thanks Dmitri, I am now testing two-way SSL auth to an Apache webserver using auth_kerb_module which authenticates to IPA, idea is that it will reverse proxy to another server which is under IPA domain. I will try out mod_nss and later PKINIT.

thanks for the reply.
-KSHK

On Tue, Mar 10, 2015 at 7:10 PM, Dmitri Pal <[email protected]> wrote:
> On 03/10/2015 01:19 PM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 03/10/2015 10:22 AM, Rob Crittenden wrote:
>>>> K SHK wrote:
>>>>> hi,
>>>>>
>>>>> My hortonworks hadoop cluster is kerberized with FreeIPA and works
>>>>> splendid :)
>>>>>
>>>>> I want to clarify if SSL authentication without a login/password will
>>>>> work against FreeIPA...
>>>>>
>>>>> ie. client connects to apache webserver over SSL, and sets in
>>>>> username via
>>>>>
>>>>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
>>>>>
>>>>> and the webserver will get the valid ticket from freeIPA...
>>>>>
>>>>> any idea what type of certificate and apache modules will be needed to
>>>>> accomplish this?
>>>>>
>>>> IPA doesn't support user SSL certificates at the moment, so that's the
>>>> first hurdle. It is being worked on for 4.2. You'd need to include the
>>>> PKINIT EKU in the client cert, something that should be configurable
>>>> when the work is done.
>>>>
>>>> The second problem is that the IPA PKINIT configuration is rather
>>>> incomplete at the moment. I'm not sure if it is sufficient in its
>>>> current state, even with properly formatted certificates.
>>>>
>>>> And even further, I'm not familiar enough with PKINIT to know whether a
>>>> web-based SSL authentication is enough to get a ticket.
>>>>
>>>> rob
>>>>
>>> I think it is but the biggest problem is remapping the identities from
>>> the cert to users in identity system - IPA in this case.
>>> I will file a ticket.
>>> https://fedorahosted.org/freeipa/ticket/4942
>>>
>> IIRC with PKINIT the principal is encoded in the certificate so no
>> mapping is required.
>>
>> rob
>>
> There are several use cases here:
> - do PKINIT on the client and then use ST to connect to IPA UI - this is
>   already planned
> - use certificate auth via mod_nss directly to IPA.
>
> The challenge would be to deal with the case when there is no principal
> (or other good identifier) in the cert and you have to remap.
> Unfortunately we can't guarantee that principal is in the cert. Some known
> entities that we need to work with do not have the principal in the cert.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
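The mod_ssl half of the setup the thread discusses (client certificate required at the reverse proxy, username taken from the certificate subject via SSLUserName), written out as an added example; this is not configuration from the thread, from FreeIPA or from the Apache project. The hostnames, file paths, the CA file and the proxied backend URL are assumptions. It covers only the TLS client-certificate verification and the username mapping step; the mapping of that username to an IPA principal, which Dmitri's reply identifies as the unsolved part, is not handled here.

```apacheconf
# Added example, not from the thread. All paths and hostnames are assumed.
<VirtualHost *:443>
    # Assumed hostname of the reverse proxy.
    ServerName proxy.example.test

    SSLEngine on
    # Assumed server certificate and key paths.
    SSLCertificateFile    /etc/pki/tls/certs/proxy.crt
    SSLCertificateKeyFile /etc/pki/tls/private/proxy.key

    # Accept only client certificates that chain to the CA trusted for users
    # (assumed path). "require" rejects the TLS handshake without a valid cert.
    SSLCACertificateFile  /etc/pki/tls/certs/user-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Export the SSL_CLIENT_* variables so they can be checked and logged.
    SSLOptions +StdEnvVars

    # Take the request username from the client certificate subject CN.
    # This is the identity the backend will see; it is not a Kerberos
    # principal unless the CA issues certificates whose CN matches one.
    SSLUserName SSL_CLIENT_S_DN_CN

    # Refuse certificates that carry no usable CN, so an empty username
    # can never reach the backend.
    SSLRequire %{SSL_CLIENT_S_DN_CN} ne ""

    # Record which certificate authenticated each request for later review.
    LogFormat "%h %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x \"%r\" %>s" clientcert
    CustomLog logs/clientcert_log clientcert

    # Assumed backend inside the IPA domain.
    ProxyPass        / http://backend.ipa.example.test/
    ProxyPassReverse / http://backend.ipa.example.test/
</VirtualHost>
```

With SSLVerifyClient set to require, a connection without a certificate signed by the configured CA is refused during the TLS handshake, before any request is proxied; SSL_CLIENT_VERIFY in the access log should therefore always read SUCCESS for proxied requests, and any other value in that column is worth investigating.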
