Bug 1343422 - [RFE] Add GssapiImpersonate option
Summary: [RFE] Add GssapiImpersonate option
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_auth_gssapi   
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Simo Sorce
QA Contact: Namita Soman
URL:
Whiteboard:
Keywords: FutureFeature
Depends On: 1346883
Blocks: 1317377 1317379 1366572 1402820
 
Reported: 2016-06-07 10:07 UTC by Simo Sorce
Modified: 2017-03-14 11:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 05:54:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Simo Sorce 2016-06-07 10:07:46 UTC
This option is required by the upcoming IdM (ipa-server) release

Comment 1 Petr Vobornik 2016-06-07 10:36:07 UTC
I'll add more info, from pull request <https://github.com/modauthgssapi/mod_auth_gssapi/pull/87/commits/03d965e57abddc0eed2b4987c866b049921d06d7>:

"""
### GssapiImpersonate

This option can be used even if AuthType GSSAPI is not used for given
Location or LocationMatch, to obtain service ticket for a user that was
already authenticated by different module.

The principal of the user is retrieved from the internal r->user
identifier which typically holds the username from the authentication
results.

Make sure the server principal is set to allow to acquire forwardable
tickets to itself from arbitrary users, for use with constrained
delegation, for example with the option +ok_to_auth_as_delegate.

- **Enable with:** GssapiImpersonate On
- **Default:** GssapiImpersonate Off
"""

It is needed for bug 1317377 - IdM, Web UI: allow Federated authentication.
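For readers wanting to see how the option described above fits into an httpd configuration, the following is an added example; it is not configuration from this bug, the pull request, or the IPA project. The Location path, hostname, realm, keytab path, credential-cache directory, and the use of mod_ssl's SSLUserName as the "different module" that fills r->user are all assumptions; the kadmin line is the assumed way to set +ok_to_auth_as_delegate on the server principal.

```apache
# Added example, not the bug's, the PR's or IPA's own configuration.
# Location, hostname, realm, keytab path and ccache directory are assumptions.

# Prerequisite on the KDC (assumed kadmin syntax): the HTTP service principal
# must be allowed to obtain forwardable tickets to itself on behalf of
# arbitrary users (constrained delegation), as the PR text describes:
#   kadmin.local: modprinc +ok_to_auth_as_delegate HTTP/www.example.com@EXAMPLE.COM

<Location "/app/certlogin">
    # Authentication is NOT done by mod_auth_gssapi here. mod_ssl verifies the
    # client certificate and copies its CN into r->user. Whatever lands in
    # r->user is the principal mod_auth_gssapi will impersonate, so this
    # mapping must produce a trusted, canonical Kerberos principal name
    # ("alice" for alice@EXAMPLE.COM); a CN the client can choose freely would
    # let the module obtain a ticket for any user.
    SSLVerifyClient require
    SSLUserName SSL_CLIENT_S_DN_CN
    Require ssl-verify-client

    # No "AuthType GSSAPI": the module only acquires a service ticket for the
    # user named in r->user, using the server's own credentials.
    GssapiImpersonate On
    GssapiCredStore keytab:/etc/httpd/conf/http.keytab

    # Store the obtained credentials in a per-user cache (directory assumed to be
    # private to the httpd user) so a backend called by the application can
    # reuse them; S4U2Proxy is what lets the server present them onwards.
    GssapiUseS4U2Proxy On
    GssapiDelegCcacheDir /var/run/httpd/ccaches
</Location>
```

The security-relevant point is the trust boundary: with GssapiImpersonate On, the module never sees the user's own credentials and simply believes r->user, so the upstream authenticator's identity mapping (here the certificate CN, in the IPA smart-card case the certificate-to-user lookup) is what decides which user the server obtains a ticket for. Keep the credential-cache directory readable only by the httpd user, and limit +ok_to_auth_as_delegate to the service principals that actually need it.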

Comment 7 Kaleem 2016-08-29 10:04:21 UTC
Please provide steps to verify this.

Comment 8 Jan Pazdziora 2016-08-29 11:15:21 UTC
It could likely be tested as part of the smart card / x509 feature testing:

http://www.freeipa.org/page/V4/External_Authentication/Setup

Comment 9 Simo Sorce 2016-08-29 14:48:21 UTC
Please see the page Jan posted.

Comment 10 Scott Poore 2016-09-22 14:30:18 UTC
FYI, I do see that option on an IPA server being used for testing IPA Web UI authentication with smart cards.



[root@auto-hv-02-guest07 ~]# cd /etc/httpd/conf.d

[root@auto-hv-02-guest07 conf.d]# ls
autoindex.conf      ipa-rewrite.conf      userdir.conf
ipa.conf            lookup_identity.conf  welcome.conf
ipa-kdc-proxy.conf  nss.conf              xx-ipa-experimental-x509-auth.conf
ipa-pki-proxy.conf  README

[root@auto-hv-02-guest07 conf.d]# grep -i gssapiimpersonate *
xx-ipa-experimental-x509-auth.conf:  GssapiImpersonate On

Comment 11 Roshni 2016-09-22 14:33:34 UTC
[root@dhcp129-34 ~]# rpm -qi ipa-server
Name        : ipa-server
Version     : 4.4.0
Release     : 12.el7
Architecture: x86_64
Install Date: Wed 21 Sep 2016 12:16:46 PM EDT
Group       : System Environment/Base
Size        : 1019056
License     : GPLv3+
Signature   : (none)
Source RPM  : ipa-4.4.0-12.el7.src.rpm
Build Date  : Fri 16 Sep 2016 05:23:17 AM EDT
Build Host  : x86-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Followed the instruction in the document in comment 8. The certificate on the card was issued by an external CA and the CA was trusted on the browser. The token was loaded on the browser. Password was set for the ipa user; su to the user prompted for a new password as the password had expired. Login to IPA web UI using the smartcard PIN was successful.

Comment 12 Roshni 2016-09-22 14:34:50 UTC
[root@dhcp129-34 ~]# rpm -qi mod_auth_gssapi
Name        : mod_auth_gssapi
Version     : 1.4.0
Release     : 1.el7
Architecture: x86_64
Install Date: Wed 21 Sep 2016 12:16:21 PM EDT
Group       : System Environment/Daemons
Size        : 137027
License     : MIT
Signature   : RSA/SHA256, Wed 27 Jul 2016 11:19:04 AM EDT, Key ID 938a80caf21541eb
Source RPM  : mod_auth_gssapi-1.4.0-1.el7.src.rpm
Build Date  : Tue 21 Jun 2016 10:00:58 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/modauthgssapi/mod_auth_gssapi
Summary     : A GSSAPI Authentication module for Apache

the above build was used for verification

Comment 14 errata-xmlrpc 2016-11-04 05:54:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

