Plotters via FreeIPA-users wrote:
> Hi,
>
> Using the Kerberos and the Apache plugins mod_auth_gssapi and
> mod_lookup_identity the following flow is working:
>
> 1. User is authenticated using kinit
> 2. Apache authenticates the user
> 3. The proxy transports the metadata of the user (SSSD provides the user info)
> 4. The metadata is added to the header and proxied to the backend server.
>
> The Apache configuration looks like this:
>
> <LocationMatch "/private">
>
>     ProxyPass http://localhost:2001/
>     ProxyPassReverse http://localhost:2001/
>
>     RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
>     RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
>     RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
>     RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
>
>     LookupUserAttr givenname REMOTE_USER_FIRSTNAME
>     RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
>
>     LookupUserAttr sn REMOTE_USER_LASTNAME
>     RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
>
>     LookupUserAttr preferredLanguage REMOTE_USER_LANGUAGE
>     RequestHeader set X-SSSD-REMOTE_USER_LANGUAGE %{REMOTE_USER_LANGUAGE}e
>
>     LookupUserGroups REMOTE_USER_GROUPS ","
>     RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
>
> </LocationMatch>
>
> This works fine, but not all metadata is retrieved:
>
> x-sssd-auth_type : [Negotiate]
> x-sssd-remote_user : [[email protected]]
> x-sssd-remote_user_firstname : [(null)]
> x-sssd-remote_user_groups : [ipausers]
> x-sssd-remote_user_language : [(null)]
> x-sssd-remote_user_lastname : [(null)]
>
> Is there an ACL in FreeIPA which has to be adapted to use this metadata?
> I added preferredLanguage in the SSSD.conf file like this:
>
> [ifp]
> allowed_uids = ipaapi, root
> user_attributes = +preferredLanguage, +firstName, +lastName
>
> And the log shows this works:
>
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr preferredLanguage to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr firstName to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr lastName to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr name to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr uidNumber to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr gidNumber to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr gecos to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr homeDirectory to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr loginShell to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr groups to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr domain to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr domainname to whitelist
> * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr extraAttributes to whitelist
>
> Thanks in advance for any pointers to solve this. Or where to look for ACL in
> the ipa logging. LDAP doesn't show anything.
It's been a while, years, since I've configured ifp so I'm quite rusty. I believe you need to use the LDAP attribute names for these, so firstName -> givenname and lastName -> sn (surname). preferredLanguage isn't something that rings a bell to me. What is storing that? Did you extend schema for it?

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
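The mismatch Rob points at (Apache's LookupUserAttr asks for the LDAP attribute types givenname and sn, while the [ifp] whitelist lists the friendly names firstName and lastName, so SSSD whitelists attributes nobody asks for and the headers come back as (null)) can be caught by a static comparison of the two config files. The script below is an added example, not code from the thread, from SSSD or from mod_lookup_identity; the alias table (firstName -> givenname, lastName -> sn) and the two embedded configuration snippets are constructed here and only mirror what was posted. preferredLanguage is passed through unchanged, because it is a real inetOrgPerson attribute and the question of whether SSSD can fetch it is a separate one.

```python
"""Static check of an sssd.conf [ifp] user_attributes list against the
attributes that Apache's mod_lookup_identity requests via LookupUserAttr.

Added example, not code from the thread, from SSSD or from
mod_lookup_identity.  The alias table and both configuration snippets are
constructed for illustration and mirror the ones posted in the thread.
"""
import configparser
import re
from typing import Dict, List

# Constructed alias table: "friendly" names that are not LDAP attribute
# types on a FreeIPA user entry, mapped to the inetOrgPerson names that are.
LDAP_ALIASES = {
    "firstname": "givenname",
    "lastname": "sn",
    "surname": "sn",
}

# Attributes ifp whitelists by default (the "default attr" lines in the
# poster's SSSD log).
IFP_DEFAULT_ATTRS = {
    "name", "uidNumber", "gidNumber", "gecos", "homeDirectory",
    "loginShell", "groups", "domain", "domainname", "extraAttributes",
}

# Constructed sample input, as posted.  Lines start at column 0 on purpose:
# configparser treats indented lines as continuations of the previous value.
SSSD_CONF = """
[ifp]
allowed_uids = ipaapi, root
user_attributes = +preferredLanguage, +firstName, +lastName
"""

APACHE_CONF = """
<LocationMatch "/private">
    ProxyPass http://localhost:2001/
    ProxyPassReverse http://localhost:2001/
    LookupUserAttr givenname REMOTE_USER_FIRSTNAME
    RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
    LookupUserAttr sn REMOTE_USER_LASTNAME
    RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
    LookupUserAttr preferredLanguage REMOTE_USER_LANGUAGE
    RequestHeader set X-SSSD-REMOTE_USER_LANGUAGE %{REMOTE_USER_LANGUAGE}e
    LookupUserGroups REMOTE_USER_GROUPS ","
</LocationMatch>
"""


def parse_user_attributes(sssd_conf: str) -> List[str]:
    """Return the names listed in [ifp] user_attributes, without the '+' prefix."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    raw = cp.get("ifp", "user_attributes", fallback="")
    return [item.strip().lstrip("+") for item in raw.split(",") if item.strip()]


def lookup_user_attrs(apache_conf: str) -> List[str]:
    """Return the attribute names requested by LookupUserAttr directives."""
    return re.findall(r"^\s*LookupUserAttr\s+(\S+)", apache_conf, flags=re.MULTILINE)


def to_ldap_name(attr: str) -> str:
    """Map a friendly alias to its LDAP attribute type; pass real names through."""
    return LDAP_ALIASES.get(attr.lower(), attr)


def check(sssd_conf: str, apache_conf: str) -> Dict[str, object]:
    """Compare what Apache asks for with what ifp will actually whitelist.

    LDAP attribute type names are case-insensitive, so both sides are
    lowercased before comparison.  The result reports which configured names
    are aliases ifp will not recognise, which requested attributes are missing
    from the whitelist as written, which are still missing after the rename,
    and a corrected user_attributes line.
    """
    configured = parse_user_attributes(sssd_conf)
    wanted = lookup_user_attrs(apache_conf)
    defaults = {d.lower() for d in IFP_DEFAULT_ATTRS}

    as_written = {a.lower() for a in configured} | defaults
    renamed = {a: to_ldap_name(a) for a in configured if to_ldap_name(a) != a}
    after_rename = {to_ldap_name(a).lower() for a in configured} | defaults

    return {
        "renamed": renamed,
        "missing_as_written": [w for w in wanted if w.lower() not in as_written],
        "missing_after_rename": [w for w in wanted if w.lower() not in after_rename],
        "suggested_user_attributes":
            "user_attributes = " + ", ".join("+" + to_ldap_name(a) for a in configured),
    }


if __name__ == "__main__":
    for key, value in check(SSSD_CONF, APACHE_CONF).items():
        print(f"{key}: {value}")
```

Run against the posted snippets, the check reports givenname and sn as missing from the whitelist as written, nothing missing once firstName and lastName are replaced by their LDAP names, and `user_attributes = +preferredLanguage, +givenname, +sn` as the corrected line. Two things the static check cannot tell you: first, the [ifp] whitelist only filters what the responder exposes, so the domain provider must fetch a non-default attribute such as preferredLanguage in the first place (ldap_user_extra_attrs in the [domain/...] section), and Rob's question about where that attribute is stored in the schema still stands; second, whether a value actually comes back is best confirmed at runtime with the InfoPipe GetUserAttr method (dbus-send against org.freedesktop.sssd.infopipe, see sssd-ifp(5)) before touching the Apache side. On the proxy side, `RequestHeader set` replaces any X-SSSD-* header a client sent, which is the property the backend relies on, so the backend must only be reachable through this proxy.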
