Re: [Freeipa-users] freeIPA SSL authentication

2015-03-11 Thread K SHK
thanks Dmitri,

I am now testing two-way SSL auth to a Apache webserver using
auth_kerb_module which authenticates to IPA, idea is that it will reverse
proxy to another server which is under IPA domain.
I will try out mod_nss and later PKINIT.


thanks for the reply.

-KSHK

On Tue, Mar 10, 2015 at 7:10 PM, Dmitri Pal  wrote:

> On 03/10/2015 01:19 PM, Rob Crittenden wrote:
>
>> Dmitri Pal wrote:
>>
>>> On 03/10/2015 10:22 AM, Rob Crittenden wrote:
>>>
>>>> K SHK wrote:
>>>>
>>>>> hi,
>>>>>
>>>>> My hortonworks hadoop cluster is kerberized with FreeIPA and works
>>>>> splendid :)
>>>>>
>>>>> I want to clarify if SSL authentication without a login/password will
>>>>> work against FreeIPA...
>>>>>
>>>>> ie. client connects to apache webserver over SSL, and sets in
>>>>> username via
>>>>>
>>>>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
>>>>>
>>>>> and the webserver will get the valid ticket from freeIPA...
>>>>>
>>>>> any idea what type of certificate and apache modules will be needed to
>>>>> accomplish this?
>>>>>
>>>> IPA doesn't support user SSL certificates at the moment, so that's the
>>>> first hurdle. It is being worked on for 4.2. You'd need to include the
>>>> PKINIT EKU in the client cert, something that should be configurable
>>>> when the work is done.
>>>>
>>>> The second problem is that the IPA PKINIT configuration is rather
>>>> incomplete at the moment. I'm not sure if it is sufficient in its
>>>> current state, even with properly formatted certificates.
>>>>
>>>> And even further, I'm not familiar enough with PKINIT to know whether a
>>>> web-based SSL authentication is enough to get a ticket.
>>>>
>>>> rob
>>>>
>>> I think it is but the biggest problem is remapping the identities from
>>> the cert to users in identity system - IPA in this case.
>>> I will file a ticket.
>>> https://fedorahosted.org/freeipa/ticket/4942
>>>
>> IIRC with PKINIT the principal is encoded in the certificate so no
>> mapping is required.
>>
>> rob
>>
> There are several use cases here:
> - do PKINIT on the client and then use ST to connect to IPA UI - this is
> already planned
> - use certificate auth via mod_nss directly to IPA.
>
> The challenge would be to deal with the case when there is no principal
> (or other good identifier) in the cert and you have to remap.
> Unfortunately we can't guarantee that principal is in the cert. Some known
> entities that we need to work with do not have the principal in the cert.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] freeIPA SSL authentication

2015-03-10 Thread Dmitri Pal

On 03/10/2015 01:19 PM, Rob Crittenden wrote:

Dmitri Pal wrote:

On 03/10/2015 10:22 AM, Rob Crittenden wrote:

K SHK wrote:

hi,

My hortonworks hadoop cluster is kerberized with FreeIPA and works
splendid :)

I want to clarify if SSL authentication without a login/password will
work against FreeIPA...

ie. client connects to apache webserver over SSL, and sets in
username via

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

and the webserver will get the valid ticket from freeIPA...

any idea what type of certificate and apache modules will be needed to
accomplish this?

IPA doesn't support user SSL certificates at the moment, so that's the
first hurdle. It is being worked on for 4.2. You'd need to include the
PKINIT EKU in the client cert, something that should be configurable
when the work is done.

The second problem is that the IPA PKINIT configuration is rather
incomplete at the moment. I'm not sure if it is sufficient in its
current state, even with properly formatted certificates.

And even further, I'm not familiar enough with PKINIT to know whether a
web-based SSL authentication is enough to get a ticket.

rob


I think it is but the biggest problem is remapping the identities from
the cert to users in identity system - IPA in this case.
I will file a ticket.
https://fedorahosted.org/freeipa/ticket/4942


IIRC with PKINIT the principal is encoded in the certificate so no
mapping is required.

rob

There are several use cases here:
- do PKINIT on the client and then use ST to connect to IPA UI - this is 
already planned

- use certificate auth via mod_nss directly to IPA.

The challenge would be to deal with the case when there is no principal 
(or other good identifier) in the cert and you have to remap.
Unfortunately we can't guarantee that principal is in the cert. Some 
known entities that we need to work with do not have the principal in 
the cert.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] freeIPA SSL authentication

2015-03-10 Thread Rob Crittenden
Dmitri Pal wrote:
> On 03/10/2015 10:22 AM, Rob Crittenden wrote:
>> K SHK wrote:
>>> hi,
>>>
>>> My hortonworks hadoop cluster is kerberized with FreeIPA and works
>>> splendid :)
>>>
>>> I want to clarify if SSL authentication without a login/password will
>>> work against FreeIPA...
>>>
>>> ie. client connects to apache webserver over SSL, and sets in
>>> username via
>>>
>>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
>>>
>>> and the webserver will get the valid ticket from freeIPA...
>>>
>>> any idea what type of certificate and apache modules will be needed to
>>> accomplish this?
>> IPA doesn't support user SSL certificates at the moment, so that's the
>> first hurdle. It is being worked on for 4.2. You'd need to include the
>> PKINIT EKU in the client cert, something that should be configurable
>> when the work is done.
>>
>> The second problem is that the IPA PKINIT configuration is rather
>> incomplete at the moment. I'm not sure if it is sufficient in its
>> current state, even with properly formatted certificates.
>>
>> And even further, I'm not familiar enough with PKINIT to know whether a
>> web-based SSL authentication is enough to get a ticket.
>>
>> rob
>>
> I think it is but the biggest problem is remapping the identities from
> the cert to users in identity system - IPA in this case.
> I will file a ticket.
> https://fedorahosted.org/freeipa/ticket/4942
> 

IIRC with PKINIT the principal is encoded in the certificate so no
mapping is required.

rob



Re: [Freeipa-users] freeIPA SSL authentication

2015-03-10 Thread Dmitri Pal

On 03/10/2015 10:22 AM, Rob Crittenden wrote:

K SHK wrote:

hi,

My hortonworks hadoop cluster is kerberized with FreeIPA and works
splendid :)

I want to clarify if SSL authentication without a login/password will
work against FreeIPA...

ie. client connects to apache webserver over SSL, and sets in username via

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

and the webserver will get the valid ticket from freeIPA...

any idea what type of certificate and apache modules will be needed to
accomplish this?

IPA doesn't support user SSL certificates at the moment, so that's the
first hurdle. It is being worked on for 4.2. You'd need to include the
PKINIT EKU in the client cert, something that should be configurable
when the work is done.

The second problem is that the IPA PKINIT configuration is rather
incomplete at the moment. I'm not sure if it is sufficient in its
current state, even with properly formatted certificates.

And even further, I'm not familiar enough with PKINIT to know whether a
web-based SSL authentication is enough to get a ticket.

rob

I think it is but the biggest problem is remapping the identities from 
the cert to users in identity system - IPA in this case.

I will file a ticket.
https://fedorahosted.org/freeipa/ticket/4942

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] freeIPA SSL authentication

2015-03-10 Thread Rob Crittenden
K SHK wrote:
> hi,
> 
> My hortonworks hadoop cluster is kerberized with FreeIPA and works
> splendid :)
> 
> I want to clarify if SSL authentication without a login/password will
> work against FreeIPA...
> 
> ie. client connects to apache webserver over SSL, and sets in username via
> 
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername
> 
> and the webserver will get the valid ticket from freeIPA...
> 
> any idea what type of certificate and apache modules will be needed to
> accomplish this?

IPA doesn't support user SSL certificates at the moment, so that's the
first hurdle. It is being worked on for 4.2. You'd need to include the
PKINIT EKU in the client cert, something that should be configurable
when the work is done.

The second problem is that the IPA PKINIT configuration is rather
incomplete at the moment. I'm not sure if it is sufficient in its
current state, even with properly formatted certificates.

And even further, I'm not familiar enough with PKINIT to know whether a
web-based SSL authentication is enough to get a ticket.

rob
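As an added example (not from the thread, nor from the FreeIPA project), the mod_ssl setup the question describes: the web server verifies the client certificate against a CA and SSLUserName maps the verified cert's CN into REMOTE_USER, which is the point Rob's reply is making: this yields a username string, not a Kerberos ticket. The certificate paths, CA file and backend hostname are placeholders.

```apache
# Added example, not from the thread. Paths and hostnames are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/proxy.crt
    SSLCertificateKeyFile /etc/pki/tls/private/proxy.key

    # Only certificates chaining to this CA are accepted as client identities;
    # anything else fails the TLS handshake before any request is processed.
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Copy the verified certificate's CN into REMOTE_USER. This is a plain
    # string mapping done by mod_ssl: no Kerberos ticket is obtained, so the
    # backend only learns a username, not an authenticated Kerberos identity,
    # and the CN-to-IPA-user mapping is exactly the remapping problem raised
    # later in the thread.
    SSLUserName SSL_CLIENT_S_DN_CN

    # Reverse proxy to the service inside the IPA domain. The backend never
    # sees the client certificate, so it must trust this proxy alone to have
    # performed the verification above.
    ProxyPass        / http://backend.ipa.example/
    ProxyPassReverse / http://backend.ipa.example/
</VirtualHost>
```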
