5 files changed, 83 insertions, 11 deletions

diff --git a/ipa-server/ipa-install/share/60radius.ldif b/ipa-server/ipa-install/share/60radius.ldif
index 1802029ea..93a5ba319 100644
--- a/ipa-server/ipa-install/share/60radius.ldif
+++ b/ipa-server/ipa-install/share/60radius.ldif
@@ -4,6 +4,11 @@
 # LDAP v3 version by Jochen Friedrich <jochen@scram.de>
 # Updates by Adrian Pavlykevych <pam@polynet.lviv.ua>
 # Modified by John Dennis <jdennis@redhat.com> for use with Directory Sever/IPA
+#
+# Note: These OID's do not seem to be registered, the closest I could find
+# was 1.3.6.1.4.1.3317
+# {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) gnome(3317)}
+#
 ##############
 dn: cn=schema
 attributeTypes:
@@ -487,7 +492,7 @@ objectClasses:
         NAME 'radiusprofile'
         SUP top AUXILIARY
         DESC ''
-        MUST cn
+        MUST uid
         MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
             radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
             radiusCalledStationId $ radiusCallingStationId $ radiusClass $
@@ -521,3 +526,34 @@ objectClasses:
         MUST cn
         MAY ( uid $ userPassword $ description )
   )
+attributeTypes:
+    ( 1.3.6.1.4.1.3317.4.3.1.64
+        NAME 'radiusClientSecret'
+        DESC ''
+        EQUALITY caseIgnoreIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+        SINGLE-VALUE
+    )
+attributeTypes:
+    ( 1.3.6.1.4.1.3317.4.3.1.65
+        NAME 'radiusClientNASType'
+        DESC ''
+        EQUALITY caseIgnoreIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+        SINGLE-VALUE
+    )
+attributeTypes:
+    ( 1.3.6.1.4.1.3317.4.3.1.66
+        NAME 'radiusClientShortName'
+        DESC ''
+        EQUALITY caseIgnoreIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+    )
+objectClasses:
+    ( 1.3.6.1.4.1.3317.4.3.2.3
+        NAME 'radiusClientProfile'
+        SUP top STRUCTURAL
+        DESC 'A Container Objectclass to be used for describing radius clients'
+        MUST (radiusClientIPAddress $ radiusClientSecret)
+        MAY ( radiusClientNASType $ radiusClientShortName $ description )
+  )
diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif
index 3f0558d11..9642070c7 100644
--- a/ipa-server/ipa-install/share/bootstrap-template.ldif
+++ b/ipa-server/ipa-install/share/bootstrap-template.ldif
@@ -81,6 +81,30 @@ homeDirectory: /home/admin
 loginShell: /bin/bash
 gecos: Administrator
 
+dn: cn=radius,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: radius
+
+dn: cn=clients,cn=radius,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: clients
+
+dn: cn=profiles,cn=radius,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: profiles
+
+dn: uid=ipa_default, cn=profiles,cn=radius,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: radiusprofile
+uid: ipa_default
+
 dn: cn=admins,cn=groups,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index 6b8afd28b..95743eebb 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -9,9 +9,10 @@ aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaN
 aci: (targetattr = "krbPrincipalName || krbUPEnabled || krbPrincipalKey || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData")(version 3.0; acl "KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (read, search, compare, write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
 aci: (targetattr = "userPassword || krbPrincipalKey ||sambaLMPassword || sambaNTPassword || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange")(version 3.0; acl "Kpasswd access to passowrd hashes for passowrd changes"; allow (read, write) userdn = "ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
-aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+aci: (targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr != "aci")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "givenName || sn || cn || displayName || initials || loginShell || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)
+aci: (target="ldap:///cn=radius,$SUFFIX")(version 3.0; acl "Only radius and admin can access radius service data"; deny (all) userdn!="ldap:///uid=admin,cn=sysaccounts,cn=etc,$SUFFIX || ldap:///krbprincipalname=radius/$FQDN@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
 
 dn: cn=ipaConfig,cn=etc,$SUFFIX
 changetype: modify
diff --git a/ipa-server/ipa-install/share/encrypted_attribute.ldif b/ipa-server/ipa-install/share/encrypted_attribute.ldif
new file mode 100644
index 000000000..3f5e1b43d
--- /dev/null
+++ b/ipa-server/ipa-install/share/encrypted_attribute.ldif
@@ -0,0 +1,6 @@
+dn: cn=$ENCRYPTED_ATTRIBUTE, cn=encrypted attributes, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
+changetype: add
+objectClass: top
+objectClass: nsAttributeEncryption
+cn: $ENCRYPTED_ATTRIBUTE
+nsEncryptionAlgorithm: AES
diff --git a/ipa-server/ipa-install/share/radius.radiusd.conf.template b/ipa-server/ipa-install/share/radius.radiusd.conf.template
index d03105485..3bc4927dd 100644
--- a/ipa-server/ipa-install/share/radius.radiusd.conf.template
+++ b/ipa-server/ipa-install/share/radius.radiusd.conf.template
@@ -57,9 +57,6 @@ thread pool {
 	max_requests_per_server = 0
 }
 modules {
-	pap {
-		auto_header = yes
-	}
 	chap {
 		authtype = CHAP
 	}
@@ -85,13 +82,19 @@ $$INCLUDE $${confdir}/eap.conf
 		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 		base_filter = "(objectclass=radiusprofile)"
 		start_tls = no
-		access_attr = "$ACCESS_ATTRIBUTE"
+		profile_attribute = "radiusProfileDn"
+		default_profile = "uid=ipa_default,cn=profiles,cn=radius,cn=services,cn=etc,$SUFFIX
+		# FIXME: we'll want to toggle the access_attr feature on/off,
+		# but it needs a control, so disable it for now.
+		#access_attr = "$ACCESS_ATTRIBUTE"
+		#access_attr_used_for_allow = "$ACCESS_ATTRIBUTE_DEFAULT"
 		dictionary_mapping = $${raddbdir}/ldap.attrmap
 		ldap_connections_number = 5
 		edir_account_policy_check=no
 		timeout = 4
 		timelimit = 3
 		net_timeout = 1
+		clients_basedn = "$CLIENTS_BASEDN"
 	}
 	realm IPASS {
 		format = prefix
@@ -229,6 +232,10 @@ $$INCLUDE $${confdir}/eap.conf
 		override = no
 		maximum-timeout = 0
 	}
+	krb5 {
+		keytab = "$RADIUS_KEYTAB"
+		service_principal = "$RADIUS_PRINCIPAL"
+	}
 }
 instantiate {
 	exec
@@ -242,20 +249,18 @@ authorize {
 	eap
 	#files
 	ldap
-	pap
 }
 authenticate {
-	Auth-Type PAP {
-		pap
-	}
 	Auth-Type CHAP {
 		chap
 	}
 	Auth-Type MS-CHAP {
 		mschap
 	}
-	unix
 	eap
+	Auth-Type Kerberos {
+		krb5
+	}
 }
 preacct {
 	preprocess