[Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?)
Joe Thielen
joe at joethielen.com
Wed Aug 10 12:38:19 UTC 2016
> Date: Wed, 10 Aug 2016 09:02:29 +0200
> From: Petr Spacek <pspacek at redhat.com>
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA Session Management (WebUI,
> Kerberos, ...?)
> Message-ID: <e6b5b192-5acf-dacc-8765-994e623499a8 at redhat.com>
> Content-Type: text/plain; charset=windows-1252
>
> On 9.8.2016 21:37, Joe Thielen wrote:
> > First off, let me say THANK YOU to all of you who've helped make FreeIPA
> > what it is. I think it's a fantastic project and it's amazing what it has
> > achieved.
> >
> > Second off, I'm still quite new to FreeIPA, especially the internals. This
> > includes Kerberos. I'm also very very limited at Python (I come from a PHP
> > background - please don't hold it against me). I have toyed around with
> > LDAP a little bit before looking at FreeIPA.
> >
> > After re-reading this e-mail I think it'd be important to note here at the
> > top that my focus is on web-based apps and non-kerberized clients. The web
> > app server would be an IPA client. I don't foresee a lot of terminal-based
> > stuff going on, aside from potential admin CLI tasks (for the web-based
> > app).
> >
> > I apologize in advance for the length of this e-mail. I have searched, a
> > lot, to try and answer my own questions. That's actually how I found
> > FreeIPA in the first place. I've looked at the site/wiki, the mailing list
> > archive, and the Internet in general. But I've been unable to find a
> > solution, or suggestions, which achieves exactly what I'm looking for. It
> > may be that I'm just using the wrong terminology and/or getting lost in the
> > buzzwords.
> >
> > What I'm trying to figure out is if there is a way to centrally manage
> > sessions, in addition to everything else FreeIPA currently does. I'm not
> > necessarily just talking about WebUI sessions, I'd like external web apps
> > to be able to make use of it too. And, I'd like to be able to manage them
> > via the WebUI.
> >
> > For example, let's say "joe" logs in to the WebUI (OR another web app tied
> > to FreeIPA). Now, on another computer, "admin" logs into the WebUI. Can
> > admin have a way to see that "joe" logged in, and, if need be, kill Joe's
> > session?
> >
> > I'd like for it to maintain history. For each login/session, I'd like to
> > see who logged in, when, from where, what their last access was, when they
> > logged out (or if their session timed out), and the logout reason (manual
> > logout, session timeout, or admin intervention).
> >
> > But like I said, I'm not just looking for WebUI sessions.
> >
> > Let's say I create a web app. I put it on a machine which is an IPA
> > client. Thanks to the wealth of documentation and options, I have a
> > variety of methods to achieve authentication. FreeIPA makes this great,
> > and for that I'm thankful. However, in most of the documentation, it just
> > says "create the session" cookie, and the rest is left as an exercise to
> > the reader. I'm familiar with web apps and have implemented session
> > management before. What I'd love to see is FreeIPA to be able to handle
> > not just the auth but also the session management.
> >
> > Why? Because I'd not like to have to re-invent the wheel. And I'm trying
> > to see if there is already some method to do this that I'm just
> > fundamentally missing. Or at least if there are enough pieces that I could
> > put together to make it happen.
> >
> > For "fun", I've tried to set up auth using different methods. I've
> > successfully set it up using intercept_form_submit_module and
> > lookup_identity_module. That's pretty neat, works great for auth. But, as
> > far as I can tell, this method doesn't create a session or login trail in
> > the memcached DB. In fact, I can't really find any trail aside from the
> > Kerberos logging messages in /var/log/krbkdc.log.
> >
> > I've also used Tobias Sette's php-freeipa from GitHub. That works great
> > too... for auth. And since that uses the JSON API, it looks like it does
> > create a record in the memcached DB. So I suppose this could be one way
> > in, maybe by a FreeIPA plugin?
> >
> > I guess I'm running in circles because then again I think... "what about
> > pure Kerberos" clients... or those using intercept_form_submit_module?
> > I'm not familiar with PAM. But from what I can tell, I assume there is a
> > way to add a "pluggable" module for it too. But on the server? i.e., if a
> > Kerberos session is established, is there a way, via PAM (or something
> > else?) to log that session to the FreeIPA server? I think this is kinda
> > what Kerberos is trying to get away from, but for the use cases I'm
> > thinking of, it'd be a big feature. In my searching I've seen things like
> > nss_mysql which look interesting, but of course wouldn't mesh with the
> > FreeIPA WebUI memcached method.
> >
> > Speaking of which, I know that memcached is not by any means a permanent
> > session log, and I understand it's not intended to be. So would this go
> > into the LDAP tree? Would this clog it up too much? I'm looking to store
> > a year of info... or more depending on the scenario.
> >
> > I've briefly looked at the Apache Shiro project. I'm not a Java guy, but
> > from what I'm reading it kind of has the right idea. It even notes that the
> > session management portions can be accessed from other apps (on other
> > machines) and not necessarily from Java. But due to the whole thing being
> > a mostly-Java product, I get lost far too easily. If this were already in
> > FreeIPA I think that's kind of what I'm looking for.
> >
> > A single source of session information on the server. Along with the
> > ability to view/search it via the FreeIPA WebUI (which I assume would mean
> > it'd come from the JSON API).
> >
> > For someone creating a new app from scratch, this would not only cover the
> > user/IdM and auth items, but also session management, and allow for more
> > administrative control (kill a session administratively). I think this
> > would really decrease the barrier to entry and give app authors a "known
> > good" path to follow. Especially smaller, domain- or niche-specific
> > projects.
> >
> > I've looked at the FreeIPA session recording page
> > (http://www.freeipa.org/page/Session_Recording). That looks neat. However,
> > if I'm reading it right, it's just for terminal sessions. It mentions
> > being able to record login info, but being a newbie I can't quite follow
> > exactly how it's achieving this goal (is that part all a function of
> > tlog?).
> >
> > Anyway, again, I apologize for this very long e-mail. Am I totally barking
> > up the wrong tree? Is this something FreeIPA can do and I just haven't
> > figured out how? Or would it require far too much customization and/or be
> > too far outside of the core functionality? Any hints, suggestions, or even
> > criticism would be appreciated.
>
> Hello,
>
> I'm not a web-app guy but I would recommend you to look at SAML protocol and
> project Keycloak (which can be integrated with FreeIPA).
>
> AFAIK SAML gives you single-sign-on + ability to forcibly log-out users (kill
> their sessions). Still, it does not give you one central session (while still
> allowing the central management).
>
> Hopefully others will be able to elaborate on this.
>
> --
> Petr^2 Spacek
>
>
Hi Petr. Thanks for your reply. I did look at SAML before I found
FreeIPA. I was able to get it up and running (simpleSAMLphp - both server
and client), but I didn't find that it did what I wanted it to do.
Hey, project Keycloak looks neat, I will look further into that!
Thanks again.
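The thread asks for a central session store that records who logged in, when, from where, the last access, and how each session ended (manual logout, idle timeout, or an admin killing it), with an admin view to list and terminate live sessions. Neither FreeIPA nor Keycloak code is shown on the page; the block below is an added example of what such a registry looks like when an application has to provide it itself. It assumes an in-memory sqlite database, a 15-minute idle timeout, an opaque `session_id` for the admin view, and that the web app has already authenticated the user (via Kerberos, the JSON API, or anything else) before calling `login`. Only a SHA-256 hash of the bearer token is stored, so reading the table does not yield usable cookies.

```python
"""Centrally managed web sessions with an audit trail.

Added example, not FreeIPA's or Keycloak's code. Records who logged in,
when, from where, last access, logout time and logout reason
(manual | timeout | admin), lets an administrator list live sessions and
kill one, and keeps closed sessions as history. Backing store is an
in-memory sqlite database (assumed; a durable database or LDAP is the
open question in the thread).
"""
import hashlib
import secrets
import sqlite3
import time

DEFAULT_IDLE_TIMEOUT = 15 * 60  # seconds; assumed policy value


class SessionRegistry:
    def __init__(self, idle_timeout=DEFAULT_IDLE_TIMEOUT, clock=time.time):
        self.db = sqlite3.connect(":memory:")
        self.db.row_factory = sqlite3.Row
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.db.execute("""
            CREATE TABLE sessions (
                session_id    TEXT PRIMARY KEY,  -- opaque id shown to admins
                token_hash    TEXT UNIQUE,       -- SHA-256 of the bearer cookie
                user          TEXT NOT NULL,
                app           TEXT NOT NULL,
                client_ip     TEXT NOT NULL,
                login_at      REAL NOT NULL,
                last_access   REAL NOT NULL,
                logout_at     REAL,
                logout_reason TEXT               -- manual | timeout | admin
            )""")

    @staticmethod
    def _hash(token):
        # Only a hash is stored, so a DB read does not hand out usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def _expire_idle(self):
        # Close every live session idle longer than the policy allows; the
        # logout time is when the idle window ran out, not when we noticed.
        cutoff = self.clock() - self.idle_timeout
        self.db.execute(
            "UPDATE sessions SET logout_at = last_access + ?, logout_reason = 'timeout' "
            "WHERE logout_at IS NULL AND last_access < ?",
            (self.idle_timeout, cutoff))

    def login(self, user, app, client_ip):
        """Open a session after the app has authenticated the user; returns the bearer token."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.db.execute(
            "INSERT INTO sessions VALUES (?, ?, ?, ?, ?, ?, ?, NULL, NULL)",
            (secrets.token_hex(8), self._hash(token), user, app, client_ip, now, now))
        return token

    def resolve(self, token):
        """Validate a presented token: returns the user name, or None if the session is gone."""
        self._expire_idle()
        row = self.db.execute(
            "SELECT user FROM sessions WHERE token_hash = ? AND logout_at IS NULL",
            (self._hash(token),)).fetchone()
        if row is None:
            return None
        self.db.execute("UPDATE sessions SET last_access = ? WHERE token_hash = ?",
                        (self.clock(), self._hash(token)))
        return row["user"]

    def logout(self, token):
        """Voluntary logout by the user holding the token."""
        self.db.execute(
            "UPDATE sessions SET logout_at = ?, logout_reason = 'manual' "
            "WHERE token_hash = ? AND logout_at IS NULL",
            (self.clock(), self._hash(token)))

    def active(self):
        """Admin view: live sessions across all apps, never exposing the tokens."""
        self._expire_idle()
        rows = self.db.execute(
            "SELECT session_id, user, app, client_ip, login_at, last_access "
            "FROM sessions WHERE logout_at IS NULL ORDER BY login_at").fetchall()
        return [dict(r) for r in rows]

    def kill(self, session_id):
        """Admin intervention: close one session by id; True if it was live."""
        cur = self.db.execute(
            "UPDATE sessions SET logout_at = ?, logout_reason = 'admin' "
            "WHERE session_id = ? AND logout_at IS NULL",
            (self.clock(), session_id))
        return cur.rowcount == 1

    def history(self, user):
        """Audit trail for one user, newest first, including how each session ended."""
        self._expire_idle()
        rows = self.db.execute(
            "SELECT session_id, app, client_ip, login_at, last_access, logout_at, logout_reason "
            "FROM sessions WHERE user = ? ORDER BY login_at DESC", (user,)).fetchall()
        return [dict(r) for r in rows]


if __name__ == "__main__":
    reg = SessionRegistry()
    joe = reg.login("joe", "webui", "10.0.0.5")   # constructed sample data
    print(reg.active())                             # admin sees joe's live session
    reg.kill(reg.active()[0]["session_id"])         # admin kills it
    print(reg.resolve(joe))                         # None: joe's cookie no longer works
    print(reg.history("joe"))                       # logout_reason == 'admin'
```

The same registry serves every app that shares the database, which is what makes the "admin sees joe and kills his session" scenario work across the WebUI and an external app at once; what it does not solve is the pure-Kerberos client that never presents a cookie, which is the gap the reply above points at SAML/Keycloak for.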