Re: [Freeipa-devel] Kerberos implementation issues

2011-06-22 Thread Jim Meyering
Alexander Bokovoy wrote:
> On 22.06.2011 20:30, Simo Sorce wrote:
>>>> Quick search on the internet did not reveal any.
>>>> I found a Ruby GSSAPI library if this is of any help.
>>>> https://github.com/zenchild/gssapi/wiki
>>>
>>> If only iwhd were written in Ruby rather than C.
>>
>> Maybe you can take mod_auth_kerb sources and adapt it for libmicrohttpd,
>> shouldn't be too much work, the crypto details are handled by libgssapi
>> anyways.
> That seems to be a common case -- at least for nginx people went the
> same way https://github.com/fintler/nginx-mod-auth-kerb

Thanks to both of you for the tips.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] Kerberos implementation issues

2011-06-22 Thread Jim Meyering
Dmitri Pal wrote:

>> Dmitri Pal wrote:
>>> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>>>> Our best bet may be to find an embeddable httpd server that supports 
>>>> GSSAPI.
>>>> Do any of you know of one?
>>>>
>>> Quick search on the internet did not reveal any.
>>> I found a Ruby GSSAPI library if this is of any help.
>>> https://github.com/zenchild/gssapi/wiki
>> If only iwhd were written in Ruby rather than C.
>
> Hm, I thought everything is written in Ruby nowadays :-)
> at least most of the cloud infrastructure services we integrate.
>
> Good to hear that something is still written in plain old C.
> Is there any architectural diagram and high level overview of the
> project that we can take a look at?

Sure,

  http://git.fedorahosted.org/git?p=iwhd.git;a=blob;f=doc/image_repo.odt



Re: [Freeipa-devel] Kerberos implementation issues

2011-06-22 Thread Jim Meyering
Dmitri Pal wrote:
> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>> Our best bet may be to find an embeddable httpd server that supports GSSAPI.
>> Do any of you know of one?
>>
> Quick search on the internet did not reveal any.
> I found a Ruby GSSAPI library if this is of any help.
> https://github.com/zenchild/gssapi/wiki

If only iwhd were written in Ruby rather than C.



Re: [Freeipa-devel] Kerberos implementation issues

2011-06-22 Thread Jim Meyering
Sumit Bose wrote:
> On Tue, Jun 21, 2011 at 04:48:08PM -0600, Pete Zaitcev wrote:
>> On Tue, 21 Jun 2011 18:28:36 -0400
>> Dmitri Pal wrote:
>>
>> Dear Dmitri, thanks for the reply. I am reading curl source code
>> now and I notice the distinction between "Negotiate" that comes
>> from SPNEGO, and "GSS-Negotiate". I'm looking for the definition
>> of the latter.
>>
>> > > I am working on adding authentication/authorization
>> > > to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented
>> > > with GNU Microhttpd. [...]
>>
>> > > So far, I gather that so-called "SPNEGO" protocol is what everyone
>> > > uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121).
>> > > There's also a "Kerberos on Windows" thing (4559), which actually
>> > > defines the key pieces such as "WWW-Authenticate: Negotiate".
>>
>> > What web server are you using? It is mostly something that is used
>> > outside the application by the web server itself.
>>
>> As I mentioned, iwhd relies on GNU Microhttpd library to implement
>> a webserver.
>
> According to http://www.gnu.org/software/libmicrohttpd/ there is only
> "Support for basic and digest authentication (optional)". As Dmitri
> already mentioned there is mod_auth_kerb for Apache which offers the
> Negotiate. It does GSSAPI but can handle SPNEGO as well and can
> authenticate an SPNEGO client if it can handle GSSAPI (SPNEGO is
> basically used to choose between GSSAPI or NTLMSSP).
>
> As long as the GNU Microhttpd library does not support at least GSSAPI
> (SPNEGO would be important for Windows clients) or cannot use Apache's
> mod_auth_kerb somehow, I would recommend, like Dmitri, putting an Apache in
> front of iwhd and letting Apache forward the principal of the authenticated
> user in e.g. an X_FORWARDED_USER header variable.

Unfortunately, replacing (in iwhd) an embedded component like libmicrohttpd
may be, er, ... challenging.  iwhd can be configured as both server
and client, and can use arbitrary port numbers, so deferring to "Apache"
seems infeasible.

For example, one use case is to run two interconnected iwhd servers,
one upstream and another downstream, as demonstrated in iwhd's
t/replication test case.  Even if we were to give up this functionality
(currently not required by any iwhd client), requiring an additional,
private-to-iwhd, kerb-enabled Apache server sounds like disproportionate
overhead for an otherwise small daemon.

Our best bet may be to find an embeddable httpd server that supports GSSAPI.
Do any of you know of one?

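Added example (in C, since iwhd and libmicrohttpd are C), not code from iwhd, libmicrohttpd, curl or mod_auth_kerb: the HTTP side of the Negotiate scheme the thread is circling. Whatever a client library calls the option, the header scheme on the wire is always "Negotiate" (RFC 4559): the server challenges with "WWW-Authenticate: Negotiate" and the client answers with "Authorization: Negotiate <base64 token>". What differs is the GSS mechanism inside the token: an SPNEGO wrapper (RFC 4178), a bare Kerberos token (RFC 4121), or, from some Windows clients, a raw NTLMSSP message that is not a GSS token at all. The code base64-decodes the header value, reads the mechanism OID out of the RFC 2743 InitialContextToken framing and classifies it, which is the check a libmicrohttpd handler would want before passing the bytes to gss_accept_sec_context(). The sample headers are constructed tokens cut off after the framing, not captures of a real exchange; all function and enum names are hypothetical.

```c
/* Added example, not iwhd or libmicrohttpd code.  Classifies the token in
 * "Authorization: Negotiate <base64>" (RFC 4559) before the server hands the
 * decoded bytes to gss_accept_sec_context().  Names are hypothetical. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum negotiate_mech {
    MECH_INVALID = 0, /* wrong scheme, bad base64, or not a GSS token        */
    MECH_SPNEGO,      /* 1.3.6.1.5.5.2 (RFC 4178), wraps krb5 or NTLMSSP      */
    MECH_KRB5,        /* 1.2.840.113554.1.2.2 (RFC 4121) or MS 1.2.840.48018 */
    MECH_NTLMSSP,     /* raw "NTLMSSP\0" message with no GSS framing at all   */
    MECH_OTHER        /* well-formed InitialContextToken, some other mech    */
};

static const uint8_t OID_SPNEGO[] = {0x2b,0x06,0x01,0x05,0x05,0x02};
static const uint8_t OID_KRB5[]   = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const uint8_t OID_MSKRB5[] = {0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02};

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Strict base64: rejects bad length, bad characters and data after '='.
 * Returns the decoded length, or -1. */
static int b64_decode(const char *in, uint8_t *out, size_t outmax)
{
    size_t n = strlen(in), o = 0;
    uint32_t acc = 0; int bits = 0, pad = 0;
    if (n == 0 || n % 4) return -1;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '=') { pad++; continue; }
        int v = b64val(in[i]);
        if (pad || v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= outmax) return -1;
            out[o++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return pad > 2 ? -1 : (int)o;
}

/* Find the mechanism OID in an RFC 2743 section 3.1 InitialContextToken:
 * 0x60 <DER length> 0x06 <oid length> <oid bytes> <mech-specific body>.
 * Returns a pointer to the OID bytes, or NULL if that framing is absent. */
static const uint8_t *gss_token_oid(const uint8_t *t, size_t len, size_t *oidlen)
{
    size_t i = 0, body = 0;
    if (len < 2 || t[i++] != 0x60) return NULL;
    if (t[i] < 0x80) {
        body = t[i++];                    /* short-form length */
    } else {
        int nb = t[i++] & 0x7f;           /* long form: 0x81/0x82 + N bytes */
        if (nb == 0 || nb > 2 || i + nb > len) return NULL;
        while (nb--) body = (body << 8) | t[i++];
    }
    if (body > len - i || body < 2 || t[i] != 0x06) return NULL;
    *oidlen = t[i + 1];
    if (*oidlen == 0 || *oidlen > body - 2) return NULL;
    return t + i + 2;
}

enum negotiate_mech classify_token(const uint8_t *tok, size_t len)
{
    size_t oidlen;
    if (len >= 8 && memcmp(tok, "NTLMSSP", 8) == 0)   /* 8 bytes: NUL included */
        return MECH_NTLMSSP;
    const uint8_t *oid = gss_token_oid(tok, len, &oidlen);
    if (!oid) return MECH_INVALID;
    if (oidlen == sizeof OID_SPNEGO && !memcmp(oid, OID_SPNEGO, oidlen))
        return MECH_SPNEGO;
    if (oidlen == sizeof OID_KRB5 &&
        (!memcmp(oid, OID_KRB5, oidlen) || !memcmp(oid, OID_MSKRB5, oidlen)))
        return MECH_KRB5;
    return MECH_OTHER;
}

/* Authorization header value -> mechanism.  Scheme compared case-insensitively. */
enum negotiate_mech classify_negotiate(const char *authz)
{
    static const char scheme[] = "Negotiate";
    uint8_t buf[4096];                    /* AP-REQs carrying a PAC run to a few KB */
    size_t i;
    for (i = 0; scheme[i]; i++)           /* an early NUL in authz mismatches too */
        if (tolower((unsigned char)authz[i]) != tolower((unsigned char)scheme[i]))
            return MECH_INVALID;
    if (authz[i] != ' ') return MECH_INVALID;
    while (authz[i] == ' ') i++;
    int n = b64_decode(authz + i, buf, sizeof buf);
    return n < 0 ? MECH_INVALID : classify_token(buf, (size_t)n);
}

int main(void)
{
    /* Constructed samples: SPNEGO, raw Kerberos, raw NTLM, and a non-Negotiate header. */
    const char *samples[] = { "Negotiate YAwGBisGAQUFAqACMAA=", "Negotiate YA0GCSqGSIb3EgECAgEA",
                              "Negotiate TlRMTVNTUAABAAAA", "Basic dXNlcjpwYXNz" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-32s -> mech %d\n", samples[i], classify_negotiate(samples[i]));
    return 0;
}
```

Both MIT and Heimdal dispatch gss_accept_sec_context() on the OID found in exactly this position, so MECH_SPNEGO and MECH_KRB5 tokens can be handed straight through and the outcome used to choose between 200 and a further 401 carrying the reply token in "WWW-Authenticate: Negotiate". A MECH_NTLMSSP token cannot be authenticated by a plain Kerberos GSSAPI and should simply get a fresh 401. If the Apache-in-front design from the thread is chosen instead, the forwarded-user header is only as trustworthy as the link between Apache and iwhd, so iwhd would have to accept it from that proxy alone.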