On 08/25/2010 11:22 AM, James Roman wrote:
The more practical solution which may be available to you would be to
avail yourself of the PAM integration in the tac_plus project (but to
be honest I don't see how that would give you any of the sophisticated
features you cite as being a prime motivator for utilization of
TACACS). FreeIPA is an open source project and from what you say so is
tac_plus. I would imagine patches would be welcomed by both projects
which would allow the tac_plus daemon to utilize IPA as its back end.
We would be happy to answer any questions for the person(s) who wanted
to undertake this and contribute their work.

From what I can see it looks like the missing piece would be the
ability to look up tac_plus user->group assignments from the FreeIPA/389
LDAP server. It looks like tac_plus has "integrated" the
authentication with LDAP via PAM, but not the authorization. When
building an authentication solution for network devices with FreeIPA,
providing authentication via TACACS+ would be secondary, since you could
have your Cisco device directly authenticate the user against FreeIPA
using Kerberos. TACACS+'s primary benefit is in the granular control of
authorization to network device services. If you can get tac_plus to
reference an LDAP server for group membership, then you might have a
reasonable solution. You would still need to assign the group's network
permissions in the tac_plus configuration file, but that would be done
once. Once the group access was defined, you could assign LDAP users to
groups that match what's in the tac_plus config file.

This really requires the tac_plus team to code direct LDAP integration
into their application similar to the way Freeradius can rely on an LDAP
server as a back-end. The local PAM stack was not really intended to be
a service that can be farmed out for other systems to use. It was meant
as a way to provide access to local services running on that system. To
use PAM for group membership (i.e. through the pam_listfile ACL) would
require a separate tac_plus daemon and PAM configuration for each
network device.

Adding LDAP queries to tac_plus would be the most general solution, in which case this would have little direct relevance to IPA. However, the schema we use, ACLs and internal "business logic" applied on top of LDAP queries might not map easily to a generic LDAP interface in tac_plus. I really don't know. All of this is to say there is another way to use IPA as a backend service besides connecting to our LDAP server. We do support an XML-RPC interface that is fully authenticated and encrypted. So another option would be for tac_plus to make RPC calls. Just a thought.

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
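The authorization step James describes above (tac_plus keeping the group permissions in its own config file, while the user-to-group assignment is read from the FreeIPA/389 LDAP server) can be sketched as an added example. This is not tac_plus or FreeIPA code; it assumes group membership comes from the user's memberOf attribute as 389/FreeIPA populate it, that group DNs follow FreeIPA's cn=<name>,cn=groups,cn=accounts,<base> layout, that tac_plus group names are read from its `group = <name> {` definitions, and the LDAP entries and config text are constructed samples standing in for a real directory query. Where a user belongs to more than one matching group, the first group defined in the config wins; a user matching no configured group gets no authorization group at all.

```python
"""Map a FreeIPA/389 user's LDAP group membership onto tac_plus authorization groups.

Added example, not code from tac_plus or FreeIPA. Assumptions are noted inline.
"""
import re
from typing import Optional

# Constructed sample: a minimal tac_plus-style config defining two groups.
# Only the 'group = <name> {' lines matter to this example.
TACPLUS_CONFIG = """
group = netadmin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = netops {
    service = exec {
        priv-lvl = 1
    }
}
"""

# Constructed sample LDAP entries shaped like FreeIPA user objects with memberOf
# populated (assumption: FreeIPA's default DIT layout under dc=example,dc=com).
LDAP_USERS = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": "alice",
        "memberOf": [
            "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com",
            "cn=netadmin,cn=groups,cn=accounts,dc=example,dc=com",
        ],
    },
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": "bob",
        "memberOf": [
            "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com",
            "cn=netops,cn=groups,cn=accounts,dc=example,dc=com",
        ],
    },
    "uid=carol,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": "carol",
        # Authenticates fine via PAM/Kerberos, but is in no network group.
        "memberOf": ["cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"],
    },
    "uid=dave,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": "dave",
        # Member of both configured groups: config order decides.
        "memberOf": [
            "cn=netops,cn=groups,cn=accounts,dc=example,dc=com",
            "cn=netadmin,cn=groups,cn=accounts,dc=example,dc=com",
        ],
    },
}

# 'group = <name> {' at the start of a line, in definition order.
_GROUP_DEF = re.compile(r"^\s*group\s*=\s*([A-Za-z0-9_.-]+)\s*\{", re.MULTILINE)
# Extract the group name from a FreeIPA group DN (assumed layout).
_GROUP_DN = re.compile(r"^cn=([^,]+),cn=groups,cn=accounts,", re.IGNORECASE)


def tacplus_groups(config_text: str) -> list:
    """Return the tac_plus group names in the order they are defined."""
    return _GROUP_DEF.findall(config_text)


def ldap_group_names(entry: dict) -> set:
    """Return the lower-cased group names from an entry's memberOf values."""
    names = set()
    for dn in entry.get("memberOf", []):
        m = _GROUP_DN.match(dn)
        if m:
            names.add(m.group(1).lower())
    return names


def resolve_tacplus_group(uid: str, users: dict, config_text: str) -> Optional[str]:
    """Pick the tac_plus group for a uid from its LDAP memberships.

    Returns None when the user is unknown or belongs to no configured group,
    so the caller can fall back to denying the service request.
    """
    entry = next((e for e in users.values() if e.get("uid") == uid), None)
    if entry is None:
        return None
    ldap_names = ldap_group_names(entry)
    for name in tacplus_groups(config_text):
        if name.lower() in ldap_names:
            return name  # first configured group wins on multiple matches
    return None


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "dave", "mallory"):
        print(uid, "->", resolve_tacplus_group(uid, LDAP_USERS, TACPLUS_CONFIG))
```

The design keeps the group permission definitions where James places them, in the tac_plus config, and confines the LDAP side to answering "which configured groups is this user a member of"; the same resolver would work against a live 389 query as long as it returns memberOf values.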
