[Freeipa-interest] Future direction (feature request)

david klein root at nachtmaus.us
Sat Aug 21 23:37:27 UTC 2010


After some more reading and searching around, maintenance of tac_plus
(the open source TACACS+ daemon) has moved from Cisco to Shrubbery
Networks, Inc (http://www.shrubbery.net/tac_plus/). It appears that
under Shrubbery, the tac_plus daemon can use LDAP by way of PAM to
handle authentication, according to
http://www.shrubbery.net/tac_plus/PAM_guide.txt. At this point, only
authentication appears to have been externalized, but it does prove
the concept.

How does Red Hat currently measure the degree of interest in possible
features for inclusion in the FreeIPA/EnterpriseIPA product, and would
it be worthwhile to gather statements from other systems
administrators to help demonstrate the desirability and usefulness of
this feature request?


Thank you.

On Mon, Jun 28, 2010 at 9:21 AM, Dmitri Pal <dpal at redhat.com> wrote:
> david t. klein wrote:
>>
>>
>>
>> Is there any chance that a TACACS+ daemon could be integrated into a
>> future version of FreeIPA, so that network rights can be assigned and
>> delegated the same way as system rights? I have looked through Cisco's
>> tac_plus (ftp://ftp-eng.cisco.com/pub/tacacs), and while I do not have
>> the development skill to do so, I think that the daemon could be
>> altered to take its rights-assignments and configuration from a
>> directory, instead of from a configuration file. This functionality
>> would greatly increase the value of the tool to a couple of
>> organizations that I have spoken to.
>>
>
> The chance is always there. However, we are not TACACS experts.
> For us to integrate it into IPA we would need (together with the TACACS
> community and I am not sure we should work with...) to sort out:
> * Licensing
> * The TACACS community should make the configuration pluggable so that
> different plugins can be developed
> * Then we can work together on the LDAP back end. We can consult and
> help with the LDAP schema design. I would hope that work will be mostly
> done by someone who is familiar with TACACS since it will take a lot
> less time than for us.
>
> But we are definitely open to further discussion.
>
> Thank you for your suggestion. If there is a need we are always
> interested in addressing it.
>
> Dmitri
>
>
>> Thank you,
>>
>>  -DTK
>>
>> --
>> david t. klein
>>
>> Cisco Certified Network Associate (CSCO11281885)
>> Linux Professional Institute Certification (LPI000165615)
>> Redhat Certified Engineer (805009745938860)
>>
>> Quis custodiet ipsos custodes?

-- 

david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?
