Improving radicale kerberos auth
My current setup for Radicale and Infcloud for my web interface to my calendars depends on ldap authentication at the reverse-proxy level.
I hacked the frontend in my branch of infcloud to use the browser's localStorage JavaScript feature so I don't have to enter my username and password every time. Yes, it's insecure, and yes, I don't care.
Using my web calendar works very well. However, when I go to download an event (usually to email it to someone to invite them), I get prompted with the browser basic auth prompt. So I got tired of having to do that, at least the first time in every session, and I wanted to find a better way. I use kerberos (gssapi) authentication in other places on my web server, and I wanted to bring that here.
So I spent a bunch of time experimenting, and I learned that I didn't need to change the infcloud or radicale apps at all! Configuring the apache httpd reverse proxy and my radicale rights file was all I needed.
Changes to apache httpd config
I only needed to change one line in my main config file: which auth.cnf file to include:
RewriteEngine On
RewriteRule ^/radicale$ /radicale/ [R,L]
<Location "/radicale/">
    ProxyPreserveHost On
    Include conf.d/auth-gssapi.cnf
    Require valid-user
    AuthName "GSSAPI protected"
    ProxyPass http://localhost:5232/ retry=20 connectiontimeout=300 timeout=300
    ProxyPassReverse http://localhost:5232/
    RequestHeader set X-Script-Name /radicale
</Location>
Changes to auth-gssapi.cnf
I added entries to auth-gssapi.cnf, which was mostly complete.
AuthType GSSAPI
GssapiUseSessions On
Session On
SessionCookieName s1_session path=/;
GssapiCredStore keytab:/etc/httpd/keytab
GssapiCredStore ccache:/etc/httpd/krb5.cache
SessionHeader S1SESSION
GssapiSessionKey file:/etc/httpd/gssapisession.key
GssapiImpersonate On
GssapiDelegCcacheDir /run/httpd/ccache
GssapiDelegCcachePerms mode:0660 gid:apache
GssapiUseS4U2Proxy On
GssapiAllowedMech krb5
GssapiBasicAuth On
GssapiBasicAuthMech krb5
GssapiLocalName On
GssapiNameAttributes json
AuthBasicProvider ldap
AuthLDAPGroupAttribute member
AuthLDAPSubGroupClass group
AuthLDAPGroupAttributeIsDN On
AuthLDAPURL "ldaps://dns1.ipa.internal.com:636 dns2.ipa.internal.com:636/cn=users,cn=accounts,dc=ipa,dc=internal,dc=com?uid,memberof,gecos?sub?(objectClass=person)"
# GSS_NAME returns username@IPA.EXAMPLE.COM which merely needs additional rules in /etc/radicale/rights
RequestHeader set X_REMOTE_USER "%{GSS_NAME}e"
# Does not work
#RequestHeader set X_GROUPS "%{AUTHENTICATE_memberOf}e"
# mostly useless values
#RequestHeader set X_REMOTE_GSS "%{GSS_NAME_ATTRS_JSON}e"
Changes to radicale rights file
My radicale setup uses /etc/radicale/rights to define the ACLs. The examples in the file are very useful. I merely needed to repeat entries and add the domain name.
# default, which was already here
[principal]
user: .+
collection: {user}
permissions: RW

# new entry
[principal-domain]
user: (.+)@IPA.INTERNAL.COM
collection: {0}
permissions: RW

# default
[calendars]
user: .+
collection: {user}/[^/]+
permissions: rw

# new entry
[calendars-domain]
user: (.+)@IPA.INTERNAL.COM
collection: {0}/[^/]+
permissions: rw

# Specific calendars
[user8-read-bgstack15-1]
user: user8
collection: bgstack15
permissions: R

[user8-read-bgstack15-2]
user: user8
collection: bgstack15/c86bcd9f-7526-8083-ca5c-c68bc664ae03
permissions: rwi

# new entries
[user8-read-bgstack15-1-domain]
user: user8@IPA.INTERNAL.COM
collection: bgstack15
permissions: R

[user8-read-bgstack15-2-domain]
user: user8@IPA.INTERNAL.COM
collection: bgstack15/c86bcd9f-7526-8083-ca5c-c68bc664ae03
permissions: rwi
I find it worth duplicating entries, to accomplish my goal of being able to seamlessly download calendar events in my browser.
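To check that the duplicated rules resolve the way this post expects, here is an added Python script (mine, not Radicale's own code) that re-implements the rights-file matching as Radicale documents it: the first section whose user regex and collection regex both fully match wins, with user-regex capture groups available as {0}, {1}, ... and the whole name as {user}. The rights text is constructed inline from the entries above.

```python
import configparser
import re

# Constructed rights file with the same shape as the one above: the stock
# {user} rules plus the "-domain" rules that map user@REALM onto {0}.
RIGHTS_TEXT = """
[principal]
user: .+
collection: {user}
permissions: RW
[principal-domain]
user: (.+)@IPA.INTERNAL.COM
collection: {0}
permissions: RW
[calendars]
user: .+
collection: {user}/[^/]+
permissions: rw
[calendars-domain]
user: (.+)@IPA.INTERNAL.COM
collection: {0}/[^/]+
permissions: rw
[user8-read-bgstack15-1-domain]
user: user8@IPA.INTERNAL.COM
collection: bgstack15
permissions: R
"""

def load_rights(text):
    """Parse an INI rights file into (section, user, collection, permissions)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [(s, cp[s]["user"], cp[s]["collection"], cp[s]["permissions"])
            for s in cp.sections()]

def permissions_for(rules, user, path):
    """Return (section, permissions) of the first rule whose user regex AND
    collection regex both fully match, else None. Capture groups fill {0}, {1},
    ... and {user} is the whole name; both are escaped so '.' and '@' in a
    Kerberos principal are matched literally rather than as regex syntax."""
    for section, user_re, coll_re, perms in rules:
        m = re.fullmatch(user_re, user)
        if not m:
            continue
        coll_pattern = coll_re.format(*(re.escape(g) for g in m.groups()),
                                      user=re.escape(user))
        if re.fullmatch(coll_pattern, path):
            return section, perms
    return None

RULES = load_rights(RIGHTS_TEXT)
```

Without the -domain sections, a principal such as user8@IPA.INTERNAL.COM only ever matches [principal] with a collection literally named after the full principal, which is why the extra entries are needed.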