On Thu, Nov 12, 2015 at 11:20:10AM +0100, Jan Pazdziora wrote:
> On Thu, Nov 12, 2015 at 07:46:25PM +1000, Fraser Tweedale wrote:
> > On Thu, Nov 12, 2015 at 08:34:11AM +0100, Jan Pazdziora wrote:
> > >
> > > I'm a bit confused. Do you try to do the authentication in tomcat
> > > or do you try to front-end tomcat with Apache? If you do it in tomcat
> > > itself (like the investigation seems to suggest), what is the role
> > > of mod_lookup_identity here?
> >
> > No Apache, no mod_lookup_identity. But a Tomcat Realm
> > implementation that does a lookup of principal info via SSSD via
> > D-Bus, like what mod_lookup_identity does for Apache.
>
> In general, that is what we tell people not to do.
>
> The goal is to use external authentication and identity operations
> in frontend server (Apache) and applications / frameworks consuming the
> results. The benefit of this approach is that you don't have to
> reimplement things when you, say, want to support an additional protocol
> -- hopefully, the platform will do it for you in the form of Apache
> modules. The mod_auth_openidc is a prime example -- ideally, any
> application that consumes results of external authentication (which
> was initially done for example to support Kerberos) gets OpenID Connect
> for free, just by reconfiguring the frontend Apache HTTP Server.
In this case I would be implementing a Realm module for Tomcat as an
application server (Dogtag to consume the resulting information in
our case). It does not always make sense to put Apache in front of
Tomcat, and we cannot assume such a setup. The similar argument
exists for Nginx; for which a "lookup identity" module was also
implemented.
I was wondering if you (or others) were aware of any existing
implementation for Tomcat.
Cheers,
Fraser
> --
> Jan Pazdziora | adelton at #ipa*, #brno
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat