#1359 dogtag should support GSSAPI based auth in conjunction with FreeIPA
Closed: fixed 4 years ago Opened 6 years ago by simo.

When used within the FreeIPA project dogtag should allow authenticating using GSSAPI. Users can be mapped to the FreeIPA directory suffix in this case.
Using GSSAPI would allow the IPA framework to fully delegate to dogtag's ACLs some operations requested by users.

It would be nice to ship support for GSSAPI authentication in Dogtag itself, and
the IPA authorization plugin as part of IPA (IMO).

The feature request is related to #649, maybe even a duplicate of #649. I can't tell for sure because the other ticket has no description, just a title.

use-case 1:
Use a GSSAPI-authenticated CA profile to issue a certificate via a GUI. The CA profile should support searching LDAP groups for authZ data, such that the $username@EXAMPLE.COM principal would be mapped to an LDAP DN. Membership in an LDAP groupofnames or groupofuniquenames group would authorize access to that specific profile.

$username@EXAMPLE.COM -> maps to uid=$username,ou=users,dc=example,dc=com
uniqueMember: uid=$username,ou=users,dc=example,dc=com
would authorize access to that profile

This would give users self-service access to create certificates, but provide a facility for limiting what kind of certificates could be issued based on group.

use-case 2:
Same as above, but it should work via the pki CLI command.

use-case 3: agents should be able to authorize agent-approved certs via GSSAPI auth rather than certificate authentication in GUI.

use-case 4: agents should be able to authorize agent-approved certs via GSSAPI auth rather than certificate authentication in pki CLI.
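As an added illustration of use-case 1 (not Dogtag's or FreeIPA's own code), a Python sketch of the principal-to-DN mapping and the group-membership check that gates a profile. It assumes the realm and user container from the use-case, a constructed groupOfUniqueNames entry and a made-up profile name, and it rejects foreign realms and service-style principals before building the DN.

```python
import re

REALM = "EXAMPLE.COM"                      # realm from the use-case
USER_BASE = "ou=users,dc=example,dc=com"   # user container from the use-case

# RFC 4514 characters that must be escaped inside an RDN value, plus a
# leading or trailing space. Escaping prevents a crafted username from
# injecting extra RDN components into the constructed DN.
_RDN_ESCAPE = re.compile(r'([,+"\\<>;=#]|^ | $)')

def escape_rdn_value(value: str) -> str:
    return _RDN_ESCAPE.sub(lambda m: "\\" + m.group(1), value)

def principal_to_dn(principal: str) -> str:
    """Map user@REALM to uid=user,<USER_BASE>. Reject principals from
    another realm and multi-component ones (host/fqdn@REALM, user/admin@REALM)."""
    if principal.count("@") != 1:
        raise ValueError("malformed principal: %r" % principal)
    name, realm = principal.split("@")
    if realm != REALM:
        raise ValueError("principal from untrusted realm: %r" % realm)
    if not name or "/" in name:
        raise ValueError("not a plain user principal: %r" % principal)
    return "uid=%s,%s" % (escape_rdn_value(name), USER_BASE)

def normalize_dn(dn: str) -> str:
    """Minimal DN normalisation for comparison (whitespace around unescaped
    commas, case). Real code should use an LDAP library's DN parser."""
    return re.sub(r'(?<!\\)\s*,\s*', ',', dn).lower()

# Constructed group entry, as it would be read from LDAP; the profile name
# "exampleUserCert" is made up for this illustration.
PROFILE_GROUPS = {
    "exampleUserCert": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=users,dc=example,dc=com",
                         "uid=Bob, ou=users, dc=example, dc=com"],
    },
}

def is_member(group: dict, dn: str) -> bool:
    attr = "uniqueMember" if "groupOfUniqueNames" in group["objectClass"] else "member"
    target = normalize_dn(dn)
    return any(normalize_dn(m) == target for m in group.get(attr, []))

def authorize_profile(principal: str, profile: str) -> bool:
    """Use-case 1 decision: principal -> DN -> group membership; deny by default."""
    group = PROFILE_GROUPS.get(profile)
    if group is None:
        return False
    try:
        dn = principal_to_dn(principal)
    except ValueError:
        return False
    return is_member(group, dn)
```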

Pushing this to the 10.3 backlog after discussion with Ade and Fraser. This isn't needed for the first cut of Dogtag 10.3 since FreeIPA will not consume it yet.

Per CS Bug/Ticket Triage held 04/19/2016: 10.4

Confirmed with Fraser.

Note: we also want to add GSS-API support to the pki command line tool,
so that it can use a Kerberos ticket to authenticate as an alternative to
an X.509 cert.

It may make sense to break that out as a separate ticket, but I'll
leave it here as a comment for now.

Per Offline Triage of 11/30/2016-12/01/2016: 10.4 - blocker

Metadata Update from @simo:
- Issue assigned to ftweedal
- Issue set to the milestone: 10.4

4 years ago

7 patches pushed to master

  • 67d51413323e1d55fdc04ca5edf5d9f05afb0ebe Update ACLInterceptor to support external principals
  • ef84ef36be06944a7f6338ed022f13e066cd5c32 Update SessionContextInterceptor to handle external principals
  • 76f60251f7e1b2f1f9ad1752121c0c5cb1cb5b8b Update AuthMethodInterceptor to handle external principals
  • 433c7b70d7dd8609dea31b28aee042e48a41ac9f Add IAuthToken implementation for external principals
  • 00cf1cd2c6b9f5d8116921e4c3f1d07e7708388e Add groups and request attributes to external principals
  • 4cf87aa3babc4c7d8ea60a46cb548ebfee493ae4 CertProcessor: extract method setAuthTokenIntoRequest
  • 295cb2f175711a85f371c0fa93c584ad235066e4 Define AgentCertAuthentication token keys in IAuthToken

Metadata Update from @ftweedal:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None

4 years ago

Per PKI Bug Council of 03/23/2017: downgrading to critical

Metadata Update from @mharmsen:
- Issue priority set to: critical (was: blocker)

4 years ago

Five more commits to close this out:

  • b099b631bb49e17e0aa4cd8c7a818ba1c923ec92 Add authn manager that reuses auth token from session
  • dcc42ad4ed7fcbc566b7cf7ce1cbfae93b24a9a9 Add ExternalProcessConstraint for request validation
  • f67071910c6b74790f7ad75329f05e599076dee4 CertProcessor: set external principal attributes into request
  • a35c6cde1047e305142bec839b8953d90008c127 Allow arbitrary user data in cert request
  • 786d40f231f3636db381a835ce78904362ea72d0 CMS.getLogMessage: escape format elements in arguments

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.3 (was: 10.4)

4 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
