With the switch to mod_auth_gssapi we aren't limited to only
negotiated Kerberos so name the plugin to reflect this.
https://fedorahosted.org/ipsilon/ticket/114
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
18 files changed:
- A keytab if Kerberos authentication is desired
- An unprivileged user to run the Ipsilon code (defaults to 'ipsilon')
- A keytab if Kerberos authentication is desired
- An unprivileged user to run the Ipsilon code (defaults to 'ipsilon')
-Currently there are only two available authentication modules, Kerberos and
+Currently there are only two available authentication modules, GSSAPI and
PAM. The Kerberos module uses mod_auth_gssapi (which it will configure for
you at install time), the Pam module simply uses the PAM stack with a default service
name set to 'remote'.
PAM. The Kerberos module uses mod_auth_gssapi (which it will configure for
you at install time), the Pam module simply uses the PAM stack with a default service
name set to 'remote'.
etc..
Before you run the install script make sure to create an administrative user
etc..
Before you run the install script make sure to create an administrative user
-that can be authenticated either via PAM or Kerberos. The default name the
+that can be authenticated either via PAM or GSSAPI. The default name the
installation script expects is 'admin' but that can be changed with the command
line option named --admin-user
installation script expects is 'admin' but that can be changed with the command
line option named --admin-user
Other options are available by running ipsilon-server-install --help
Other options are available by running ipsilon-server-install --help
-To install a server that allow both Kerberos and PAM authentication use:
+To install a server that allow both GSSAPI (Kerberos) and PAM authentication
+use:
- $ ipsilon-server-install --krb=yes --pam=yes
+ $ ipsilon-server-install --gssapi=yes --pam=yes
This command will generate a default instance called 'idp' (you can change the
default name using the --instance switch). Multiple instance can be installed
This command will generate a default instance called 'idp' (you can change the
default name using the --instance switch). Multiple instance can be installed
summary: IPA helpers
Group: System Environment/Base
License: GPLv3+
summary: IPA helpers
Group: System Environment/Base
License: GPLv3+
-Requires: %{name}-authkrb = %{version}-%{release}
+Requires: %{name}-authgssapi = %{version}-%{release}
Requires: %{name}-authform = %{version}-%{release}
%if 0%{?rhel}
Requires: ipa-client
Requires: %{name}-authform = %{version}-%{release}
%if 0%{?rhel}
Requires: ipa-client
Provides a login plugin to authenticate against the local PAM stack
Provides a login plugin to authenticate against the local PAM stack
Summary: mod_auth_gssapi based login plugin
Group: System Environment/Base
License: GPLv3+
Summary: mod_auth_gssapi based login plugin
Group: System Environment/Base
License: GPLv3+
Requires: mod_auth_gssapi
BuildArch: noarch
Requires: mod_auth_gssapi
BuildArch: noarch
Provides a login plugin to allow authentication via the mod_auth_gssapi
Apache module.
Provides a login plugin to allow authentication via the mod_auth_gssapi
Apache module.
%files authpam
%{python2_sitelib}/ipsilon/login/authpam*
%files authpam
%{python2_sitelib}/ipsilon/login/authpam*
-%files authkrb
-%{python2_sitelib}/ipsilon/login/authkrb*
-%{_datadir}/ipsilon/templates/login/krb.html
+%files authgssapi
+%{python2_sitelib}/ipsilon/login/authgssapi*
+%{_datadir}/ipsilon/templates/login/gssapi.html
%files authldap
%{python2_sitelib}/ipsilon/login/authldap*
%files authldap
%{python2_sitelib}/ipsilon/login/authldap*
WSGIDaemonProcess idp maximum-requests=2 user=ipsilon group=ipsilon
WSGIProcessGroup idp
WSGIDaemonProcess idp maximum-requests=2 user=ipsilon group=ipsilon
WSGIProcessGroup idp
-<Location /idp/login/krb/negotiate>
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate on
- KrbMethodK5Passwd off
- KrbServiceName HTTP
- KrbAuthRealms IPA.DEV.LAN
- Krb5KeyTab /etc/httpd/conf/http.keytab
- KrbSaveCredentials off
- KrbConstrainedDelegation off
- KrbLocalUserMapping On
+<Location /idp/login/gssapi/negotiate>
+ AuthType GSSAPI
+ AuthName "GSSAPI Single Sign On Login"
+ GssapiCredStore /etc/httpd/conf/http.keytab
+ GssapiSSLonly On
+ GssapiLocalName on
- ErrorDocument 401 /idp/login/krb/unauthorized
+ ErrorDocument 401 /idp/login/gssapi/unauthorized
+ ErrorDocument 500 /idp/login/gssapi/failed
</Location>
<Directory /usr/libexec>
</Location>
<Directory /usr/libexec>
raise Exception('No IPA tools found!')
# Check if we already have a keytab for HTTP
raise Exception('No IPA tools found!')
# Check if we already have a keytab for HTTP
- if 'krb_httpd_keytab' in opts:
- msg = "Searching for keytab in: %s" % opts['krb_httpd_keytab']
+ if 'gssapi_httpd_keytab' in opts:
+ msg = "Searching for keytab in: %s" % opts['gssapi_httpd_keytab']
print >> sys.stdout, msg,
print >> sys.stdout, msg,
- if os.path.exists(opts['krb_httpd_keytab']):
+ if os.path.exists(opts['gssapi_httpd_keytab']):
print >> sys.stdout, "... Found!"
return
else:
print >> sys.stdout, "... Found!"
return
else:
msg = "Searching for keytab in: %s" % HTTPD_IPA_KEYTAB
print >> sys.stdout, msg,
if os.path.exists(HTTPD_IPA_KEYTAB):
msg = "Searching for keytab in: %s" % HTTPD_IPA_KEYTAB
print >> sys.stdout, msg,
if os.path.exists(HTTPD_IPA_KEYTAB):
- opts['krb_httpd_keytab'] = HTTPD_IPA_KEYTAB
+ opts['gssapi_httpd_keytab'] = HTTPD_IPA_KEYTAB
print >> sys.stdout, "... Found!"
return
else:
print >> sys.stdout, "... Found!"
return
else:
try:
msg = "Trying to fetch keytab[%s] for %s" % (
try:
msg = "Trying to fetch keytab[%s] for %s" % (
- opts['krb_httpd_keytab'], princ)
+ opts['gssapi_httpd_keytab'], princ)
print >> sys.stdout, msg,
subprocess.check_output([IPA_GETKEYTAB,
'-s', server, '-p', princ,
print >> sys.stdout, msg,
subprocess.check_output([IPA_GETKEYTAB,
'-s', server, '-p', princ,
- '-k', opts['krb_httpd_keytab']],
+ '-k', opts['gssapi_httpd_keytab']],
stderr=subprocess.STDOUT)
except subprocess.CalledProcessError, e:
# unfortunately this one is fatal
stderr=subprocess.STDOUT)
except subprocess.CalledProcessError, e:
# unfortunately this one is fatal
# Fixup permissions so only the ipsilon user can read these files
pw = pwd.getpwnam(HTTPD_USER)
# Fixup permissions so only the ipsilon user can read these files
pw = pwd.getpwnam(HTTPD_USER)
- os.chown(opts['krb_httpd_keytab'], pw.pw_uid, pw.pw_gid)
+ os.chown(opts['gssapi_httpd_keytab'], pw.pw_uid, pw.pw_gid)
def configure_server(self, opts):
if opts['ipa'] != 'yes' and opts['ipa'] != 'auto':
return
def configure_server(self, opts):
if opts['ipa'] != 'yes' and opts['ipa'] != 'auto':
return
- if opts['ipa'] != 'yes' and opts['krb'] == 'no':
+ if opts['ipa'] != 'yes' and opts['gssapi'] == 'no':
return
self.logger = logging.getLogger()
return
self.logger = logging.getLogger()
- # Forcibly use krb then pam modules
+ # Forcibly use gssapi then pam modules
if 'lm_order' not in opts:
opts['lm_order'] = []
if 'lm_order' not in opts:
opts['lm_order'] = []
- opts['krb'] = 'yes'
- if 'krb' not in opts['lm_order']:
- opts['lm_order'].insert(0, 'krb')
+ opts['gssapi'] = 'yes'
+ if 'gssapi' not in opts['lm_order']:
+ opts['lm_order'].insert(0, 'gssapi')
opts['form'] = 'yes'
if not any(lm in opts['lm_order'] for lm in ('form', 'pam')):
opts['lm_order'].append('form')
opts['form'] = 'yes'
if not any(lm in opts['lm_order'] for lm in ('form', 'pam')):
opts['lm_order'].append('form')
-class Krb(LoginPageBase):
+class GSSAPI(LoginPageBase):
def root(self, *args, **kwargs):
# Someone typed manually or a robot is walking th tree.
def root(self, *args, **kwargs):
# Someone typed manually or a robot is walking th tree.
return self.lm.redirect_to_path(self.lm.path)
return self.lm.redirect_to_path(self.lm.path)
-class KrbAuth(LoginPageBase):
+class GSSAPIAuth(LoginPageBase):
def root(self, *args, **kwargs):
trans = self.get_valid_transaction('login', **kwargs)
def root(self, *args, **kwargs):
trans = self.get_valid_transaction('login', **kwargs)
if not self.user.is_anonymous:
principal = cherrypy.request.wsgi_environ.get('GSS_NAME', None)
if principal:
if not self.user.is_anonymous:
principal = cherrypy.request.wsgi_environ.get('GSS_NAME', None)
if principal:
- userdata = {'krb_principal_name': principal}
+ userdata = {'gssapi_principal_name': principal}
- userdata = {'krb_principal_name': self.user.name}
+ userdata = {'gssapi_principal_name': self.user.name}
return self.lm.auth_successful(trans, self.user.name,
return self.lm.auth_successful(trans, self.user.name,
else:
return self.lm.auth_failed(trans)
else:
return self.lm.auth_failed(trans)
-class KrbError(LoginPageBase):
+class GSSAPIError(LoginPageBase):
def root(self, *args, **kwargs):
cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
def root(self, *args, **kwargs):
cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
return next_login.page.root(*args, **kwargs)
conturl = '%s/login' % self.basepath
return next_login.page.root(*args, **kwargs)
conturl = '%s/login' % self.basepath
- return self._template('login/krb.html',
- title='Kerberos Login',
+ return self._template('login/gssapi.html',
+ title='GSSAPI Login',
cont=conturl)
# If we get here, negotiate failed
cont=conturl)
# If we get here, negotiate failed
def __init__(self, *args, **kwargs):
super(LoginManager, self).__init__(*args, **kwargs)
def __init__(self, *args, **kwargs):
super(LoginManager, self).__init__(*args, **kwargs)
- self.name = 'krb'
- self.path = 'krb/negotiate'
+ self.name = 'gssapi'
+ self.path = 'gssapi/negotiate'
self.page = None
self.description = """
self.page = None
self.description = """
-Kerberos Negotiate authentication plugin. Relies on the mod_auth_gssapi
+GSSAPI Negotiate authentication plugin. Relies on the mod_auth_gssapi
apache plugin for actual authentication. """
self.new_config(self.name)
def get_tree(self, site):
apache plugin for actual authentication. """
self.new_config(self.name)
def get_tree(self, site):
- self.page = Krb(site, self)
- self.page.__dict__['negotiate'] = KrbAuth(site, self)
- self.page.__dict__['unauthorized'] = KrbError(site, self)
- self.page.__dict__['failed'] = KrbError(site, self)
+ self.page = GSSAPI(site, self)
+ self.page.__dict__['negotiate'] = GSSAPIAuth(site, self)
+ self.page.__dict__['unauthorized'] = GSSAPIError(site, self)
+ self.page.__dict__['failed'] = GSSAPIError(site, self)
return self.page
CONF_TEMPLATE = """
return self.page
CONF_TEMPLATE = """
-<Location /${instance}/login/krb/negotiate>
+<Location /${instance}/login/gssapi/negotiate>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
$keytab
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
$keytab
GssapiLocalName on
Require valid-user
GssapiLocalName on
Require valid-user
- ErrorDocument 401 /${instance}/login/krb/unauthorized
- ErrorDocument 500 /${instance}/login/krb/failed
+ ErrorDocument 401 /${instance}/login/gssapi/unauthorized
+ ErrorDocument 500 /${instance}/login/gssapi/failed
def __init__(self, *pargs):
super(Installer, self).__init__()
def __init__(self, *pargs):
super(Installer, self).__init__()
self.pargs = pargs
def install_args(self, group):
self.pargs = pargs
def install_args(self, group):
- group.add_argument('--krb', choices=['yes', 'no'], default='no',
- help='Configure Kerberos authentication')
- group.add_argument('--krb-httpd-keytab',
+ group.add_argument('--gssapi', choices=['yes', 'no'], default='no',
+ help='Configure GSSAPI authentication')
+ group.add_argument('--gssapi-httpd-keytab',
default='/etc/httpd/conf/http.keytab',
help='Kerberos keytab location for HTTPD')
def configure(self, opts):
default='/etc/httpd/conf/http.keytab',
help='Kerberos keytab location for HTTPD')
def configure(self, opts):
- if opts['krb'] != 'yes':
+ if opts['gssapi'] != 'yes':
return
confopts = {'instance': opts['instance']}
return
confopts = {'instance': opts['instance']}
- if os.path.exists(opts['krb_httpd_keytab']):
+ if os.path.exists(opts['gssapi_httpd_keytab']):
confopts['keytab'] = 'GssapiCredStore keytab:%s' % (
confopts['keytab'] = 'GssapiCredStore keytab:%s' % (
- opts['krb_httpd_keytab'])
+ opts['gssapi_httpd_keytab'])
else:
raise Exception('Keytab not found')
else:
raise Exception('Keytab not found')
# Add configuration data to database
po = PluginObject(*self.pargs)
# Add configuration data to database
po = PluginObject(*self.pargs)
- # Update global config, put 'krb' always first
+ # Update global config, put 'gssapi' always first
ph = self.pargs[0]
ph.refresh_enabled()
ph = self.pargs[0]
ph.refresh_enabled()
- if 'krb' not in ph.enabled:
+ if 'gssapi' not in ph.enabled:
enabled = []
enabled.extend(ph.enabled)
enabled = []
enabled.extend(ph.enabled)
- enabled.insert(0, 'krb')
+ enabled.insert(0, 'gssapi')
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
- nameid = us.get_data('user', 'krb_principal_name')
+ nameid = us.get_data('user', 'gssapi_principal_name')
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
nameid = us.get_user().email
if not nameid:
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
nameid = us.get_user().email
if not nameid:
validity = int(opts['saml2_metadata_validity'])
meta = IdpMetadataGenerator(url, cert,
timedelta(validity))
validity = int(opts['saml2_metadata_validity'])
meta = IdpMetadataGenerator(url, cert,
timedelta(validity))
- if 'krb' in opts and opts['krb'] == 'yes':
+ if 'gssapi' in opts and opts['gssapi'] == 'yes':
meta.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
meta.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'ipa': 'no',
'server_debugging': 'True'}
'instance': '${NAME}',
'secure': 'no',
'pam': 'no',
'instance': '${NAME}',
'secure': 'no',
'pam': 'no',
'ipa': 'no',
'ldap': 'yes',
'ldap_server_url': 'ldap://${ADDRESS}:45389/',
'ipa': 'no',
'ldap': 'yes',
'ldap_server_url': 'ldap://${ADDRESS}:45389/',
'openid': 'yes',
'openid_extensions': 'Attribute Exchange,Simple Registration,Teams',
'pam': 'no',
'openid': 'yes',
'openid_extensions': 'Attribute Exchange,Simple Registration,Teams',
'pam': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'ipa': 'no',
'server_debugging': 'True'}