Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-08 Thread Martin Kosek
On 08/08/2016 01:31 PM, Jan Pazdziora wrote:
> On Mon, Aug 08, 2016 at 12:52:33PM +0200, Martin Kosek wrote:
>>
>> I discussed this with Jan Pazdziora on IRC, outside of this mail thread, so let
>> me repeat my suggestion here. I still think it is premature to add plugins like
>> that to FreeIPA core git. We have not yet agreed on how we will distribute FreeIPA
>> plugins, so I would not rush adding this plugin to FreeIPA core, especially
>> since it is very experimental and not even secure yet. FreeIPA plugin
>> distribution should be more thought through and discussed.
>>
>> As I proposed, this plugin can now live outside of FreeIPA core git, in its
>> own life cycle (maybe in a freeipa-plugins github git repo we create?) so that it
>> can be updated without updating the whole FreeIPA core. In this effort, I would
>> suggest to only consider updates of
>>
>> * ipaserver/plugins/xmlserver.py
>> * ipaserver/rpcserver.py
>>
>> as these would have to be patched by an admin deploying this feature and would be
>> overwritten by RPM updates. The plugin itself or server.conf can be deployed
>> and installed separately, even via another RPM.
> 
> We want the feature (albeit experimental) to be available to upstream
> users and downstream customers, with as few steps to take and as few
> hoops to jump through as possible. Any bits we can get to users' and
> customers' hands via standard means are bits that they don't need to
> get from elsewhere, via nonstandard means, with us inventing and
> supporting these nonstandard processes.
> 
> Assuming the mere existence of the functionality (which will be
> disabled by default) does not decrease security of the default
> installations and configuration, I don't see why carrying it poses
> a problem.

I see your reasoning, I just think it is not strong enough to rush this new
method of delivering plugins in before discussing it more broadly.

Also, as I mentioned, we may want a different life cycle for FreeIPA plugins than
we want for FreeIPA core bits. Thus the different repository suggestion. This
whole feature is (still) non-standard and experimental, so I do not personally
see that big a problem in a non-standard delivery mechanism.

Martin

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-08 Thread Jan Pazdziora
On Mon, Aug 08, 2016 at 12:52:33PM +0200, Martin Kosek wrote:
> 
> I discussed this with Jan Pazdziora on IRC, outside of this mail thread, so let
> me repeat my suggestion here. I still think it is premature to add plugins like
> that to FreeIPA core git. We have not yet agreed on how we will distribute FreeIPA
> plugins, so I would not rush adding this plugin to FreeIPA core, especially
> since it is very experimental and not even secure yet. FreeIPA plugin
> distribution should be more thought through and discussed.
>
> As I proposed, this plugin can now live outside of FreeIPA core git, in its
> own life cycle (maybe in a freeipa-plugins github git repo we create?) so that it
> can be updated without updating the whole FreeIPA core. In this effort, I would
> suggest to only consider updates of
> 
> * ipaserver/plugins/xmlserver.py
> * ipaserver/rpcserver.py
> 
> as these would have to be patched by an admin deploying this feature and would be
> overwritten by RPM updates. The plugin itself or server.conf can be deployed
> and installed separately, even via another RPM.

We want the feature (albeit experimental) to be available to upstream
users and downstream customers, with as few steps to take and as few
hoops to jump through as possible. Any bits we can get to users' and
customers' hands via standard means are bits that they don't need to
get from elsewhere, via nonstandard means, with us inventing and
supporting these nonstandard processes.

Assuming the mere existence of the functionality (which will be
disabled by default) does not decrease security of the default
installations and configuration, I don't see why carrying it poses
a problem.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-08 Thread Alexander Bokovoy

On Mon, 08 Aug 2016, Martin Kosek wrote:

> On 08/05/2016 02:57 PM, Tibor Dudlak wrote:
>
>> Hi,
>>
>> I have extended my previous patch for authentication with user
>> certificate/smartcard. This patch includes patches and plugin described here:
>> http://www.freeipa.org/page/V4/External_Authentication/Setup
>> Page also contains steps to configure and test this feature. Once this patch is
>> merged and released we will simplify this page to not confuse customers.
>> Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764
>>
>> Thanks.
>
> I discussed this with Jan Pazdziora on IRC, outside of this mail thread, so let
> me repeat my suggestion here. I still think it is premature to add plugins like
> that to FreeIPA core git. We have not yet agreed on how we will distribute FreeIPA
> plugins, so I would not rush adding this plugin to FreeIPA core, especially
> since it is very experimental and not even secure yet. FreeIPA plugin
> distribution should be more thought through and discussed.
>
> As I proposed, this plugin can now live outside of FreeIPA core git, in its
> own life cycle (maybe in a freeipa-plugins github git repo we create?) so that it
> can be updated without updating the whole FreeIPA core. In this effort, I would
> suggest to only consider updates of
>
> * ipaserver/plugins/xmlserver.py
> * ipaserver/rpcserver.py
>
> as these would have to be patched by an admin deploying this feature and would be
> overwritten by RPM updates. The plugin itself or server.conf can be deployed
> and installed separately, even via another RPM.

Right. This was my thinking too when I saw the patches.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-08 Thread Martin Kosek
On 08/05/2016 02:57 PM, Tibor Dudlak wrote:
> Hi,
> 
> I have extended my previous patch for authentication with user 
> certificate/smartcard. This patch includes patches and plugin described here: 
> http://www.freeipa.org/page/V4/External_Authentication/Setup
> Page also contains steps to configure and test this feature. Once this patch 
> is 
> merged and released we will simplify this page to not confuse customers.
> Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764
> 
> Thanks.

I discussed this with Jan Pazdziora on IRC, outside of this mail thread, so let
me repeat my suggestion here. I still think it is premature to add plugins like
that to FreeIPA core git. We have not yet agreed on how we will distribute FreeIPA
plugins, so I would not rush adding this plugin to FreeIPA core, especially
since it is very experimental and not even secure yet. FreeIPA plugin
distribution should be more thought through and discussed.

As I proposed, this plugin can now live outside of FreeIPA core git, in its
own life cycle (maybe in a freeipa-plugins github git repo we create?) so that it
can be updated without updating the whole FreeIPA core. In this effort, I would
suggest to only consider updates of

* ipaserver/plugins/xmlserver.py
* ipaserver/rpcserver.py

as these would have to be patched by an admin deploying this feature and would be
overwritten by RPM updates. The plugin itself or server.conf can be deployed
and installed separately, even via another RPM.

Martin



Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-05 Thread Petr Vobornik
On 08/05/2016 02:57 PM, Tibor Dudlak wrote:
> Hi,
> 
> I have extended my previous patch for authentication with user 
> certificate/smartcard. This patch includes patches and plugin described here: 
> http://www.freeipa.org/page/V4/External_Authentication/Setup
> Page also contains steps to configure and test this feature. Once this patch 
> is 
> merged and released we will simplify this page to not confuse customers.
> Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764
> 

Let's assume that we will go with this approach and not a separate RPM.

1. ipa.conf version needs to be bumped

2. Do not put the web UI plugin in the src/freeipa/plugins dir. That is a
dir for core UI plugins. This one is sort of a hybrid - basically a third
party plugin added to the core package but enabled as third party because
the feature is experimental.

Rather, create a new dir for that. E.g. plugins.d as Alexander suggested
->  freeipa/install/ui/src/plugins.d/cert_auth/cert_auth.js

3. Unrelated and "alternative solution" comments need to be removed
from the UI plugin. They were added to the example plugin
https://pvoborni.fedorapeople.org/plugins/loginauth/loginauth.js mostly
to help you with the development.

4. Add comment to freeipa.spec.in describing what the plugin is and why
it is put there this way.

5. The plugin itself deserves better description as well. Right now
there is the general description.

6. I have not tried it, but make sure that it passes jslint (`jsl -conf
jsl.conf`). Easiest may be to use a temporary jsl.conf (i.e. do not include it
here), e.g.: https://pvoborni.fedorapeople.org/plugins/loginauth/jsl.conf

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-05 Thread Tibor Dudlak
Hi Alexander,

On Fri, Aug 5, 2016 at 3:19 PM, Alexander Bokovoy wrote:

> On Fri, 05 Aug 2016, Tibor Dudlak wrote:
>
>> Hi,
>>
>> I have extended my previous patch for authentication with user
>> certificate/smartcard.
>> ...
>>
>> Thanks.
>>
>> --
>> Tibor Dudlák
>> Intern - Identity management Special Projects
>> Red Hat
>
> Can you rename plugins-dist to something like 'plugins.d'?
> This would be more in line with other parts where multiple additions are
> supposed to come and also in line with other projects where a drop-in
> directory is supported.
> --
> / Alexander Bokovoy
>

In our case we need to distribute this plugin in such a way that it is not
enabled by default. In fact something like 'plugins.d' as you wrote already
exists ('/usr/share/ipa/ui/js/plugins/'). The main point of creating this new
directory is to separate this inactive plugin from the plugins located in the
'/usr/share/ipa/ui/js/plugins/' directory, where the active plugins are. Users
can easily enable this plugin, once they desire to, just by creating a symlink
into this 'plugins' directory.

-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
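The enable-by-symlink step Tibor describes above, as an added example that is not part of the thread or of the posted patch: a small POSIX shell helper that enables, disables and reports a shipped-but-inactive Web UI plugin. The directory names (plugins-dist for the inactive tree, plugins for the active one) and the NAME/NAME.js layout are taken from the patch and are assumptions here; override them through the IPA_UI_PLUGINS_DIST and IPA_UI_PLUGINS variables.

```shell
#!/bin/sh
# Added example, not code from the patch or from FreeIPA: enable, disable and
# inspect a FreeIPA Web UI plugin that is shipped in an inactive drop-in tree.
# Assumptions (taken from the posted patch, not verified here): the inactive
# tree is /usr/share/ipa/ui/js/plugins-dist, the active tree is
# /usr/share/ipa/ui/js/plugins, and a plugin lives at <tree>/<name>/<name>.js.
set -eu

: "${IPA_UI_PLUGINS_DIST:=/usr/share/ipa/ui/js/plugins-dist}"
: "${IPA_UI_PLUGINS:=/usr/share/ipa/ui/js/plugins}"

# ipa_ui_plugin_enable NAME
# Links $IPA_UI_PLUGINS/NAME -> $IPA_UI_PLUGINS_DIST/NAME. Refuses a plugin that
# lacks the NAME/NAME.js layout, and never replaces a real file or directory in
# the active tree: the only thing it will overwrite is a symlink.
ipa_ui_plugin_enable() {
    name=$1
    src="$IPA_UI_PLUGINS_DIST/$name"
    dst="$IPA_UI_PLUGINS/$name"
    if [ ! -f "$src/$name.js" ]; then
        echo "error: $src/$name.js not found; is the plugin package installed?" >&2
        return 1
    fi
    if [ -e "$dst" ] && [ ! -L "$dst" ]; then
        echo "error: $dst exists and is not a symlink; refusing to replace it" >&2
        return 1
    fi
    # Remove a stale link first: 'ln -sf' onto an existing link to a directory
    # would create the new link *inside* that directory instead of replacing it.
    if [ -L "$dst" ]; then
        rm "$dst"
    fi
    ln -s "$src" "$dst"
    echo "enabled $name ($dst -> $src)"
}

# ipa_ui_plugin_disable NAME
# Removes only the symlink; the shipped files under the inactive tree stay in
# place, so the package's file list is untouched.
ipa_ui_plugin_disable() {
    name=$1
    dst="$IPA_UI_PLUGINS/$name"
    if [ ! -L "$dst" ]; then
        echo "error: $dst is not a symlink; not touching it" >&2
        return 1
    fi
    rm "$dst"
    echo "disabled $name"
}

# ipa_ui_plugin_status NAME
# Prints the state; returns 0 when the plugin is enabled and loadable, 1 otherwise.
ipa_ui_plugin_status() {
    name=$1
    dst="$IPA_UI_PLUGINS/$name"
    if [ -L "$dst" ] && [ -f "$dst/$name.js" ]; then
        echo "$name: enabled ($dst)"
        return 0
    fi
    if [ -L "$dst" ]; then
        echo "$name: dangling symlink at $dst (plugin files missing)"
        return 1
    fi
    echo "$name: disabled"
    return 1
}

# When run as a script: ./ipa-ui-plugin.sh enable|disable|status NAME
case "${1:-}" in
    enable)  ipa_ui_plugin_enable "${2:?plugin name required}" ;;
    disable) ipa_ui_plugin_disable "${2:?plugin name required}" ;;
    status)  ipa_ui_plugin_status "${2:?plugin name required}" ;;
esac
```

The helper deliberately touches nothing that is not a symlink, so a package-owned directory in the active tree can never be clobbered by an enable, and a disable cannot delete shipped files; enabling twice is safe because the old link is removed before the new one is created.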

Re: [Freeipa-devel] [PATCH] 0002 Added support for authentication with user certificate

2016-08-05 Thread Alexander Bokovoy

On Fri, 05 Aug 2016, Tibor Dudlak wrote:

Hi,

I have extended my previous patch for authentication with user
certificate/smartcard. This patch includes patches and plugin described
here: http://www.freeipa.org/page/V4/External_Authentication/Setup
Page also contains steps to configure and test this feature. Once this
patch is merged and released we will simplify this page to not confuse
customers.
Addressing ticket: https://fedorahosted.org/freeipa/ticket/5764

Thanks.

--
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat



From e22843f6ab1556528b307951fbcc2476a61a417f Mon Sep 17 00:00:00 2001
From: Tiboris 
Date: Fri, 5 Aug 2016 11:47:06 +0200
Subject: [PATCH] Added support for authentication with user certificate

https://fedorahosted.org/freeipa/ticket/5764
---
freeipa.spec.in |   5 +
install/conf/ipa.conf   |  14 +++
install/ui/src/freeipa/plugins/cert_auth.js | 179 
ipaserver/plugins/xmlserver.py  |   3 +-
ipaserver/rpcserver.py  |   5 +
5 files changed, 205 insertions(+), 1 deletion(-)
create mode 100644 install/ui/src/freeipa/plugins/cert_auth.js

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 
135e9c980011c6c2730c6c29a3c22098e48270d5..2b95b83613ca3720c95f255f7f64dc029195452c
 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -817,6 +817,8 @@ install daemons/dnssec/ipa-ods-exporter 
%{buildroot}%{_libexecdir}/ipa/ipa-ods-e

# Web UI plugin dir
mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+install install/ui/src/freeipa/plugins/cert_auth.js 
%{buildroot}%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js

# DNSSEC config
mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
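Review bot: the source file is placed under install/ui/src/freeipa/plugins/cert_auth.js, the directory for core UI plugins, while the install target is a new, inactive plugins-dist tree; pick one name for the drop-in directory (Alexander asks for 'plugins.d' and Petr proposes install/ui/src/plugins.d/cert_auth/cert_auth.js later in this thread) and use it for both the source location and the install path, so the distinction from the active plugins directory is visible in the source tree as well. The `install` line also takes the default 0755 mode; `install -m 644` fits a non-executable .js asset better.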
@@ -1210,6 +1212,9 @@ fi
%{_usr}/share/ipa/ui/js/freeipa/app.js
%{_usr}/share/ipa/ui/js/freeipa/core.js
%dir %{_usr}/share/ipa/ui/js/plugins
+%dir %{_usr}/share/ipa/ui/js/plugins-dist
+%dir %{_usr}/share/ipa/ui/js/plugins-dist/cert_auth
+%{_usr}/share/ipa/ui/js/plugins-dist/cert_auth/cert_auth.js

Can you rename plugins-dist to something like 'plugins.d'?
This would be more in line with other parts where multiple additions
supposed to come and also in line with other projects where a drop-in
directory is supported.


%dir %{_usr}/share/ipa/ui/images
%{_usr}/share/ipa/ui/images/*.jpg
%{_usr}/share/ipa/ui/images/*.png
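Review bot: the three new %files entries carry no comment saying why cert_auth.js is packaged into plugins-dist rather than the active %{_usr}/share/ipa/ui/js/plugins directory, or that an administrator enables it by symlinking the cert_auth directory into the active one (as described later in this thread); add that comment above `%dir %{_usr}/share/ipa/ui/js/plugins-dist`, as Petr requests. The comment should also say that the symlink the admin creates is not owned by the package, so it survives upgrades but is not cleaned up on removal.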
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 
3e7435903b2ad8c4ae5bfc48c0c9fca733757d5d..c37819ff2bd2c045404a383631435ad6c24fdaa3
 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -77,6 +77,20 @@ WSGIScriptReloading Off
  Header always append Content-Security-Policy "frame-ancestors 'none'"


+# Login with user certificate/smartcard configuration
+
+  AuthType none
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+  GssapiImpersonate On
+  NSSVerifyClient require
+  NSSUserName SSL_CLIENT_CERT
+  LookupUserByCertificate On
+  WSGIProcessGroup ipa
+  WSGIApplicationGroup ipa
+
+
# Turn off Apache authentication for sessions

  Satisfy Any
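Review bot: the container directive that opens and closes this block is missing from the hunk as posted (the `+` lines immediately before `AuthType none` and after `WSGIApplicationGroup ipa` are empty), so it cannot be seen which URL path the certificate login is bound to; please repost the hunk with the directive intact. Two further points: the hunk does not bump the ipa.conf version marker, which Petr asked for and which the upgrade tooling uses to decide whether to refresh the installed copy; and because `NSSVerifyClient require`, `NSSUserName SSL_CLIENT_CERT`, `LookupUserByCertificate On` and `GssapiImpersonate On` together make the certificate-to-user lookup the only authentication step before httpd obtains a ticket on that user's behalf, the block deserves a comment stating that its security rests on the CA set mod_nss trusts for client certificates and on that lookup, which is the reason the feature ships disabled by default.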
diff --git a/install/ui/src/freeipa/plugins/cert_auth.js 
b/install/ui/src/freeipa/plugins/cert_auth.js
new file mode 100644
index 
..282883d6fe82258405afb167dd61b5d6b0f1a7bd
--- /dev/null
+++ b/install/ui/src/freeipa/plugins/cert_auth.js
@@ -0,0 +1,179 @@
+/*  Authors:
+ *Petr Vobornik 
+ *Tibor Dudlák 
+ *
+ * Copyright (C) 2016 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see .
+*/
+/*
+Plugin to add a button with aside text to FreeiPA login screen
+
+Tested against FreeIPA 4.4
+
+Limitation: only one such plugin can be installed - one can override
+functionality of the other
+ */
+
+// we can also depend on other plugin
+define([
+'dojo/Deferred',
+'dojo/dom-construct',
+'dojo/_base/declare',
+'freeipa/jquery',
+'freeipa/_base/Spec_mod',
+'freeipa/ipa',
+'freeipa/auth',
+'freeipa/phases',
+'freeipa/reg',
+'freeipa/plugins/login',
+'freeipa/widgets/LoginScreen',
+],
+function(Deferred, c
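Review bot: the file header still describes the generic example plugin rather than this one (`Plugin to add a button with aside text to FreeiPA login screen`, with "FreeiPA" misspelled, plus `Limitation: only one such plugin can be installed` and `// we can also depend on other plugin`); replace it with a description of what cert_auth actually does on the login screen and drop the development-time remarks, as Petr asks in points 3 and 5. The patch is cut off at `function(Deferred, c` in this post, so the plugin body itself cannot be reviewed from here.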