Re: [Freeipa-users] Can FreeIPA use FreeRADIUS as users provider
On Sat, 2012-03-03 at 18:09 -0500, Dmitri Pal wrote:
> On 03/01/2012 09:21 AM, Pavel Zhukov wrote:
> > Simo, thank you for your answer
> > FreeRADIUS uses very customized (for complex network ACLs) MySQL schema and network team manages it. Unfortunately, I cannot change FreeRADIUS related infrastructure.
>
> AuthHub is your friend then.
> https://fedorahosted.org/AuthHub/
>
> I am CC'ing Nathaniel, who is the developer on this project. I know he is looking into RADIUS integration. Any help would be appreciated.

So the answer is that AuthHub will support RADIUS very soon (it is currently our highest priority). This means that krb5 = 1.10 + AuthHub will soon support RADIUS. When this support will hit FreeIPA directly, I'm not sure. But we can definitely use as much help testing AuthHub as possible.

Nathaniel

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Can FreeIPA use FreeRADIUS as users provider
On 03/01/2012 09:21 AM, Pavel Zhukov wrote:
> Simo, thank you for your answer
> FreeRADIUS uses very customized (for complex network ACLs) MySQL schema and network team manages it. Unfortunately, I cannot change FreeRADIUS related infrastructure.

AuthHub is your friend then.
https://fedorahosted.org/AuthHub/

I am CC'ing Nathaniel, who is the developer on this project. I know he is looking into RADIUS integration. Any help would be appreciated.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] Can FreeIPA use FreeRADIUS as users provider
On Thu, 2012-03-01 at 16:35 +0400, Pavel Zhukov wrote:
> Hi all
> I'm going to deploy kerberised network and have some questions.
> I've deployed FreeIPA server and enrolled hosts, it's OK,
> I've deployed RHEV and configured FreeIPA as DS, it's OK.
> FreeRADIUS is used for user login (through Cisco FireWall or Cisco VPN) and contains user database (mysql). Is it possible to integrate FreeRADIUS server and FreeIPA? For security reasons replication (or transfer) of passwords is impossible.
> possible scenario:
> User tries to access some resource (ssh for example) - ssh server goes to kerberos (IPA) server - IPA (LDAP?) goes to RADIUS (using kerberos if possible?) - krb ticket - login

No, doesn't work this way.
But you can use LDAP as a backend for FreeRADIUS so that Radius goes to FreeIPA to try to authenticate users.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Can FreeIPA use FreeRADIUS as users provider
I have configured a freeradius server that uses the FreeIPA LDAP backend for user and device authentication. It's not at all difficult.

On Thu, Mar 1, 2012 at 9:11 AM, Simo Sorce s...@redhat.com wrote:
> On Thu, 2012-03-01 at 16:35 +0400, Pavel Zhukov wrote:
> > Hi all
> > I'm going to deploy kerberised network and have some questions.
> > I've deployed FreeIPA server and enrolled hosts, it's OK,
> > I've deployed RHEV and configured FreeIPA as DS, it's OK.
> > FreeRADIUS is used for user login (through Cisco FireWall or Cisco VPN) and contains user database (mysql). Is it possible to integrate FreeRADIUS server and FreeIPA? For security reasons replication (or transfer) of passwords is impossible.
> > possible scenario:
> > User tries to access some resource (ssh for example) - ssh server goes to kerberos (IPA) server - IPA (LDAP?) goes to RADIUS (using kerberos if possible?) - krb ticket - login
>
> No, doesn't work this way.
> But you can use LDAP as a backend for FreeRADIUS so that Radius goes to FreeIPA to try to authenticate users.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Can FreeIPA use FreeRADIUS as users provider
Simo, thank you for your answer
FreeRADIUS uses very customized (for complex network ACLs) MySQL schema and network team manages it. Unfortunately, I cannot change FreeRADIUS related infrastructure.

--
Best regards,
Pavel Zhukov
mailto:pa...@zhukoff.net

On Thu, 01 Mar 2012, Simo Sorce wrote:
> On Thu, 2012-03-01 at 16:35 +0400, Pavel Zhukov wrote:
> > Hi all
> > I'm going to deploy kerberised network and have some questions.
> > I've deployed FreeIPA server and enrolled hosts, it's OK,
> > I've deployed RHEV and configured FreeIPA as DS, it's OK.
> > FreeRADIUS is used for user login (through Cisco FireWall or Cisco VPN) and contains user database (mysql). Is it possible to integrate FreeRADIUS server and FreeIPA? For security reasons replication (or transfer) of passwords is impossible.
> > possible scenario:
> > User tries to access some resource (ssh for example) - ssh server goes to kerberos (IPA) server - IPA (LDAP?) goes to RADIUS (using kerberos if possible?) - krb ticket - login
>
> No, doesn't work this way.
> But you can use LDAP as a backend for FreeRADIUS so that Radius goes to FreeIPA to try to authenticate users.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York