[Freeipa-devel] radius status as of 11/14

John Dennis jdennis at redhat.com
Wed Nov 14 18:31:39 UTC 2007


In the past week:

The freeradius ldap module was modified:

* To read the client (e.g. NAS device) list from LDAP instead of from a 
flat file, postprocess the client info, and merge into the existing 
client list.

* Diagnosed and fixed a bug in the LDAP TLS code which prevented 
unsigned certificates from being accepted.

The radius support in IPA was augmented:

* The LDAP schema was extended for radius clients

* The bootstrapping of the initial LDAP tree structure was extended to 
include radius service data (i.e. client list, user profile list)

* Initialization code was added to the ipa server install so the 
directory server would encrypt the NAS secret it stores so it can't be 
read in the directory server database file.

* The directory server configuration was extended to set ACIs (access 
controls) on the radius service data such that only the radius service 
principal and the admin can view and modify radius data.

* The ipa installation code for radius was modified to:

   - perform radius authentication for users using the user's IPA
     kerberos ticket

   - enable client list LDAP lookups in IPA

   - turn off authorization decisions based on the presence of an
     LDAP user attribute

   - enable profile groups, set a default profile, allow per user
     profile group indirection in the newly added profile section
     of ldap

* Added support for manipulating radius clients in IPA.

   - Added new command line utilities: ipa-radiusclient{add,
     modify, delete, list}

   - Added the internal data structure in IPA for radius clients

   - Added new sets of xmlrpc handling code for the radius
     clients.



-- 
John Dennis <jdennis at redhat.com>
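Two of the items above (encrypting the NAS secret in the directory database, and restricting the radius service data to the radius service principal and the admin) are both 389/Fedora Directory Server configuration. The LDIF below is an added illustration of how those two controls fit together; it is not the configuration from the IPA source tree. The attribute name `radiusClientSecret`, the container `cn=radius,cn=services,...`, the service principal DN and the admin DN are all assumed placeholders, and the base suffix `dc=example,dc=com` with backend `userRoot` is assumed as well.

```ldif
# Added example, not from the IPA project.  All DNs and the attribute name
# radiusClientSecret are hypothetical placeholders.

# 1. Attribute encryption: the value of the NAS shared secret is stored
#    encrypted in the backend database file, so a copy of the db files on
#    disk does not expose it.  This does NOT change what an LDAP client
#    with read access sees; the value is decrypted on the way out.
dn: cn=radiusClientSecret,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsAttributeEncryption
cn: radiusClientSecret
nsEncryptionAlgorithm: AES

# 2. Access control on the radius subtree.  Because attribute encryption
#    is transparent to authorized readers, the ACIs are what actually keep
#    the secret away from ordinary users: allow the radius service
#    principal and admin full access, and explicitly deny everyone else.
#    A deny ACI is needed when the suffix already carries a broad
#    anonymous-read ACI, since in 389-DS deny takes precedence over allow.
dn: cn=radius,cn=services,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
 (version 3.0; acl "radius service and admin manage radius data";
 allow (read, search, compare, write, add, delete)
 (userdn = "ldap:///krbprincipalname=radius/radius.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"
  or userdn = "ldap:///uid=admin,cn=users,cn=accounts,dc=example,dc=com");)
-
add: aci
aci: (targetattr = "*")
 (version 3.0; acl "deny radius data to everyone else";
 deny (all)
 (userdn != "ldap:///krbprincipalname=radius/radius.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"
  and userdn != "ldap:///uid=admin,cn=users,cn=accounts,dc=example,dc=com");)
```

The split between the two mechanisms is the point worth checking in a deployment: after applying something like this, an `ldapsearch` bound as an ordinary user against the radius container should return no entries, while a `db2ldif` export without the encryption option should show the secret attribute as ciphertext rather than plain text. If either check fails, one of the two controls is not doing its job.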