Hi,
My Web Server is enrolled in the FreeIPA domain, but the clients are external. So login is done via a custom login form that is part of the Web Application. In this setup, I know how to authenticate the clients to the Web Application using FreeIPA as a backend - I can use mod_intercept_form_submit, and it works just fine.
But what if I need to obtain Kerberos credentials on behalf of the current user? (I believe smart people call it "delegation" in the Kerberos world.)
To be more specific - suppose that the Web Application features personal secret vaults, and it uses FreeIPA Vaults as a backend. So a user X logs in and wants to see his personal vaults - the Web Application must obtain Kerberos credentials on his behalf (not on behalf of the HTTP/.... service, because I don't want to make it the owner of all vaults).
Or another example - suppose that the Web Application manages my infrastructure. So a user X (who is an infra-admin) logs in and requests to add a new host to the domain. The Web Application must then go and execute some privileged FreeIPA calls (like host_add etc.). Again, I'd like it to authenticate on behalf of this user X, instead of making the HTTP/... service an infra-admin by itself. This way I don't need to store any passwords or keytabs with such sensitive credentials (the infra-admin will always come in person and type his password).
Can you please point me in the right direction? Thanks.
freeipa-users@lists.fedorahosted.org