radius now does kerberos auth, reads client entries from LDAP

4 files changed, 81 insertions, 11 deletions

diff --git a/ipa-server/ipa-install/share/60radius.ldif b/ipa-server/ipa-install/share/60radius.ldif
index 1802029ea..ac9e3befb 100644
--- a/ipa-server/ipa-install/share/60radius.ldif
+++ b/ipa-server/ipa-install/share/60radius.ldif
@@ -4,6 +4,11 @@
 # LDAP v3 version by Jochen Friedrich <jochen@scram.de>
 # Updates by Adrian Pavlykevych <pam@polynet.lviv.ua>
 # Modified by John Dennis <jdennis@redhat.com> for use with Directory Sever/IPA
+#
+# Note: These OID's do not seem to be registered, the closest I could find
+# was 1.3.6.1.4.1.3317
+# {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) gnome(3317)}
+#
 ##############
 dn: cn=schema
 attributeTypes:
@@ -521,3 +526,44 @@ objectClasses:
         MUST cn
         MAY ( uid $ userPassword $ description )
   )
+attributeTypes:
+    ( 1.3.6.1.4.1.3317.4.3.1.63
+        NAME 'radiusClientNASIpAddress'
+        DESC ''
+        EQUALITY caseIgnoreIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+        SINGLE-VALUE
+    )
+attributeTypes:
+    ( 1.3.6.1.4.1.3317.4.3.1.64
+        NAME 'radiusClientSecret'
+        DESC ''
+        EQUALITY caseIgnoreIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+        SINGLE-VALUE
+    )
+attributeTypes:
+    ( 1.3.6.1.4.1.3317.4.3.1.65
+        NAME 'radiusClientNASType'
+        DESC ''
+        EQUALITY caseIgnoreIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+        SINGLE-VALUE
+    )
+attributeTypes:
+    ( 1.3.6.1.4.1.3317.4.3.1.66
+        NAME 'radiusClientShortName'
+        DESC ''
+        EQUALITY caseIgnoreIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+    )
+# c->ipaddr = radiusNASIpAddress
+# c->secret = radiusSecret
+objectClasses:
+    ( 1.3.6.1.4.1.3317.4.3.2.3
+        NAME 'radiusClientProfile'
+        SUP top STRUCTURAL
+        DESC 'A Container Objectclass to be used for describing radius clients'
+        MUST (radiusClientNASIpAddress $ radiusClientSecret)
+        MAY ( radiusClientNASType $ radiusClientShortName $ nsEncryptionAlgorithm $ description )
+  )
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index d793dd9ee..35d60a326 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -56,6 +56,24 @@ homeDirectory: /home/admin
 loginShell: /bin/bash
 gecos: Administrator
 
+dn: cn=services,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: services
+
+dn: cn=radius,cn=services,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: radius
+
+dn: cn=clients,cn=radius,cn=services,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: clients
+
 dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/ipa-server/ipa-install/share/radius.radiusd.conf.template b/ipa-server/ipa-install/share/radius.radiusd.conf.template
index d03105485..73d101c7e 100644
--- a/ipa-server/ipa-install/share/radius.radiusd.conf.template
+++ b/ipa-server/ipa-install/share/radius.radiusd.conf.template
@@ -57,9 +57,6 @@ thread pool {
 	max_requests_per_server = 0
 }
 modules {
-	pap {
-		auto_header = yes
-	}
 	chap {
 		authtype = CHAP
 	}
@@ -85,13 +82,17 @@ $$INCLUDE $${confdir}/eap.conf
 		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 		base_filter = "(objectclass=radiusprofile)"
 		start_tls = no
-		access_attr = "$ACCESS_ATTRIBUTE"
+		# FIXME: we'll want to toggle the access_attr feature on/off,
+		# but it needs a control, so disable it for now.
+		#access_attr = "$ACCESS_ATTRIBUTE"
+		#access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT"
 		dictionary_mapping = $${raddbdir}/ldap.attrmap
 		ldap_connections_number = 5
 		edir_account_policy_check=no
 		timeout = 4
 		timelimit = 3
 		net_timeout = 1
+		clients_basedn = "$CLIENTS_BASEDN"
 	}
 	realm IPASS {
 		format = prefix
@@ -229,6 +230,10 @@ $$INCLUDE $${confdir}/eap.conf
 		override = no
 		maximum-timeout = 0
 	}
+	krb5 {
+		keytab = "$RADIUS_KEYTAB"
+		service_principal = "$RADIUS_PRINCIPAL"
+	}
 }
 instantiate {
 	exec
@@ -242,20 +247,18 @@ authorize {
 	eap
 	#files
 	ldap
-	pap
 }
 authenticate {
-	Auth-Type PAP {
-		pap
-	}
 	Auth-Type CHAP {
 		chap
 	}
 	Auth-Type MS-CHAP {
 		mschap
 	}
-	unix
 	eap
+	Auth-Type Kerberos {
+		krb5
+	}
 }
 preacct {
 	preprocess
diff --git a/ipa-server/ipaserver/radiusinstance.py b/ipa-server/ipaserver/radiusinstance.py
index 2aee09b33..90727758f 100644
--- a/ipa-server/ipaserver/radiusinstance.py
+++ b/ipa-server/ipaserver/radiusinstance.py
@@ -79,10 +79,11 @@ class RadiusInstance(service.Service):
 
     def create_instance(self, realm_name, host_name, ldap_server):
         self.realm        = realm_name.upper()
+        self.suffix       = realm_to_suffix(self.realm)
         self.fqdn         = host_name
         self.ldap_server  = ldap_server
         self.principal    = "%s/%s@%s" % (RADIUS_SERVICE_NAME, self.fqdn, self.realm)
-        self.basedn       = realm_to_suffix(self.realm)
+        self.basedn       = self.suffix
         self.user_basedn  = "%s,%s" % (DefaultUserContainer, self.basedn) # FIXME, should be utility to get this
         self.radius_version = get_radius_version()
         self.start_creation(4, "Configuring radiusd")
@@ -115,7 +116,9 @@ class RadiusInstance(service.Service):
                     'RADIUS_KEYTAB'            : IPA_KEYTAB_FILEPATH,
                     'RADIUS_PRINCIPAL'         : self.principal,
                     'RADIUS_USER_BASE_DN'      : self.user_basedn,
-                    'ACCESS_ATTRIBUTE'         : 'dialupAccess' 
+                    'ACCESS_ATTRIBUTE'         : '',
+                    'ACCESS_ATTRIBUTE_DEFAULT' : 'TRUE',
+                    'CLIENTS_BASEDN'           : 'cn=clients,cn=radius,cn=services,cn=etc,%s' % self.suffix
                     }
         try:
             radiusd_conf = template_file(RADIUSD_CONF_TEMPLATE_FILEPATH, sub_dict)