[Freeipa-devel] Community Portal Milestone
Adam Young
ayoung at redhat.com
Wed Jun 10 04:11:09 UTC 2015
On 06/09/2015 04:44 PM, Alexander Bokovoy wrote:
> On Tue, 09 Jun 2015, Drew Erny wrote:
>> Hey, Freeipa, same thread new subtopic.
>>
>> So, I was bouncing some ideas around with another developer (ayoung)
>> and I think I have a pretty good idea for self-service user
>> registration.
>>
>> The idea is that I put self-service user registration into its own
>> application that calls out to ipa user-add after getting admin approval.
>>
>> Workflow goes like this:
>>
>> 1.) User goes to registration page, inputs details into form.
>> Registration page and application are not part of FreeIPA.
>> 2.) User's registration goes into a non-FreeIPA database, something
>> like SQLite.
>> 3.) Admin gets a notification email with a link to approve/deny
>> registration.
>> A.) Admin clicks approval link, registration application (which
>> has limited privileges) makes call out to ipa user-add command,
>> adding the new user to FreeIPA.
>> B.) Admin clicks deny link, user is not added.
>> 4.) User's registration information, approved or denied, is deleted
>> from the external database.
>>
>> This has a couple of advantages. For starters, it provides a layer of
>> protection against the creation of spam accounts. Accounts are not added
>> directly to LDAP (inserting into LDAP is a slow operation); instead they sit
>> in an intermediate area awaiting approval. Second, we don't have to write
>> a big extension to ipa user-add or staginguser-add that allows
>> anonymous access to that command. Third, it can be bundled into its
>> own package and given to the community separate from FreeIPA proper.
>> Finally, it would allow me to gracefully defer becoming buried up to
>> my neck in D-Bus notifications and whatever other fanciness we want
>> to send email, because FreeIPA won't be sending the email.
>>
>> Opinions?
> Sounds good. For external application like your portal to be able to
> call IPA CLI (or JSON) with Kerberos on behalf of an admin, you need to
> support S4U2Proxy configuration. See
> https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/
> for details on how to make it work. This would allow you to have an
> application running on a separate IPA client and still be able to re-use
> admin Kerberos credentials to perform the work after the admin granted the
> permission to create a user or to reset a password.
I don't think so; S4U2Proxy would only make sense if the user does not
have direct access. I think that, with proper CORS support, we could
have the admin users authenticate the new users directly. Should be a
simpler set up.
>
> See also
> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
> for how to communicate with IPA using JSON directly, without any dependency on
> IPA client tools.
>
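The approval queue Drew sketches above (steps 1 through 4), as an added example that is not code from the thread or from the FreeIPA project. It assumes, beyond what the thread says, that the approve/deny links carry a random single-use token, that form fields are validated before they reach `ipa user-add` (the login in particular is attacker-controlled and becomes a positional CLI argument, so it must not be able to start with `-` and be parsed as an option), and that the command is built as an argv list with no shell and handed to a pluggable runner so the example runs offline. The `--first`, `--last` and `--email` options are real `ipa user-add` options; the validation patterns are this example's own choice.

```python
import re
import secrets
import sqlite3
import subprocess
from typing import Callable, List, Optional, Tuple

# Hypothetical validation rules (not from the thread). The login ends up as a
# positional argument to `ipa user-add`, so it must never be able to start
# with '-' and be parsed as an option; names and email get the same treatment.
LOGIN_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")
NAME_RE = re.compile(r"^[^\s-][^\x00-\x1f]{0,63}$")
EMAIL_RE = re.compile(r"^[^\s@-][^\s@]*@[^\s@]+\.[^\s@]+$")

Runner = Callable[[List[str]], int]


def run_ipa(argv: List[str]) -> int:
    """Default runner: execute the argv list without a shell; return its exit status."""
    return subprocess.run(argv, check=False).returncode


class RegistrationQueue:
    """Pending registrations live here (SQLite), not in LDAP, until an admin decides."""

    def __init__(self, path: str = ":memory:", run: Runner = run_ipa) -> None:
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS pending ("
            " token TEXT PRIMARY KEY, login TEXT UNIQUE NOT NULL,"
            " first TEXT NOT NULL, last TEXT NOT NULL, email TEXT NOT NULL)"
        )
        self.run = run

    def submit(self, login: str, first: str, last: str, email: str) -> str:
        """Steps 1-2: validate the form and park it. Returns the single-use token
        to embed in the approve/deny links mailed to the admin (step 3)."""
        checks = ((login, LOGIN_RE, "login"), (first, NAME_RE, "first"),
                  (last, NAME_RE, "last"), (email, EMAIL_RE, "email"))
        for value, pattern, what in checks:
            if not pattern.fullmatch(value):
                raise ValueError(f"invalid {what}")
        token = secrets.token_urlsafe(32)  # 256 random bits: the link is unguessable
        with self.db:
            self.db.execute("INSERT INTO pending VALUES (?, ?, ?, ?, ?)",
                            (token, login, first, last, email))
        return token

    def _take(self, token: str) -> Optional[Tuple[str, str, str, str]]:
        """Fetch and delete in one transaction so a link works at most once,
        and the record is gone whatever the decision was (step 4)."""
        with self.db:
            row = self.db.execute(
                "SELECT login, first, last, email FROM pending WHERE token = ?", (token,)
            ).fetchone()
            if row is not None:
                self.db.execute("DELETE FROM pending WHERE token = ?", (token,))
        return row

    def approve(self, token: str) -> bool:
        """Step 3A: create the user with `ipa user-add`. True on success."""
        row = self._take(token)
        if row is None:
            return False  # unknown, already-used or denied link
        login, first, last, email = row
        argv = ["ipa", "user-add", login,
                f"--first={first}", f"--last={last}", f"--email={email}"]
        return self.run(argv) == 0

    def deny(self, token: str) -> bool:
        """Step 3B: drop the registration without touching IPA."""
        return self._take(token) is not None

    def pending_count(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM pending").fetchone()[0]
```

The runner is the only place that talks to IPA, so swapping the CLI call for a JSON-RPC request over an authenticated session (the approach in the second linked post) changes one function; whichever way it is done, the credential the portal uses still needs only the privilege to add users, not full admin rights.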