[Freeipa-devel] Freeipa and Kerberos
Stoyan Gaydarov
sgayda2 at uiuc.edu
Sun Nov 30 07:13:59 UTC 2008
Jason Gerard DeRose wrote:
> Stoyan Gaydarov wrote:
>> Hi, my name is Stoyan and I am working on a project that involves Python,
>> xmlrpc, and Kerberos, similar to what Freeipa does, and I wanted to see
>> if someone could help me in understanding how Freeipa does their
>> authentication so that I can do something similar for our project. I
>> have looked at the code and saw that the client side uses the xmlrpclib
>> that is part of Python and it extends the transport layer. This seems
>> perfectly reasonable and I understand most of it. However, the server
>> side is a little more complex. I would like some help understanding what
>> is going on. Currently I just use the SimpleXMLRPCServer that is part of
>> Python and I just extend it. I don't need the server to do anything
>> special other than Kerberos authentication so it works well for me. Any
>> information about how it works would be greatly appreciated.
>>
>> -Stoyan
>
> Stoyan,
>
> In a production deployment, freeIPA runs under Apache2 and we use
> mod_auth_kerb as our first layer of authentication. For information on
> mod_auth_kerb, see:
>
> http://modauthkerb.sourceforge.net/
>
> Our second layer of authentication is to do an LDAP bind using the
> user's Kerberos credentials. We rely on LDAP to determine what the user
> can and can't do because (at least in v1) all the things a user might do
> involve reading from or writing to LDAP. So in freeIPA itself all we
> really do is make sure no anonymous access is allowed (users always need a
> valid Kerberos ticket).
>
> I don't know v1 very well (I pretty much just work on v2), so other
> people on the list might be able to fill in more v1 details. However,
> authentication in v2 is more or less the same except we also have
> development XML-RPC and web-UI servers designed to run from within the
> source tree, so these development servers don't have the mod_auth_kerb
> layer (because they don't run under Apache2).
>
> I hope this helps. Best of luck on your project! And if you get an itch
> to work on another Python/Kerberos/XML-RPC project, we *always* welcome
> new freeIPA developers!
>
> Cheers,
> Jason
>
>
Thank you so much for the information. As I had suspected, you do rely
on Apache to do the authentication. I am however interested in v2 now
because, as you say, there will be components that run outside of Apache
and still need the Kerberos authentication. This is similar to what I am
working on. Do you know anything about it or do you know where I can get
some information on this? Any help would be great.
-Stoyan
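
The "no anonymous access" rule from the thread, applied to a standalone XML-RPC server with no Apache in front of it, as an added example that is not part of the original messages and not freeIPA code. It uses Python 3's `xmlrpc.server` (the successor of `SimpleXMLRPCServer`) and refuses any request that lacks a valid `Authorization: Negotiate` header. Assumptions: `accept_token`, `check_negotiate`, `KerberosRequestHandler` and `make_server` are hypothetical names, and the actual ticket validation is delegated to `accept_token`, which a real deployment would implement with a GSSAPI library and the service keytab.

```python
import base64
import binascii
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer


def check_negotiate(header, accept_token):
    """Return the authenticated principal, or None to reject the request.

    accept_token is a hypothetical callable: it receives the raw SPNEGO
    token and returns the client principal, or None if the token is bad.
    A real server would back it with a GSSAPI accept-context call.
    """
    if not header:
        return None                      # anonymous request: always refused
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return None                      # Basic, Bearer, missing token, ...
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None                      # malformed base64
    return accept_token(token) or None


class KerberosRequestHandler(SimpleXMLRPCRequestHandler):
    accept_token = staticmethod(lambda token: None)  # deny until configured

    def do_POST(self):
        principal = check_negotiate(self.headers.get("Authorization"),
                                    self.accept_token)
        if principal is None:
            # Ask the client for a ticket; never fall through to dispatch.
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Negotiate")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.principal = principal       # kept for later authorization
        super().do_POST()


def make_server(addr, accept_token):
    # Bind the validator to a handler subclass so each server has its own.
    handler = type("Handler", (KerberosRequestHandler,),
                   {"accept_token": staticmethod(accept_token)})
    server = SimpleXMLRPCServer(addr, requestHandler=handler, logRequests=False)
    server.register_function(lambda: "pong", "ping")
    return server
```

This covers only the first layer described in the thread; deciding what the authenticated principal may do is a separate step.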