Re: [Freeipa-users] Can FreeIPA use FreeRADIUS as users provider
On Sat, 2012-03-03 at 18:09 -0500, Dmitri Pal wrote:
> On 03/01/2012 09:21 AM, Pavel Zhukov wrote:
> > Simo, thank you for your answer
> > FreeRADIUS uses very customized (for complex network ACLs) MySQL schema
> > and network team manages it. Unfortunately, I cannot change FreeRADIUS
> > related infrastructure.
> >
> AuthHub is your friend then.
> https://fedorahosted.org/AuthHub/
>
> I am CCing Nathaniel who is the developer on this project. I know he is
> looking into RADIUS integration. Any help would be appreciated.

So the answer is that AuthHub will support RADIUS very soon (it is currently our highest priority). This means that krb5 >= 1.10 + AuthHub will soon support RADIUS. When this support will hit FreeIPA directly, I'm not sure. But we can definitely use as much help testing AuthHub as possible.

Nathaniel

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Can FreeIPA use FreeRADIUS as users provider
On 03/01/2012 09:21 AM, Pavel Zhukov wrote:
> Simo, thank you for your answer
> FreeRADIUS uses very customized (for complex network ACLs) MySQL schema
> and network team manages it. Unfortunately, I cannot change FreeRADIUS
> related infrastructure.
>
AuthHub is your friend then.
https://fedorahosted.org/AuthHub/

I am CCing Nathaniel who is the developer on this project. I know he is looking into RADIUS integration. Any help would be appreciated.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] Can FreeIPA use FreeRADIUS as users provider
Simo, thank you for your answer
FreeRADIUS uses very customized (for complex network ACLs) MySQL schema and network team manages it. Unfortunately, I cannot change FreeRADIUS related infrastructure.

--
Best regards,
Pavel Zhukov
mailto:pa...@zhukoff.net

On Thu, 01 Mar 2012, Simo Sorce wrote:
> On Thu, 2012-03-01 at 16:35 +0400, Pavel Zhukov wrote:
> > Hi all
> > I'm going to deploy "kerberised network" and have some questions.
> > I've deployed FreeIPA server and enrolled hosts, it's OK,
> > I've deployed RHEV and configured FreeIPA as DS, it's OK.
> >
> > FreeRADIUS is used for user login (through Cisco FireWall or Cisco
> > VPN) and contains user database (mysql).
> >
> > Is it possible to integrate FreeRADIUS server and FreeIPA? For
> > security reasons replication of transfer) of passwords is impossible.
> >
> > possible scenario:
> > User tries to access some resource (ssh for example) -> ssh server
> > goes to kerberos (IPA) server -> IPA (LDAP?) goes to RADIUS (using
> > kerberos if possible?) -> krb ticket -> login
>
> No, it doesn't work this way.
> But you can use LDAP as a backend for FreeRADIUS so that Radius goes to
> FreeIPA to try to authenticate users.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Can FreeIPA use FreeRADIUS as users provider
I have configured a freeradius server that uses the FreeIPA LDAP backend for user and device authentication. It's not at all difficult.

On Thu, Mar 1, 2012 at 9:11 AM, Simo Sorce wrote:
> On Thu, 2012-03-01 at 16:35 +0400, Pavel Zhukov wrote:
> > Hi all
> > I'm going to deploy "kerberised network" and have some questions.
> > I've deployed FreeIPA server and enrolled hosts, it's OK,
> > I've deployed RHEV and configured FreeIPA as DS, it's OK.
> >
> > FreeRADIUS is used for user login (through Cisco FireWall or Cisco
> > VPN) and contains user database (mysql).
> >
> > Is it possible to integrate FreeRADIUS server and FreeIPA? For
> > security reasons replication of transfer) of passwords is impossible.
> >
> > possible scenario:
> > User tries to access some resource (ssh for example) -> ssh server
> > goes to kerberos (IPA) server -> IPA (LDAP?) goes to RADIUS (using
> > kerberos if possible?) -> krb ticket -> login
>
> No, it doesn't work this way.
> But you can use LDAP as a backend for FreeRADIUS so that Radius goes to
> FreeIPA to try to authenticate users.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Can FreeIPA use FreeRADIUS as users provider
On Thu, 2012-03-01 at 16:35 +0400, Pavel Zhukov wrote:
> Hi all
> I'm going to deploy "kerberised network" and have some questions.
> I've deployed FreeIPA server and enrolled hosts, it's OK,
> I've deployed RHEV and configured FreeIPA as DS, it's OK.
>
> FreeRADIUS is used for user login (through Cisco FireWall or Cisco
> VPN) and contains user database (mysql).
>
> Is it possible to integrate FreeRADIUS server and FreeIPA? For
> security reasons replication of transfer) of passwords is impossible.
>
> possible scenario:
> User tries to access some resource (ssh for example) -> ssh server
> goes to kerberos (IPA) server -> IPA (LDAP?) goes to RADIUS (using
> kerberos if possible?) -> krb ticket -> login

No, it doesn't work this way.
But you can use LDAP as a backend for FreeRADIUS so that Radius goes to FreeIPA to try to authenticate users.

Simo.

--
Simo Sorce * Red Hat, Inc * New York