[Freeipa-devel] Freeipa and Kerberos

Jason Gerard DeRose jderose at redhat.com
Sun Nov 30 03:29:00 UTC 2008


Stoyan Gaydarov wrote:
> Hi, my name is Stoyan and I am working on a project that involves Python,
> xmlrpc, and Kerberos, similar to what Freeipa does, and I wanted to see
> if someone could help me in understanding how Freeipa does their
> authentication so that I can do something similar for our project. I
> have looked at the code and saw that the client side uses the xmlrpclib
> that is part of Python and it extends the transport layer. This seems
> perfectly reasonable and I understand most of it. However the server
> side is a little more complex. I would like some help understanding what
> is going on. Currently I just use the SimpleXMLRPCServer that is part of
> Python and I just extend it. I don't need the server to do anything
> special other than Kerberos authentication so it works well for me. Any
> information about how it works would be greatly appreciated.
> 
> -Stoyan

Stoyan,

In a production deployment, freeIPA runs under Apache2 and we use
mod_auth_kerb as our first layer of authentication. For information on
mod_auth_kerb, see:

  http://modauthkerb.sourceforge.net/

Our second layer of authentication is to do an LDAP bind using the
user's Kerberos credentials. We rely on LDAP to determine what the user
can and can't do because (at least in v1) all the things a user might do
involve reading from or writing to LDAP. So in freeIPA itself all we
really do is make sure no anonymous access is allowed (users always need a
valid Kerberos ticket).

I don't know v1 very well (I pretty much just work on v2), so other
people on the list might be able to fill in more v1 details. However,
authentication in v2 is more or less the same except we also have
development XML-RPC and web-UI servers designed to run from within the
source tree, so these development servers don't have the mod_auth_kerb
layer (because they don't run under Apache2).

I hope this helps. Best of luck on your project! And if you get an itch
to work on another Python/Kerberos/XML-RPC project, we *always* welcome
new freeIPA developers!

Cheers,
Jason
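
Added example (not part of the original message and not freeIPA's code): a Python XML-RPC WSGI application that enforces the "no anonymous access" rule described above and passes the authenticated principal to each method. It assumes the front-end Kerberos layer exports the identity as REMOTE_USER and the delegated ticket cache as KRB5CCNAME; make_app, whoami and demo_call are hypothetical names, and the request data is constructed.

```python
import io
from xmlrpc.client import Fault, dumps, loads

def whoami(principal, ccache):
    # A real method would perform the second layer here: an LDAP bind as
    # the user, using the delegated credentials referenced by `ccache`.
    return principal

def make_app(methods):
    """WSGI XML-RPC app that refuses any request without a Kerberos identity."""
    def app(environ, start_response):
        principal = environ.get("REMOTE_USER")  # assumed: set by the auth layer
        ccache = environ.get("KRB5CCNAME")      # assumed: delegated ticket cache
        if not principal or not ccache:
            body = b"Kerberos ticket required\n"
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", "Negotiate"),
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body)))])
            return [body]
        size = int(environ.get("CONTENT_LENGTH") or 0)
        params, name = loads(environ["wsgi.input"].read(size))
        try:
            if name not in methods:
                raise Fault(1, "unknown method: %s" % name)
            body = dumps((methods[name](principal, ccache, *params),),
                         methodresponse=True)
        except Fault as fault:
            body = dumps(fault, methodresponse=True)
        body = body.encode("utf-8")
        start_response("200 OK", [("Content-Type", "text/xml"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    return app

def demo_call(app, method, identity):
    """Drive the app in-process with a constructed request; return (status, body)."""
    payload = dumps((), methodname=method).encode("utf-8")
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(payload)),
               "wsgi.input": io.BytesIO(payload)}
    environ.update(identity)
    seen = []
    body = b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0], body

if __name__ == "__main__":
    app = make_app({"whoami": whoami})
    print(demo_call(app, "whoami", {}))  # anonymous request is refused
    print(demo_call(app, "whoami", {"REMOTE_USER": "alice@EXAMPLE.COM",
                                    "KRB5CCNAME": "FILE:/tmp/krb5cc_constructed"}))
```

A server that is reachable without the front-end layer, like the development servers mentioned above, never sees these variables set by a trusted component, so this check alone is not authentication there.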

