[Freeipa-devel] Community Portal Milestone

Adam Young ayoung at redhat.com
Wed Jun 10 04:11:09 UTC 2015 

On 06/09/2015 04:44 PM, Alexander Bokovoy wrote:
> On Tue, 09 Jun 2015, Drew Erny wrote:
>> Hey, Freeipa, same thread new subtopic.
>>
>> So, I was bouncing some ideas around with another developer (ayoung) 
>> and I think I have a pretty good idea for self-service user 
>> registration.
>>
>> The idea is that I put self-service user registration into its own 
>> application that calls out to ipa user-add after getting admin approval.
>>
>> Workflow goes like this:
>>
>> 1.) User goes to registration page, inputs details into form. 
>> Registration page and application are not part of FreeIPA.
>> 2.) User's registration goes into a non-FreeIPA database, something 
>> like SQLite.
>> 3.) Admin gets a notification email with a link to approve/deny 
>> registration.
>>    A.) Admin clicks approval link, registration application (which 
>> has limited privileges) makes call out to ipa user-add command, 
>> adding the new user to FreeIPA.
>>    B.) Admin click deny link, user is not added.
>> 4.) User's registration information, approved or denied, is deleted 
>> from the external database.
>>
>> This has a couple of advantages. For starters, it provides a layer of 
>> protection against the creation of spam accounts. Accounts do not add 
>> directly to LDAP (inserting to LDAP is a slow operation), instead sit 
>> in intermediate area waiting approval. Second, we don't have to write 
>> a big extension to ipa user-add or staginguser-add that allows 
>> anonymous access to that command. Third, it can be bundled into its 
>> own package and given to the community separate from FreeIPA proper. 
>> Finally, it would allow me to gracefully defer becoming buried up to 
>> my neck in D-Bus notifications and whatever other fanciness we want 
>> to send email, because FreeIPA won't be sending the email.
>>
>> Opinions?
> Sounds good. For external application like your portal to be able to
> call IPA CLI (or JSON) with Kerberos on behalf of an admin, you need to
> support S4U2Proxy configuration. See
> https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/
> for details how to make it working. This would allow you to have an
> application running on a separate IPA client and still be able to re-use
> admin Kerberos credentials to perform the work after admin granted the
> permission to create a user or to reset a password.
I don't think so;  S4U2Proxy would only make sense if the user does not 
have direct access.  I think that, with proper CORS support,  we could 
have the admin users authenticate the new users directly. Should be a 
simpler set up.


>
> See also
> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
> how to communicate to IPA with JSON directly, without any dependency to
> IPA client tools.
>

More information about the Freeipa-devel mailing list