[Freeipa-users] freeIPA SSL authentication

Rob Crittenden rcritten at redhat.com
Tue Mar 10 14:22:09 UTC 2015


K SHK wrote:
> hi,
> 
> My hortonworks hadoop cluster is kerberized with FreeIPA and works
> splendid :)
> 
> I want to clarify if SSL authentication without a login/password will
> work against FreeIPA...
> 
> ie. client connects to apache webserver over SSL, and sets in username via
> 
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
> 
> and the webserver will get the valid ticket from freeIPA...
> 
> any idea what type of certificate and apache modules will be needed to
> accomplish this?

IPA doesn't support user SSL certificates at the moment, so that's the
first hurdle. It is being worked on for 4.2. You'd need to include the
PKINIT EKU in the client cert, something that should be configurable
when the work is done.

The second problem is that the IPA PKINIT configuration is rather
incomplete at the moment. I'm not sure if it is sufficient in its
current state, even with properly formatted certificates.

And even further, I'm not familiar enough with PKINIT to know whether a
web-based SSL authentication is enough to get a ticket.

rob
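Rob's reply says the client certificate would need the PKINIT EKU before IPA could use it. The script below is an added example, not code from this thread or from FreeIPA: it walks a certificate's DER with the standard library only and reports whether the extendedKeyUsage extension (OID 2.5.29.37) carries id-pkinit-KPClientAuth (OID 1.3.6.1.5.2.3.4, RFC 4556). The sample input is a constructed Extensions block, not a certificate issued by IPA; `load_pem` lets you run the same check on a real PEM file. It checks only that one requirement, not the rest of what a KDC expects from a PKINIT client certificate.

```python
"""Does an X.509 certificate carry the PKINIT client EKU?

Added example (not from the Freeipa-users thread or FreeIPA itself).
OIDs below are from RFC 4556 / RFC 5280; the sample input is constructed.
"""
import base64

OID_EXT_KEY_USAGE = "2.5.29.37"             # extendedKeyUsage (RFC 5280)
OID_PKINIT_CLIENT = "1.3.6.1.5.2.3.4"       # id-pkinit-KPClientAuth (RFC 4556)
OID_TLS_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, what mod_ssl needs


def _read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _iter_children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def _der(tag, payload):
    """Encode one DER TLV (short or long definite length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def find_extension(der, oid):
    """Depth-first search for an Extension SEQUENCE {extnID, critical?, extnValue}
    whose extnID equals `oid`; returns the extnValue OCTET STRING contents."""
    tag, value, _ = _read_tlv(der)
    if not tag & 0x20:                       # primitive node: nothing to descend
        return None
    children = list(_iter_children(value))
    if children and children[0][0] == 0x06 and _decode_oid(children[0][1]) == oid:
        for ctag, cval in children[1:]:
            if ctag == 0x04:                 # OCTET STRING holding the extension
                return cval
    pos = 0
    while pos < len(value):
        _, _, nxt = _read_tlv(value, pos)
        found = find_extension(value[pos:nxt], oid)
        if found is not None:
            return found
        pos = nxt
    return None


def eku_oids(der):
    """All OIDs listed in extendedKeyUsage, or [] if the extension is absent."""
    ext = find_extension(der, OID_EXT_KEY_USAGE)
    if ext is None:
        return []
    _, seq, _ = _read_tlv(ext)               # extnValue wraps SEQUENCE OF OID
    return [_decode_oid(v) for t, v in _iter_children(seq) if t == 0x06]


def has_pkinit_client_eku(der):
    return OID_PKINIT_CLIENT in eku_oids(der)


def load_pem(text):
    body = "".join(ln for ln in text.splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body)


def build_sample_extensions(oids):
    """Constructed input: an Extensions [3] wrapper with one extKeyUsage
    Extension listing `oids` (not a full certificate)."""
    eku = _der(0x30, b"".join(_der(0x06, _encode_oid(o)) for o in oids))
    ext = _der(0x30, _der(0x06, _encode_oid(OID_EXT_KEY_USAGE)) + _der(0x04, eku))
    return _der(0xA3, _der(0x30, ext))


if __name__ == "__main__":
    for name, oids in (("tls+pkinit", [OID_TLS_CLIENT_AUTH, OID_PKINIT_CLIENT]),
                       ("tls only", [OID_TLS_CLIENT_AUTH])):
        der = build_sample_extensions(oids)
        print(name, eku_oids(der), "PKINIT client EKU:", has_pkinit_client_eku(der))
```

For a real certificate, `has_pkinit_client_eku(load_pem(open("client.pem").read()))` does the same walk; the search descends every constructed node, so it finds the extension whether or not the certificate has a version field or other optional elements before it.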
