I have a locked-down network (both ingress and egress) where neither the FreeIPA server nor the clients have direct internet access, yet I have the need to use an external IdP with FreeIPA for authentication.
According to this diagram: https://freeipa.readthedocs.io/en/latest/_images/plantuml-453b55f8632265d0a0... The oidc_child is what needs access to the IDP to get the device code and verify it. Also via the docs it says "oidc_child uses curl and cjose libraries to implement OAuth 2.0 communication."
I'm using Okta as the IdP, and while I could, in theory, use https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json to allow egress through my firewall, that is likely to break as IPs get added or removed over time. I have a proxy configured on a separate host that I use for this sort of purpose that can allow based on an allow list of domain names (rather than IPs), so I don't need to configure firewall rules on my FreeIPA servers to connect directly to Okta, while still maintaining the desired level of security.
It doesn't appear (unless I'm missing it) that there is any direct proxy configuration for this purpose. That said, since libcurl is used, and it typically honors environment variables like http_proxy/https_proxy I wonder if injecting an environment via `/etc/systemd/system/XXXX.service.d/override.conf` might work. Looking for guidance here before I start going down this rabbit hole, figured someone might know off the top of their head.
I'm also not sure what is responsible for spawning the oidc_child so not sure what service to inject such an environment into if that would even work. Is it the KDC itself maybe?
Thanks!
On Thu, 02 Oct 2025, Brad House via FreeIPA-users wrote:
oidc_child is spawned by ipa-otpd daemon which, in turn, is spawned by systemd when someone accesses /run/krb5kdc/DEFAULT.socket. On its side, ipa-otpd daemon uses /etc/ipa/default.conf as its EnvironmentFile.
systemd.exec(5) says for EnvironmentFile= option: .... Empty lines, lines without an "=" separator, or lines starting with ";" or "#" will be ignored, which may be used for commenting. .... The files listed with this directive will be read shortly before the process is executed (more specifically, after all processes from a previous unit state terminated. This means you can generate these files in one unit state, and read it with this option in the next. The files are read from the file system of the service manager, before any file system changes like bind mounts take place). ....
So this means you can modify /etc/ipa/default.conf to add http_proxy or HTTPS_PROXY.
Note that we already use this mechanism to pass oidc_child_debug_level, as described in the man page for default.conf(5).
On 10/2/25 3:25 AM, Alexander Bokovoy wrote:
Great, thank you, I'll give this a shot.
-Brad
freeipa-users@lists.fedorahosted.org