Bug 766070

Summary: [RFE] Allow forms based kerberos authentication for the IPA UI
Product: Red Hat Enterprise Linux 6
Reporter: Dmitri Pal <dpal>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.3
CC: jdennis, jgalipea, mgregg, mkosek, pvoborni
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-2.2.0-3.el6
Doc Type: Enhancement
Doc Text:
No documentation needed.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 13:18:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 736854

Description Dmitri Pal 2011-12-09 23:04:27 UTC
In some cases the machine that the UI should run from is not Linux or can't be a part of the domain. Also, the POC deployments of IPA want something simpler than what we currently offer. Some people in POC cases switch to basic auth as it is the only alternative we provide. This however sets a bad security precedent. To avoid this we should leverage the sessions and S4U ticket transformation work we are already doing and offer a form-based authentication for the IPA UI.

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2095

Comment 1 Rob Crittenden 2012-02-28 04:14:03 UTC
Backend committed upstream. UI work to come.

master: ee780df13c99a5465cd6df965772260c297a5eb2

ipa-2-2: 135e208a665a6f9b7cbba32371b35f8ea705c9cb

Comment 2 Petr Vobornik 2012-03-02 11:30:50 UTC
UI part committed upstream:

master:
 * 368c624a7445f6d3a34993a3835026bb383506e4
 * c643197b1918e405768f78ea9b4da7f09ee82326 

ipa-2-2:
 * 0dacc8b1f1075fa4956f475fbe717b960a88d353
 * 44aadf7aa9c80ea726c2b8687bb760550d55b0dc

Comment 5 Rob Crittenden 2012-03-21 03:22:11 UTC
Forms-based login and sessions are closely tied.

All forms-based login does is provide a simple screen where username and password can be collected. This is passed to kinit so we can obtain a TGT on behalf of the user. The resulting ccache is stored in a session on the server side and a secure cookie returned to the user. This is easiest to see using curl on the command-line.

$ kdestroy
$ cat login
user=admin&password=password
$ curl -v --dump-header login.response --cacert /etc/ipa/ca.crt -H 'Content-Type: application/x-www-form-urlencoded' 'https://ipa.example.com/ipa/session/login_password' -X POST -d @login

You'll get a login.response file created that will contain something like:

HTTP/1.1 200 Success
Date: Tue, 28 Feb 2012 18:48:06 GMT
Server: Apache/2.2.21 (Fedora)
Set-Cookie: ipa_session=11dd87c05b377a074bd67cb71c96ced1; httponly; Path=/ipa; secure
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
X-Pad: avoid browser bug

Now use that session to create a new user:

$ cat batch_request.json
{
    "method":"user_add",
    "params":[["joe"],{"givenname":"tim","sn":"user","all":true}
    ],
    "id":1
}
$ curl -v -H "Content-Type:application/json" -H "Referer: https://ipa.example.com/ipa/xml" -H "Accept:application/json" -H "Accept-Language:en" --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST -b "ipa_session=11dd87c05b377a074bd67cb71c96ced1" https://ipa.example.com/ipa/session/json

So now you just logged in and created a new user all without local credentials!

You can also log in via forms in the UI (you'll get the option when Negotiate fails, or you can go directly to /ipa/ui/login.html).

You can also log out of the UI using the logout button. This destroys your session.

Once you are authenticated using either Kerberos negotiation or Forms login you should have identical capabilities. Anything less is a bug.

Note that sessions also improve performance because we don't need to do Kerberos negotiate authentication with every request. There is still a delay when IPA has to fetch data over LDAP because some Kerberos auth is still happening there, but it is significantly faster.

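The two-step exchange shown in comment 5 (password POST to /ipa/session/login_password, then JSON-RPC to /ipa/session/json with the returned ipa_session cookie) as a small Python client. This is an added example, not code from the bug, from Red Hat, or from FreeIPA itself. It assumes the IPA CA chain lives at /etc/ipa/ca.crt and that the server wants a same-host Referer under /ipa; the session cookie it parses offline is the one quoted in the comment. Unlike the curl commands it refuses to send a password without verifying the server certificate, and it refuses to reuse a session cookie that is not flagged Secure and HttpOnly, because the cookie is a bearer handle to the server-side ccache and is worth as much as the password it replaced.

```python
"""Client for the FreeIPA forms-based session login described in comment 5.

Added example, not code from the bug report or from FreeIPA. Flow:
  1. POST user=...&password=... to /ipa/session/login_password
  2. the server kinits on our behalf, keeps the ccache server-side and
     returns an ipa_session cookie (Secure + HttpOnly, Path=/ipa)
  3. send JSON-RPC to /ipa/session/json carrying that cookie
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

# Assumption: the CA chain a FreeIPA client installs; adjust for your host.
IPA_CA_CERT = "/etc/ipa/ca.crt"

# Constructed sample, copied from the Set-Cookie line quoted in comment 5.
SAMPLE_SET_COOKIE = "ipa_session=11dd87c05b377a074bd67cb71c96ced1; httponly; Path=/ipa; secure"


def parse_session_cookie(set_cookie: str) -> dict:
    """Return {"id", "path", "secure", "httponly"} for the ipa_session cookie.

    Raises ValueError when the cookie is absent or not Secure+HttpOnly: a session
    id that could be replayed over plain HTTP or read by page script gives an
    attacker the same access as the password that was exchanged for it.
    """
    if set_cookie.lower().startswith("set-cookie:"):
        set_cookie = set_cookie.split(":", 1)[1].strip()
    jar = SimpleCookie()
    jar.load(set_cookie)
    if "ipa_session" not in jar:
        raise ValueError("response carried no ipa_session cookie")
    m = jar["ipa_session"]
    info = {
        "id": m.value,
        "path": m["path"],
        "secure": bool(m["secure"]),
        "httponly": bool(m["httponly"]),
    }
    if not (info["secure"] and info["httponly"]):
        raise ValueError("ipa_session cookie lacks Secure/HttpOnly: %r" % set_cookie)
    return info


def build_json_request(method: str, args=(), options=None, req_id: int = 1) -> dict:
    """IPA JSON-RPC envelope: params is [positional args, keyword options]."""
    return {"method": method, "params": [list(args), dict(options or {})], "id": req_id}


def _tls_context() -> ssl.SSLContext:
    # Trust only the IPA CA; hostname verification stays on (no equivalent of curl -k).
    return ssl.create_default_context(cafile=IPA_CA_CERT)


def session_login(host: str, user: str, password: str) -> str:
    """Exchange a password for a session id (the handle to the server-side ccache)."""
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(
        f"https://{host}/ipa/session/login_password", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, context=_tls_context()) as resp:
            return parse_session_cookie(resp.headers.get("Set-Cookie") or "")["id"]
    except urllib.error.HTTPError as e:
        # A rejected password comes back as an HTTP error; surface it, do not retry blindly.
        raise PermissionError(f"login rejected: HTTP {e.code}") from None


def json_call(host: str, session_id: str, method: str, args=(), options=None):
    """Run an IPA command through the session endpoint and return its result."""
    payload = json.dumps(build_json_request(method, args, options)).encode()
    req = urllib.request.Request(
        f"https://{host}/ipa/session/json", data=payload, method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            # Assumption: IPA requires a Referer on the same host under /ipa.
            "Referer": f"https://{host}/ipa",
            # Only name=value goes in the Cookie header, never the Set-Cookie attributes.
            "Cookie": f"ipa_session={session_id}",
        })
    with urllib.request.urlopen(req, context=_tls_context()) as resp:
        reply = json.load(resp)
    if reply.get("error"):
        raise RuntimeError(reply["error"])
    return reply["result"]


if __name__ == "__main__":
    # Offline part: parse the cookie from the sample response quoted in the bug.
    print(parse_session_cookie(SAMPLE_SET_COOKIE))
    print(json.dumps(build_json_request("user_add", ["joe"], {"givenname": "tim", "sn": "user", "all": True})))
    # Online part, against a reachable IPA server (hostname assumed):
    #   sid = session_login("ipa.example.com", "admin", "password")
    #   print(json_call("ipa.example.com", sid, "user_add", ["joe"], {"givenname": "tim", "sn": "user"}))
```

The parser is the piece worth keeping even if you script the rest with curl: it is where a client notices that a proxy or misconfigured vhost stripped the Secure flag, which would otherwise go unnoticed until the session id shows up in a plaintext capture.
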
Comment 7 Jenny Severance 2012-04-19 14:40:42 UTC
verified:

================ final pass/fail report =================
   Test Date: Thu Apr 19 10:39:00 EDT 2012 
   Total : [9] 
   Passed: [9] 
   Failed: [0] 
   Abort : [0]
   Crash : [0]
---------------------------------------------------------
   [   PASS   ]      forms-cli startup  Check for ipa-server package
   [   PASS   ]      forms-cli-01  Destroy credentials
   [   PASS   ]      forms-cli-02  Ensure that json script does not work without a valid session ID
   [   PASS   ]      forms-cli-03  ensure that you cannot get a valid session id with bad credentials.
   [   PASS   ]      forms-cli-04  attempt to create a new group with bad credentials.
   [   PASS   ]      forms-cli-05  Get a valid session id with good credentials.
   [   PASS   ]      forms-cli-06  Create a new user with the acquired session id. ie, retry forms-cli-02 with valid credentials.
   [   PASS   ]      forms-cli-07  Create a new group with the acquired session id. ie, retry forms-cli-03 with valid credentials.
   [   PASS   ]      forms-cli-08  Delete the group created in the last step using valid credentials in a form.



version : ipa-server-2.2.0-9.el6.x86_64

Comment 9 Martin Kosek 2012-04-25 12:22:41 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 12 errata-xmlrpc 2012-06-20 13:18:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html