On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote:
> I am not saying "instead of". We are using the standard authentication provided by
> FreeIPA, but I want to protect the Web UI interface from unwanted attention as it
> is, unfortunately, exposed to the entire internet. I'd be much happier if Apache
> could reject (or redirect) any client which is not presenting the required
> certificate even before any authentication attempt is started.
> That is not to say that the whole server is exposed, but port 443 is.
> Thanks for explaining.

Cheers,
Fraser

> With kind regards,
> Ivars Strazdiņš
>
> > On 29 May 2017, at 17:07, Fraser Tweedale <ftwee...@redhat.com> wrote:
> >
> > On Mon, May 29, 2017 at 01:50:28PM +0300, Alexander Bokovoy via
> > FreeIPA-users wrote:
> >> On Sat, 27 May 2017, Ivars Strazdiņš via FreeIPA-users wrote:
> >>> Hi there,
> >>> our IPA servers' https port is exposed to the internet. I wanted to restrict
> >>> access to the Web UI by requesting a user certificate issued by IPA and
> >>> enabling the Apache setting "NSSVerifyClient require" (or "optional") in
> >>> /etc/httpd/conf.d/nss.conf
> >>> This, however, broke the "ipa" command, which now started to fail like:
> >>> [user@im conf.d]$ ipa user-show user
> >>> ipa: ERROR: cannot connect to 'https://a.b.c.d/ipa/json':
> >>> (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
> >>>
> >>> Questions:
> >>> Is it possible for the "ipa" command to present a certificate to the Apache server?
> >>>
> > Hi Ivars,
> >
> > I am curious about your use case. Is there some reason why you need
> > certificate authentication instead of Kerberos? Knowing why you
> > want to do this will help us decide when or whether to implement
> > this.
> >
> > Thanks,
> > Fraser
> >
> >> Not possible yet. Note that it is not only an issue of the 'ipa' command;
> >> there are also other commands that are used for the join operation and
> >> also require access to the HTTPS end point.
> >>
> >> Prior to FreeIPA 4.5 there is no way to enable certificate
> >> authentication to the web UI at all. In 4.5 we added the ability to authenticate
> >> with certificates to the web UI. However, none of the enrollment tools and
> >> the 'ipa' utility were changed to allow such a method.
> >>
> >> It would probably be good to open a ticket to make sure cert-based
> >> authentication would be supported by 'ipa' and the enrollment tools.
> >>
> >>> Anything else is going to break by such an approach?
> >> See above.
> >>
> >> --
> >> / Alexander Bokovoy
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
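The breakage in the thread comes from putting `NSSVerifyClient require` in /etc/httpd/conf.d/nss.conf, where it applies to the whole virtual host, so every path, including the JSON-RPC endpoint the `ipa` command and the enrollment tools talk to, starts demanding a client certificate. The configuration below is an added example, not code from the thread or from the FreeIPA project: it shows the server-wide setting that caused the failure beside a narrower variant that scopes the requirement to the Web UI path only. It assumes a FreeIPA 4.x server using mod_nss, that the Web UI is served under /ipa/ui while the CLI and enrollment tools use /ipa/json, /ipa/xml and /ipa/session/json with Kerberos, and that this mod_nss build honours NSSVerifyClient inside a Location block when NSSRenegotiation is enabled (check the mod_nss documentation for the installed version before relying on this). The file name is hypothetical.

```apache
# Added example, not from the thread or the FreeIPA project.
# Hypothetical drop-in file: /etc/httpd/conf.d/ipa-ui-clientcert.conf
#
# Assumptions (verify for your version):
#   - FreeIPA 4.x on RHEL/CentOS 7 with mod_nss serving port 443;
#   - the Web UI lives under /ipa/ui, while the "ipa" CLI, ipa-client-install
#     and ipa-join use /ipa/json, /ipa/xml and /ipa/session/json with Kerberos;
#   - mod_nss accepts NSSVerifyClient in a <Location> context and performs a
#     TLS renegotiation to request the certificate, which needs
#     NSSRenegotiation on.

# The setting from the thread, placed at server scope in nss.conf, is what
# broke the CLI: it applies to /ipa/json as well as to the UI. Leave the
# server-wide value at its default instead:
#
#   NSSVerifyClient none

# Renegotiation is required for a per-location certificate request; only
# allow it with peers that support RFC 5746 safe renegotiation.
NSSRenegotiation on
NSSRequireSafeNegotiation on

<Location "/ipa/ui">
    # Demand an IPA-issued client certificate only for the Web UI content.
    # Browsers without a certificate from a CA in the server's NSS database
    # get a TLS-level rejection before any IPA authentication is attempted.
    NSSVerifyClient require
</Location>

# /ipa/json, /ipa/xml and /ipa/session/json are intentionally not covered,
# so Kerberos-authenticated CLI and enrollment traffic keeps working.
```

After reloading httpd, confirm from an enrolled client that `ipa user-show <user>` succeeds again and that a browser without a certificate cannot load /ipa/ui. Note the caveat: this only gates the UI's static content. The JSON-RPC and session login endpoints under /ipa/session/ remain reachable, and they must, because the thread establishes that neither the `ipa` utility nor the enrollment tools can present a certificate; the exposure of port 443 is reduced, not removed.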