thanks Dmitri,

I am now testing two-way SSL auth to a Apache webserver using
auth_kerb_module which authenticates to IPA, idea is that it will reverse
proxy to another server which is under IPA domain.
I will try out mod_nss and later PKINIT.


thanks for the reply.

-KSHK

On Tue, Mar 10, 2015 at 7:10 PM, Dmitri Pal <d...@redhat.com> wrote:

> On 03/10/2015 01:19 PM, Rob Crittenden wrote:
>
>> Dmitri Pal wrote:
>>
>>> On 03/10/2015 10:22 AM, Rob Crittenden wrote:
>>>
>>>> K SHK wrote:
>>>>
>>>>> hi,
>>>>>
>>>>> My hortonworks hadoop cluster is keberized with FreeIPA and works
>>>>> splendid :)
>>>>>
>>>>> I want to clarify if SSL authentication with out a login/password will
>>>>> work against FreeIPA...
>>>>>
>>>>> ie. client connects to apache webserver over SSL, and sets in
>>>>> username via
>>>>>
>>>>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
>>>>>
>>>>> and the webserver will get the valid ticket from freeIPA...
>>>>>
>>>>> any idea what type of certificate and apache modules will be needed to
>>>>> accomplish this?
>>>>>
>>>> IPA doesn't support user SSL certificates at the moment, so that's the
>>>> first hurdle. It is being worked on for 4.2. You'd need to include the
>>>> PKINIT EKU in the client cert, something that should be configurable
>>>> when the work is done.
>>>>
>>>> The second problem is that the IPA PKINIT configuration is rather
>>>> incomplete at the moment. I'm not sure if it is sufficient in it's
>>>> current state, even with properly formatted certificates.
>>>>
>>>> And even further, I"m not familiar enough with PKINIT to know whether a
>>>> web-based SSL authentication is enough to get a ticket.
>>>>
>>>> rob
>>>>
>>>>  I think it is but the biggest problem is remapping the identities from
>>> the cert to users in identity system - IPA in this case.
>>> I will file a ticket.
>>> https://fedorahosted.org/freeipa/ticket/4942
>>>
>>>  IIRC with PKINIT the principal is encoded in the certificate so no
>> mapping is required.
>>
>> rob
>>
> There are several use cases here:
> - do PKINIT on the client and then use ST to connect to IPA UI - this is
> already planned
> - use certificate auth via mod_nss directly to IPA.
>
> The challenge would be to deal with the case when there is no principal
> (or other good identifier) in the cert and you have to remap.
> Unfortunately we can't guarantee that principal is in the cert. Some known
> entities that we need to work with do not have the principal in the cert.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to