[Freeipa-devel] How we should be integrating RADIUS

John Dennis jdennis at redhat.com
Thu Nov 8 21:26:58 UTC 2007


Andrew Bartlett wrote:
> You miss my point.  The Samba part of this would be targeted at IPA
> (Samba as a DC against LDAP), not AD, and will handle MSCHAPv2 for
> FreeRADIUS.  In all other respects, the configuration would be
> identical, as in both cases winbindd handles the details. 

When Samba is integrated with IPA as a DC we can do this but that's not 
the case today for v1.

FWIW, a lot of the current IPA radius work has little to do with 
specific authentication methods but rather management of users and 
clients, that infrastructure has to be in place first. This is staged 
development, mschap is down the road.

>> One of the challenges of integrating radius into IPA is the fact radius 
>> is best thought of as a toolkit with multiple ways of setting it up 
>> tailored to the needs of the site. 
> 
> Sure, but shouldn't the role of IPA be to provide all the backend
> configuration, already completed?

I'm afraid I don't follow what you mean by having all the backend 
configuration completed.

>> I think we're going to end up with a 
>> handful of pre-canned configurations that IPA supports, mschap/ntlm will 
>> certainly be one of them in order to support Windows clients. 
>> Figuring out how we're going to handle mschap/ntlm is on hold till V2.
> 
> If it's any different to that HOWTO I'll be very surprised, but I look
> forward to it.

Yes you're right, for that one case it will look similar. What will be 
different from the HOWTO is all the places in the HOWTO where it says 
hand edit such and such, or where it fails to talk about the management 
of NAS devices or the management of per user NAS attributes, all of that 
infrastructure is getting automated as part of the v1 work. When that's 
done we can apply the HOWTO recipe. The initial goal is to avoid any 
direct manipulation of service configuration and the data the service 
needs to access, the HOWTO glosses over those issues with the presumption 
a human sys admin is actively involved in managing it. That's why mschap 
is slated for v2 not v1.


-- 
John Dennis <jdennis at redhat.com>