Bug 766070 - [RFE] Allow forms based kerberos authentication for the IPA UI
Summary: [RFE] Allow forms based kerberos authentication for the IPA UI
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 736854
Reported: 2011-12-09 23:04 UTC by Dmitri Pal
Modified: 2012-06-20 13:18 UTC

Fixed In Version: ipa-2.2.0-3.el6
Doc Type: Enhancement
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:18:16 UTC
Target Upstream Version:
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2012:0819 | 0 | normal | SHIPPED_LIVE | ipa bug fix and enhancement update | 2012-06-19 20:34:17 UTC

Description Dmitri Pal 2011-12-09 23:04:27 UTC
In some cases the machine that the UI should run from is not Linux or can't be a part of the domain. Also the POC deployments of IPA want something more simple than what we currently offer. Some people in POC cases switch to the basic auth as it is the only alternative we provide. This however sets a bad security precedent. To avoid this we should leverage the sessions and S4U ticket transformation work we are already doing and offer a form based authentication for IPA UI.

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2095

Comment 1 Rob Crittenden 2012-02-28 04:14:03 UTC
Backend committed upstream. UI work to come.

master: ee780df13c99a5465cd6df965772260c297a5eb2

ipa-2-2: 135e208a665a6f9b7cbba32371b35f8ea705c9cb

Comment 2 Petr Vobornik 2012-03-02 11:30:50 UTC
UI part committed upstream:

master:
 * 368c624a7445f6d3a34993a3835026bb383506e4
 * c643197b1918e405768f78ea9b4da7f09ee82326 

ipa-2-2:
 * 0dacc8b1f1075fa4956f475fbe717b960a88d353
 * 44aadf7aa9c80ea726c2b8687bb760550d55b0dc

Comment 5 Rob Crittenden 2012-03-21 03:22:11 UTC
Forms-based login and sessions are closely tied.

All forms-based login does is provide a simple screen where username and password can be collected. This is passed to kinit so we can obtain a TGT on behalf of the user. The resulting ccache is stored in a session on the server side and a secure cookie returned to the user. This is easiest to see using curl on the command-line.

$ kdestroy
$ cat login
user=admin&password=password
$ curl -v --dump-header login.response --ssl -k -H 'Content-Type: application/x-www-form-urlencoded' 'https://ipa.example.com/ipa/session/login_password' -X POST -d @login

You'll get a login.response file created that will contain something like:

HTTP/1.1 200 Success
Date: Tue, 28 Feb 2012 18:48:06 GMT
Server: Apache/2.2.21 (Fedora)
Set-Cookie: ipa_session=11dd87c05b377a074bd67cb71c96ced1; httponly; Path=/ipa; secure
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
X-Pad: avoid browser bug

Now use that session to create a new user:

$ cat batch_request.json 
{
    "method":"user_add",
    "params":[[],{"givenname":"tim","sn":"user","krbprincipalname":"joe","all":true}
    ],
    "id":1
}
$ curl -v -H "Content-Type:application/json" -H "Referer: https://rawhide.example/ipa/xml" -H "Accept:application/json" -H "Accept-Language:en" --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST -b "ipa_session=11dd87c05b377a074bd67cb71c96ced1; httponly; Path=/ipa; secure" https://rawhide.example.com/ipa/session/json

So now you just logged in and created a new user all without local credentials!

When you log in via forms in the UI (you'll get an option when Negotiate fails, or you can go to /ipa/ui/login.html)

You can also log out of the UI using the logout button. This destroys your session.

Once you are authenticated using either Kerberos negotiation or Forms login you should have identical capabilities. Anything less is a bug.

Note that sessions also improve performance because we don't need to do Kerberos negotiate authentication with every request. There is still a delay when IPA has to fetch data over LDAP because some Kerberos auth is still happening there, but it is significantly faster.
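
The exchange described in this comment (form POST for a session cookie, then JSON-RPC with that cookie), as an added example that is not part of the original comment and not FreeIPA code. The server half is a constructed local stand-in that models only the contract visible above: the endpoint paths, the ipa_session cookie with its httponly/secure/Path=/ipa attributes, and a 401 for bad credentials or a missing session. The credentials, the session id format, the JSON-RPC reply shape and the use of plain HTTP on 127.0.0.1 are all assumptions of the stand-in; a real deployment is TLS-only. The client half shows what a tester checks: bad credentials get no session, the JSON endpoint refuses a request without a session, and the cookie carries the flags that keep the session id away from scripts and off plaintext HTTP (the same checks the forms-cli cases in comment 7 exercise).

```python
import json
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# --- Constructed stand-in for the server side (NOT FreeIPA code) --------------
VALID_USERS = {"admin": "password"}   # constructed test credentials
SESSIONS = {}                          # session id -> authenticated user


class FakeIPAHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):      # silence per-request logging
        pass

    def _body(self):
        return self.rfile.read(int(self.headers.get("Content-Length", 0)))

    def _reply(self, status, body=b"", extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.path == "/ipa/session/login_password":
            form = parse_qs(self._body().decode())
            user = form.get("user", [""])[0]
            if VALID_USERS.get(user) != form.get("password", [""])[0]:
                return self._reply(401)
            sid = secrets.token_hex(16)    # real IPA's id format is not modelled
            SESSIONS[sid] = user
            cookie = f"ipa_session={sid}; httponly; Path=/ipa; secure"
            return self._reply(200, extra=[("Set-Cookie", cookie)])
        if self.path == "/ipa/session/json":
            jar = SimpleCookie(self.headers.get("Cookie", ""))
            sid = jar["ipa_session"].value if "ipa_session" in jar else None
            if sid not in SESSIONS:
                return self._reply(401)
            rpc = json.loads(self._body())
            body = {"result": {"method": rpc["method"], "principal": SESSIONS[sid]},
                    "error": None, "id": rpc["id"]}
            return self._reply(200, json.dumps(body).encode(),
                               [("Content-Type", "application/json")])
        self._reply(404)


# --- Client side: the two requests the comment shows with curl ----------------
def parse_session_cookie(set_cookie):
    """Return (session id, flags) from a Set-Cookie header. HttpOnly keeps the
    id away from page scripts, Secure keeps it off plaintext HTTP, and
    Path=/ipa limits which URLs the browser sends it to."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    m = jar["ipa_session"]
    return m.value, {"httponly": bool(m["httponly"]), "secure": bool(m["secure"]),
                     "path": m["path"]}


def forms_login(base_url, user, password):
    """POST the login form; return (session id, flags), or (None, {}) on 401."""
    req = Request(base_url + "/ipa/session/login_password",
                  data=urlencode({"user": user, "password": password}).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"},
                  method="POST")
    try:
        with urlopen(req) as resp:
            return parse_session_cookie(resp.headers["Set-Cookie"])
    except HTTPError as err:
        if err.code == 401:
            return None, {}
        raise


def session_rpc(base_url, sid, method, args, options):
    """Call the JSON-RPC endpoint with the session cookie; return (status, body)."""
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Referer": base_url + "/ipa/xml"}   # same Referer the curl call sends
    if sid is not None:
        headers["Cookie"] = f"ipa_session={sid}"
    payload = {"method": method, "params": [args, options], "id": 1}
    req = Request(base_url + "/ipa/session/json", data=json.dumps(payload).encode(),
                  headers=headers, method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, None


def demo():
    """Run the whole exchange against the local stand-in and collect the outcomes."""
    server = HTTPServer(("127.0.0.1", 0), FakeIPAHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"   # stand-in only; real IPA is TLS
    try:
        bad_sid, _ = forms_login(base, "admin", "wrong-password")
        sid, flags = forms_login(base, "admin", "password")
        opts = {"givenname": "tim", "sn": "user", "krbprincipalname": "joe", "all": True}
        anon_status, _ = session_rpc(base, None, "user_add", [], opts)
        status, body = session_rpc(base, sid, "user_add", [], opts)
    finally:
        server.shutdown()
        server.server_close()
    return {"bad_login": bad_sid, "flags": flags, "anon_status": anon_status,
            "auth_status": status,
            "principal": body["result"]["principal"] if body else None}


if __name__ == "__main__":
    print(demo())
```

parse_session_cookie also works on the login.response header quoted above; run it against that Set-Cookie line to confirm all three attributes are present before trusting a deployment's session handling.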

Comment 7 Jenny Severance 2012-04-19 14:40:42 UTC
verified:

================ final pass/fail report =================
   Test Date: Thu Apr 19 10:39:00 EDT 2012 
   Total : [9] 
   Passed: [9] 
   Failed: [0] 
   Abort : [0]
   Crash : [0]
---------------------------------------------------------
   [   PASS   ]      forms-cli startup  Check for ipa-server package
   [   PASS   ]      forms-cli-01  Destroy credentials
   [   PASS   ]      forms-cli-02  Ensure that json script does not work without a valid session ID
   [   PASS   ]      forms-cli-03  ensure that you cannot get a valid session id with bad credentials.
   [   PASS   ]      forms-cli-04  attempt to create a new group with bad credentials.
   [   PASS   ]      forms-cli-05  Get a valid session id with good credentials.
   [   PASS   ]      forms-cli-06  Create a new user with the acquired session id. ie, retry forms-cli-02 with valid credentials.
   [   PASS   ]      forms-cli-07  Create a new group with the acquired session id. ie, retry forms-cli-03 with valid credentials.
   [   PASS   ]      forms-cli-08  Delete the group created in the last step using valid credentials in a form.



version : ipa-server-2.2.0-9.el6.x86_64

Comment 9 Martin Kosek 2012-04-25 12:22:41 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No documentation needed.

Comment 12 errata-xmlrpc 2012-06-20 13:18:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

