Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Tibor Dudlak
On Wed, Aug 17, 2016 at 3:36 PM, Stanislav Laznicka 
wrote:

> On 08/16/2016 03:16 PM, Tibor Dudlak wrote:
>
> Hi,
>
> I have edited this patch after review. It should be okay now.
>
> Thank you.
>
> On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik 
> wrote:
>
>> On 08/11/2016 07:21 PM, Martin Basti wrote:
>> >
>> >
>> > On 11.08.2016 18:57, Pavel Vomacka wrote:
>> >>
>> >>
>> >> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>> >>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>> >>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>> >>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>> >>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>> >>>>>>> Got it. One thing I would correct, though, -- don't use
>> >>>>>>> kadmin.local, we
>> >>>>>>> do support setting ok_as_delegate on the service principals via
>> IPA
>> >>>>>>> CLI:
>> >>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>> >>>>>>> --ok-as-delegate=BOOL
>> >>>>>>>Client credentials may be delegated to the
>> >>>>>>> service
>> >>>>>> I've tried
>> >>>>>>
>> >>>>>>  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>> >>>>>>
>> >>>>>> but that does not seem to have the same effect as
>> >>>>>>
>> >>>>>>  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>> >>>>>>
>> >>>>>> -- obtaining the delegated certificated fails.
>> >>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are
>> different
>> >>>>> flags.
>> >>>> Right. The following patch adds ok_to_auth_as_delegate to the service
>> >>>> principal.
>> >>>>
>> >>>> I haven't added any tickets to it yet.
>> >>>>
>> >>>>
>> >>> This might deserve also nice Web UI checkbox similar to "Trusted for
>> >>> delegation". CCing Pavel.
>> >>>
>> >> Here is patch with new checkbox. It is without ticket in commit
>> message so
>> >> once we will have the ticket I will send another patch with updated
>> commit
>> >> message.
>> >
>> > https://fedorahosted.org/freeipa/newticket
>> >
>> > ;-)
>>
>> It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
>> might use that.
>>
>>
> Please, add your answers at the end of the previous mail in the future.
>
> Also, your patch raises pep8 errors:
> ./ipaserver/plugins/xmlserver.py:31:80: E501 line too long (189 > 79
> characters)
> ./ipaserver/rpcserver.py:885:5: E113 unexpected indentation
>
> Could you please fix them?
>

Hi,

thanks for the review, Stanislav. I understand ./ipaserver/rpcserver.py:885:5:
E113 unexpected indentation, that is my fault, but I really do not understand
the first one. Is there a policy that you decided not to patch existing files,
even if there was obviously a longer line before the patch, unless it is
necessary?
Anyway, I hope it should be ok now.

Thank you.

-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
From 259686e660d2efca1e6ce3153b6fcf4926df127b Mon Sep 17 00:00:00 2001
From: Tiboris 
Date: Tue, 16 Aug 2016 14:13:29 +0200
Subject: [PATCH] Added new authentication method

Addressing ticket https://fedorahosted.org/freeipa/ticket/5764
---
 ipaserver/plugins/xmlserver.py |  5 -
 ipaserver/rpcserver.py | 17 +
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index d8fe24e0cb407603e9898e934229c9373f3c8b62..8be3bd930c18bc602c413aa34d1f766ead59fdc8 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -28,12 +28,15 @@ register = Registry()
 
 
 if api.env.context in ('server', 'lite'):
-from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session
+from ipaserver.rpcserver import (wsgi_dispatch, xmlserver, jsonserver_kerb,
+jsonserver_session, login_kerberos, login_x509, login_password,
+change_password, sync_token, xmlserver_session)
 register()(wsgi_dispatch)
 register
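Review bot: the parenthesised import that replaces the 189-character line addresses the E501 that Stanislav reported, but the archived copy has stripped the indentation of the two continuation lines, so whether they carry the hanging indent pep8 expects (E128 otherwise) cannot be checked here; the hunk is also cut off after `register`, so the `register()(login_x509)` line that the earlier revisions add is not visible in this copy and should be confirmed against the full patch.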

Re: [Freeipa-devel] [PATCH] 0004 Added support for authentication with user certificate

2016-08-16 Thread Tibor Dudlak
Hi,

I have done the python part, you can find it in the original thread as you
suggested.

Thank you.

On Tue, Aug 16, 2016 at 12:42 PM, Petr Vobornik  wrote:

> On 08/16/2016 10:17 AM, Jan Cholasta wrote:
> > On 12.8.2016 15:02, Petr Vobornik wrote:
> >> On 08/12/2016 02:54 PM, Tibor Dudlak wrote:
> >>> Hi,
> >>>
> >>> I have edited my previous patch.
> >>>
> >>> On Thu, Aug 11, 2016 at 11:52 AM, Jan Cholasta  >>> <mailto:jchol...@redhat.com>> wrote:
> >>>
> >>> Hi,
> >>>
> >>> On 11.8.2016 09:55, Tibor Dudlak wrote:
> >>>
> >>> Hi,
> >>>
> >>> ...
> >>>
> >>>
> >>> +class login_x509(login_kerberos, KerberosSession, HTTP_Status):
> >>> +key = '/session/login_x509'
> >>>
> >>> login_kerberos already subclasses KerberosSession and
> >>> HTTP_Status, no need
> >>> to do it again here. In fact, it would be best to split off the
> >>> business
> >>> logic from login_kerberos into a separate class and inherit both
> >>> login_kerberos and login_x509 from it:
> >>>
> >>>  class KerberosLogin(Backend, KerberosSession, HTTP_Status):
> >>>  def _on_finalize(self):
> >>>  ...
> >>>
> >>>  def __call__(self, ...):
> >>>  ...
> >>>
> >>>  class login_kerberos(KerberosLogin):
> >>>  key = '/session/login_kerberos'
> >>>
> >>>  class login_x509(KerberosLogin):
> >>>  key = '/session/login_x509'
> >>>
> >>> Honza
> >>>
> >>> --
> >>> Jan Cholasta
> >>>
> >>>
> >>> Thank jcholast for review, it should be all right now.
> >>>
> >>> --
> >>> Tibor Dudlák
> >>> Intern - Identity management Special Projects
> >>> Red Hat
> >>>
> >>
> >> Tibor, please reuse the original thread and patch number in each patch
> >> iteration. But append new patch version. E.g.
> >> freeipa-ddudla-0003-2-Added...
> >>
> >> Starting new thread for each patch revision makes it hard to track.
> >
> > +1
> >
> > As far as the patch is concerned, LGTM.
> >
>
> Anyway, I'd split the patch into two pieces:
>
> 1. the python part
> 2. the webui plugin + related conf
>
> Reason: there is a wide agreement that #1 will be push. It's not about #2.
>
> --
> Petr Vobornik
>



-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-16 Thread Tibor Dudlak
Hi,

I have edited this patch after review. It should be okay now.

Thank you.

On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik  wrote:

> On 08/11/2016 07:21 PM, Martin Basti wrote:
> >
> >
> > On 11.08.2016 18:57, Pavel Vomacka wrote:
> >>
> >>
> >> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
> >>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>  On Thu, 11 Aug 2016, Jan Cholasta wrote:
> > On 4.8.2016 17:27, Jan Pazdziora wrote:
> >> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
> >>> Got it. One thing I would correct, though, -- don't use
> >>> kadmin.local, we
> >>> do support setting ok_as_delegate on the service principals via IPA
> >>> CLI:
> >>> $ ipa service-mod --help |grep -A1 ok-as-delegate
> >>> --ok-as-delegate=BOOL
> >>>Client credentials may be delegated to the
> >>> service
> >> I've tried
> >>
> >>  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
> >>
> >> but that does not seem to have the same effect as
> >>
> >>  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
> >>
> >> -- obtaining the delegated certificated fails.
> > That's because ok_as_delegate and ok_to_auth_as_delegate are
> different
> > flags.
>  Right. The following patch adds ok_to_auth_as_delegate to the service
>  principal.
> 
>  I haven't added any tickets to it yet.
> 
> 
> >>> This might deserve also nice Web UI checkbox similar to "Trusted for
> >>> delegation". CCing Pavel.
> >>>
> >> Here is patch with new checkbox. It is without ticket in commit message
> so
> >> once we will have the ticket I will send another patch with updated
> commit
> >> message.
> >
> > https://fedorahosted.org/freeipa/newticket
> >
> > ;-)
>
> It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
> might use that.
> >
> >>
> >>
> >>
> >
> >
> >
>
>
> --
> Petr Vobornik
>
>



-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
From 9c6c302c8ae2a5108d7ccfe98520c43926fd75bf Mon Sep 17 00:00:00 2001
From: Tiboris 
Date: Tue, 16 Aug 2016 14:13:29 +0200
Subject: [PATCH] Added new authentication method

Addressing ticket https://fedorahosted.org/freeipa/ticket/5764
---
 ipaserver/plugins/xmlserver.py |  3 ++-
 ipaserver/rpcserver.py | 17 +
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index d8fe24e0cb407603e9898e934229c9373f3c8b62..1843c0568543951f2c817616d9e988deaab47056 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -28,12 +28,13 @@ register = Registry()
 
 
 if api.env.context in ('server', 'lite'):
-from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session
+from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_x509, login_password, change_password, sync_token, xmlserver_session
 register()(wsgi_dispatch)
 register()(xmlserver)
 register()(jsonserver_kerb)
 register()(jsonserver_session)
 register()(login_kerberos)
+register()(login_x509)
 register()(login_password)
 register()(change_password)
 register()(sync_token)
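Review bot: the `from ipaserver.rpcserver import ...` line is still one 189-character line after `login_x509` is inserted, which is exactly the E501 that the pep8 run on this revision reports for xmlserver.py:31; since the patch touches the line anyway, wrap the import in parentheses with a few names per line so the touched line conforms, even though the pre-patch line was already over the limit.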
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index d036f3c27521f17709672b830d5aa58167c76b34..b45eb5cca43859f20af9d40a84142cfa42c2caa2 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -857,16 +857,16 @@ class jsonserver_kerb(jsonserver, KerberosWSGIExecutioner):
 key = '/json'
 
 
-class login_kerberos(Backend, KerberosSession, HTTP_Status):
-key = '/session/login_kerberos'
+class KerberosLogin(Backend, KerberosSession, HTTP_Status):
+key = None
 
 def _on_finalize(self):
-super(login_kerberos, self)._on_finalize()
+super(KerberosLogin, self)._on_finalize()
 self.api.Backend.wsgi_dispatch.mount(self, self.key)
 self.kerb_session_on_finalize()
 
 def __call__(self, environ, start_response):
-self.debug('WSGI login_kerberos.__call__:')
+self.debug('WSGI KerberosLogin.__call__:')
 
 # Get the ccache created by mod_auth_gssapi
 user_ccache_name=environ.get('KRB5CCNAME')
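Review bot: `key = None` on `KerberosLogin` works as an abstract marker, but `_on_finalize` would then call `self.api.Backend.wsgi_dispatch.mount(self, None)` if the base class were ever registered; add a guard (raise or `assert self.key is not None`) before the mount. The renamed debug line `self.debug('WSGI KerberosLogin.__call__:')` also no longer tells the two endpoints apart; including `self.__class__.__name__` or `self.key` in the message keeps the log useful.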
@@ -876,6 +876,15 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
 
 return self.finalize_kerberos_acquisition('login_kerberos', user_ccache_name, environ, start_response)
 
+
+class login_kerberos(KerberosLogin):
+key = '/session/login_kerberos'
+
+
+class login_x509(KerberosLogin)
+key = '/session/login_x509'
+
+
 class login_password(Backend, Kerberos
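Review bot: `class login_x509(KerberosLogin)` lacks the trailing colon, which is a syntax error; that is what the pep8 run reports as E113 unexpected indentation at rpcserver.py:885, because the indented `key = '/session/login_x509'` follows a line that did not open a block. In the unchanged context just above, `self.finalize_kerberos_acquisition('login_kerberos', ...)` still passes the literal `'login_kerberos'` for both subclasses, so the x509 endpoint is finalized under the other endpoint's name; derive it from `self.key` or the class name instead.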

[Freeipa-devel] [PATCH] 0004 Added support for authentication with user certificate

2016-08-12 Thread Tibor Dudlak
Hi,

I have edited my previous patch.

On Thu, Aug 11, 2016 at 11:52 AM, Jan Cholasta  wrote:

> Hi,
>
> On 11.8.2016 09:55, Tibor Dudlak wrote:
>
>> Hi,
>>
>> ...
>>
>
> +class login_x509(login_kerberos, KerberosSession, HTTP_Status):
> +key = '/session/login_x509'
>
> login_kerberos already subclasses KerberosSession and HTTP_Status, no need
> to do it again here. In fact, it would be best to split off the business
> logic from login_kerberos into a separate class and inherit both
> login_kerberos and login_x509 from it:
>
> class KerberosLogin(Backend, KerberosSession, HTTP_Status):
> def _on_finalize(self):
> ...
>
> def __call__(self, ...):
> ...
>
> class login_kerberos(KerberosLogin):
> key = '/session/login_kerberos'
>
> class login_x509(KerberosLogin):
> key = '/session/login_x509'
>
> Honza
>
> --
> Jan Cholasta
>

Thank jcholast for review, it should be all right now.

-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
From b84deeffe5ec7e5565817feffc69768aea345592 Mon Sep 17 00:00:00 2001
From: Tiboris 
Date: Fri, 5 Aug 2016 11:47:06 +0200
Subject: [PATCH] Added support for authentication with user certificate

https://fedorahosted.org/freeipa/ticket/5764
---
 freeipa.spec.in|   8 +
 install/conf/Makefile.am   |   1 +
 install/conf/xx-ipa-cert-auth.conf |  14 ++
 .../freeipa/plugins-dist/cert_auth/cert_auth.js| 169 +
 ipaserver/plugins/xmlserver.py |   3 +-
 ipaserver/rpcserver.py |  17 ++-
 6 files changed, 207 insertions(+), 5 deletions(-)
 create mode 100644 install/conf/xx-ipa-cert-auth.conf
 create mode 100644 install/ui/src/freeipa/plugins-dist/cert_auth/cert_auth.js

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 135e9c980011c6c2730c6c29a3c22098e48270d5..19828bc84f1f1d13d4bb0e08a4749da626e9dbb3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -818,6 +818,10 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 # Web UI plugin dir
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
 
+# Experimental external authentication UI plugin - moved into plugins-dist to be disabled by default
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+install install/ui/src/freeipa/plugins-dist/cert_auth/cert_auth.js %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
+
 # DNSSEC config
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
 
@@ -1210,6 +1214,9 @@ fi
 %{_usr}/share/ipa/ui/js/freeipa/app.js
 %{_usr}/share/ipa/ui/js/freeipa/core.js
 %dir %{_usr}/share/ipa/ui/js/plugins
+%dir %{_usr}/share/ipa/ui/js/plugins-dist
+%dir %{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
 %dir %{_usr}/share/ipa/ui/images
 %{_usr}/share/ipa/ui/images/*.jpg
 %{_usr}/share/ipa/ui/images/*.png
@@ -1232,6 +1239,7 @@ fi
 %{_usr}/share/ipa/ipa-rewrite.conf
 %{_usr}/share/ipa/ipa-pki-proxy.conf
 %{_usr}/share/ipa/kdcproxy.conf
+%{_usr}/share/ipa/xx-ipa-cert-auth.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
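Review bot: this only packages `xx-ipa-cert-auth.conf` under `%{_usr}/share/ipa/`; nothing in the patch copies it into Apache's configuration. That matches the "not configured by default" intent stated in the thread, but it should be said in the spec comment or commit message so packagers do not expect the certificate login endpoint to be live after installation.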
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index 5daac776f71c5d01187b46d51044a07bf5fd717a..2e6fbb84902c843fa6e43a96191d5cc58a1213c1 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -6,6 +6,7 @@ app_DATA =  \
 	ipa-kdc-proxy.conf.template	\
 	ipa-pki-proxy.conf		\
 	ipa-rewrite.conf		\
+	xx-ipa-cert-auth.conf		\
 	$(NULL)
 
 EXTRA_DIST =\
diff --git a/install/conf/xx-ipa-cert-auth.conf b/install/conf/xx-ipa-cert-auth.conf
new file mode 100644
index ..824d33113446176c0d1a9f6c99e95aa48a7a99c9
--- /dev/null
+++ b/install/conf/xx-ipa-cert-auth.conf
@@ -0,0 +1,14 @@
+# Login with user certificate/smartcard configuration
+# This configuration needs to be loaded after 
+
+  AuthType none
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+  GssapiImpersonate On
+  NSSVerifyClient require
+  NSSUserName SSL_CLIENT_CERT
+  LookupUserByCertificate On
+  WSGIProcessGroup ipa
+  WSGIApplicationGroup ipa
+
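Review bot: the `<Location ...>` opening and closing lines of this block are missing from the archived copy (angle-bracketed text was stripped), and the comment `This configuration needs to be loaded after` is cut off at the same point, so neither the path the block protects nor the file it must follow can be reviewed here; spell both out in the comment, including that the `xx-` prefix is what makes the file sort after the one it depends on in conf.d. It is also worth a comment that with `AuthType none` the only authentication on this path is `NSSVerifyClient require` plus the certificate-to-user mapping behind `LookupUserByCertificate On`, which is why the block must only be enabled where those prerequisites are in place.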
diff --git a/install/ui/src/freeipa/plugins-dist/cert_auth/cert_auth.js b/install/ui/src/freeipa/plugins-dist/cert_auth/cert_auth.js
new file mode 100644
index ..7dd0c17c83ab34f0c8dc37c789f202ce42d52f52
--- /dev/null
+++ b/install/ui/src/freeipa/plugin
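The KerberosLogin split that Jan Cholasta proposes above (and that v2 of patch 0001 in this thread implements), reduced to a self-contained WSGI sketch so the class hierarchy can be run offline. This is an added example, not FreeIPA's code: `Dispatcher`, the `finalize` method and the constructed `environ` are simplified stand-ins for `wsgi_dispatch`, `finalize_kerberos_acquisition` and the environment mod_auth_gssapi sets. It also shows two things the patch leaves open: a guard so the abstract base with `key = None` cannot be mounted, and deriving the endpoint name from the subclass instead of the hard-coded `'login_kerberos'`.

```python
"""Added example: shared Kerberos-login logic with a per-endpoint mount key.

Everything here is a stand-in for ipaserver.rpcserver (assumption, not the
project's code): Dispatcher ~ wsgi_dispatch, finalize ~
finalize_kerberos_acquisition, and the environ is constructed by hand.
"""


class Dispatcher:
    """Stand-in for wsgi_dispatch: maps a URL path to a mounted handler."""

    def __init__(self):
        self.routes = {}

    def mount(self, app, key):
        if key in self.routes:
            raise ValueError("duplicate mount point %r" % key)
        self.routes[key] = app

    def __call__(self, environ, start_response):
        app = self.routes.get(environ.get("PATH_INFO"))
        if app is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        return app(environ, start_response)


class KerberosLogin:
    """Business logic shared by login_kerberos and login_x509.

    `key` is None on the base class: only concrete subclasses may be mounted.
    """

    key = None

    def __init__(self, dispatcher):
        self.dispatcher = dispatcher

    def _on_finalize(self):
        # Guard the abstract base: mounting it would register None as a route.
        if self.key is None:
            raise TypeError("%s must define a mount key" % type(self).__name__)
        self.dispatcher.mount(self, self.key)

    def __call__(self, environ, start_response):
        # The ccache is created by mod_auth_gssapi (Kerberos) or, on the x509
        # endpoint, by GssapiImpersonate after client-certificate verification;
        # either way the WSGI application only ever sees KRB5CCNAME.
        ccache = environ.get("KRB5CCNAME")
        if not ccache:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"no credential cache"]
        # Pass the subclass name, not a hard-coded 'login_kerberos'.
        return self.finalize(type(self).__name__, ccache, start_response)

    def finalize(self, endpoint, ccache, start_response):
        # Stand-in for finalize_kerberos_acquisition(): echo which endpoint
        # accepted the credential cache.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [("%s accepted ccache %s" % (endpoint, ccache)).encode()]


class login_kerberos(KerberosLogin):
    key = "/session/login_kerberos"


class login_x509(KerberosLogin):
    key = "/session/login_x509"


def build_app():
    """Register both concrete endpoints on one dispatcher, as xmlserver.py does."""
    dispatcher = Dispatcher()
    for cls in (login_kerberos, login_x509):
        cls(dispatcher)._on_finalize()
    return dispatcher


def call(app, path, ccache=None):
    """Drive the WSGI app with a constructed environ; return (status, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if ccache is not None:
        environ["KRB5CCNAME"] = ccache  # constructed sample value
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    app = build_app()
    print(call(app, "/session/login_x509", "FILE:/tmp/krb5cc_x509"))
    print(call(app, "/session/login_kerberos"))
```

The guard in `_on_finalize` is the one behavioural addition over the patch: with `key = None` on the base class, an accidental `register()(KerberosLogin)` would otherwise mount a `None` route instead of failing at start-up.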

Re: [Freeipa-devel] [PATCH] 0003 Added support for authentication with user certificate

2016-08-11 Thread Tibor Dudlak
Hi,

I think this patch is finished. If it does not suit you and it will not be
merged, please consider merging PATCH 0001 from
http://www.redhat.com/archives/freeipa-devel/2016-August/msg9.html at
least.

Thank you

On Wed, Aug 10, 2016 at 10:17 AM, Tibor Dudlak  wrote:

> Hi,
>
> I have improved my previous patch for authentication with user
> certificate/smartcard.
> This patch includes patches and plugin and apache configuration described
> here: http://www.freeipa.org/page/V4/External_Authentication/Setup
> It also contains steps to configure and test this feature. Once this patch
> is merged and released I will simplify this page to not confuse customers.
>
> On Fri, Aug 5, 2016 at 3:58 PM, Petr Vobornik  wrote:
>
>> On 08/05/2016 02:57 PM, Tibor Dudlak wrote:
>> >...
>>
>> Let's assume that we will go with this approach and not separate RPM.
>>
>> 1. ipa.conf version needs to be bumped
>>
>
> We have found another problem with ipa.conf approach so I have moved
> configuration of apache for plugin from ipa.conf into completely separated
> file to be not configured in FreeIPA by default. As you said it may cause
> some security issues and it definitely causes errors when plugin
> dependences are not installed nor configured.
>
> 2. Do not put the web ui plugin in src/freeipa/plugins dir. That is a
>> dir for core UI plugins. This one is sort of hybrid - basically a third
>> party plugin added to core package  but enabled as third party because
>> the feature is experimental.
>>
>> Create rather a new dir for that. E.g. plugins.d as Alexander suggested
>> ->  freeipa/install/ui/src/plugins.d/cert_auth/cert_auth.js
>>
>> 3. unrelated and "alternative solution"  comments needs to be removed
>> from the UI plugin. They were added to the example plugin
>> https://pvoborni.fedorapeople.org/plugins/loginauth/loginauth.js mostly
>> to help you with the development.
>>
>> 4. Add comment to freeipa.spec.in describing what the plugin is and why
>> it is put there this way.
>>
>> 5. The plugin itself deserves better description as well. Right now
>> there is the general description.
>>
>> 6. I have not tried it, but make sure that it passes jslint (`jsl -conf
>> jsl.conf`) Easiest may be to use temp(i.e. do not include it here)
>> jsl.conf e.g.: https://pvoborni.fedorapeople.
>> org/plugins/loginauth/jsl.conf
>>
>> --
>> Petr Vobornik
>>
>
> I hope result of jsl http://pastebin.test.redhat.com/400076 means that
> things passed.
> Thanks Petr for review and I hope this patch will cover all concerns he
> had.
>
> Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764
>
> Thank you.
>
> --
> Tibor Dudlák
> Intern - Identity management Special Projects
> Red Hat
>



-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat

[Freeipa-devel] [PATCH] 0003 Added support for authentication with user certificate

2016-08-10 Thread Tibor Dudlak
Hi,

I have improved my previous patch for authentication with user
certificate/smartcard.
This patch includes the patches, the plugin and the Apache configuration described
here: http://www.freeipa.org/page/V4/External_Authentication/Setup
It also contains steps to configure and test this feature. Once this patch
is merged and released I will simplify this page so as not to confuse customers.

On Fri, Aug 5, 2016 at 3:58 PM, Petr Vobornik  wrote:

> On 08/05/2016 02:57 PM, Tibor Dudlak wrote:
> >...
>
> Let's assume that we will go with this approach and not separate RPM.
>
> 1. ipa.conf version needs to be bumped
>

We have found another problem with the ipa.conf approach, so I have moved the
Apache configuration for the plugin from ipa.conf into a completely separate
file so that it is not configured in FreeIPA by default. As you said, it may cause
some security issues and it definitely causes errors when the plugin
dependencies are not installed or configured.

2. Do not put the web ui plugin in src/freeipa/plugins dir. That is a
> dir for core UI plugins. This one is sort of hybrid - basically a third
> party plugin added to core package  but enabled as third party because
> the feature is experimental.
>
> Create rather a new dir for that. E.g. plugins.d as Alexander suggested
> ->  freeipa/install/ui/src/plugins.d/cert_auth/cert_auth.js
>
> 3. unrelated and "alternative solution"  comments needs to be removed
> from the UI plugin. They were added to the example plugin
> https://pvoborni.fedorapeople.org/plugins/loginauth/loginauth.js mostly
> to help you with the development.
>
> 4. Add comment to freeipa.spec.in describing what the plugin is and why
> it is put there this way.
>
> 5. The plugin itself deserves better description as well. Right now
> there is the general description.
>
> 6. I have not tried it, but make sure that it passes jslint (`jsl -conf
> jsl.conf`) Easiest may be to use temp(i.e. do not include it here)
> jsl.conf e.g.: https://pvoborni.fedorapeople.
> org/plugins/loginauth/jsl.conf
>
> --
> Petr Vobornik
>

I hope the result of jsl at http://pastebin.test.redhat.com/400076 means that
things passed.
Thanks Petr for the review; I hope this patch covers all the concerns he
had.

Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764

Thank you.

-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
From 6f5f0632a238182bbd98be9ecd89121a58e1e17a Mon Sep 17 00:00:00 2001
From: Tiboris 
Date: Fri, 5 Aug 2016 11:47:06 +0200
Subject: [PATCH] Added support for authentication with user certificate

https://fedorahosted.org/freeipa/ticket/5764
---
 freeipa.spec.in|   8 +
 install/conf/Makefile.am   |   1 +
 install/conf/xx-ipa-cert-auth.conf |  14 ++
 .../freeipa/plugins-dist/cert_auth/cert_auth.js| 169 +
 ipaserver/plugins/xmlserver.py |   3 +-
 ipaserver/rpcserver.py |   5 +
 6 files changed, 199 insertions(+), 1 deletion(-)
 create mode 100644 install/conf/xx-ipa-cert-auth.conf
 create mode 100644 install/ui/src/freeipa/plugins-dist/cert_auth/cert_auth.js

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 135e9c980011c6c2730c6c29a3c22098e48270d5..19828bc84f1f1d13d4bb0e08a4749da626e9dbb3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -818,6 +818,10 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 # Web UI plugin dir
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
 
+# Experimental external authentication UI plugin - moved into plugins-dist to be disabled by default
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+install install/ui/src/freeipa/plugins-dist/cert_auth/cert_auth.js %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
+
 # DNSSEC config
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
 
@@ -1210,6 +1214,9 @@ fi
 %{_usr}/share/ipa/ui/js/freeipa/app.js
 %{_usr}/share/ipa/ui/js/freeipa/core.js
 %dir %{_usr}/share/ipa/ui/js/plugins
+%dir %{_usr}/share/ipa/ui/js/plugins-dist
+%dir %{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
 %dir %{_usr}/share/ipa/ui/images
 %{_usr}/share/ipa/ui/images/*.jpg
 %{_usr}/share/ipa/ui/images/*.png
@@ -1232,6 +1239,7 @@ fi
 %{_usr}/share/ipa/ipa-rewrite.conf
 %{_usr}/share/ipa/ipa-pki-proxy.conf
 %{_usr}/share/ipa/kdcproxy.conf
+%{_usr}/share/ipa/xx-ipa-cert-auth.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index 5daac776f71c5d01187b46d51044a07bf5fd717a..2e6fbb84902c843fa6e43a96191d5cc58a1213c1 100644
--- a/ins

Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-05 Thread Tibor Dudlak
Hi Alexander,

On Fri, Aug 5, 2016 at 3:19 PM, Alexander Bokovoy 
wrote:

> On Fri, 05 Aug 2016, Tibor Dudlak wrote:
>
>> Hi,
>>
>> I have extended my previous patch for authentication with user
>> certificate/smartcard.
>> ...
>
> Thanks.
>>
>> --
>> Tibor Dudlák
>> Intern - Identity management Special Projects
>> Red Hat
>>
>> Can you rename plugins-dist to something like 'plugins.d'?
> This would be more in line with other parts where multiple additions
> supposed to come and also in line with other projects where a drop-in
> directory is supported.
> --
> / Alexander Bokovoy
>

In our case we need to distribute this plugin in such a way that it is not
enabled by default. In fact something like 'plugins.d' as you wrote already
exists ('/usr/share/ipa/ui/js/plugins/'). The main point of creating this new
directory is to separate this inactive plugin from the plugins located in the
'/usr/share/ipa/ui/js/plugins/' directory, where the active plugins are. Users
can easily enable this plugin, once they desire to, just by creating a
symlink into this 'plugins' directory.

-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat

[Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-05 Thread Tibor Dudlak
Hi,

I have extended my previous patch for authentication with user
certificate/smartcard. This patch includes the patches and the plugin described
here: http://www.freeipa.org/page/V4/External_Authentication/Setup
The page also contains steps to configure and test this feature. Once this
patch is merged and released we will simplify this page so as not to confuse
customers.
Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764

Thanks.

-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
From e22843f6ab1556528b307951fbcc2476a61a417f Mon Sep 17 00:00:00 2001
From: Tiboris 
Date: Fri, 5 Aug 2016 11:47:06 +0200
Subject: [PATCH] Added support for authentication with user certificate

https://fedorahosted.org/freeipa/ticket/5764
---
 freeipa.spec.in |   5 +
 install/conf/ipa.conf   |  14 +++
 install/ui/src/freeipa/plugins/cert_auth.js | 179 
 ipaserver/plugins/xmlserver.py  |   3 +-
 ipaserver/rpcserver.py  |   5 +
 5 files changed, 205 insertions(+), 1 deletion(-)
 create mode 100644 install/ui/src/freeipa/plugins/cert_auth.js

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 135e9c980011c6c2730c6c29a3c22098e48270d5..2b95b83613ca3720c95f255f7f64dc029195452c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -817,6 +817,8 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 
 # Web UI plugin dir
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+install install/ui/src/freeipa/plugins/cert_auth.js %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
 
 # DNSSEC config
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
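Review bot: the source path `install/ui/src/freeipa/plugins/cert_auth.js` places the file among the core UI plugins while it is installed into `plugins-dist/cert_auth/`; keep the source tree and the installed layout consistent (a separate directory for this disabled-by-default plugin, as the reviewers ask), and add a comment here explaining why it is installed outside `plugins`.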
@@ -1210,6 +1212,9 @@ fi
 %{_usr}/share/ipa/ui/js/freeipa/app.js
 %{_usr}/share/ipa/ui/js/freeipa/core.js
 %dir %{_usr}/share/ipa/ui/js/plugins
+%dir %{_usr}/share/ipa/ui/js/plugins-dist
+%dir %{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js
 %dir %{_usr}/share/ipa/ui/images
 %{_usr}/share/ipa/ui/images/*.jpg
 %{_usr}/share/ipa/ui/images/*.png
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 3e7435903b2ad8c4ae5bfc48c0c9fca733757d5d..c37819ff2bd2c045404a383631435ad6c24fdaa3 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -77,6 +77,20 @@ WSGIScriptReloading Off
   Header always append Content-Security-Policy "frame-ancestors 'none'"
 
 
+# Login with user certificate/smartcard configuration
+
+  AuthType none
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+  GssapiImpersonate On
+  NSSVerifyClient require
+  NSSUserName SSL_CLIENT_CERT
+  LookupUserByCertificate On
+  WSGIProcessGroup ipa
+  WSGIApplicationGroup ipa
+
+
 # Turn off Apache authentication for sessions
 
   Satisfy Any
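Review bot: adding the client-certificate block to `ipa.conf` makes it part of every installation, including ones without the NSS client-certificate and GSSAPI impersonation prerequisites, and with `AuthType none` the path then relies on `NSSVerifyClient require` alone for authentication; a separate, opt-in conf file (which the later revision of this patch adopts) avoids that. The `<Location>` container lines of the block are also missing from the archived copy, so the protected path cannot be checked here.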
diff --git a/install/ui/src/freeipa/plugins/cert_auth.js b/install/ui/src/freeipa/plugins/cert_auth.js
new file mode 100644
index ..282883d6fe82258405afb167dd61b5d6b0f1a7bd
--- /dev/null
+++ b/install/ui/src/freeipa/plugins/cert_auth.js
@@ -0,0 +1,179 @@
+/*  Authors:
+ *Petr Vobornik 
+ *Tibor Dudlák 
+ *
+ * Copyright (C) 2016 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see .
+*/
+/*
+Plugin to add a button with aside text to FreeiPA login screen
+
+Tested against FreeIPA 4.4
+
+Limitation: only one such plugin can be installed - one can override
+functionality of the other
+ */
+
+// we can also depend on other plugin
+define([
+'dojo/Deferred',
+'dojo/dom-construct',
+'dojo/_base/declare',
+'freeipa/jquery',
+'freeipa/_base/Spec_mod',
+'freeipa/ipa',
+'freeipa/auth',
+'freeipa/phases',
+'freeipa/reg',
+'freeipa/plugins/login',
+'freeipa/widgets/LoginScreen',
+],
+function(Deferred, construct, declare, $, SpecMod, IPA, auth, phases,
+  reg, mod_login, LoginScreen) {
+
+
+var exp = {}; // module object (export)
+
+exp.CustomLoginScreen = declare([LoginScreen], {
+
+crtauth_btn_node: null,
+
+auth_failed: "
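Review bot: the header comment (`Plugin to add a button with aside text to FreeiPA login screen`, `Tested against FreeIPA 4.4`, `// we can also depend on other plugin`) is the example plugin's generic text rather than a description of certificate/smartcard login, and `FreeiPA` is misspelled; replace it with what the plugin does and keep the `Limitation: only one such plugin can be installed` caveat, which is the one line that tells an administrator something actionable.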

[Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-01 Thread Tibor Dudlak
Hi,

I have added a few lines of code to make optional login with a personal
certificate (or with a smartcard) possible. Some UI changes have to be made.
It is not kosher, but it definitely works.

Thank you, Tibor
From 91201035c02a186ad7311880730554925d7bf58e Mon Sep 17 00:00:00 2001
From: Tiboris 
Date: Mon, 1 Aug 2016 11:28:05 +0200
Subject: [PATCH] Added new authentication method.

This edit only added few changes to be able to login with personal certificate into IPA server.
---
 ipaserver/plugins/xmlserver.py | 3 ++-
 ipaserver/rpcserver.py | 5 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index d8fe24e0cb407603e9898e934229c9373f3c8b62..1843c0568543951f2c817616d9e988deaab47056 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -28,12 +28,13 @@ register = Registry()
 
 
 if api.env.context in ('server', 'lite'):
-from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session
+from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_x509, login_password, change_password, sync_token, xmlserver_session
 register()(wsgi_dispatch)
 register()(xmlserver)
 register()(jsonserver_kerb)
 register()(jsonserver_session)
 register()(login_kerberos)
+register()(login_x509)
 register()(login_password)
 register()(change_password)
 register()(sync_token)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index d036f3c27521f17709672b830d5aa58167c76b34..a181ecfcb1d01b1c2dd5ee6cb9721d69be8c1863 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -876,6 +876,11 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
 
 return self.finalize_kerberos_acquisition('login_kerberos', user_ccache_name, environ, start_response)
 
+
+class login_x509(login_kerberos, KerberosSession, HTTP_Status):
+key = '/session/login_x509'
+
+
 class login_password(Backend, KerberosSession, HTTP_Status):
 
 content_type = 'text/plain'
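Review bot: `class login_x509(login_kerberos, KerberosSession, HTTP_Status)` repeats bases that `login_kerberos` already has, and because it inherits `__call__` unchanged the new endpoint still calls `self.finalize_kerberos_acquisition('login_kerberos', ...)` with the literal `'login_kerberos'` rather than its own name; factor the shared logic into a base class with a per-subclass `key` and derive the name from the subclass.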
-- 
2.7.4
