I am not saying “instead of”. We are using standard authetication provided by 
FreeIPA, but I want to protect Web UI interface from unwanted attention as it 
is, unfortunately, exposed to entire internet. I’d be much happier if Apache 
could reject (or redirect) any client which is not presenting required 
certificate even before any authentication attempt is started.
That is not to say that the whole server is exposed, but 443 port is.

Ar laipniem sveicieniem,
Ivars Strazdiņš

> On 2017. gada 29. maijs, at 17:07, Fraser Tweedale <ftwee...@redhat.com> 
> wrote:
> 
> On Mon, May 29, 2017 at 01:50:28PM +0300, Alexander Bokovoy via FreeIPA-users 
> wrote:
>> On la, 27 touko 2017, Ivars Strazdiņš via FreeIPA-users wrote:
>>> Hi there,
>>> our IPA servers' https port is exposed to internet. I wanted to restrict 
>>> access to Web UI by requesting a user certificate issued by IPA and 
>>> enabling Apache setting "NSSVerifyClient require" (or "optional") in 
>>> /etc/httpd/conf.d/nss.conf
>>> This, however, broke "ipa" command, which now started to fail like:
>>> [user@im conf.d]$ ipa user-show user
>>> ipa: ERROR: cannot connect to 'https://a.b.c.d/ipa/json': 
>>> (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
>>> 
>>> Questions:
>>> Is it possible for "ipa" command to present sertificate to Apache server?
>>> 
> Hi Ivars,
> 
> I am curious about your use case.  Is there some reason why you need
> certificate authentication instead of Kerberos?  Knowing why you
> want to do this will help us decide when or whether to implement
> this.
> 
> Thanks,
> Fraser
> 
>> Not possible yet. Note that it is not only an issue of 'ipa' command,
>> there are also other commands that are used for join operation and
>> also require access to the HTTPS end point.
>> 
>> Prior to FreeIPA 4.5 there is no way to enable certificate
>> authentication to web UI at all. In 4.5 we added ability to authenticate
>> with certificates to web UI. However, none of the enrollment tools and
>> 'ipa' utility were changed to allow such method.
>> 
>> It would probably be good to open a ticket to make sure cert-based
>> authentication would be supported by 'ipa' and enrollment tools.
>> 
>>> Anything else is going to break by such approach?
>> See above.
>> -- 
>> / Alexander Bokovoy
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to