(Change announced on 2014-05-14)

Revision as of 12:14, 14 May 2014

Web Application Authentication

Summary

At the operating system level, there are numerous authentication and identity lookup mechanisms, some of them using sssd. With new Apache modules and a new sssd, some of those mechanisms become more easily consumable by web applications. Various web application environments and frameworks can then consume the results of authentication and information retrieval through environment variables similar to REMOTE_USER.

Owner

Current status

  • Targeted release: Fedora 21
  • Last updated: 2014-04-08
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

With mod_authnz_pam, PAM authentication and access checks are available to web applications, allowing a wider combination of authentication and access controls. One specific target is the host-based access control rules of FreeIPA for Kerberos SSO via pam_sss and sssd.

The mod_intercept_form_submit module makes it possible to enable the PAM authentication of mod_authnz_pam on normal logon form handling paths, which can then be consumed by web applications with fairly minimal changes.

The mod_lookup_identity module uses sssd-dbus to retrieve additional attributes such as name, email address, or group membership, and populates environment variables so that web applications can consume this information easily.

sssd-dbus implements a new service, ifp, which provides access to additional user-related pieces of information.
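
A sketch of the consuming side described above, added here and not taken from the proposal or from the modules themselves: a Python WSGI application that reads the identity the web server places in REMOTE_USER and in similarly named variables, and makes an access decision from the group list. The names REMOTE_USER_EMAIL and REMOTE_USER_GROUPS, the ":" separator and the group webadmins are assumptions chosen for illustration.

```python
# Added example: a WSGI app consuming identity set by the web server.
# Variable names other than REMOTE_USER are assumptions made for this sketch.
from wsgiref.util import setup_testing_defaults

GROUP_SEP = ":"                 # assumed separator configured on the server side
REQUIRED_GROUP = "webadmins"    # hypothetical group name


def identity_from_environ(environ):
    """Return an identity dict from server-populated variables, or None.

    Only the exact CGI-style keys are read. Client request headers arrive
    as HTTP_* keys (a "Remote-User" header becomes HTTP_REMOTE_USER), so a
    header sent by the client is never read as the server-set value.
    """
    user = environ.get("REMOTE_USER", "").strip()
    if not user:
        return None
    groups = environ.get("REMOTE_USER_GROUPS", "")
    return {
        "user": user,
        "email": environ.get("REMOTE_USER_EMAIL") or None,
        "groups": frozenset(g for g in groups.split(GROUP_SEP) if g),
    }


def app(environ, start_response):
    ident = identity_from_environ(environ)
    if ident is None:
        status, body = "401 Unauthorized", "authentication required\n"
    elif REQUIRED_GROUP not in ident["groups"]:
        status, body = "403 Forbidden", "not in %s\n" % REQUIRED_GROUP
    else:
        status, body = "200 OK", "hello %s\n" % ident["user"]
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode("utf-8")]


def call(extra):
    """Run the app once against a constructed environ; return the status line."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra)
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```
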

Benefit to Fedora

  • Better integration in large / enterprise deployments.

Scope

  • Proposal owners: Three new packages (Apache modules) and rebase of sssd.
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

N/A (not a System Wide Change)

User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)
  • Blocks product? None.

Documentation

http://www.freeipa.org/page/Web_App_Authentication

Release Notes