ravada
ravada copied to clipboard
UPC
Authentication via Kerberos
Is your feature request related to a problem? Please describe. The feature request we are looking to hopefully be implemented would be integration with Kerberos authentication such that a user may log in with their Kerberos account at the login portal.
Describe the solution you'd like I am not entirely sure how this would be implemented as my knowledge of authenticating with Kerberos for front-end (website) doesn't extend much beyond using Apache/ModKRB which utilizes Apache's basic authentication module - in my opinion a very crude and non user friendly method of authenticating.
Describe alternatives you've considered We have considered using LDAP as we see it is currently supported with Ravada however our account system (including passwords) is through Kerberos, our current LDAP server is solely used to serve account information such as home directory location, netid, group and user ids.
Let me know if you need any more information.
This is a pretty interesting request @scorrette. Unfortunately, we have limited resources and this feature has not been required by our sponsor. I am sorry, I don't think we will provide this any time soon. Also keep in mind some features require an LDAP server, like groups management. Anyway, I will try to create the source files where the code for this would be implemented if anyone out there would step in to contribute. Thanks for your detailed and thoughtful request.
Hi @frankiejol, sorry for the late response again. I've talked with my director and we will attempt to implement Kerberos Authentication with LDAP for account information. If you could provide us a direction as to where you would like us to implement the code, that would be appreciated. We'll update you as we get through testing it etc.
That is fantastic. I just prepared a branch with very minimal code. I am sorry I never used Kerberos nor I don't know anything about it. I just assume there is a connection to a Kerberos server and a way to check an username/password is valid. The required code will go to the file lib/Ravada/Auth/Kerberos.pm . We also have to find a Kerberos library for perl. At a glance I think we could use Authen::Krb5::Simple https://metacpan.org/pod/Authen::Krb5::Simple but we must do some research here. There are many Kerberos libraries available, I see there are debian packages in my system:
- libauthen-simple-kerberos-perl
- libauthen-krb5-perl
- libauthen-krb5-simple-perl
We have a doc about how to set up a development environment here : https://ravada.readthedocs.io/en/latest/docs/INSTALL_devel.html It may be slightly outdated. @scorrette you may contact us directly via email at [email protected] to help you set this up. We are really looking forward to having this feature implemented.
Hi @frankiejol, thank you for this information! My director took a look and it appears to be a simple implementation using the Authen::Krb5:Simple library and he created a test Perl script to make sure and it worked using the default krb5,conf file found on the system. So I was going to work this into Kerberos.pm and give it a shot. I will get to setting up the development environment within the next week hopefully. It's final exam season so things have been a little hectic. I will keep you up to date.
Hi @frankiejol, I believe I have the code I need in place to test and have the realm set in the config file, what additional steps do I need to take in order for authentication via Kerberos to work, i.e. a way to enable the user of kerberos authentication over DB auth.
Awesome ! I am not sure where are you testing this. Please fork the project in your own github account. Then download it, with git clone [email protected]:scorrette/ravada.git , change to the kerberos branch where I created the file where the code should be:
git checkout feat/kerberos . Edit the file lib/Ravada/Auth/Kerberos.pm and add your code there.
Those instructions may be too sparse, please let me know where you get stuck and let me help you with that.
@frankiejol I had cloned the main repo and then changed into the kerberos feature prior to my last message and had already made the modifications to the Kerberos.pm file as well as added the realm configuration to ravada.conf. I've been attempting to run the code using the development server method discussed in the docs you sent. Despite having the kerberos module setup the way I believe it should be and configured in the ravada.conf, the system defaults to using SQL for login with no apparent errors. Is there a way to force Kerberos login over SQL or a more proper way to test this new setup?
If you would like me to continue with forking the project so you may take a look at the code let me know, I could do that real quick.
Changes have been pushed just now. Please excuse me if there is anything I modified that I shouldn't have, wanted to exhaust all options before asking for help, didn't want to be bothersome. Most of the code made sense as I was going through it and it looked like it should just switch from SQL authentication to Kerberos so long as the kerberos configuration is in place, is this assumption correct?
At a glance it looks fantastic ! I will write a test file to check the module gets loaded properly when the configuration is added. Eventually we will add more test cases.
Fantastic, thank you for the constant support in getting this sorted out, means a great deal to me and my team!
I just made this quick test file. Feel free to grab it and add it to your own fork. https://github.com/UPC/ravada/blob/feat/kerberos/t/66_user_kerberos.t
Test it doing: $ prove -l t/66_user_kerberos.t
So I spotted two small things you have to change. I think it is possible to add code here but I just don't know how. I hope it reads well:
Around line 24:
-sub BUILD($self) {
+sub BUILD {
+ my $self = shift;
And line 38:
- return $KERBEROS->authenticate($self->login, $self->password);
+ return $KERBEROS->authenticate($self->name, $self->password);
Please notice the test will fail around line 68 because it still lacks more code there.
The test did indeed fail around where you marked it. I believe this is ok in our use case however since it appears, after making the modifications in the code you mentioned, we are now able to successfully login using Kerberos. Only issue I ran into was that it errored when attempting to check if the user that was logging in was an admin, for the time being I commented out the line that would die and substituted return 0 for the time being.
Being able to add users to the kerberos server is outside of the scope of what we would like to achieve (a strong preference for only creating new kerberos accounts directly on the krb server). I think as long as there is a way to access a "local" admin that is saved in the database for ravada while allowing all other users to sign in via kerberos we should be good to go.
I see I am able to log in with database accounts if need which is neat. An issue I'm running into after logging in with a Kerberos account is an error: "Missing id_owner" just after logging in and when the Available Machines tab is refreshed. There are templates available on the system however not appearing these users.
Edit1: I just realized its most likely because when a Kerberos User logs in, they are not being recorded into ravada.users, hence no id associated with them.
Edit2: Upon further investigation on how LDAP is implemented, should there be something similar in Kerberos.pm that includes the following line:
Ravada::Auth::SQL::add_user(name => $self->name, is_external => 1, is_temporary => 0, external_auth => 'kerberos');
I am sorry I only took a quick glance to your message. You are correct about the last line. I guess we should improve it to make it automatic for external auth, but you have to call it by now. I want to test it myself, but I am sorry I have no idea about Kerberos. Can you recomend a small guide to install a basic Kerberos server in Ubuntu ?
I just quickly setu p a Krb realm in my PC and tried your code. It works nicely with the last changes we talked the other day. Please make sure you have this two functions in lib/Ravada/Auth/Kerberos.pm
See if it is working, polish the code and create a Pull Request. Hopefully it works as expected and we have this new feature for the very next release 1.6.
sub login($self) {
$self->_connect_kerberos();
my $user_ok = $KERBEROS->authenticate($self->name, $self->password);
$self->_check_user_profile($self->name) if $user_ok;
return $user_ok;
}
sub _check_user_profile {
my $self = shift;
my $user_sql = Ravada::Auth::SQL->new(name => $self->name);
if ( $user_sql->id ) {
if ($user_sql->external_auth ne 'ldap') {
$user_sql->external_auth('ldap');
}
return;
}
Ravada::Auth::SQL::add_user(name => $self->name, is_external => 1, is_temporary => 0
, external_auth => 'kerberos');
}
Hi @frankiejol,
Sorry for the late reply, I am currently on a camping trip so I have spotty data connection and just saw these now (I'll be back in the office next Tuesday). I ended up adding something similar to the modification you just mentioned. Something else I ran into after getting that to successfully work was when you go to modify a kerberos users profile (change their grants or make them admins). I believe it failed cause it assumed external auth to be ldap when it was kerberos. I forgot what modification I did to fix it but please look into this too. What I did might just be a quick bandaid for my purposes.
Hey @scorrette don't worry ! We finish this when you have the time. It just looks so promising I just wanted to check you were on the right track. Have fun !
Hello @scorrette , we left this unfinished. Your last fork had almost everything ready. If you do not have time you may do a PR as it is and I will give the final touch.