Hi,
Using Kerberos and the Apache plugins mod_auth_gssapi and
mod_lookup_identity, the following flow is working:
1. User is authenticated using kinit
2. Apache authenticates the user
3. The proxy transports the metadata of the user (SSSD provides the user info)
4. The metadata is added to the header and proxied to the backend server.
The Apache configuration looks like this:
<LocationMatch "/private">
    ProxyPass http://localhost:2001/
    ProxyPassReverse http://localhost:2001/
    RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
    RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
    RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
    RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
    LookupUserAttr givenname REMOTE_USER_FIRSTNAME
    RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
    LookupUserAttr sn REMOTE_USER_LASTNAME
    RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
    LookupUserAttr preferredLanguage REMOTE_USER_LANGUAGE
    RequestHeader set X-SSSD-REMOTE_USER_LANGUAGE %{REMOTE_USER_LANGUAGE}e
    LookupUserGroups REMOTE_USER_GROUPS ","
    RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
</LocationMatch>
This works fine, but not all metadata is retrieved:
x-sssd-auth_type : [Negotiate]
x-sssd-remote_user : [[email protected]]
x-sssd-remote_user_firstname : [(null)]
x-sssd-remote_user_groups : [ipausers]
x-sssd-remote_user_language : [(null)]
x-sssd-remote_user_lastname : [(null)]
Is there an ACL in FreeIPA which has to be adapted to use this metadata? I
added preferredLanguage in the sssd.conf file like this:
[ifp]
allowed_uids = ipaapi, root
user_attributes = +preferredLanguage, +firstName, +lastName
And the log shows this works:
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr preferredLanguage to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr firstName to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr lastName to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr name to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr uidNumber to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr gidNumber to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr gecos to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr homeDirectory to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr loginShell to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr groups to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr domain to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr domainname to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr extraAttributes to whitelist
Thanks in advance for any pointers to solve this, or where to look for ACLs in
the IPA logging. LDAP doesn't show anything.
Best regards, Bart
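For the backend side of the flow described in this post, here is an added example (not code from the post or from the FreeIPA/SSSD projects) of how the service behind ProxyPass can consume the X-SSSD-* headers safely. It assumes the backend listens only on the loopback interface that the proxy targets, and that an unset mod_lookup_identity variable reaches it as the literal string "(null)", exactly as in the header dump above. The sample headers and the principal user1@EXAMPLE.TEST are constructed placeholders.

```python
"""Backend consumer of the X-SSSD-* identity headers injected by the proxy.

Added example, not part of the original post. Assumptions:
  * only the reverse proxy can reach this backend (ProxyPass targets
    http://localhost:2001/, so the peer must be a loopback address), and
  * an unset mod_lookup_identity variable arrives as the string "(null)",
    as seen in the post's header dump, and must not be treated as a value.
"""
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address
from typing import Mapping, Optional

HEADER_PREFIX = "x-sssd-"
MISSING = {"", "(null)"}   # mod_headers emits "(null)" for an unset %{VAR}e


@dataclass
class Identity:
    user: str
    auth_type: str
    groups: list[str] = field(default_factory=list)
    attrs: dict[str, Optional[str]] = field(default_factory=dict)


def _clean(value: Optional[str]) -> Optional[str]:
    """Map the proxy's 'unset' markers to None so callers never see '(null)'."""
    if value is None:
        return None
    value = value.strip()
    return None if value in MISSING else value


def parse_identity(headers: Mapping[str, str]) -> Identity:
    """Build an Identity from the X-SSSD-* request headers.

    Raises ValueError when the mandatory user/auth-type headers are absent,
    so a request that did not pass mod_auth_gssapi is rejected instead of
    being treated as an anonymous but valid session.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    user = _clean(lower.get("x-sssd-remote_user"))
    auth_type = _clean(lower.get("x-sssd-auth_type"))
    if user is None or auth_type is None:
        raise ValueError("request lacks the proxy-supplied identity headers")
    if auth_type.lower() != "negotiate":
        raise ValueError(f"unexpected AUTH_TYPE {auth_type!r}")

    # LookupUserGroups joins the groups with "," (see the Apache config).
    raw_groups = _clean(lower.get("x-sssd-remote_user_groups")) or ""
    groups = [g for g in (x.strip() for x in raw_groups.split(",")) if g]

    # Optional attributes: None when the lookup produced nothing.
    known = ("remote_user_firstname", "remote_user_lastname",
             "remote_user_language")
    attrs = {name: _clean(lower.get(HEADER_PREFIX + name)) for name in known}
    return Identity(user=user, auth_type=auth_type, groups=groups, attrs=attrs)


def from_trusted_proxy(peer_ip: str) -> bool:
    """Identity headers are only believed when the peer is the local proxy."""
    return ip_address(peer_ip).is_loopback


class Handler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        if not from_trusted_proxy(self.client_address[0]):
            self.send_error(403, "identity headers accepted from the proxy only")
            return
        try:
            ident = parse_identity(self.headers)
        except ValueError as exc:
            self.send_error(401, str(exc))
            return
        body = f"user={ident.user} groups={ident.groups} attrs={ident.attrs}\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())


# Constructed sample: the header dump from the post as the backend sees it,
# with a placeholder principal instead of the real one.
SAMPLE_HEADERS = {
    "X-SSSD-AUTH_TYPE": "Negotiate",
    "X-SSSD-REMOTE_USER": "user1@EXAMPLE.TEST",
    "X-SSSD-REMOTE_USER_FIRSTNAME": "(null)",
    "X-SSSD-REMOTE_USER_GROUPS": "ipausers",
    "X-SSSD-REMOTE_USER_LANGUAGE": "(null)",
    "X-SSSD-REMOTE_USER_LASTNAME": "(null)",
}

if __name__ == "__main__":
    print(parse_identity(SAMPLE_HEADERS))
    HTTPServer(("127.0.0.1", 2001), Handler).serve_forever()
```

Two points matter here. First, `RequestHeader set` overwrites any X-SSSD-* header a client sends, but it does so only on the proxy; the backend itself must refuse identity headers from any peer that is not the proxy, which is why it checks for a loopback source before reading them. Second, because mod_headers writes the string "(null)" for an unset `%{VAR}e`, a backend that stores the header verbatim would end up with a user whose first name is literally "(null)"; mapping that marker to "missing" keeps the lookup failure visible instead of silently persisting it.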
FreeIPA-users mailing list -- [email protected]