I have a locked-down network (both ingress and egress) where neither the FreeIPA server nor the clients have direct internet access, yet I have the need to use an external IdP with FreeIPA for authentication.
According to this diagram: https://freeipa.readthedocs.io/en/latest/_images/plantuml-453b55f8632265d0a07df90253856b12b0c9bbc0.png the oidc_child is what needs access to the IdP to get the device code and verify it. Also, the docs say "oidc_child uses curl and cjose libraries to implement OAuth 2.0 communication."

I'm using Okta as the IdP, and while I could, in theory, use https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json to allow egress through my firewall, that is likely to break as IPs get added or removed over time. I have a proxy configured on a separate host that I use for this sort of purpose; it can allow based on an allow list of domain names (rather than IPs), so I don't need to configure firewall rules on my FreeIPA servers to connect directly to Okta while still maintaining the desired level of security.

It doesn't appear (unless I'm missing it) that there is any direct proxy configuration for this purpose. That said, since libcurl is used, and it typically honors environment variables like http_proxy/https_proxy, I wonder if injecting an environment via `/etc/systemd/system/XXXX.service.d/override.conf` might work. Looking for guidance here before I start going down this rabbit hole; figured someone might know off the top of their head.

I'm also not sure what is responsible for spawning the oidc_child, so I'm not sure what service to inject such an environment into, if that would even work. Is it the KDC itself, maybe?

Thanks!
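As an added illustration of the approach the post proposes (this is example code, not from the original post and not FreeIPA's or SSSD's own tooling): a small POSIX shell helper that writes the systemd drop-in with the proxy variables and a helper that reads a variable back out of a live process's environment, which is the check you want after `daemon-reload` and a restart, since a drop-in only affects processes started under the unit. The unit name `sssd.service`, the proxy URL `http://proxy.example.internal:3128` and the `no_proxy` list are assumptions for illustration; the post itself leaves open which service spawns oidc_child. Two libcurl facts the drop-in relies on: libcurl honors `https_proxy`/`HTTPS_PROXY` and `no_proxy`/`NO_PROXY` in either case, but for plain HTTP it reads only the lowercase `http_proxy` (the uppercase form is deliberately ignored because a request's `Proxy:` header would land in `HTTP_PROXY` under CGI). The `no_proxy` list keeps any other curl-based traffic to internal hosts off the proxy.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeIPA/SSSD.
# Hypothetical values: the unit (sssd.service), the proxy URL and the
# no_proxy list are placeholders chosen for this illustration.

# write_proxy_dropin ROOT UNIT PROXY_URL NO_PROXY
#   Creates ROOT/etc/systemd/system/UNIT.d/override.conf that exports the
#   proxy variables libcurl reads. ROOT is "/" on a real host; a temp dir
#   lets the helper be exercised without touching the system.
#   Prints the path of the file it wrote.
write_proxy_dropin() {
    root=$1; unit=$2; proxy=$3; noproxy=$4
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    # Lowercase names on purpose: libcurl accepts https_proxy in either case
    # but only the lowercase http_proxy; no_proxy keeps internal hosts direct.
    cat > "$dir/override.conf" <<EOF
[Service]
Environment="https_proxy=$proxy"
Environment="http_proxy=$proxy"
Environment="no_proxy=$noproxy"
EOF
    printf '%s\n' "$dir/override.conf"
}

# environ_value FILE NAME
#   FILE is a NUL-separated environment image, the format of
#   /proc/PID/environ. Prints NAME's value; exits 1 if NAME is absent.
environ_value() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | grep .
}

# proc_env_value PID NAME
#   Same, read from a live process. Run it against the PID of the process
#   that actually spawns oidc_child (e.g. `pidof sssd_be`, if that turns out
#   to be the spawner) after `systemctl daemon-reload && systemctl restart UNIT`
#   to confirm the variable reached it; /proc/PID/environ shows the
#   environment the process was exec'd with, so a pre-restart process will
#   not show the new value.
proc_env_value() {
    environ_value "/proc/$1/environ" "$2"
}

# Demonstration run (hypothetical values) when executed directly.
if [ "${0##*/}" = "proxy_dropin.sh" ]; then
    f=$(write_proxy_dropin "$(mktemp -d)" sssd.service \
        http://proxy.example.internal:3128 \
        "localhost,127.0.0.1,.ipa.example.internal")
    cat "$f"
fi
```

Before restarting, `systemctl show -p Environment sssd.service` (or whichever unit you patched) confirms systemd merged the drop-in; after restarting, `proc_env_value` against the spawning process confirms the child inherits it. Note that the proxy only applies to the curl-based path: SSSD's LDAP and Kerberos traffic does not read these variables, so `no_proxy` is a safeguard for other curl callers rather than for SSSD's own directory traffic.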
