[Freeipa-devel] status of radius IPA work

Karl MacMillan kmacmill at redhat.com
Mon Nov 5 14:45:34 UTC 2007


On Fri, 2007-11-02 at 16:54 -0400, John Dennis wrote:
> Phew, this has been a long week, I've made progress.
> 
> The radius server is now able to perform a SASL bind to the IPA LDAP
> server using kerberos tickets obtained during the IPA install. Radiusd
> can also successfully perform LDAP queries. The major components of
> the work thus far have been:
> 
> * authored radiusinstance.py which does the following:
>    - installs a radius LDAP schema in the slapd instance
>    - generates and installs the radiusd configuration file
>    - generates and installs the kerberos radius service keytab
>    - starts and stops the radiusd server
> 
> * Modified the radius ldap module:
>    - modified the autotool files to add configuration options
>      for building with SASL2 and KRB5, these can be toggled on
>      or off separately and the locations of the header files
>      can be specified (often necessary because many distributions
>      install these components in alternate locations or co-install
>      different versions).
> 
>      All code additions properly #ifdef'ed by symbols defined by
>      configure.
> 
>      Proper autotool support will be necessary for upstream
>      acceptance.
> 
>    - added support for new options in the radiusd configuration file to
>      handle ldap sasl and krb parameters.
> 
>    - added struct (object) to group all kerberos values into an
>      'instance'
> 
>    - added code to acquire the kerberos service ticket, track its
>      expiration, and use it to perform a bind to the IPA LDAP server.
> 
>    - all code does proper initialization, shutdown with freeing and
>      destroying of resources, debug tracing, and error handling in the
>      context of the freeradius code.
> 

When will you submit this work to freeradius? I'm wondering whether we
will know if these changes are acceptable to upstream before freeipa v1.

Karl



