Plotters via FreeIPA-users wrote:
Hi,
Using the Kerberos and the Apache plugins mod_auth_gssapi and mod_lookup_identity the
following flow is working:
1. User is authenticated using kinit
2. Apache authenticates the user
3. The proxy transports the metadata of the user (SSSD provides the user info)
4. The metadata is added to the header and proxied to the backend server.
The Apache configuration looks like this:
<LocationMatch "/private">
    ProxyPass http://localhost:2001/
    ProxyPassReverse http://localhost:2001/
    RequestHeader set X-SSSD-REMOTE_USER expr=%{REMOTE_USER}
    RequestHeader set X-SSSD-AUTH_TYPE expr=%{AUTH_TYPE}
    RequestHeader set X-SSSD-REMOTE_HOST expr=%{REMOTE_HOST}
    RequestHeader set X-SSSD-REMOTE_ADDR expr=%{REMOTE_ADDR}
    LookupUserAttr givenname REMOTE_USER_FIRSTNAME
    RequestHeader set X-SSSD-REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
    LookupUserAttr sn REMOTE_USER_LASTNAME
    RequestHeader set X-SSSD-REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
    LookupUserAttr preferredLanguage REMOTE_USER_LANGUAGE
    RequestHeader set X-SSSD-REMOTE_USER_LANGUAGE %{REMOTE_USER_LANGUAGE}e
    LookupUserGroups REMOTE_USER_GROUPS ","
    RequestHeader set X-SSSD-REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
</LocationMatch>
This works fine, but not all metadata is retrieved:
x-sssd-auth_type : [Negotiate]
x-sssd-remote_user : [plotters(a)EXAMPLE.COM]
x-sssd-remote_user_firstname : [(null)]
x-sssd-remote_user_groups : [ipausers]
x-sssd-remote_user_language : [(null)]
x-sssd-remote_user_lastname : [(null)]
Is there an ACL in FreeIPA which has to be adapted to use this metadata? I added
preferredLanguage in the sssd.conf file like this:
[ifp]
allowed_uids = ipaapi, root
user_attributes = +preferredLanguage, +firstName, +lastName
And the log shows this works:
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr preferredLanguage to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr firstName to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added allowed attr lastName to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr name to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr uidNumber to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr gidNumber to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr gecos to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr homeDirectory to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr loginShell to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr groups to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr domain to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr domainname to whitelist
* (2021-10-11 20:18:33): [ifp] [parse_attr_list_ex] (0x2000): Added default attr extraAttributes to whitelist
Thanks in advance for any pointers to solve this, or where to look for ACLs in the IPA
logging. LDAP doesn't show anything.
It's been a while, years, since I've configured ifp so I'm quite rusty.
I believe you need to use the LDAP attribute names for these, so
firstName -> givenname and lastName -> sn (surname).
preferredLanguage isn't something that rings a bell to me. What is
storing that? Did you extend schema for it?
rob
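For the lookups to return values, the attribute names requested by LookupUserAttr, whitelisted in the InfoPipe and fetched into the SSSD domain cache all have to be the same LDAP names. The sssd.conf fragment below is an added example, not from the thread; it assumes an IPA domain named example.com and that preferredLanguage is actually populated on the user entry.

```ini
# /etc/sssd/sssd.conf (added example; the domain name is an assumption)

[domain/example.com]
id_provider = ipa
# Attributes beyond the POSIX defaults are only available to the InfoPipe
# once the domain provider fetches them from LDAP into the cache. Use the
# LDAP names (givenname, sn), not firstName/lastName.
ldap_user_extra_attrs = givenname, sn, preferredLanguage

[ifp]
# UIDs allowed to call the InfoPipe over D-Bus; this must include the UID
# the httpd worker running mod_lookup_identity executes as.
allowed_uids = ipaapi, root
# Whitelist the same LDAP names that LookupUserAttr asks for in httpd.conf
user_attributes = +givenname, +sn, +preferredLanguage
```

After editing, run `sss_cache -E` and restart sssd so the extra attributes are fetched on the next lookup, then request /private again and check whether the X-SSSD-REMOTE_USER_FIRSTNAME, _LASTNAME and _LANGUAGE headers are no longer (null).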