James Roman wrote:
> From what I can see it looks like the missing piece would be the ability
> to look up tac_plus user->group assignments from the FreeIPA/389 LDAP
> server. It looks like tac_plus has "integrated" the authentication
> with LDAP via PAM, but not the authorization. When building an
> authentication solution for network devices with FreeIPA, providing
> authentication via TACACS+ would be secondary, since you could have your
> Cisco device directly authenticate the user against FreeIPA using
> Kerberos. TACACS+ primary benefit is in the granular control of
> Authorization to network device services. If you can get tac_plus to
> reference an LDAP server for group membership, then you might have a
> reasonable solution. You would still need to assign the group's network
> permissions in the tac_plus configuration file, but that would be done
> once. Once the group access was defined, you could assign LDAP users to
> groups that match what's in the tac_plus config file.
> This really requires the tac_plus team to code direct LDAP integration
> into their application similar to the way Freeradius can rely on an LDAP
> server as a back-end. The local PAM stack was not really intended to be
> a service that can be farmed out for other systems to use. It was meant
> as a way to provide access to local services running on that system. To
> use PAM for group membership (i.e. through the pam_listfile ACL) would
> require a separate tac_plus daemon and PAM configuration for each
> network device.

Yep.  We're using tac_plus from shrubbery and have configured it for pam
auth for login (they've intentionally not allowed pam auth for enable
access).  It would be nice to not have to worry about enumerating users
in the tac_plus configuration and pull data out of LDAP though that
seems more to be a feature request against tac_plus than IPA.  We're
also using freeradius2 with LDAP auth (via pam) mostly to support a
Cisco NCM installation because the Tacacs+ support in the current
version of NCM is broken and fails to authenticate users if their
password is >15 characters, but I digress.  Some future integration of
tacacs+ configuration with freeipa would be nice allowing for management
via the web management interface, though I think as has been stated, the
first step may be more to get the tac_plus code to look for particular
group memberships.  Our current user definitions are simply in the form:

user = someuser {
    member = some_group
}

with the one-time effort of setting up the groups.


"All tyranny needs to gain a foothold is for people of
good conscience to remain silent."  --Thomas Jefferson
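
The thread's missing piece, taking the group membership from the FreeIPA/389 directory instead of enumerating users by hand in tac_plus.conf, can be bridged with a generator that turns the memberOf attribute FreeIPA publishes on user entries into `user = ... { member = ... }` stanzas. The following is an added example written for this page; it is not code from tac_plus, FreeIPA, or anyone in the thread. It assumes the group stanzas (`group = NAME {`) already exist in tac_plus.conf, that login is delegated to PAM with `login = PAM` as the reply above describes, and that the LDAP entries are shaped like python-ldap search results for `uid` and `memberOf` under `cn=users,cn=accounts,<base>`; the configuration and directory entries in the block are constructed sample data, not taken from any real deployment. Because a tac_plus `member` names exactly one group, the generator applies an explicit precedence when a user belongs to several defined groups, and it reports users that match no defined group rather than silently assigning them one.

```python
import re

# `group = NAME {` lines in tac_plus.conf; NAME may be double-quoted.
GROUP_RE = re.compile(r'^\s*group\s*=\s*"?([^\s"{]+)"?\s*\{', re.MULTILINE)
# Leading RDN of a FreeIPA group DN, e.g. cn=netadmin,cn=groups,cn=accounts,...
CN_RE = re.compile(r"^cn=([^,]+),", re.IGNORECASE)
# Names that can appear unquoted in tac_plus.conf (assumption: anything
# else is emitted double-quoted).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def tac_plus_groups(conf_text):
    """Names of the groups already defined in a tac_plus.conf body."""
    return set(GROUP_RE.findall(conf_text))


def group_cn(dn):
    """cn of a FreeIPA group DN, or None if the DN does not start with cn=."""
    m = CN_RE.match(dn)
    return m.group(1) if m else None


def quote(name):
    """Quote a name for tac_plus.conf if it is not a plain identifier."""
    if SAFE_NAME.match(name):
        return name
    return '"' + name.replace('"', '\\"') + '"'


def render_users(entries, known_groups, precedence=()):
    """Render one `user = ... { member = ... }` stanza per LDAP user.

    entries: (dn, attrs) pairs as python-ldap returns them (attribute
             values are lists of bytes).
    known_groups: set of group names defined in tac_plus.conf.
    precedence: tac_plus `member` names a single group, so a user in
             several known groups gets the first one in this order;
             known groups not listed here follow in sorted order.
    Returns (config_text, skipped_uids); users in no known group are
    skipped rather than silently given a default group.
    """
    order = [g for g in precedence if g in known_groups]
    order += sorted(known_groups - set(order))
    rank = {g: i for i, g in enumerate(order)}
    stanzas, skipped = [], []
    for _dn, attrs in sorted(entries, key=lambda e: e[1]["uid"][0]):
        uid = attrs["uid"][0].decode()
        cns = {group_cn(v.decode()) for v in attrs.get("memberOf", [])}
        matches = [g for g in cns if g in rank]
        if not matches:
            skipped.append(uid)
            continue
        group = min(matches, key=rank.__getitem__)
        stanzas.append("user = %s {\n    login = PAM\n    member = %s\n}\n"
                       % (quote(uid), quote(group)))
    return "".join(stanzas), skipped


# Constructed sample data (not from the thread): an existing tac_plus.conf
# with two group stanzas, and three user entries as FreeIPA would return them.
SAMPLE_CONF = """\
group = netadmin {
    default service = permit
    service = exec { priv-lvl = 15 }
}
group = netops {
    service = exec { priv-lvl = 1 }
    cmd = show { permit .* }
}
"""
BASE = "cn=accounts,dc=example,dc=com"


def _grp(name):
    return ("cn=%s,cn=groups,%s" % (name, BASE)).encode()


SAMPLE_ENTRIES = [
    ("uid=alice,cn=users," + BASE,
     {"uid": [b"alice"], "memberOf": [_grp("ipausers"), _grp("netadmin")]}),
    ("uid=bob,cn=users," + BASE,
     {"uid": [b"bob"],
      "memberOf": [_grp("ipausers"), _grp("netops"), _grp("netadmin")]}),
    ("uid=carol,cn=users," + BASE,
     {"uid": [b"carol"], "memberOf": [_grp("ipausers")]}),
]


def build_sample():
    """Run the generator over the sample data; returns (text, skipped)."""
    return render_users(SAMPLE_ENTRIES, tac_plus_groups(SAMPLE_CONF),
                        ["netadmin", "netops"])


if __name__ == "__main__":
    text, skipped = build_sample()
    print(text)
    print("# no tac_plus group for:", ", ".join(skipped))
```

In a real deployment the `SAMPLE_ENTRIES` list would be replaced by the result of an LDAP search (for example `ldapsearch -LLL -b cn=users,cn=accounts,<base> uid memberOf`, or the python-ldap equivalent) run from cron, with the generated text appended to the hand-maintained group definitions and tac_plus sent a reload; the group definitions themselves stay a one-time effort in tac_plus.conf, as the thread describes.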

Freeipa-users mailing list
