[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Nathaniel McCallum npmccallum at redhat.com
Tue May 26 13:57:56 UTC 2015


On Fri, 2015-05-22 at 12:24 +0200, Christian Heimes wrote:
> Here is what I have so far:
> 
> 1) The FreeIPA webui already depends on Apache and mod_wsgi. KDC proxy
> will run from the same Apache HTTPD instance but it will use a different
> mod_wsgi daemon configuration. A second WSGI daemon is easily configured
> and allows us to tune the daemon for KDC proxy's needs. FreeIPA is
> mounted at /ipa, KDC Proxy will be available at /KdcProxy or /kdc.

/KdcProxy

"The URI uses the virtual directory /KdcProxy unless otherwise
configured."

https://msdn.microsoft.com/en-us/library/hh553891.aspx

Also, the proxy should be available over both HTTP and HTTPS.

> 3) An administrator must be able to enable/disable the new feature. The
> state of the switch will be read when Apache is started or reloaded. The
> feature must be configurable for each replica, too. A WSGI wrapper will
> read the setting from ipaConfigString=enabledService in
> cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. When the feature is
> disabled, it will reply with a 404 Not Found error.

I prefer enabled by default unless there is some performance or
security consideration. Mere proxying isn't a security consideration
since we already expose the KDC by default.

> 4) In order to read the state of the switch, the WSGI script needs to be
> able to connect to LDAP. I can use Apache's / FreeIPA webui's keytab to
> get a ticket for GSSAPI bind. However Apache has no permission to read
> ipaConfigStrings in the masters subtree. A new role/permission and ACI
> is required here.

This is, indeed, a security problem. Do we have a strong use case for
per-replica control? If not, let's just do a single global control
since we can easily make this globally readable.

> 5) python-kdcproxy can read its configuration from multiple places. For
> performance reasons we don't want DNS lookups. Therefore our proxy
> instance will only use libkrb5.so to read a list of KDCs, kpasswd and
> admin servers from /etc/krb5.conf.
> 
> Open questions / issues
> -----------------------
> 
> For 3) and 4) the Apache HTTP principal must be able to read or at least
> compare the state of the switch. The ACIs in the masters tree forbid any
> access to ipaConfigString entries except for principals with 'System:
> Read IPA Masters' permission. Martin Basti and Petr Spacek have
> suggested that I introduce a new permission for the task. I haven't
> figured out how to configure and assign a new permission. Right now my
> experimental code uses this ACI:
> 
> (targetfilter="(ipaConfigString=enabledService)")(targetattr="ipaConfigString")(version 3.0; acl "Compare enabledService access to masters"; allow(search, compare) userdn = "ldap:///all";)
> 
> 
> I found ipaserver.install.service.Service and SimpleServiceInstance in
> the FreeIPA sources. As far as I understand the use of the classes, they
> are used in the installers to configure service instances. However the
> kdcproxy service instance is going to be special. It has no 1:1 relation
> to a system service. Instead it shares a system service (Apache HTTPD)
> with the HttpInstance for FreeIPA's webui. AFAIK no other service
> instance has such a relation.
> 
> 
> Finally I haven't figured out the best way to configure the instance. An
> admin should be able to enable / disable KDC proxy. Should I write a
> script or an ipa plugin for the job?

IMHO, use a global switch and put the control in the ipa config plugin.
We shouldn't over-engineer this.

Nathaniel
