Edward Valley via FreeIPA-users wrote: > You're right, that's one of the options I've considered and tested, but > going that way I need to setup several things, use a PAC file in order > to Firefox and Chrome to work, take into account mobile versions too, > configure browsers to trust the proxy's certificate, optionally install > a client certificate in browsers (which firefox for Android can't do) > and have the proxy to verify it, among other things that would require a > PKI infrastructure that I'm not willing to deploy (for now). Trust me, I > went through all of this, and it is secure enough, but it has a few > pitfalls that right now (without coding) there is no way to solve. But, > don't you think kerberos authentication is a simpler and secure enough > approach? For now, I'm just trying to migrate to FreeIPA (because it fit > my needs and I think it's a better and tightly integrated solution) an > existing OpenLDAP backend, which already have the required hashes and > the automated way for generating it every time users change their > passwords. Thank you very much for your time.
To do this you'd need to write a 389-ds plugin to intercept the password change and write out the hash. You could probably extend the ipa-pwd-extop plugin to do this as we do something similar to keep the userPassword and kerberos credentials in sync. You just need to be sensitive to security issues here. Passwords are available in the clear only in this plugin so any mistake could potentially expose them. rob > > 09:48, March 4, 2019, "Alexander Bokovoy via FreeIPA-users" > <[email protected]>: > > On ma, 04 maalis 2019, Edward Valley via FreeIPA-users wrote: > > Thanks for your answer. Doing it the way you propose, squid uses > basic > authentication, which exposes user names and passwords in the > network > because of the simple base64 encoding. > > Just set up your clients to use HTTPS proxy connection in the browser. > > > https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection > talks about it. Both Chrome-based browsers and Firefox do work just fine > with HTTPS connection to the proxy for years now. > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > <mailto:[email protected]> > To unsubscribe send an email to > [email protected] > <mailto:[email protected]> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > > https://lists.fedorahosted.org/archives/list/[email protected] > > > > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
