On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote:
> I am not saying “instead of”. We are using standard authentication provided by
> FreeIPA, but I want to protect Web UI interface from unwanted attention as it
> is, unfortunately, exposed to the entire internet. I’d be much happier if Apache
> could reject (or redirect) any client which is not presenting required
> certificate even before any authentication attempt is started.
> That is not to say that the whole server is exposed, but 443 port is.
Thanks for explaining.
> Ar laipniem sveicieniem,
> Ivars Strazdiņš
> > On 2017. gada 29. maijs, at 17:07, Fraser Tweedale <ftwee...@redhat.com>
> > wrote:
> > On Mon, May 29, 2017 at 01:50:28PM +0300, Alexander Bokovoy via
> > FreeIPA-users wrote:
> >> On la, 27 touko 2017, Ivars Strazdiņš via FreeIPA-users wrote:
> >>> Hi there,
> >>> our IPA servers' https port is exposed to internet. I wanted to restrict
> >>> access to Web UI by requesting a user certificate issued by IPA and
> >>> enabling Apache setting "NSSVerifyClient require" (or "optional") in
> >>> /etc/httpd/conf.d/nss.conf
> >>> This, however, broke "ipa" command, which now started to fail like:
> >>> [user@im conf.d]$ ipa user-show user
> >>> ipa: ERROR: cannot connect to 'https://a.b.c.d/ipa/json':
> >>> (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
> >>> Questions:
> >>> Is it possible for "ipa" command to present certificate to Apache server?
> > Hi Ivars,
> > I am curious about your use case. Is there some reason why you need
> > certificate authentication instead of Kerberos? Knowing why you
> > want to do this will help us decide when or whether to implement
> > this.
> > Thanks,
> > Fraser
> >> Not possible yet. Note that it is not only an issue of 'ipa' command,
> >> there are also other commands that are used for join operation and
> >> also require access to the HTTPS end point.
> >> Prior to FreeIPA 4.5 there is no way to enable certificate
> >> authentication to web UI at all. In 4.5 we added ability to authenticate
> >> with certificates to web UI. However, none of the enrollment tools and
> >> 'ipa' utility were changed to allow such method.
> >> It would probably be good to open a ticket to make sure cert-based
> >> authentication would be supported by 'ipa' and enrollment tools.
> >>> Anything else is going to break by such approach?
> >> See above.
> >> --
> >> / Alexander Bokovoy
> >> _______________________________________________
> >> FreeIPA-users mailing list -- firstname.lastname@example.org
> >> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
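The thread above shows the failure mode: a server-wide `NSSVerifyClient require` in /etc/httpd/conf.d/nss.conf makes mod_nss reject every TLS handshake that carries no client certificate, so the `ipa` CLI (which talks to /ipa/json without one) and the enrollment tools fail before any request is made. The fragment below is an added illustration, not FreeIPA's shipped configuration, of the usual way to keep the CLI working while still demanding a certificate for the browser UI: leave the server-wide setting at `none` and put the requirement in a `<Location>` block. The path /ipa/ui for the Web UI is an assumption to check against the Apache configuration FreeIPA installed on your server, and per-location client-certificate checks in mod_nss rely on TLS renegotiation after the request path is known, so renegotiation has to be enabled and restricted to the RFC 5746 safe form.

```apache
# Illustrative mod_nss fragment for /etc/httpd/conf.d/nss.conf (added example,
# not FreeIPA's own file). Paths and directives outside the quoted thread are
# assumptions; verify them against the ipa.conf and nss.conf on your server.

# What broke the CLI in the thread: a server-wide client-certificate
# requirement. Any client without a certificate, including "ipa" on
# /ipa/json and the join/enrollment tools, is dropped at the handshake.
#
#   NSSVerifyClient require          # do not set this globally

# Keep the global default so /ipa/json (used by "ipa") and the other
# Kerberos-authenticated RPC endpoints stay reachable without a certificate.
NSSVerifyClient none

# Per-location client-cert checks are enforced by renegotiating the TLS
# session once Apache knows the path, so renegotiation must be allowed.
# Require the secure-renegotiation extension so a MITM cannot splice
# a pre-renegotiation request into the authenticated session.
NSSRenegotiation on
NSSRequireSafeNegotiation on

# Assumption: the Web UI lives under /ipa/ui. Only this path demands a
# client certificate; everything else keeps the server-wide setting.
<Location "/ipa/ui">
    NSSVerifyClient require
</Location>
```

Two things to verify on the live server before relying on this. First, the browser UI does not stay inside /ipa/ui: its login form and JSON-RPC calls go to other /ipa/session/... endpoints, and on recent FreeIPA versions some of those are shared with the CLI, so whether they can be gated without recreating the SSL_ERROR_BAD_CERT_ALERT failure from the thread depends on the version in use and needs a test with `ipa user-show` after each change. Second, FreeIPA's installer and upgrade tooling manage its Apache configuration, so re-check the directives after an `ipa-server-upgrade` rather than assuming a hand edit survived.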