[Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?)

[Petr Spacek]

On 9.8.2016 21:37, Joe Thielen wrote:
> First off, let me say THANK YOU to all of you who've helped make FreeIPA
> what it is.  I think it's a fantastic project and it's amazing what it has
> achieved.
> 
> Second off, I'm still quite new to FreeIPA, especially the internals.  This
> includes Kerberos.  I'm also very very limited at Python (I come from a PHP
> background - please don't hold it against me).  I have toyed around with
> LDAP a little bit before looking at FreeIPA.
> 
> After re-reading this e-mail I think it'd be important to note here at the
> top that my focus is on web-based apps and non-kerberized clients.  The web
> app server would be an IPA client.  I don't foresee a lot of terminal-based
> stuff going on, aside from potential admin CLI tasks (for the web-based
> app).
> 
> I apologize in advance for the length of this e-mail.  I have searched, a
> lot, to try and answer my own questions.  That's actually how I found
> FreeIPA in the first place.  I've looked at the site/wiki, the mailing list
> archive, and the Internet in general.  But I've been unable to find a
> solution, or suggestions, which achieves exactly what I'm looking for.  It
> may be that I'm just using the wrong terminology and/or getting lost in the
> buzzwords.
> 
> What I'm trying to figure out is if there is a way to centrally manage
> sessions, in addition to everything else FreeIPA currently does.  I'm not
> necessarily just talking about WebUI sessions, I'd like external web apps
> to be able to make use of it too.  And, I'd like to be able to manage them
> via the WebUI.
> 
> For example, let's say "joe" logs in to the WebUI (OR another web app tied
> to FreeIPA).  Now, on another computer, "admin" logs into the WebUI.  Can
> admin have a way to see that "joe" logged in, and, if need be, kill Joe's
> session?
> 
> I'd like for it to maintain history.  For each login/session, I'd like to
> see who logged in, when, from where, what their last access was, when they
> logged out (or if their session timed out), and the logout reason (manual
> logout, session timeout, or admin intervention).
> 
> But like I said, I'm not just looking for WebUI sessions.
> 
> Let's say I create a web app.  I put it on a machine which is an IPA
> client.  Thanks to the wealth of documentation and options, I have a
> variety of methods to achieve authentication.  FreeIPA makes this great,
> and for that I'm thankful.  However, in most of the documentation, it just
> says "create the session" cookie, and the rest is left as an exercise to
> the reader.  I'm familiar with web apps and have implemented session
> management before.  What I'd love to see is FreeIPA to be able to handle
> not just the auth but also the session management.
> 
> Why?  Because I'd not like to have to re-invent the wheel.  And I'm trying
> to see if there is already some method to do this that I'm just
> fundamentally missing.  Or at least if there are enough pieces that I could
> put together to make it happen.
> 
> For "fun", I've tried to set up auth using different methods.  I've
> successfully set it up using intercept_form_submit_module and
> lookup_identity_module.  That's pretty neat, works great for auth.  But, as
> far as I can tell, this method doesn't create a session or login trail in
> the memcached DB.  In fact, I can't really find any trail aside from the
> Kerberos logging messages in /var/log/krbkdc.log.
> 
> I've also used Tobias Sette's php-freeipa from GitHub.  That works great
> too... for auth.  And since that uses the JSON API, it looks like it does
> create a record in the memcached DB.  So I suppose this could be one way
> in, maybe by a FreeIPA plugin?
> 
> I guess I'm running in circles because then again I think... "what about
> pure Kerberos" clients...  or those using intercept_form_submit_module?
> I'm not familiar with PAM.  But from what I can tell, I assume there is a
> way to add a "pluggable" module for it too.  But on the server?  i.e., if a
> Kerberos session is established, is there a way, via PAM (or something
> else?) to log that session to the FreeIPA server?   I think this is kinda
> what Kerberos is trying to get away from, but for the use cases I'm
> thinking of, it'd be a big feature.  In my searching I've seen things like
> nss_mysql which look interesting, but of course wouldn't mesh with the
> FreeIPA WebUI memcached method.
> 
> Speaking of which, I know that memcached is not by any means a permanent
> session log, and I understand it's not intended to be.  So would this go
> into the LDAP tree?  Would this clog it up too much?  I'm looking to store
> a year of  info... or more depending on the scenario.
> 
> I've briefly looked at the Apache Shiro project.  I'm not a Java guy, but
> from I'm reading it kind of has the right idea.  It even notes that the
> session management portions can be accessed from other apps (on other
> machines) and not necessarily from Java.  But due to the whole thing being
> a mostly-Java product, I get lost far too easily.  If this were already in
> FreeIPA I think that's kind of what I'm looking for.
> 
> A single source of session information on the server.  Along with the
> ability to view/search it via the FreeIPA WebUI (which I assume would mean
> it'd come from the JSON API).
> 
> For someone creating a new app from scratch, this would not only cover the
> user/IdM and auth items, but also session management, and allow for more
> administrative control (kill a session administratively).  I think this
> would really decrease the barrier to entry and give app authors a "known
> good" path to follow.  Especially smaller, domain- or niche-specific
> projects.
> 
> I've looked at the FreeIPA session recording page (
> http://www.freeipa.org/page/Session_Recording).  That looks neat.  However,
> if I'm reading it right, it's just for terminal sessions.  It mentions
> being able to record login info, but being a newbie I can't quite follow
> exactly how it's achieving this goal (is that part all a function of tlog?).
> 
> Anyway, again, I apologize for this very long e-mail.  Am I totally barking
> up the wrong tree?  Is this something FreeIPA can do and I just haven't
> figured out how?  Or would it require far too much customization and/or be
> too far outside of the core functionality?  Any hints, suggestions, or even
> criticism would be appreciated.

Hello,

I'm not a web-app guy but I would recommend you to look at SAML protocol and
project Keycloak (which can be integrated with FreeIPA).

AFAIK SAML gives you single-sign-on + ability to forcibly log-out users (kill
their sessions). Still, it does not give you one central session (while still
allowing the central management).

Hopefully others will be able to elaborate on this.

-- 
Petr^2 Spacek