[Freeipa-devel] [PATCH] 0001 Added new authentication method

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 2 14:57:38 UTC 2016


On Mon, 01 Aug 2016, Rob Crittenden wrote:
>Tibor Dudlak wrote:
>>Hi,
>>
>>I have added a few lines of code to make optional login with a personal
>>certificate (or with a smartcard) possible. Some UI changes have to be
>>made. It is not kosher but it definitely works.
>>
>>Thank you, Tibor
>>
>
>What about the Apache changes to require a certificate in 
>/ipa/session/login_x509?
>
>Does/will this only support a specially crafted certificate subject?
>
>How/where does the UI get a Kerberos ticket for the user?
That's indeed a problem -- even with the PKINIT support in KDC that Simo
is polishing up now, we don't have a way to obtain a ticket on behalf of
the user because Apache would terminate the SSL negotiation and we
wouldn't be able to use the user's certificate to do PKINIT negotiation to
obtain a ticket as that user and then continue running on their behalf.
Nor would we get any Kerberos ticket from the client side.
-- 
/ Alexander Bokovoy