F21 Self Contained Change: Web Application Authentication

Jaroslav Reznik jreznik at redhat.com
Wed May 14 12:13:38 UTC 2014

= Proposed Self Contained Change: Web Application Authentication = 

Change owner(s): Jan Pazdziora <jpazdziora at redhat.com>,  Jakub Hrozek

At the operating system level, there are numerous authentication and identity 
lookup mechanisms, some of them using sssd. With new Apache modules and a new 
sssd, some of those mechanisms become more easily consumable by web 
applications. Various web application environments and frameworks can then 
consume the results of authentication and information retrieval through 
environment variables similar to REMOTE_USER.

== Detailed Description ==
With mod_authnz_pam, PAM authentication and access checks are available to web 
applications, allowing a wider combination of authentication and access 
controls. One specific target is the host-based access control rules of FreeIPA 
for Kerberos SSO via pam_sss and sssd.

The mod_intercept_form_submit module makes it possible to enable the PAM 
authentication of mod_authnz_pam on normal logon form handling paths, which 
can then be consumed by web applications with fairly minimal changes.

The mod_lookup_identity module uses sssd-dbus to retrieve additional attributes 
like name, email address, or group membership, and populates environment 
variables for easy consumption of this information by web applications.

sssd-dbus implements a new service, ifp, which provides access to additional 
user-related pieces of information.

== Scope ==
* Proposal owners: Three new packages (Apache modules) and rebase of sssd. 
* Other developers: N/A (not a System Wide Change) 
* Release engineering: N/A (not a System Wide Change) 
* Policies and guidelines: N/A (not a System Wide Change) 
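
The application side of the Detailed Description, as an added example that is not part of the original proposal or of the modules' own code: a WSGI application that takes the authenticated user and looked-up attributes only from server-set environment variables. Apart from REMOTE_USER, the variable names, the ":" group separator and the required_group parameter are assumptions made for this sketch.

```python
# Added example: a WSGI application consuming identity data that the web
# server placed in the request environment after authentication.
# Assumed (not from the original post): the variable names REMOTE_USER_EMAIL,
# REMOTE_USER_FULLNAME and REMOTE_USER_GROUPS, and ':' as the group separator.

TRUSTED_VARS = {
    "login": "REMOTE_USER",
    "email": "REMOTE_USER_EMAIL",
    "fullname": "REMOTE_USER_FULLNAME",
}
GROUPS_VAR = "REMOTE_USER_GROUPS"
GROUP_SEP = ":"


def identity_from_environ(environ):
    """Return the server-asserted identity, or None if unauthenticated.

    Only server-set variables are read. Request headers arrive in WSGI as
    HTTP_* keys (a client header "Remote-User" becomes HTTP_REMOTE_USER),
    so they can never collide with the names used here.
    """
    login = environ.get("REMOTE_USER", "").strip()
    if not login:
        return None
    ident = {key: environ.get(var, "") for key, var in TRUSTED_VARS.items()}
    ident["login"] = login
    raw = environ.get(GROUPS_VAR, "")
    ident["groups"] = frozenset(g for g in raw.split(GROUP_SEP) if g)
    return ident


def application(environ, start_response, required_group="webapp-admins"):
    # required_group is a hypothetical group name used for the access check.
    ident = identity_from_environ(environ)
    if ident is None:
        status, body = "401 Unauthorized", "authentication required\n"
    elif required_group not in ident["groups"]:
        status, body = "403 Forbidden", "not a member of %s\n" % required_group
    else:
        status, body = "200 OK", "hello %s <%s>\n" % (ident["fullname"], ident["email"])
    payload = body.encode("utf-8")
    start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(payload)))])
    return [payload]
```
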