[Freeipa-users] freeIPA SSL authentication

Dmitri Pal dpal at redhat.com
Tue Mar 10 19:10:24 UTC 2015 

On 03/10/2015 01:19 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 03/10/2015 10:22 AM, Rob Crittenden wrote:
>>> K SHK wrote:
>>>> hi,
>>>>
>>>> My hortonworks hadoop cluster is keberized with FreeIPA and works
>>>> splendid :)
>>>>
>>>> I want to clarify if SSL authentication with out a login/password will
>>>> work against FreeIPA...
>>>>
>>>> ie. client connects to apache webserver over SSL, and sets in
>>>> username via
>>>>
>>>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
>>>>
>>>> and the webserver will get the valid ticket from freeIPA...
>>>>
>>>> any idea what type of certificate and apache modules will be needed to
>>>> accomplish this?
>>> IPA doesn't support user SSL certificates at the moment, so that's the
>>> first hurdle. It is being worked on for 4.2. You'd need to include the
>>> PKINIT EKU in the client cert, something that should be configurable
>>> when the work is done.
>>>
>>> The second problem is that the IPA PKINIT configuration is rather
>>> incomplete at the moment. I'm not sure if it is sufficient in it's
>>> current state, even with properly formatted certificates.
>>>
>>> And even further, I"m not familiar enough with PKINIT to know whether a
>>> web-based SSL authentication is enough to get a ticket.
>>>
>>> rob
>>>
>> I think it is but the biggest problem is remapping the identities from
>> the cert to users in identity system - IPA in this case.
>> I will file a ticket.
>> https://fedorahosted.org/freeipa/ticket/4942
>>
> IIRC with PKINIT the principal is encoded in the certificate so no
> mapping is required.
>
> rob
There are several use cases here:
- do PKINIT on the client and then use ST to connect to IPA UI - this is 
already planned
- use certificate auth via mod_nss directly to IPA.

The challenge would be to deal with the case when there is no principal 
(or other good identifier) in the cert and you have to remap.
Unfortunately we can't guarantee that principal is in the cert. Some 
known entities that we need to work with do not have the principal in 
the cert.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

More information about the Freeipa-users mailing list