[Freeipa-users] Feature request: TACACS+ integration

John Dennis jdennis at redhat.com
Wed Aug 25 17:06:51 UTC 2010


On 08/25/2010 11:22 AM, James Roman wrote:
>> The more practical solution which may be available to you would be to
>> avail yourself of the PAM integration in the tac_plus project (but to
>> be honest I don't see how that would give you any of the sophisticated
>> features you cite as being a prime motivator for utilization of
>> TACACS). FreeIPA is an open source project and from what you say so is
>> tac_plus. I would imagine patches would be welcomed by both projects
>> which would allow the tac_plus daemon to utilize IPA as its back end.
>> We would be happy to answer any questions for the person(s) who wanted
>> to undertake this and contribute their work.
>>
>    From what I can see it looks like the missing piece would be the
> ability to look up tac_plus user->group assignments from the FreeIPA/389
> LDAP server. It looks like tac_plus has "integrated" the
> authentication with LDAP via PAM, but not the authorization. When
> building an authentication solution for network devices with FreeIPA,
> providing authentication via TACACS+ would be secondary, since you could
> have your Cisco device directly authenticate the user against FreeIPA
> using Kerberos. TACACS+ primary benefit is in the granular control of
> Authorization to network device services. If you can get tac_plus to
> reference an LDAP server for group membership, then you might have a
> reasonable solution. You would still need to assign the group's network
> permissions in the tac_plus configuration file, but that would be done
> once. Once the group access was defined, you could assign LDAP users to
> groups that match what's in the tac_plus config file.
>
> This really requires the tac_plus team to code direct LDAP integration
> into their application similar to the way Freeradius can rely on an LDAP
> server as a back-end. The local PAM stack was not really intended to be
> a service that can be farmed out for other systems to use. It was meant
> as a way to provide access to local services running on that system. To
> use PAM for group membership (i.e. through the pam_listfile ACL) would
> require a separate tac_plus daemon and PAM configuration for each
> network device.

Adding LDAP queries to tac_plus would be the most general solution, in 
which case this would have little direct relevance to IPA. However, the 
schema we use, ACLs and internal "business logic" applied on top of 
LDAP queries might not map easily to a generic LDAP interface in 
tac_plus. I really don't know. All of this is to say there is another 
way to use IPA as a backend service besides connecting to our LDAP 
server. We do support an XML-RPC interface that is fully authenticated 
and encrypted. So another option would be for tac_plus to make RPC 
calls. Just a thought.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
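The authorization lookup James sketches above (the user's group assignment comes from the FreeIPA/389 directory, while the group-to-privilege definitions are written once in the tac_plus configuration), as an added example that is not part of the original thread and is not code from tac_plus or FreeIPA. It stands in a constructed LDIF search result for a live LDAP query, the group names, privilege levels and command lists are hypothetical, and it includes the default-deny path for a user whose LDAP groups map to no tac_plus group.

```python
"""Group-based authorization of the kind discussed in the thread: group
membership is read from a FreeIPA-style directory entry (a constructed LDIF
record here instead of a live LDAP query), and the group-to-privilege
mapping lives in a tac_plus-style configuration maintained once.
Added example code; not part of tac_plus or FreeIPA.
"""
import re

# Constructed sample: what a search for uid=jroman against a FreeIPA
# directory could return. memberOf is the attribute FreeIPA maintains for
# group membership; the DN suffix is made up for this example.
SAMPLE_LDIF = """\
dn: uid=jroman,cn=users,cn=accounts,dc=example,dc=test
uid: jroman
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
memberOf: cn=netops,cn=groups,cn=accounts,dc=example,dc=test
memberOf: cn=netadmins,cn=groups,cn=accounts,dc=example,dc=test
"""

# Hypothetical tac_plus-style group definitions: each group gets a privilege
# level and the command verbs it may run. Precedence decides which group a
# user in several mapped groups ends up in (highest privilege wins).
TACPLUS_GROUPS = {
    "netadmins": {"priv_lvl": 15, "cmds": ("show", "configure", "copy", "reload")},
    "netops":    {"priv_lvl": 7,  "cmds": ("show",)},
}
GROUP_PRECEDENCE = ("netadmins", "netops")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}. Base64 values and
    line folding are not handled; enough for the sample search result."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"unparseable LDIF line: {line!r}")
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs


# The group name is the cn RDN at the front of each memberOf DN.
_CN_RE = re.compile(r"^cn=([^,]+),", re.IGNORECASE)


def group_names(entry):
    """Return the set of bare group names the user is a member of."""
    names = set()
    for dn in entry.get("memberof", []):
        match = _CN_RE.match(dn)
        if match:
            names.add(match.group(1).lower())
    return names


def resolve_tacplus_group(entry):
    """Pick the tac_plus group for this user, or None when none of the
    user's LDAP groups is defined in the tac_plus config (default deny)."""
    groups = group_names(entry)
    for name in GROUP_PRECEDENCE:
        if name in groups:
            return name
    return None


def authorize_command(entry, command):
    """Return (allowed, group). A user with no mapped group is denied
    outright; otherwise only the group's permitted verbs are allowed."""
    group = resolve_tacplus_group(entry)
    if group is None:
        return False, None
    words = command.split()
    verb = words[0].lower() if words else ""
    return verb in TACPLUS_GROUPS[group]["cmds"], group


if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_LDIF)
    for cmd in ("show running-config", "configure terminal", "debug all"):
        print(cmd, "->", authorize_command(user, cmd))
```

In a real deployment the LDIF text would be replaced by the result of an LDAP search (or, per John's suggestion, an authenticated RPC call to IPA), and the precedence list and command sets would come from the tac_plus configuration rather than a Python dict; the point the code makes is that the directory only answers "which groups", while what those groups may do stays in the device-side configuration.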