Michael Mercier wrote:
On 2012-08-22, at 4:12 PM, Rob Crittenden wrote:

Michael Mercier wrote:

In Aug 2010, someone posted a message to this list about integrating
tacacs+ with freeipa

At the time, it was mentioned that this was not on the roadmap, has this

No, still not on the roadmap.

If RedHat has no plans to do this, where can I find the freeipa
documentation that would allow me to do a proof-of-concept?  I would use
the freely available tac_plus (http://www.shrubbery.net/tac_plus/) as a
staring point.

http://freeipa.org/page/Contribute (in Developer Documentation and Developement 
Process) and

Some of the specific things I am looking for:
1.  How should passwords be verified?  sssd, pam, ldap lookup, krb?
2.  How the ldap schema should be designed for best integration?

I'd start by seeing if there is already one defined as a real or quasi standard.

3.  The proper way to query the ldap server (standard ldap calls or is
there some specific freeipa api)

Standard LDAP calls.

4.  I am sure I am not asking something!!

I tried asking some similar questions on freeipa-devel but didn't
receive a response.



I have started playing with having the tac_plus daemon use Freeipa and have 
some questions regarding HBAC.

I have done the following:

1.  Created a DNS entry for my device:  pix.beta.local <->
2.  Disabled the 'allow_all' HBAC rule
3.  Created an HBAC rule tacacs with the following:
   a) who: user group: ciscoadmin - user mike is part of ciscoadmin
   b) Accessing: hosts: pix.beta.local
   c) via service: tac_plus
   d) from: any host

I can successfully login (auth) to a Cisco ASA via the tac_plus daemon using 
PAM.  I have added some code to also attempt to do PAM accounting for the 
device and can't get this to work.

Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:auth): 
authentication success; logname=root uid=0 euid=0 tty= ruser= rhost= 
Aug 28 16:13:34 ipaserver tac_plus[2217]: pam_sss(tac_plus:account): Access 
denied for user mike: 6 (Permission denied)

If I add the host (ipaserver.beta.local) the daemon is running on to the 
'Accessing' list or enable the 'allow_all' rule, I am able to login.

I see the following in my audit.log
type=USER_AUTH msg=audit(1346184814.834:168): user pid=2217 uid=0 auid=0 ses=1 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication 
acct="mike" exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" 
hostname= addr= terminal=pts/0 res=success'
type=USER_ACCT msg=audit(1346184814.845:169): user pid=2217 uid=0 auid=0 ses=1 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting 
acct="mike" exe="/home/tacacs/tacacs+-F4.0.4.26/.libs/lt-tac_plus" 
hostname= addr= terminal=pts/0 res=failed'

It seems that the machine the daemon is running on is being used for the HBAC 
rule (at least that is what is looks like from the dirsrv access log)
[28/Aug/2012:16:13:33 -0400] conn=29 op=45 SRCH base="cn=hbac,dc=beta,dc=local" scope=2 
 attrs="objectClass cn ipaUniqueID ipaEnabledFlag accessRuleType memberUser userCategory memberService 
serviceCategory sourceHost sourceHostCategory externalHost memberHost hostCategory"

Is it possible to get the 'hostname' (pix.beta.local/ passed 
through to HBAC?
It looks like the 'msg' portion of the audit data is coming from PAM (Is this 
Should I be posting this to the devel list instead?

An educated guess would be that the tac_plus daemon would need to be modified to send the requesting server hostname to PAM.


Freeipa-users mailing list

Reply via email to