Kerberos support design

Hello,

I created a kerberos wiki page [1] with the design of its integration into our current
authentication scheme (thanks Dominic for early discussions). Especially
Martin and Tomáš should be interested because it's related to the CLI. Please take
a look and reply with questions/comments or ping me via IRC.

[1] https://fedorahosted.org/katello/wiki/KerberosIntegration

-- Marek

Hello,

thank you for the questions and other comments you sent in separate emails.
Answers are below in the text.

> > [1] https://fedorahosted.org/katello/wiki/KerberosIntegration
>
> A couple of questions / points:
>
> 1) Is it going to be GSSAPI all the way or some direct Kerberos?
GSSAPI is used only on the client side. The Signo side uses rkerberos, which uses
kerberos directly.

> 2) What does rack-auth-krb have that mod_auth_kerb does not?
It's web server agnostic. Although we use Apache atm, we can switch to nginx
when we migrate to mod_passenger. Also, it's written in ruby, which our team
speaks.

> 3) The gssapi is now packaged:
>
> https://koji.fedoraproject.org/koji/packageinfo?packageID=16455
>
> I'll now work to get them to composes.
Wonderful!

> 4) It would be good if Bryan or perhaps someone from the Katello team
> fixed
>
> https://bugzilla.redhat.com/show_bug.cgi?id=975332
>
> 5) For the "Creating principal will be out of a scope of katello" –
> this can be scripted with the IPA commands – namely ipa
> service-add.
>
> 6) For the "This file must exist before Signo is started" – again,
> use IPA command – ipa-getkeytab.
Does this mean we'd depend on FreeIPA? Or do these commands work with other
kerberos systems as well? Is it sufficient to install freeipa-admintools (or
another package) to use them?

> 7) For the "Fallback to other backends - how we'll decide which one to
> use" – this is obviously on admin to decide and configure, with
> Katello providing sensible default. If you go with Kerberos but you
> will probably need to at least support the password change. Of
> course, you can just redirect to the IPA server to do that.
>
> 8) For the "Do we want to ensure clocks are synced" – do you plan
> for the systems to be enrolled as IPA clients? If yes, the setup of
> IPA client side will take care of this.
I don't think so.

Thanks

On Monday 24 of June 2013 11:18:50 you wrote:

Marek