Hi,

Using Kerberos and the Apache plugins mod_auth_gssapi and mod_lookup_identity, the following flow is working:
1. User is authenticated using kinit
2. Apache authenticates the user
3. The proxy transports the metadata of the user (SSSD provides the user info)
4. The metadata is added to the header and proxied to the backend server.

The Apache configuration looks like this:

    <LocationMatch "/private">
        ProxyPass http://localhost:2001/
        ProxyPassReverse http://localhost:2001/
        RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
        RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
        RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
        RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
        LookupUserAttr givenname REMOTE_USER_FIRSTNAME
        RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
        LookupUserAttr sn REMOTE_USER_LASTNAME
        RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
        LookupUserAttr preferredLanguage REMOTE_USER_LANGUAGE
        RequestHeader set X-SSSD-REMOTE_USER_LANGUAGE %{REMOTE_USER_LANGUAGE}e
        LookupUserGroups REMOTE_USER_GROUPS ","
        RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
    </LocationMatch>

This works fine, but not all metadata is retrieved:

    x-sssd-auth_type : [Negotiate]
    x-sssd-remote_user : [plott...@example.com]
    x-sssd-remote_user_firstname : [(null)]
    x-sssd-remote_user_groups : [ipausers]
    x-sssd-remote_user_language : [(null)]
    x-sssd-remote_user_lastname : [(null)]

Is there an ACL in FreeIPA which has to be adapted to use this metadata?
I added preferredLanguage in the sssd.conf file like this:

    [ifp]
    allowed_uids = ipaapi, root
    user_attributes = +preferredLanguage, +firstName, +lastName

And the log shows this works:

    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr preferredLanguage to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr firstName to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr lastName to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr name to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr uidNumber to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr gidNumber to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr gecos to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr homeDirectory to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr loginShell to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr groups to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr domain to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr domainname to whitelist
    * (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr extraAttributes to whitelist

Thanks in advance for any pointers to solve this, or for where to look for ACLs in the IPA logging. LDAP doesn't show anything.
Best regards,
Bart

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
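mod_lookup_identity's LookupUserAttr asks the SSSD InfoPipe for the attribute under exactly the name written in the directive, and the InfoPipe only returns attributes that are in the [ifp] user_attributes whitelist (plus the default set the log lists). The following Python checker is an added example, not code from the thread or from either project: it takes constructed copies of the two fragments above and lists the names Apache requests that the whitelist lacks. It compares names case-insensitively, which is an assumption of the checker.

```python
import re

# Constructed copies of the two fragments quoted in the mail, trimmed to the relevant directives.
APACHE_CONF = """
<LocationMatch "/private">
    LookupUserAttr givenname REMOTE_USER_FIRSTNAME
    LookupUserAttr sn REMOTE_USER_LASTNAME
    LookupUserAttr preferredLanguage REMOTE_USER_LANGUAGE
    LookupUserGroups REMOTE_USER_GROUPS ","
</LocationMatch>
"""
SSSD_CONF = """
[ifp]
allowed_uids = ipaapi, root
user_attributes = +preferredLanguage, +firstName, +lastName
"""
# Attributes the InfoPipe serves without being listed in user_attributes
# (the "default attr" entries in the sssd_ifp log).
IFP_DEFAULT_ATTRS = {"name", "uidnumber", "gidnumber", "gecos", "homedirectory",
                     "loginshell", "groups", "domain", "domainname", "extraattributes"}

def ifp_whitelist(sssd_conf):
    """Attribute names the [ifp] section allows. Names are lower-cased because
    LDAP attribute names are case-insensitive (an assumption of this checker)."""
    allowed = set(IFP_DEFAULT_ATTRS)
    in_ifp = False
    for raw in sssd_conf.splitlines():
        line = raw.strip()
        if line.startswith("["):           # section header
            in_ifp = line == "[ifp]"
        elif in_ifp and line.startswith("user_attributes"):
            for item in line.split("=", 1)[1].split(","):
                item = item.strip().lower()
                if item.startswith("+"):   # "+attr" adds to the default set
                    allowed.add(item[1:])
                elif item.startswith("-"): # "-attr" removes from it
                    allowed.discard(item[1:])
    return allowed

def requested_attrs(apache_conf):
    """Map each LookupUserAttr attribute (lower-cased) to the env variable it fills."""
    pat = re.compile(r"^\s*LookupUserAttr\s+(\S+)\s+(\S+)", re.MULTILINE)
    return {attr.lower(): env for attr, env in pat.findall(apache_conf)}

def missing_from_whitelist(apache_conf, sssd_conf):
    """Attributes Apache asks for that the InfoPipe will not return; these are
    the X-SSSD-* headers that reach the backend as (null)."""
    allowed = ifp_whitelist(sssd_conf)
    return sorted(a for a in requested_attrs(apache_conf) if a not in allowed)
```

Running `missing_from_whitelist(APACHE_CONF, SSSD_CONF)` on the fragments from the mail reports `givenname` and `sn`, matching the two headers that arrive as (null) while `preferredLanguage` is whitelisted but also arrives empty, so the checker narrows the search rather than closing it.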