So that's the way to go. Let me read some code and I'll be back with a proposal. Is that ok or should I take it to another place? Thanks for your time Rob.
Using this list is fine for now. If you file a PR the discussion will move there.
rob
11:29, March 4, 2019, "Rob Crittenden via FreeIPA-users" <freeipa-users(a)lists.fedorahosted.org>:
Edward Valley wrote:
Thank you Rob. By extending ipa-pwd-extop are you suggesting that I modify it (of course by submitting patches) or that I use it as the base for a new plugin? Is the latter possible without interference? Sorry if it's a silly question, right now I really don't know anything about the 389-ds plugin architecture.
It would probably be far easier to update the existing plugin, you'd just want to do a lot of due diligence about memory handling, variable re-use, etc. (coverity and clang can be very helpful).
rob
10:58, March 4, 2019, "Rob Crittenden via FreeIPA-users" <freeipa-users(a)lists.fedorahosted.org>:
Edward Valley via FreeIPA-users wrote:
You're right, that's one of the options I've considered and tested, but going that way I need to set up several things, use a PAC file in order for Firefox and Chrome to work, take into account mobile versions too, configure browsers to trust the proxy's certificate, optionally install a client certificate in browsers (which Firefox for Android can't do) and have the proxy verify it, among other things that would require a PKI infrastructure that I'm not willing to deploy (for now). Trust me, I went through all of this, and it is secure enough, but it has a few pitfalls that right now (without coding) there is no way to solve. But, don't you think Kerberos authentication is a simpler and secure enough approach? For now, I'm just trying to migrate to FreeIPA (because it fits my needs and I think it's a better and tightly integrated solution) an existing OpenLDAP backend, which already has the required hashes and an automated way of generating them every time users change their passwords. Thank you very much for your time.
To do this you'd need to write a 389-ds plugin to intercept the password change and write out the hash. You could probably extend the ipa-pwd-extop plugin to do this as we do something similar to keep the userPassword and kerberos credentials in sync.

You just need to be sensitive to security issues here. Passwords are available in the clear only in this plugin so any mistake could potentially expose them.
rob
09:48, March 4, 2019, "Alexander Bokovoy via FreeIPA-users" <freeipa-users(a)lists.fedorahosted.org>:
On Mon, 04 Mar 2019, Edward Valley via FreeIPA-users wrote:
Thanks for your answer. Doing it the way you propose, squid uses basic authentication, which exposes user names and passwords in the network because of the simple base64 encoding.
Just set up your clients to use HTTPS proxy connection in the browser. https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection talks about it. Both Chrome-based browsers and Firefox do work just fine with HTTPS connection to the proxy for years now.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
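Added example, not code from FreeIPA, 389-ds or anyone in this thread: a Python model of the step Rob describes, a pre-operation MODIFY hook that sees the cleartext password once, derives the extra hash Squid needs, and attaches it to the same modify operation so the directory's own userPassword and Kerberos handling stay untouched. The real plugin is C against the SLAPI API; the mod-list shape, the attribute name squidDigestHA1, the Digest realm, the username, the sample password, and the choice of HTTP Digest HA1 (MD5 of user:realm:password) as the hash Squid consumes are all assumptions made here for illustration, since the thread never says which hash the existing OpenLDAP setup stores.

```python
"""Added example, not code from FreeIPA, 389-ds or this thread.

A Python model of a 389-ds pre-operation MODIFY hook that derives a
secondary hash for Squid from a cleartext password change. The real plugin
is C against the SLAPI API; the mod-list shape, the attribute name, the
realm and the HA1 derivation below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import logging

log = logging.getLogger("pwd-hook")

DIGEST_REALM = "proxy.example.test"   # assumed realm configured on the Squid side
SECONDARY_ATTR = "squidDigestHA1"     # hypothetical attribute receiving the hash


def find_cleartext_password(mods):
    """Return the new cleartext password carried by a modify op, or None.

    mods models the LDAP modification list as (op, attribute, [values]) with
    bytes values, because directory values are length-delimited bervals, not
    NUL-terminated C strings (a classic source of over-reads in C plugins).
    A value that already arrives pre-hashed ("{SSHA}...") is useless for
    deriving a second hash and is left alone.
    """
    for op, attr, values in mods:
        if attr.lower() != "userpassword" or op not in ("replace", "add"):
            continue
        for value in values:
            if value.startswith(b"{"):
                return None
            return value
    return None


def digest_ha1(username, realm, password):
    """HTTP Digest HA1 = MD5(user:realm:password), hex encoded.

    Note what this is: an unsalted, fast hash that is password-equivalent for
    this realm. Whoever can read it can authenticate to the proxy as the user,
    so the attribute must be ACL-protected as strictly as userPassword itself.
    """
    material = b":".join([username.encode(), realm.encode(), password])
    return hashlib.md5(material).hexdigest()


def add_secondary_hash(username, mods):
    """Model of the pre-op hook: return mods extended with the derived hash.

    The cleartext never goes into the log line and never leaves this function
    in any returned structure. The C plugin additionally has to wipe every
    temporary copy of it (memset through a volatile pointer or explicit_bzero),
    which a Python model cannot do; the input list is not mutated.
    """
    password = find_cleartext_password(mods)
    if password is None:
        return list(mods)
    ha1 = digest_ha1(username, DIGEST_REALM, password)
    log.info("refreshed %s for uid=%s", SECONDARY_ATTR, username)
    return list(mods) + [("replace", SECONDARY_ATTR, [ha1.encode()])]


def stored_ha1(mods):
    """Pick the derived hash back out of the mod list (what gets persisted)."""
    for _op, attr, values in mods:
        if attr == SECONDARY_ATTR:
            return values[0].decode()
    return None


def proxy_side_check(stored, username, password):
    """What any party holding the HA1 can do: verify a cleartext password.

    Constant-time comparison. The point is that a stolen HA1 is enough to pass
    this check (and to answer a Digest challenge without the cleartext at
    all), which is why the derived attribute is as sensitive as the password.
    """
    candidate = digest_ha1(username, DIGEST_REALM, password)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample modify operation: a user changing their password.
    sample_mods = [("replace", "userPassword", [b"correct horse battery"])]
    new_mods = add_secondary_hash("edward", sample_mods)
    print(new_mods)
    print(proxy_side_check(stored_ha1(new_mods), "edward", b"correct horse battery"))
```

The model keeps to the two properties Rob's warning is about: the cleartext is read from exactly one place and is never logged or returned, and the derived value is treated as a second password rather than as a harmless attribute. In the C plugin the same logic sits behind the SLAPI pre-modify entry point, and the extra work is the memory hygiene the model cannot show: bounded copies of berval data and zeroing of every temporary buffer on every exit path.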