[Freeipa-devel] kerberos auth issue

Rob Crittenden rcritten at redhat.com
Thu Aug 2 18:36:19 UTC 2007


I ran into a problem with my kerberos authentication in the gui
and just as I was preparing the patch.

The current code calls for the XML-RPC server to be protected by 
kerberos. If authenticated, the server takes REMOTE_USER and uses that 
as the uid when doing proxying (we could also do a search using it as 
krbPrincipalName) so the request comes in via something like 
ipa-finduser which makes the actual HTTP request using the XML-RPC 
client (rpcclient.py)

It is in there, during the XML-RPC request, that the GSSAPI magic happens.

Now this same code in rpcclient.py was originally going to be used by the 
GUI as well (write once, use for both) but the GUI is making the request 
through turbogears/Apache so we won't have the kerberos ticket because 
forwarding doesn't seem to work. One could argue that we'd do the 
kerberos auth in the web server that the GUI attaches to, but then how 
do we pass in the principal name to the XML-RPC server? An unprotected 
URI? Seems risky and we'd still need to get Apache to set REMOTE_USER.

So I'm not sure what to do. I've attached a picture that shows the 
current architecture. The RPC client is a library that we'll ship and 
will be used on any client machine. It cannot be trusted.

This would be trivial if forwarded tickets actually worked.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa.odg
Type: application/vnd.oasis.opendocument.graphics
Size: 9421 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20070802/ef549607/attachment.odg>
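The server side of the arrangement described above (the Kerberos-protected XML-RPC server taking its identity from REMOTE_USER rather than from anything the untrusted client sends), as an added example that is not FreeIPA's code and was not part of the original post. It assumes the web server in front of the XML-RPC handler sets REMOTE_USER to the full Kerberos principal after a successful GSSAPI negotiation, that the realm is EXAMPLE.COM, and that the handler name dispatch_finduser and its inputs are hypothetical stand-ins for the real dispatch.

```python
# Added example, not FreeIPA's own code: derive the uid to proxy as from the
# Kerberos-authenticated REMOTE_USER only, never from the XML-RPC payload.
# Assumptions: the web server (e.g. mod_auth_kerb) exposes the authenticated
# principal as REMOTE_USER, and EXAMPLE.COM stands in for the real realm.
import re

REALM = "EXAMPLE.COM"  # assumed realm for this example

# Kerberos principal: primary[/instance]@REALM
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$"
)


class AuthError(Exception):
    """Raised when the request carries no usable authenticated identity."""


def uid_from_remote_user(environ, realm=REALM):
    """Return the uid to proxy as, taken from REMOTE_USER.

    Rejects requests that were not authenticated at all, values that are not
    well-formed principals, principals from another realm, and service
    principals (those with an instance component), which must never be
    mapped onto a user account.
    """
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        raise AuthError("request was not Kerberos-authenticated")
    m = PRINCIPAL_RE.match(remote_user)
    if not m:
        raise AuthError("REMOTE_USER is not a Kerberos principal: %r" % remote_user)
    if m.group("realm") != realm:
        raise AuthError("principal from foreign realm %s" % m.group("realm"))
    if m.group("instance"):
        raise AuthError("service principals cannot be proxied as users")
    return m.group("primary")


def is_rejected(environ):
    """True if uid_from_remote_user refuses this environment."""
    try:
        uid_from_remote_user(environ)
    except AuthError:
        return True
    return False


def dispatch_finduser(environ, params):
    """Hypothetical server-side handler for an ipa-finduser style call.

    The search term comes from the XML-RPC params; the identity to proxy as
    comes only from the authenticated environment. Any 'uid' or 'principal'
    the untrusted client put into params is deliberately ignored, which is
    what makes an unprotected "pass me the principal name" URI unnecessary.
    """
    uid = uid_from_remote_user(environ)
    search = params.get("search", "")
    # The real server would bind to the directory as `uid` and run the
    # search; here the decision is returned so it can be inspected.
    return {"proxy_as": uid, "search": search}


if __name__ == "__main__":
    # Constructed WSGI-style environments standing in for real requests.
    authenticated = {"REMOTE_USER": "alice@EXAMPLE.COM"}
    print(dispatch_finduser(authenticated, {"search": "rob", "uid": "admin"}))
    for env in ({}, {"REMOTE_USER": "host/ipa.example.com@EXAMPLE.COM"},
                {"REMOTE_USER": "admin@OTHER.COM"}):
        print(env, "rejected:", is_rejected(env))
```

The point to carry over to the GUI question: whichever tier terminates the GSSAPI negotiation is the only tier that can legitimately produce REMOTE_USER, so the uid must be taken at that tier and never accepted from a request parameter.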