Re: [Freeipa-users] Feature request: TACACS+ integration

2010-08-25 Thread Kambiz Aghaiepour
James Roman wrote: > > From what I can see it looks like the missing piece would be the ability > to look up tac_plus user->group assignments from the FreeIPA/389 LDAP > server. It looks like tac_plus has "integrated" the authentication > with LDAP via PAM, but not the authorization. When buildi

Re: [Freeipa-users] Feature request: TACACS+ integration

2010-08-25 Thread Dmitri Pal
James Roman wrote: > >>> >>> From both a network and a security point of view, TACACS+ is >>> considered preferable to RADIUS; among other benefits, it enciphers >>> the entire conversation, rather than just portions of it, and can >>> provide more fine-grain authorization than RADIUS. Most Cisco

Re: [Freeipa-users] Feature request: TACACS+ integration

2010-08-25 Thread John Dennis
On 08/25/2010 11:22 AM, James Roman wrote: The more practical solution which may be available to you would be to avail yourself of the PAM integration in the tac_plus project (but to be honest I don't see how that would give you any of the sophisticated features you cite as being a prime motivato

Re: [Freeipa-users] FreeIPA-Samba4 integration?

2010-08-25 Thread Dmitri Pal
Attila Bogár wrote: > Hi, > > I would like to deploy an integrated Samba4 / FreeIPA environment. > > I would like to enquire, what's the current status of FreeIPA > 1.9.0.pre4 and Samba4 integration. > > I've tried http://freeipa.org/page/Samba_4_Configuration a month ago, > though the ldap provis

Re: [Freeipa-users] Feature request: TACACS+ integration

2010-08-25 Thread James Roman
From both a network and a security point of view, TACACS+ is considered preferable to RADIUS; among other benefits, it enciphers the entire conversation, rather than just portions of it, and can provide more fine-grain authorization than RADIUS. Most Cisco shops I've encountered consider RADIU

Re: [Freeipa-users] Feature request: TACACS+ integration

2010-08-25 Thread John Dennis
On 08/25/2010 08:21 AM, david klein wrote: On Wed, Aug 25, 2010 at 6:50 AM, John Dennis wrote: On 08/24/2010 11:22 PM, david klein wrote: Sorry to those who have already seen this; I posted to the wrong mailing list (the -interest mailing list instead of the -users list). As an NMS engineer,

Re: [Freeipa-users] Feature request: TACACS+ integration

2010-08-25 Thread david klein
On Wed, Aug 25, 2010 at 6:50 AM, John Dennis wrote: > On 08/24/2010 11:22 PM, david klein wrote: >> >> Sorry to those who have already seen this; I posted to the wrong >> mailing list (the -interest mailing list instead of the -users list). >> >> As an NMS engineer, I have a use for integrated TAC

Re: [Freeipa-users] Feature request: TACACS+ integration

2010-08-25 Thread John Dennis
On 08/24/2010 11:22 PM, david klein wrote: Sorry to those who have already seen this; I posted to the wrong mailing list (the -interest mailing list instead of the -users list). As an NMS engineer, I have a use for integrated TACACS+ with a unified identity solution, so that the same account nam