[Freeipa-devel] Freeipa and Kerberos

Jason Gerard DeRose jderose at redhat.com
Sun Nov 30 19:48:36 UTC 2008


Stoyan Gaydarov wrote:
> Jason Gerard DeRose wrote:
>> Stoyan Gaydarov wrote:
>>> Hi, my name is Stoyan and I am working on a project that involves Python,
>>> XML-RPC, and Kerberos, similar to what Freeipa does, and I wanted to see
>>> if someone could help me in understanding how Freeipa does their
>>> authentication so that I can do something similar for our project. I
>>> have looked at the code and saw that the client side uses the xmlrpclib
>>> that is part of Python and it extends the transport layer. This seems
>>> perfectly reasonable and I understand most of it. However, the server
>>> side is a little more complex. I would like some help understanding what
>>> is going on. Currently I just use the SimpleXMLRPCServer that is part of
>>> Python and I just extend it. I don't need the server to do anything
>>> special other than Kerberos authentication, so it works well for me. Any
>>> information about how it works would be greatly appreciated.
>>>
>>> -Stoyan
>>
>> Stoyan,
>>
>> In a production deployment, freeIPA runs under Apache2 and we use
>> mod_auth_kerb as our first layer of authentication. For information on
>> mod_auth_kerb, see:
>>
>>   http://modauthkerb.sourceforge.net/
>>
>> Our second layer of authentication is to do an LDAP bind using the
>> user's Kerberos credentials. We rely on LDAP to determine what the user
>> can and can't do because (at least in v1) all the things a user might do
>> involve reading from or writing to LDAP. So in freeIPA itself all we
>> really do is make sure no anonymous access is allowed (users always need a
>> valid Kerberos ticket).
>>
>> I don't know v1 very well (I pretty much just work on v2), so other
>> people on the list might be able to fill in more v1 details. However,
>> authentication in v2 is more or less the same except we also have
>> development XML-RPC and web-UI servers designed to run from within the
>> source tree, so these development servers don't have the mod_auth_kerb
>> layer (because they don't run under Apache2).
>>
>> I hope this helps. Best of luck on your project! And if you get an itch
>> to work on another Python/Kerberos/XML-RPC project, we *always* welcome
>> new freeIPA developers!
>>
>> Cheers,
>> Jason
>>
>>
> 
> Thank you so much for the information. As I had suspected, you do rely
> on Apache to do the authentication. I am however interested in v2 now
> because, as you say, there will be components that run outside of Apache
> and still need the Kerberos authentication. This is similar to what I am
> working on. Do you know anything about it, or do you know where I can get
> some information on this? Any help would be great.
> 
> -Stoyan

First, to make sure we're on the same page, these v2 components that run
outside of Apache are special servers that are *only* used for
development within the source tree, and are never used in a production
deployment. They're simply a convenience to the developers.

Anyway, outside Apache mod_auth_kerb, the only authentication we do is
an LDAP bind using the user's Kerberos credentials. Unless your
application uses LDAP this won't help you because we totally rely on LDAP
to do the authentication... all we do is forward the user's Kerberos
ticket. So based on what you've told me, I don't think freeIPA (v1 or
v2) does any Kerberos authentication the way you are planning to.

However, there are two Kerberos-related Python libraries that we use,
and I'm sure one of them can do what you need (although I don't
personally know how to do it).

We use the Apple Kerberos/GSSAPI Python library:

  http://trac.calendarserver.org/browser/PyKerberos

And we use the Red Hat python-krbV binding to the Kerberos C library:

  http://people.redhat.com/mikeb/python-krbV/

One other thing: because our production version always runs behind
Apache, we send the Kerberos ticket in the HTTP headers (which is what
mod_auth_kerb expects). But if you aren't planning to run behind Apache,
it will probably be more convenient for you (and for the consumers of
your XML-RPC API) to send the Kerberos ticket as an XML-RPC argument
(say the first argument).
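The shape of what Jason describes, as an added example that is not freeIPA code and not from either poster: an XML-RPC server that refuses every anonymous call, reads the ticket from an "Authorization: Negotiate" header (the mod_auth_kerb convention, rather than passing it as the first XML-RPC argument), and identifies the caller only through whatever verified the token. It assumes Python 3's xmlrpc.server/xmlrpc.client modules; the pykerberos_verifier function uses PyKerberos's authGSSServerInit/Step/UserName/Clean calls and is only usable on a host with a keytab, so the demo runs with a constructed verifier and a constructed token instead (both clearly fake; names such as call_whoami and NegotiateTransport are this example's own).

```python
import base64
import threading
import xmlrpc.client
import xmlrpc.server

# --- server side -----------------------------------------------------------

def make_handler(verify):
    """Build a request handler that refuses anonymous calls.

    `verify` takes the base64 token from an "Authorization: Negotiate <token>"
    header and returns the client principal, or None if it does not verify.
    The handler never trusts a client-supplied name; only the verifier's
    answer identifies the caller.
    """
    class NegotiateRequestHandler(xmlrpc.server.SimpleXMLRPCRequestHandler):
        rpc_paths = ("/RPC2",)

        def do_POST(self):
            scheme, _, token_b64 = self.headers.get("Authorization", "").partition(" ")
            principal = verify(token_b64) if scheme == "Negotiate" and token_b64 else None
            if principal is None:
                # No (or bad) ticket: answer 401 with the Negotiate challenge,
                # as mod_auth_kerb would, and never reach the XML-RPC dispatcher.
                self.send_response(401)
                self.send_header("WWW-Authenticate", "Negotiate")
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            # SimpleXMLRPCServer handles one request at a time, so the server
            # object is a safe place to hand the principal to RPC methods.
            self.server.current_principal = principal
            super().do_POST()

    return NegotiateRequestHandler


def serve(verify, host="127.0.0.1", port=0):
    """Start the XML-RPC server on a background thread; port 0 picks a free port."""
    server = xmlrpc.server.SimpleXMLRPCServer(
        (host, port), requestHandler=make_handler(verify), logRequests=False)
    server.current_principal = None
    server.register_function(lambda: server.current_principal, "whoami")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def pykerberos_verifier(service="HTTP"):
    """Verifier backed by PyKerberos (assumption: the module is installed and
    the host has a keytab for HTTP/<fqdn>). Not exercised by the demo below."""
    import kerberos  # imported lazily so the demo runs without it

    def verify(token_b64):
        _, ctx = kerberos.authGSSServerInit(service)
        try:
            if kerberos.authGSSServerStep(ctx, token_b64) != kerberos.AUTH_GSS_COMPLETE:
                return None
            return kerberos.authGSSServerUserName(ctx)
        except kerberos.GSSError:
            return None
        finally:
            kerberos.authGSSServerClean(ctx)

    return verify


# --- client side -----------------------------------------------------------

class NegotiateTransport(xmlrpc.client.Transport):
    """xmlrpc.client.Transport that adds the Negotiate header to every call."""

    def __init__(self, token_b64):
        super().__init__()
        self._auth = "Negotiate " + token_b64

    def send_headers(self, connection, headers):
        headers.append(("Authorization", self._auth))
        super().send_headers(connection, headers)


def call_whoami(port, token_b64=None):
    """Call whoami(); return the principal the server saw, or the HTTP status
    code (e.g. 401) when the server refused the call."""
    transport = NegotiateTransport(token_b64) if token_b64 else xmlrpc.client.Transport()
    proxy = xmlrpc.client.ServerProxy(f"http://127.0.0.1:{port}/RPC2", transport=transport)
    try:
        return proxy.whoami()
    except xmlrpc.client.ProtocolError as err:
        return err.errcode


# --- constructed stand-in for a real GSSAPI exchange ------------------------

# Constructed sample: a fake "token" and the principal it stands for. A real
# deployment replaces constructed_verifier with pykerberos_verifier().
DEMO_TOKEN = base64.b64encode(b"constructed-demo-token").decode("ascii")
DEMO_PRINCIPAL = "stoyan@EXAMPLE.COM"


def constructed_verifier(token_b64):
    return DEMO_PRINCIPAL if token_b64 == DEMO_TOKEN else None


if __name__ == "__main__":
    srv = serve(constructed_verifier)
    port = srv.server_address[1]
    print("anonymous:", call_whoami(port))              # 401
    print("bad token:", call_whoami(port, "Ym9ndXM="))  # 401
    print("good token:", call_whoami(port, DEMO_TOKEN))  # stoyan@EXAMPLE.COM
    srv.shutdown()
```

The point to keep from this layout is that the RPC methods never see the header at all: they only get the principal the verifier produced, which is the same property the mod_auth_kerb layer gives freeIPA, and swapping constructed_verifier for pykerberos_verifier() changes nothing else in the server.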
