On Fri, 2016-12-09 at 08:31 +0100, Martin Basti wrote:
>
> On 08.12.2016 22:47, Simo Sorce wrote:
> > On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote:
> >> URL: https://github.com/freeipa/freeipa/pull/314
> >> Author: simo5
> >> Title: #314: RFC: privilege separation for ipa framework code
> >> Action: edited
> >>
> >> Changed field: body
> >> Original value:
> >> """
> >> As part of the External Authentication work this PR implements the
> >> privilege separation portion of the design available here:
> >> https://www.freeipa.org/page/V4/External_Authentication and implements
> >> tickets: https://fedorahosted.org/freeipa/ticket/5959 and
> >> https://fedorahosted.org/freeipa/ticket/4189
> >>
> >> The update process from an old server has not been implemented yet, so
> >> this is just an RFC request at this stage. Please look at the code and let
> >> me know if you notice any major issue with it so we can correct mistakes
> >> early.
> >>
> >> This PR depends on improvements and fixes to two dependencies:
> >> mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet
> >> (all PRs filed, and will be available soon).
> >> In order to allow trying the code, I made two copr repos with the
> >> necessary changes available here:
> >> - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
> >> - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/
> >>
> >> I tested a new install and both gssapi as well as password authentication
> >> work (via command line and web browser). I have not tested OTP
> >> authentication yet.
> >>
> >> There are 2 fundamental changes in this code:
> >> - the session handling code has been dropped in favor of deferring session
> >> handling to mod_auth_gssapi, simplifying the code greatly. As part of this
> >> change we stop using memcached.
> >> - the framework configuration is changed to work as a different user from
> >> the Apache framework and depends on gssproxy in order to be able to access
> >> necessary credentials. (Apache itself is also using gssproxy and does not
> >> have direct access to the HTTP keytab.)
> >> This required two changes in the form-based authentication workflow:
> >> * The armor cache is obtained via anonymous pkinit as we do not have
> >> access anymore to the HTTP keytab. This means this PR depends on #62
> >> (until it is accepted, commits from that PR are in this PR)
> >> * The actual authentication is done via a loopback HTTP request to
> >> apache after we obtain a TGT; this is done in order to obtain a session
> >> cookie from mod_auth_gssapi as well as to be able to immediately discard
> >> the TGT and just keep the HTTP ticket instead.
> >>
> >> @jcholast @pvoborni Please provide comments on the framework changes.
> >> @rcritten @abbra do you have ideas on how to deal with dropping a service
> >> (memcached) on upgrade?
> >> """
> >>
> >> --
> >> Manage your subscription for the Freeipa-devel mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
> >
> > There seems to be a bug in the mailing list posting script when someone
> > edits a PR description: I see the original text here but not the new
> > text!
> >
> > Simo.
>
> It is expected,
>
> Changed field: body
> Original value:
>
> I just haven't had time to implement sending the new values (because of the
> format of github messages it is not so simple). I may try to finish the github
> notification RFEs today.
Ok thanks, just wanted to make sure you knew about this.

Simo.

--
Simo Sorce * Red Hat, Inc * New York