[Freeipa-devel] another snag with kerberos
Andrew Bartlett
abartlet at samba.org
Thu Jul 19 14:10:06 UTC 2007
On Thu, 2007-07-19 at 08:49 -0400, Karl MacMillan wrote:
> On Thu, 2007-07-19 at 12:08 +1000, Andrew Bartlett wrote:
> > On Tue, 2007-07-17 at 11:00 -0400, Rob Crittenden wrote:
> > > Karl MacMillan wrote:
> > > > On Tue, 2007-07-17 at 10:33 -0400, John Dennis wrote:
> > > >> On Tue, 2007-07-17 at 09:02 -0400, Rob Crittenden wrote:
> > > >>> I don't see a way to add headers to the client request using xmlrpclib.py.
> > > >> I took a quick look at xmlrpclib.py. I agree there does not seem to be a
> > > >> way to add headers in the exported API. However, it's not a complicated
> > > >> module and fairly cleanly written so it looks like it would be
> > > >> relatively easy to edit the module and add the authentication
> > > >> functionality. This would mean the IPA implementation would have its
> > > >> own private copy of the module but I suspect once it's working a diff
> > > >> against the original sent as a patch to upstream would be most welcome
> > > >> and then at a later date you can nuke your private copy once upstream
> > > >> ships the fix.
> > > >
> > > > Not ideal - but seems workable. Rob - any other options or is this the
> > > > way you want to go?
> > > >
> > > > Karl
> > > >
> > >
> > > After looking at this some more I wonder if we could simply subclass the
> > > Transport method and include the headers that way. I'm not enough of a
> > > python expert to know how large a task this would be.
> > >
> > > In any case we can't do anything until we find a way to do kerberos SSO
> > > with ticket forwarding using some sort of HTTP engine.
> >
> > Ticket forwarding is on the esoteric end of the kerberos spectrum, and I
> > wonder if for IPAv1 we should instead have the XMLRPC server simply be
> > trusted? (Bind as EXTERNAL, then do LDAP proxy authorization).
> >
>
> Maybe I don't understand, but are you suggesting that the LDAP database
> not know the user identity? So the xmlrpc server would connect using a
> single identity?
That's the Samba approach, but no, that's not what I propose.
> We got to where we are today because we didn't want to recreate the
> access control layer that exists in the LDAP server in our xmlrpc
> server.
Indeed.
> So if what you're suggesting is the above then I would rather
> avoid that.
If the intermediary can say 'I've proved myself trusted over ldapi://,
then use ldap proxy authorization to assert that this operation occurs
as <original user dn>.
The con is that this intermediary can effectively become any user in the
directory (by assertion, if compromised).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
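An added example, not code from this thread or from IPA, of the approach Rob floats above: subclassing the XML-RPC Transport so that every request carries an extra HTTP header. It uses Python 3's xmlrpc.client in place of the xmlrpclib.py discussed in the thread; the host, handler path, method name and the Authorization header value are placeholders, and the recording connection is a stand-in for http.client.HTTPConnection so that the request can be inspected without a network.

```python
"""Inject extra HTTP headers into XML-RPC requests by subclassing Transport.
Added example: host, handler, method and header values are placeholders."""
import xmlrpc.client


class HeaderTransport(xmlrpc.client.Transport):
    """Transport that appends caller-supplied headers to each POST.

    Transport.send_request() assembles the standard headers and hands them
    to send_headers(); overriding that one hook is enough to add our own.
    """

    def __init__(self, extra_headers, **kwargs):
        super().__init__(**kwargs)
        self.extra_headers = list(extra_headers)  # list of (name, value)

    def send_headers(self, connection, headers):
        super().send_headers(connection, list(headers) + self.extra_headers)


class RecordingConnection:
    """Stand-in for http.client.HTTPConnection (constructed for the example):
    records what the transport would have sent instead of opening a socket."""

    def __init__(self):
        self.request_line = None
        self.headers = []
        self.body = None

    def putrequest(self, method, url, **kwargs):
        self.request_line = (method, url)

    def putheader(self, name, value):
        self.headers.append((name, value))

    def endheaders(self, message_body=None, **kwargs):
        self.body = message_body

    def set_debuglevel(self, level):
        pass


class RecordingTransport(HeaderTransport):
    """HeaderTransport wired to the recorder so the request can be inspected."""

    def __init__(self, extra_headers):
        super().__init__(extra_headers)
        self.last_connection = None

    def make_connection(self, host):
        self.last_connection = RecordingConnection()
        return self.last_connection


def build_request(extra_headers, method="user_find", params=("admin",),
                  host="ipa.example.test", handler="/ipa/xml"):
    """Serialize one XML-RPC call, push it through the transport and return
    (request_line, headers_dict, body) as they would go on the wire."""
    body = xmlrpc.client.dumps(params, methodname=method).encode("utf-8")
    transport = RecordingTransport(extra_headers)
    transport.send_request(host, handler, body, False)
    conn = transport.last_connection
    return conn.request_line, dict(conn.headers), conn.body


if __name__ == "__main__":
    # Placeholder token: a real client would carry a GSSAPI/SPNEGO token here.
    line, headers, body = build_request([("Authorization", "Negotiate <token>")])
    print(line, headers)
```

The override touches only header assembly, so request serialization, gzip handling and the connection itself stay with the base class. Note that from Python 3.8 onwards xmlrpc.client.ServerProxy and Transport accept a `headers=` argument directly, so on current interpreters the subclass is not even needed; the example keeps the subclass because that is the mechanism the thread discusses.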
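An added example, not code from the thread, from IPA, or from any LDAP library, for the "ldap proxy authorization" Andrew proposes: the Proxied Authorization control of RFC 4370 built by hand in BER so the wire format is visible, together with the one check that contains the risk he names (the intermediary can become any user by assertion). The intermediary derives the asserted identity from the Kerberos principal it actually authenticated and refuses anything else, so a caller cannot hand it an arbitrary DN. The realm and the uid=...,cn=users,cn=accounts,... layout are assumed placeholders.

```python
"""RFC 4370 Proxied Authorization control, encoded/decoded by hand, plus a
strict principal-to-authzId mapping.  Added example; realm and DN layout are
assumed placeholders, not IPA's."""
import re

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # RFC 4370 control type


def _ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_length(len(content)) + content


def encode_proxy_authz_control(authz_id):
    """Control ::= SEQUENCE { controlType OCTET STRING, criticality BOOLEAN,
    controlValue OCTET STRING }.  RFC 4370 requires criticality TRUE and puts
    the authzId ("dn:..." or "u:...") directly into controlValue."""
    return _tlv(0x30,
                _tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
                + _tlv(0x01, b"\xff")
                + _tlv(0x04, authz_id.encode("utf-8")))


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_proxy_authz_control(data):
    """Inverse of encode_proxy_authz_control: (oid, critical, authz_id)."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single Control SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    tag, crit, pos = _read_tlv(seq, pos)
    if tag != 0x01:
        raise ValueError("criticality must be a BOOLEAN")
    tag, value, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("malformed controlValue")
    return oid.decode("ascii"), crit != b"\x00", value.decode("utf-8")


def authz_id_for_principal(principal, realm="EXAMPLE.TEST",
                           users_base="cn=users,cn=accounts,dc=example,dc=test"):
    """Map an *authenticated* Kerberos principal to the authzId the proxy may
    assert.  Only plain user principals of our own realm, with a conservative
    character set, are accepted; foreign realms, service principals (they
    contain '/') and anything that could alter DN syntax (',', '=', '+') are
    rejected instead of being forwarded to the directory."""
    name, sep, prin_realm = principal.rpartition("@")
    if not sep or prin_realm != realm:
        raise ValueError("principal is not in realm %s" % realm)
    if not re.fullmatch(r"[a-z0-9_][a-z0-9_.-]{0,31}", name):
        raise ValueError("not a plain user principal: %r" % name)
    return "dn:uid=%s,%s" % (name, users_base)


if __name__ == "__main__":
    authz = authz_id_for_principal("alice@EXAMPLE.TEST")
    print(authz, encode_proxy_authz_control(authz).hex())
```

The control is sent on each operation after the intermediary's own EXTERNAL bind over ldapi://, and the directory still evaluates its access control as the asserted DN, which is what keeps the ACL layer in the LDAP server. What the mapping function buys is that a compromised or buggy caller of the intermediary cannot choose the DN; only a compromise of the intermediary itself yields the "become any user" capability, and the directory side can narrow even that by granting the proxy right to the intermediary's identity alone.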