[Freeipa-devel] [PATCH] ticket forwarding and TurboGears

Rob Crittenden rcritten at redhat.com
Thu Sep 13 18:24:17 UTC 2007


I got ticket forwarding working with TurboGears yesterday. This raises 
some issues though. First an explanation of how I'm doing it.

I require Kerberos auth for connections to Apache. If delegation is 
available then Apache will save a copy of the ticket.

For the XML-RPC interface this is enough as it runs through mod_python. 
We grab a pointer to the file and use the ticket.

With TurboGears I'm using mod_proxy to forward the requests after 
authentication. What I do is grab a copy of the environment variables 
REMOTE_USER and KRB5CCNAME and include those as request headers to 
TurboGears. TG then can identify the principal and the location of that 
user's keytab. We will need to restrict the TurboGears listener to 
localhost. If we wanted to be absolutely sure that nothing funny was 
going on we could use the Authorization header to re-verify the ticket. 
I lack the kerberos know-how to do this.

This means we can do away with all the proxying mess and not issue a 
client cert to the web server.

Do we want to go ahead and remove that now or leave it in as dead code? 
We can remove the proxy ACIs which will prevent people from proxying in 
and leave the code alone for a while I suppose.

For GUI developers there is a way to not use mod_proxy and continue 
contacting it directly. What you'll need to do is look in 
ipa-gui/ipagui/proxyprovider.py and hardcode the principal name and 
keytab location. For the keytab run: kinit | grep FILE and use the whole 
FILE: URL.

And remember, this requires the mod_auth_kerb that I supplied earlier.

rob
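The scheme above has TurboGears trust two identity values (the principal and the credential cache path) that arrive as plain request headers, which is only safe if those headers can come from nobody but the local Apache. The following is an added example, not code from the original message or from the FreeIPA project, showing how the receiving side could enforce that: accept the forwarded headers only from a loopback peer, check that the principal looks like user@REALM, and accept only a FILE: cache under an expected directory. The header names X-Remote-User and X-Krb5ccname, the allowed directories, and the WSGI-style environ dict are assumptions for illustration.

```python
"""Loopback-only acceptance of identity headers forwarded by Apache.

Added example (not FreeIPA code). Assumes Apache's mod_proxy sets the
hypothetical headers X-Remote-User and X-Krb5ccname from REMOTE_USER and
KRB5CCNAME, and that the application sees them in a WSGI-style environ
dict (HTTP_X_REMOTE_USER / HTTP_X_KRB5CCNAME).
"""
import ipaddress
import os
import re

# principal[/instance]@REALM
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)?@[A-Z0-9.-]+$")

# Directories in which the delegated credential cache is expected (assumed).
ALLOWED_CCACHE_DIRS = ("/tmp/", "/var/tmp/", "/run/")


class ForwardedIdentityError(Exception):
    """Raised when the forwarded identity headers cannot be trusted."""


def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; garbage or empty input is not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_ccache(value):
    """Return the filesystem path of a FILE: credential cache, or raise.

    Only FILE: caches are accepted, the path must be absolute and already
    normalised (no '..' components), and it must sit in an allowed directory.
    """
    if not value.startswith("FILE:"):
        raise ForwardedIdentityError("only FILE: credential caches are accepted")
    path = value[len("FILE:"):]
    if not path.startswith("/") or os.path.normpath(path) != path:
        raise ForwardedIdentityError("credential cache path is not a clean absolute path")
    if not path.startswith(ALLOWED_CCACHE_DIRS):
        raise ForwardedIdentityError("credential cache is outside the allowed directories")
    return path


def forwarded_identity(environ):
    """Extract (principal, ccache_path) from a request forwarded by Apache.

    The peer address is checked first: headers from anything other than the
    local proxy are rejected outright, because a remote client could set them.
    """
    if not is_loopback(environ.get("REMOTE_ADDR", "")):
        raise ForwardedIdentityError("identity headers accepted only from loopback")
    principal = environ.get("HTTP_X_REMOTE_USER", "")
    if not PRINCIPAL_RE.match(principal):
        raise ForwardedIdentityError("malformed principal in X-Remote-User")
    ccache = parse_ccache(environ.get("HTTP_X_KRB5CCNAME", ""))
    return principal, ccache


def classify(environ):
    """Return 'accepted' or 'rejected: <reason>' for a constructed request."""
    try:
        forwarded_identity(environ)
        return "accepted"
    except ForwardedIdentityError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    samples = [
        {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_REMOTE_USER": "admin@EXAMPLE.COM",
         "HTTP_X_KRB5CCNAME": "FILE:/tmp/krb5cc_apache_1000"},
        {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_REMOTE_USER": "admin@EXAMPLE.COM",
         "HTTP_X_KRB5CCNAME": "FILE:/tmp/krb5cc_apache_1000"},
        {"REMOTE_ADDR": "::1", "HTTP_X_REMOTE_USER": "admin@EXAMPLE.COM",
         "HTTP_X_KRB5CCNAME": "FILE:/tmp/../etc/krb5.keytab"},
    ]
    for env in samples:
        print(env["REMOTE_ADDR"], "->", classify(env))
```

The order of checks matters: the peer-address test runs before any header is read, so a request that did not come through the local Apache is refused even if its headers are well formed. This complements, rather than replaces, binding the TurboGears listener to localhost.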
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-179-ticket.patch
Type: text/x-patch
Size: 6874 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20070913/61a88311/attachment.bin>