Fedora

Here is a little utility I’ve worked up while working with the Openstack Keystone code.

To extract the token out of the JSON, use the following pyton script

#!/usr/bin/python

from sys import stdin
import json
print json.load(stdin)['access']['token']['id']

Which I save in ~/bin/extract_keystone_id.py

Here’s the Curl to fetch a token from Keystone, assuming you ‘ve loaded up the sample data from the unit tests:

curl -v   -H "Content-Type:application/json"  -s  -H "Accept:applicaton/json"  -d '{"auth":{"passwordCredentials":{"userId":"foo", "password":"foo2"} ,"tenantName":"bar"}}'   -X POST  http://0.0.0.0:35357/v2.0/tokens  | ~/bin/extract_keystone_id.py

A recent change in the structure of the Openstack Keystone architecture resulted in the loss of support for an LDAP Backend. I’ve been working to rectify that.  Here’s my set up and the design decisions I’ve made so far.  Since this code is not yet submitted for code review,  there is a good chance that it will change prior to deployment.

Users will be stored in a flat collection. ou=Users,$SUBTREE and be based on the standard LDAP objectClass inetOrgPerson which is defined in /etc/openldap/schema/inetorgperson.ldif. Currently, only two fields are used: cn and sn. cn is used for the bind call, and is the id field in the user object.

Tenants are in a collection that is a peer to Users. Tenants are instancs of the groupOfNames object class defined in /etc/openldap/schema/core.ldif. Tenant membership is indicated by the presence of the User’s DN in the tenant’s members attribute.

Roles are instances of the LDAP object class organizationalRole defined in /etc/openldap/schema/core.ldif. Role assignment is indicated by the presence of the User’s DN in the roleOccupant attribute.

Configuration of LDAP for the Keystone server is provided by the [LDAP] stanza in the appropriate keystone.conf file. Here are the supported values

• url
• user
• password
• suffix
• use_dumb_member
• user_tree_dn
• tenant_tree_dn
• role_tree_dn

And an example of what my config file looks like:

[ldap]
url = ldap://localhost
tree_dn = dc=younglogic,dc=com
user_tree_dn = ou=Users,dc=younglogic,dc=com
role_tree_dn = ou=Roles,dc=younglogic,dc=com
tenant_tree_dn = ou=Groups,dc=younglogic,dc=com
user = dc=Manager,dc=younglogic,dc=com
password = freeipa4all
backend_entities = ['Tenant', 'User', 'UserRoleAssociation', 'Role']
suffix =cn=younglogic,cn=com

[identity]
driver = keystone.identity.backends.ldap.Identity

Not all of these fields need to be specified. It is expected that the user will supply simply the suffix field, and not override the values of user_tree_dn,role_tree_dn, or tenant_tree_dn.

backend_entities is not currently honored. It is expected that LDAP will instead either manage all of these or non e of them, with token management handled by a different backend provider.

use_dumb_member is still honored from the previous incarnation, but has not been tested, nor do I understand the intention of this code.

The unit tests for the LDAP code use a common code sournce with the other Identity management backends. To run just the LDAP unit tests, from the Keystone directory, run

 python ./run_tests.py  test_backend_ldap

Additionally, the unit tests can be run against a live OpenLDAP server by running.

 python ./run_tests.py  _ldap_livetest

All tests pass successfully on my development machine as of this posting.

I’m running Fedora 16, which supports OpenLDAP. Specifically I am running openldap-servers-2.4.26-5.fc16.x86_64. To start the service, run

sudo service slapd start

To configure the server, I use a file I call manager.ldif:

dn:  olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=younglogic,dc=com
-
replace: olcRootDN
olcRootDN: dc=Manager,dc=younglogic,dc=com
-
add: olcRootPW
olcRootPW: {SSHA}lBDIdfwvZkITal0k9tdhiCUolxpf6anu

You should modify the suffix for your organization.
Execute the configuration with:

 sudo ldapmodify -Y EXTERNAL -H ldapi:///  -f ./manager.ldif

And test that you can now do a simple bind to the localhost server.

ldapsearch -x -D "dc=Manager,dc=younglogic,dc=com" -H ldap://localhost  -w freeipa4all  -b ou=Groups,dc=younglogic,dc=com "(objectClass=*)"

Now set up the subtree for Keystone. I use file I call org.ldif

dn: dc=younglogic,dc=com
dc: younglogic
objectClass: dcObject
objectClass: organizationalUnit
ou: younglogic

dn: ou=Groups,dc=younglogic,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,dc=younglogic,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,dc=younglogic,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

Technically, the Roles ou is not required. My original thought was that this collection would contain the superset of roles possible for all of the Tenants. However, I have not implemented that.

Current code is commited to Github I will update this link if I rebase the branch.

Update: fixed typos in the config file segment. user_tree_dn etc should start with ou, not cn.

The documentation on the OpenLDAP site discusses modifying the ldif files used to start up the server.  If you try to do this on a Fedora or Debian based install,  you will find that the server does not start up.  The HASH of the files is stored and compared with the contents at start up time.  There is a better way.

On my OpenLDAP install,  there are three databases served by SLAPD.  The first two  are for  configuration and  monitoring.  The third is the one that acts as the backing store for authentication and other data that is publicly served.  When the server starts up,  it is configured with a common name of   cn=example,cn=com,  which is obviously sample data.  To modify this,  requires changing the values in the config database.

Below is an ldif file that would change the Common name, as well as set the userid and password for managing the directory

dn:  olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=younglogic,dc=com
-
replace: olcRootDN
olcRootDN: dc=Manager,dc=younglogic,dc=com
-
add: olcRootPW
olcRootPW: {SSHA}lBDIdfwvZkITal0k9tdhiCUolxpf6anu

I generated the HASH using the slappasswd command line tool.
To modify the config, you then execute ldapmodify.

sudo ldapmodify -Y EXTERNAL -H ldapi:///  -f /home/ayoung/etc/managerbase.ldif

What is this EXTERNAL? It is a SASL mechanism that uses the underlying system configured authentication. This is the NSS value that you would get back from getent. The default install protects the configuration database using the root credentials. The URL ldapi:/// is a Unix socket connection to /var/run/ldapi.

What happens if you want to modify the configuration pragmatically? The steps to make a SASL External connection are not to clear.  In order to figure out how to do it, I’ve started poking inside of the ldapmodify code from the openldap source. The CLI tools are under openldap/clients/tools/. The connection is created in the file common.c. From what I’ve seen elsewhere on the web, I know it needs to resolve to one of the ldap*bind calls. In my file, inside the function tool_bind, I see it on line 1469

	rc = ldap_sasl_interactive_bind_s(
          ld, binddn, sasl_mech,
	   sctrlsp, NULL, sasl_flags, lutil_sasl_interact, defaults )

Now, I’ve run this through ltrace and I’ve seen

ldap_sasl_interactive_bind_s(0x1abf290, 0, 0x1abf030, 0, 0

So I know to expect binddn to be null, and sasl_mech needs to have a real value. Look in the argument parsing part of the code for the -Y flag tells that this is a pass through of the string passed on the command line.

    case 'Y':
        /*error chcking ellided here*/
	sasl_mech = ber_strdup( optarg );

So that should be the string EXTERNAL for our purposes.

The next two parameters are 0, sctrlsp and (surprise) NULL.

sasl_flags looks like it is set to the default in the top of the file and never modified in our code path:

unsigned	sasl_flags = LDAP_SASL_AUTOMATIC;

That leaves the last two parameters. One is a callback function lutil_sasl_interact and one is the defaults structure. The function lutil_sasl_interact is defined in the file openldap/libraries/liblutil/sasl.c. Between it and the function interaction which it calls, we are talking about 200 lines of code. For now, I am just going to cut and paste that code into my C file and get all of the headers coorect to run it. Later, I’ll step through it in the debugger to see what it is really doing.

The defaults structure is also defined in the sasl/c file specified above. From the ldap_bind man page:

The interact function uses the provided defaults to handle requests from the SASL library for particular authentication parameters. There is no defined format for the defaults information; it is up to the caller to use whatever format is appropriate for the supplied interact function. The sasl_interact parameter comes from the underlying SASL library. When used with Cyrus SASL this is an array of sasl_interact_t structures. The Cyrus SASL library will prompt for a variety of inputs, including:…

Again, I will cut and paste this code into my file and get it running. In order to compile I need to add the flags

CFLAGS=-lldap -llber -lsasl2 -g -I/usr/include/sasl

Once I can compile and run, I can dump out the contents of the config directory. Stepping through the code I discover a few things. In the code that builds the defaults, the non-zero values are. defaults->authcid = “root” and defaults->mech “EXTERNAL”. When the function lutil_sasl_interact is called, the parameters are: The ldap structure from our init, flags=0, defaults, and in, which is cast to at sasl_interact_t. The only part of this that seems interesting to us is that it requests SASL_CB_USER from interact, which basically checks the user is root. The code then makes the most elegant use of a goto that I’ve seen in a long while, skips a whole load of interactive code, and returns the default:

use_default:
		/* input must be empty */
		interact->result = (dflt && *dflt) ? dflt : "";
		interact->len = strlen( interact->result )

This says to me that the interaction callback function could be reduced to:

int do_interact(
	LDAP *ld,
	unsigned flags,
	void *defaults,
	void *in )
{
	sasl_interact_t *interact = in;
	lutilSASLdefaults * sasl_defaults = (lutilSASLdefaults *)defaults;
	const char *dflt = interact->defresult;
	dflt = sasl_defaults->authzid;
	interact->result = (dflt && *dflt) ? dflt : "";
	interact->len = strlen( interact->result );
	return LDAP_SUCCESS;
}

But now I see that the defaults passed in are defined external to the ldap code. We can drop all of the pointers except the one to the authzid. In fact, we can just make this a char *.

Here’s the code in a functional state. It leaks memory, which would need to be cleaned up for a real application.

#include <sasl.h>
#include <ldap.h>
#include <stdio.h>

int do_interact(
		LDAP *ld,
		unsigned flags,
		void *defaults,
		void *in )
{
  sasl_interact_t *interact = in;
  char * sasl_defaults = (char  *)defaults;
  const char *dflt = interact->defresult;
  dflt = sasl_defaults;
  interact->result = (dflt && *dflt) ? dflt : "";
  interact->len = strlen( interact->result );
  return LDAP_SUCCESS;
}

int main(){
  printf("Start\n");
  LDAP *ldap;
  int rc;
  struct berval *servercredp;
  unsigned long version = LDAP_VERSION3;
  LDAPMessage *res;
  char ** vals;
  int message_count;
  int i,j,k;

  if (( rc = ldap_initialize(&ldap,  "ldapi:///")) != LDAP_SUCCESS)
    {
      perror ( NULL );
      return( 1 );
    }

  rc = ldap_set_option(ldap,
		       LDAP_OPT_PROTOCOL_VERSION,
		       (void*)&version);
  char * defaults;
  char * sasl_mech = "EXTERNAL";
  char * sasl_realm = NULL;
  char * sasl_authc_id = NULL;
  char * sasl_authz_id = NULL;
  struct berval	passwd = { 0, NULL };
  unsigned	sasl_flags = LDAP_SASL_AUTOMATIC;
  LDAPControl	**sctrlsp = NULL;

  ldap_get_option( ldap, LDAP_OPT_X_SASL_AUTHZID, &defaults );

  char *	binddn = NULL;
  rc = ldap_sasl_interactive_bind_s( ldap, binddn, sasl_mech,
				     sctrlsp,
				     NULL, sasl_flags, do_interact, defaults );

  if ((rc =  ldap_search_ext_s
       (
	ldap,
	"cn=config",
	LDAP_SCOPE_SUBTREE,
	"(objectClass=*)",
	NULL,
	0,
	NULL,
	NULL,
	NULL,
	0,
	&res ) != LDAP_SUCCESS))
    {
      printf("ldap_search  failed with 0x%x.\n",rc);
      perror ( NULL );
      return( 1 );
    }
  LDAPMessage *entry = ldap_first_entry( ldap, res );

  int entry_count = ldap_count_entries(ldap, res);
  for (i = 0 ; i < entry_count; i++){
    printf("dn: %s\n",ldap_get_dn(ldap, entry));
    BerElement * ber;
    char * attribute = ldap_first_attribute(ldap,entry, &ber);
    while(attribute){
      printf ("attribute = %s\n",attribute);
      attribute = ldap_next_attribute(ldap,entry, ber);
    }
    ber_free(ber,0);
    entry = ldap_next_entry(ldap, entry);

  }
  return 0;

}

Note: The reason I do SASL using a -I option in the makefile instead of sasl/sasl.h is that the code formatter is messing it up.

The Domain Name System (DNS) is an essential part of systems management. If you need to manage multiple physical hosts you’d really benefit by a degree of control of some subset of DNS. With Virtual machines, the sheer number of hosts created demand a responsive DNS. Kerberos, X509 and other security mechanisms require a proper DNS configuration. Yet, for many organizations, DNS is locked down by IT to a very static set of records. Earlier articles discussed User Groups, Host Groups, and Netgroups. The final installment in this series discsusses how to delegate DNS Zone management in FreeIPA.

First, create a Zone for the project, and one DNS record

[root@f16server ~]# ipa dnszone-add beowulf.younglogic.com
Authoritative nameserver: f16server.ayoung.boston.devel.redhat.com
Administrator e-mail address [hostmaster.beowulf.younglogic.com.]:
Zone name: beowulf.younglogic.com
Authoritative nameserver: f16server.ayoung.boston.devel.redhat.com.
Administrator e-mail address: hostmaster.beowulf.younglogic.com.
SOA serial: 2012110201
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Dynamic update: FALSE
[root@f16server ~]# ipa dnsrecord-add
Zone name: beowulf.younglogic.com
Record name: www1
[A record]: 10.10.2.1
[AAAA record]: feed:0123::babe
Record name: www1
A record: 10.10.2.1
AAAA record: feed:0123::babe

Here’s the LDAP details of what we just created:

[root@f16server ~]# ipa dnszone-show beowulf.younglogic.com --all --raw
dn: idnsname=beowulf.younglogic.com,cn=dns,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
idnsname: beowulf.younglogic.com
idnssoamname: f16server.ayoung.boston.devel.redhat.com.
idnssoarname: hostmaster.beowulf.younglogic.com.
idnssoaserial: 2012110201
idnssoarefresh: 3600
idnssoaretry: 900
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnszoneactive: TRUE
idnsallowdynupdate: FALSE
nsrecord: f16server.ayoung.boston.devel.redhat.com.
objectclass: top
objectclass: idnsrecord
objectclass: idnszone

Notice that the A and AAAA records are not visible in the DNS Zone object. Since we are not just modifying values of attributes, we can’t perform the same type of delegation as we did with User Groups, Host Groups or Netgroups. Lets take a look at the LDAP details of the Record.

[root@f16server ~]# ipa dnsrecord-show beowulf.younglogic.com www1 --all --raw
dn: idnsname=www1,idnsname=beowulf.younglogic.com,cn=dns,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
idnsname: www1
arecord: 10.10.2.1
aaaarecord: feed:0123::babe
objectclass: top
objectclass: idnsrecord

A and AAAA records that have the same idnsname go into the same LDAP object. PTR and CNAME records would all be put into additional attributes of this object if they, too, had the same idnsname. This LDAP object is a subordinate object to the Zone, beowulf.younglogic.com.

Thus, we can use the Subtree permission type to manage access to this resource. The subtree is the distinguished name (DN) of the DNS Zone.

[root@f16server ~]# ipa permission-add 'beowulf-dns-modify'  --permissions=add,delete
[Attributes]:
[Type]:
[Member of group]:
[Filter]:
[Subtree]: idnsname=beowulf.younglogic.com,cn=dns,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
[Target group]:
-------------------------------------
Added permission "beowulf-dns-modify"
-------------------------------------
  Permission name: beowulf-dns-modify
  Permissions: add, delete
  Subtree: ldap:///idnsname=beowulf.younglogic.com,cn=dns,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com

We could use the objectname and cn as we did before, but  subtree is better documentation to our intent.

Again, we need to add the permission to the privilege.

[root@f16server ~]# ipa privilege-add-permission beowulf-manage --permission=beowulf-dns-modify
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project
  Permissions: beowulf-manage, beowulf-manage-group, beowulf-hostgroup-modify,
               beowulf-netgroup-modify, beowulf-dns-modify
  Granting privilege to roles: beowulf-managers
-----------------------------
Number of permissions added 1
-----------------------------

Test it out with the admiyo account (that already has the Role beowulf-managers. This time, we’ll add both an A and AAAA record, which are managed by the same object in BINDs LDAP backend.

[root@f16server ~]# ipa privilege-add-permission beowulf-manage --permission=beowulf-dns-modify
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project
  Permissions: beowulf-manage, beowulf-manage-group, beowulf-hostgroup-modify,
               beowulf-netgroup-modify, beowulf-dns-modify
  Granting privilege to roles: beowulf-managers
-----------------------------
Number of permissions added 1
-----------------------------
[root@f16server ~]# kinit admiyo
Password for admiyo@F16SERVER.AYOUNG.BOSTON.DEVEL.REDHAT.COM:
[root@f16server ~]# ipa dnsrecord-add
Zone name: beowulf.younglogic.com
Record name: mail1
[A record]: 10.10.2.3
[AAAA record]: feed:babe:beef::cafe
  Record name: mail1
  A record: 10.10.2.3
  AAAA record: feed:babe:beef::cafe

These four articles have attempted to show how the access controls of FreeIPA allow a system administrator to delegate specific actions to power users in their organization. From the simplest and most targeted of Target Groups, through simple and then more complex filter queries, then finally subtree queries. While FreeIPA can abstract you away from having to understand LDAP,  it does not prevent you from doing so.  Instead,  LDAP know how built on top of the structure provided with FreeIPA can help to craft secure and flexible delegation policy.

The last two articles described how to delegate management of user groups and host groups. The other way to manage both hosts and users in FreeIPA is with Netgroups. Although Netgroups are a concept from NIS, FreeIPA takes them to the next level, and makes them into containers capable of managing both users and groups. This article shows how to delegate the control of a netgroup to a specified user.

First, create a netgroup

[root@f16server ~]# ipa netgroup-add
Netgroup name: beowulf-netgroup
Description: Beowulf Resources
---------------------------------
Added netgroup "beowulf-netgroup"
---------------------------------
  Netgroup name: beowulf-netgroup
  Description: Beowulf Resources
  NIS domain name: ayoung.boston.devel.redhat.com
  IPA unique ID: 71ea8d08-5530-11e1-9487-525400ff995b

To illustrate the differences between user groups, host groups, and netgroups, lets add some elements to the netgroup.

[root@f16server ~]# ipa netgroup-add-member beowulf-netgroup
[member user]: admiyo
[member group]: editors
[member host]: www1.ayoung.boston.devel.redhat.com
[member host group]: beowulf-hosts
[member netgroup]:
  Netgroup name: beowulf-netgroup
  Description: Beowulf Resources
  NIS domain name: ayoung.boston.devel.redhat.com
  Member User: admiyo
  Member Group: editors
  Member Host: www1.ayoung.boston.devel.redhat.com
  Member Hostgroup: beowulf-hosts

This shows the LDAP underpinning of the FreeIPA code. Note where the entities are stored.

[root@f16server ~]# ipa netgroup-show beowulf-netgroup --all --raw
  dn: ipauniqueid=71ea8d08-5530-11e1-9487-525400ff995b,cn=ng,cn=alt,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  cn: beowulf-netgroup
  description: Beowulf Resources
  nisdomainname: ayoung.boston.devel.redhat.com
  ipauniqueid: 71ea8d08-5530-11e1-9487-525400ff995b
  memberhost: fqdn=www1.ayoung.boston.devel.redhat.com,cn=computers,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  memberhost: cn=beowulf-hosts,cn=hostgroups,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  memberuser: cn=editors,cn=groups,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  memberuser: uid=admiyo,cn=users,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  objectclass: ipaobject
  objectclass: ipaassociation
  objectclass: ipanisnetgroup

Note that both users and user groups are in the memberuser field, where as hosts and host groups are in the memberhost field.

So to be able to modify the netgroup, the user needs permissions to the memberuser and memberhost attributes. For the objectclass, specify ipanisnetgroup.

Before moving on I deleted these members, as I want to use them again later on for testing.

[root@f16server ~]# ipa permission-add 'beowulf-netgroup-modify'  --permissions=write --attrs=memberhost,memberuser  --filter='(&(cn=beowulf-netgroup)(objectclass=ipanisnetgroup ))'
------------------------------------------
Added permission "beowulf-netgroup-modify"
------------------------------------------
  Permission name: beowulf-netgroup-modify
  Permissions: write
  Attributes: memberhost, memberuser
  Filter: (&(cn=beowulf-netgroup)(objectclass=ipanisnetgroup ))

[root@f16server ~]# ipa privilege-add-permission beowulf-manage --permission=beowulf-netgroup-modify
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project
  Permissions: beowulf-manage, beowulf-manage-group, beowulf-hostgroup-modify,
               beowulf-netgroup-modify
  Granting privilege to roles: beowulf-managers
-----------------------------
Number of permissions added 1
-----------------------------

Finally, to test.

[root@f16server ~]# kinit admiyo
Password for admiyo@F16SERVER.AYOUNG.BOSTON.DEVEL.REDHAT.COM:
[root@f16server ~]# ipa netgroup-add-member beowulf-netgroup --hosts www1.ayoung.boston.devel.redhat.com --users admiyo
  Netgroup name: beowulf-netgroup
  Description: Beowulf Resources
  NIS domain name: ayoung.boston.devel.redhat.com
  Member User: admiyo
  Member Group: editors
  Member Host: www1.ayoung.boston.devel.redhat.com
  Member Hostgroup: beowulf-hosts
-------------------------
Number of members added 2
-------------------------
[root@f16server ~]# ipa netgroup-remove-member beowulf-netgroup --hosts www1.ayoung.boston.devel.redhat.com --users admiyo
  Netgroup name: beowulf-netgroup
  Description: Beowulf Resources
  NIS domain name: ayoung.boston.devel.redhat.com
  Member Group: editors
  Member Hostgroup: beowulf-hosts
---------------------------
Number of members removed 2
---------------------------

Again, I deleted the elements that I added as admin before. If you add the same entry twice, you will get errors. You can delete them as the delegated user as well as add them.

Since Netgroups can be used pretty much anywhere that user groups and hostgroups can be used (SUDO, and HBAC especially) they are likely to become your first point of contact for management. Like user groups and hosts groups, they both provide nesting. In fact, a netgroup can be nested inside a host group or a user group, and elements will gain membership in the corresponding host groups or user groups.

Last article I discussed delegating the authority to manage group membership using FreeIPA. A related topic delegating the ability to manage groups of hosts. There are two different collections for managing hosts: host groups, and netgroups. The approach to delegating authority for managing each of these is similar, but with important differences. First up: hostgroups.

To create a hostgroup for Beowulf hosts:

[root@f16server ~]# ipa hostgroup-add beowulf-hosts
Description: Hosts for the Beowulf project
-------------------------------
Added hostgroup "beowulf-hosts"
-------------------------------
  Host-group: beowulf-hosts
  Description: Hosts for the Beowulf project

Unlike the user groups, there is no preset form of ACI Permission for specifying a host group. Instead, we will have to specify the LDAP object that we wish to grant permission on. Again, it will be on the “member” attribute. Lets look at what we just created. To Look at the underlying LDAP object of something in FreeIPA, we use the entity-show command coupled with the –raw and –all flags

[root@f16server ~]# ipa hostgroup-show beowulf-hosts --all --raw
  dn: cn=beowulf-hosts,cn=hostgroups,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  cn: beowulf-hosts
  description: Hosts for the Beowulf project
  ipauniqueid: 70999114-5513-11e1-bde4-525400ff995b
  mepmanagedentry: cn=beowulf-hosts,cn=ng,cn=alt,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  objectclass: ipaobject
  objectclass: ipahostgroup
  objectclass: nestedGroup
  objectclass: groupOfNames
  objectclass: top
  objectclass: mepOriginEntry

In order to specify this object, we will use the combination of the objectclass an a uniqu identifier. The best unique ID is the text value of the host group name, held in the common name field: cn: beowulf-hosts. THe appropriate objectclass is ipahostgroup, as that is the only one that indicates this is a group of hosts, all of the other objectclasses can potentially be used for other things. Here’s what creating the ACI Permission looks like (to include adding it to the privilge).

[root@f16server ~]# ipa permission-add 'beowulf-hostgroup-modify'  --permissions=write --attrs=member  --filter='(&(cn=beowulf-hosts)(objectclass=ipahostgroup ))'
-------------------------------------------
Added permission "beowulf-hostgroup-modify"
-------------------------------------------
  Permission name: beowulf-hostgroup-modify
  Permissions: write
  Attributes: member
  Filter: (&(cn=beowulf-hosts)(objectclass=ipahostgroup ))
[root@f16server ~]# ipa privilege-add-permission beowulf-manage --permission=beowulf-hostgroup-modify
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project
  Permissions: beowulf-manage, beowulf-manage-group, beowulf-dns-manage,
               beowulf-hostgroup-modify
  Granting privilege to roles: beowulf-managers
-----------------------------
Number of permissions added 1
-----------------------------

Since the user admiyo already has a role that contains this privilege, that user should now be able to manage adding and removing hosts from that host group.

[root@f16server ~]# kinit admiyo
Password for admiyo@F16SERVER.AYOUNG.BOSTON.DEVEL.REDHAT.COM:
[root@f16server ~]# ipa hostgroup-add-member beowulf-hosts --hosts www1.ayoung.boston.devel.redhat.com
  Host-group: beowulf-hosts
  Description: Hosts for the Beowulf project
  Member hosts: www1.ayoung.boston.devel.redhat.com
-------------------------
Number of members added 1
-------------------------

It took me a few tries to get the filter correct for this one. Note that the operators are prefix. Some filters will get through the CLI fine, but won’t select the object you want. To confirm that you do have the right object, I recommend using ldapsearch to get the query right before adding the permission.

[root@f16server ~]#  ldapsearch -x -b "dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com" "(&( cn=beowulf-hosts)(objectclass=ipahostgroup))"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&( cn=beowulf-hosts)(objectclass=ipahostgroup))
# requesting: ALL
#

# beowulf-hosts, hostgroups, accounts, f16server.ayoung.boston.devel.redhat.com
dn: cn=beowulf-hosts,cn=hostgroups,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
objectClass: ipaobject
objectClass: ipahostgroup
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
objectClass: mepOriginEntry
cn: beowulf-hosts
description: Hosts for the Beowulf project
ipaUniqueID: 70999114-5513-11e1-bde4-525400ff995b
mepManagedEntry: cn=beowulf-hosts,cn=ng,cn=alt,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
member: fqdn=www1.ayoung.boston.devel.redhat.com,cn=computers,cn=accounts,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The power of a hierarchical database lies in its access controls. FreeIPA gives you a set of tools that you can use in order to delegate authority using those access controls.

Here’s an example.  Let say you are running a web site where people can create projects.  In order to create a project,  you send in a ticket to  request the project creation.  Once that project has been created,  people ask you to join their projects.  Once the project is created,  as the project lead,  you can add and remove people from the project,  but they have to be in the system.

Yes,  I know,  very theoretical,  where would we ever see an organization like that?

A user named admiyo requests a project for people interested in Beowulf projects.  The IPA Admin creates it. In addition,  the admin has to create a Role, a Privilege, and a Permission  that will allow the user to manage that group,  assign the Permission to the Privilege and the Privilege to the Role.  Finally,  the Admin has to assign that role to the user admiyo.

[root@f16server ~]# ipa group-add beowulf --desc "Imagine a Beowulf Cluster...."
---------------------
Added group "beowulf"
---------------------
  Group name: beowulf
  Description: Imagine a Beowulf Cluster....
  GID: 500400007
[root@f16server ~]# ipa role-add
Role name: beowulf-managers
Description: Manage the Assets of the Beowulf project
-----------------------------
Added role "beowulf-managers"
-----------------------------
  Role name: beowulf-managers
  Description: Manage the Assets of the Beowulf project
[root@f16server ~]# ipa privilege-add
Privilege name: beowulf-manage
Description: Manage the Assets of the Beowulf project
--------------------------------
Added privilege "beowulf-manage"
--------------------------------
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project

For user groups, the simplest way to create the permission is to user the targetgroup keyword.

[root@f16server ~]# ipa permission-add 'beowulf-manage-group' --targetgroup=beowulf --permissions=write --attrs=member
---------------------------------------
Added permission "beowulf-manage-group"
---------------------------------------
  Permission name: beowulf-manage-group
  Permissions: write
  Attributes: member
  Target group: beowulf

Now the assignments:

[root@f16server ~]# ipa role-add-privilege Role name: beowulf-managers
[privilege]: beowulf-manage
  Role name: beowulf-managers
  Description: Manage the Assets of the Beowulf project
  Privileges: beowulf-manage
----------------------------
Number of privileges added 1
----------------------------
[root@f16server ~]# ipa privilege-add-permission Privilege name: beowulf-manage
[permission]: beowulf-manage-group
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project
  Permissions: beowulf-manage, beowulf-manage-group
  Granting privilege to roles: beowulf-managers
-----------------------------
Number of permissions added 1
-----------------------------
[root@f16server ~]# ipa role-add-member
Role name: beowulf-managers
[member user]: admiyo
[member group]:
[member host]:
[member host group]:
  Role name: beowulf-managers
  Description: Manage the Assets of the Beowulf project
  Member users: admiyo
  Privileges: beowulf-manage
-------------------------
Number of members added 1
-------------------------

I’d like to point out that I had very little idea what the CLI was going to ask for on these. I just trusted it to walk me through, and it did. The one exception was the creation of the permission,  as it doesn’t prompt for the –attrs field

Now to test it out.

[root@f16server ~]# kinit admiyo
Password for admiyo@F16SERVER.AYOUNG.BOSTON.DEVEL.REDHAT.COM:
[root@f16server ~]# ipa group-add-member
Group name: beowulf
[member user]: kfrog
[member group]:
  Group name: beowulf
  Description: Imagine a Beowulf Cluster....
  GID: 500400007
  Member users: kfrog
-------------------------
Number of members added 1
-------------------------

This same technique can be used with the other entities in FreeIPA. In the future, I’ll show how to do delegation for Host Groups and Netgroups. In theory, delegation of a DNS domain can be done the same way, but I haven’t worked through that yet.

This process can and should be streamlined (I’ve already submitted a ticket for that)  but could be fairly easily scripted, too.

With the release of KRB5 1.10 A Kerberos workstation can finally have two different TGTs from two different KDCs active at the same time. Until this technology makes it into the major distributions, we are stuck with the limitation of the browser only knowing about one TGT/KDC/Realm at a time.  If you find yourself needing to talk to a second KDC without disrupting your primary,  here are the steps you can take.

1. Start firefox as you normally would.
2. Open up a command line prompt
3. Get the Kerberos Configuration file for the new server.  This can be done by copying the new KDC’s  /etc/krb5.conf to a local file.  For this example  ~/etc/krb5-105.conf Set an environment variable pointing to the new file: export KRB5_CONFIG=/home/ayoung/etc/krb5-105.conf
4. decide on a location for a second Kerberos Credential cache and set an environment variable to point to it:  export KRB5CCNAME=/home/ayoung/etc/krb5cc
5. kinit to the new location. echo secretpassword | kinit admin
6. Run firefox from the command line but using a new profile and not talking to the original instance:  firefox –no-remote -P
7. Point the new firefox instance at a web page that is part of the new Kerberos Realm.

When you are done, make sure you shut down the new firefox instance prior to shutting down your default one, or Firefox will reassign your profiel on next start up to be the newly created profile as opposed to your default.

Once The new Kerberos release is available,  I’ll show how to avoid having to do all of the extra steps.

Identity Management (IdM) needs change as an organization grows in size. For an example, I’ll describe a fictional company, and take it from the smallest to largest stages. While, to some degree, the industry of this firm really doesn’t matter, I am going to use a small import business started by a single individual and scale it up to a multinational corporation. As the organization grows in size, the technical needs will drive the scope and scale of the identity management solutions required.
(This is my writing Cross posted from the FreeIPA wiki)

Scenario

Ms. N. Zappa has just come back from a masters degree program in Jakarta. While living in Indonesia, she established connections with several furniture producers, and she starts a small import/export business in the Boston area. She has contacts at a handful of stores already from previous experience. She moves back in with her folks, who have agreed that she can use a section of the garage for storage, and she outsources all technical issues to a small web services firm. They register the domain name ZappasImports.com for her, set up an account a large cloud provider who provide web and email services. Her information management needs are for tracking orders, suppliers, and customers, which she keeps in a set of spreadsheets that she backs up to the cloud on a nightly basis.

When there is just one person in Zappas, the IdM needs are purely between N Zappa and the cloud provider. Her Internet services contractor has set up an account with the Cloud provider. The Zappa account has two users associated with it: nzappa and the contractor. This authentication is done against the Cloud Providers Authentication Database.

Initial Setup

The contractor sets up three applications for Zappas. A static web server, remote backups, and email. The email server is a managed service, and runs on the same email server as many of the other clients of the Cloud Provider. At this point, the Cloud provider is really just an Internet Service Provider. The website has a simple WebDAV interface and runs as a virtual host on shared web server. Remote backups are done via WebDAV. The Cloud provider manages all these services in order to scale up the number of customers it can handle without overloading its own infrastructure. Because the web applications are run on shared servers, they are responsive. If the overall load increases, the Cloud provider can scale up by allocating more virtual machines.

Contractor with multiple Clients

Zappas is not the only company the web services company manages. They have a portfolio of customers. The cloud deployment approach matches their development methods and skill set. They do not want to have a separate account with the cloud provider for each of their clients. Instead, the user accounts are associated with the client accounts. In addition, the web services firm is itself a client of the cloud provider, with systems that are somewhat comparable to those that they are setting up for Zappas.

Initial Growth

There are two potential next steps. One is that the company adds personnel. The other is when Zappas wants to start tracking and authenticating people outside of her company. These are two fairly different directions. They can happen in either order. Lets look at the external issue first.

External Identity Management

After a few months of operations, she realizes that she is having a much lower rate of return customers than she anticipated. She wants to communicate better with the people that have bought from here before to encourage repeat business, as well as to gauge the relative degree of satisfaction her customers have had with their purchases.

Zappa’s sets up a single external application, a customer order portal. This runs on a dedicated virtual machine, and uses a software package that the cloud provider has pre-canned. It uses an internal database, either PostgreSQL or MySQL with a table for user accounts. Authentication is done via Basic-Auth. The system is accessed via Web over SSL. This requires that the Web server have a publicly routed static IP address. The Cloud Provider runs a certificate authority, and issues a certificate for the web service to Zappa’s Imports. The Customer database is pre-populated with email addresses from a spreadsheet. Passwords are set to expired, which allows the users to reset them using their email addresses as verification. She emails her customers about the system and they start using it.

She also starts a blog, to describe the process she goes through to find new furniture, to explain the history behind some of the more interesting designs, and to introduce people to the culture of Indonesia. Again, this starts off as a managed service by the Cloud service provider: a WordPress instance with another dedicated back-end database. At first she enables public commenting, but the high degree of spam dictates that she somehow authenticate the comments. Instead, she decides that the appropriate thing for her business is to limit comments to people that have either purchased or are thinking of purchasing furniture from her. She could choose to use OpenID or a different Web Single Sign on solution, but that provides her no way to cross reference posts with her customer database. She wants to integrate the two systems. She also is not really happy with the order tracking system, and thinks she might want to switch to a different software package. While all three software packages she has been looking at provide embedded Identity management, they are all incompatible with one another. However, all of them support external authentication. She decides to extract the IdM out into a dedicated system in order to federate her customer focused applications more easily.

Internal Identity Management

Her business grows and she gets an office manager. She rents space at a local warehouse and a small office nearby. They set up accounts with a handful of delivery companies and need to be able to integrate the tracking of packages. The international nature of the business dictates that they get an account that specializes in international trade. Zappas has sufficient business going direct to end consumers that they set up a web catalog and order placement system. This dictates that they have a content management system, and that they establish a relationship with professional photographers in the remote countries that can supply their catalog with high quality images. They have a handful of contractors on retainer that can deliver and assemble some of the more complex pieces. The organization grows a little further. The company is producing enough revenue that she has a full time sales manager. During the busy season, she also hires seasonal help.

When Zappas hires her first employee, she needs to set up a new email account. This is likely done in the Cloud provider’s IdM system. She also needs to add the new employees desktop to the back up system. While the new employee is nominally an office manager, in practical terms she is helping with all aspects of the business, which means she needs to be able to perform administrative activities on the systems hosted in the cloud. The IdM solution they’ve chose supports this by adding the user to a group specific to each of the applications.
Analysis

“There is nothing more practical than a good theory.” –Kurt Lewin

There are patterns that show up in all implementations of IdM systems. Recognizing them will help in implementation of future systems.

Delegation

Her organization may look simple, but Zappa’s Imports has most of the identity management needs of a large organization. She has distinct external contacts that she needs to segregate from each other. Each has a different set of permissible activities based on role. , but there are certain activities that the partners can do that the the office manager can’t. With the addition of the sales manager the organization has grown to the point that she can (and must) delegate management responsibilities: this is the critical point for an identity management system. The sales manager needs to be able to hire a temporary worker, give that worker limited access, and then revoke it after the busy period. Perhaps the temp can take orders, but is not allowed to handle returns. In addition, the sales manager needs to be able to schedule and track a contractor that is heading to a customer site to do an assembly.

The IdM system manages three types of relationships. First, it manages the relationship between The cloud provider and Zappa’s imports. Second, it manages relationships between the Zappa’s imports employees. Finally, it manages the relationships between Zappa’s Imports and the people that do business with Zappa’s. From Zappa’s perspective, adding a new application and adding an additional employee are related tasks. At first, both are handled by Ms. Zappa. By the end, are performed by employees who have been delegated the authority to perform these tasks.

Ownership

Probably the largest question in cloud IdM integration is who owns the information. The Zappas customer list and suppliers list are probably the most valuable assets of the company. If the cloud provider wants to maintain its own customers, they need to provide sufficient reason to trust their Id solution. On the other hand, they need to protect their own assets. In their organization, Ms. Zappa is a client, and she can add and remove servers based on her contract and quality of service agreement with the cloud provider. As the organization grows, this is certainly one of the actions she will want to delegate to the CTO, who will later delegate it to the Operations Manager when Zappa’s Imports grows to the size to hire one.
Avoiding Lock In

Although companies like Zappa’s are not going to be jumping from one cloud provider to another each week, they still want to avoid vendor lock in. Zappa’s applications should have no dependencies on elements internal to the cloud provider that cannot be redirected to a different cloud provider. This is going to be more and more important as the company scales up. A Cloud provider can prove to be a poor fit for an organization for multiple reasons, and not all of those can be foreseen upfront. In the case of Zappa’s, technology is an enabler for business, but it is not the company’s forte. By contracting with a decent internet services firm, she has offloaded some of the decisions. She shouldn’t be locked in indefinitely to a technology decision made today that is secondary to the core of the business.

It is helpful to think of the federation of Identity Management systems as single solutions, with carefully specified integration points between the component parts. By having two systems, you firewall off one segment of your users from another. However, it is worth noting that there are a couple issues this does not address. If there are two systems, and one is deemed canonical, and information is pushed from one to the other, they are acting as a single system, and thus the potential for elevation of privileges is still there.

Enterprise

A few years down the road, Zappa’s is doing well, and has grown to a middle sized companies. N Zappa maintains her role as CEO and President, but is completely out of the software side of the company. Dealing with the relationships essential to her business must be supported by technology, not derailed by the management of technology. Zappa’s has all of the major subdivisions that one would expect to see in a middle sized company. Marketing and Sales are now distinct operations. Operations has a full time call center as well as full time employees for deliveries that require assembly. IT has also grown to support the needs of the organization. On the supply side, several employees have been hired in remote offices to handle the purchasing in several countries. The full time Human Resources manager has contracted to a small number of staffing firms for filling the variations the yearly cycle.

Techno Mix

The information systems are now a mix of in-house, application service provider, and cloud hosted applications. Zappa’s works mainly with two cloud providers that offer differentiated offerings due to geographic location and international issues. Applications for supply, foreign tax and travel, and shipping are hosted in a company in Jakarta. The eCommerce web site and partner Business-to-Business portal is hosted stateside. Zappa’s has consolidated IdM in-house, and shares a subset of its user database with the various technology partners.

The load on the cloud providers systems has scaled up with the company. When orders were measured in single-digits per day, billing was likely at a flat rate. At scale, the daily variations and fluctuation are significant. Auditing the systems becomes a requirement for legal and financial reasons. Different portions of Zappa’s have different budgets, and pay for the usage of the cloud out of separate accounts.

Authentication Tokens

For authentication of employees, Zappa’s has moved from a userid/password model to a cryptographically secure system, based on technologies like Kerberos, hardware tokens, smart-cards and so forth. Different systems require the ability to accept different authentication mechanisms: the corporate blog needs a HW token in order to post an article, but allow OpenID authentication for a customer to post a follow up comment. Some of the suppliers and partners have advanced technologically as well, and have their own authentication systems that they want to use when performing business with Zappa’s. The wide number of web sites in use have dictated a single sign on solution that needs to span across the public internet, and that works around the fact that some of the sites only allow network traffic on ports 443 and 80.

By this point, a standardized mechanism for managing the IdM across all of these systems has become essential. Adding in a new application cannot force changes to the schema. Each additional application cannot silo its own user database. Centralized management is a must; replication to remote sites must be rapid. Elevation of privileges is a major risk and the IdM must have rock solid protections built in against it.

The cloud provider is an integral partner to Zappas. It has to provide seamless integration of Identity Management. Trust and audit are two sides of the same issue: Zappas needs to know what is going on at the Cloud provider. Access to the systems running as virtual machines in the cloud has to be tightly managed. At the same time, the cloud provider finds it self in the same relationship with many other companies, some of which are competitors to Zappos. For legal and financial reasons, the cloud providers needs to provide segregation between its clients. The number of clients it is managing means that the system has to work completely automated.

Conclusion

This narrative has attempted to put the scale and scope of identity management issues in a cloud deployment into to perspective. The fictional company matches the needs of many real companies, as well as many non-corporate entities. The scope of the identity management solutions vary with the scope of the problem or number of problems that they attempt to solve. As our fictional company grew, its needs changed, as did the corresponding Identity Management Solution. The ability to tune the software packages that your company uses will help determine how quickly the company can react to new business opportunities or deal with set backs. A larger organization has more contact points, more needs, and thus cannot as easily rewrite the configuration of their applications to deal with a different IdM solution.

Everyone at FUDcon posts a FUDcon update. Everyone at OLS posts and OLS update. They come in massive blocks, and I personally can’t process them all. Adam doesn’t scale. Instead, please post a shorter post with the crucial piece or pieces that you’ve learned, and title it that way. You can mention that you learned it at Fudcon, but please provide a better orienting title to you post. I do really want to read them. Since I can’t make it to all the conferences, I count on you, the community, to provide a filter.

Openstack Keystone is the Identity Management (IdM) gateway for the rest of the Openstack infrastructure.  While it is fairly new code, and not feature complete as of yet,  it does show some interesting aspects of cloud identity management and the issues it involves.  That, of course, begets the question of what is required in a cloud Identity Management gateway.

First of all,  lets look at what IPA manages:

1. Users
2. Hosts
3. Groupings of the above
4. DNS (Not just names for hosts,  but also Kerberos autodiscovery)
5. Policy (Sudo, HBAC. Policy, Directory Server Access)

The primary concept in Keystone not yet in IPA is Multitenancy. This can be thought of a form of Policy on top of groups.  I’ve started writing up the requirements.

Let me restate the definition of multitenancy:

Multitenancy is a policy of an identity management solution where a grouping segregates the visible of entities inside from those outside.

But not everyone will use FreeIPA,  and the Keystone target deployment is somewhat different from FreeIPA   Keystone in particular wants to be able to delegate back to the Tenant the management of their own set of resources in the cloud.

Hmmm… I think I can even convert that to a mission statement:

The mission of Openstack Keystone is to provide single sign-on for cloud management by delegating  IdM control of  the Tenancies to the Tenant Adminstrators.

I’ll leave that up there for a bit to see if someone can do me one better.

What do I mean by delegating to the tenant administrators.  I’ll give a couple examples.

1. If the user has FreeIPA or Active Directory in the home system,  they should be able to use them to Administer access to their own resources in the cloud
2. If a user becomes a reseller of Cloud services,  they should be able to manage nested tenancies for their clients

Here are some requirements of cloud IdM

1. A user who wishes to user the cloud providers IdM solution should be able to provide essential services and access control for users in their organization
2. A private cloud used to manage applications visile from outside the corporate firewall should be able to segregate  their customers, their suppliers, and their partners from each other, while maintaining an integrated  Identity Management Database.
3. Cloud IdM  needs to provide a cryptographically secure system that is at least as strong as that  provided by the users IdM systems.  While Kerberos is not necessarily an option across corporate firewalls due to blocked ports,  the IdM implemented by the Cloud provider has to be based on the same principals. The cloud IdM system must provide a reasonable degree o f trust both the the end user and the system administrator with regard to the identity of one another.

Comments?

So I watched the latest Muppet Movie with my family this weekend and it go me thinking: who would I cast for a Muppet Version of the Princess Bride?

Sick Kid in Bed:  Robin the Frog

Grandpa:  Kermit

Buttercup:  Janice

Westley:  Floyd

Vizzini:  Rizzo the Rat

Inigo Montoya:  Pepe the King Prawn

Fezzik:  Sweetums

Humperdinck: Link Hearthrob

Count Rugen: Professor Bunsen Honeydew

The Albino:  Beaker

Yellin the Spy Master:  Marvin Suggs

Miracle Max:  Waldorf

Valerie:  Statler (in drag)

Impressive Clergyman:  The Swedish Chef

The King: Gonzo the Great

The Queen: Camilla the Chicken

Old Lady Who Boos: Miss Piggy

I was working at a local coffee shop when I noticed an old man walk in.  His hat had a Yin Yang on it.  It struck a memory and I Googled for a list of US Army division patches.  Easy access to modern technology told me more than I expected.  The 29th Infantry Division, the Blue and the Gray, landed at Bloody Omaha on June 6th, 1944.

I walked up to him and asked “You were with the 29th Division in WWII.”  I looked a man Great-Grandfather old, but strong for all that.

“Yes, I was.”

I held out my hand to shake his.  “Thank you.”

He was startled.  He offered me a seat and I took it.  I didn’t think to ask his name yet,  but later found out it was Angelo.

“Most people don’t know what it means.”

“I was an Army officer.  An infantryman.  I owe you a special debt.”  I told him. “My Grandfather was at Utah.  They’ve said that the fighting at Omaha was so fierce that it pulled forces from elsewhere.  If it hadn’t been so bad there, I might not be here.”  Not quite correct, now that I think about it.  William Spelman had managed to get his wife pregnant before deploying to England.  That was my Mom, so I would possibly still be here.  It was my Uncle and Cousins that owe their existence to my Grandfather’s survival.

Our conversation progressed non-linearly.  He had not been in the earlier invasions of Italy or Africa.  His job was specialized, so after Normandy, they shipped him to the pacific theater.  Has was with a unit attached to the 29th, not specifically assigned to it.  The boat that took him back stateside was taking Churchill as well, and the statesman’s quarters had to be re built, delaying their departure.   The late departure meant that he only got eight days of leave before shipping out to join the preparation for the invasion of Luzon.
He told the tale of one comrade, a normally happy-go-lucky guy that became quiet and withdrawn before Luzon.  “I’m not going to make it.”  He told Angelo.  “Everyone thinks that.”  They landed fairly unopposed at Luzon.  They only lost one man:  Angelo’s friend hit the deep water when disembarking and he drowned.

“I felt the same way, if we were going to Japan.”  He confided.  “I owe Truman my life.  If they hadn’t dropped the bomb, well, you know what they were saying?”  I assured him that I did.  The casualty projections for a Japan invasion were staggering.

We returned to talking about Europe.  “My grandfather was drafted.  He was older, and had worked on the rail road.  Back during the depression, he dropped out of school and started on the rail lines.  He was in logistics.  So by the time he deployed he was the company first Sargent.” Also, I realize now, a little inaccurate.  I have a photo of Grandpa Bill in a fairly clean uniform, carrying an M-1 carbine.  The date on the back of the photo is June 7, 1944.  I can’t remember the place, but I suspect it was Marie St. Eglise.  On the sleeve of his Eisenhower Jacket he has the rank of a Staff Sargent.  I had his jacket back when I was in High School, and it had three chevrons and two rockers with the First Sargent diamond in the middle.  I guess he was made Top later than June 6.  “Since he knew logistics, they put him with a transpo company.”

Angelo had been an “invasion specialist.”  Enlisting as young as he could, he had managed to learn cryptographic and radio skills in the days back when a computer was still the name of a human occupation.  They went in early, and broadcast back to the fleet.  I didn’t think to ask how he got in.

“War is horrible.  I heard people screaming ‘Don’t let me die.’”  He paused, lost in the past, momentarily unable to speak. “I don’t talk about this with most people.  My wife passed away a few years back.  I have dreams, and she used to wake me up. I go to the VA.  I have PSTD”   I didn’t correct the misordering of the acronym.

“We had been told they were evil, that the krouts were inhuman.  When we got to Germany, we saw that they were just people.  We thought that we were the good guys.  At some point I realized that they thought that they were the good guys.  We watched these films, you saw them marching so perfectly and you thought that they were unbeatable.  I thought, ‘how are we going to go up against this.’  But war.  War is horrible.  They were people, just like us.”
This was three or four days after the 67th anniversary of the Normandy Landing.  While the press had made a big deal about it on the 50th and 60th anniversaries, this year it had passed with barely a mention in the news, and Angelo was annoyed. “I wasn’t the hero.  It was those guys that didn’t come home that were the heros.”  It was just platitudes.  His face reflected the pain of the memories that came back, the people he had seen dead and dying, the friends and comrades that didn’t come back.

“Some of us will always remember, I assured him.”

Is it wrong of me to post this here?  He talked to me in confidence, the sharing between former soldiers.   But we should remember what those men with Baseball Caps with funny looking logos on it went through.  And what they still go through.

My calculations on Eight Tone Scales was way too manually intensive for me to trust that I got it right. I should check my work.

• generate the set of all strings of intervals of length 8.
1. Generate an array of length 8 and populate it with all 1′s except the first value, which gets a 0.
2. increment each digit. If the digit goes over five, overflow to the next digit. If the last digit overflows, we are done.
3. Sum the digits. If they don’t add up to 8, throw it out
• Convert them to a canonical form. We can make an array of 8 digits into an eight digit integer. Take the highest valued integer for each mode of the scale.
1. Convert the digits into a single eight digit integer.
2. Rotate the array by one and convert it to an 8 digit number.
3. Compare the results of the previous two steps and keep the higher value.
4. Repeat until we’ve rotated through all values in the array.
• Put them into a Set which will only contain unique values to remove duplicates.
• Sort the set

 

Since I am moving on to a Python Project, I figured I’d code it up in python.

#!/usr/bin/python

def increment(intervals, index):
    if index >= len(intervals):
        return False
    intervals[index] += 1
    if intervals[index] > 5:
        intervals[index] = 1
        return increment(intervals, index + 1)
    return True

def sums_to(intervals, sum):
    total = 0
    for val in intervals:
        total += val
    return sum == total

def int_form(intervals):
    value = 0
    for digit in intervals:
        value *= 10
        value += digit
    return value

def rotate(intervals):
    l = intervals[:]
    n = len(l) - 1
    head = l[:n]
    l[:n] = []
    l.extend(head)
    return l

def max_int_form(intervals):
    copy_of = intervals[:]
    max = 0
    for digit in intervals:
        next_int_form = int_form(copy_of)
        if next_int_form > max:
            max = next_int_form
        copy_of = rotate(copy_of)
    return max

intervals = [ 0, 1, 1, 1, 1, 1, 1, 1]
scale_set = set()
count = 0
while increment (intervals,0):
    if sums_to(intervals, 12):
        scale_set.add(max_int_form(intervals))
scales = list(scale_set)
scales.sort()

for scale in scales:
    count += 1
    print scale
print count ," Scales generated"

And the Output:

[ayoung@ayoung python]$ ./eightone.py
21212121
22112121
22112211
22121121
22121211
22122111
22211121
22211211
22212111
22221111
31111122
31111212
31111221
31112112
31112121
31112211
31113111
31121112
31121121
31121211
31122111
31131111
31211112
31211121
31211211
31212111
31221111
31311111
32111112
32111121
32111211
32112111
32121111
32211111
33111111
41111112
41111121
41111211
41112111
41121111
41211111
42111111
51111111
43  Scales generated

How many Eight Tone Scales are there? At first glance, this might seem like a simple CS GRE type question: there are 12 notes, so it would be 12 select 8 unordered.  Not quite:

Why 8 notes:  because in a 4/4 measure,  there are 8 quarter notes,  so if you have  an 8 note scale,  you have one distinct pitch to play per note.

• The bebop  scale is probably the best example of this:  add a #5 to a major scale and not only do you have 8 notes,  but each of the chord tones falls on the down beat,  not just for the Major Triad,  but for the Minor and Dominant seventh as well.
• The Harmonic minor scale can be viewed as the relative minor  plus a flat 9,  with the distinctive minor third just skipping  the minor seventh.  If you add back in the seventh, you get an 8 note scale  that works well for most Eastern European style music.
• The Diminished scale,  consisting of alternating half and whole steps  has 8 notes, and makes for some great runs as well.

So with those in mind,  I was wondering how many other 8 note scale there are.  I will ignore the other qualities that make an 8 note scale interesting for now:  I’m sure each will have some novelty to it.

So 12 choose 8  would give us (12!)/(8!)(4!)  or  495 scales,  the real number is much lower.  In the case of the three examples I post above,  note that the Harmonic Minor option really is just the same as the bebop scale,  just a different mode:  Played A to A instead of C to C.  So I will count these two as one scale, and the diminished scale as one scale.  Thus, all modes will be considered the same scale,  as will all transpositions:  C Bebop Major played from C to C is the same as F Bebop Major played from F to F.    We want to ignore 11 transpositions,  and 7 modes.  That gives me an answer of 6.42…which tells me I did something wrong….hmmm. Really,  we don’t just care about the number of scales,  but we want to be able to generate all of the scales,  and ignore the duplicates.  Lets apply some heuristics to reduce the number of duplications we have.

Another way to look at it is to look at the intervals between each note.  This is actually the more useful apporach,  as it is the template a musician would use to compose a specific instance of a scale.  We’ll use W for whole step and H for Half. For example,  the Bebop major scale is W W H W H  H W H.  Numerically,  this is 2 2 1 2 1 1 2 1  which sums to 12.  So we could look at it as generating the ordered sequences of 8 digits that sum to 12.  One nice feature of this is that we care about 8 distinct notes,  and we still have 8 elements:  the interval from the last note to looping around back to the first is also encapsulated in the sequence.   However,  we’ll have a couple scales unaccounted for with the W/H  approach, namely those that have an interval greater than 2.  How many of those are there?

If we start with 7  half steps,  we have a chromatic scale followed by an interval of 5H,  or a Major fourth in conventional intervals: H H H H H H H 5.

Note that any variation with a tritone in it is going to be a mode of this one.  For example H H 5 H H H H H is just starting on the 5th H.

Running total:  1 Scale.

If we steal a half step from  the 5,  and add it to a H,  we get a W  and an interval of 4H.  HHH HHH W 4.

If we fix the 4 in the first position,  It becomes a simple template like this:

4 XXX XXXX

Where we put the W in each position, and fill in the rest with Hs.

1. 4 WHH HHHH
2. 4 HWH HHHH
3. 4 HHW HHHH
4. 4 HHH WHHH
5. 4 HHH HWHH
6. 4 HHH HHWH
7. 4 HHH HHHW

Running Total:  8 scales

If we steal a half step from the 4,  we can either add it to the W or to one of the H.

•  HHH HHH 3 3
•  HHH HH WW 3

Note if we once again steal a half step,  in order to generate distinct steps from this last 3,  we have to add it to another H.

HHHH WWWW

Which I’ll enumerate later.

In the case of both   HHH HHH 3 3  and  HHH HH WW 3  we can fix the first interval to be an H  and reduce the number of alternatives  by using the other remaining intervals  for the last.

So  in the case of   HHH HHH 3 3   we make the template   H XXX XXX 3 .  The Remaining 3 can go into any of the Xs,  and the rest are filled with Hs.

1. H 3HH HHH 3
2. H H3H HHH 3
3. H HH3 HHH 3  (This one is symetric, which we’ll have to account for in our modes.)
4. H HHH 3HH 3
5. H HHH H3H 3
6. H HHH HH3 3

Running total 14 scales.

For  HHH HH WW 3  There are two  variations:

• H XXX XXX W
• H XXX XXX  3

Note that  these cover all the combinations generated by  W XXX XXX 3.

First we’ll do all combinations where

H XXX XXX  3  Has the fewest permutations.  The Two Ws can be in either order and produce the same scale.

1. H  WWH HHH 3
2. H WHW HHH 3
3. H WHH WHH 3 (Not symmetric due to the 3)
4. H WHH HWH 3
5. H WHH HHW 3
6. H HWW HHH 3
7. H HWH WHH 3
8. H HWH HWH 3
9. H HWH HHW 3
10. H HHW WHH 3
11. H HHW HWH 3
12. H HHW HHW 3
13. H HHH WWH 3
14. H HHH WHW 3
15. H HHH HWW 3

Running total  29 Scales.

It might be tempting to say that the there are 2X15 or 30 variations of   H XXX XXX W:  those where W  precedes 3 and those where 3 precedes W.  However,  scales “wrap around.” So anything of the form 3H is covered by the above combinations.  So we only need to account for scales with 3W in the middle.

1. H 3WH HHH W
2. H H3W HHH W
3. H HH3 WHH W
4. H HHH 3WH W
5. H HHH H3W W

Running total  34 Scales.

The scale HHHHHH5  is the variation with the most half steps.  The one with the least?  Lets start from a scale with None:  The 6th note whole tone scale  W W W W W W.  (From A this would be A B C# D# F G).  If we split any one of those whole tones,  we get a seven note scale with two half steps and five whole steps.  Thus,  we have to split exactly two of them.  Splitting the first two gives us:  H H H H W W W W.  How many variations of this are there?  Again,  lets use the technique of fixing the First,  but now also the last, element of the Set.  We will state that the first element is always H  and the last is always  W.

H X X X X X X W.  This will filter out most modes,  but not all….back to that below. Simplest is all H and Ws together.

1. H HHH WWWW

Running Total 35 Scales

Thos middle 6 places now must get filled by Six intervals,  3 Ws  and   3 Hs.  Another way to think of this is that we can put 0, 1, 2 or 3 Ws between each of the other intervals.    W can have  a run of 3  Injected into H HHHH W like this.  Note that we avoid the 4 in a row patterns from above.

1. H WWW HHHH W
2. H  H WWW HH W
3. H  HH WWW H W

Running total  38 Scales.

Now we can either have W  followed by  WW.  We will  avoid all combinations where Those bump up against another W.

1. H WHW WHH W
2. H WHH WWH W

Running Total 40 Scales

And the opposite pattern WW followed by W:

1. H WWH WHH W (Bebop)
2. H WWH HWH W

Running total 42 Scales.

Bebop Major is W W H W H  H W H  If we wrap this around  by one,  moving the last   interval into the first  position,   we get  H W W H W H  H W,  which is variation 1 above.

The last  variation is where we have alternating H and W.  This is a very symmetric scale.  There are  Only two modes:  The one that starts with H W  and the one that starts with W H.

1. H W H W H W H W  (Diminished)

Which gives a total of 43 scales.

Here’s the complete list:

1. H H H H H H H 5.
2. 4 WHH HHHH
3. 4 HWH HHHH
4. 4 HHW HHHH
5. 4 HHH WHHH
6. 4 HHH HWHH
7. 4 HHH HHWH
8. 4 HHH HHHW
9. H 3HH HHH 3
10. H H3H HHH 3
11. H HH3 HHH 3  (symmetric)
12. H HHH 3HH 3
13. H HHH H3H 3
14. H HHH HH3 3
15. H  WWH HHH 3
16. H WHW HHH 3
17. H WHH WHH 3
18. H WHH HWH 3
19. H WHH HHW 3
20. H HWW HHH 3
21. H HWH WHH 3
22. H HWH HWH 3
23. H HWH HHW 3
24. H HHW WHH 3
25. H HHW HWH 3
26. H HHW HHW 3
27. H HHH WWH 3
28. H HHH WHW 3
29. H HHH HWW 3
30. H 3WH HHH W
31. H H3W HHH W
32. H HH3 WHH W
33. H HHH 3WH W
34. H HHH H3W W
35. H HHH WWWW
36. H WWW HHHH W
37. H  H WWW HH W
38. H  HH WWW H W
39. H WHW WHH W
40. H WHH WWH W
41. H WWH WHH W (Bebop)
42. H WWH HWH W
43. H W H W H W H W  (Diminished,  very symmetric)

So where do my Klezmer Bebop    ( A b C d D# e F g# A )  and My  8 Tone Scale    (E F# G G# A# C# D D# E.) fall in?

The Klezmer Bebop scale is  W H W H H H 3 H  rotated  to  H W H W H H H 3 which is scale 16 above.

The other 8 tone scale is W H H W 3 H H H, rotated to H H H W H H W 3 which is scale 26 above.

The standard blues scale  is usually  3 W H H 3 W,  a 6 tone scale.  Starting on A  this is A C D D# E G A.  This Could obviously be fitted into many of the above scales by splitting either the W or 3 intervals.  If You we are playing over an A Dominant 7th chord,  we can add in the  the Major 3  and Major  6th:  C# and F#.   A C C# D D# E F# G A  Or 3 H H H H W H W.  Rotated to H H H H W H W 3  That is 28 above.

Chatting with co-worker Emily on the bus last night about REST, Git, and IPA lead to an epiphany of sorts. First, a little background.

The term REST (Representational State Transitions) comes from the original researchers attempt to reverse engineer the success of the Web. Moving backwards through time, we come to the original Tim Berners-Lee goal of developing a document sharing protocol. As such, the verb “PUT” maps to the changes of state: if you want to change a document, you PUT the new version of it to its URL.

However, the success of the web has not been based on that side of the HTTP protocol. Success has been based on using GET to fetch things and POST to change them. POST has been successful in that it provides two things you can’t get from the PUT semantics.

First, you can create a new identifier. With PUT, you have to know the URL that you are putting the document to. With POST, the Identifier is created for you.

Second, with PUT, you transmit the entire state of the document, but with POST you can send just small changes.

WebDAV was the first attempt I cam across to implement the whole HTTP protocol as designed. It allowed change the state of the server using PUT. Subversion developers called this “WebDA” as it left of the V–Versioning.

When Linus Torvalds was told that SVN was CVS fixed, his response stated that CVS, and by extension Subversion, we fundamentally flawed. Git does local revision control as well as remote revision control.

One thing that Git and SVN have in common, however, is the Atomic Commit. When you make changes to the state of the repository, you may modify more than one file. If the Commit is not Atomic, changes from two people might get intermingled, and the repository cannot be restored to a stable state. With an Atomic commit, the client sends the sets of changes to all of the files, and they get applied completely before any other changes are applied. A user can view the set of changes after the fact. In SVN, this is shown by revision number, in Git by the Hash of the commit.

So, moving back to REST, does it really make sense to focus on the PUT operator? It can only be used to add something that already has an identifier, it has to change an entire document, and it can’t change more than a single document.

Transactional databases have the concept of a log. A transaction log is a file that you always append to. The only time you delete from the transaction log is if you roll back an incomplete transaction. Once the commit record has been written to the log, the transaction is immutable. Git follows this rule, as do many messaging system. Changing the state of a system then can be viewed as sending the requested changes to a single resource, and allowing them to succeed or fail as a unit. It we allow the definition of PUT to contain only the change to the state of the system, we can PUT to a single URL and transform system wide state.

One advantage to using PUT semantics is that PUT is defined to be Idempotent. If you PUT the same value multiple times, the ensuing state of the system is only transformed once, and the second and succeeding PUTs do not change the system. Git commits are likewise idempotent…well, succeeding attempts to post a commit will fail, but the server will stay in the same state, so it is safe to do multiple times….not quite the same thing, but close enough. The reality is that each change to a git server is uniquely identified by its contents, and all of the changes, all of the indexed content of a git server is immutable. What changes are the branches, the named entry points into the system.

Thus a git based system could allow you to post a file to http://git.projectname.org/repository/e051de5d18522b1f9e0389dda68628a5401fa681 and, assuming that the file you posted matched the SHA256 fingerprint of the file, it would be accepted. So PUT might make sense in that perspective. But it would not a be a human interaction that did all for that, and the success of the Web is based on the Human readable scheme for URLs and the resources they reference.

So the question then is this: does what we now know from distributed revision control systems undermine the RESTful approach? I’d suspect that REST is the narrow center of the spectrum for updating changes on a server. We want to be able to manage state at the entire document level, at the Delta of a document, and via Delta of the overall system. You can represent these last two aspects with a RESTful architecture, but you have to so deliberately by designing them into your REST scheme. However, conceptually, they are outside the scope of the core HTTP approach.

An Identity Management Solution is no good if you can’t use it from your server applications.  Here are the steps you can go through to get your server working along side FreeIPA.

LDAP Approch  using Basic Auth:

The JNDI info you need can be found in: /etc/ipa/default.conf

host=ipa-server-3.ayoung.boston.devel.redhat.com
basedn=dc=ipa-server-3,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
realm=IPA-SERVER-3.AYOUNG.BOSTON.DEVEL.REDHAT.COM
domain=ayoung.boston.devel.redhat.com
xmlrpc_uri=https://ipa-server-3.ayoung.boston.devel.redhat.com/ipa/xml
ldap_uri=ldapi://%2fvar%2frun%2fslapd-IPA-SERVER-3-AYOUNG-BOSTON-DEVEL-REDHAT-COM.socket
enable_ra=True
ra_plugin=dogtag
mode=production

This should be specified in the IPA server as well as any enrolled IPA client.  Notice also the ldap_uri which should give you the information to connect, as well as the host line which tells you the DNS name of IPA server:  The most important value is the basedn.

Minor complaint:  using an equal sign as the separator between the key and value in this file makes it harder to script than it should be.

I do this to pull out the value for the basedn:

export  IPA_BASE_DN=`grep basedn /etc/ipa/default.conf | sed 's/basedn=//'`

To look up the set of groups you are assigned, you can use a simple bind where you are prompted for your password:

ldapsearch -W -D "uid=$USER,cn=users,cn=accounts,$IPA_BASE_DN" \
           -b "cn=groups,cn=accounts,$IPA_BASE_DN"  \
              "(member=uid=$USER,cn=users,cn=accounts,$IPA_BASE_DN)"

You can replace $USER with ‘Admin’ if you are just getting set up.  LDAP Configuration means that it finds the host  without you having to explicitly specify it.

To set up Tomcat to use LDAP, I tested things out using the manager app that ships with tomcat6. First, add the following stanza to the server.xml file for your tomcat instance. I put it right below the UserDatabase Realm that should be in there.

      <realm classname="org.apache.catalina.realm.JNDIRealm" connectionurl="ldap://localhost:389" rolebase="cn=groups,cn=accounts,dc=ipa-server-3,dc=example,dc=com" rolename="cn" rolesearch="(member={0})" userpattern="uid={0},cn=users,cn=accounts,dc=ipa-server-3,dc=example,dc=com">

I’ll use the classis example.com as the basis for the JDNI lookups.

I modified the web application by changing/var/lib/tomcat6/webapps/manager/WEB-INF/web.xml so that it use the Realm as defined here:

    BASIC
    org.apache.catalina.realm.JNDIRealm

In this solution, user groups are used for the roles. Create a group named manager-gui and add it to yourself, or the user that you want to have access to the WebApp. Now Browse http://yourserver:8080/manager/html and authenticate using the User credentials for IPA.

I’d like to point out that this solution does the Bind as the user, not as an administrator. This means that this session is confined by the access control (ACI) enforced by the Directory Server.

This gets you in the door, and will let you test that the LDAP and JNDI approach using Basic Authentication and Simple Bind works.  This is fine for testing and development, but I would recommend against it for production.  We can do better. In an upcoming article, I show how do the same type of authentication, but using Kerberos credentials and the GSSAPI.

Kerberos is a single sign on solution. AFAICT, it is the only one that solves the problem completely: You confirm that you are who you say you are, and the remote side confirms that it is who you think it is. It doesn’t work over he public internet only due to the fact that most corporate firewalls block the ports it needs.  So  we want to be able to do Kerberos, or its equivalent from the browser.

There are two approaches:  we could try to do it in the context of existing technology, or we could extend the browser.  First a really quick overview.

When using Kerberos you do two things:

1. Go to a centralized location and authenticate yourself

2.  Use something from that centralized place to authenticate yourself to some other service.

Yeah, it is  overly simplified.  I’ll get into more details as I go.

OK:  so this kind of maps to the web single sign on technologies out there.  For example, OAuth and OpenID both work through redirects to a central auth server.  After authenticating yourself, you then receive a redirect back, but this time with an addition value that confirms that the centralized server recognized you.

Why are these not the same?  The devil is in the details.

First off,  when you go to the auth server in Kerberso (called the Key DIstribution center, or KDC)  the  trust is mutual.  The KDC send you something encrypted with your password.  Meaning the KDC has to know your password.  Thus,   you know that the KDC is really the right auth server, or your password won’t work.   WebSSO  doesn’t provide this.  IN fact, when you get redirected to, say, yahoo,  and prompted for a UID and password, you are potentially going to receive a phishing attack.  You provide your auth credentials to the remote server, and you get your token, but it could be configured to accept anything, and to just record your password.

Of course, the fact that you are authenticating with Basic Auth (UserID and Password)  is pretty bad in its own right.

Kerberos uses the Password, but it doesn’t pass across the network.  There is a big difference.  What does back and forth allows you and the KDC to authenticate, but if either side attempts to cheat, it gains no more information than it had before.

The nonce/cookie/token/whatever that you get from a web SSO solution is just a random number.  In most OpenID solutions, the Auth provider does not know anything about the services that it provides auth for, so it can’t say “these are legitimate” and, more importantly,  “these are not legitimate.”  It is easy to extend the systems to authenticate the requester, but it isn’t done baseline by the protocols.

In Kerberos, you get a  ticket specific for some service.  If the service you want the ticket for is unknown to the KDC, you don’t get a service ticket.

OK, so how could we make this work with current technology?  The first step is certificates.

The Auth provider should present to you a certificate, signed by a trusted third party.  Thus, you know the auth provider is who it says it is.  This is necessary but not sufficient.  An attacker can present a certificate that says “I am me”  but you still have to check that  you are talking to who you think you are talking.  Thus, you need to direct which URL provides your auth server, not the requesting service.  This is requirement #1.  Once you auth against your ID server, it should provide you with a certificate with a short lifetime.  This is the certificate that you would use for the remote service.  This is requirement #2.

Much of this can be short circuited.  If your machine has a client certificate, you can use that to authenticate to the remote server without having to go back to the auth server.  Its SSL Certificate can confirm its identity to you.  Since both certificates are signed by trusted third parties, both are confident that they are accurate.  The question, then, is why don’t more people do this?

Cost.  Getting a server that can sign other certificates is trivial.  There is a great Open Source  CA implementation that I happen to work on:  However, getting your CA certificate signed by one of the authorities in the Mozilla  or Internet Explorer known CA list costs big bucks.  $10,000 was one price that I heard quoted.  Lets say it is a million.  The fact is that it costs something significant.

There are other issues.   Probably the most significant is that there is no session timeout.  Once you have a certificate, you are signed in to any site that accepts that certificate.  No user interaction is required.  Ideally, a certificate based approach would be linked with a short, non-cacheable token like “enter the first letter of the day of week followed by a 4 digit PIN”.

User certificates are complicated to administer in the browser.  For example, to remove a certificate in the current version of Mozilla, You have to know to go to “Edit->Preferences->Advanced->Encryption->View Certificate->Your Certificates.  Also, if you accidentally use the wrong one to try and log in to a site, the only way to rectify this problem is to close the browser and go back to the site.  User certificates typically have long lifespans:  A year to two years is not uncommon.  If a certificate times out,  getting a new one can be tricky.

But there is a lot of technology to make it easy, too.  OK a little more crypto background:  A certificate is really just a decorated public key.  If you do SSH, you probably have had to generate a key pair, and then copied the key over to the remote site.  A Certificate takes that public key,  and a trusted service cryptographically ensures that the key is really from you.  So to get a certificate, you need to first generate key pair, then generate a signing request (CSR), send that in to get approved and signed, and get back the certificate.

All of this can be done by the browser.  Mozilla has a internal database that holds your password, and that holds your private keys and  certificates. It is (probably) in  ~/.mozilla/firefox/*.default/cert8.db.

You can see what is in there with  certutil -d ~/.mozilla/firefox/*.default -L

So the mechanisms all exist to do web single sign on with Certificates, but they are painful.  So we have two options:  build out the mechanisms for Certificate web SSO, or make Kerberos SSO  work through the current technology.

To do Kerberos SSO,  here’s what you would need.

Make it possible to get a Ticket granting ticket (TGT)  via  the web browser from the Key distribution Centery (KCD).  This means first setting up an SSL connection between  the browser and the KDC< and then using port 443.  The browser could do a post to the KDC, to request a ticket, buyt the most important part is that the browser pops up a dialog that is unmistakably the enter your Kerberos password/kinit  dialog, and not a phishing attempt.  The browser needs to be involved, and should probably have a spot on the border of the browser that is not in the client area.  This is a tricky design issue, and will require some smarts.

The mechanism to get a service ticket is pretty similar to getting the TGT, but could probably be hidden from the end user.

There should probably be a handful of notifications that are visible to the user.  Getting a TGT requires interaction, but anytime something requests a new service ticket, the user should probably be notified, to prevent requests happening behind his/her back.

One shortcoming with current Keberos implementations is that they only allow one TGT and KDC  at a time.  This limitation is well understood and discussed, and will need to be alleviated prior to Kerbers really being a viable SSO alternative.