[Freeipa-devel] [PATCH] Jumbo patch to add kerberos auth, do other stuff

Rob Crittenden <rcritten@redhat.com>
Mon Aug 6 15:54:42 UTC 2007


So this is a pretty huge patch and a smaller one. Going to need a few 
eyeballs on these.

The smaller patch (which requires the jumbo one) does realm substitution 
for /etc/httpd/conf.d/ipa.conf. I think that most of the hardcoding 
is now gone. The only things left, I believe, are ports and perhaps a 
hostname or two (set to localhost).

The jumbo patch does the following:

- Abstracted client class to work directly or over RPC
- Update tools to use kerberos
- Add User class
- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
- Remove references to admin server in ipa-server-setupssl
- Generate a client certificate for the XML-RPC server to connect to 
LDAP with
- Create a keytab for Apache
- Create an ldif with a test user
- Provide a certmap.conf for doing SSL client authentication

So in other words, it touches just about everything.

For this to work you'll need the PyKerberos RPM I sent to the list earlier.

Now once all this stuff is built and installed, it won't quite work. 
Here are the steps I take to get a working system:

1. Import a user to test with: ldapmodify -x -D "cn=Directory Manager" 
-w PASSWORD < /usr/share/ipa/test-users.ldif
2. edit /etc/krb5.conf and replace the value of ldap_kadmind_dn with 
cn=Directory Manager. NOTE: if you decide to restart the krb5 service 
you'll have to switch this back, otherwise you'll get a completely 
cryptic error back
3. set the new password for cn=Directory Manager in 
/var/kerberos/krb5kdc/ldappwd. I move the old file out of the way and 
create a new one. If you use freeipa as the DS password then the value 
is: cn=Directory Manager#{HEX}66726565697061
4. Set a password for test@REALM: kadmin.local -> cpw test@REALM
5. chmod 644 /usr/share/ipa/*.pem /usr/share/ipa/cacert.asc
6. (I'd do this as a user, not root): kinit test@REALM
7. /usr/sbin/ipa-finduser test

This will exercise just about everything. Once step 7 returns a user you 
can try adding one with ipa-adduser.

I haven't tested Kevin's revamped GUI yet but my old clunker works with 
this.

Noted deficiencies of current code:

1. A bind is done with every operation. No attempt is made at caching 
LDAP connections
2. A new session is created even using the local way (for the GUI). 
There is surely a way to create one client object and re-use it
3. Fields for add user in the GUI are still hardcoded
4. ipa-adduser still has some odd options

Kevin, some things of note for you:

1. I removed the userPassword question. Would have required another ACI 
to allow it and I just didn't feel like messing with it.
2. You want to import ipaclient now and invoke things like this:

     import ipaclient

     client = ipaclient.IPAClient(True)   # True: use the direct (local) path rather than XML-RPC
     client.set_principal("test@REALM")
     users = client.add_user(kw)          # kw: dict of attributes for the new user

rob
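Step 3 above writes the KDC's LDAP service-password stash by hand, which is easy to get subtly wrong. The Python below is an added example, not code from this message or from FreeIPA: it builds the `<bind DN>#{HEX}<hex of password>` line that MIT krb5's `kdb5_ldap_util stashsrvpw` would normally write to /var/kerberos/krb5kdc/ldappwd, parses such a file back, and checks the two things that cause the "completely cryptic error" and a password leak respectively: the DN in the stash has to be the one named by ldap_kadmind_dn in krb5.conf, and the hex is plain encoding rather than encryption, so the file must not be group- or other-readable. The DNs, passwords and temporary path used in `demo()` are constructed for the example.

```python
"""
Added example (not part of the original message or of FreeIPA): build,
parse and sanity-check an MIT Kerberos LDAP service-password stash file
(the /var/kerberos/krb5kdc/ldappwd file from step 3).  Each line is
    <bind DN>#{HEX}<password as hex>
The hex is an encoding, not encryption, so file permissions are the
only thing protecting the Directory Manager password.
"""
import os
import stat
import tempfile

HEX_TAG = "#{HEX}"


def build_entry(dn, password):
    """Stash line for one bind DN, e.g. 'cn=Directory Manager#{HEX}66726565697061'."""
    return "%s%s%s" % (dn, HEX_TAG, password.encode("utf-8").hex())


def parse_stash(text):
    """Map bind DN -> clear-text password for every well-formed line in the stash."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or HEX_TAG not in line:
            continue
        # rsplit so a literal '#' inside the DN itself cannot confuse the split
        dn, hexpw = line.rsplit(HEX_TAG, 1)
        entries[dn] = bytes.fromhex(hexpw).decode("utf-8")
    return entries


def write_stash(path, entries):
    """Write the stash owner-read/write only (0600), even if the file already existed."""
    body = "".join(build_entry(dn, pw) + "\n" for dn, pw in entries.items())
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o600)  # O_CREAT mode only applies to a new file; fix pre-existing bits too
    return path


def check_stash(path, expected_dn):
    """Return the problems the KDC (or an attacker) would hit with this stash file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("stash mode %04o is group/other accessible" % mode)
    with open(path) as fh:
        entries = parse_stash(fh.read())
    if expected_dn not in entries:
        problems.append("no stash entry for %r (must match ldap_kadmind_dn in krb5.conf)"
                        % expected_dn)
    return problems


def demo():
    """Constructed run: a world-readable stash for the wrong DN, then the corrected file."""
    path = os.path.join(tempfile.mkdtemp(), "ldappwd")
    with open(path, "w") as fh:  # hypothetical DN and password, for illustration only
        fh.write(build_entry("cn=kdc-service,dc=example,dc=com", "hunter2") + "\n")
    os.chmod(path, 0o644)
    before = check_stash(path, "cn=Directory Manager")
    write_stash(path, {"cn=Directory Manager": "freeipa"})
    after = check_stash(path, "cn=Directory Manager")
    return before, after


if __name__ == "__main__":
    print(build_entry("cn=Directory Manager", "freeipa"))
    print(demo())
```

`build_entry("cn=Directory Manager", "freeipa")` reproduces the exact line quoted in step 3, which is a quick way to confirm the format before touching the real file; in production, prefer `kdb5_ldap_util stashsrvpw` to writing the file by hand, and check the result with something like `check_stash` before restarting the KDC.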
Attachments:
  jumbo.patch (text/x-patch, 61465 bytes):
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20070806/e24a12b6/attachment.bin>
  ipa.patch (text/x-patch, 3803 bytes):
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20070806/e24a12b6/attachment-0001.bin>