On Wed, 03 Aug 2016, Jan Pazdziora wrote:
On Tue, Aug 02, 2016 at 05:57:38PM +0300, Alexander Bokovoy wrote:
On Mon, 01 Aug 2016, Rob Crittenden wrote:
>
> How/where does the UI get a Kerberos ticket for the user?
That's indeed a problem -- even with the PKINIT support in KDC that Simo
is polishing up now, we don't have a way to obtain a ticket on behalf of
the user because Apache would terminate the SSL negotiation and we
wouldn't be able to use user's certificate to do PKINIT negotiation to
obtain a ticket as a user and then continue running on its behalf.
Neither we would get any Kerberos ticket from the client side.
The current idea is to use S4U2Self and the GssapiImpersonate feature
of mod_auth_gssapi 1.4.0, similar to the approach from
http://www.freeipa.org/page/V4/External_Authentication/NSS_Impersonation
Tibor has done the investigation for FreeIPA and is working on some
polished instructions for the FreeIPA WebUI.
Got it. One thing I would correct, though, -- don't use kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
Client credentials may be delegated to the service
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
