[Freeipa-devel] Talking json/rpc with java client

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 18 16:26:07 UTC 2014


On Tue, 18 Mar 2014, Massimiliano Perrone (tirasa.net) wrote:
>>>The difference between the two calls is on the last TGS_REQ; 
>>>because the first one is on ldap/olmo.example.com@EXAMPLE.COM and 
>>>it's OK whereas the second one is on 
>>>HTTP/olmo.example.com@EXAMPLE.COM that returns a 401 (I suppose).
>>>
>>>Where's the error?
>>Am I correct that you have a user connecting to HTTP/ebano.example.com
>>and then HTTP/ebano.example.com wants to talk to HTTP/olmo.example.com
>>using credentials of the user?
>>
>>FreeIPA uses constraint delegation of the credentials, with the help of
>>S4U2Proxy extension. You need to allow HTTP/ebano.example.com to delegate
>>credentials to HTTP/olmo.example.com.
>>
>>I have written an article how to do that:
>>https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>>
>>
>Hi Alexander, thanks for your reply.
>I read your interesting post carefully and followed it to delegate 
>HTTP/ebano.example.com credentials to HTTP/olmo.example.com.
>
>Now, two questions:
>1) How can I check that my configuration is now OK? Because this 
>ldapsearch returns result: 0
>
>ldapsearch -Y GSSAPI -H ldap://olmo.tirasa.net -b 
>"cn=s4u2proxy,cn=etc,dc=example,dc=com" 
>"cn=ipa-http-delegation-targets" dn
You need to create these delegation entries yourself, like the article
says. Note that your app talks to IPA server's HTTP service, so create

dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ebano-http-delegation
memberPrincipal: HTTP/ebano.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

This entry says: "HTTP/ebano.example.com is allowed to delegate users'
credentials to whatever Kerberos principal is a member of
cn=ebano-http-delegation-targets group"

Now, this is the group:
dn: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
objectClass: top
cn: ebano-http-delegation-targets
memberPrincipal: HTTP/olmo.example.com@EXAMPLE.COM

With these two entries we would have HTTP/ebano.example.com allowed to
delegate users' credentials to HTTP/olmo.example.com

You don't need to allow HTTP/olmo.example.com to further delegate
credentials to ldap/olmo.example.com because this entry already exists
-- each IPA master's HTTP service is allowed to delegate users'
credentials to its own ldap/ service.

>2) This time however I read also /var/log/httpd/error_log and I 
>noticed this:
>#############
>[Tue Mar 18 16:38:14.117207 2014] [:error] [pid 11268] ipa: ERROR: 
>500 Internal Server Error:
>jsonserver_kerb.__call__: KRB5CCNAME not defined in HTTP request environment
>#############
>whereas LDAP logs are OK.
>In your opinion, do I have this error because of a wrong environment 
>configuration or some other cause?
This is most likely because you have no Kerberos ticket available.


-- 
/ Alexander Bokovoy
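An added example, not part of the thread or of FreeIPA's own code: it builds the two S4U2Proxy entries in the layout Alexander describes (an ipaKrb5DelegationACL pointing at a groupOfPrincipals of targets) and answers question 1 offline by checking whether a proxy principal is allowed to delegate to a target principal under that layout. It assumes the entries have already been fetched (for instance with the ldapsearch from the thread) and parsed into attribute dicts keyed by DN; no directory is contacted.

```python
from typing import Dict, Iterable, List

# Container DN used throughout the thread.
S4U2PROXY_BASE = "cn=s4u2proxy,cn=etc,dc=example,dc=com"

Entries = Dict[str, Dict[str, List[str]]]


def delegation_entries(name: str, proxy_princ: str, target_princs: Iterable[str]) -> Entries:
    """Return the ACL entry plus its '<name>-targets' group, as attribute
    dicts keyed by DN, following the ipaKrb5DelegationACL layout."""
    acl_dn = f"cn={name},{S4U2PROXY_BASE}"
    targets_dn = f"cn={name}-targets,{S4U2PROXY_BASE}"
    return {
        acl_dn: {
            "objectClass": ["ipaKrb5DelegationACL", "groupOfPrincipals", "top"],
            "cn": [name],
            "memberPrincipal": [proxy_princ],       # who may impersonate users
            "ipaAllowedTarget": [targets_dn],       # group of allowed targets
        },
        targets_dn: {
            "objectClass": ["groupOfPrincipals", "top"],
            "cn": [f"{name}-targets"],
            "memberPrincipal": list(target_princs),  # services it may reach
        },
    }


def to_ldif(entries: Entries) -> str:
    """Serialise the dict form as LDIF text that ldapadd would accept."""
    blocks = []
    for dn, attrs in entries.items():
        lines = [f"dn: {dn}"]
        for attr, values in attrs.items():
            lines.extend(f"{attr}: {value}" for value in values)
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def may_delegate(entries: Entries, proxy_princ: str, target_princ: str) -> bool:
    """True if some ACL lists proxy_princ as memberPrincipal and one of its
    ipaAllowedTarget groups lists target_princ. Values are compared exactly;
    a real directory matches DNs case-insensitively, so normalise if needed."""
    for attrs in entries.values():
        if "ipaKrb5DelegationACL" not in attrs.get("objectClass", []):
            continue
        if proxy_princ not in attrs.get("memberPrincipal", []):
            continue
        for group_dn in attrs.get("ipaAllowedTarget", []):
            group = entries.get(group_dn, {})
            if target_princ in group.get("memberPrincipal", []):
                return True
    return False
```

Feeding the ldapsearch output from question 1 through the same parser shape as `delegation_entries` produces lets you run `may_delegate` against what the directory actually holds rather than what you meant to add.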

