<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 07/30/2013 09:11 AM, Matt . wrote:
<blockquote
cite="mid:CAPNQp05ib3eCgtk6JoFWc2xcY2aDsWsLfD--WOvcAPgZi-E0rA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hi all,<br>
<br>
We have found something out.<br>
<br>
</div>
When you add a user (like cmdtestuser) to
FreeIPA and add it to group:<br>
<br>
</div>
- admins<br>
</div>
- trust admins<br>
</div>
- editors<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
This does not really matter if you are just trying to do authentication.<br>
This would matter if you start to execute administrative commands
with the user. As a starting point, putting the user into the admins group
would enable him to do everything. However, in general we suggest
that you:<br>
- Identify operations that your application would perform<br>
- Identify permissions and privileges needed for those operations<br>
- Create a role that grants those privileges<br>
- Associate the user to the role (directly) or via a new group that
you would create.<br>
<br>
Bottom line: after you sort out the authentication and ticket
delegation you would need to think about access control and reduce
the privileges of your PHP application to only the operations it really
needs to perform.<br>
<br>
<blockquote
cite="mid:CAPNQp05ib3eCgtk6JoFWc2xcY2aDsWsLfD--WOvcAPgZi-E0rA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div><br>
</div>
And when you add this same user account to a Linux box and
do a "su cmdtestuser" you are able to do a "kinit" and
give the password that user has in FreeIPA.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
How do you "add" it? Do you actually define a local user? That would
be wrong.<br>
<br>
<blockquote
cite="mid:CAPNQp05ib3eCgtk6JoFWc2xcY2aDsWsLfD--WOvcAPgZi-E0rA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<br>
</div>
After this you can run a curl script from the
command line with an "add_user" and actually add that user
to IPA. So that works.<br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Yes, because you effectively ran an ipa user-add command
yourselves using curl.<br>
<br>
<blockquote
cite="mid:CAPNQp05ib3eCgtk6JoFWc2xcY2aDsWsLfD--WOvcAPgZi-E0rA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div><br>
</div>
That is what we actually want to do from PHP, but testing
this with an HTTP/HTTPD user in IPA doesn't work.<br>
<br>
</div>
</div>
</div>
</div>
</blockquote>
Are you talking about a local HTTP user that was added to the local
/etc/passwd file?<br>
Of course it would not work. You need to run your application using a
user (principal) that IPA (Kerberos) recognizes.<br>
<br>
<br>
<blockquote
cite="mid:CAPNQp05ib3eCgtk6JoFWc2xcY2aDsWsLfD--WOvcAPgZi-E0rA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>Shouldn't that be possible?<br>
</div>
</div>
</div>
</blockquote>
<br>
It is possible.<br>
And you can do it two ways: you can use the end user's identity to perform
operations against IPA, or you can give privileges to the PHP
application to perform operations using its own identity. The former
is preferable. In the latter case you sort of hand the keys to the
kingdom to the PHP application, and even if you confine its
privileges as I described above you would
have to build access control into your PHP application if you want
to allow different admins to perform different operations via your
PHP application.<br>
So the best would be to use the user identity, so please use Alexander's
article and make your PHP application acquire a ticket on the user's behalf.
Make your users members of the admins group for testing purposes to
sort out the authentication issues, but once done define the right
privileges for them so that they can execute only the commands that
they are entitled to execute.<br>
<br>
<br>
HTH<br>
<br>
<blockquote
cite="mid:CAPNQp05ib3eCgtk6JoFWc2xcY2aDsWsLfD--WOvcAPgZi-E0rA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
I hope so!<br>
<br>
</div>
Cheers,<br>
<br>
Matt<br>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div><br>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2013/7/26 Petr Vobornik <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb">
<div class="h5">On 07/26/2013 04:37 PM, Rob Crittenden
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Zip Ly wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Normally if IPA has a well documented API then my
approach would be:<br>
user --> (internet) --> webserver --> IPA API --> IPA server<br>
But since there isn't much info about the API then
my approach would be:<br>
user --> (internet) --> webserver --> a PHP script which acts as a
custom API --> IPA server<br>
The problem is I don't know which commands are
available and which values/params I should send. For example:<br>
<a moz-do-not-send="true"
href="http://www.freeipa.org/docs/1.2/Administrators_Reference/en-US/html/chap-Administration_Reference-XML_RPC_Application_Programming_Interface_API_Documentation.html#"
target="_blank">http://www.freeipa.org/docs/1.2/Administrators_Reference/en-US/html/chap-Administration_Reference-XML_RPC_Application_Programming_Interface_API_Documentation.html#</a><br>
<br>
These are commands for xml rpc. Without examples
it's difficult to find<br>
out how to use it.<br>
</blockquote>
<br>
The API changed between v1 and v2/3, so these docs are
not right for<br>
your purposes.<br>
<br>
We haven't formally documented the API (either json or
xml-rpc) yet<br>
because it is still somewhat in flux. The API is baked
into the ipa<br>
client, so any command you can run from there is the
equivalent of a<br>
json/xml-rpc command, just substituting underscore for
dash.<br>
<br>
About the closest we have is API.txt in the source
tree. This is really<br>
designed to be read by a computer but it outlines each
command and the<br>
options it takes, and the output it returns.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
But they are different from this example:<br>
<a moz-do-not-send="true"
href="http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/"
target="_blank">http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/</a><br>
<br>
In this example a "user_find" command is used, but
this command cannot be found in the official xml rpc document above.<br>
In ssh I can display a list of commands with "ipa
help commands". I don't know if they are all supported in "/ipa/json";
I probably need to replace all dashes with underscores (correct me if I'm
wrong).<br>
</blockquote>
<br>
The same commands and options are available over json
as xml-rpc.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
If I want to display all the supported params from
one certain command, for example "ipa help user-find", then are all the
double-dashed params also the supported params which I can send with
JSON?<br>
</blockquote>
<br>
Yes.<br>
</blockquote>
<br>
</div>
</div>
Note that for some LDAP attributes the dash param names may be
different than the API option names. In those cases the correct
one is the LDAP attribute name.<br>
<br>
Use `ipa show-mappings command-name` to find the correct
names.
<div class="im HOEnZb"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I prefer using the native API if there is one (hidden
somewhere),<br>
because I don't want to reinvent the wheel with
security leaks which I'm<br>
not aware of. Especially when I need to execute CLI
commands from<br>
the PHP scripts.<br>
</blockquote>
<br>
The native API is json/xml-rpc. They are currently
equivalent. In the<br>
near future we are going to mark xml-rpc as deprecated
and it will start<br>
to fall behind in features, and eventually we may drop
it altogether.<br>
<br>
rob<br>
<br>
</blockquote>
<br>
</div>
<span class="HOEnZb"><font color="#888888">
-- <br>
Petr Vobornik</font></span>
<div class="HOEnZb">
<div class="h5"><br>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
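The thread establishes that every ipa CLI command is a JSON-RPC method with dashes replaced by underscores, that the double-dashed CLI options are the method's options (with `ipa show-mappings` giving the LDAP attribute name where it differs), and that calls go to /ipa/json. The Python helper below is an added example, not code from this thread or from FreeIPA itself: it turns a CLI-style invocation into that request body, builds the headers the endpoint expects, and unwraps the reply. The option-to-attribute table is a constructed sample to be regenerated with `ipa show-mappings`, and the Referer header value is an assumption based on the curl article linked above.

```python
# Build FreeIPA /ipa/json JSON-RPC requests from CLI-style invocations.
# Added example, not code from this thread or from FreeIPA itself.
import json
import shlex

# Constructed sample of CLI option -> API option (LDAP attribute) name; regenerate
# it with `ipa show-mappings <command-name>`. Unlisted options keep their CLI name.
CLI_TO_API_OPTION = {
    "user-add": {"first": "givenname", "last": "sn", "email": "mail"},
    "user-find": {"login": "uid", "first": "givenname", "last": "sn"},
}

def cli_to_method(command):
    """CLI command name -> JSON-RPC method name: 'user-find' becomes 'user_find'."""
    return command.replace("-", "_")

def build_rpc_request(cmdline, request_id=0):
    """Turn 'user-add cmdtestuser --first=Cmd --last=Test' into a JSON-RPC body.

    Positional words become the args list, --name=value becomes an option keyed
    by its API name, and a bare --flag (e.g. --all) becomes the boolean True.
    """
    tokens = shlex.split(cmdline)
    command, rest = tokens[0], tokens[1:]
    mapping = CLI_TO_API_OPTION.get(command, {})
    args, options = [], {}
    for tok in rest:
        if tok.startswith("--"):
            name, has_value, value = tok[2:].partition("=")
            options[mapping.get(name, name.replace("-", "_"))] = value if has_value else True
        else:
            args.append(tok)
    return {"method": cli_to_method(command), "params": [args, options], "id": request_id}

def ipa_headers(server):
    """Headers for POST https://<server>/ipa/json; the Referer value is an assumption."""
    return {"Content-Type": "application/json", "Accept": "application/json",
            "Referer": "https://%s/ipa" % server}

def unwrap_response(body):
    """Return the reply's 'result' object, or raise if IPA returned an error object."""
    reply = json.loads(body)
    err = reply.get("error")
    if err:
        raise RuntimeError("%s (code %s): %s" % (err["name"], err["code"], err["message"]))
    return reply["result"]
```

Send the body produced by build_rpc_request as a POST with Kerberos (Negotiate) authentication for the end user's ticket, which is the identity model Dmitri recommends above; the request builder itself runs offline.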
</body>
</html>