freeipa/ipa-server/xmlrpc-server/ipa.conf

# LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off

RewriteEngine on

# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST}    !^$FQDN$$ [NC]
RewriteRule ^/(.*)          http://$FQDN/$$1 [L,R=301]

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
RewriteCond %{SERVER_PORT}  !^443$$
RewriteCond %{REQUEST_URI}  !^/(errors|config)/
RewriteRule ^/(.*)          https://$FQDN/$$1 [L,R=301,NC]

<Proxy *>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html
  RewriteEngine on
  Order deny,allow
  Allow from all

  # We create a subrequest to find REMOTE_USER. Don't do this for every
  # subrequest too (slow and huge logs result)
  RewriteCond %{IS_SUBREQ}% false
  RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
  RequestHeader set X-Forwarded-User %{RU}e
  RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e

  # RequestHeader unset Authorization
</Proxy>

# The URI's with a trailing ! are those that aren't handled by the proxy
ProxyPass /cgi-bin !
ProxyPass /errors !
ProxyPass /config !
ProxyPass /ipa !
#ProxyPass /ipatest !
ProxyPass / http://localhost:8080/
ProxyPassReverse /cgi-bin !
ProxyPassReverse /errors !
ProxyPassReverse /config !
ProxyPassReverse /ipa !
#ProxyPassReverse /ipatest !
ProxyPassReverse / http://localhost:8080/

# Configure the XML-RPC service

Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
Alias /errors "/usr/share/ipa/html"
Alias /config "/usr/share/ipa/html"

<Directory "/usr/share/ipa/ipaserver">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html

  SetHandler mod_python
  PythonHandler ipaxmlrpc
  
  PythonDebug Off

  PythonOption IPADebug Off

  # this is pointless to use since it would just reload ipaxmlrpc.py
  PythonAutoReload Off
</Directory>

# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>

# Protect our CGIs
<Directory /var/www/cgi-bin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html
</Directory>

#Alias /ipatest "/usr/share/ipa/ipatest"

#<Directory "/usr/share/ipa/ipatest">
#  AuthType Kerberos
#  AuthName "Kerberos Login"
#  KrbMethodNegotiate on
#  KrbMethodK5Passwd off
#  KrbServiceName HTTP
#  KrbAuthRealms $REALM
#  Krb5KeyTab /etc/httpd/conf/ipa.keytab
#  KrbSaveCredentials on
#  Require valid-user
#  ErrorDocument 401 /errors/unauthorized.html
#
#  SetHandler mod_python
#  PythonHandler test_mod_python
#  
#  PythonDebug Off
#
#</Directory>
Second (final) part of xmlrpc patch. 0000-12-31 18:09:24 -05:50			`# LoadModule auth_kerb_module modules/mod_auth_kerb.so`

Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`ProxyRequests Off`
Second (final) part of xmlrpc patch. 0000-12-31 18:09:24 -05:50
Require SSL for the XML-RPC interface 2007-10-19 09:14:30 -05:00			`RewriteEngine on`

Redirect to the FQDN otherwise kerberos auth may fail 2007-11-12 13:47:48 -06:00			`# Redirect to the fully-qualified hostname. Not redirecting to secure`
			`# port so configuration files can be retrieved without requiring SSL.`
			`RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC]`
			`RewriteRule ^/(.*) http://$FQDN/$$1 [L,R=301]`

			`# Redirect to the secure port if not displaying an error or retrieving`
			`# configuration.`
Require SSL for the XML-RPC interface 2007-10-19 09:14:30 -05:00			`RewriteCond %{SERVER_PORT} !^443$$`
Create configuration for MIT Windows kerberos client and install into http://hostname/config so users can point their MIT client at the IPA server and automatically fetch the configuration. 2007-10-29 11:00:48 -05:00			`RewriteCond %{REQUEST_URI} !^/(errors\|config)/`
Redirect to the FQDN otherwise kerberos auth may fail 2007-11-12 13:47:48 -06:00			`RewriteRule ^/(.*) https://$FQDN/$$1 [L,R=301,NC]`
Require SSL for the XML-RPC interface 2007-10-19 09:14:30 -05:00
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`<Proxy *>`
- Abstracted client class to work directly or over RPC - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication - Update tools to use kerberos - Add User class 2007-08-06 09:05:53 -05:00			`AuthType Kerberos`
			`AuthName "Kerberos Login"`
			`KrbMethodNegotiate on`
			`KrbMethodK5Passwd off`
			`KrbServiceName HTTP`
Generate /etc/httpd/conf.d/ipa.conf from a template so the realm can be set during installation 2007-08-06 09:51:23 -05:00			`KrbAuthRealms $REALM`
- Abstracted client class to work directly or over RPC - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication - Update tools to use kerberos - Add User class 2007-08-06 09:05:53 -05:00			`Krb5KeyTab /etc/httpd/conf/ipa.keytab`
			`KrbSaveCredentials on`
			`Require valid-user`
Second (final) part of xmlrpc patch. 0000-12-31 18:09:24 -05:50			`ErrorDocument 401 /errors/unauthorized.html`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00			`RewriteEngine on`
			`Order deny,allow`
			`Allow from all`

			`# We create a subrequest to find REMOTE_USER. Don't do this for every`
			`# subrequest too (slow and huge logs result)`
			`RewriteCond %{IS_SUBREQ}% false`
			`RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]`
			`RequestHeader set X-Forwarded-User %{RU}e`
Use ticket forwarding with TurboGears. mod_proxy forwards the principal name and location of the keytab. In order for this keytab to be usable TurboGears and Apache will need to run as the same user. We will also need to listen only on localhost in TG. 2007-09-14 16:19:02 -05:00			`RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00
			`# RequestHeader unset Authorization`
			`</Proxy>`

			`# The URI's with a trailing ! are those that aren't handled by the proxy`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`ProxyPass /cgi-bin !`
			`ProxyPass /errors !`
Create configuration for MIT Windows kerberos client and install into http://hostname/config so users can point their MIT client at the IPA server and automatically fetch the configuration. 2007-10-29 11:00:48 -05:00			`ProxyPass /config !`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00			`ProxyPass /ipa !`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`#ProxyPass /ipatest !`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00			`ProxyPass / http://localhost:8080/`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`ProxyPassReverse /cgi-bin !`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00			`ProxyPassReverse /errors !`
Create configuration for MIT Windows kerberos client and install into http://hostname/config so users can point their MIT client at the IPA server and automatically fetch the configuration. 2007-10-29 11:00:48 -05:00			`ProxyPassReverse /config !`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00			`ProxyPassReverse /ipa !`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`#ProxyPassReverse /ipatest !`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00			`ProxyPassReverse / http://localhost:8080/`

			`# Configure the XML-RPC service`

			`Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`Alias /errors "/usr/share/ipa/html"`
Create configuration for MIT Windows kerberos client and install into http://hostname/config so users can point their MIT client at the IPA server and automatically fetch the configuration. 2007-10-29 11:00:48 -05:00			`Alias /config "/usr/share/ipa/html"`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00
			`<Directory "/usr/share/ipa/ipaserver">`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`AuthType Kerberos`
			`AuthName "Kerberos Login"`
			`KrbMethodNegotiate on`
			`KrbMethodK5Passwd off`
			`KrbServiceName HTTP`
			`KrbAuthRealms $REALM`
			`Krb5KeyTab /etc/httpd/conf/ipa.keytab`
			`KrbSaveCredentials on`
			`Require valid-user`
			`ErrorDocument 401 /errors/unauthorized.html`
Second (final) part of xmlrpc patch. 0000-12-31 18:09:24 -05:50
			`SetHandler mod_python`
			`PythonHandler ipaxmlrpc`

			`PythonDebug Off`

Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`PythonOption IPADebug Off`
Enable LDAP debugging using the mod_python Apache configuration directive PythonOption IPADebug On/Off 2007-09-21 13:39:52 -05:00
Second (final) part of xmlrpc patch. 0000-12-31 18:09:24 -05:50			`# this is pointless to use since it would just reload ipaxmlrpc.py`
			`PythonAutoReload Off`
			`</Directory>`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`# Do no authentication on the directory that contains error messages`
Show (hopefully) useful information if the Kerberos connection fails. 2007-09-24 14:20:34 -05:00			`<Directory "/usr/share/ipa/html">`
			`AllowOverride None`
			`Satisfy Any`
			`Allow from all`
			`</Directory>`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00
			`# Protect our CGIs`
			`<Directory /var/www/cgi-bin>`
			`AuthType Kerberos`
			`AuthName "Kerberos Login"`
			`KrbMethodNegotiate on`
			`KrbMethodK5Passwd off`
			`KrbServiceName HTTP`
			`KrbAuthRealms $REALM`
			`Krb5KeyTab /etc/httpd/conf/ipa.keytab`
			`KrbSaveCredentials on`
			`Require valid-user`
			`ErrorDocument 401 /errors/unauthorized.html`
			`</Directory>`

Use a different directory for test programs 2007-09-25 08:50:30 -05:00			`#Alias /ipatest "/usr/share/ipa/ipatest"`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00
Use a different directory for test programs 2007-09-25 08:50:30 -05:00			`#<Directory "/usr/share/ipa/ipatest">`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`# AuthType Kerberos`
			`# AuthName "Kerberos Login"`
			`# KrbMethodNegotiate on`
			`# KrbMethodK5Passwd off`
			`# KrbServiceName HTTP`
			`# KrbAuthRealms $REALM`
			`# Krb5KeyTab /etc/httpd/conf/ipa.keytab`
			`# KrbSaveCredentials on`
			`# Require valid-user`
			`# ErrorDocument 401 /errors/unauthorized.html`
			`#`
			`# SetHandler mod_python`
			`# PythonHandler test_mod_python`
			`#`
			`# PythonDebug Off`
			`#`
			`#</Directory>`