[Freeipa-devel] How we should be integrating RADIUS

Andrew Bartlett abartlet at samba.org
Thu Nov 8 21:33:39 UTC 2007


On Thu, 2007-11-08 at 16:26 -0500, John Dennis wrote:
> Andrew Bartlett wrote:
> > You miss my point.  The Samba part of this would be targeted at IPA
> > (Samba as a DC against LDAP), not AD, and will handle MSCHAPv2 for
> > FreeRADIUS.  In all other respects, the configuration would be
> > identical, as in both cases winbindd handles the details. 
> 
> When samba is integrated with IPA as a DC we can do this but that's not 
> the case today for v1.

This I think is a big mistake (leaving Samba out of V1), but that's not
where we are going for now. :-(

> FWIW, a lot of the current IPA radius work has little to do with 
> specific authentication methods but rather management of users and 
> clients, that infrastructure has to be in place first. This is staged 
> development, mschap is down the road.

OK. 

> >> One of the challenges of integrating radius into IPA is the fact radius 
> >> is best thought of as a toolkit with multiple ways of setting it up 
> >> tailored to the needs of the site. 
> > 
> > Sure, but shouldn't the role of IPA be to provide all the backend
> > configuration, already completed?
> 
> I'm afraid I don't follow what you mean by having all the backend 
> configuration completed.

I mean the glue between FreeRADIUS and whatever it is using (Samba,
krb5) to validate and authorise access. 

> >> I think we're going to end up with a 
> >> handful of pre-canned configurations that IPA supports, mschap/ntlm will 
> >> certainly be one of them in order to support Windows clients. 
> >> Figuring out how we're going to handle mschap/ntlm is on hold till V2.
> > 
> > If it's any different to that HOWTO I'll be very surprised, but I look
> > forward to it.
> 
> Yes you're right, for that one case it will look similar. What will be 
> different from the HOWTO is all the places in the HOWTO where it says 
> hand edit such and such, or where it fails to talk about the management 
> of NAS devices or the management of per user NAS attributes, all of that 
> infrastructure is getting automated as part of the v1 work. When that's 
> done we can apply the HOWTO recipe. The initial goal is to avoid any 
> direct manipulation of service configuration and the data the service 
> needs to access; the HOWTO glosses over those issues with the presumption 
> a human sys admin is actively involved in managing it. That's why mschap 
> is slated for v2 not v1.

I look forward to seeing the progress here, in part because Samba4 will
at some point probably need much the same treatment of FreeRADIUS.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.