[Freeipa-users] freeIPA SSL authentication

Dmitri Pal dpal at redhat.com
Tue Mar 10 14:43:13 UTC 2015


On 03/10/2015 10:22 AM, Rob Crittenden wrote:
> K SHK wrote:
>> hi,
>>
>> My hortonworks hadoop cluster is kerberized with FreeIPA and works
>> splendid :)
>>
>> I want to clarify if SSL authentication without a login/password will
>> work against FreeIPA...
>>
>> ie. client connects to apache webserver over SSL, and sets the username via
>>
>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
>>
>> and the webserver will get the valid ticket from freeIPA...
>>
>> any idea what type of certificate and apache modules will be needed to
>> accomplish this?
> IPA doesn't support user SSL certificates at the moment, so that's the
> first hurdle. It is being worked on for 4.2. You'd need to include the
> PKINIT EKU in the client cert, something that should be configurable
> when the work is done.
>
> The second problem is that the IPA PKINIT configuration is rather
> incomplete at the moment. I'm not sure if it is sufficient in its
> current state, even with properly formatted certificates.
>
> And even further, I'm not familiar enough with PKINIT to know whether a
> web-based SSL authentication is enough to get a ticket.
>
> rob
>
I think it is but the biggest problem is remapping the identities from
the cert to users in the identity system - IPA in this case.
I will file a ticket.
https://fedorahosted.org/freeipa/ticket/4942

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
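Rob's point that the client certificate needs the PKINIT EKU, and the identity-mapping problem above, as an added worked example that is not from this thread or from the FreeIPA project: it issues a self-signed test certificate carrying the PKINIT client EKU (1.3.6.1.5.2.3.4) and the KRB5PrincipalName otherName SAN (id-pkinit-san, 1.3.6.1.5.2.2) that MIT Kerberos PKINIT matches against the principal, then checks the DER for both OIDs. It assumes an `openssl` CLI is installed; the realm EXAMPLE.TEST, the principal alice and the work directory are constructed placeholders.

```shell
# Added example, not from the thread: self-signed test cert with the PKINIT client EKU
# (1.3.6.1.5.2.3.4) and a KRB5PrincipalName SAN (id-pkinit-san, 1.3.6.1.5.2.2), plus a
# check that both OIDs really are in the DER. REALM, PRINCIPAL, WORK are placeholders.
set -e
REALM="${REALM:-EXAMPLE.TEST}"
PRINCIPAL="${PRINCIPAL:-alice}"
WORK="${WORK:-$(mktemp -d)}"
# OpenSSL config; the otherName SAN uses ASN1_generate syntax to build the
# KRB5PrincipalName structure (realm + NT-PRINCIPAL name) that PKINIT expects.
write_config() {
  cat > "$WORK/pkinit.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $PRINCIPAL
[client_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
[princ_name]
realm = EXP:0, GeneralString:$REALM
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
princ1 = GeneralString:$PRINCIPAL
[plain_cert]
basicConstraints = CA:FALSE
EOF
}

# make_cert <extension-section> <name>: self-signed cert using that section.
make_cert() {
  write_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/pkinit.cnf" \
    -extensions "$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# check_cert <pem>: succeeds only if the DER holds both encoded OIDs (06 07 2b 06 01
# 05 02 03 04 and 06 06 2b 06 01 05 02 02), whatever names this OpenSSL prints for them.
check_cert() {
  hex=$(openssl x509 -in "$1" -outform DER 2>/dev/null | od -An -tx1 -v | tr -d ' \n')
  case "$hex" in *06072b060105020304*) case "$hex" in *06062b0601050202*) return 0;; esac;; esac
  return 1
}

make_cert client_cert client && check_cert "$WORK/client.pem" && echo "PKINIT-ready: $WORK/client.pem"
```

`openssl x509 -in "$WORK/client.pem" -noout -text` shows the extensions by name or OID depending on the OpenSSL build, which is why the check works on the DER bytes instead.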
