[Freeipa-devel] When ticket fwding fails

Karl MacMillan kmacmill at redhat.com
Mon Oct 29 14:37:46 UTC 2007


On Wed, 2007-10-24 at 16:34 -0400, Rob Crittenden wrote:
> Sit down for a nice little story.
> 
> Once upon a time we wanted to do kerberos ticket forwarding and use that 
> to authenticate to FDS. Unfortunately our hero (that's me) couldn't get 
> it working.
> 
> So instead we decided to use LDAP proxy authentication instead. What we 
> would do is take the principal that was authenticated and use that to 
> find the DN of the person. We would then send that DN along in a server 
> control when doing LDAP operations.
> 
> Things were fine but the evil ACIs were causing troubles.
> 
> Then our hero found a patch on a mailing list that made mod_auth_kerb 
> play nice and actually do ticket forwarding so we switched to that.
> 
> The code for proxy auth was left in as a fallback but as things 
> progressed that code suffered serious bit-rot and much was ripped out 
> (those evil ACIs for one).
> 
> Here we are in the present day and someone tried to use freeipa 
> without using the magical mod_auth_kerb that does ticket forwarding and 
> it tried to fall back to proxy auth which not only failed, it threw some 
> nasty Python errors because the argument list changed.
> 
> As I see it we have 3 options:
> 
> 1. Slay the beast and remove all vestiges of proxy auth
> 2. Ignore the beast and leave things as they are with the probably 
> unfulfilled promise of tackling it later
> 3. Fix it so proxy auth can work again
> 
> I think I'm inclined to go route #2, perhaps adding an "except" in so we 
> can better tell the user what is wrong rather than having to remember 
> what a cryptic Python stack means.

I was so entertained I forgot to reply . . . #2 w/ better error messages
seems good to me.

Karl
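The proxy-auth fallback Rob describes (map the authenticated Kerberos principal to its entry DN, then send that DN in a server control on each LDAP operation) and the "add an except so the user gets a readable error" suggestion can be sketched together. The following is an added example written for this page, not code from FreeIPA; it assumes a forwarded ticket shows up as a KRB5CCNAME credential cache, uses a constructed principal-to-DN table in place of an LDAP search, and builds the RFC 4370 proxied-authorization control by hand (OID 2.16.840.1.113730.3.4.18, value "dn:<DN>") so it runs without a directory server.

```python
import os

# OID of the LDAP Proxied Authorization Control (RFC 4370).
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

# Constructed sample directory: principal name (realm stripped) -> entry DN.
# In a real deployment this would be an LDAP search on krbPrincipalName.
SAMPLE_DIRECTORY = {
    "admin": "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
    "alice": "uid=alice,cn=users,cn=accounts,dc=example,dc=com",
}


class AuthError(Exception):
    """Raised with a human-readable message instead of a raw traceback."""


def principal_to_dn(principal, directory=SAMPLE_DIRECTORY):
    """Resolve user@REALM to the DN of the user's entry.

    Service principals (host/..., HTTP/...) are rejected: they are not
    user entries and must never be proxied as one.
    """
    name, sep, realm = principal.partition("@")
    if not sep or not realm:
        raise AuthError("principal %r has no realm" % principal)
    if "/" in name:
        raise AuthError("service principal %r is not a user" % principal)
    try:
        return directory[name]
    except KeyError:
        raise AuthError("no directory entry for principal %r" % principal)


def proxy_authz_control(dn, critical=True):
    """Build the (oid, criticality, value) triple for a proxied-authorization
    request control. RFC 4370 carries an authzId; the "dn:" form names the
    entry the server should evaluate ACIs for. Marking it critical makes a
    server that does not support the control refuse the operation rather
    than silently running it as the bind identity.
    """
    return (PROXY_AUTHZ_OID, critical, "dn:" + dn)


def choose_bind(principal, env=None):
    """Pick the authentication path for one request.

    Returns ("forwarded", ccache) when a forwarded ticket is available (the
    mod_auth_kerb path), otherwise ("proxy", control) for the fallback.
    Any failure in the fallback surfaces as AuthError with a plain message.
    """
    env = os.environ if env is None else env
    ccache = env.get("KRB5CCNAME")
    if ccache:
        return ("forwarded", ccache)
    dn = principal_to_dn(principal)
    return ("proxy", proxy_authz_control(dn))


if __name__ == "__main__":
    for env in ({}, {"KRB5CCNAME": "FILE:/tmp/krb5cc_apache_0"}):
        print(choose_bind("alice@EXAMPLE.COM", env=env))
    try:
        choose_bind("HTTP/ipa.example.com@EXAMPLE.COM", env={})
    except AuthError as e:
        print("refused:", e)
```

The point of wrapping the fallback in its own exception type is exactly Rob's "except" idea: the caller reports `AuthError` text to the user, while anything else (such as the argument-list mismatch that produced the original traceback) still propagates as a genuine bug.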
