Hi,
Using the Kerberos and the Apache plugins mod_auth_gssapi and mod_lookup_identity the following flow is working:
1. User is authenticated using kinit
2. Apache authenticates the user
3. The proxy transports the meta data of the user (SSSD provides the user info)
4. The meta data is added to the header and proxied to the backend server.
The Apache configuration looks like this:
<LocationMatch "/private">
    ProxyPass http://localhost:2001/
    ProxyPassReverse http://localhost:2001/
    RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
    RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
    RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
    RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
    LookupUserAttr givenname REMOTE_USER_FIRSTNAME
    RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
    LookupUserAttr sn REMOTE_USER_LASTNAME
    RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
    LookupUserAttr preferredLanguage REMOTE_USER_LANGUAGE
    RequestHeader set X-SSSD-REMOTE_USER_LANGUAGE %{REMOTE_USER_LANGUAGE}e
    LookupUserGroups REMOTE_USER_GROUPS ","
    RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
</LocationMatch>
This works fine, but not all meta data is retrieved:
x-sssd-auth_type : [Negotiate]
x-sssd-remote_user : [plotters@EXAMPLE.COM]
x-sssd-remote_user_firstname : [(null)]
x-sssd-remote_user_groups : [ipausers]
x-sssd-remote_user_language : [(null)]
x-sssd-remote_user_lastname : [(null)]
Is there an ACL in FreeIPA which has to be adapted to use this meta data? I added preferredLanguage in the sssd.conf file like this:
[ifp]
allowed_uids = ipaapi, root
user_attributes = +preferredLanguage, +firstName, +lastName
And the log shows this works:
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr preferredLanguage to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr firstName to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr lastName to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr name to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr uidNumber to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr gidNumber to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr gecos to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr homeDirectory to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr loginShell to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr groups to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr domain to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr domainname to whitelist
(2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr extraAttributes to whitelist
Thanks in advance for any pointers to solve this, or for where to look for the ACL in the IPA logging. LDAP doesn't show anything.
Best regards, Bart
Plotters via FreeIPA-users wrote:
It's been a while, years, since I've configured ifp so I'm quite rusty. I believe you need to use the LDAP attribute names for these, so firstName -> givenname and lastName -> sn (surname).
preferredLanguage isn't something that rings a bell to me. What is storing that? Did you extend the schema for it?
rob
Hi Rob,
Thanks for the advice. I changed the LDAP attributes in the ifp config file, no luck. The preferredLanguage is default in the IPA LDAP schema. Did not extend the schema.
Do you know where to look to debug this issue?
Best regards, Bart
Plotters via FreeIPA-users wrote:
ifp is provided by sssd, you might ask them.
This article also has good info, https://adam.younglogic.com/2014/05/mod_lookup_identity/
rob
Hi Rob,
Thanks, that article helped. It's working now:
1. Add to /etc/sssd/sssd.conf:
   [domain/example.com]
   ldap_user_extra_attrs=email:mail, sn:sn, givenname:givenname, preferredLanguage:preferredLanguage
2. systemctl restart sssd.service
3. sudo sss_cache -E
Best regards, Bart
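As an added example (not from the thread or from SSSD/mod_lookup_identity), a small Python checker that applies Rob's and Bart's findings: it reads the LookupUserAttr names from the Apache config and verifies that each one is both fetched through a domain's ldap_user_extra_attrs and whitelisted with a leading "+" in [ifp] user_attributes, which is exactly what the (null) headers above were missing. The sssd.conf and Apache snippets are constructed from the thread; the assumption that SSSD matches attribute names exactly as written is marked in the code.

```python
import configparser
import re

# Constructed samples: the thread's sssd.conf before the fix and after it (LDAP names
# in [ifp] user_attributes, attributes fetched through ldap_user_extra_attrs).
SSSD_CONF_BEFORE = """[domain/example.com]
[ifp]
allowed_uids = ipaapi, root
user_attributes = +preferredLanguage, +firstName, +lastName
"""
SSSD_CONF_AFTER = """[domain/example.com]
ldap_user_extra_attrs = email:mail, sn:sn, givenname:givenname, preferredLanguage:preferredLanguage
[ifp]
allowed_uids = ipaapi, root
user_attributes = +preferredLanguage, +givenname, +sn
"""
# Constructed sample: the LookupUserAttr directives from the thread's Apache config.
APACHE_CONF = """LookupUserAttr givenname REMOTE_USER_FIRSTNAME
LookupUserAttr sn REMOTE_USER_LASTNAME
LookupUserAttr preferredLanguage REMOTE_USER_LANGUAGE
LookupUserGroups REMOTE_USER_GROUPS ","
"""

def apache_lookup_attrs(text):
    """Attribute names mod_lookup_identity will request from the SSSD InfoPipe."""
    return {m.group(1) for m in re.finditer(r"^\s*LookupUserAttr\s+(\S+)", text, re.M)}

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def sssd_exposed_attrs(text):
    """(whitelisted, fetched): '+name' entries of [ifp] user_attributes, and names left of ':' in ldap_user_extra_attrs."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    allowed = _csv(cp.get("ifp", "user_attributes", fallback=""))
    whitelisted = {a[1:] for a in allowed if a.startswith("+")}
    fetched = {a.split(":", 1)[0] for sec in cp.sections() if sec.startswith("domain/")
               for a in _csv(cp.get(sec, "ldap_user_extra_attrs", fallback=""))}
    return whitelisted, fetched

def missing_attrs(apache_text, sssd_text):
    """Attributes Apache looks up that SSSD cannot serve, mapped to the fix needed (assumption: SSSD compares names exactly as written)."""
    whitelisted, fetched = sssd_exposed_attrs(sssd_text)
    problems = {}
    for attr in sorted(apache_lookup_attrs(apache_text)):
        reasons = []
        if attr not in fetched:
            reasons.append("add %s:<ldap attribute> to ldap_user_extra_attrs" % attr)
        if attr not in whitelisted:
            reasons.append("add +%s to [ifp] user_attributes" % attr)
        if reasons:
            problems[attr] = "; ".join(reasons)
    return problems
```

Running missing_attrs(APACHE_CONF, SSSD_CONF_BEFORE) reports givenname and sn as neither fetched nor whitelisted and preferredLanguage as whitelisted but not fetched; with SSSD_CONF_AFTER it reports nothing.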
freeipa-users@lists.fedorahosted.org