Bug 1317379
Summary: | [EXPERIMENTAL][RFE] Web UI: allow Smart Card authentication | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> | |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | |
Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> | |
Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe> | |
Priority: | unspecified | |||
Version: | 7.3 | CC: | afarley, apetrova, jcholast, jfenal, jpazdziora, mkosek, nsoman, pvoborni, rcritten, rpattath | |
Target Milestone: | rc | Keywords: | FutureFeature, TechPreview | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | ipa-4.4.0-8.el7 | Doc Type: | Technology Preview | |
Doc Text: |
IdM web UI enables smart card login
The Identity Management (IdM) web UI enables users to log in using smart cards. Note that this feature is experimental and not supported.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1366572 1402820 | Environment: | ||
Last Closed: | 2016-11-04 05:51:57 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1343422 | |||
Bug Blocks: | 1366572, 1402820, 1411849 |
Description
Martin Kosek
2016-03-14 07:12:53 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5764

This feature was investigated and implemented as a POC for IdM in RHEL-7.3. Given current IdM Server architecture around its Web (Apache) service, the solution cannot unfortunately be claimed as ready for production use due to security concerns and lack of privilege separation. Therefore, the feature will be only presented as an Experimental feature for users, where they can qualify it, test in their environment and report back if it works and satisfies the expectations/requirements. The feature won't be enabled by default and will require configuration (including API/CLI and Web UI plugins).

Upstream feature page is here: http://www.freeipa.org/page/V4/External_Authentication

Current configuration procedure is being developed here: http://www.freeipa.org/page/V4/External_Authentication/Setup

Given the above, I am changing the feature to "Experimental". A new Bugzilla will be created to track "proper" implementation that is secure and better suited for production use.

master:
https://fedorahosted.org/freeipa/changeset/1c73ac91a4c76cbada91f2b30d8b731b91af5195
https://fedorahosted.org/freeipa/changeset/c36d721a01106e24186bd6b2f0fc74d7af31d5ba

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d25a0725c0e09891bd0df927641dac878dfe6a7d

The page http://www.freeipa.org/page/V4/External_Authentication/Setup describes the status of the smart card / x509 certificate authentication in FreeIPA 4.4 and in the upcoming RHEL release. It relies on WebUI plugin and Apache HTTP Server configuration, available from external yum repository.
[root@dhcp129-34 ~]# rpm -qi ipa-server
Name        : ipa-server
Version     : 4.4.0
Release     : 12.el7
Architecture: x86_64
Install Date: Wed 21 Sep 2016 12:16:46 PM EDT
Group       : System Environment/Base
Size        : 1019056
License     : GPLv3+
Signature   : (none)
Source RPM  : ipa-4.4.0-12.el7.src.rpm
Build Date  : Fri 16 Sep 2016 05:23:17 AM EDT
Build Host  : x86-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Followed the instruction in the document in comment 8. The certificate on the card was issued by an external CA and the CA was trusted on the browser. The token was loaded on the browser. Password was set for the ipa user, su to the user prompted for new password as the password had expired.

Login to IPA web UI using the smartcard pin was successful.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html