Dmitri Pal wrote:
> On 03/10/2015 10:22 AM, Rob Crittenden wrote:
>> K SHK wrote:
>>> hi,
>>> My hortonworks hadoop cluster is keberized with FreeIPA and works
>>> splendid :)
>>> I want to clarify if SSL authentication with out a login/password will
>>> work against FreeIPA...
>>> ie. client connects to apache webserver over SSL, and sets in
>>> username via
>>> and the webserver will get the valid ticket from freeIPA...
>>> any idea what type of certificate and apache modules will be needed to
>>> accomplish this?
>> IPA doesn't support user SSL certificates at the moment, so that's the
>> first hurdle. It is being worked on for 4.2. You'd need to include the
>> PKINIT EKU in the client cert, something that should be configurable
>> when the work is done.
>> The second problem is that the IPA PKINIT configuration is rather
>> incomplete at the moment. I'm not sure if it is sufficient in it's
>> current state, even with properly formatted certificates.
>> And even further, I"m not familiar enough with PKINIT to know whether a
>> web-based SSL authentication is enough to get a ticket.
>> rob
> I think it is but the biggest problem is remapping the identities from
> the cert to users in identity system - IPA in this case.
> I will file a ticket.

IIRC with PKINIT the principal is encoded in the certificate so no
mapping is required.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to