On 08/24/2010 11:22 PM, david klein wrote:
Sorry to those who have already seen this; I posted to the wrong
mailing list (the -interest mailing list instead of the -users list).
As an NMS engineer, I have a use for integrated TACACS+ with a unified
identity solution, so that the same account name and password can
grant access for managing network infrastructure devices as well as
UNIX and Linux servers, and so that network rights can be assigned and
delegated through the same GUI as systems rights.
There is an open source TACACS+ service called "tac_plus", which used
to be maintained by Cisco, and which is now maintained by Shrubbery
Networks, Inc (http://www.shrubbery.net/tac_plus/). It appears that
under Shrubbery's guidance and development, the tac_plus daemon can
use LDAP by way of PAM to handle authentication, according to
http://www.shrubbery.net/tac_plus/PAM_guide.txt. At this point, only
authentication appears to have been externalized, but it does prove
How does Redhat currently measure the degree of interest in possible
features for inclusion in the FreeIPA/EnterpriseIPA product, and would
it be worthwhile to gather statements from other systems
administrators to help demonstrate the desirability and usefulness of
this feature request? This would be a very helpful capability, as it
would remove dependence on ACS, which is an expensive and complex (and
complicated) TACACS+ server.
This is the first request I've seen for TACACS support. Since IPA is a
unified identity solution at its core, it's not clear to me at the
moment what advantage there would be to TACACS other than emulating a
TACACS server for legacy and/or 3rd-party products which depend on the
TACACS protocol. If one wants to set up a TACACS daemon there is a
reasonable chance it could validate against IPA (more investigation
would be needed), and this would give you something which provides the
TACACS protocol but is backed by IPA and its management tools.
We do have plans on our roadmap to support RADIUS, which is often used as
an alternative to TACACS.
But perhaps I haven't fully understood your request. So let me rephrase
it and see if I have it correct. You want something on your network
which speaks the TACACS+ protocol but whose identity management is backed
by our IPA server. Is that correct?
John Dennis <jden...@redhat.com>
Freeipa-users mailing list
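The tac_plus-over-PAM arrangement mentioned in david klein's message above, written out as an added example for this thread (it is not configuration from the original posts, from Shrubbery Networks, or from the FreeIPA project). It assumes a tac_plus build with PAM support, a host that is already enrolled as an IPA client so that its PAM stack resolves users through pam_sss (pam_ldap is the older alternative named in the thread), and placeholder values for the shared secret and the router address. The point to notice is the one the thread makes: only authentication is delegated to IPA; the authorization data (privilege level, command permissions) still lives in tac_plus.conf itself.

```conf
# /etc/pam.d/tac_plus  (assumed path; the service name must match what
# tac_plus opens, see the Shrubbery PAM_guide.txt for the exact name)
#
# Authenticate and account-check through the IPA client stack.
# pam_sss is what an enrolled IPA client normally uses; pam_ldap would
# be the substitute on a host that talks to the directory directly.
auth     required   pam_sss.so
account  required   pam_sss.so

# /etc/tac_plus.conf  (assumed path)
#
# Shared secret between the daemon and the network devices.  Value is a
# placeholder; use a long random string and keep this file mode 0600.
key = "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# Per-device override of the secret is also possible; address is a
# constructed example.
host = 192.0.2.10 {
    key = "REPLACE-WITH-A-DEVICE-SPECIFIC-SECRET"
}

# Every user not listed explicitly falls through to DEFAULT.  "login = PAM"
# is what hands the password check to the PAM stack above (and so to IPA);
# "pap = PAM" does the same for PAP-style logins.
user = DEFAULT {
    login = PAM
    pap   = PAM
    # Authorization is still local to this file: IPA knows nothing about
    # these privilege levels, which is the gap the thread is asking to close.
    service = exec {
        priv-lvl = 1
    }
}

# A locally defined group for operators who should land at exec level 15.
# Membership is decided here, not in IPA.
group = netadmins {
    login = PAM
    pap   = PAM
    service = exec {
        priv-lvl = 15
    }
    cmd = configure {
        permit .*
    }
}

# Example operator; the account name must exist in IPA for the PAM check
# to succeed, but the group mapping below is tac_plus-only.
user = dklein {
    member = netadmins
}
```

Two caveats a practitioner would check before relying on this: first, confirm with `ldd $(which tac_plus) | grep pam` (or the build's configure output) that the binary was actually compiled with PAM, since a build without it silently rejects `login = PAM`; second, because the `user =` and `group =` blocks are not synchronized with IPA, removing an operator in IPA stops their logins but leaves a stale entry in tac_plus.conf, so any offboarding procedure has to touch both places until authorization is also externalized.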