[Freeipa-devel] another snag with kerberos
Rob Crittenden
rcritten at redhat.com
Thu Jul 19 03:02:07 UTC 2007
Andrew Bartlett wrote:
> On Wed, 2007-07-18 at 22:13 -0400, Rob Crittenden wrote:
>> Andrew Bartlett wrote:
>>> On Tue, 2007-07-17 at 11:00 -0400, Rob Crittenden wrote:
>
>>>> In any case we can't do anything until we find a way to do kerberos SSO
>>>> with ticket forwarding using some sort of HTTP engine.
>>> Ticket forwarding is on the esoteric end of the kerberos spectrum, and I
>>> wonder if for IPAv1 we should instead have the XMLRPC server simply be
>>> trusted? (Bind as EXTERNAL, then do LDAP proxy authorization).
>> I'm all in favor of a solution that will work. Do you have any details
>> on how one might do this and whether it is supported by mod_auth_kerb?
>>
>> The way the communication goes is this:
>>
>> Web -> Apache/mod_auth_kerb -> RPC client -> RPC server -> LDAP
>
> Why do we have the RPC client -> RPC server layer here?
>
>> So we need some way of grabbing the credentials and passing them all the
>> way to LDAP so we can bind as the user who is logging into Apache.
>>
>> Knowing next-to-nothing about SASL I'm going to need some hand-holding
>> to get this configured and working.
>
> I suppose I expected (having clearly not followed this enough) that the
> layers were:
>
> User-> web browsser -> Apache/mod_auth_kerb -> LDAP
>
> User -> command-line-tool -> Apache/mod_auth_kerb -> LDAP
The purpose of RPC is to make it very easy for a customer to implement
their own GUI. It also lets us do all the hard work once and just glue
on a CLI and GUI on top of it.
> In these cases, you could authenticate the Apache/mod_auth_kerb by
> simply asserting your identity to LDAP over ldapi://
We're supposed to be hiding the fact that LDAP exists. In any case, I'm
not sure how I can assert identity if I can't forward the ticket using
the browser.
>>> This would also allow non-kerberos authentication, and remove a pile of
>>> complexities that could bite us very badly. For example: Even if we
>>> get the forwarded ticket, will it have an address restriction on it?
>>> (The mechanism clients have used - dns lookup of target principal - for
>>> choosing those addresses have sometimes given very poor results).
>>>
>>> We could then revisit this later, perhaps combined with KDC
>>> modifications to be far less dependent on client behaviour (Heimdal has
>>> some very neat solutions, driven by the practical integration needs of
>>> the University of Stockholm).
>> We're committed to MIT at this point.
>
> Yeah, while I think that's a poor commitment, it's not one I expect to
> influence.
I have no dog in that hunt but I agree.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20070718/c3661745/attachment.bin>
More information about the Freeipa-devel
mailing list