*** Embalmed has quit (Remote host closed the connection) | 03:47 | |
*** Embalmed (embalmed@204.188.217.2) has joined #wikid | 03:48 | |
*** Embalmed has quit (Remote host closed the connection) | 03:48 | |
*** Embalmed (embalmed@204.188.217.2) has joined #wikid | 03:51 | |
*** Embalmed has quit (Remote host closed the connection) | 03:51 | |
*** Embalmed (embalmed@204.188.217.2) has joined #wikid | 03:52 | |
*** Embalmed has quit (Remote host closed the connection) | 04:16 | |
*** Embalmed (embalmed@204.188.217.2) has joined #wikid | 04:19 | |
*** Lake_Lurker (~Just@h22.164.17.98.dynamic.ip.windstream.net) has joined #wikid | 11:10 | |
*** Lake_Lurker has parted #wikid (None) | 11:10 | |
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 12:13 | |
*** perestrelka has quit (Quit: Computer has gone to sleep) | 14:42 | |
*** nowen has parted #wikid (None) | 16:06 | |
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 16:13 | |
*** mick_laptop has quit (Changing host) | 18:03 | |
*** mick_laptop (~mick@clamwin/admin/mickhome) has joined #wikid | 18:03 | |
*** Luudes (42df3895@gateway/web/freenode/ip.66.223.56.149) has joined #wikid | 18:16 | |
Luudes | hola! | 18:17 |
Luudes | or hello, whatever works | 18:17 |
nowen | hi | 18:17 |
Luudes | wanna chat about wikid | 18:18 |
Luudes | specifically.. authorization while using radius | 18:18 |
nowen | good place for that :) | 18:18 |
nowen | ok | 18:18 |
Luudes | i am trying to forklift ourselves away from another solution while building up a PCI compliance product | 18:19 |
Luudes | one of the goals is to simplify management of whatever we intend to use | 18:20 |
nowen | ok | 18:20 |
Luudes | for a unix/windows environment, is there any way to use Active Directory for authorization while using RADIUS and WiKID for authentication? | 18:21 |
Luudes | I am not very deep in RADIUS, so there might be some power there... | 18:21 |
Luudes | but... in our current solution, we need to bind the unix boxes to LDAP (winbind) for group auth | 18:22 |
Luudes | and then strong authentication using what we have now... | 18:22 |
nowen | yes, use the windows radius plugin | 18:22 |
nowen | IAS/NPS | 18:22 |
Luudes | it is user provisioning and deprovisioning that is the real issue.. the manual process.. | 18:23 |
nowen | you can set up a script to allow users to add their own tokens based on the AD creds too | 18:23 |
Luudes | yeah, I was reading about that on the support site, but didn't find anything about authorization, especially around SSH access to the unix hosts | 18:24 |
nowen | so, for ssh, you want to use pam_radius | 18:24 |
Luudes | oh, that is what I like about WiKID, welcome package will come with the 360 about setting up a software token | 18:24 |
Luudes | so no IT support required :D | 18:24 |
nowen | point them to IAS/NPS and then have IAS/NPS proxy to wikid | 18:24 |
Luudes | for the authorization piece then.... | 18:25 |
Luudes | say, I have a unix host and we are trying to authorize levels of access using sudo... | 18:25 |
Luudes | AD group 1 = sysadmin | 18:26 |
Luudes | AD group 2 = not so much sysadmin | 18:26 |
Luudes | AD group 3 = you can only run 'ls' from your home directory... | 18:26 |
Luudes | i am trying to figure out how to make that work without querying LDAP (AD) for group memberships | 18:27 |
nowen | ok, that's moving beyond my knowledge. I mainly do authn, not authz | 18:27 |
nowen | plus I hate ldap :) | 18:28 |
Luudes | unix hates AD LDAP :) | 18:28 |
Luudes | unix hates winbind | 18:28 |
Luudes | :) | 18:28 |
nowen | hehe | 18:28 |
Luudes | actually redhat ES 6 hates all of it | 18:28 |
Luudes | which is kind of fun | 18:28 |
Luudes | anyway... | 18:28 |
nowen | but it should be doable, have the auth line in /etc/pam.d/sudo point to radius and the account line point to ldap, right? | 18:29 |
Luudes | LDAP is fine... getting people to stop using '*' in attribute queries is a huge thing in performance :D | 18:29 |
Luudes | that could work... | 18:30 |
Luudes | i probably need to get a little deeper into RADIUS to see what I can do | 18:31 |
nowen | pam_radius is pretty easy | 18:32 |
nowen | are you on windows 2003 or 8? | 18:32 |
Luudes | it would be awesome if RADIUS from WiKID could say.. "hey, this dude is good to go for authn, and is part of this group in WiKID which returns an attribute value pair back to the client..." | 18:33 |
Luudes | 2008 NPS | 18:33 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps/?searchterm=nps | 18:34 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to/?searchterm=pam%20radius | 18:34 |
Luudes | oh man, i didn't see that one! | 18:34 |
Luudes | <- thumbs down for not looking hard enough! | 18:34 |
nowen | hehe. for the record, our search tool works pretty well | 18:35 |
nowen | we have a lot of stuff on the site. it's hard to see it all | 18:35 |
nowen | you will have to compile pam_radius from source, but the .so can then be used on all your rhel systems, I think | 18:36 |
Luudes | for sure! let me digest that document and see what i can do! | 18:36 |
Luudes | thanks for the heads up! | 18:36 |
Luudes | you guys in ATL? | 18:36 |
nowen | yes | 18:36 |
Luudes | me too.. Marietta St | 18:37 |
nowen | ahh | 18:37 |
Luudes | might need to buy ya a beer if this works out :) | 18:37 |
nowen | hehe | 18:37 |
Luudes | alright, outta here, thanks for the help! | 18:38 |
nowen | later! | 18:38 |
*** Luudes has quit (Quit: Page closed) | 18:38 | |
nowen | asofrank: you there? | 19:46 |
*** nowen has parted #wikid (None) | 21:56 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!