[Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?)

Joe Thielen joe at joethielen.com
Wed Aug 10 12:38:19 UTC 2016


> Date: Wed, 10 Aug 2016 09:02:29 +0200
> From: Petr Spacek <pspacek at redhat.com>
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA Session Management (WebUI,
>         Kerberos, ...?)
> Message-ID: <e6b5b192-5acf-dacc-8765-994e623499a8 at redhat.com>
> Content-Type: text/plain; charset=windows-1252
>
> On 9.8.2016 21:37, Joe Thielen wrote:
> > First off, let me say THANK YOU to all of you who've helped make FreeIPA
> > what it is.  I think it's a fantastic project and it's amazing what it has
> > achieved.
> >
> > Second off, I'm still quite new to FreeIPA, especially the internals.  This
> > includes Kerberos.  I'm also very very limited at Python (I come from a PHP
> > background - please don't hold it against me).  I have toyed around with
> > LDAP a little bit before looking at FreeIPA.
> >
> > After re-reading this e-mail I think it'd be important to note here at the
> > top that my focus is on web-based apps and non-kerberized clients.  The web
> > app server would be an IPA client.  I don't foresee a lot of terminal-based
> > stuff going on, aside from potential admin CLI tasks (for the web-based
> > app).
> >
> > I apologize in advance for the length of this e-mail.  I have searched, a
> > lot, to try and answer my own questions.  That's actually how I found
> > FreeIPA in the first place.  I've looked at the site/wiki, the mailing list
> > archive, and the Internet in general.  But I've been unable to find a
> > solution, or suggestions, which achieves exactly what I'm looking for.  It
> > may be that I'm just using the wrong terminology and/or getting lost in the
> > buzzwords.
> >
> > What I'm trying to figure out is if there is a way to centrally manage
> > sessions, in addition to everything else FreeIPA currently does.  I'm not
> > necessarily just talking about WebUI sessions, I'd like external web apps
> > to be able to make use of it too.  And, I'd like to be able to manage them
> > via the WebUI.
> >
> > For example, let's say "joe" logs in to the WebUI (OR another web app tied
> > to FreeIPA).  Now, on another computer, "admin" logs into the WebUI.  Can
> > admin have a way to see that "joe" logged in, and, if need be, kill Joe's
> > session?
> >
> > I'd like for it to maintain history.  For each login/session, I'd like to
> > see who logged in, when, from where, what their last access was, when they
> > logged out (or if their session timed out), and the logout reason (manual
> > logout, session timeout, or admin intervention).
> >
> > But like I said, I'm not just looking for WebUI sessions.
> >
> > Let's say I create a web app.  I put it on a machine which is an IPA
> > client.  Thanks to the wealth of documentation and options, I have a
> > variety of methods to achieve authentication.  FreeIPA makes this great,
> > and for that I'm thankful.  However, in most of the documentation, it just
> > says "create the session" cookie, and the rest is left as an exercise to
> > the reader.  I'm familiar with web apps and have implemented session
> > management before.  What I'd love to see is FreeIPA to be able to handle
> > not just the auth but also the session management.
> >
> > Why?  Because I'd not like to have to re-invent the wheel.  And I'm trying
> > to see if there is already some method to do this that I'm just
> > fundamentally missing.  Or at least if there are enough pieces that I could
> > put together to make it happen.
> >
> > For "fun", I've tried to set up auth using different methods.  I've
> > successfully set it up using intercept_form_submit_module and
> > lookup_identity_module.  That's pretty neat, works great for auth.  But, as
> > far as I can tell, this method doesn't create a session or login trail in
> > the memcached DB.  In fact, I can't really find any trail aside from the
> > Kerberos logging messages in /var/log/krbkdc.log.
> >
> > I've also used Tobias Sette's php-freeipa from GitHub.  That works great
> > too... for auth.  And since that uses the JSON API, it looks like it does
> > create a record in the memcached DB.  So I suppose this could be one way
> > in, maybe by a FreeIPA plugin?
> >
> > I guess I'm running in circles because then again I think... "what about
> > pure Kerberos" clients...  or those using intercept_form_submit_module?
> > I'm not familiar with PAM.  But from what I can tell, I assume there is a
> > way to add a "pluggable" module for it too.  But on the server?  i.e., if a
> > Kerberos session is established, is there a way, via PAM (or something
> > else?) to log that session to the FreeIPA server?  I think this is kinda
> > what Kerberos is trying to get away from, but for the use cases I'm
> > thinking of, it'd be a big feature.  In my searching I've seen things like
> > nss_mysql which look interesting, but of course wouldn't mesh with the
> > FreeIPA WebUI memcached method.
> >
> > Speaking of which, I know that memcached is not by any means a permanent
> > session log, and I understand it's not intended to be.  So would this go
> > into the LDAP tree?  Would this clog it up too much?  I'm looking to store
> > a year of info... or more depending on the scenario.
> >
> > I've briefly looked at the Apache Shiro project.  I'm not a Java guy, but
> > from what I'm reading it kind of has the right idea.  It even notes that
> > the session management portions can be accessed from other apps (on other
> > machines) and not necessarily from Java.  But due to the whole thing being
> > a mostly-Java product, I get lost far too easily.  If this were already in
> > FreeIPA I think that's kind of what I'm looking for.
> >
> > A single source of session information on the server.  Along with the
> > ability to view/search it via the FreeIPA WebUI (which I assume would mean
> > it'd come from the JSON API).
> >
> > For someone creating a new app from scratch, this would not only cover the
> > user/IdM and auth items, but also session management, and allow for more
> > administrative control (kill a session administratively).  I think this
> > would really decrease the barrier to entry and give app authors a "known
> > good" path to follow.  Especially smaller, domain- or niche-specific
> > projects.
> >
> > I've looked at the FreeIPA session recording page
> > (http://www.freeipa.org/page/Session_Recording).  That looks neat.  However,
> > if I'm reading it right, it's just for terminal sessions.  It mentions
> > being able to record login info, but being a newbie I can't quite follow
> > exactly how it's achieving this goal (is that part all a function of
> > tlog?).
> >
> > Anyway, again, I apologize for this very long e-mail.  Am I totally barking
> > up the wrong tree?  Is this something FreeIPA can do and I just haven't
> > figured out how?  Or would it require far too much customization and/or be
> > too far outside of the core functionality?  Any hints, suggestions, or even
> > criticism would be appreciated.
>
> Hello,
>
> I'm not a web-app guy but I would recommend you to look at SAML protocol and
> project Keycloak (which can be integrated with FreeIPA).
>
> AFAIK SAML gives you single-sign-on + ability to forcibly log-out users (kill
> their sessions). Still, it does not give you one central session (while still
> allowing the central management).
>
> Hopefully others will be able to elaborate on this.
>
> --
> Petr^2 Spacek
>
>
Hi Petr.  Thanks for your reply.  I did look at SAML before I found
FreeIPA.  I was able to get it up and running (simpleSAMLphp - both server
and client), but I didn't find that it did what I wanted it to do.

Hey, project Keycloak looks neat, I will look further into that!

Thanks again.
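The central session record Joe asks for above (who logged in, when, from where, last access, and a logout time with a reason of manual, timeout, or admin intervention) sketched as a small in-memory registry. This is an added illustration for the thread, not FreeIPA's, Keycloak's, or anyone's posted code; the class and method names are made up here, and a real deployment would persist the history outside the process.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import secrets

# Added illustration of the central session record described in the thread
# (who, when, from where, last access, logout time and reason). Not FreeIPA code.
@dataclass
class SessionRecord:
    user: str
    source_ip: str
    login_at: datetime
    last_access: datetime
    logout_at: Optional[datetime] = None
    logout_reason: Optional[str] = None  # "manual", "timeout" or "admin"

class SessionRegistry:
    """Central store: active sessions plus a retained history for auditing."""
    def __init__(self, idle_timeout: timedelta):
        self.idle_timeout = idle_timeout
        self.active: dict[str, SessionRecord] = {}
        self.history: list[SessionRecord] = []
    def login(self, user: str, source_ip: str, now: datetime) -> str:
        sid = secrets.token_urlsafe(32)  # opaque, unguessable session id
        self.active[sid] = SessionRecord(user, source_ip, now, now)
        return sid
    def touch(self, sid: str, now: datetime) -> bool:
        # Validate a presented session id; an idle session is closed as "timeout".
        rec = self.active.get(sid)
        if rec is None:
            return False
        if now - rec.last_access > self.idle_timeout:
            self._close(sid, now, "timeout")
            return False
        rec.last_access = now
        return True
    def logout(self, sid: str, now: datetime) -> bool:
        return self._close(sid, now, "manual")
    def admin_kill(self, user: str, now: datetime) -> int:
        # Admin intervention: terminate every active session of one user.
        sids = [s for s, r in self.active.items() if r.user == user]
        for sid in sids:
            self._close(sid, now, "admin")
        return len(sids)
    def _close(self, sid: str, now: datetime, reason: str) -> bool:
        rec = self.active.pop(sid, None)
        if rec is None:
            return False
        rec.logout_at, rec.logout_reason = now, reason
        self.history.append(rec)
        return True
```

Every closed session, whatever the reason, lands in `history` with its last access preserved, which is the trail the admin view in the thread would search.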