On 2012-08-22, at 4:12 PM, Rob Crittenden wrote:

> Michael Mercier wrote:
>> Hello,
>> 
>> In Aug 2010, someone posted a message to this list about integrating
>> tacacs+ with freeipa
>> https://www.redhat.com/archives/freeipa-users/2010-August/msg00058.html
>> 
>> At the time, it was mentioned that this was not on the roadmap, has this
>> changed?
> 
> No, still not on the roadmap.
> 
> 
>> If RedHat has no plans to do this, where can I find the freeipa
>> documentation that would allow me to do a proof-of-concept?  I would use
>> the freely available tac_plus (http://www.shrubbery.net/tac_plus/) as a
>> starting point.
> 
> http://freeipa.org/page/Contribute (in Developer Documentation and 
> Development Process) and
> http://abbra.fedorapeople.org/freeipa-extensibility.html
> 
>> 
>> Some of the specific things I am looking for:
>> 1.  How should passwords be verified?  sssd, pam, ldap lookup, krb?
>> 2.  How the ldap schema should be designed for best integration?
> 
> I'd start by seeing if there is already one defined as a real or quasi 
> standard.
> 
>> 3.  The proper way to query the ldap server (standard ldap calls or is
>> there some specific freeipa api)
> 
> Standard LDAP calls.
> 
>> 4.  I am sure I am not asking something!!
>> 
>> I tried asking some similar questions on freeipa-devel but didn't
>> receive a response.
> 
> rob

Hello,

I have started playing with having the tac_plus daemon use Freeipa and have 
some questions regarding HBAC.

I have done the following:

1.  Created a DNS entry for my device:  pix.beta.local <-> 192.168.0.1
2.  Disabled the 'allow_all' HBAC rule
3.  Created an HBAC rule tacacs with the following:
  a) who: user group: ciscoadmin - user mike is part of ciscoadmin
  b) Accessing: hosts: pix.beta.local
  c) via service: tac_plus
  d) from: any host

I can successfully login (auth) to a Cisco ASA via the tac_plus daemon using 
PAM.  I have added some code to also attempt to do PAM accounting for the 
device and can't get this to work.

Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:auth): 
authentication success; logname=root uid=0 euid=0 tty= ruser= rhost=192.168.0.1 
user=mike
Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:account): Access 
denied for user mike: 6 (Permission denied)

If I add the host (ipaserver.beta.local) the daemon is running on to the 
'Accessing' list or enable the 'allow_all' rule, I am able to login.

I see the following in my audit.log
type=USER_AUTH msg=audit(1346184814.834:168): user pid=2217 uid=0 auid=0 ses=1 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
msg='op=PAM:authentication acct="mike" 
exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 
addr=192.168.0.1 terminal=pts/0 res=success'
type=USER_ACCT msg=audit(1346184814.845:169): user pid=2217 uid=0 auid=0 ses=1 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
msg='op=PAM:accounting acct="mike" 
exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 
addr=192.168.0.1 terminal=pts/0 res=failed'

It seems that the machine the daemon is running on is being used for the HBAC 
rule (at least that is what it looks like from the dirsrv access log):
[28/Aug/2012:16:13:33 -0400] conn=29 op=45 SRCH base="cn=hbac,dc=beta,dc=local" 
scope=2 
filter="(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)(|(hostCategory=all)(memberHost=fqdn=ipaserver.beta.local,cn=computers,cn=accounts,dc=beta,dc=local)))"
 attrs="objectClass cn ipaUniqueID ipaEnabledFlag accessRuleType memberUser 
userCategory memberService serviceCategory sourceHost sourceHostCategory 
externalHost memberHost hostCategory"

Is it possible to get the 'hostname' (pix.beta.local/192.168.0.1) passed 
through to HBAC?  
It looks like the 'msg' portion of the audit data is coming from PAM (Is this 
correct)?
Should I be posting this to the devel list instead?

Thanks,
Mike
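
A small log-correlation script, added here as an illustration and not part of Mike's post, of FreeIPA or of tac_plus. It parses the two audit records and the dirsrv access-log search quoted above (embedded below as constructed sample input, re-joined onto single lines), pulls out which host the HBAC search was run for, and flags a failed PAM accounting record whenever that host is not the network device the rule was written for. The `diagnose` helper and the field names it returns are my own, not an sssd or FreeIPA API.

```python
import re

# Constructed sample input: the two audit records and the dirsrv search from
# the post above, each re-joined onto a single line as auditd/dirsrv write them.
AUDIT_LOG = [
    'type=USER_AUTH msg=audit(1346184814.834:168): user pid=2217 uid=0 auid=0 ses=1 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'msg=\'op=PAM:authentication acct="mike" '
    'exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 '
    'addr=192.168.0.1 terminal=pts/0 res=success\'',
    'type=USER_ACCT msg=audit(1346184814.845:169): user pid=2217 uid=0 auid=0 ses=1 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'msg=\'op=PAM:accounting acct="mike" '
    'exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" hostname=192.168.0.1 '
    'addr=192.168.0.1 terminal=pts/0 res=failed\'',
]

DIRSRV_LOG = (
    '[28/Aug/2012:16:13:33 -0400] conn=29 op=45 SRCH base="cn=hbac,dc=beta,dc=local" '
    'scope=2 filter="(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)(|(hostCategory=all)'
    '(memberHost=fqdn=ipaserver.beta.local,cn=computers,cn=accounts,dc=beta,dc=local)))"'
)

# key=value tokens: double-quoted, single-quoted, or bare (whitespace-delimited).
KV_RE = re.compile(r"""(\w+)=("([^"]*)"|'([^']*)'|\S+)""")
# The host an HBAC rule is matched against appears as memberHost=fqdn=<host>,...
MEMBERHOST_RE = re.compile(r"memberHost=fqdn=([^,)]+),")


def parse_audit(line):
    """Flatten one auditd record into a dict, including the key=value pairs
    nested inside msg='...' (op, acct, exe, hostname, addr, terminal, res)."""
    fields = {}
    for key, raw, dq, sq in KV_RE.findall(line):
        if sq and "=" in sq:
            # msg='op=PAM:... acct="..." res=...' carries its own key=value list
            fields.update(parse_audit(sq))
            continue
        fields[key] = dq if dq else (sq if sq else raw)
    return fields


def hbac_filter_hosts(dirsrv_line):
    """Return the FQDNs the HBAC rule search was scoped to (may be empty)."""
    return MEMBERHOST_RE.findall(dirsrv_line)


def diagnose(audit_lines, dirsrv_lines, expected_host):
    """Correlate failed PAM accounting records with the host the HBAC search
    actually asked about, and flag when it is not the device we expected."""
    hbac_hosts = sorted({h for l in dirsrv_lines for h in hbac_filter_hosts(l)})
    findings = []
    for line in audit_lines:
        rec = parse_audit(line)
        if rec.get("type") != "USER_ACCT" or rec.get("res") != "failed":
            continue
        findings.append({
            "user": rec.get("acct"),
            "device": rec.get("hostname"),     # the TACACS+ client, as PAM saw it
            "hbac_hosts": hbac_hosts,          # the host(s) HBAC was evaluated for
            "mismatch": any(h != expected_host for h in hbac_hosts),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(AUDIT_LOG, [DIRSRV_LOG], "pix.beta.local"):
        print(f)
```

Run against the post's own logs it reports one finding: user `mike`, device `192.168.0.1`, HBAC evaluated for `ipaserver.beta.local`, mismatch `True`. That is the same conclusion Mike reaches from the dirsrv access log, and it explains why adding `ipaserver.beta.local` to the rule's "Accessing" list makes the accounting check pass.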


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
