[Freeipa-devel] kerberos auth issue
Rob Crittenden
rcritten at redhat.com
Thu Aug 2 20:02:13 UTC 2007
Karl MacMillan wrote:
> On Thu, 2007-08-02 at 14:36 -0400, Rob Crittenden wrote:
>> I ran into a problem with my kerberos authentication in the gui
>> and just as I was preparing the patch.
>>
>> The current code calls for the XML-RPC server to be protected by
>> kerberos. If authenticated, the server takes REMOTE_USER and uses that
>> as the uid when doing proxying (we could also do a search using it as
>> krbPrincipalName) so the request comes in via something like
>> ipa-finduser which makes the actual HTTP request using the XML-RPC
>> client (rpcclient.py)
>>
>> It is in there, during the XML-RPC request, that the GSSAPI magic happens.
>>
>> Now this same code in rpcclient.py was orignally going to be used by the
>> GUI as well (write once, use for both) but the GUI is making the request
>> through turbogears/Apache so we won't have the kerberos ticket because
>> forwarding doesn't seem to work. One could argue that we'd do the
>> kerberos auth in the web server that the GUI attaches to, but then how
>> do we pass in the principal name to the XML-RPC server? An unprotected
>> URI? Seems risky and we'd still need to get Apache to set REMOTE_USER.
>>
>
> I thought that the backend of the xml-rpc library was going to be a
> python library that the web gui would use directly. The architecture
> would be:
>
> xmlrpc-client -----> xmlrpc-server -------> DS
> krb cert
> browser -----------> web server ----------> DS
>
> That eliminates all of the problems, right?
It does but it also means the two clients aren't playing on the same
field. I don't think there is another easy way around it without
introducing some ugly mechanism (uglier than a web server talking to a
web server).
I'll have to consider the impact on the client libraries.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20070802/a39a50c9/attachment.bin>
More information about the Freeipa-devel
mailing list