#4 Koji auth requires custom certificates instead of using LDAP or SSO
Opened 8 years ago by ngompa. Modified 3 years ago

Today, Koji is the only aspect of the Fedora infrastructure I know of that still requires custom certificates to be installed into anything that will authenticate with it. Bodhi and others use single sign-on systems powered by Ipsilon, but Koji doesn't even have LDAP support.

The inability to properly integrate Koji into LDAP or SSO identity management systems is a barrier to wider adoption, especially by those who are unused to having such a quirk.

It'd be great if Koji supported LDAP and SSO, and if the Fedora instance migrated to using Ipsilon like everything else we've got deployed.


Hi. I'm open to adding more authentication options in Koji. Several folks in Fedora have suggested that they would submit patches, but I have yet to see any along that line.

https://pagure.io/koji/pull-request/92 should allow you to log in via any PAM-based solution (in my environment I use it against LDAP).

Metadata Update from @yulwang:
- Issue priority set to: Low
- Issue tagged with: groomed

4 years ago

Metadata Update from @yulwang:
- Issue tagged with: backlog

4 years ago

I'm going through the Koji backlog and reviewing old issues.

https://pagure.io/koji/issue/1556 has been filed to track the PAM support (https://pagure.io/koji/pull-request/92)

@ngompa is this particular issue something that you still want/need? If so, would the PAM support be sufficient?

Metadata Update from @dgregor:
- Custom field Size adjusted to None

4 years ago

@ngompa is this particular issue something that you still want/need? If so, would the PAM support be sufficient?

In Mageia, we need some way to do authentication via LDAP. Would the PAM method work for this case? Or should a dedicated LDAP authentication backend be added instead?

I was going to open a new issue, but I found this one.

Can we resurrect this ticket and possibly re-prioritize? I'd like to see if we can work something out for authenticating CentOS Stream users via a more modern authentication method.

The core Koji team has limited bandwidth right now, and this hasn't been a priority because for years existing auth methods have been sufficient.

@bstinson when last we talked I wasn't sure if you were actually going to need a new auth method.

Also, note that the PAM support issue mentioned above has been dropped.
