[Freeipa-devel] [PATCH] 0001 Added new authentication method

Alexander Bokovoy abokovoy at redhat.com
Wed Aug 3 07:29:52 UTC 2016


On Wed, 03 Aug 2016, Jan Pazdziora wrote:
>On Tue, Aug 02, 2016 at 05:57:38PM +0300, Alexander Bokovoy wrote:
>> On Mon, 01 Aug 2016, Rob Crittenden wrote:
>> >
>> > How/where does the UI get a Kerberos ticket for the user?
>> That's indeed a problem -- even with the PKINIT support in KDC that Simo
>> is polishing up now, we don't have a way to obtain a ticket on behalf of
>> the user because Apache would terminate the SSL negotiation and we
>> wouldn't be able to use the user's certificate to do PKINIT negotiation to
>> obtain a ticket as the user and then continue running on their behalf.
>> Nor would we get any Kerberos ticket from the client side.
>
>The current idea is to use S4U2Self and the GssapiImpersonate feature
>of mod_auth_gssapi 1.4.0, similar to the approach from
>
>	http://www.freeipa.org/page/V4/External_Authentication/NSS_Impersonation
>
>Tibor has done the investigation for FreeIPA and is working on some
>polished instructions for the FreeIPA WebUI.
Got it. One thing I would correct, though -- don't use kadmin.local; we
do support setting ok_as_delegate on the service principals via the IPA CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
  --ok-as-delegate=BOOL
                        Client credentials may be delegated to the service

-- 
/ Alexander Bokovoy
