[Freeipa-devel] How we should be integrating RADIUS

Andrew Bartlett abartlet at samba.org
Thu Nov 8 20:25:19 UTC 2007


On Thu, 2007-11-08 at 09:51 -0500, John Dennis wrote:
> Andrew Bartlett wrote:
> > I came across this HOWTO about RADIUS, and I think it explains very well
> > why we need to have FreeRADIUS use Samba for MS-CHAP authentication.
> > 
> > If we set it up right, this should 'just work' against the local Samba
> > as a frontend to FreeIPA. 
> > 
> > http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
> > 
> > I realise Samba isn't part of FreeIPA yet, but this just gives us
> > another reason why it needs to be.  I've looked over the patch for
> > FreeIPA inclusion, but I can't quite see how to translate that into
> > Samba (3) inclusion.  
> 
> Thanks for the pointer Andrew, I'm familiar with the document. I'm sure 
> at some point we may want to authenticate against AD but initially we're 
> authenticating against IPA. There are many possible scenarios with how 
> customers will want to use radius, our going in plan is to keep it 
> simple for V1.

You miss my point.  The Samba part of this would be targeted at IPA
(Samba as a DC against LDAP), not AD, and will handle MSCHAPv2 for
FreeRADIUS.  In all other respects, the configuration would be
identical, as in both cases winbindd handles the details. 

> One of the challenges of integrating radius into IPA is the fact radius 
> is best thought of as a toolkit with multiple ways of setting it up 
> tailored to the needs of the site. 

Sure, but shouldn't the role of IPA be to provide all the backend
configuration, already completed?

> I think we're going to end up with a 
> handful of pre-canned configurations that IPA supports, mschap/ntlm
> will certainly be one of them in order to support Windows clients. 
> Figuring out how we're going to handle mschap/ntlm is on hold till V2.

If it's any different to that HOWTO I'll be very surprised, but I look
forward to it.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.