This is a very good explanation, Alexander!

It is unfortunate that I cannot intercept user credentials at logon.

I have a mix of different users. Some of them are native FreeIPA users who can authenticate without a problem, but there are also some users that are not from FreeIPA. I need to figure out that these are foreign users and, instead of failing authentication, authenticate them as a different predefined valid IPA user.


I also need to preserve the credentials that they entered in the Front end to communicate them to another application.

Can I map users with a certain logon name, for example <user>@foreignDomain, to a specific user in IPA using a SASL mapping?

If I added a new SASL mechanism and forced the front end to use it, would I be able to use it before SASL GSS-SPNEGO or SASL GSSAPI are invoked?

Thanks,

Elena Fedorov
Senior Managing Consultant, IBM Analytics Cloud Expert Services SDK API
T:613-356-6106


From: Alexander Bokovoy <abokovoy@redhat.com>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Rob Crittenden <rcritten@redhat.com>, Elena Fedorov <Elena.Fedorov@ca.ibm.com>
Date: 06/17/2019 04:25 PM
Subject: [EXTERNAL] Re: [Freeipa-users] Re: Get username and password via bind preop plugin in FreeIPA





On Mon, 17 Jun 2019, Elena Fedorov via FreeIPA-users wrote:
>
>Hi Rob,
>Thanks for your reply.
>
>The front end is the RedHat Identity Management portal (on Apache HTTP
>server).
>
>After I enter 'Username' and 'Password', I see that the server performs
>various searches, like username@domain.com and uid=username,<FQDN>.
>
>If the user is found, my bind pre-op plugin is called with a user DN (SIMPLE
>BIND).
>
>If the user is not found, then my pre-op BIND plugin is called, ... but
>with an empty dn value.
>
>What I am looking for is to get the value of the username in the plugin,
>even if the user is not found in FreeIPA.
>
>I am not sure if SASL interferes with this process of invoking the pre-op
>BIND plugin, maybe it's irrelevant..
>
>I see entries in the access log as : " conn=393 op=1 BIND dn="" method=sasl
>version=3 mech=GSSAPI".
>
>My main problem is that when the user value provided via the front end is
>not found in FreeIPA, I cannot get that username, entered in the front
>portal, in my pre-op BIND plugin.
That's correct and you cannot get that fixed. IPA framework does not
work with non-existing users. Any user that can login to web UI (or use
JSON-RPC) has to have two properties:
- it has to be able to obtain a Kerberos service ticket to the HTTP/..
  service, which can then be used to request a service ticket to the LDAP
  service on behalf of that user (S4U2Proxy/S4U2Self operation). A normal
  IPA user or a user from a trusted Active Directory forest does this
  directly with their Kerberos tickets. For password-based logon this
  happens in the IPA framework, where we use username/password to request
  a TGT for that user.

- After a service ticket to LDAP on behalf of the said user is
  obtained, we authenticate to LDAP via SASL GSS-SPNEGO or SASL GSSAPI.
  At this point the name of the principal in the ticket is used by
  389-ds to map to a specific DN, via existing mapping rules in
  cn=mapping,cn=sasl,cn=config. See
  install/updates/71-idviews-sasl-mapping.update to understand how it
  works for AD users -- they get mapped to their ID views entry in the
  Default Trust View.

If neither of these two properties is fulfilled, no access can be given in
LDAP and the connection is denied. The IPA framework doesn't use anything
other than SASL GSS-SPNEGO / SASL GSSAPI to authenticate to LDAP.

Where does your user come from?

>
>Is it possible to get the username entered in the Front end (even if it
>does not correspond to a valid user) to be captured via a custom plugin?
>Maybe not with the BIND pre-op Plugin but with a different type of plugin?
>
>Any tips, suggestions are very much appreciated.
>
>Thanks,
>Elena.
>
>
>
>From: Rob Crittenden <rcritten@redhat.com>
>To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
>Cc: Elena Fedorov <Elena.Fedorov@ca.ibm.com>
>Date: 06/17/2019 03:09 PM
>Subject: [EXTERNAL] Re: [Freeipa-users] Get username and password via
>            bind preop plugin in FreeIPA
>
>
>
>Elena Fedorov via FreeIPA-users wrote:
>> Hello,
>> I have FreeIPA version 4.6.4, api_version 2.229
>>
>> The system supports sasl bind version 3, mech GSSAPI.
>>
>> I need to support logon from the front end for users who are not part of
>> the FreeIPA directory server.
>> For such users I will need to bind as a predefined existing Free IPA
>> account.
>>
>> The problem is I can not capture a username (entered in the front end)
>> in the pre-op bind plugin.
>>
>> FreeIPA does not even call the pre-op plugin if it can not find a
>> username, entered in the front end, in the Directory Server.
>>
>> What can I do to grab a username from the front end?
>
>I'm not quite sure I follow what you want to do, particularly how SASL
>fits in.
>
>What frontend are you talking about? How are you binding LDAP? Simple or
>SASL?
>
>rob
>
>
>



>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>Fedora Code of Conduct:
>https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines:
>https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives:
>https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
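The following is an added worked example, not code from the thread, from FreeIPA or from 389-ds. It models in Python the two preconditions Alexander describes and the SASL mapping step that Elena asks about: a principal first has to get a ticket from a KDC that knows it, and only then does 389-ds run the principal name through the nsSaslMapping rules under cn=mapping,cn=sasl,cn=config (nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate, nsSaslMapPriority). The directory entries, the KDC principal set, the "Foreign realm to gateway account" rule and the exact text of the two IPA-like rules are constructed for illustration; the template syntax ("&" for the whole authid, "\1".."\9" for regex groups) and the fallback-on-miss behaviour (nsslapd-sasl-mapping-fallback) are my reading of 389-ds and should be checked against the server's documentation before relying on them.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for the 389-ds database: DN -> attributes (attribute
# names lower-cased, since LDAP attribute names are case-insensitive).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=alice,cn=users,cn=accounts,dc=ipa,dc=example":
        {"uid": "alice", "krbprincipalname": "alice@IPA.EXAMPLE"},
    "uid=svc-gateway,cn=users,cn=accounts,dc=ipa,dc=example":
        {"uid": "svc-gateway", "krbprincipalname": "svc-gateway@IPA.EXAMPLE"},
    # An ID override in the Default Trust View, the kind of entry IPA's
    # 71-idviews-sasl-mapping.update maps trusted-AD users to (constructed).
    "uid=bob@ad.example,cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=example":
        {"ipaoriginaluid": "bob@AD.EXAMPLE"},
}

# Principals some KDC (IPA's or a trusted AD's) will issue tickets for.
# Constructed. Anyone else never reaches the SASL bind at all.
KDC_PRINCIPALS = {"alice@IPA.EXAMPLE", "svc-gateway@IPA.EXAMPLE", "bob@AD.EXAMPLE"}

# Mapping rules in the shape of nsSaslMapping entries. The "Foreign realm"
# rule is the hypothetical answer to "map <user>@foreignDomain to one
# predefined IPA account"; the other two imitate IPA's own rules.
SASL_MAPPINGS: List[Dict[str, object]] = [
    {"cn": "Foreign realm to gateway account (hypothetical)",
     "nsSaslMapPriority": 5,
     "nsSaslMapRegexString": r"^[^@]+@FOREIGN\.EXAMPLE$",
     "nsSaslMapBaseDNTemplate": "uid=svc-gateway,cn=users,cn=accounts,dc=ipa,dc=example",
     "nsSaslMapFilterTemplate": "(uid=svc-gateway)"},
    {"cn": "Full Principal",
     "nsSaslMapPriority": 10,
     "nsSaslMapRegexString": r"^([^@]+)@([^@]+)$",
     "nsSaslMapBaseDNTemplate": "dc=ipa,dc=example",
     "nsSaslMapFilterTemplate": r"(krbPrincipalName=\1@\2)"},
    {"cn": "Trusted domain to Default Trust View",
     "nsSaslMapPriority": 20,
     "nsSaslMapRegexString": r"^[^@]+@[^@]+$",
     "nsSaslMapBaseDNTemplate": "cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=example",
     "nsSaslMapFilterTemplate": "(ipaOriginalUid=&)"},
]

_SIMPLE_FILTER = re.compile(r"^\(([^=()]+)=([^()]*)\)$")


def expand_template(template: str, authid: str, match) -> str:
    """Fill a base-DN or filter template: '&' becomes the whole authid,
    '\\1'..'\\9' become the regex groups (assumed 389-ds template syntax)."""
    out = template.replace("&", authid)
    for i in range(1, min(9, match.re.groups) + 1):
        out = out.replace("\\%d" % i, match.group(i))
    return out


def ldap_subtree_search(base_dn: str, ldap_filter: str,
                        directory: Dict[str, Dict[str, str]] = DIRECTORY) -> List[str]:
    """Toy subtree search: only equality filters '(attr=value)' are supported."""
    m = _SIMPLE_FILTER.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %s" % ldap_filter)
    attr, value = m.group(1).lower(), m.group(2).lower()
    base = base_dn.lower()
    hits = []
    for dn, attrs in directory.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        if in_scope and attrs.get(attr, "").lower() == value:
            hits.append(dn)
    return hits


def map_sasl_identity(authid: str, mappings=SASL_MAPPINGS,
                      directory=DIRECTORY, fallback: bool = True) -> Optional[str]:
    """Return the DN the authenticated principal maps to, or None.
    Rules are tried in nsSaslMapPriority order (lowest number first); a rule
    applies only if its search yields exactly one entry. `fallback` models
    nsslapd-sasl-mapping-fallback: on a miss, try the next matching rule."""
    for rule in sorted(mappings, key=lambda r: r["nsSaslMapPriority"]):
        m = re.match(rule["nsSaslMapRegexString"], authid)
        if not m:
            continue
        base = expand_template(rule["nsSaslMapBaseDNTemplate"], authid, m)
        flt = expand_template(rule["nsSaslMapFilterTemplate"], authid, m)
        hits = ldap_subtree_search(base, flt, directory)
        if len(hits) == 1:
            return hits[0]
        if not fallback:
            return None
    return None


def gssapi_bind(principal: str, kdc_principals=KDC_PRINCIPALS, **kw) -> Optional[str]:
    """The full path: no ticket means no SASL bind, so mapping never runs.
    Returns the bound DN, or None when the bind is refused."""
    if principal not in kdc_principals:
        return None
    return map_sasl_identity(principal, **kw)


if __name__ == "__main__":
    for p in ("alice@IPA.EXAMPLE", "bob@AD.EXAMPLE",
              "carol@FOREIGN.EXAMPLE", "nobody@NOWHERE.EXAMPLE"):
        print("%-24s mapping -> %s" % (p, map_sasl_identity(p)))
        print("%-24s bind    -> %s" % (p, gssapi_bind(p)))
```

The point the model makes concrete: a regex rule can collapse every principal of a foreign realm onto one predefined IPA DN (carol@FOREIGN.EXAMPLE maps to uid=svc-gateway), but the rule is only consulted after a successful GSSAPI exchange, so carol still binds as nobody unless some KDC that IPA trusts will issue her a ticket. A rule in cn=mapping,cn=sasl,cn=config therefore cannot substitute for the missing Kerberos identity, and the front-end password never reaches 389-ds on this path either.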