[Freeipa-devel] kerberos auth issue
Rob Crittenden
rcritten at redhat.com
Thu Aug 2 18:36:19 UTC 2007
I ran into a problem with my kerberos authentication in the gui
and just as I was preparing the patch.

The current code calls for the XML-RPC server to be protected by
kerberos. If authenticated, the server takes REMOTE_USER and uses that
as the uid when doing proxying (we could also do a search using it as
krbPrincipalName) so the request comes in via something like
ipa-finduser which makes the actual HTTP request using the XML-RPC
client (rpcclient.py)

It is in there, during the XML-RPC request, that the GSSAPI magic happens.

Now this same code in rpcclient.py was originally going to be used by the
GUI as well (write once, use for both) but the GUI is making the request
through turbogears/Apache so we won't have the kerberos ticket because
forwarding doesn't seem to work. One could argue that we'd do the
kerberos auth in the web server that the GUI attaches to, but then how
do we pass in the principal name to the XML-RPC server? An unprotected
URI? Seems risky and we'd still need to get Apache to set REMOTE_USER.

So I'm not sure what to do. I've attached a picture that shows the
current architecture. The RPC client is a library that we'll ship and
will be used on any client machine. It cannot be trusted.

This would be trivial if forwarded tickets actually worked.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa.odg
Type: application/vnd.oasis.opendocument.graphics
Size: 9421 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20070802/ef549607/attachment.odg>
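The server-side half of the arrangement described in the message, as an added example and not FreeIPA's own code (it is not rpcclient.py or the 2007 XML-RPC server): the XML-RPC handler takes the caller's identity only from the REMOTE_USER that the web server's Kerberos authentication set, maps a plain user principal to a uid for proxying, and ignores any principal the untrusted client library put in the request body. The realm name, the `find_user` method name, the `/ipa/xml` path and the sample request are assumptions made up for the example; the assumption that Apache (for instance mod_auth_kerb) has already completed the GSSAPI negotiation and populated REMOTE_USER is stated in the code.

```python
"""Added example: trust REMOTE_USER from the web server's Kerberos auth,
never an identity claimed inside the XML-RPC body.

Assumes Apache (e.g. mod_auth_kerb) did the GSSAPI negotiation and set
REMOTE_USER to the client principal. Realm, method name and path are
made up for the example; this is not FreeIPA code.
"""
import re
import xmlrpc.client

# Assumed configuration: the only realm whose principals map to local uids.
TRUSTED_REALM = "EXAMPLE.COM"

# user@REALM only; a '/' means a service/instance principal (host/, admin/)
# which must not be mapped straight onto a user uid.
_USER_PRINCIPAL = re.compile(r"^(?P<uid>[^@/]+)@(?P<realm>[A-Z0-9.\-]+)$")


class AuthError(Exception):
    """No usable identity was established by the web server."""


def principal_from_environ(environ):
    """Return (uid, principal) from REMOTE_USER in a WSGI environ.

    The RPC client library ships to arbitrary machines and cannot be
    trusted, so the only identity accepted is the one the web server
    established; a missing/empty REMOTE_USER is an unauthenticated request.
    """
    principal = environ.get("REMOTE_USER")
    if not principal:
        raise AuthError("request was not authenticated by the web server")
    m = _USER_PRINCIPAL.match(principal)
    if m is None:
        raise AuthError("not a plain user principal: %r" % principal)
    if m.group("realm") != TRUSTED_REALM:
        raise AuthError("principal from untrusted realm %r" % m.group("realm"))
    return m.group("uid"), principal


def make_request(search_term, *client_claims):
    """Constructed XML-RPC body for the hypothetical 'find_user' method.

    Extra parameters stand in for anything a malicious client might add,
    such as a principal it would like the server to act as.
    """
    return xmlrpc.client.dumps((search_term,) + client_claims,
                               methodname="find_user")


def handle_find_user(environ, body):
    """Process one 'find_user' call; identity comes only from environ.

    Returns what the server would do: the uid it proxies as, the
    krbPrincipalName it could search on, and the client's search term.
    Any identity the client smuggled into the parameters is reported but
    never used.
    """
    uid, principal = principal_from_environ(environ)
    params, method = xmlrpc.client.loads(body)
    if method != "find_user":
        raise ValueError("unexpected method %r" % method)
    return {
        "proxy_as_uid": uid,
        "krbprincipalname": principal,
        "search": params[0],
        "ignored_client_claims": list(params[1:]),
    }


def make_environ(remote_user=None):
    """Constructed minimal WSGI environ; a real one carries many more keys."""
    env = {"REQUEST_METHOD": "POST", "PATH_INFO": "/ipa/xml"}
    if remote_user is not None:
        env["REMOTE_USER"] = remote_user
    return env


if __name__ == "__main__":
    # Constructed request: search for 'jsmith' while claiming to be admin.
    body = make_request("jsmith", "admin@EXAMPLE.COM")
    print(handle_find_user(make_environ("rob@EXAMPLE.COM"), body))
    for env in (make_environ(), make_environ("host/kdc.example.com@EXAMPLE.COM"),
                make_environ("rob@OTHER.REALM")):
        try:
            handle_find_user(env, body)
        except AuthError as e:
            print("rejected:", e)
```

The point of the structure is that the trust decision is made once, at the HTTP layer the client cannot bypass, and the RPC method never reads an identity from its own arguments; that is exactly why an unprotected URI that merely carries a principal name would be the wrong place to put the GUI's identity.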