Bug 766070
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [RFE] Allow forms based kerberos authentication for the IPA UI | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Dmitri Pal <dpal> |
| Component | ipa | Assignee | Rob Crittenden <rcritten> |
| Status | CLOSED ERRATA | QA Contact | IDM QE LIST <seceng-idm-qe-list> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 6.3 | CC | jdennis, jgalipea, mgregg, mkosek, pvoborni |
| Target Milestone | rc | Keywords | FutureFeature |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | ipa-2.2.0-3.el6 | Doc Type | Enhancement |
| Doc Text | No documentation needed. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2012-06-20 13:18:16 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 736854 | | |
Description
Dmitri Pal
2011-12-09 23:04:27 UTC
Backend committed upstream. UI work to come.

master: ee780df13c99a5465cd6df965772260c297a5eb2
ipa-2-2: 135e208a665a6f9b7cbba32371b35f8ea705c9cb

UI part committed upstream:

master:
* 368c624a7445f6d3a34993a3835026bb383506e4
* c643197b1918e405768f78ea9b4da7f09ee82326

ipa-2-2:
* 0dacc8b1f1075fa4956f475fbe717b960a88d353
* 44aadf7aa9c80ea726c2b8687bb760550d55b0dc

Forms-based login and sessions are closely tied. All forms-based login does is provide a simple screen where username and password can be collected. This is passed to kinit so we can obtain a TGT on behalf of the user. The resulting ccache is stored in a session on the server side and a secure cookie returned to the user.

This is easiest to see using curl on the command-line.

```shell
$ kdestroy
$ cat login
user=admin&password=password
$ curl -v --dump-header login.response --ssl -k -H 'Content-Type: application/x-www-form-urlencoded' 'https://ipa.example.com/ipa/session/login_password' -X POST -d @login
```

You'll get a login.response file created that will contain something like:

```
HTTP/1.1 200 Success
Date: Tue, 28 Feb 2012 18:48:06 GMT
Server: Apache/2.2.21 (Fedora)
Set-Cookie: ipa_session=11dd87c05b377a074bd67cb71c96ced1; httponly; Path=/ipa; secure
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
X-Pad: avoid browser bug
```

Now use that session to create a new user:

```shell
$ cat batch_request.json
{
    "method":"user_add",
    "params":[[],{"givenname":"tim","sn":"user","krbprincipalname":"joe","all":true} ],
    "id":1
}
$ curl -v -H "Content-Type:application/json" -H "Referer: https://rawhide.example/ipa/xml" -H "Accept:application/json" -H "Accept-Language:en" --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST -b "ipa_session=11dd87c05b377a074bd67cb71c96ced1; httponly; Path=/ipa; secure" https://rawhide.example.com/ipa/session/json
```

So now you just logged in and created a new user all without local credentials!
When you log in via forms in the UI (you'll get an option when Negotiate fails, or you can go to /ipa/ui/login.html). You can also log out of the UI using the logout button. This destroys your session.

Once you are authenticated using either Kerberos negotiation or Forms login you should have identical capabilities. Anything less is a bug.

Note that sessions also improve performance because we don't need to do Kerberos negotiate authentication with every request. There is still a delay when IPA has to fetch data over LDAP because some Kerberos auth is still happening there, but it is significantly faster.

verified ::

```
================ final pass/fail report =================
Test Date: Thu Apr 19 10:39:00 EDT 2012
Total : [9] Passed: [9] Failed: [0] Abort : [0] Crash : [0]
---------------------------------------------------------
[ PASS ] forms-cli startup Check for ipa-server package
[ PASS ] forms-cli-01 Destroy credentials
[ PASS ] forms-cli-02 Ensure that json script does not work without a valid session ID
[ PASS ] forms-cli-03 ensure that you cannot get a valid session id with bad credentials.
[ PASS ] forms-cli-04 attempt to create a new group with bad credentials.
[ PASS ] forms-cli-05 Get a valid session id with good credentials.
[ PASS ] forms-cli-06 Create a new user with the aquired session id. ie, retry forms-cli-02 with valid credentials.
[ PASS ] forms-cli-07 Create a new group with the aquired session id. ie, retry forms-cli-03 with valid credentials.
[ PASS ] forms-cli-08 Delete the group created in the last step using valid credentials in a form.
```

version : ipa-server-2.2.0-9.el6.x86_64

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No documentation needed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html
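The login-then-call flow that the curl commands in the thread walk through, as an added Python example (not IPA's own client code): the HTTP transport is injected and replaced by a constructed stand-in so the flow runs offline; the endpoints, the Set-Cookie line and the JSON-RPC request shape are taken from the thread, while the stand-in's behaviour and the secure/httponly check are this example's own assumptions.

```python
import json
from http.cookies import SimpleCookie
from urllib.parse import urlencode
LOGIN_PATH = "/ipa/session/login_password"   # endpoint from the page
JSON_PATH = "/ipa/session/json"              # endpoint from the page

class IPASession:
    def __init__(self, host, transport):
        # transport(method, url, headers, body) -> (status, headers, body), injected so the flow runs offline
        self.host, self.transport, self.session_id = host, transport, None

    def login(self, user, password):
        form = urlencode({"user": user, "password": password})
        status, headers, _ = self.transport("POST", f"https://{self.host}{LOGIN_PATH}",
            {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise PermissionError(f"login rejected: HTTP {status}")
        jar = SimpleCookie()
        jar.load(headers.get("Set-Cookie", ""))
        morsel = jar.get("ipa_session")
        # The TGT stays in the server-side ccache; this cookie is the only client-side
        # secret, so refuse one the server did not flag both secure and httponly.
        if morsel is None or not (morsel["secure"] and morsel["httponly"]):
            raise ValueError("ipa_session cookie missing or not secure+httponly")
        self.session_id = morsel.value
        return self.session_id

    def call(self, method, args=(), options=None, req_id=1):
        if self.session_id is None:
            raise PermissionError("not logged in")
        req = {"method": method, "params": [list(args), options or {}], "id": req_id}  # page's request shape
        hdrs = {"Content-Type": "application/json", "Accept": "application/json",
                "Referer": f"https://{self.host}/ipa/xml",
                "Cookie": f"ipa_session={self.session_id}"}
        status, _, body = self.transport("POST", f"https://{self.host}{JSON_PATH}", hdrs, json.dumps(req))
        if status != 200:
            raise PermissionError(f"call rejected: HTTP {status}")
        return json.loads(body)

# Constructed offline stand-in for the server: replays the Set-Cookie line captured on
# the page and, like the real endpoint, rejects JSON calls without a valid session.
SESSION = "11dd87c05b377a074bd67cb71c96ced1"
def fake_transport(method, url, headers, body):
    if url.endswith(LOGIN_PATH):
        if body != urlencode({"user": "admin", "password": "password"}):
            return 401, {}, ""  # bad credentials yield no session (forms-cli-03)
        return 200, {"Set-Cookie": f"ipa_session={SESSION}; httponly; Path=/ipa; secure"}, ""
    if headers.get("Cookie") != f"ipa_session={SESSION}":
        return 401, {}, ""  # no or invalid session cookie (forms-cli-02)
    return 200, {}, json.dumps({"result": {"summary": f"ok: {json.loads(body)['method']}"}, "id": 1})
```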