diff options
author | John Dennis <jdennis@redhat.com> | 2007-11-10 00:09:07 -0500 |
---|---|---|
committer | John Dennis <jdennis@redhat.com> | 2007-11-10 00:09:07 -0500 |
commit | 84275328a0f5ff1ac0ddad65da18b7636312c0c1 (patch) | |
tree | deeb7f5cf490ca35c7cdfed34f641068aedfb650 /ipa-server | |
parent | 80c4ed7af26b5b6a581ccc8e0a9e65e53e43cc4c (diff) | |
download | freeipa-84275328a0f5ff1ac0ddad65da18b7636312c0c1.tar.gz freeipa-84275328a0f5ff1ac0ddad65da18b7636312c0c1.tar.xz freeipa-84275328a0f5ff1ac0ddad65da18b7636312c0c1.zip |
radius now does kerberos auth, reads client entries from LDAP
Diffstat (limited to 'ipa-server')
-rw-r--r-- | ipa-server/ipa-install/share/60radius.ldif | 46 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/bootstrap-template.ldif | 18 | ||||
-rw-r--r-- | ipa-server/ipa-install/share/radius.radiusd.conf.template | 21 | ||||
-rw-r--r-- | ipa-server/ipaserver/radiusinstance.py | 7 |
4 files changed, 81 insertions, 11 deletions
diff --git a/ipa-server/ipa-install/share/60radius.ldif b/ipa-server/ipa-install/share/60radius.ldif index 1802029ea..ac9e3befb 100644 --- a/ipa-server/ipa-install/share/60radius.ldif +++ b/ipa-server/ipa-install/share/60radius.ldif @@ -4,6 +4,11 @@ # LDAP v3 version by Jochen Friedrich <jochen@scram.de> # Updates by Adrian Pavlykevych <pam@polynet.lviv.ua> # Modified by John Dennis <jdennis@redhat.com> for use with Directory Sever/IPA +# +# Note: These OID's do not seem to be registered, the closest I could find +# was 1.3.6.1.4.1.3317 +# {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) gnome(3317)} +# ############## dn: cn=schema attributeTypes: @@ -521,3 +526,44 @@ objectClasses: MUST cn MAY ( uid $ userPassword $ description ) ) +attributeTypes: + ( 1.3.6.1.4.1.3317.4.3.1.63 + NAME 'radiusClientNASIpAddress' + DESC '' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: + ( 1.3.6.1.4.1.3317.4.3.1.64 + NAME 'radiusClientSecret' + DESC '' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: + ( 1.3.6.1.4.1.3317.4.3.1.65 + NAME 'radiusClientNASType' + DESC '' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE + ) +attributeTypes: + ( 1.3.6.1.4.1.3317.4.3.1.66 + NAME 'radiusClientShortName' + DESC '' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ) +# c->ipaddr = radiusNASIpAddress +# c->secret = radiusSecret +objectClasses: + ( 1.3.6.1.4.1.3317.4.3.2.3 + NAME 'radiusClientProfile' + SUP top STRUCTURAL + DESC 'A Container Objectclass to be used for describing radius clients' + MUST (radiusClientNASIpAddress $ radiusClientSecret) + MAY ( radiusClientNASType $ radiusClientShortName $ nsEncryptionAlgorithm $ description ) + ) diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index d793dd9ee..35d60a326 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif @@ -56,6 +56,24 @@ homeDirectory: /home/admin loginShell: /bin/bash gecos: Administrator +dn: cn=services,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: services + +dn: cn=radius,cn=services,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: radius + +dn: cn=clients,cn=radius,cn=services,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: clients + dn: cn=admins,cn=groups,cn=accounts,$SUFFIX changetype: add objectClass: top diff --git a/ipa-server/ipa-install/share/radius.radiusd.conf.template b/ipa-server/ipa-install/share/radius.radiusd.conf.template index d03105485..73d101c7e 100644 --- a/ipa-server/ipa-install/share/radius.radiusd.conf.template +++ b/ipa-server/ipa-install/share/radius.radiusd.conf.template @@ -57,9 +57,6 @@ thread pool { max_requests_per_server = 0 } modules { - pap { - auto_header = yes - } chap { authtype = CHAP } @@ -85,13 +82,17 @@ $$INCLUDE $${confdir}/eap.conf filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" start_tls = no - access_attr = "$ACCESS_ATTRIBUTE" + # FIXME: we'll want to toggle the access_attr feature on/off, + # but it needs a control, so disable it for now. + #access_attr = "$ACCESS_ATTRIBUTE" + #access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT" dictionary_mapping = $${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 1 + clients_basedn = "$CLIENTS_BASEDN" } realm IPASS { format = prefix @@ -229,6 +230,10 @@ $$INCLUDE $${confdir}/eap.conf override = no maximum-timeout = 0 } + krb5 { + keytab = "$RADIUS_KEYTAB" + service_principal = "$RADIUS_PRINCIPAL" + } } instantiate { exec @@ -242,20 +247,18 @@ authorize { eap #files ldap - pap } authenticate { - Auth-Type PAP { - pap - } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } - unix eap + Auth-Type Kerberos { + krb5 + } } preacct { preprocess diff --git a/ipa-server/ipaserver/radiusinstance.py b/ipa-server/ipaserver/radiusinstance.py index 2aee09b33..90727758f 100644 --- a/ipa-server/ipaserver/radiusinstance.py +++ b/ipa-server/ipaserver/radiusinstance.py @@ -79,10 +79,11 @@ class RadiusInstance(service.Service): def create_instance(self, realm_name, host_name, ldap_server): self.realm = realm_name.upper() + self.suffix = realm_to_suffix(self.realm) self.fqdn = host_name self.ldap_server = ldap_server self.principal = "%s/%s@%s" % (RADIUS_SERVICE_NAME, self.fqdn, self.realm) - self.basedn = realm_to_suffix(self.realm) + self.basedn = self.suffix self.user_basedn = "%s,%s" % (DefaultUserContainer, self.basedn) # FIXME, should be utility to get this self.radius_version = get_radius_version() self.start_creation(4, "Configuring radiusd") @@ -115,7 +116,9 @@ class RadiusInstance(service.Service): 'RADIUS_KEYTAB' : IPA_KEYTAB_FILEPATH, 'RADIUS_PRINCIPAL' : self.principal, 'RADIUS_USER_BASE_DN' : self.user_basedn, - 'ACCESS_ATTRIBUTE' : 'dialupAccess' + 'ACCESS_ATTRIBUTE' : '', + 'ACCESS_ATTRIBUTE_DEFAULT' : 'TRUE', + 'CLIENTS_BASEDN' : 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.suffix } try: radiusd_conf = template_file(RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict) |