Allow login to WebUI using Kerberos aliases/enterprise principals #420
Conversation
ghost
self-assigned this
|
LGTM and works as expected. Not ACKing only because it's marked as WIP. |
ipaserver/rpcserver.py
Outdated
| @@ -977,7 +960,7 @@ def __call__(self, environ, start_response): | |||
| # Get the ccache we'll use and attempt to get credentials in it with user,password | |||
| ipa_ccache_name = get_ipa_ccache_name() | |||
| try: | |||
| self.kinit(user, self.api.env.realm, password, ipa_ccache_name) | |||
| self.kinit(unicode(user_principal), password, ipa_ccache_name) | |||
There was a problem hiding this comment.
Nitpick: unicode is not necessary, kinit() does the conversion anyway.
There was a problem hiding this comment.
Oh okay I missed that.
|
I would wait with ACKing/pushing this PR until #314 is pushed. |
martbab
force-pushed
the
webui-login-aliases
branch
from
ca157de
to
0061ffc
Compare
martbab
changed the title
|
Now that privilege separation was implemented I have rebased the PR and request a proper review of this patch. |
|
@abbra can you also have a quick look at this PR if it is OK from the trusted user login perspective? |
ipaserver/rpcserver.py
Outdated
| # username is of the form user or of some wild form, e.g. | ||
| # user@REALM1@REALM2 or NetBIOS1\NetBIOS2\user (see normalize_name) | ||
| # user@REALM1@REALM2 or NetBIOS1\NetBIOS2\user |
There was a problem hiding this comment.
The comment is not true because ipapython.kerberos.Principal does not expect NetBIOS1\user, it only expects normal Kerberos principals.
There was a problem hiding this comment.
That's true I will fix that.
ipaserver/rpcserver.py
Outdated
|
|
||
| # wild form username will fail at kinit, so nothing needs to be done | ||
| pass | ||
| if not (user_principal.is_user or user_principal.is_enterprise): |
There was a problem hiding this comment.
This code actually prevents services to contact us. you should also allow user_principal.is_service.
There was a problem hiding this comment.
Does it make sense for a service to use WebUI? Or is the login_kerberos handler used anywhere else? AFAIK it handles only WebUI logins currently.
There was a problem hiding this comment.
login_kerberos can be used by any API user, e.g. any Kerberos principal. I'd prefer to not remove this possibility.
There was a problem hiding this comment.
Thanks for catching this, I have not realized that. I will then remove all restrictions apart from being parseable principal name.
|
@abbra I have a question regarding one of your comments, please review. |
The logic of the extraction/validation of principal from the request and subsequent authentication was simplified and most of the guesswork will be done by KDC during kinit. This also allows principals from trusted domains to login via rpcserver. https://fedorahosted.org/freeipa/ticket/6343
martbab
force-pushed
the
webui-login-aliases
branch
from
0061ffc
to
7ebf113
Compare
|
Thanks. LGTM and works for me with IPA user, IPA host principal, and AD user. The latter cannot yet actually use Web UI but that is a separate PR. |
|
master:
|
ghost
closed this
The logic of the extraction/validation of principal from the request and
subsequent authentication was simplified and most of the guesswork will be done
by KDC during kinit. This allows for using principal aliases/enterprise
principals to log into WebUI and also lays foundation for enabling logons from
users from trusted domains.
https://fedorahosted.org/freeipa/ticket/6343