Re: [Freeipa-users] New User - Possible to point authentication to external KDC

2013-03-04 Thread Dmitri Pal
On 03/01/2013 07:37 PM, Trey Dockendorf wrote:
> On Tue, Feb 26, 2013 at 1:18 PM, Dmitri Pal wrote:
>> On 02/26/2013 01:31 AM, Trey Dockendorf wrote:
>>
>>
>> On Feb 25, 2013 1:23 AM, "Dmitri Pal" wrote:
>>> On 02/23/2013 10:33 PM, Trey Dockendorf wrote:
>>>> I have just begun evaluating FreeIPA, after having successfully used 389ds
>>>> for a few months.  The move from 389 ds to FreeIPA is to leverage the
>>>> authorization for host logins and also for simpler management.  The
>>>> University I am deploying at has a campus-wide KDC, and for security
>>>> and audit reasons I prefer to point my authentication services at that
>>>> Kerberos realm rather than storing passwords.  I have successfully
>>>> implemented this using the 389 ds PAM pass-through authentication
>>>> plug-in, but have not found any documentation on how to do this same
>>>> thing with FreeIPA.
>>>>
>>>> The complication with doing this is I do not have even a 1-way trust
>>>> with the KDC.  Getting a trust (even 1-way) is very difficult if not
>>>> impossible, but so far I've been able to make PAM work with that
>>>> situation both using local authentication and now 389 ds, both through
>>>> PAM.  Is it possible to have FreeIPA query a remote KDC while still
>>>> being able to fall back to the local password store (i.e. external users
>>>> not in the campus domain)?
>>> IPA uses the 389 DS so it might be possible to configure PAM pass
>>> through, but there might be implications because if users are not in IPA
>>> you would not get a ticket, and since you can't get a ticket you can't use
>>> the UI and CLI. You can still bind using LDAP though, as you do with the 389.
>>> So to manage IPA you would still have to have a user in IPA. However you
>>> will have two KDCs and I do not know what implications there would be
>>> for the clients; they might be confused.
>>> Frankly you are better off with 389 now until we make setting up trusts
>>> with other IPAs or MIT KDCs simple. We did that for AD but it requires a
>>> clean DNS setup. I suspect DNS setup will be an issue in any case.
>>>
>>>> Thanks
>>>> - Trey
>>>>
>>>> ___
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>>
>>> ---
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>> Thanks for the response!  I do plan to have all my users in freeIPA.  My
>> goal is to have my freeIPA install just attempt a password authentication
>> against the external KDC via PAM on the IPA server before trying the local
>> password store.  With my current 389 setup, clients are unaware of our
>> campus KDC; the authentication is handled by my 389 server, and currently users
>> in my LDAP who have campus accounts get their password verified via PAM and
>> others in my LDAP use the local password stored in 389.
>>
>> The aspects of IPA aside from 389 are where my uncertainty lies.  For
>> example, if I have LDAP authenticate against an external KDC via PAM, can
>> the user still get a ticket from my IPA?
>>
>> Also getting a trust may not be possible even if freeipa makes the process
>> easier.  This is a politics issue with our campus' main IT group and
>> something I've worked around thus far.
>>
>> Is there anything in the changes to the stock 389 that would prevent this from
>> working in IPA?  Also, is there a preferred method for enabling plugins in
>> IPA?  Also, how could I test this?  Would a client machine joined to my IPA
>> install be the best method?
>>
>> Thanks
>> - Trey
>>
>> If you hit IPA with a Kerberos authentication, to the best of my knowledge
>> the KDC will read the data from LDAP and use it for authentication. It would not
>> do PAM proxy in this case. The PAM proxy would be possible only for the LDAP
>> binds, so I am not sure whether things would work for you.
>>
>> I see that you try to augment the existing infrastructure but I am not sure
>> I have a clear picture in my mind of the architecture you envision.
>> Is there any chance that you can put together a diagram?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>>
>>
> Is the pam proxy for LDAP binds you mentioned using the method
> documented here,
> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through ?  That
> is what I have working currently with 389 by itself.
>
> Do any diagrams exist of the existing infrastructure design for
> FreeIPA?  I could augment an existing one to better illustrate my
> intended usage.
>
> A plain text example o

Re: [Freeipa-users] New User - Possible to point authentication to external KDC

2013-03-01 Thread Trey Dockendorf
On Tue, Feb 26, 2013 at 1:18 PM, Dmitri Pal wrote:
> On 02/26/2013 01:31 AM, Trey Dockendorf wrote:
>
>
> On Feb 25, 2013 1:23 AM, "Dmitri Pal" wrote:
>>
>> On 02/23/2013 10:33 PM, Trey Dockendorf wrote:
>> > I have just begun evaluating FreeIPA, after having successfully used 389ds
>> > for a few months.  The move from 389 ds to FreeIPA is to leverage the
>> > authorization for host logins and also for simpler management.  The
>> > University I am deploying at has a campus-wide KDC, and for security
>> > and audit reasons I prefer to point my authentication services at that
>> > Kerberos realm rather than storing passwords.  I have successfully
>> > implemented this using the 389 ds PAM pass-through authentication
>> > plug-in, but have not found any documentation on how to do this same
>> > thing with FreeIPA.
>> >
>> > The complication with doing this is I do not have even a 1-way trust
>> > with the KDC.  Getting a trust (even 1-way) is very difficult if not
>> > impossible, but so far I've been able to make PAM work with that
>> > situation both using local authentication and now 389 ds, both through
>> > PAM.  Is it possible to have FreeIPA query a remote KDC while still
>> > being able to fall back to the local password store (i.e. external users
>> > not in the campus domain)?
>>
>> IPA uses the 389 DS so it might be possible to configure PAM pass
>> through, but there might be implications because if users are not in IPA
>> you would not get a ticket, and since you can't get a ticket you can't use
>> the UI and CLI. You can still bind using LDAP though, as you do with the 389.
>> So to manage IPA you would still have to have a user in IPA. However you
>> will have two KDCs and I do not know what implications there would be
>> for the clients; they might be confused.
>> Frankly you are better off with 389 now until we make setting up trusts
>> with other IPAs or MIT KDCs simple. We did that for AD but it requires a
>> clean DNS setup. I suspect DNS setup will be an issue in any case.
>>
>> >
>> > Thanks
>> > - Trey
>> >
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>>
>>
>>
>
> Thanks for the response!  I do plan to have all my users in freeIPA.  My
> goal is to have my freeIPA install just attempt a password authentication
> against the external KDC via PAM on the IPA server before trying the local
> password store.  With my current 389 setup, clients are unaware of our
> campus KDC; the authentication is handled by my 389 server, and currently users
> in my LDAP who have campus accounts get their password verified via PAM and
> others in my LDAP use the local password stored in 389.
>
> The aspects of IPA aside from 389 are where my uncertainty lies.  For
> example, if I have LDAP authenticate against an external KDC via PAM, can
> the user still get a ticket from my IPA?
>
> Also getting a trust may not be possible even if freeipa makes the process
> easier.  This is a politics issue with our campus' main IT group and
> something I've worked around thus far.
>
> Is there anything in the changes to the stock 389 that would prevent this from
> working in IPA?  Also, is there a preferred method for enabling plugins in
> IPA?  Also, how could I test this?  Would a client machine joined to my IPA
> install be the best method?
>
> Thanks
> - Trey
>
> If you hit IPA with a Kerberos authentication, to the best of my knowledge
> the KDC will read the data from LDAP and use it for authentication. It would not
> do PAM proxy in this case. The PAM proxy would be possible only for the LDAP
> binds, so I am not sure whether things would work for you.
>
> I see that you try to augment the existing infrastructure but I am not sure
> I have a clear picture in my mind of the architecture you envision.
> Is there any chance that you can put together a diagram?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
>
>

Is the pam proxy for LDAP binds you mentioned using the method
documented here,
http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through ?  That
is what I have working currently with 389 by itself.

Do any diagrams exist of the existing infrastructure design for
FreeIPA?  I could augment an existing one to better illustrate my
intended usage.

A plain text example of what I do now, and wish to do with FreeIPA, is
something like this...

Client login (SSH, or LDAP from web app, anything that que

Re: [Freeipa-users] New User - Possible to point authentication to external KDC

2013-02-26 Thread Dmitri Pal
On 02/26/2013 01:31 AM, Trey Dockendorf wrote:
>
>
> On Feb 25, 2013 1:23 AM, "Dmitri Pal" wrote:
> >
> > On 02/23/2013 10:33 PM, Trey Dockendorf wrote:
> > > I have just begun evaluating FreeIPA, after having successfully used 389ds
> > > for a few months.  The move from 389 ds to FreeIPA is to leverage the
> > > authorization for host logins and also for simpler management.  The
> > > University I am deploying at has a campus-wide KDC, and for security
> > > and audit reasons I prefer to point my authentication services at that
> > > Kerberos realm rather than storing passwords.  I have successfully
> > > implemented this using the 389 ds PAM pass-through authentication
> > > plug-in, but have not found any documentation on how to do this same
> > > thing with FreeIPA.
> > >
> > > The complication with doing this is I do not have even a 1-way trust
> > > with the KDC.  Getting a trust (even 1-way) is very difficult if not
> > > impossible, but so far I've been able to make PAM work with that
> > > situation both using local authentication and now 389 ds, both through
> > > PAM.  Is it possible to have FreeIPA query a remote KDC while still
> > > being able to fall back to the local password store (i.e. external users
> > > not in the campus domain)?
> >
> > IPA uses the 389 DS so it might be possible to configure PAM pass
> > through, but there might be implications because if users are not in IPA
> > you would not get a ticket, and since you can't get a ticket you can't use
> > the UI and CLI. You can still bind using LDAP though, as you do with the 389.
> > So to manage IPA you would still have to have a user in IPA. However you
> > will have two KDCs and I do not know what implications there would be
> > for the clients; they might be confused.
> > Frankly you are better off with 389 now until we make setting up trusts
> > with other IPAs or MIT KDCs simple. We did that for AD but it requires a
> > clean DNS setup. I suspect DNS setup will be an issue in any case.
> >
> > >
> > > Thanks
> > > - Trey
> > >
> >
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager for IdM portfolio
> > Red Hat Inc.
> >
> >
> >
> >
> >
>
> Thanks for the response!  I do plan to have all my users in freeIPA.
> My goal is to have my freeIPA install just attempt a password
> authentication against the external KDC via PAM on the IPA server before
> trying the local password store.  With my current 389 setup, clients
> are unaware of our campus KDC; the authentication is handled by my 389
> server, and currently users in my LDAP who have campus accounts get
> their password verified via PAM and others in my LDAP use the local
> password stored in 389.
>
> The aspects of IPA aside from 389 are where my uncertainty lies.  For
> example, if I have LDAP authenticate against an external KDC via PAM,
> can the user still get a ticket from my IPA?
>
> Also getting a trust may not be possible even if freeipa makes the
> process easier.  This is a politics issue with our campus' main IT
> group and something I've worked around thus far.
>
> Is there anything in the changes to the stock 389 that would prevent this
> from working in IPA?  Also, is there a preferred method for enabling
> plugins in IPA?  Also, how could I test this?  Would a client machine
> joined to my IPA install be the best method?
>
> Thanks
> - Trey
>
If you hit IPA with a Kerberos authentication, to the best of my
knowledge the KDC will read the data from LDAP and use it for
authentication. It would not do PAM proxy in this case. The PAM proxy
would be possible only for the LDAP binds, so I am not sure whether
things would work for you.

I see that you try to augment the existing infrastructure, but I am not
sure I have a clear picture in my mind of the architecture you envision.
Is there any chance that you can put together a diagram?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] New User - Possible to point authentication to external KDC

2013-02-25 Thread Trey Dockendorf
On Feb 25, 2013 1:23 AM, "Dmitri Pal" wrote:
>
> On 02/23/2013 10:33 PM, Trey Dockendorf wrote:
> > I have just begun evaluating FreeIPA, after having successfully used 389ds
> > for a few months.  The move from 389 ds to FreeIPA is to leverage the
> > authorization for host logins and also for simpler management.  The
> > University I am deploying at has a campus-wide KDC, and for security
> > and audit reasons I prefer to point my authentication services at that
> > Kerberos realm rather than storing passwords.  I have successfully
> > implemented this using the 389 ds PAM pass-through authentication
> > plug-in, but have not found any documentation on how to do this same
> > thing with FreeIPA.
> >
> > The complication with doing this is I do not have even a 1-way trust
> > with the KDC.  Getting a trust (even 1-way) is very difficult if not
> > impossible, but so far I've been able to make PAM work with that
> > situation both using local authentication and now 389 ds, both through
> > PAM.  Is it possible to have FreeIPA query a remote KDC while still
> > being able to fall back to the local password store (i.e. external users
> > not in the campus domain)?
>
> IPA uses the 389 DS so it might be possible to configure PAM pass
> through, but there might be implications because if users are not in IPA
> you would not get a ticket, and since you can't get a ticket you can't use
> the UI and CLI. You can still bind using LDAP though, as you do with the 389.
> So to manage IPA you would still have to have a user in IPA. However you
> will have two KDCs and I do not know what implications there would be
> for the clients; they might be confused.
> Frankly you are better off with 389 now until we make setting up trusts
> with other IPAs or MIT KDCs simple. We did that for AD but it requires a
> clean DNS setup. I suspect DNS setup will be an issue in any case.
>
> >
> > Thanks
> > - Trey
> >
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
>
>
>

Thanks for the response!  I do plan to have all my users in freeIPA.  My
goal is to have my freeIPA install just attempt a password authentication
against the external KDC via PAM on the IPA server before trying the local
password store.  With my current 389 setup, clients are unaware of our
campus KDC; the authentication is handled by my 389 server, and currently users
in my LDAP who have campus accounts get their password verified via PAM and
others in my LDAP use the local password stored in 389.

The aspects of IPA aside from 389 are where my uncertainty lies.  For
example, if I have LDAP authenticate against an external KDC via PAM, can
the user still get a ticket from my IPA?

Also getting a trust may not be possible even if freeipa makes the process
easier.  This is a politics issue with our campus' main IT group and
something I've worked around thus far.

Is there anything in the changes to the stock 389 that would prevent this from
working in IPA?  Also, is there a preferred method for enabling plugins in
IPA?  Also, how could I test this?  Would a client machine joined to my IPA
install be the best method?

Thanks
- Trey

Re: [Freeipa-users] New User - Possible to point authentication to external KDC

2013-02-24 Thread Dmitri Pal
On 02/23/2013 10:33 PM, Trey Dockendorf wrote:
> I have just begun evaluating FreeIPA, after having successfully used 389ds
> for a few months.  The move from 389 ds to FreeIPA is to leverage the
> authorization for host logins and also for simpler management.  The
> University I am deploying at has a campus-wide KDC, and for security
> and audit reasons I prefer to point my authentication services at that
> Kerberos realm rather than storing passwords.  I have successfully
> implemented this using the 389 ds PAM pass-through authentication
> plug-in, but have not found any documentation on how to do this same
> thing with FreeIPA.
>
> The complication with doing this is I do not have even a 1-way trust
> with the KDC.  Getting a trust (even 1-way) is very difficult if not
> impossible, but so far I've been able to make PAM work with that
> situation both using local authentication and now 389 ds, both through
> PAM.  Is it possible to have FreeIPA query a remote KDC while still
> being able to fall back to the local password store (i.e. external users
> not in the campus domain)?

IPA uses the 389 DS so it might be possible to configure PAM pass
through, but there might be implications because if users are not in IPA
you would not get a ticket, and since you can't get a ticket you can't use
the UI and CLI. You can still bind using LDAP though, as you do with the 389.
So to manage IPA you would still have to have a user in IPA. However you
will have two KDCs and I do not know what implications there would be
for the clients; they might be confused.
Frankly you are better off with 389 now until we make setting up trusts
with other IPAs or MIT KDCs simple. We did that for AD but it requires a
clean DNS setup. I suspect DNS setup will be an issue in any case.

>
> Thanks
> - Trey
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







[Freeipa-users] New User - Possible to point authentication to external KDC

2013-02-23 Thread Trey Dockendorf
I have just begun evaluating FreeIPA, after having successfully used 389ds
for a few months.  The move from 389 ds to FreeIPA is to leverage the
authorization for host logins and also for simpler management.  The
University I am deploying at has a campus-wide KDC, and for security
and audit reasons I prefer to point my authentication services at that
Kerberos realm rather than storing passwords.  I have successfully
implemented this using the 389 ds PAM pass-through authentication
plug-in, but have not found any documentation on how to do this same
thing with FreeIPA.

The complication with doing this is I do not have even a 1-way trust
with the KDC.  Getting a trust (even 1-way) is very difficult if not
impossible, but so far I've been able to make PAM work with that
situation both using local authentication and now 389 ds, both through
PAM.  Is it possible to have FreeIPA query a remote KDC while still
being able to fall back to the local password store (i.e. external users
not in the campus domain)?

Thanks
- Trey

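The 389 DS mechanism Trey describes having in place, as an added example that is not part of the thread and not the FreeIPA project's own configuration: an LDIF modify record that enables the PAM Pass Through Auth plug-in so that LDAP simple binds are first checked through a PAM stack and, when PAM rejects them, fall back to the userPassword stored in the directory. The plug-in entry DN and the pam* attribute names follow the 389 DS PAM pass-through howto Trey links to; the PAM service name ldapserver, the ENTRY/uid identity mapping and the excluded suffix are assumptions chosen for this example.

```ldif
# Added example: enable the 389 DS PAM Pass Through Auth plug-in with
# local-password fallback. Attribute names follow the 389 DS howto; the
# service name, mapping method and suffixes are assumptions for the example.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# PAM service consulted for simple binds, i.e. /etc/pam.d/ldapserver on
# the directory server host (assumed name).
replace: pamService
pamService: ldapserver
-
# ENTRY: derive the PAM user name from the pamIDAttr of the entry that is
# binding, here its uid (assumed mapping).
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
-
# TRUE: if the PAM stack rejects the bind, retry it against the
# userPassword stored in the directory. This is the "fall back to the
# local password store" behaviour for accounts without a campus principal.
replace: pamFallback
pamFallback: TRUE
-
# TRUE: refuse PAM-backed binds on a connection without SSL/TLS, so the
# plaintext bind password is never accepted over an unprotected socket.
replace: pamSecure
pamSecure: TRUE
-
# Binds under cn=config (e.g. Directory Manager) are never sent to PAM,
# so an outage of the external KDC cannot lock out directory administration.
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
replace: pamMissingSuffix
pamMissingSuffix: ALLOW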