[Freeipa-devel] kerberos auth issue
Karl MacMillan
kmacmill at redhat.com
Thu Aug 2 20:06:31 UTC 2007
On Thu, 2007-08-02 at 15:35 -0400, Simo Sorce wrote:
> On Thu, 2007-08-02 at 15:30 -0400, Karl MacMillan wrote:
> > On Thu, 2007-08-02 at 14:36 -0400, Rob Crittenden wrote:
> > > I ran into a problem with my kerberos authentication in the gui
> > > and just as I was preparing the patch.
> > >
> > > The current code calls for the XML-RPC server to be protected by
> > > kerberos. If authenticated, the server takes REMOTE_USER and uses that
> > > as the uid when doing proxying (we could also do a search using it as
> > > krbPrincipalName) so the request comes in via something like
> > > ipa-finduser which makes the actual HTTP request using the XML-RPC
> > > client (rpcclient.py)
> > >
> > > It is in there, during the XML-RPC request, that the GSSAPI magic happens.
> > >
> > > Now this same code in rpcclient.py was orignally going to be used by the
> > > GUI as well (write once, use for both) but the GUI is making the request
> > > through turbogears/Apache so we won't have the kerberos ticket because
> > > forwarding doesn't seem to work. One could argue that we'd do the
> > > kerberos auth in the web server that the GUI attaches to, but then how
> > > do we pass in the principal name to the XML-RPC server? An unprotected
> > > URI? Seems risky and we'd still need to get Apache to set REMOTE_USER.
> > >
> >
> > I thought that the backend of the xml-rpc library was going to be a
> > python library that the web gui would use directly. The architecture
> > would be:
> >
> > xmlrpc-client -----> xmlrpc-server -------> DS
> > krb cert
> > browser -----------> web server ----------> DS
> >
> > That eliminates all of the problems, right?
>
> Even better if we can replace cert with krb on the right side as well,
> even without forwarding, just reauth as a service with LDAP/SASL/GSSAPI
>
Agreed, but the choice is being driven by ease of development right now
and it seems the python kerb libraries aren't the best.
Karl
More information about the Freeipa-devel
mailing list