I second that request. There are some others that I documented over at Diamond; I just need to update those docs, and possibly we can wrap all the contexts up in one policy.
That said... Sam, do we know what you're going to call the user for the TIDS? The sooner I know, the sooner I can get Diamond's deployment scripts correctly set.
Also, they've asked for an init.d script for TIDS (they don't use Upstart over there), but they're happy to craft one themselves for the time being.
Regards
Stefan
________________________________________
From: Moonshot community list [[log in to unmask]] on behalf of Rhys Smith [[log in to unmask]]
Sent: 27 June 2014 17:30
To: [log in to unmask]
Subject: Re: psk_keys
Can we add the SELinux policy for the DB and (when it exists) the TIDS user writing to the DB to the packaging? That would be good.
Rhys.
--
Dr Rhys Smith
Identity, Access, and Middleware Specialist
Cardiff University & Janet, the UK's research and education network
email: [log in to unmask] / [log in to unmask]
GPG: 0x4638C985
On 27 Jun 2014, at 17:15, Stefan Paetow <[log in to unmask]> wrote:
> Please also be aware that if you run SELinux in enforcing mode (like some organisations do), you will need an SELinux policy to allow FR to read the database. I have a policy file for this from Diamond (where we just traced this).
>
> I suspect that another policy will be needed to allow the TIDS user to write to the database. I don't have the policy file for that yet.
>
> Stefan
>
> ________________________________________
> From: Moonshot community list [[log in to unmask]] on behalf of Mark Donnelly [[log in to unmask]]
> Sent: 26 June 2014 18:15
> To: [log in to unmask]
> Subject: Re: psk_keys
>
> Kristof:
>
>> But I think freeradius also needs to access the database (could someone
>> explain it, please?)
>
> When some remote RADIUS system needs to authenticate a user who claims
> to be part of this identity provider's realm, that remote system has to
> obtain the credentials into this identity provider that allow it to
> submit the RADIUS request. The database is a conduit for the
> credentials; the Trust Router system generates them (in the form of the
> Temporary IDentity Server) and FreeRADIUS consumes them. The Trust
> Router systems deliver a copy of the credentials back to the remote
> RADIUS system, which then uses them to access the Identity Provider's
> FreeRADIUS system to ask about the user.
>
> Cheers,
> --Mark
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
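The thread asks for an SELinux policy that lets FreeRADIUS read the psk_keys database while only the TIDS user writes it, but the Diamond policy file itself is not on the page. The script below is an added example by the editor, not Diamond's file and not part of the Moonshot packaging: it takes an AVC denial line of the kind audit2allow consumes, derives the allow rule, refuses to build a module that would give the reader (radiusd) any write-class permission, and prints a complete .te module. The sample denial, the path /var/lib/trust_router/psk_keys and the types radiusd_t and var_lib_t are constructed assumptions; on a real host take them from the actual denial (ausearch -m avc -c radiusd) or from `ls -Z` on the database file.

```shell
#!/bin/sh
# Added example (editor's, not from the thread and not Diamond's policy file):
# derive a minimal SELinux policy module that lets radiusd read the psk_keys
# DB, and refuse to grant the reader anything beyond read access.
set -eu

# Constructed sample denial in audit.log format. Path and types are
# assumptions; on a real host use the real denial or `ls -Z` on the DB file.
SAMPLE_AVC='type=AVC msg=audit(1403885700.123:456): avc:  denied  { read open } for  pid=1234 comm="radiusd" path="/var/lib/trust_router/psk_keys" dev="sda1" ino=789 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'

# parse_avc LINE: set AVC_PERMS, AVC_SRC (source type), AVC_TGT (target type)
# and AVC_CLS (object class) from one AVC denial line; fail if it is not one.
parse_avc() {
    AVC_PERMS=$(printf '%s\n' "$1" | sed -n 's/.*denied  *{ \([^}]*\) }.*/\1/p')
    AVC_SRC=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    AVC_TGT=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    AVC_CLS=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    if [ -z "$AVC_PERMS" ] || [ -z "$AVC_SRC" ] || [ -z "$AVC_TGT" ] || [ -z "$AVC_CLS" ]; then
        echo "not an AVC denial line: $1" >&2
        return 1
    fi
}

# avc_to_allow LINE: print the allow rule that resolves one denial,
# e.g. "allow radiusd_t var_lib_t:file { read open };"
avc_to_allow() {
    parse_avc "$1" || return 1
    printf 'allow %s %s:%s { %s };\n' "$AVC_SRC" "$AVC_TGT" "$AVC_CLS" "$AVC_PERMS"
}

# reader_perms_ok PERMS: succeed only if every permission is read-only.
# FreeRADIUS consumes the keys; only the TIDS user should be able to change
# them, so a module for radiusd that also grants write is a mistake.
reader_perms_ok() {
    for p in $1; do
        case "$p" in
            read|open|getattr|lock|ioctl|map) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# te_module NAME SRC TGT CLASS PERMS: print a complete .te policy module.
# Build and load it with:
#   checkmodule -M -m -o NAME.mod NAME.te
#   semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
te_module() {
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$1" "$2" "$3" "$4" "$5" "$2" "$3" "$4" "$5"
}

# avc_to_te NAME LINE: derive a read-only module from one denial, or fail
# (exit 1) if the denial asked for anything beyond read access.
avc_to_te() {
    parse_avc "$2" || return 1
    if ! reader_perms_ok "$AVC_PERMS"; then
        echo "refusing to grant non-read permissions to $AVC_SRC: $AVC_PERMS" >&2
        return 1
    fi
    te_module "$1" "$AVC_SRC" "$AVC_TGT" "$AVC_CLS" "$AVC_PERMS"
}

# Print the module for the constructed sample denial.
avc_to_te moonshot_fr_psk "$SAMPLE_AVC"
```

Two caveats when using this for real. First, if the denial's target type is a generic one such as var_lib_t, the allow rule grants radiusd read access to every file with that label, not just the psk_keys DB; relabelling the DB to a type the radiusd domain already reads, or a dedicated type, is the tighter fix. Second, the TIDS-side policy the thread says is still missing is a separate module for the domain the TIDS user runs in, derived the same way from its own denials, and it is the one that legitimately carries write and create permissions; this script refuses those on purpose so the reader's module cannot quietly become a writer's.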