First off, let me say THANK YOU to all of you who've helped make FreeIPA what it is. I think it's a fantastic project and it's amazing what it has achieved.
Second off, I'm still quite new to FreeIPA, especially the internals. This includes Kerberos. I'm also very very limited at Python (I come from a PHP background - please don't hold it against me). I have toyed around with LDAP a little bit before looking at FreeIPA. After re-reading this e-mail I think it'd be important to note here at the top that my focus is on web-based apps and non-kerberized clients. The web app server would be an IPA client. I don't foresee a lot of terminal-based stuff going on, aside from potential admin CLI tasks (for the web-based app).

I apologize in advance for the length of this e-mail. I have searched, a lot, to try and answer my own questions. That's actually how I found FreeIPA in the first place. I've looked at the site/wiki, the mailing list archive, and the Internet in general. But I've been unable to find a solution, or suggestions, which achieves exactly what I'm looking for. It may be that I'm just using the wrong terminology and/or getting lost in the buzzwords.

What I'm trying to figure out is if there is a way to centrally manage sessions, in addition to everything else FreeIPA currently does. I'm not necessarily just talking about WebUI sessions, I'd like external web apps to be able to make use of it too. And, I'd like to be able to manage them via the WebUI.

For example, let's say "joe" logs in to the WebUI (OR another web app tied to FreeIPA). Now, on another computer, "admin" logs into the WebUI. Can admin have a way to see that "joe" logged in, and, if need be, kill Joe's session? I'd like for it to maintain history. For each login/session, I'd like to see who logged in, when, from where, what their last access was, when they logged out (or if their session timed out), and the logout reason (manual logout, session timeout, or admin intervention).

But like I said, I'm not just looking for WebUI sessions. Let's say I create a web app. I put it on a machine which is an IPA client.
Thanks to the wealth of documentation and options, I have a variety of methods to achieve authentication. FreeIPA makes this great, and for that I'm thankful. However, in most of the documentation, it just says "create the session cookie", and the rest is left as an exercise to the reader.

I'm familiar with web apps and have implemented session management before. What I'd love to see is FreeIPA being able to handle not just the auth but also the session management. Why? Because I'd not like to have to re-invent the wheel. And I'm trying to see if there is already some method to do this that I'm just fundamentally missing. Or at least if there are enough pieces that I could put together to make it happen.

For "fun", I've tried to set up auth using different methods. I've successfully set it up using intercept_form_submit_module and lookup_identity_module. That's pretty neat, works great for auth. But, as far as I can tell, this method doesn't create a session or login trail in the memcached DB. In fact, I can't really find any trail aside from the Kerberos logging messages in /var/log/krbkdc.log.

I've also used Tobias Sette's php-freeipa from GitHub. That works great too... for auth. And since that uses the JSON API, it looks like it does create a record in the memcached DB. So I suppose this could be one way in, maybe by a FreeIPA plugin?

I guess I'm running in circles because then again I think... "what about pure Kerberos clients... or those using intercept_form_submit_module?" I'm not familiar with PAM. But from what I can tell, I assume there is a way to add a "pluggable" module for it too. But on the server? I.e., if a Kerberos session is established, is there a way, via PAM (or something else?) to log that session to the FreeIPA server? I think this is kinda what Kerberos is trying to get away from, but for the use cases I'm thinking of, it'd be a big feature.
In my searching I've seen things like nss_mysql which look interesting, but of course wouldn't mesh with the FreeIPA WebUI memcached method. Speaking of which, I know that memcached is not by any means a permanent session log, and I understand it's not intended to be. So would this go into the LDAP tree? Would this clog it up too much? I'm looking to store a year of info... or more depending on the scenario.

I've briefly looked at the Apache Shiro project. I'm not a Java guy, but from what I'm reading it kind of has the right idea. It even notes that the session management portions can be accessed from other apps (on other machines) and not necessarily from Java. But due to the whole thing being a mostly-Java product, I get lost far too easily.

If this were already in FreeIPA I think that's kind of what I'm looking for. A single source of session information on the server. Along with the ability to view/search it via the FreeIPA WebUI (which I assume would mean it'd come from the JSON API). For someone creating a new app from scratch, this would not only cover the user/IdM and auth items, but also session management, and allow for more administrative control (kill a session administratively). I think this would really decrease the barrier to entry and give app authors a "known good" path to follow. Especially smaller, domain- or niche-specific projects.

I've looked at the FreeIPA session recording page (http://www.freeipa.org/page/Session_Recording). That looks neat. However, if I'm reading it right, it's just for terminal sessions. It mentions being able to record login info, but being a newbie I can't quite follow exactly how it's achieving this goal (is that part all a function of tlog?).

Anyway, again, I apologize for this very long e-mail. Am I totally barking up the wrong tree? Is this something FreeIPA can do and I just haven't figured out how? Or would it require far too much customization and/or be too far outside of the core functionality?
Any hints, suggestions, or even criticism would be appreciated.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
