Add endpoint for GSSAPI Authentication #88

Merged
merged 1 commit into from
Feb 20, 2024


antoniotorresm
Collaborator

Add the login_kerberos endpoint for handling GSSAPI authentications. mod_auth_gssapi and gssproxy are included as dependencies. Additional steps are included to the IPA domain addition, such as the addition of the HTTP service and keytab retrieval. Additionally, login_password endpoint is provided as well, which requests a ticket using the user and password passed with the client request.

antoniotorresm force-pushed the gssapi branch 3 times, most recently from 7f05e7d to 33b9257 (January 9, 2024 14:30)
antoniotorresm force-pushed the gssapi branch 4 times, most recently from c9cc10d to 78ef05b (January 18, 2024 12:18)
antoniotorresm force-pushed the gssapi branch 3 times, most recently from 48e90e9 to 8440492 (January 24, 2024 12:47)
@antoniotorresm
Collaborator Author

Added a new field to the domain model, `keycloak_hostname`, that will take the hostname for the Keycloak host. I have also added automation for SPN creation and keytab retrieval on AD hosts.

@antoniotorresm
Collaborator Author

/retest

Collaborator

@f-trivino f-trivino left a comment

LGTM!
I have tested the new end-points for IPA and AD use cases using the same curl calls:

```
curl -k -v -X POST --negotiate -u : https://bridge.ipa.test/bridge/login_kerberos/

curl -k -v -X POST https://bridge.ipa.test/bridge/login_password/ --data 'user=ipauser&password=Secret123'
```

I think the PR covers the initial feature for IPA and AD, and it can be easily extended later on to cover RHDS/LDAPwithKerberos.

Ref testing, we are enabling RedHatTrustedPipeline and the plan is to run extensive e2e tests there.

abbra
abbra previously requested changes Feb 15, 2024

@abbra abbra left a comment

I added a few in-line comments.

src/ipa-tuura/domains/utils.py (resolved)
src/ipa-tuura/domains/utils.py (resolved)
src/ipa-tuura/domains/utils.py (outdated, resolved)

Add the `login_kerberos` endpoint for handling GSSAPI authentications.
mod_auth_gssapi and gssproxy are included as dependencies. Additional
steps are included to the IPA domain addition, such as the addition of
the HTTP service and keytab retrieval. Additionally, `login_password`
endpoint is provided as well, which requests a ticket using the user and
password passed with the client request.

Signed-off-by: Antonio Torres <[email protected]>
@antoniotorresm
Collaborator Author

Added Remote-User response header, needed for Keycloak plugin.

@antoniotorresm antoniotorresm dismissed abbra’s stale review February 20, 2024 12:15

Comments addressed.

@f-trivino f-trivino merged commit e6108a3 into freeipa:main Feb 20, 2024
3 checks passed
3 participants