[Freeipa-devel] kerberos auth issue

Rob Crittenden rcritten at redhat.com
Thu Aug 2 20:33:05 UTC 2007


Karl MacMillan wrote:
> On Thu, 2007-08-02 at 16:02 -0400, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> On Thu, 2007-08-02 at 14:36 -0400, Rob Crittenden wrote:
>>>> I ran into a problem with my kerberos authentication in the gui
>>>> and just as I was preparing the patch.
>>>>
>>>> The current code calls for the XML-RPC server to be protected by 
>>>> kerberos. If authenticated, the server takes REMOTE_USER and uses that 
>>>> as the uid when doing proxying (we could also do a search using it as 
>>>> krbPrincipalName) so the request comes in via something like 
>>>> ipa-finduser which makes the actual HTTP request using the XML-RPC 
>>>> client (rpcclient.py)
>>>>
>>>> It is in there, during the XML-RPC request, that the GSSAPI magic happens.
>>>>
>>>> Now this same code in rpcclient.py was originally going to be used by the 
>>>> GUI as well (write once, use for both) but the GUI is making the request 
>>>> through turbogears/Apache so we won't have the kerberos ticket because 
>>>> forwarding doesn't seem to work. One could argue that we'd do the 
>>>> kerberos auth in the web server that the GUI attaches to, but then how 
>>>> do we pass in the principal name to the XML-RPC server? An unprotected 
>>>> URI? Seems risky and we'd still need to get Apache to set REMOTE_USER.
>>>>
>>> I thought that the backend of the xml-rpc library was going to be a
>>> python library that the web gui would use directly. The architecture
>>> would be:
>>>
>>> xmlrpc-client -----> xmlrpc-server -------> DS
>>>                krb                   cert
>>> browser -----------> web server ----------> DS
>>>
>>> That eliminates all of the problems, right?
>> It does but it also means the two clients aren't playing on the same 
>> field.
> 
> Sure - but that is a good thing. The interactivity of the web browser
> and the likelihood of viewing much more data mean that removing the
> xmlrpc layer could improve performance substantially. I'm not that
> worried about performance with the commandline tools because of how they
> are likely to be used.

That's fine, it's just a change from what was originally discussed.

>>  I don't think there is another easy way around it without 
>> introducing some ugly mechanism (uglier than a web server talking to a 
>> web server).
>>
> 
> Not certain what you mean.

I mean doing something funky like another SSL client auth and embed the 
kerberos ticket name in the xml-rpc request.

>> I'll have to consider the impact on the client libraries.
>>
> 
> Sure - it will require coding things somewhat differently.

The biggest change is that XML-RPC transforms the data. So while the 
calls between the CLI and GUI will probably have the same names the data 
format will be completely different.

I'm not necessarily opposed to this I just want to be sure it really is 
our last option.

rob
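As an added illustration of the REMOTE_USER-to-identity mapping described above (not FreeIPA's own server code): the XML-RPC server trusts only the principal that the web server's Kerberos module placed in the request environment, never a principal carried in the request body or URI, and derives from it both the uid used for proxying and an escaped krbPrincipalName search filter. The environment keys, the AUTH_TYPE value and the helper names are assumptions.

```python
import re
from typing import Dict, Tuple

# Assumption: the web server's Kerberos module has already authenticated the
# request and exports the principal as REMOTE_USER with AUTH_TYPE "Negotiate".
TRUSTED_AUTH_TYPES = {"Negotiate"}
# user[/instance]@REALM; realms are matched case-insensitively here.
PRINCIPAL_RE = re.compile(r"^([A-Za-z0-9._-]+)(?:/([A-Za-z0-9._-]+))?@([A-Za-z0-9.-]+)$")


class AuthError(Exception):
    pass


def authenticated_principal(environ: Dict[str, str]) -> str:
    """Return the principal the web server authenticated, or raise AuthError.

    Only the server-set environment is consulted, so a principal name that a
    client put into the XML-RPC payload or the URI is never trusted.
    """
    if environ.get("AUTH_TYPE") not in TRUSTED_AUTH_TYPES:
        raise AuthError("request was not Kerberos-authenticated")
    principal = environ.get("REMOTE_USER", "")
    if not PRINCIPAL_RE.match(principal):
        raise AuthError("REMOTE_USER is not a well-formed principal")
    return principal


def uid_from_principal(principal: str) -> str:
    """Map user@REALM to the uid the proxy acts as; service principals are refused."""
    m = PRINCIPAL_RE.match(principal)
    if m is None or m.group(2) is not None:
        raise AuthError("only user principals may act through the proxy")
    return m.group(1)


def ldap_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so the value cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def principal_search_filter(principal: str) -> str:
    """The alternative lookup mentioned in the thread: search DS by krbPrincipalName."""
    return "(krbPrincipalName=%s)" % ldap_escape(principal)


def identity_for_request(environ: Dict[str, str]) -> Tuple[str, str]:
    """Identity a proxied request runs as: (uid, krbPrincipalName search filter)."""
    principal = authenticated_principal(environ)
    return uid_from_principal(principal), principal_search_filter(principal)


if __name__ == "__main__":
    # Constructed sample environment in the shape a Kerberos auth module would set.
    print(identity_for_request({"AUTH_TYPE": "Negotiate", "REMOTE_USER": "admin@EXAMPLE.COM"}))
```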