A second Kerberos Realm

With the release of KRB5 1.10, a Kerberos workstation can finally hold two different TGTs from two different KDCs at the same time. Until this feature makes it into the major distributions, we are stuck with the limitation that the browser only knows about one TGT/KDC/realm at a time. If you find yourself needing to talk to a second KDC without disrupting your primary one, here are the steps you can take.

Cloud Identity Management

Openstack Keystone is the Identity Management (IdM) gateway for the rest of the Openstack infrastructure. While it is fairly new code and not yet feature complete, it does show some interesting aspects of cloud identity management and the issues it involves. That, of course, raises the question of what is required of a cloud Identity Management gateway.

Certificates for Web SSO

Kerberos is a single sign on solution. AFAICT, it is the only one that solves the problem completely: you confirm that you are who you say you are, and the remote side confirms that it is who you think it is. It doesn’t work over the public internet only because most corporate firewalls block the ports it needs. So we want to be able to do Kerberos, or its equivalent, from the browser.

Git and SVN for PKI

I’ve been working with the PKI/Dogtag code for a while. Over the past couple of years, I’ve become more and more comfortable with Git. PKI uses SVN as a centralized repository. Since Git SVN integration is fairly mature, I’ve been using that to manage my coding. On Monday, I gave a presentation to my team on Git SVN. I’ve taken the outline from the slides and included it here.

Java Web Applications in Fedora

Fedora and Debian play the role where many chaotic projects get a degree of charm school: they learn to play nice with a lot of other projects. In Fedora, as near as I can tell, there is only one Java based web application packaged as part of the distribution: Dogtag, the Public Key Infrastructure server. As we look at how PKI should look in the future, the dearth of comparable applications packaged for Fedora leaves us with the opportunity to define a logical and simple standard packaging scheme. While I am not there yet, this post is the start of my attempts to organize my thoughts on the subject. I’m looking for input.
