[Freeipa-devel] status of radius IPA work

John Dennis jdennis at redhat.com
Fri Nov 2 20:54:15 UTC 2007


Phew, this has been a long week, I've made progress.

The radius server is now able to perform a SASL bind to the IPA LDAP
server using kerberos tickets obtained during the IPA install. Radiusd
can also successfully perform LDAP queries. The major components of
the work thus far have been:

* authored radiusinstance.py which does the following:
   - installs a radius LDAP schema in the slapd instance
   - generates and installs the radiusd configuration file
   - generates and installs the kerberos radius service keytab
   - starts and stops the radiusd server

* Modified the radius ldap module:
   - modified the autotool files to add configuration options
     for building with SASL2 and KRB5, these can be toggled on
     or off separately and the locations of the header files
     can be specified (often necessary because many distributions
     install these components in alternate locations or co-install
     different versions).

     All code additions properly #ifdef'ed by symbols defined by
     configure.

     Proper autotool support will be necessary for upstream
     acceptance.

   - added support for new options in the radiusd configuration file to
     handle ldap sasl and krb parameters.

   - added struct (object) to group all kerberos values into an
     'instance'

   - added code to acquire the kerberos service ticket, track its
     expiration, and use it to perform a bind to the IPA LDAP server.

   - all code does proper initialization, shutdown with freeing and
     destroying of resources, debug tracing, and error handling in the
     context of the freeradius code.

* Successfully tested running the radius server in the IPA environment
   with radiusd doing a sasl bind to the IPA LDAP and retrieving
   attributes.

Next work items:

* Complete the implementation of the ipa command line tool used to
   modify the radius per user attributes in LDAP (so far I've been
   using ldapmodify and ldif files). This will call through the XMLRPC
   to perform the ldap modifications and queries.

Comments:

Getting the radius to the point of performing a SASL bind against IPA
was much more work than I originally anticipated. There was also
considerable work with properly integrating the changes. I had hoped
to have had that working by Wednesday with the IPA command line work
completed by today. That work took 2 more days than I expected, so the
command line work won't begin in earnest until Monday.

Even when you think you know a technology you get humbled by the
problems that you didn't anticipate, such was some of the kerberos
hurdles I had to overcome this week.

Generally I'm pretty satisfied with the progress so far. By the middle
of next week I think we'll be in a position to start testing against a
VPN concentrator. But don't be fooled, there is still plenty of work
ahead :-)

Note: None of the work to date or anticipated in the immediate future
has addressed the issue of other authentication methods used by radius
and whether we have the correct password hashes. Addressing those issues
is not necessary to get to the point of testing VPN.
-- 
John Dennis <jdennis at redhat.com>
