[Freeipa-devel] Freeipa and Kerberos

Stoyan Gaydarov sgayda2 at uiuc.edu
Sun Nov 30 07:13:59 UTC 2008


Jason Gerard DeRose wrote:
> Stoyan Gaydarov wrote:
>> Hi my name is Stoyan and I am working on a project that involves python,
>> xmlrpc, and Kerberos, similar to what Freeipa does, and I wanted to see
>> if someone could help me in understanding how Freeipa does their
>> authentication so that I can do something similar for our project. I
>> have looked at the code and saw that the client side uses the xmlrpclib
>> that is part of python and it extends the transport layer. This seems
>> perfectly reasonable and I understand most of it. However the server
>> side is a little more complex. I would like some help understanding what
>> is going on. Currently I just use the SimpleXMLRPCServer that is part of
>> python and I just extend it. I don't need the server to do anything
>> special other than Kerberos authentication so it works well for me. Any
>> information about how it works would be greatly appreciated.
>>
>> -Stoyan
> 
> Stoyan,
> 
> In a production deployment, freeIPA runs under Apache2 and we use
> mod_auth_kerb as our first layer of authentication. For information on
> mod_auth_kerb, see:
> 
>   http://modauthkerb.sourceforge.net/
> 
> Our second layer of authentication is to do an LDAP bind using the
> user's Kerberos credentials. We rely on LDAP to determine what the user
> can and can't do because (at least in v1) all the things a user might do
> involve reading from or writing to LDAP. So in freeIPA itself all we
> really do is make sure no anonymous access is allowed (users always need a
> valid Kerberos ticket).
> 
> I don't know v1 very well (I pretty much just work on v2), so other
> people on the list might be able to fill in more v1 details. However,
> authentication in v2 is more or less the same except we also have
> development XML-RPC and web-UI servers designed to run from within the
> source tree, so these development servers don't have the mod_auth_kerb
> layer (because they don't run under Apache2).
> 
> I hope this helps. Best of luck on your project! And if you get an itch
> to work on another Python/Kerberos/XML-RPC project, we *always* welcome
> new freeIPA developers!
> 
> Cheers,
> Jason
> 
> 

Thank you so much for the information. As I had suspected, you do rely
on Apache to do the authentication. I am however interested in v2 now
because as you say there will be components that run outside of Apache,
and still need the Kerberos authentication. This is similar to what I am
working on. Do you know anything about it or do you know where I can get
some information on this? Any help would be great.

-Stoyan
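
The two layers described in the quoted reply (mod_auth_kerb in front, then an LDAP bind as the user), as an added example that is not part of this thread and is not freeIPA code. It uses Python 3's xmlrpc.client; make_app, ldap_bind and call are hypothetical names, and it assumes mod_auth_kerb supplies REMOTE_USER and, with KrbSaveCredentials on, KRB5CCNAME.

```python
import io
import xmlrpc.client

def make_app(ldap_bind, methods):
    """WSGI XML-RPC app meant to run behind Apache with mod_auth_kerb.

    ldap_bind(principal, ccache) is a hypothetical callable: it binds to LDAP
    with the user's Kerberos credentials and raises PermissionError on refusal.
    methods maps XML-RPC method names to functions called as f(conn, *params).
    """
    def reply(start_response, status, payload):
        body = xmlrpc.client.dumps(payload, methodresponse=True).encode()
        start_response(status, [("Content-Type", "text/xml"),
                                ("Content-Length", str(len(body)))])
        return [body]

    def app(environ, start_response):
        # Layer 1: mod_auth_kerb sets REMOTE_USER only after validating a
        # ticket, so a missing value means the request is anonymous.
        principal = environ.get("REMOTE_USER")
        if not principal:
            return reply(start_response, "401 Unauthorized",
                         xmlrpc.client.Fault(401, "Kerberos ticket required"))
        # Layer 2: bind to LDAP as the user. mod_auth_kerb exports KRB5CCNAME
        # when KrbSaveCredentials is on; LDAP then decides what is permitted.
        try:
            conn = ldap_bind(principal, environ.get("KRB5CCNAME"))
        except PermissionError:
            return reply(start_response, "403 Forbidden",
                         xmlrpc.client.Fault(403, "LDAP bind refused"))
        length = int(environ.get("CONTENT_LENGTH") or 0)
        params, name = xmlrpc.client.loads(environ["wsgi.input"].read(length))
        if name not in methods:
            return reply(start_response, "200 OK",
                         xmlrpc.client.Fault(404, "unknown method"))
        return reply(start_response, "200 OK", (methods[name](conn, *params),))
    return app

def call(app, method, params, **env):
    """Drive the app with a constructed request; return (status, result or Fault)."""
    body = xmlrpc.client.dumps(params, methodname=method).encode()
    environ = {**env, "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    seen = []
    out = b"".join(app(environ, lambda status, headers: seen.append(status)))
    try:
        return seen[0], xmlrpc.client.loads(out)[0][0]
    except xmlrpc.client.Fault as fault:
        return seen[0], fault
```

Run without Apache in front, this app refuses every request, because nothing sets REMOTE_USER; a server outside Apache needs its own way to establish the Kerberos identity before the LDAP bind.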



