On Mon, 17 Jun 2019, Elena Fedorov wrote:
>This is a very good explanation, Alexander!
>It is unfortunate that I cannot intercept user credentials at logon.
>I have a mix of different users, some of them are native FreeIPA users
>which can authenticate no problem. But there are also some users that are
>not from FreeIPA. I need to figure out that these are foreign users and
>not fail authentication but instead authenticate them as a different
>predefined valid IPA user.
>I also need to preserve the credentials that they entered in the front end
>to communicate them to another application.
>Can I map users with a certain logon name, for example
><user>@foreignDomain, to a specific user in IPA using a SASL mapping?
You certainly can create a mapping that would try that. However, they
still need to have Kerberos tickets somehow.
See ipaserver/rpcserver.py:login_password class for the details --
__call__() and kinit() methods are key there.
Note that, alternatively, we have certificate-based authentication on
/ipa/session/login_x509 endpoint (needs to be enabled with ipa-advise
advices). You can issue certificates to all these external users and
assign multiple certificates to the same IPA user. Then they will be
able to authenticate as that IPA user. You wouldn't have their
individual passwords because there are no passwords, of course.
>If I added a new SASL mechanism and forced its use from the front end,
>would I be able to use it before SASL GSS-SPNEGO or SASL GSSAPI are
>invoked?
No.
>Thanks,
>Elena Fedorov
>Senior Managing Consultant, IBM Analytics Cloud Expert Services SDK API
>T:613-356-6106
From: Alexander Bokovoy <abokovoy(a)redhat.com>
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Rob Crittenden <rcritten(a)redhat.com>, Elena Fedorov
<Elena.Fedorov(a)ca.ibm.com>
Date: 06/17/2019 04:25 PM
Subject: [EXTERNAL] Re: [Freeipa-users] Re: Get username and password via bind preop plugin in FreeIPA
On Mon, 17 Jun 2019, Elena Fedorov via FreeIPA-users wrote:
>
>Hi Rob,
>Thanks for your reply.
>
>The front end is the RedHat Identity Management portal (on Apache HTTP
>server).
>
>After I enter 'Username' and 'Password', I see that the server performs
>various searches like searches username(a)domain.com and
>uid=username,<FQDN>.
>
>If the user is found my bind pre-op plugin is called with a user DN (SIMPLE
>BIND).
>
>If the user is not found, then my pre-op BIND plugin is called, ... but
>with an empty dn value.
>
>What I am looking for is to get the value of the username in the plugin,
>even if the user is not found in FreeIPA.
>
>I am not sure if SASL interferes with this process of invoking the pre-op
>BIND plugin, maybe it's irrelevant.
>
>I see entries in the access log as: "conn=393 op=1 BIND dn="" method=sasl
>version=3 mech=GSSAPI".
>
>My main problem is that when the user value provided via the front end is
>not found in FreeIPA, I cannot get that username, entered in the front
>portal, in my pre-op BIND plugin.
That's correct and you cannot get that fixed. The IPA framework does not
work with non-existing users. Any user that can log in to the web UI (or use
JSON-RPC) has to have two properties:
- it has to be able to obtain a Kerberos service ticket to the HTTP/..
service that can be used to request a service ticket to the LDAP service
on behalf of that user (S4U2Proxy/S4U2Self operation). A normal IPA
user or a user from a trusted Active Directory forest does this
directly with their Kerberos tickets. For password-based logon this
happens in the IPA framework where we use username/password to request a
TGT for that user.
- After a service ticket to LDAP on behalf of the said user is
obtained, we authenticate to LDAP via SASL GSS-SPNEGO or SASL GSSAPI.
At this point the name of the principal in the ticket is used by
389-ds to map to a specific DN, via existing mapping rules in
cn=mapping,cn=sasl,cn=config. See
install/updates/71-idviews-sasl-mapping.update to understand how it
works for AD users -- they get mapped to their ID views entry in the
Default Trust View.
If neither of these two properties is fulfilled, no access can be given in
LDAP and the connection is denied. The IPA framework doesn't use anything
other than SASL GSS-SPNEGO / SASL GSSAPI to authenticate to LDAP.
Where does your user come from?
>
>Is it possible to get the username entered in the Front end (even if it
>does not correspond to a valid user) to be captured via a custom plugin?
>Maybe not with the BIND pre-op Plugin but with a different type of plugin?
>
>Any tips, suggestions are very much appreciated.
>
>Thanks,
>Elena.
>
>
>
>From: Rob Crittenden <rcritten(a)redhat.com>
>To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>Cc: Elena Fedorov <Elena.Fedorov(a)ca.ibm.com>
>Date: 06/17/2019 03:09 PM
>Subject: [EXTERNAL] Re: [Freeipa-users] Get username and password via
> bind preop plugin in FreeIPA
>
>
>
>Elena Fedorov via FreeIPA-users wrote:
>> Hello,
>> I have FreeIPA version 4.6.4, api_version 2.229
>>
>> The system supports sasl bind version 3, mech GSSAPI.
>>
>> I need to support logon from the front end for users who are not part of
>> the FreeIPA directory server.
>> For such users I will need to bind as a predefined existing FreeIPA
>> account.
>>
>> The problem is I cannot capture a username (entered in the front end)
>> in the pre-op bind plugin.
>>
>> FreeIPA does not even call the pre-op plugin if it can not find a
>> username, entered in the front end, in the Directory Server.
>>
>> What can I do to grab a username from the front end?
>
>I'm not quite sure I follow what you want to do, particularly how SASL
>fits in.
>
>What frontend are you talking about? How are you binding LDAP? Simple or
>SASL?
>
>rob
>
>
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
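The mapping step Alexander describes (389-ds matches the principal from the GSSAPI ticket against rules under cn=mapping,cn=sasl,cn=config and expands a base DN and filter from them) as an added Python model; this is not code from the thread, from FreeIPA or from 389-ds. The rule names, regexes, suffix and the shared account uid=foreign-shared are constructed, and Python regex syntax stands in for the POSIX syntax 389-ds expects.

```python
import re

# Constructed model of the 389-ds SASL mapping step described in the thread:
# each entry under cn=mapping,cn=sasl,cn=config carries a regex applied to
# the SASL authentication identity (the Kerberos principal from the GSSAPI
# ticket), a base-DN template and a filter template, with \1, \2 ... filled
# from the regex groups. Rule names, regexes, suffix and the shared account
# are constructed; Python regex syntax stands in for the POSIX syntax 389-ds
# expects in nsSaslMapRegexString.
SUFFIX = "dc=example,dc=test"

SASL_MAPPINGS = [
    # native IPA users: uid@REALM -> search uid=<uid> under cn=users
    {"cn": "constructed IPA users",
     "nsSaslMapRegexString": r"^([^:@]+)@EXAMPLE\.TEST$",
     "nsSaslMapBaseDNTemplate": "cn=users,cn=accounts," + SUFFIX,
     "nsSaslMapFilterTemplate": r"(uid=\1)"},
    # the mapping Elena asks about: any <user>@FOREIGN.DOMAIN principal is
    # pointed at one predefined IPA account (constructed uid=foreign-shared)
    {"cn": "constructed foreign domain to shared account",
     "nsSaslMapRegexString": r"^[^:@]+@FOREIGN\.DOMAIN$",
     "nsSaslMapBaseDNTemplate": "uid=foreign-shared,cn=users,cn=accounts," + SUFFIX,
     "nsSaslMapFilterTemplate": "(objectClass=posixAccount)"},
]


def expand(template, match):
    """Substitute \\N references in a template with the regex groups."""
    return re.sub(r"\\(\d)", lambda m: match.group(int(m.group(1))), template)


def map_principal(principal, mappings=SASL_MAPPINGS):
    """Return (base_dn, ldap_filter) from the first matching rule, or None."""
    for rule in mappings:
        m = re.match(rule["nsSaslMapRegexString"], principal)
        if m:
            return (expand(rule["nsSaslMapBaseDNTemplate"], m),
                    expand(rule["nsSaslMapFilterTemplate"], m))
    return None


def sasl_gssapi_bind(ticket_principal):
    """Model the two conditions from the thread: without a Kerberos ticket the
    mapping is never consulted, and without a matching rule the bind fails."""
    if ticket_principal is None:
        return "denied: no Kerberos ticket"
    mapped = map_principal(ticket_principal)
    if mapped is None:
        return "denied: no SASL mapping matched"
    return "bound: base=%s filter=%s" % mapped
```

The model makes the point of the reply concrete: a mapping for <user>@foreignDomain only ever runs once a GSSAPI ticket carrying that principal exists, so a password typed into the web UI for a user IPA cannot kinit never reaches it.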