> Date: Wed, 10 Aug 2016 09:02:29 +0200
> From: Petr Spacek <[email protected]>
> To: [email protected]
> Subject: Re: [Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?)
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=windows-1252
>
> On 9.8.2016 21:37, Joe Thielen wrote:
> > First off, let me say THANK YOU to all of you who've helped make FreeIPA what it is. I think it's a fantastic project and it's amazing what it has achieved.
> >
> > Second off, I'm still quite new to FreeIPA, especially the internals. This includes Kerberos. I'm also very very limited at Python (I come from a PHP background - please don't hold it against me). I have toyed around with LDAP a little bit before looking at FreeIPA.
> >
> > After re-reading this e-mail I think it'd be important to note here at the top that my focus is on web-based apps and non-kerberized clients. The web app server would be an IPA client. I don't foresee a lot of terminal-based stuff going on, aside from potential admin CLI tasks (for the web-based app).
> >
> > I apologize in advance for the length of this e-mail. I have searched, a lot, to try and answer my own questions. That's actually how I found FreeIPA in the first place. I've looked at the site/wiki, the mailing list archive, and the Internet in general. But I've been unable to find a solution, or suggestions, which achieves exactly what I'm looking for. It may be that I'm just using the wrong terminology and/or getting lost in the buzzwords.
> >
> > What I'm trying to figure out is if there is a way to centrally manage sessions, in addition to everything else FreeIPA currently does. I'm not necessarily just talking about WebUI sessions, I'd like external web apps to be able to make use of it too. And, I'd like to be able to manage them via the WebUI.
> >
> > For example, let's say "joe" logs in to the WebUI (OR another web app tied to FreeIPA). Now, on another computer, "admin" logs into the WebUI. Can admin have a way to see that "joe" logged in, and, if need be, kill Joe's session?
> >
> > I'd like for it to maintain history. For each login/session, I'd like to see who logged in, when, from where, what their last access was, when they logged out (or if their session timed out), and the logout reason (manual logout, session timeout, or admin intervention).
> >
> > But like I said, I'm not just looking for WebUI sessions.
> >
> > Let's say I create a web app. I put it on a machine which is an IPA client. Thanks to the wealth of documentation and options, I have a variety of methods to achieve authentication. FreeIPA makes this great, and for that I'm thankful. However, in most of the documentation, it just says "create the session" cookie, and the rest is left as an exercise to the reader. I'm familiar with web apps and have implemented session management before. What I'd love to see is FreeIPA to be able to handle not just the auth but also the session management.
> >
> > Why? Because I'd not like to have to re-invent the wheel. And I'm trying to see if there is already some method to do this that I'm just fundamentally missing. Or at least if there are enough pieces that I could put together to make it happen.
> >
> > For "fun", I've tried to set up auth using different methods. I've successfully set it up using intercept_form_submit_module and lookup_identity_module. That's pretty neat, works great for auth. But, as far as I can tell, this method doesn't create a session or login trail in the memcached DB. In fact, I can't really find any trail aside from the Kerberos logging messages in /var/log/krbkdc.log.
> >
> > I've also used Tobias Sette's php-freeipa from GitHub. That works great too... for auth. And since that uses the JSON API, it looks like it does create a record in the memcached DB. So I suppose this could be one way in, maybe by a FreeIPA plugin?
> >
> > I guess I'm running in circles because then again I think... "what about pure Kerberos" clients... or those using intercept_form_submit_module? I'm not familiar with PAM. But from what I can tell, I assume there is a way to add a "pluggable" module for it too. But on the server? i.e., if a Kerberos session is established, is there a way, via PAM (or something else?) to log that session to the FreeIPA server? I think this is kinda what Kerberos is trying to get away from, but for the use cases I'm thinking of, it'd be a big feature. In my searching I've seen things like nss_mysql which look interesting, but of course wouldn't mesh with the FreeIPA WebUI memcached method.
> >
> > Speaking of which, I know that memcached is not by any means a permanent session log, and I understand it's not intended to be. So would this go into the LDAP tree? Would this clog it up too much? I'm looking to store a year of info... or more depending on the scenario.
> >
> > I've briefly looked at the Apache Shiro project. I'm not a Java guy, but from what I'm reading it kind of has the right idea. It even notes that the session management portions can be accessed from other apps (on other machines) and not necessarily from Java. But due to the whole thing being a mostly-Java product, I get lost far too easily. If this were already in FreeIPA I think that's kind of what I'm looking for.
> >
> > A single source of session information on the server. Along with the ability to view/search it via the FreeIPA WebUI (which I assume would mean it'd come from the JSON API).
> >
> > For someone creating a new app from scratch, this would not only cover the user/IdM and auth items, but also session management, and allow for more administrative control (kill a session administratively). I think this would really decrease the barrier to entry and give app authors a "known good" path to follow. Especially smaller, domain- or niche-specific projects.
> >
> > I've looked at the FreeIPA session recording page (http://www.freeipa.org/page/Session_Recording). That looks neat. However, if I'm reading it right, it's just for terminal sessions. It mentions being able to record login info, but being a newbie I can't quite follow exactly how it's achieving this goal (is that part all a function of tlog?).
> >
> > Anyway, again, I apologize for this very long e-mail. Am I totally barking up the wrong tree? Is this something FreeIPA can do and I just haven't figured out how? Or would it require far too much customization and/or be too far outside of the core functionality? Any hints, suggestions, or even criticism would be appreciated.
>
> Hello,
>
> I'm not a web-app guy but I would recommend you to look at the SAML protocol and the project Keycloak (which can be integrated with FreeIPA).
>
> AFAIK SAML gives you single-sign-on + the ability to forcibly log out users (kill their sessions). Still, it does not give you one central session (while still allowing the central management).
>
> Hopefully others will be able to elaborate on this.
>
> --
> Petr^2 Spacek

Hi Petr. Thanks for your reply. I did look at SAML before I found FreeIPA. I was able to get it up and running (simpleSAMLphp - both server and client), but I didn't find that it did what I wanted it to do.
Hey, project Keycloak looks neat, I will look further into that! Thanks again.
--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
