#175 Permission to build mod_auth_xradius with bundled libradius
Closed: Fixed None Opened 11 years ago by slaanesh.

== Proposal topic ==

Allow the mod_auth_xradius binaries to be built with the bundled library libradius.

== Overview ==

The tarball of the mod_auth_xradius Apache module under [https://bugzilla.redhat.com/show_bug.cgi?id=820488| review] bundles an old version of the libradius client included in the [http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libradius/| base FreeBSD system].

The code itself is licensed under the BSD license. This library is required for building the module and does not produce a shared object but is linked as part of the module.

The difference between this module and the mod_auth_radius module shipped by the [ftp://ftp.freeradius.org/pub/radius/| FreeRadius project] is that this one is much faster and can manage high availability between multiple Radius Servers.

== Solution overview ==

mod_auth_xradius should get the permission to be built with the bundled sources of libradius. There is currently no radius auth module in Apache in Fedora; all other distributions had this for years.


Seeing as radius, or indeed, mod_auth* packages in general, are highly security sensitive, I don't see adequate justification for granting this. Could you provide some more justification? Otherwise it'll likely be a tough fight for you to get this approved.

Well, apart from the fact that there's no radius module for apache in Fedora and the fact that xradius has the following benefits compared to the FreeRadius one, I have nothing to say :(

  • Uses a memcached server to cache both positive and negative authentication results.
  • Uses standard HTTP Basic Authentication, unlike mod_auth_radius which uses cookies for sessions.
  • It is faster than mod_auth_radius.
  • Multiple Radius servers can be specified for redundancy.

If this is not a viable option I'll try to package mod_auth_radius and create another review. It does not contain any libraries but it surely has fewer features.

This is the readme included in the tarball:

{{{
This libradius library implements the client side of the Remote Authentication
Dial In User Service (RADIUS). RADIUS, defined in RFCs 2138 and 2139, allows
clients to perform authentication and accounting by means of network requests
to remote servers.

This software was originally written by John Polstra, and donated to the FreeBSD
project by Juniper Networks, Inc. Oleg Semyonov subsequently added the ability
to perform RADIUS accounting.

The following source files were extracted from a FreeBSD 5-STABLE system as of
20-Sep-2004:

/usr/src/sys/sys/md5.h
/usr/src/lib/libmd/md5c.c
/usr/src/lib/libradius/libradius.3
/usr/src/lib/libradius/radius.conf.5
/usr/src/lib/libradius/radlib.c
/usr/src/lib/libradius/radlib.h
/usr/src/lib/libradius/radlib_private.h
/usr/src/lib/libradius/radlib_vs.h
}}}

Since md5 can be bundled as "bundled(md5-polstra)", could it be that this goes to "bundled(libradius-polstra)"? (just guessing).

Thanks.

I don't think that's quite the same thing. md5 is a copylib because of the profusion of implementations and the rampant historical bundling. Ideally, we'd like to have all programs that use md5 link against one of the standard implementations. Simply because they're bundled from the same source doesn't necessarily mean they should both be excepted.

For the record, my suggestion that this be brought before FPC was not to indicate that I felt that the exception should be granted (though I'm not opposed if it plays out that way) but simply that this certainly needs FPC attention and should either be excepted or rejected.

I'd ideally like to see libradius packaged separately, with a solib, etc. Any luck with that so far?

I'll look at packaging http://portal-to-web.de/tacacs/libradius.php and get back to this with my results.

Ok, so libradius needs libmd. So grab and build this:

http://fedorapeople.org/~limb/review/libmd/

Then install libmd and libmd-devel. Then grab and build this:

http://fedorapeople.org/~limb/review/libradius/

Then install libradius and libradius-devel. You should then be able to rm -rf libradius/ in %setup of mod_auth_xradius, and patch the results to build with these.

The bundled version of libradius differs from this version, but I'm not sure yet what needs patching. See if it works and then I'll go from there, and if it all works I'll submit these two packages for review.
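A check a packager could run after the `rm -rf libradius/` step described above, to confirm no bundled copy is left in the unpacked tree. This is an added example, not part of the ticket or of any spec file under review; the file names come from the bundled README quoted earlier, and the demo tree layout (including `src/mod_auth_xradius.c`) is constructed.

```shell
#!/bin/sh
# Added example, not from the ticket: verify that an unpacked
# mod_auth_xradius tree no longer carries the bundled libradius/libmd files.

# Basenames copied from the file list in the bundled README quoted above.
BUNDLED_FILES="md5.h md5c.c libradius.3 radius.conf.5 radlib.c radlib.h radlib_private.h radlib_vs.h"

# Print every file under $1 whose basename is on the list, sorted.
list_bundled() {
    for name in $BUNDLED_FILES; do
        find "$1" -type f -name "$name" -print
    done | sort
}

# Exit status: 0 = tree is clean, 1 = bundled copies remain, 2 = bad argument.
check_unbundled() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    leftovers=$(list_bundled "$1")
    if [ -n "$leftovers" ]; then
        echo "bundled copies still present:" >&2
        echo "$leftovers" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed tree (layout is an assumption, not the real tarball).
demo() {
    tree=$(mktemp -d) || return 2
    mkdir -p "$tree/libradius" "$tree/src"
    : > "$tree/libradius/radlib.c"
    : > "$tree/libradius/md5c.c"
    : > "$tree/src/mod_auth_xradius.c"
    if check_unbundled "$tree"; then echo "before: clean"; else echo "before: bundled"; fi
    rm -rf "$tree/libradius"      # the step suggested for %setup
    if check_unbundled "$tree"; then echo "after: clean"; else echo "after: bundled"; fi
    rm -rf "$tree"
}

demo
```

A non-zero status from `check_unbundled` can be used to fail a build early, so a stale security-sensitive copy of the library cannot be compiled into the module unnoticed.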

Many thanks for taking the time to look into this; I had to leave for a work trip and I don't have access to my laptop until Sunday.

I'll try to package and fix everything Monday morning as soon as I get into the office. Maybe a newer version of libradius could work as well; I think it's worth a try.

Thanks.

No worries. My computer access will be intermittent until Monday also. Monday's also an open question, since I'm in Chicago and we've got NATO. Wheee! Keep me posted. :)

Hello,

I've made some small changes to libmd and libradius spec files:

  • %description for devel as in rpmdev-newspec
  • small formatting changes (whitespaces, etc)
  • added stuff for EPEL-5 build

https://bugzilla.redhat.com/show_bug.cgi?id=823444

https://bugzilla.redhat.com/show_bug.cgi?id=823446

Modified mod_auth_xradius:

  • remove bundled libradius implementation and use the package generated ones
  • blocked by bugs 823444 and 823446

https://bugzilla.redhat.com/show_bug.cgi?id=820488

I hope that's ok for review. Many thanks for your work.

Ok, great, if that all works, then we're good.
