[Freeipa-devel] kerberos auth issue

Rob Crittenden rcritten at redhat.com
Thu Aug 2 20:02:13 UTC 2007


Karl MacMillan wrote:
> On Thu, 2007-08-02 at 14:36 -0400, Rob Crittenden wrote:
>> I ran into a problem with my kerberos authentication in the gui
>> and just as I was preparing the patch.
>>
>> The current code calls for the XML-RPC server to be protected by 
>> kerberos. If authenticated, the server takes REMOTE_USER and uses that 
>> as the uid when doing proxying (we could also do a search using it as 
>> krbPrincipalName) so the request comes in via something like 
>> ipa-finduser which makes the actual HTTP request using the XML-RPC 
>> client (rpcclient.py)
>>
>> It is in there, during the XML-RPC request, that the GSSAPI magic happens.
>>
>> Now this same code in rpcclient.py was originally going to be used by the 
>> GUI as well (write once, use for both) but the GUI is making the request 
>> through turbogears/Apache so we won't have the kerberos ticket because 
>> forwarding doesn't seem to work. One could argue that we'd do the 
>> kerberos auth in the web server that the GUI attaches to, but then how 
>> do we pass in the principal name to the XML-RPC server? An unprotected 
>> URI? Seems risky and we'd still need to get Apache to set REMOTE_USER.
>>
> 
> I thought that the backend of the xml-rpc library was going to be a
> python library that the web gui would use directly. The architecture
> would be:
> 
> xmlrpc-client -----> xmlrpc-server -------> DS
>                krb                   cert
> browser -----------> web server ----------> DS
> 
> That eliminates all of the problems, right?

It does but it also means the two clients aren't playing on the same 
field. I don't think there is another easy way around it without 
introducing some ugly mechanism (uglier than a web server talking to a 
web server).

I'll have to consider the impact on the client libraries.

rob
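The server side of the design Rob describes, as an added illustration that is not FreeIPA's own code: the XML-RPC handler takes the caller's identity only from REMOTE_USER as written by the web server's Kerberos module, maps the principal to a uid (here by the krbPrincipalName lookup he mentions, against a constructed in-memory stand-in for the directory), and proxies as that uid. It also shows why a caller-supplied principal, the "unprotected URI" worry, is refused: a client-sent header never lands in REMOTE_USER. The realm EXAMPLE.COM, the AUTH_TYPE value "Negotiate", the method name find_user and the sample accounts are all assumptions made for the example.

```python
"""Added illustration (not FreeIPA's own code): an XML-RPC endpoint that takes
the caller's identity only from REMOTE_USER as set by the web server's Kerberos
module, then maps the principal to the uid used when proxying to the directory."""
import xmlrpc.client

# Assumption: the realm the server's keytab belongs to.
EXPECTED_REALM = "EXAMPLE.COM"

# Constructed stand-in for a directory search on krbPrincipalName -> uid.
DIRECTORY = {
    "admin@EXAMPLE.COM": "admin",
    "kmacmillan@EXAMPLE.COM": "kmacmillan",
}


class AuthError(Exception):
    """Raised when the request carries no usable authenticated principal."""


def principal_from_environ(environ):
    """Return the Kerberos principal the web server authenticated, or raise.

    AUTH_TYPE and REMOTE_USER are CGI variables written by the auth module
    after GSSAPI succeeded (assumption: it reports AUTH_TYPE "Negotiate").
    A client cannot forge them: an HTTP header named Remote-User shows up
    as HTTP_REMOTE_USER, which is deliberately ignored here.
    """
    if environ.get("AUTH_TYPE", "").lower() not in ("negotiate", "kerberos"):
        raise AuthError("request did not pass Kerberos authentication")
    principal = environ.get("REMOTE_USER") or ""
    if "@" not in principal:
        raise AuthError("no Kerberos principal in REMOTE_USER")
    name, realm = principal.rsplit("@", 1)
    if realm != EXPECTED_REALM:
        raise AuthError("principal from foreign realm %r" % realm)
    if "/" in name:
        raise AuthError("service principals may not use the user API")
    return principal


def uid_for_principal(principal):
    """Resolve the uid by searching the directory on krbPrincipalName."""
    try:
        return DIRECTORY[principal]
    except KeyError:
        raise AuthError("no account for %s" % principal) from None


def handle_xmlrpc(environ, body):
    """Serve one XML-RPC call bound to the authenticated uid; fault on error."""
    try:
        uid = uid_for_principal(principal_from_environ(environ))
        params, method = xmlrpc.client.loads(body)
        if method != "find_user":
            raise xmlrpc.client.Fault(1, "unknown method %s" % method)
        # The uid, not anything in the request body, decides whom we proxy as.
        result = {"proxy_as": uid, "query": params[0]}
        return xmlrpc.client.dumps((result,), methodresponse=True).encode()
    except AuthError as e:
        fault = xmlrpc.client.Fault(401, str(e))
    except xmlrpc.client.Fault as f:
        fault = f
    return xmlrpc.client.dumps(fault).encode()


def encode_call(method, *params):
    """Client side: build the request body a client like rpcclient.py sends."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


def decode_response(body):
    """Client side: ('ok', value) for a result, ('fault', code) for a fault."""
    try:
        (value,), _ = xmlrpc.client.loads(body)
        return ("ok", value)
    except xmlrpc.client.Fault as f:
        return ("fault", f.faultCode)


if __name__ == "__main__":
    call = encode_call("find_user", "karl")
    # Authenticated by the web server's Kerberos module: proxied as that uid.
    print(decode_response(handle_xmlrpc(
        {"AUTH_TYPE": "Negotiate", "REMOTE_USER": "kmacmillan@EXAMPLE.COM"}, call)))
    # Client tries to name the principal itself via a header: refused.
    print(decode_response(handle_xmlrpc(
        {"HTTP_REMOTE_USER": "admin@EXAMPLE.COM"}, call)))
```

The check on the realm and on service principals is what keeps a "use the principal's name part as the uid" shortcut safe: without it, HTTP/host@EXAMPLE.COM or admin@OTHER.REALM could be mapped onto a local account. In the GUI-through-Apache arrangement Karl proposes, the same principal_from_environ step would run in the web server's own request handling rather than in the XML-RPC server.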