[Freeipa-devel] another snag with kerberos

Karl MacMillan kmacmill at redhat.com
Thu Jul 19 13:02:33 UTC 2007


On Thu, 2007-07-19 at 12:36 +1000, Andrew Bartlett wrote:
> On Wed, 2007-07-18 at 22:13 -0400, Rob Crittenden wrote:
> > Andrew Bartlett wrote:
> > > On Tue, 2007-07-17 at 11:00 -0400, Rob Crittenden wrote:
> 
> > >> In any case we can't do anything until we find a way to do kerberos SSO 
> > >> with ticket forwarding using some sort of HTTP engine. 
> > > 
> > > Ticket forwarding is on the esoteric end of the kerberos spectrum, and I
> > > wonder if for IPAv1 we should instead have the XMLRPC server simply be
> > > trusted?  (Bind as EXTERNAL, then do LDAP proxy authorization). 
> > 
> > I'm all in favor of a solution that will work. Do you have any details 
> > on how one might do this and whether it is supported by mod_auth_kerb?
> > 
> > The way the communication goes is this:
> > 
> > Web -> Apache/mod_auth_kerb -> RPC client -> RPC server -> LDAP
> 
> Why do we have the RPC client -> RPC server layer here?  
> 
> > So we need some way of grabbing the credentials and passing them all the 
> > way to LDAP so we can bind as the user who is logging into Apache.
> > 
> > Knowing next-to-nothing about SASL I'm going to need some hand-holding 
> > to get this configured and working.
> 
> I suppose I expected (having clearly not followed this enough) that the
> layers were:
> 
> User-> web browser -> Apache/mod_auth_kerb -> LDAP
> 
> User -> command-line-tool -> Apache/mod_auth_kerb -> LDAP
> 
> In these cases, you could authenticate the Apache/mod_auth_kerb by
> simply asserting your identity to LDAP over ldapi://
> 

Ahh - I see. So on local communications with the LDAP server you can
just assert your identity with no authentication.

That solves our problem assuming that we can somehow handle the
authentication through the web gui to the xmlrpc layer. We could:

1) remove the xmlrpc layer (either entirely or just for the web gui)
2) invent some way to pass who the user is and handle 'local'
communication between the gui and xmlrpc layer.

We've debated several times whether the xmlrpc layer is truly useful - I
like it mainly because it gives a language neutral interface. However,
since it is causing a significant amount of complexity (not just this
- there are also the API design issues) I suggest we drop it for v1. We
can simply use a common python library for the web and commandline
interfaces. That should reduce our development time as well.

Thoughts?

Karl
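The "bind as EXTERNAL over ldapi://, then proxy-authorize as the web user" pattern discussed above, as an added example that is not code from this thread or from FreeIPA. It assumes python-ldap-style method names on an injected connection object, a realm of EXAMPLE.COM and a user container of ou=people,dc=example,dc=com; the check on REMOTE_USER is the part a trusted web tier cannot skip, since the directory will believe whatever identity it asserts.

```python
import re

# RFC 4370 Proxied Authorization control; its value is the raw authzId string.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"
SCOPE_SUBTREE = 2  # numeric value python-ldap uses for ldap.SCOPE_SUBTREE

# Assumed values, not taken from the thread.
REALM = "EXAMPLE.COM"
USER_BASE = "ou=people,dc=example,dc=com"

# A plain user principal: no '/' (service instances), no DN metacharacters.
_PRINCIPAL = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]{0,63})@([A-Z0-9.-]+)$")


def authzid_for_remote_user(remote_user, realm=REALM, user_base=USER_BASE):
    """Map mod_auth_kerb's REMOTE_USER (user@REALM) to an LDAP authzId.

    Only a principal that mod_auth_kerb authenticated in our own realm may be
    asserted to the directory; anything else (foreign realm, service
    principal, characters that could alter the DN) is refused outright.
    """
    m = _PRINCIPAL.match(remote_user or "")
    if not m or m.group(2) != realm:
        raise ValueError("refusing to proxy identity %r" % (remote_user,))
    return "dn:uid=%s,%s" % (m.group(1), user_base)


def proxy_authz_control(authzid, critical=True):
    """Proxied Authorization control as an (oid, criticality, value) triple.

    Critical by default, so a server that does not honour the control rejects
    the operation instead of silently running it as the daemon's identity.
    """
    return (PROXY_AUTHZ_OID, critical, authzid.encode("utf-8"))


def search_as_user(conn, remote_user, base, filterstr, attrlist=None):
    """Bind over ldapi:// as the daemon (SASL EXTERNAL, no password) and run
    the search on behalf of REMOTE_USER via proxy authorization.

    `conn` is any object exposing python-ldap-style sasl_external_bind_s()
    and search_ext_s(); opening it (ldap.initialize("ldapi:///")) and
    wrapping the control triple for the library are left to the caller.
    """
    authzid = authzid_for_remote_user(remote_user)  # validate before binding
    conn.sasl_external_bind_s()
    return conn.search_ext_s(base, SCOPE_SUBTREE, filterstr, attrlist,
                             serverctrls=[proxy_authz_control(authzid)])
```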
