Hi folks,
on RHEL8.0, we've set up a small cluster with a FreeIPA server and two clients, one running a browser (Firefox) and the other running a web server (tomcat). (IdM is still configured with the defaults.)
Now, what is the proper way to tackle fine grained access control to the web service? We want to do something like the IdM server GUI, i.e. some users are authorized to use all the functions of the GUI, others are restricted to editing or viewing a limited set of pages, and others are locked out. So far I've looked into host based authentication, but that doesn't seem to solve the task at hand. All access control should be done through Kerberos tickets.
A pointer to related documentation would also help.
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
Hello Dominik,
I haven't done it myself, but I'd start here:
https://www.freeipa.org/page/Web_App_Authentication
Rafael
On Thu, Apr 16, 2020 at 5:11 AM Dominik Vogt via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi folks,
on RHEL8.0, we've set up a small cluster with a FreeIPA server and two clients, one running a browser (Firefox) and the other running a web server (tomcat). (IdM is still configured with the defaults.)
Now, what is the proper way to tackle fine grained access control to the web service? We want to do something like the IdM server GUI, i.e. some users are authorized to use all the functions of the GUI, others are restricted to editing or viewing a limited set of pages, and others are locked out. So far I've looked into host based authentication, but that doesn't seem to solve the task at hand. All access control should be done through Kerberos tickets.
A pointer to related documentation would also help.
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 16.04.20 10:09, Dominik Vogt via FreeIPA-users wrote:
Hi folks,
on RHEL8.0, we've set up a small cluster with a FreeIPA server and two clients, one running a browser (Firefox) and the other running a web server (tomcat). (IdM is still configured with the defaults.) [...]
We are using mod_auth_gssapi and mod_authnz_pam with Apache in several setups. The important part is the
require pam-account something
line in the apache config where "something" refers to /etc/pam.d/something
This file has to have the following content:
    auth    required pam_sss.so
    account required pam_sss.so
On the ipa side you need an HBAC service named "something".
That's it.
Cheers, Ronald
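An added example, not from Ronald's post or the FreeIPA project, that writes out the three pieces he lists and goes one step further for the fine-grained case: one PAM/HBAC service per URL prefix, so different paths get different HBAC rules. The host webapp.example.test, the service and group names, and the keytab path are assumptions.

```shell
#!/bin/bash
# Added example: render httpd, PAM and IPA HBAC pieces for per-path
# authorization with mod_auth_gssapi + mod_authnz_pam + SSSD/HBAC.
# Assumed names: host webapp.example.test, services webapp-admin and
# webapp-view, groups web-admins and web-viewers, /etc/httpd/http.keytab.
set -eu

# <Location> block: Kerberos (GSSAPI) authentication, then the HBAC
# decision via PAM. GssapiLocalName strips the realm so PAM gets a plain
# username. Args: URL path, PAM/HBAC service name.
render_location() {
  cat <<EOF
<Location "$1">
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/httpd/http.keytab
    GssapiLocalName On
    Require pam-account $2
</Location>
EOF
}

# Content of /etc/pam.d/<service>: both stacks answered by pam_sss so the
# IPA HBAC rules for that service are evaluated.
render_pam_service() {
  printf 'auth    required pam_sss.so\naccount required pam_sss.so\n'
}

# IPA commands creating the HBAC service plus an allow rule for one group,
# ending with hbactest to check the decision before trusting it in prod.
# Args: service name, web server host, allowed user group.
render_ipa_commands() {
  cat <<EOF
ipa hbacservice-add $1
ipa hbacrule-add allow_$1
ipa hbacrule-add-service allow_$1 --hbacsvcs=$1
ipa hbacrule-add-host allow_$1 --hosts=$2
ipa hbacrule-add-user allow_$1 --groups=$3
ipa hbactest --user=someuser --host=$2 --service=$1
EOF
}

# Demo: viewers on /, admins on /admin. Later <Location> blocks override
# earlier ones, so the broader prefix is rendered first.
render_location / webapp-view
render_location /admin webapp-admin
render_pam_service
render_ipa_commands webapp-view webapp.example.test web-viewers
render_ipa_commands webapp-admin webapp.example.test web-admins
```

With IdM at its defaults the built-in allow_all HBAC rule is enabled, so these per-service rules restrict nothing until allow_all is disabled (ipa hbacrule-disable allow_all), which should only be done once rules for sshd, sudo and the other services in use exist.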
On 4/16/20 10:09 AM, Dominik Vogt via FreeIPA-users wrote:
Hi folks,
on RHEL8.0, we've set up a small cluster with a FreeIPA server and two clients, one running a browser (Firefox) and the other running a web server (tomcat). (IdM is still configured with the defaults.)
Now, what is the proper way to tackle fine grained access control to the web service? We want to do something like the IdM server GUI, i.e. some users are authorized to use all the functions of the GUI, others are restricted to editing or viewing a limited set of pages, and others are locked out. So far I've looked into host based authentication, but that doesn't seem to solve the task at hand. All access control should be done through Kerberos tickets.
A pointer to related documentation would also help.
Hi,
there is a section in FreeIPA workshop that would guide you through the required steps: https://github.com/freeipa/freeipa-workshop/blob/master/5-web-app-authnz.rst
HTH, flo
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
On Thu, Apr 16, 2020 at 06:38:49PM +0200, Florence Blanc-Renaud wrote:
there is a section in FreeIPA workshop that would guide you through the required steps: https://github.com/freeipa/freeipa-workshop/blob/master/5-web-app-authnz.rst
Thank you very much for the information and also to Rafael and Ronald. You have helped me a lot. The documentation looks good.
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt