[Freeipa-devel] [PATCH] Jumbo patch to add kerberos auth, do other stuff
Rob Crittenden
rcritten@redhat.com
Mon Aug 6 15:54:42 UTC 2007
So this is a pretty huge patch and a smaller one. Going to need a few
eyeballs on these.
The smaller patch (which requires the jumbo one) does realm substitution
for /etc/httpd/conf.d/ipa.conf. I think that most of the hardcoding
is now gone. The only things left I believe are ports and perhaps a
hostname or two (set to localhost).
The jumbo patch does the following:
- Abstracted client class to work directly or over RPC
- Update tools to use kerberos
- Add User class
- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
- Remove references to admin server in ipa-server-setupssl
- Generate a client certificate for the XML-RPC server to connect to
LDAP with
- Create a keytab for Apache
- Create an ldif with a test user
- Provide a certmap.conf for doing SSL client authentication
So in other words, it touches just about everything.
For this to work you'll need the PyKerberos RPM I sent to the list earlier.
Now once all this stuff is built and installed, it won't quite work.
Here are the steps I take to get a working system:
1. Import a user to test with: ldapmodify -x -D "cn=Directory Manager"
-w PASSWORD < /usr/share/ipa/test-users.ldif
2. edit /etc/krb5.conf and replace the value of ldap_kadmind_dn with
cn=Directory Manager. NOTE: if you decide to restart the krb5 service
you'll have to switch this back otherwise you'll get a completely
cryptic error back
3. set the new password for cn=Directory Manager in
/var/kerberos/krb5kdc/ldappwd. I move the old file out of the way and
create a new one. If you use freeipa as the DS password then the value
is: cn=Directory Manager#{HEX}66726565697061
4. Set a password for test@REALM: kadmin.local -> cpw test@REALM
5. chmod 644 /usr/share/ipa/*.pem /usr/share/ipa/cacert.asc
6. (I'd do this as a user, not root): kinit test@REALM
7. /usr/sbin/ipa-finduser test
This will exercise just about everything. Once step 7 returns a user you
can try adding one with ipa-adduser.
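An added example, not part of the jumbo patch or this message: a POSIX shell script that automates steps 1-5 above for a given Directory Manager password, leaving steps 6-7 (kinit, ipa-finduser) to be run as an unprivileged user. REALM, the stash path from step 3, and the quoted-DN form of ldap_kadmind_dn in krb5.conf are assumptions; the script only touches the live system when invoked with `run`.

```shell
#!/bin/sh
# Added example (not from the jumbo patch): automate steps 1-5 of the
# setup above. Steps 6-7 (kinit, ipa-finduser) are then run as a normal user.
set -eu

REALM="${REALM:-EXAMPLE.COM}"                 # assumed; set to your realm
STASH=/var/kerberos/krb5kdc/ldappwd           # KDC stash file from step 3
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"

# Build a krb5kdc stash line: "<bind DN>#{HEX}<password as hex bytes>".
# For password "freeipa" this yields cn=Directory Manager#{HEX}66726565697061
ldappwd_entry() {
    dn=$1; pw=$2
    hex=$(printf '%s' "$pw" | od -An -tx1 | tr -d ' \n')
    printf '%s#{HEX}%s\n' "$dn" "$hex"
}

# Step 2: point ldap_kadmind_dn in a krb5.conf at a new bind DN. The quoted
# form is assumed; the KDC needs the original value back before krb5 restarts.
set_kadmind_dn() {
    conf=$1; dn=$2
    sed "s|^\([[:space:]]*ldap_kadmind_dn[[:space:]]*=\).*|\1 \"$dn\"|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

bootstrap() {
    dm_pw=$1                                  # Directory Manager password
    # 1. load the test user shipped with the patch
    ldapmodify -x -D "cn=Directory Manager" -w "$dm_pw" \
        < /usr/share/ipa/test-users.ldif
    # 2. let the KDC bind as Directory Manager (keep a copy to revert later)
    cp "$KRB5_CONF" "$KRB5_CONF.pre-ipa"
    set_kadmind_dn "$KRB5_CONF" "cn=Directory Manager"
    # 3. move the old stash aside and write the new one, root-only readable
    if [ -f "$STASH" ]; then mv "$STASH" "$STASH.orig"; fi
    ldappwd_entry "cn=Directory Manager" "$dm_pw" > "$STASH"
    chmod 600 "$STASH"
    # 4. set the test principal's password (kadmin.local prompts for it)
    kadmin.local -q "cpw test@$REALM"
    # 5. make the server certs and CA readable by the XML-RPC/Apache side
    chmod 644 /usr/share/ipa/*.pem /usr/share/ipa/cacert.asc
}

# Only touch the live system when invoked as: sh ipa-bootstrap.sh run <dm-password>
if [ "${1:-}" = "run" ]; then
    bootstrap "${2:?Directory Manager password required}"
fi
```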
I haven't tested Kevin's revamped GUI yet but my old clunker works with
this.
Noted deficiencies of current code:
1. A bind is done with every operation. No attempt is made at caching
LDAP connections
2. A new session is created even using the local way (for the GUI).
There is surely a way to create one client object and re-use it
3. Fields for add user in the GUI are still hardcoded
4. ipa-adduser still has some odd options
Kevin, some things of note for you:
1. I removed the userPassword question. Would have required another ACI
to allow it and I just didn't feel like messing with it.
2. You want to import ipaclient now and invoke things like this:
client = ipaclient.IPAClient(True)
client.set_principal("test@REALM")
users = client.add_user(kw)
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jumbo.patch
Type: text/x-patch
Size: 61465 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20070806/e24a12b6/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa.patch
Type: text/x-patch
Size: 3803 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20070806/e24a12b6/attachment-0001.bin>