On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote:
> URL: https://github.com/freeipa/freeipa/pull/314
> Author: simo5
> Title: #314: RFC: privilege separation for ipa framework code
> Action: edited
> Changed field: body
> Original value:
> As part of the External Authentication work this PR implements the privilege
> separation portion of the design available here:
> https://www.freeipa.org/page/V4/External_Authentication and implements
> tickets: https://fedorahosted.org/freeipa/ticket/5959 and
> The update process from an old server has not been implemented yet, so this
> is just an RFC request at this stage. Please look at the code and let me know
> if you notice any major issue with it so we can correct mistakes early.
> This PR depends on improvements and fixes to two dependencies:
> mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet
> (all PRs filed, and will be available soon).
> In order to allow trying the code, I made two copr repos with the necessary
> changes available here:
> - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
> - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/
> I tested a new install and both GSSAPI and password authentication
> work (via command line and web browser). I have not tested OTP authentication.
> There are 2 fundamental changes in this code:
> - the session handling code has been dropped in favor of deferring session
> handling to mod_auth_gssapi, simplifying the code greatly. As part of this
> change we stop using memcached.
> - the framework configuration is changed to work as a different user from the
> Apache framework and depends on gssproxy in order to be able to access
> necessary credentials. (Apache itself is also using gssproxy and does not
> have direct access to the HTTP keytab.)
> This required two changes in the form-based authentication workflow:
> * The armor cache is obtained via anonymous pkinit as we do not have access
> anymore to the HTTP keytab. This means this PR depends on #62 (until it is
> accepted commits from that PR are in this PR)
> * The actual authentication is done via a loopback HTTP request to apache
> after we obtain a TGT, this is done in order to obtain a session cookie from
> mod_auth_gssapi as well as to be able to immediately discard the TGT and just
> keep the HTTP ticket instead.
> @jcholast @pvoborni Please provide comments on the framework changes.
> @rcritten @abbra do you have ideas on how to deal with dropping a service
> (memcached) on upgrade?
> Manage your subscription for the Freeipa-devel mailing list:
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
There seems to be a bug in the mailing list posting script when someone
edits a PR description, I see the original text here but not the new
Simo Sorce * Red Hat, Inc * New York