[Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?)

Joe Thielen joe at joethielen.com
Tue Aug 9 19:37:35 UTC 2016


First off, let me say THANK YOU to all of you who've helped make FreeIPA
what it is.  I think it's a fantastic project and it's amazing what it has
achieved.

Second off, I'm still quite new to FreeIPA, especially the internals.  This
includes Kerberos.  I'm also very very limited at Python (I come from a PHP
background - please don't hold it against me).  I have toyed around with
LDAP a little bit before looking at FreeIPA.

After re-reading this e-mail I think it'd be important to note here at the
top that my focus is on web-based apps and non-kerberized clients.  The web
app server would be an IPA client.  I don't foresee a lot of terminal-based
stuff going on, aside from potential admin CLI tasks (for the web-based
app).

I apologize in advance for the length of this e-mail.  I have searched, a
lot, to try and answer my own questions.  That's actually how I found
FreeIPA in the first place.  I've looked at the site/wiki, the mailing list
archive, and the Internet in general.  But I've been unable to find a
solution, or suggestions, which achieves exactly what I'm looking for.  It
may be that I'm just using the wrong terminology and/or getting lost in the
buzzwords.

What I'm trying to figure out is if there is a way to centrally manage
sessions, in addition to everything else FreeIPA currently does.  I'm not
necessarily just talking about WebUI sessions, I'd like external web apps
to be able to make use of it too.  And, I'd like to be able to manage them
via the WebUI.

For example, let's say "joe" logs in to the WebUI (OR another web app tied
to FreeIPA).  Now, on another computer, "admin" logs into the WebUI.  Can
admin have a way to see that "joe" logged in, and, if need be, kill Joe's
session?

I'd like for it to maintain history.  For each login/session, I'd like to
see who logged in, when, from where, what their last access was, when they
logged out (or if their session timed out), and the logout reason (manual
logout, session timeout, or admin intervention).

But like I said, I'm not just looking for WebUI sessions.

Let's say I create a web app.  I put it on a machine which is an IPA
client.  Thanks to the wealth of documentation and options, I have a
variety of methods to achieve authentication.  FreeIPA makes this great,
and for that I'm thankful.  However, in most of the documentation, it just
says "create the session" cookie, and the rest is left as an exercise to
the reader.  I'm familiar with web apps and have implemented session
management before.  What I'd love to see is FreeIPA to be able to handle
not just the auth but also the session management.

Why?  Because I'd not like to have to re-invent the wheel.  And I'm trying
to see if there is already some method to do this that I'm just
fundamentally missing.  Or at least if there are enough pieces that I could
put together to make it happen.

For "fun", I've tried to set up auth using different methods.  I've
successfully set it up using intercept_form_submit_module and
lookup_identity_module.  That's pretty neat, works great for auth.  But, as
far as I can tell, this method doesn't create a session or login trail in
the memcached DB.  In fact, I can't really find any trail aside from the
Kerberos logging messages in /var/log/krbkdc.log.

I've also used Tobias Sette's php-freeipa from GitHub.  That works great
too... for auth.  And since that uses the JSON API, it looks like it does
create a record in the memcached DB.  So I suppose this could be one way
in, maybe by a FreeIPA plugin?

I guess I'm running in circles because then again I think... "what about
pure Kerberos" clients...  or those using intercept_form_submit_module?
I'm not familiar with PAM.  But from what I can tell, I assume there is a
way to add a "pluggable" module for it too.  But on the server?  i.e., if a
Kerberos session is established, is there a way, via PAM (or something
else?) to log that session to the FreeIPA server?  I think this is kinda
what Kerberos is trying to get away from, but for the use cases I'm
thinking of, it'd be a big feature.  In my searching I've seen things like
nss_mysql which look interesting, but of course wouldn't mesh with the
FreeIPA WebUI memcached method.

Speaking of which, I know that memcached is not by any means a permanent
session log, and I understand it's not intended to be.  So would this go
into the LDAP tree?  Would this clog it up too much?  I'm looking to store
a year of info... or more depending on the scenario.

I've briefly looked at the Apache Shiro project.  I'm not a Java guy, but
from what I'm reading it kind of has the right idea.  It even notes that the
session management portions can be accessed from other apps (on other
machines) and not necessarily from Java.  But due to the whole thing being
a mostly-Java product, I get lost far too easily.  If this were already in
FreeIPA I think that's kind of what I'm looking for.

A single source of session information on the server.  Along with the
ability to view/search it via the FreeIPA WebUI (which I assume would mean
it'd come from the JSON API).

For someone creating a new app from scratch, this would not only cover the
user/IdM and auth items, but also session management, and allow for more
administrative control (kill a session administratively).  I think this
would really decrease the barrier to entry and give app authors a "known
good" path to follow.  Especially smaller, domain- or niche-specific
projects.

I've looked at the FreeIPA session recording page (
http://www.freeipa.org/page/Session_Recording).  That looks neat.  However,
if I'm reading it right, it's just for terminal sessions.  It mentions
being able to record login info, but being a newbie I can't quite follow
exactly how it's achieving this goal (is that part all a function of tlog?).

Anyway, again, I apologize for this very long e-mail.  Am I totally barking
up the wrong tree?  Is this something FreeIPA can do and I just haven't
figured out how?  Or would it require far too much customization and/or be
too far outside of the core functionality?  Any hints, suggestions, or even
criticism would be appreciated.
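
As an added illustration (not code from the original post, and not FreeIPA
code), here is a small model of the session registry the e-mail asks for: a
central store that records who logged in, from which app and address, when
they were last seen, and why the session ended (manual logout, idle timeout,
or an admin killing it), and that keeps closed sessions as history.  The
class and function names, the 30-minute idle timeout, the reason strings and
the in-memory dict standing in for a real backing store (memcached, LDAP,
a database) are all assumptions made for the example; the ManualClock is
only there so the timeout path can be exercised deterministically.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

IDLE_TIMEOUT = timedelta(minutes=30)  # assumed policy value for this example


@dataclass
class Session:
    """One login.  Kept after logout so the registry doubles as the history."""
    session_id: str
    user: str
    app: str            # which application created it (web UI, external app, ...)
    source_ip: str
    login_at: datetime
    last_access: datetime
    logout_at: Optional[datetime] = None
    logout_reason: Optional[str] = None  # "manual", "timeout" or "admin"
    closed_by: Optional[str] = None      # admin account for "admin" closures

    @property
    def active(self) -> bool:
        return self.logout_at is None


class ManualClock:
    """Deterministic clock so the idle-timeout path can be tested offline.
    The default start time is constructed (the date of the mail) and arbitrary."""

    def __init__(self, start: Optional[datetime] = None):
        self.now = start or datetime(2016, 8, 9, 19, 37, 35, tzinfo=timezone.utc)

    def __call__(self) -> datetime:
        return self.now

    def advance(self, **delta) -> None:
        self.now += timedelta(**delta)


class SessionRegistry:
    """Hypothetical central session store shared by several applications."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self._sessions: dict[str, Session] = {}  # stands in for memcached/LDAP/DB

    def login(self, user: str, app: str, source_ip: str) -> str:
        now = self._clock()
        # Opaque, unguessable identifier; the token itself carries no user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, app, source_ip, now, now)
        return sid

    def validate(self, sid: str) -> bool:
        """Called by an app on every request: refreshes last_access or expires."""
        s = self._sessions.get(sid)
        if s is None or not s.active:
            return False
        now = self._clock()
        if now - s.last_access > IDLE_TIMEOUT:
            self._close(s, "timeout", now)
            return False
        s.last_access = now
        return True

    def logout(self, sid: str) -> bool:
        s = self._sessions.get(sid)
        if s is None or not s.active:
            return False
        self._close(s, "manual", self._clock())
        return True

    def admin_kill(self, user: str, admin: str) -> int:
        """Revoke every active session of `user`; returns how many were closed."""
        now = self._clock()
        closed = 0
        for s in self._sessions.values():
            if s.user == user and s.active:
                self._close(s, "admin", now, admin)
                closed += 1
        return closed

    def active_sessions(self) -> list[Session]:
        return [s for s in self._sessions.values() if s.active]

    def history(self, user: Optional[str] = None) -> list[Session]:
        """All sessions (open and closed) for one user, or everyone, oldest first."""
        return sorted((s for s in self._sessions.values() if user is None or s.user == user),
                      key=lambda s: s.login_at)

    @staticmethod
    def _close(s: Session, reason: str, when: datetime, by: Optional[str] = None) -> None:
        s.logout_at, s.logout_reason, s.closed_by = when, reason, by
```

An app using this would call login() after it has authenticated the user
by whatever FreeIPA-backed method it uses, put only the returned opaque id
in its cookie, and call validate() on each request; an admin view would list
active_sessions() and call admin_kill(), which is exactly the "kill Joe's
session" case above.  A real store would need a retention policy for the
history and should never expose the session ids themselves to the admin view.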