Authentication to FreeIPA
There are two use-cases for authentication to the FreeIPA API:
- Authentication with the service Kerberos ticket (su mode, password recovery, OpenID, SAML, SSO, ...)
- Authentication using the user-supplied credentials (Kerberos ticket from the user, username+password)
Authentication with the service Kerberos ticket
This is "su mode": the service edits user data on the user's behalf. It has to be used sparingly, as it can edit every user's password. Ideally, it should be used only for resetting the password.
Authentication using the user-supplied credentials
This requires a connection to the FreeIPA client per user to obtain a session on that user's behalf. This session is then used to modify the user's data. The user's credentials have to be known for this to work. It is not possible to change any data other than the user's own.
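The rules of the two modes above can be enforced in one gate that runs before any FreeIPA call is made. The following is an added example, not code from this project; every name in it (Request, authorize, Denied, the operation strings) is hypothetical and none of them is FreeIPA API.

```python
from dataclasses import dataclass

# All names here (Request, authorize, the operation strings) are hypothetical,
# chosen for this example; none of them is FreeIPA API.
SERVICE_TICKET = "service_ticket"      # "su mode"
USER_CREDENTIALS = "user_credentials"  # per-user session

# The page recommends su mode only for password resets, so that is the allowlist.
SERVICE_ALLOWED_OPS = frozenset({"reset_password"})


class Denied(Exception):
    """Raised when a request does not fit the rules of its authentication mode."""


@dataclass(frozen=True)
class Request:
    mode: str       # SERVICE_TICKET or USER_CREDENTIALS
    actor: str      # logged-in user, or the name of the flow using the service ticket
    target: str     # account whose data would be changed
    operation: str  # e.g. "reset_password", "edit_profile"


def authorize(req: Request, audit_log: list) -> str:
    """Return the mode to use for the FreeIPA call, or raise Denied (fail closed)."""
    if req.mode == SERVICE_TICKET:
        allowed = req.operation in SERVICE_ALLOWED_OPS
        # Record every su-mode attempt, allowed or not: this identity can reach any user.
        audit_log.append((req.actor, req.target, req.operation, allowed))
        if not allowed:
            raise Denied(f"service ticket may not perform {req.operation!r}")
        return SERVICE_TICKET
    if req.mode == USER_CREDENTIALS:
        # A user session can only change that user's own data.
        if req.actor != req.target:
            raise Denied("user session cannot modify another account")
        return USER_CREDENTIALS
    raise Denied(f"unknown authentication mode {req.mode!r}")


if __name__ == "__main__":
    log = []  # the requests below are constructed sample input
    print(authorize(Request(SERVICE_TICKET, "password-recovery", "alice", "reset_password"), log))
    print(authorize(Request(USER_CREDENTIALS, "alice", "alice", "edit_profile"), log))
    try:
        authorize(Request(SERVICE_TICKET, "sso", "alice", "edit_profile"), log)
    except Denied as exc:
        print("denied:", exc)
    print(log)
```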