Dmitri Pal wrote:
> On 03/10/2015 10:22 AM, Rob Crittenden wrote:
>> K SHK wrote:
>>> hi,
>>>
>>> My hortonworks hadoop cluster is keberized with FreeIPA and works
>>> splendid :)
>>>
>>> I want to clarify if SSL authentication with out a login/password will
>>> work against FreeIPA...
>>>
>>> ie. client connects to apache webserver over SSL, and sets in
>>> username via
>>>
>>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
>>>
>>> and the webserver will get the valid ticket from freeIPA...
>>>
>>> any idea what type of certificate and apache modules will be needed to
>>> accomplish this?
>> IPA doesn't support user SSL certificates at the moment, so that's the
>> first hurdle. It is being worked on for 4.2. You'd need to include the
>> PKINIT EKU in the client cert, something that should be configurable
>> when the work is done.
>>
>> The second problem is that the IPA PKINIT configuration is rather
>> incomplete at the moment. I'm not sure if it is sufficient in its
>> current state, even with properly formatted certificates.
>>
>> And even further, I'm not familiar enough with PKINIT to know whether a
>> web-based SSL authentication is enough to get a ticket.
>>
>> rob
>>
> I think it is but the biggest problem is remapping the identities from
> the cert to users in identity system - IPA in this case.
> I will file a ticket.
> https://fedorahosted.org/freeipa/ticket/4942
> 

IIRC with PKINIT the principal is encoded in the certificate so no
mapping is required.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
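Added worked example (not from the thread, and not FreeIPA or MIT Kerberos code) of the point discussed above: in RFC 4556 PKINIT the client certificate carries the Kerberos principal itself, as a DER-encoded KRB5PrincipalName inside a subjectAltName otherName of type id-pkinit-san (1.3.6.1.5.2.2), and must carry the id-pkinit-KPClientAuth EKU (1.3.6.1.5.2.3.4). The code encodes and decodes that structure with nothing but the standard library and then models the KDC-side check on a constructed `CertView` record standing in for a parsed X.509 certificate; the OIDs and ASN.1 layout are from RFC 4556 and RFC 4120, everything else (function names, the `CertView` type, the sample realm and users) is assumed for the example.

```python
"""PKINIT id-pkinit-san handling, pure standard library (example code, see lead-in)."""
from __future__ import annotations

from dataclasses import dataclass

# RFC 4556 object identifiers (dotted strings; matching here is by string).
ID_PKINIT_SAN = "1.3.6.1.5.2.2"               # otherName type-id carrying KRB5PrincipalName
ID_PKINIT_KP_CLIENT_AUTH = "1.3.6.1.5.2.3.4"  # EKU required on a PKINIT client certificate
ID_PKINIT_KP_KDC = "1.3.6.1.5.2.3.5"          # EKU required on the KDC's own certificate
NT_PRINCIPAL = 1                              # RFC 4120 name-type for an ordinary principal

# Universal DER tags used by the Kerberos ASN.1 module (KerberosString is GeneralString).
TAG_INTEGER, TAG_SEQUENCE, TAG_GENERAL_STRING = 0x02, 0x30, 0x1B


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with minimal definite-length encoding."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _explicit(n: int, body: bytes) -> bytes:
    """Context-specific constructed tag [n]; Kerberos ASN.1 tags every field EXPLICIT."""
    return _tlv(0xA0 | n, body)


def _der_int(v: int) -> bytes:
    """Non-negative INTEGER, padded so the sign bit is never set."""
    return _tlv(TAG_INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def encode_krb5_principal_name(realm: str, components: list[str],
                               name_type: int = NT_PRINCIPAL) -> bytes:
    """
    KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    This is the value the issuing CA places in the id-pkinit-san otherName.
    """
    name_string = _tlv(TAG_SEQUENCE, b"".join(
        _tlv(TAG_GENERAL_STRING, c.encode("ascii")) for c in components))
    principal_name = _tlv(TAG_SEQUENCE,
                          _explicit(0, _der_int(name_type)) + _explicit(1, name_string))
    return _tlv(TAG_SEQUENCE,
                _explicit(0, _tlv(TAG_GENERAL_STRING, realm.encode("ascii")))
                + _explicit(1, principal_name))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one TLV at pos; rejects indefinite lengths and truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        n = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        n = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + n > len(buf):
        raise ValueError("truncated DER body")
    return tag, buf[pos:pos + n], pos + n


def _expect(buf: bytes, pos: int, tag: int) -> tuple[bytes, int]:
    """Read a TLV and insist on a specific tag: strict parsing, nothing skipped."""
    got, body, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#04x}, got {got:#04x}")
    return body, nxt


def decode_krb5_principal_name(der: bytes) -> tuple[str, list[str], int]:
    """Inverse of encode_krb5_principal_name; returns (realm, components, name_type)."""
    outer, end = _expect(der, 0, TAG_SEQUENCE)
    if end != len(der):
        raise ValueError("trailing bytes after KRB5PrincipalName")
    realm_wrap, pos = _expect(outer, 0, 0xA0)
    realm, _ = _expect(realm_wrap, 0, TAG_GENERAL_STRING)
    pn_wrap, pos = _expect(outer, pos, 0xA1)
    if pos != len(outer):
        raise ValueError("unexpected extra fields in KRB5PrincipalName")
    pn, _ = _expect(pn_wrap, 0, TAG_SEQUENCE)
    nt_wrap, pos = _expect(pn, 0, 0xA0)
    nt, _ = _expect(nt_wrap, 0, TAG_INTEGER)
    ns_wrap, _ = _expect(pn, pos, 0xA1)
    ns, _ = _expect(ns_wrap, 0, TAG_SEQUENCE)
    components, p = [], 0
    while p < len(ns):
        comp, p = _expect(ns, p, TAG_GENERAL_STRING)
        components.append(comp.decode("ascii"))
    return realm.decode("ascii"), components, int.from_bytes(nt, "big", signed=True)


@dataclass
class CertView:
    """Constructed stand-in for a parsed certificate: only the fields a PKINIT KDC inspects."""
    eku: list[str]                         # extendedKeyUsage OIDs
    other_names: list[tuple[str, bytes]]   # subjectAltName otherName entries (type-id, DER value)


def pkinit_client_principal(cert: CertView, requested: str) -> str:
    """
    Model of the KDC check on a PA-PK-AS-REQ: the certificate must carry the client-auth EKU
    and exactly one id-pkinit-san whose principal equals the cname@realm the AS-REQ asked for.
    Returns that principal; raises ValueError on any mismatch, so no directory mapping is consulted.
    """
    if ID_PKINIT_KP_CLIENT_AUTH not in cert.eku:
        raise ValueError("certificate lacks id-pkinit-KPClientAuth EKU")
    sans = [der for oid, der in cert.other_names if oid == ID_PKINIT_SAN]
    if len(sans) != 1:
        raise ValueError(f"expected exactly one id-pkinit-san, found {len(sans)}")
    realm, components, name_type = decode_krb5_principal_name(sans[0])
    if name_type != NT_PRINCIPAL:
        raise ValueError(f"unexpected name-type {name_type}")
    principal = "/".join(components) + "@" + realm
    if principal != requested:
        raise ValueError(f"certificate names {principal}, request was for {requested}")
    return principal


if __name__ == "__main__":
    san = encode_krb5_principal_name("EXAMPLE.COM", ["alice"])   # sample realm/user, constructed
    cert = CertView(eku=[ID_PKINIT_KP_CLIENT_AUTH], other_names=[(ID_PKINIT_SAN, san)])
    print(san.hex(), pkinit_client_principal(cert, "alice@EXAMPLE.COM"))
```

The strict, tag-by-tag decoder is deliberate: the SAN is attacker-supplied input to the KDC until the certificate chain has been verified, and a lenient parser that skipped unknown fields or accepted indefinite lengths would be the wrong tool there. Note also that this models only the id-pkinit-san path Rob describes; RFC 4556 additionally allows a KDC to map a certificate to a principal by other means when that SAN is absent, which is the mapping question Dmitri raises.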
