[tech] mussel upgrades and koha

David Adam zanchey at ucc.gu.uwa.edu.au
Mon Feb 23 19:14:12 WST 2009


On Sun, 22 Feb 2009, David Adam wrote:
> On Sat, 21 Feb 2009, James Andrewartha wrote:
> > 
> > As you may have noticed due to the various things that broke today, mussel 
> > got upgraded to lenny. [MSH] accidentally upgraded a few packages to lenny 
> > yesterday, but what precipitated the upgrade was [PXY] looking into Koha's 
> > malfunctioning and finding the errors were "fetchrow failed: fetch() 
> > without execute()", and hypothesised that it was from an old version of 
> > Koha talking to a new version of MySQL. So I embarked upon a full upgrade 
> > of mussel so I could install the latest Koha.
> > <snip>
> > If you notice anything still broken, please email tech, talk to someone on 
> > #ucc, or file a ticket at https://secure.ucc.asn.au/glpi/
> 
> RADIUS is broken, which means the PPTP VPN (pptp.ucc/snap.ucc) refuses to 
> authenticate users. I'm not really sure what's going on - the proximal 
> cause appears to be:
> <snip> 
> but PEAP was apparently disabled with OpenSSL removal in the Debian 
> version 1.0.0-1, and we've been running 1.1.3-3 successfully for a while.
> 
> Not really sure what's going on here, and I don't have a huge amount of 
> time to fiddle around. RADIUS is pretty nasty and FreeRADIUS has a 
> sprawling and complex set of configuration files but if anyone has any 
> suggestions or wants to take a crack let me know.

OK, this is fixed now, and the VPN should be working again.

FreeRADIUS was upgraded to 2.0.4, with some subtle rearrangements of the 
configuration files. This was causing all sorts of interesting issues with 
the config files, so first I copied all the new files over the old ones.

Some changes needed to be made to ldap.attrmap to match the Samba LDAP 
schema.

The LDAP server details were added to the configuration, and mschapv2 set 
as the default EAP method (PEAP is not required, that was a red herring).

Requests were still failing with this message from freeradius:

 rlm_mschap: No User-Password configured.  Cannot create LM-Password.
 rlm_mschap: No User-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
 rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Further inspection showed that the server was not requesting the 
sambaNTPassword attribute from LDAP, because 'ldap' was not set in the 
'authorize' section. This is in direct opposition to what the comments 
above the ldap stanza in the authorize section say, but there you go.

David Adam
UCC Wheel Member
zanchey@
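
Added example, not part of the original message and not UCC's configuration: a small check for the failure described above, where mschap is listed in 'authorize' but 'ldap' is commented out, so NT-Password is never loaded. The sample config is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of a FreeRADIUS 2.x virtual server file;
# not the UCC configuration.
BROKEN = """
authorize {
    preprocess
    mschap
    eap
    #  ldap
    files
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
"""
FIXED = BROKEN.replace("#  ldap", "ldap")

def section_modules(conf, name):
    """Return the uncommented top-level module names in section `name`."""
    modules, depth, inside = [], 0, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if not inside:
            if re.fullmatch(rf"{name}\s*\{{", line):
                inside, depth = True, 1
            continue
        if line.endswith("{"):
            depth += 1                        # nested block, e.g. Auth-Type
        elif line == "}":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1:
            modules.append(line.split()[0])
    return modules

def check_mschap_password_source(conf, sources=("ldap",)):
    """Warn when mschap is authorized but no listed password source is."""
    mods = section_modules(conf, "authorize")
    if "mschap" in mods and not any(s in mods for s in sources):
        return ["authorize: mschap enabled but none of %s is; "
                "NT-Password will not be loaded" % ", ".join(sources)]
    return []
```
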

