Re: [Freeipa-users] freeIPA SSL authentication

Tue, 10 Mar 2015 12:15:50 -0700 

On 03/10/2015 01:19 PM, Rob Crittenden wrote:

Dmitri Pal wrote:

On 03/10/2015 10:22 AM, Rob Crittenden wrote:

K SHK wrote:

hi,

My hortonworks hadoop cluster is keberized with FreeIPA and works
splendid :)

I want to clarify if SSL authentication with out a login/password will
work against FreeIPA...

ie. client connects to apache webserver over SSL, and sets in
username via

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

and the webserver will get the valid ticket from freeIPA...

any idea what type of certificate and apache modules will be needed to
accomplish this?

IPA doesn't support user SSL certificates at the moment, so that's the
first hurdle. It is being worked on for 4.2. You'd need to include the
PKINIT EKU in the client cert, something that should be configurable
when the work is done.

The second problem is that the IPA PKINIT configuration is rather
incomplete at the moment. I'm not sure if it is sufficient in it's
current state, even with properly formatted certificates.

And even further, I"m not familiar enough with PKINIT to know whether a
web-based SSL authentication is enough to get a ticket.

rob


I think it is but the biggest problem is remapping the identities from
the cert to users in identity system - IPA in this case.
I will file a ticket.
https://fedorahosted.org/freeipa/ticket/4942


IIRC with PKINIT the principal is encoded in the certificate so no
mapping is required.

rob

There are several use cases here:
- do PKINIT on the client and then use ST to connect to IPA UI - this is already planned 
- use certificate auth via mod_nss directly to IPA.
The challenge would be to deal with the case when there is no principal (or other good identifier) in the cert and you have to remap. Unfortunately we can't guarantee that principal is in the cert. Some known entities that we need to work with do not have the principal in the cert. 

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to