[Freeipa-devel] another snag with kerberos

Rob Crittenden rcritten at redhat.com
Thu Jul 19 02:13:06 UTC 2007


Andrew Bartlett wrote:
> On Tue, 2007-07-17 at 11:00 -0400, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> On Tue, 2007-07-17 at 10:33 -0400, John Dennis wrote:
>>>> On Tue, 2007-07-17 at 09:02 -0400, Rob Crittenden wrote:
>>>>> I don't see a way to add headers to the client request using xmlrpclib.py.
>>>> I took a quick look at xmlrpclib.py. I agree there does not seem to be a
>>>> way to add headers in the exported API. However, it's not a complicated
>>>> module and fairly cleanly written so it looks like it would be
>>>> relatively easy to edit the module and add the authentication
>>>> functionality. This would mean the IPA implementation would have its
>>>> own private copy of the module but I suspect once it's working a diff
>>>> against the original sent as a patch to upstream would be most welcome
>>>> and then at a later date you can nuke your private copy once upstream
>>>> ships the fix.
>>> Not ideal - but seems workable. Rob - any other options or is this the
>>> way you want to go?
>>>
>>> Karl
>>>
>> After looking at this some more I wonder if we could simply subclass the 
>> Transport method and include the headers that way. I'm not enough of a 
>> python expert to know how large a task this would be.
>>
>> In any case we can't do anything until we find a way to do kerberos SSO 
>> with ticket forwarding using some sort of HTTP engine. 
> 
> Ticket forwarding is on the esoteric end of the kerberos spectrum, and I
> wonder if for IPAv1 we should instead have the XMLRPC server simply be
> trusted?  (Bind as EXTERNAL, then do LDAP proxy authorization). 

I'm all in favor of a solution that will work. Do you have any details 
on how one might do this and whether it is supported by mod_auth_kerb?

The way the communication goes is this:

Web -> Apache/mod_auth_kerb -> RPC client -> RPC server -> LDAP

So we need some way of grabbing the credentials and passing them all the 
way to LDAP so we can bind as the user who is logging into Apache.

Knowing next-to-nothing about SASL I'm going to need some hand-holding 
to get this configured and working.

> This would also allow non-kerberos authentication, and remove a pile of
> complexities that could bite us very badly.  For example:  Even if we
> get the forwarded ticket, will it have an address restriction on it?
> (The mechanism clients have used - dns lookup of target principal - for
> choosing those addresses have sometimes given very poor results). 
> 
> We could then revisit this later, perhaps combined with KDC
> modifications to be far less dependent on client behaviour (Heimdal has
> some very neat solutions, driven by the practical integration needs of
> the University of Stockholm). 

We're committed to MIT at this point.

rob
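The Transport subclass Rob wonders about above is straightforward in practice. The following is an added example, not code from the thread or from FreeIPA: it uses Python 3's xmlrpc.client (the successor of the xmlrpclib module discussed), overrides the send_headers() hook of Transport to append an Authorization header to every POST, and verifies the header arrives by running a loopback SimpleXMLRPCServer as a stand-in for the Apache/mod_auth_kerb hop. The header value is a constructed placeholder, not a real Negotiate token.

```python
"""Inject extra HTTP headers into xmlrpc.client requests by subclassing Transport.

Added example (not code from the FreeIPA project or the thread). Python 3's
xmlrpc.client replaces the xmlrpclib module discussed in the thread; the
Transport.send_headers() hook used here exists in CPython 3.
"""
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler


class HeaderTransport(xmlrpc.client.Transport):
    """Transport that appends caller-supplied headers to every POST."""

    def __init__(self, extra_headers, **kwargs):
        super().__init__(**kwargs)
        # Copy so the caller cannot mutate our header list behind our back.
        self._injected = [(k, v) for k, v in extra_headers]

    def send_headers(self, connection, headers):
        # The base class emits the standard headers (Content-Type, User-Agent, ...);
        # we hand it the combined list so ours go out in the same request.
        super().send_headers(connection, list(headers) + self._injected)


class RecordingHandler(SimpleXMLRPCRequestHandler):
    """Server-side handler that records the Authorization header it received."""
    received = []  # class-level so the caller can read it after the RPC returns

    def do_POST(self):
        RecordingHandler.received.append(self.headers.get("Authorization"))
        super().do_POST()


def echo(value):
    """Trivial RPC method so the round trip has something to call."""
    return value


def round_trip(auth_value):
    """Start a loopback XML-RPC server, call it with an injected header,
    and return (rpc_result, header_seen_by_server)."""
    RecordingHandler.received.clear()
    server = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=RecordingHandler,
                                logRequests=False, allow_none=True)
    server.register_function(echo)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        transport = HeaderTransport([("Authorization", auth_value)])
        proxy = xmlrpc.client.ServerProxy(f"http://127.0.0.1:{port}/RPC2",
                                          transport=transport)
        result = proxy.echo("ping")
    finally:
        server.shutdown()
        server.server_close()
        thread.join()
    return result, RecordingHandler.received[0]


if __name__ == "__main__":
    # Constructed placeholder value; a real deployment would carry the
    # Negotiate/SPNEGO blob produced by the Kerberos library, over HTTPS.
    print(round_trip("Negotiate PLACEHOLDER-TOKEN"))
```

Since Python 3.8, ServerProxy and Transport also accept a `headers=` argument, so a fixed header no longer needs the subclass; the override remains useful when the value must be regenerated per request, as a Kerberos service ticket would be. Whatever carries the credential, the RPC client to RPC server hop in the chain above should be TLS-protected, because an Authorization header is a bearer credential for as long as it is valid.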