[Freeipa-devel] [PATCH] radius work, please review
John Dennis
jdennis at redhat.com
Thu Nov 29 18:00:26 UTC 2007
Attached are the patches for the radius work, please review.
* The first patch is for freeradius, it contains the C code
modifications for performing a SASL GSSAPI bind to the IPA directory
server using the radius service principal's keytab, for querying the
radius client information from LDAP, and the autoconf modifications
to support conditional compilation of the new krb and sasl code.
The rpms have been build using Koji and can be accessed here:
http://koji.fedoraproject.org/koji/buildinfo?buildID=26067
* The second patch is against our IPA source tree, please note this is
a patch showing the final cumulative differences for easier review,
not the 23 mercurial changesets comprising it. I will send Karl
the changeset file or he can pull the changes from my repo
depending on which he thinks is easier (contact me directly for the
repo address and password).
* These are the files changed in the patch:
ipa-admintools/ipa-addradiusclient
ipa-admintools/ipa-addradiusprofile
ipa-admintools/ipa-delradiusclient
ipa-admintools/ipa-delradiusprofile
ipa-admintools/ipa-findradiusclient
ipa-admintools/ipa-findradiusprofile
ipa-admintools/ipa-radiusclientmod
ipa-admintools/ipa-radiusprofilemod
ipa-admintools/Makefile
ipa-python/ipaclient.py
ipa-python/ipautil.py
ipa-python/ipavalidate.py
ipa-python/radius_util.py
ipa-python/rpcclient.py
ipa-server/ipa-install/share/60radius.ldif
ipa-server/ipa-install/share/bootstrap-template.ldif
ipa-server/ipa-install/share/default-aci.ldif
ipa-server/ipa-install/share/encrypted_attribute.ldif
ipa-server/ipa-install/share/radius.radiusd.conf.template
ipa-server/ipaserver/radiusinstance.py
ipa-server/xmlrpc-server/funcs.py
ipa-server/xmlrpc-server/ipaxmlrpc.py
* I believe all the changes are exclusively related to radius and no
code in the general IPA code base was touched otherwise.
* During review I would like to draw your attention to the following
items:
bootstrap-template.ldif: adds radius clients and profiles containers
under cn=services,cn=etc
encrypted_attribute.ldif: sets the secret attribute in the radius
client objectclass to be encrypted using AES. At some point the ldiff
should be replaced with calls to perform an ldap modify as discussed
on the mailing list.
default-aci.ldif: The ACI's were modified in two ways. First the
radiusprofile object class was added to the "Account Admins can manage
Users and Groups" acl. Second, the "Only radius and admin can access
radius service data" acl was added which denies all access to radius
service data except for the admin and the radius service principal.
* The command line utilities which manipulate LDAP attrbutes can:
- take the attribute/value as a command line arg
- take any number of argument strings containing any number of
attribute/value pairs
- can read attribute/value pairs from a file or stdin
- can interactively prompt for attribute/values with auto completion
of the attribute name and auto completion of the default value.
- can delete attributes (critical as radius sometimes uses the
presence or absense of an attribute as a flag, setting the
attribute value to the empty string is not sufficient).
* Some general utility code was added to ipautil.py which provides the
following:
- perform attribute/value pair auto completion on a TTY, returns set
of attribute/value pairs, values will auto complete to their
defaults or their previous value.
- perform name auto completion on a TTY, returns a list of names.
- parse attribute/value pairs from text strings (properly handles
quoting and escaped quotes)
- read attribute/value pairs from a file (file can contain comments)
- parse name list and read names from a file (can contain comments).
- format for output a list of names in standard column format
--
John Dennis <jdennis at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius-1.1.7-ipa.patch
Type: text/x-patch
Size: 24681 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071129/db98699b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.patch
Type: text/x-patch
Size: 119743 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071129/db98699b/attachment-0001.bin>
More information about the Freeipa-devel
mailing list