parse_domain
    end
    local r, msg = http.get{ url = "http://127.0.0.1:53535", headers={ResolveHost=d} }
    if r == nil then
        core.Info("ERROR: "..msg..". While resolving domain: "..d)
        return msg
    end
    return r.headers['resolvedip']
end
Now replace the domain name in the URL with the resolved IP using gsub():
-- escape '.' and other punctuation so gsub matches the domain literally, and replace only the first occurrence
local escaped = domain_name:gsub("%p", "%%%0")
url = url:gsub(escaped, resolved_ip, 1)
and then call your API using http.lua
local res, msg = http.get{ url=url, headers=headers }
Here the http.lua lib will handle HTTP and HTTPS urls.

freeradius request proxy to freediameter

I am looking to proxy EAP-SIM requests from freeRADIUS to freeDiameter; the process involves:
Set proxy on freeRADIUS (my status is that the request is not being proxied)
Set NAS on freeDiameter (due to lack of documentation I am not able to understand where to define RADIUS as a NAS)
Send message back to freeRADIUS (I think this will be done automatically by Diameter once the above tasks are completed)
My current status in freeRADIUS is:
[suffix] Looking up realm "wlan.mnc010.mcc404.3gppnetwork.org" for User-Name = "1404100508859867#wlan.mnc010.mcc404.3gppnetwork.org"
[suffix] Found realm "wlan.mnc010.mcc404.3gppnetwork.org"
[suffix] Adding Stripped-User-Name = "1404100508859867"
[suffix] Adding Realm = "wlan.mnc010.mcc404.3gppnetwork.org"
[suffix] Proxying request from user 1404100508859867 to realm wlan.mnc010.mcc404.3gppnetwork.org
[suffix] Preparing to proxy authentication request to realm "wlan.mnc010.mcc404.3gppnetwork.org"
++[suffix] = updated
[eap] Request is supposed to be proxied to Realm wlan.mnc010.mcc404.3gppnetwork.org. Not doing EAP.
++[eap] = noop
In the end, I get an error message which says:
+} # group authorize = updated
ERROR: Failed to find live home server for realm wlan.mnc010.mcc404.3gppnetwork.org
There was no response configured: rejecting request 6
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> 1404100508859867#wlan.mnc010.mcc404.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
I am not able to understand what I might be doing wrong.
Also, a point to note: I don't get any debug output in my Diameter:
freeDiameterd
libfdproto initialized.
libgnutls '2.12.23', libgcrypt '1.4.5', initialized.
Generating fresh Diffie-Hellman parameters of size 1024 (this takes some time)...
All extensions loaded.
-- Configuration :
Debug trace level ...... : +1
Configuration file ..... : /usr/etc/freeDiameter/freeDiameter.conf
Diameter Identity ...... : diameter.<identity hidden> (l:19)
Diameter Realm ......... : <identity hidden> (l:10)
Tc Timer ............... : 30
Tw Timer ............... : 30
Local port ............. : 3868
Local secure port ...... : 3869
Number of SCTP streams . : 30
Number of server threads : 4
Local endpoints ........ :
[103.206.180.2]:0 {C---}
Local applications ..... : (none)
Flags : - IP ........... : Enabled
- IPv6 ......... : DISABLED
- Relay app .... : DISABLED
- TCP .......... : Enabled
- SCTP ......... : DISABLED
- Pref. proto .. : SCTP
- TLS method ... : Separate port
TLS : - Certificate .. : /etc/ssl/certs/freeDiameter.pem
- Private key .. : /etc/ssl/private/freeDiameter.key
- CA (trust) ... : /etc/ssl/certs/freeDiameter.pem (1 certs)
- CRL .......... : (none)
- Priority ..... : (default: 'NORMAL')
- DH bits ...... : 1024
Origin-State-Id ........ : 1493381358
freeDiameterd daemon initialized.
Any help with this will be highly appreciated.
