Hi,

My Web Server is enrolled in the FreeIPA domain, but the clients are external. So login is done via a custom login form - part of the Web Application. In this setup, I know how to authenticate the clients to the Web Application using FreeIPA as a backend - I can use mod_intercept_form_submit, and it works just fine.

But what if I need to obtain Kerberos credentials on behalf of the current user? (I believe smart people call it "delegation" in the Kerberos world.)

To be more specific - suppose that the Web Application features personal secret vaults, and it uses FreeIPA Vaults as a backend. So a user X logs in and wants to see his personal vaults - the Web Application must obtain Kerberos credentials on his behalf (not on behalf of the HTTP/.... service, because I don't want to make it the owner of all vaults).

Or another example - suppose that the Web Application manages my infrastructure. So a user X (who is infra-admin) logs in and requests to add a new host to the domain. The Web Application must then go and execute some privileged FreeIPA calls (like host_add etc.). Again, I'd like it to authenticate on behalf of this user X, instead of making the HTTP/... service infra-admin by itself. This way I don't need to store any passwords or keytabs with such sensitive credentials (the infra-admin will always come in person and type his password).

Can you please point me in the right direction?

Thanks.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org