<div dir="ltr"> <div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Date: Wed, 10 Aug 2016 09:02:29 +0200 From: Petr Spacek <<a href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>> To: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?) Message-ID: <<a href="mailto:e6b5b192-5acf-dacc-8765-994e623499a8@redhat.com">e6b5b192-5acf-dacc-8765-994e623499a8@redhat.com</a>> Content-Type: text/plain; charset=windows-1252 On 9.8.2016 21:37, Joe Thielen wrote: > First off, let me say THANK YOU to all of you who've helped make FreeIPA > what it is. I think it's a fantastic project and it's amazing what it has > achieved. > > Second off, I'm still quite new to FreeIPA, especially the internals. This > includes Kerberos. I'm also very very limited at Python (I come from a PHP > background - please don't hold it against me). I have toyed around with > LDAP a little bit before looking at FreeIPA. > > After re-reading this e-mail I think it'd be important to note here at the > top that my focus is on web-based apps and non-kerberized clients. The web > app server would be an IPA client. I don't foresee a lot of terminal-based > stuff going on, aside from potential admin CLI tasks (for the web-based > app). > > I apologize in advance for the length of this e-mail. I have searched, a > lot, to try and answer my own questions. That's actually how I found > FreeIPA in the first place. I've looked at the site/wiki, the mailing list > archive, and the Internet in general. But I've been unable to find a > solution, or suggestions, which achieves exactly what I'm looking for. It > may be that I'm just using the wrong terminology and/or getting lost in the > buzzwords. > > What I'm trying to figure out is if there is a way to centrally manage > sessions, in addition to everything else FreeIPA currently does. I'm not > necessarily just talking about WebUI sessions, I'd like external web apps > to be able to make use of it too. And, I'd like to be able to manage them > via the WebUI. > > For example, let's say "joe" logs in to the WebUI (OR another web app tied > to FreeIPA). Now, on another computer, "admin" logs into the WebUI. Can > admin have a way to see that "joe" logged in, and, if need be, kill Joe's > session? > > I'd like for it to maintain history. For each login/session, I'd like to > see who logged in, when, from where, what their last access was, when they > logged out (or if their session timed out), and the logout reason (manual > logout, session timeout, or admin intervention). > > But like I said, I'm not just looking for WebUI sessions. > > Let's say I create a web app. I put it on a machine which is an IPA > client. Thanks to the wealth of documentation and options, I have a > variety of methods to achieve authentication. FreeIPA makes this great, > and for that I'm thankful. However, in most of the documentation, it just > says "create the session" cookie, and the rest is left as an exercise to > the reader. I'm familiar with web apps and have implemented session > management before. What I'd love to see is FreeIPA to be able to handle > not just the auth but also the session management. > > Why? Because I'd not like to have to re-invent the wheel. And I'm trying > to see if there is already some method to do this that I'm just > fundamentally missing. Or at least if there are enough pieces that I could > put together to make it happen. > > For "fun", I've tried to set up auth using different methods. I've > successfully set it up using intercept_form_submit_module and > lookup_identity_module. That's pretty neat, works great for auth. But, as > far as I can tell, this method doesn't create a session or login trail in > the memcached DB. In fact, I can't really find any trail aside from the > Kerberos logging messages in /var/log/krbkdc.log. > > I've also used Tobias Sette's php-freeipa from GitHub. That works great > too... for auth. And since that uses the JSON API, it looks like it does > create a record in the memcached DB. So I suppose this could be one way > in, maybe by a FreeIPA plugin? > > I guess I'm running in circles because then again I think... "what about > pure Kerberos" clients... or those using intercept_form_submit_module? > I'm not familiar with PAM. But from what I can tell, I assume there is a > way to add a "pluggable" module for it too. But on the server? i.e., if a > Kerberos session is established, is there a way, via PAM (or something > else?) to log that session to the FreeIPA server? I think this is kinda > what Kerberos is trying to get away from, but for the use cases I'm > thinking of, it'd be a big feature. In my searching I've seen things like > nss_mysql which look interesting, but of course wouldn't mesh with the > FreeIPA WebUI memcached method. > > Speaking of which, I know that memcached is not by any means a permanent > session log, and I understand it's not intended to be. So would this go > into the LDAP tree? Would this clog it up too much? I'm looking to store > a year of info... or more depending on the scenario. > > I've briefly looked at the Apache Shiro project. I'm not a Java guy, but > from I'm reading it kind of has the right idea. It even notes that the > session management portions can be accessed from other apps (on other > machines) and not necessarily from Java. But due to the whole thing being > a mostly-Java product, I get lost far too easily. If this were already in > FreeIPA I think that's kind of what I'm looking for. > > A single source of session information on the server. Along with the > ability to view/search it via the FreeIPA WebUI (which I assume would mean > it'd come from the JSON API). > > For someone creating a new app from scratch, this would not only cover the > user/IdM and auth items, but also session management, and allow for more > administrative control (kill a session administratively). I think this > would really decrease the barrier to entry and give app authors a "known > good" path to follow. Especially smaller, domain- or niche-specific > projects. > > I've looked at the FreeIPA session recording page ( > <a href="http://www.freeipa.org/page/Session_Recording" rel="noreferrer" target="_blank">http://www.freeipa.org/page/Session_Recording</a>). That looks neat. However, > if I'm reading it right, it's just for terminal sessions. It mentions > being able to record login info, but being a newbie I can't quite follow > exactly how it's achieving this goal (is that part all a function of tlog?). > > Anyway, again, I apologize for this very long e-mail. Am I totally barking > up the wrong tree? Is this something FreeIPA can do and I just haven't > figured out how? Or would it require far too much customization and/or be > too far outside of the core functionality? Any hints, suggestions, or even > criticism would be appreciated. Hello, I'm not a web-app guy but I would recommend you to look at SAML protocol and project Keycloak (which can be integrated with FreeIPA). AFAIK SAML gives you single-sign-on + ability to forcibly log-out users (kill their sessions). Still, it does not give you one central session (while still allowing the central management). Hopefully others will be able to elaborate on this. -- Petr^2 Spacek </blockquote></div> </div><div class="gmail_extra">Hi Petr. Thanks for your reply. I did look at SAML before I found FreeIPA. I was able to get it up and running (simpleSAMLphp - both server and client), but I didn't find that it did what I wanted it to do. </div><div class="gmail_extra">Hey project Keycloak looks neat, I will look further into that! </div><div class="gmail_extra">Thanks again. </div></div>