On 10/2/25 3:25 AM, Alexander Bokovoy wrote:
On Thu, 02 Oct 2025, Brad House via FreeIPA-users wrote:
I have a locked down network (both ingress and egress) where neither
the freeipa server nor the clients have direct internet access, yet have
the need to use an external IDP with FreeIPA for authentication.
According to this diagram:
https://freeipa.readthedocs.io/en/latest/_images/plantuml-453b55f8632265d0a07df90253856b12b0c9bbc0.png
The oidc_child is what needs access to the IDP to get the device code
and verify it. Also via the docs it says "oidc_child uses curl and
cjose libraries to implement OAuth 2.0 communication."
I'm using Okta as the IDP, and while I could, in theory, use
https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json to allow egress
through my firewall, that is likely to break as IPs get added or removed
over time. I have a proxy configured on a separate host that I use for
this sort of purpose that can allow based on an allow list of domain
names (rather than IPs) so I don't need to configure firewall rules on
my freeipa servers to connect directly to Okta, while still maintaining
the desired level of security.
It doesn't appear (unless I'm missing it) that there is any direct
proxy configuration for this purpose. That said, since libcurl is
used, and it typically honors environment variables like
http_proxy/https_proxy, I wonder if injecting an environment via
`/etc/systemd/system/XXXX.service.d/override.conf` might work. Looking
for guidance here before I start going down this rabbit hole; figured
someone might know off the top of their head.
I'm also not sure what is responsible for spawning the oidc_child so
not sure what service to inject such an environment into if that would
even work. Is it the KDC itself maybe?
oidc_child is spawned by the ipa-otpd daemon which, in turn, is spawned by
systemd when someone accesses /run/krb5kdc/DEFAULT.socket. On its side,
the ipa-otpd daemon uses /etc/ipa/default.conf as its EnvironmentFile.
systemd.exec(5) says for the EnvironmentFile= option:
....
Empty lines, lines without an "=" separator, or lines starting with ";"
or "#" will be ignored, which may be used for commenting.
....
The files listed with this directive will be read shortly before the
process is executed (more specifically, after all processes from a
previous unit state terminated. This means you can generate these files
in one unit state, and read it with this option in the next. The files
are read from the file system of the service manager, before any file
system changes like bind mounts take place).
....
So this means you can modify /etc/ipa/default.conf to add http_proxy or
HTTPS_PROXY.
Note that we already use this mechanism to pass oidc_child_debug_level,
as described in the man page for default.conf(5).
Great, thank you, I'll give this a shot.
-Brad
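The change Alexander suggests above (adding a proxy variable to the [global] section of /etc/ipa/default.conf, the file ipa-otpd reads as its EnvironmentFile) can be made idempotently with the helper below. This is an added example, not code from the thread or from FreeIPA; the proxy URL, no_proxy list and the sample file it edits are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: idempotently set
# a proxy variable in the [global] section of a default.conf-style file.
# File path, proxy URL and no_proxy list below are constructed placeholders.

# set_global_key FILE KEY VALUE: rewrite an existing "KEY = ..." line in
# [global], or append one at the end of that section (creating it if absent).
set_global_key() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        /^\[/ {
            # leaving [global] without having seen KEY: add it first
            if (in_global && !done) { print k " = " v; done = 1 }
            in_global = ($0 == "[global]")
        }
        in_global && !done && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            print k " = " v; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!in_global) print "[global]"
                print k " = " v
            }
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_global_key FILE KEY: print the trimmed value of KEY from [global],
# or nothing if it is not set there.
get_global_key() {
    awk -v k="$2" '
        /^\[/ { in_global = ($0 == "[global]") }
        in_global && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# Demo on a constructed copy (back up the real /etc/ipa/default.conf before
# editing it). no_proxy keeps internal hosts off the proxy; the list is an
# assumption about the site, so only the IdP egress goes through the proxy.
demo=$(mktemp)
printf '[global]\nbasedn = dc=example,dc=com\nrealm = EXAMPLE.COM\n' > "$demo"
set_global_key "$demo" https_proxy http://proxy.example.com:3128
set_global_key "$demo" no_proxy localhost,.example.com
get_global_key "$demo" https_proxy
rm -f "$demo"
```

After editing the real file, restart ipa-otpd (or let systemd respawn it on the next socket activation) so the new EnvironmentFile contents are read.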
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]