[Freeipa-devel] another snag with kerberos

Andrew Bartlett abartlet at samba.org
Thu Jul 19 02:36:10 UTC 2007


On Wed, 2007-07-18 at 22:13 -0400, Rob Crittenden wrote:
> Andrew Bartlett wrote:
> > On Tue, 2007-07-17 at 11:00 -0400, Rob Crittenden wrote:

> >> In any case we can't do anything until we find a way to do kerberos SSO 
> >> with ticket forwarding using some sort of HTTP engine. 
> > 
> > Ticket forwarding is on the esoteric end of the kerberos spectrum, and I
> > wonder if for IPAv1 we should instead have the XMLRPC server simply be
> > trusted?  (Bind as EXTERNAL, then do LDAP proxy authorization). 
> 
> I'm all in favor of a solution that will work. Do you have any details 
> on how one might do this and whether it is supported by mod_auth_kerb?
> 
> The way the communication goes is this:
> 
> Web -> Apache/mod_auth_kerb -> RPC client -> RPC server -> LDAP

Why do we have the RPC client -> RPC server layer here?  

> So we need some way of grabbing the credentials and passing them all the 
> way to LDAP so we can bind as the user who is logging into Apache.
> 
> Knowing next-to-nothing about SASL I'm going to need some hand-holding 
> to get this configured and working.

I suppose I expected (having clearly not followed this enough) that the
layers were:

User -> web browser -> Apache/mod_auth_kerb -> LDAP

User -> command-line-tool -> Apache/mod_auth_kerb -> LDAP

In these cases, you could authenticate the Apache/mod_auth_kerb by
simply asserting your identity to LDAP over ldapi://

> > This would also allow non-kerberos authentication, and remove a pile of
> > complexities that could bite us very badly.  For example:  Even if we
> > get the forwarded ticket, will it have an address restriction on it?
> > (The mechanism clients have used - dns lookup of target principal - for
> > choosing those addresses have sometimes given very poor results). 
> > 
> > We could then revisit this later, perhaps combined with KDC
> > modifications to be far less dependent on client behaviour (Heimdal has
> > some very neat solutions, driven by the practical integration needs of
> > the University of Stockholm). 
> 
> We're committed to MIT at this point.

Yeah, while I think that's a poor commitment, it's not one I expect to
influence.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
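The "bind as EXTERNAL, then do LDAP proxy authorization" path Andrew sketches above, written out as an added example (not code from the thread, FreeIPA or Samba). It assumes mod_auth_kerb has left the authenticated Kerberos principal in REMOTE_USER, that the web server's own Unix identity is recognised over ldapi:// via SASL EXTERNAL, that the directory honours the RFC 4370 proxied-authorization control for that identity, and that user entries live under cn=users,cn=accounts below a base DN; the realm, base DN and principal values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): map the principal mod_auth_kerb leaves
# in REMOTE_USER onto an LDAP proxy-authorization identity, then bind as the
# web server itself (SASL EXTERNAL over ldapi://, so no ticket is forwarded)
# and ask the directory to act as the mapped user.
# Assumptions, not stated in the thread: the directory accepts the proxied
# authorization control from the web server's identity, and user entries are
# "uid=<user>,cn=users,cn=accounts,<BASE_DN>".

LOCAL_REALM="${LOCAL_REALM:-EXAMPLE.COM}"   # constructed value: the only realm we map
BASE_DN="${BASE_DN:-dc=example,dc=com}"     # constructed value

# authzid_from_principal PRINCIPAL
#   Prints "dn:uid=<user>,cn=users,cn=accounts,<BASE_DN>" for a plain user
#   principal in LOCAL_REALM.  Returns 1 for anything else, so a foreign-realm
#   principal or a service principal (host/...) can never be proxied as a
#   local user.  The trusted web server is the one place this check can live,
#   which is exactly why it must be strict.
authzid_from_principal() {
    princ=$1
    case $princ in
        *@*) ;;                 # must carry a realm
        *) return 1 ;;
    esac
    user=${princ%@*}
    realm=${princ##*@}
    [ "$realm" = "$LOCAL_REALM" ] || return 1
    case $user in
        ""|*/*|*@*|*,*|*=*|*+*|*\\*) return 1 ;;   # empty, service principal, or DN metacharacters
    esac
    printf 'dn:uid=%s,cn=users,cn=accounts,%s\n' "$user" "$BASE_DN"
}

# proxied_whoami PRINCIPAL
#   Binds with the Unix identity of this process (SASL EXTERNAL over the local
#   socket) and asks the server to authorize as the mapped user.  The leading
#   "!" marks the control critical: a server that does not honour it fails the
#   operation instead of silently answering as the web server's own identity.
proxied_whoami() {
    authzid=$(authzid_from_principal "$1") || {
        echo "refusing to proxy for principal '$1'" >&2
        return 1
    }
    ldapwhoami -Q -Y EXTERNAL -H ldapi:/// -e "!authzid=$authzid"
}

# Only contact a directory when explicitly asked; the functions above are
# otherwise safe to source.
if [ "${RUN_PROXIED_WHOAMI:-0}" = 1 ]; then
    proxied_whoami "${REMOTE_USER:?REMOTE_USER not set}"
fi
```

Run it as RUN_PROXIED_WHOAMI=1 REMOTE_USER=alice@EXAMPLE.COM sh proxy-whoami.sh on the web server host; the reply should be the mapped user's DN, not the web server's. The client-side mapping is only half of the design: the directory must also limit which bound identity may proxy and for whom (an ACI granting the proxy right in 389 DS, or authzTo/authzFrom in OpenLDAP), otherwise any process that can reach the ldapi:// socket as that identity can act as any user, which is the "trusted server" trade-off Andrew is describing.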