IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-14 02:11:56 -06:00
Code Issues Packages Projects Releases Wiki Activity
2411377d40
freeipa/install/conf/ipa.conf

153 lines
3.4 KiB
Plaintext
Raw Normal View History

Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443
2008-05-07 08:33:00 -05:00
#
Use Dogtag 10 only when it is available Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2012-08-23 11:38:45 -05:00
# VERSION 8 - DO NOT REMOVE THIS LINE
Store session cookie in ccache for cli users Try to use the URI /ipa/session/xml if there is a key in the kernel keyring. If there is no cookie or it turns out to be invalid (expired, whatever) then use the standard URI /ipa/xml. This in turn will create a session that the user can then use later. https://fedorahosted.org/freeipa/ticket/2331
2012-06-06 21:54:16 -05:00
#
# This file may be overwritten on upgrades.
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443
2008-05-07 08:33:00 -05:00
#
Second (final) part of xmlrpc patch.
0000-12-31 18:09:24 -05:50
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
Make doing basic testing of Kerberos ticket forwarding and system setup easier.
2007-09-25 07:37:45 -05:00
ProxyRequests Off
Second (final) part of xmlrpc patch.
0000-12-31 18:09:24 -05:50
Changes to the install and config files to support deploying the javascript code.
2010-08-03 18:42:03 -05:00
#We use xhtml, a file format that the browser validates
SUDO Rule Search and Details Pages The search and details pages for SUDO Rule have been added. Codes that are shared with HBAC have been moved to rule.js. The following methods were renamed for consistency: - ipa_details_load() -> ipa_details_refresh() - ipa_details_display() -> ipa_details_load() The ipa_details_cache has been removed because the cache is now stored in each widget. The index.xhtml has been removed. All references to it has been changed to index.html. The Unselect All checkbox has been fixed. Unnecessary parameter 'container' has been removed. The unit test has been updated and new test data has been added.
2010-11-18 20:17:14 -06:00
DirectoryIndex index.html
Changes to the install and config files to support deploying the javascript code.
2010-08-03 18:42:03 -05:00
Increase LimitRequestFieldSize in Apache config to support a 64KiB PAC https://fedorahosted.org/freeipa/ticket/2767
2012-06-14 10:15:30 -05:00
# Substantially increase the request field size to support MS-PAC
# requests, ticket #2767. This should easily support a 64KiB PAC.
LimitRequestFieldSize 100000
Changes to the install and config files to support deploying the javascript code.
2010-08-03 18:42:03 -05:00
Redirect users when they don't use the FQDN on both SSL and non-SSL ports We update the mod_nss configuration (nss.conf) during installation to include ipa-rewrite.conf to handle the SSL side. 433054
2008-02-21 15:25:09 -06:00
# ipa-rewrite.conf is loaded separately
Require SSL for the XML-RPC interface
2007-10-19 09:14:30 -05:00
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript.
2007-12-12 08:36:32 -06:00
# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive jar
Generate CRLs and make them available from the IPA web server
2009-08-24 12:42:48 -05:00
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /var/run/httpd/wsgi
Add mod_python adapter and some UI tuning
2009-10-26 06:16:18 -05:00
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen.
2007-09-10 15:33:01 -05:00
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off
ipa-server-install now renders UI assets
2009-11-02 15:16:27 -06:00
Add mod_python adapter and some UI tuning
2009-10-26 06:16:18 -05:00
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
# Turn off mod_msgi handler for errors, config, crl:
Consolidate to single WSGI entry point
2010-02-23 11:53:47 -06:00
<Location "/ipa/errors">
SetHandler None
</Location>
<Location "/ipa/config">
SetHandler None
</Location>
<Location "/ipa/crl">
SetHandler None
</Location>
Configure s4u2proxy during installation. This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services. Requires a version of mod_auth_kerb that supports s4u2proxy https://fedorahosted.org/freeipa/ticket/1098
2012-01-10 21:39:26 -06:00
KrbConstrainedDelegationLock ipa
Consolidate to single WSGI entry point
2010-02-23 11:53:47 -06:00
Tweak the session auth to reflect developer consensus. * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
2012-02-15 09:26:42 -06:00
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
add session manager and cache krb auth This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
2012-02-06 12:29:56 -06:00
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
KrbConstrainedDelegation on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>
Tweak the session auth to reflect developer consensus. * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
2012-02-15 09:26:42 -06:00
# Turn off Apache authentication for sessions
Implement password based session login * Adjust URL's - rename /ipa/login -> /ipa/session/login_kerberos - add /ipa/session/login_password * Adjust Kerberos protection on URL's in ipa.conf * Bump VERSION in httpd ipa.conf to pick up session changes. * Adjust login URL in ipa.js * Add InvalidSessionPassword to errors.py * Rename krblogin class to login_kerberos for consistency with new login_password class * Implement login_password.kinit() method which invokes /usr/bin/kinit as a subprocess * Add login_password class for WSGI dispatch, accepts POST application/x-www-form-urlencoded user & password parameters. We form the Kerberos principal from the server's realm. * Add function krb5_unparse_ccache() * Refactor code to share common code * Clean up use of ccache names, be consistent * Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file() with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache(). bind_ipa_ccache() now sets environment KRB5CCNAME variable. release_ipa_ccache() now clears environment KRB5CCNAME variable. * ccache names should now support any ccache storage scheme, not just FILE based ccaches * Add utilies to return HTTP status from wsgi handlers, use constants for HTTP status code for consistency. Use utilies for returning from wsgi handlers rather than duplicated code. * Add KerberosSession.finalize_kerberos_acquisition() method so different login handlers can share common code. * add Requires: krb5-workstation to server (server now calls kinit) * Fix test_rpcserver.py to use new dispatch inside route() method https://fedorahosted.org/freeipa/ticket/2095
2012-02-25 12:39:19 -06:00
<Location "/ipa/session/json">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
Store session cookie in ccache for cli users Try to use the URI /ipa/session/xml if there is a key in the kernel keyring. If there is no cookie or it turns out to be invalid (expired, whatever) then use the standard URI /ipa/xml. This in turn will create a session that the user can then use later. https://fedorahosted.org/freeipa/ticket/2331
2012-06-06 21:54:16 -05:00
<Location "/ipa/session/xml">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
Implement password based session login * Adjust URL's - rename /ipa/login -> /ipa/session/login_kerberos - add /ipa/session/login_password * Adjust Kerberos protection on URL's in ipa.conf * Bump VERSION in httpd ipa.conf to pick up session changes. * Adjust login URL in ipa.js * Add InvalidSessionPassword to errors.py * Rename krblogin class to login_kerberos for consistency with new login_password class * Implement login_password.kinit() method which invokes /usr/bin/kinit as a subprocess * Add login_password class for WSGI dispatch, accepts POST application/x-www-form-urlencoded user & password parameters. We form the Kerberos principal from the server's realm. * Add function krb5_unparse_ccache() * Refactor code to share common code * Clean up use of ccache names, be consistent * Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file() with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache(). bind_ipa_ccache() now sets environment KRB5CCNAME variable. release_ipa_ccache() now clears environment KRB5CCNAME variable. * ccache names should now support any ccache storage scheme, not just FILE based ccaches * Add utilies to return HTTP status from wsgi handlers, use constants for HTTP status code for consistency. Use utilies for returning from wsgi handlers rather than duplicated code. * Add KerberosSession.finalize_kerberos_acquisition() method so different login handlers can share common code. * add Requires: krb5-workstation to server (server now calls kinit) * Fix test_rpcserver.py to use new dispatch inside route() method https://fedorahosted.org/freeipa/ticket/2095
2012-02-25 12:39:19 -06:00
<Location "/ipa/session/login_password">
Tweak the session auth to reflect developer consensus. * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
2012-02-15 09:26:42 -06:00
Satisfy Any
Order Deny,Allow
Allow from all
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
</Location>
Password change capability for form-based auth IPA server web form-based authentication allows logins for users which for some reason cannot use Kerberos authentication. However, when a password for such users expires, they are unable change the password via web interface. This patch adds a new WSGI script attached to URL /ipa/session/change_password which can be accessed without authentication and which provides password change capability for web services. The actual password change in the script is processed by LDAP password change command. Password result is passed both in the resulting HTML page, but also in HTTP headers for easier parsing in web services: X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error} (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text https://fedorahosted.org/freeipa/ticket/2276
2012-06-06 07:38:08 -05:00
<Location "/ipa/session/change_password">
Satisfy Any
Order Deny,Allow
Allow from all
</Location>
Consolidate to single WSGI entry point
2010-02-23 11:53:47 -06:00
# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"
# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"
Make doing basic testing of Kerberos ticket forwarding and system setup easier.
2007-09-25 07:37:45 -05:00
# Do no authentication on the directory that contains error messages
Show (hopefully) useful information if the Kerberos connection fails.
2007-09-24 14:20:34 -05:00
<Directory "/usr/share/ipa/html">
Consolidate to single WSGI entry point
2010-02-23 11:53:47 -06:00
SetHandler None
Show (hopefully) useful information if the Kerberos connection fails.
2007-09-24 14:20:34 -05:00
AllowOverride None
Satisfy Any
Allow from all
</Directory>
Make doing basic testing of Kerberos ticket forwarding and system setup easier.
2007-09-25 07:37:45 -05:00
Consolidate to single WSGI entry point
2010-02-23 11:53:47 -06:00
# For CRL publishing
Use Dogtag 10 only when it is available Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2012-08-23 11:38:45 -05:00
Alias /ipa/crl "$CRL_PUBLISH_PATH"
<Directory "$CRL_PUBLISH_PATH">
Consolidate to single WSGI entry point
2010-02-23 11:53:47 -06:00
SetHandler None
Generate CRLs and make them available from the IPA web server
2009-08-24 12:42:48 -05:00
AllowOverride None
Options Indexes FollowSymLinks
Satisfy Any
Allow from all
</Directory>
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
IPA HTTPD config uses /usr/share/static as target for /ipa/ui
2010-08-06 14:43:27 -05:00
# webUI is now completely static, and served out of that directory
rename static to ui Directory rename
2011-01-19 11:26:14 -06:00
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
Changes to the install and config files to support deploying the javascript code.
2010-08-03 18:42:03 -05:00
SetHandler None
AllowOverride None
Ticket Expiration THis patch handles Kerberos ticket expiration in the UI. Additionally it removes the mod_atuh_kerb authorization for elements in the static directory, cutting down on the number of round trips required for initializing the web app Conflicts: install/static/ipa.js
2010-11-05 18:48:42 -05:00
Satisfy Any
Changes to the install and config files to support deploying the javascript code.
2010-08-03 18:42:03 -05:00
Allow from all
</Directory>
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
Make doing basic testing of Kerberos ticket forwarding and system setup easier.
2007-09-25 07:37:45 -05:00
# Protect our CGIs
<Directory /var/www/cgi-bin>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443
2008-05-07 08:33:00 -05:00
ErrorDocument 401 /ipa/errors/unauthorized.html
Make doing basic testing of Kerberos ticket forwarding and system setup easier.
2007-09-25 07:37:45 -05:00
</Directory>
Run ipaserver under mod_wsgi
2010-02-24 12:29:23 -06:00
Add DS migration plugin and password migration page.
2010-01-12 09:40:09 -06:00
# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
AllowOverride None
Satisfy Any
Allow from all
Rewrite the migration page using WSGI
2010-10-29 08:38:17 -05:00
Options ExecCGI
AddHandler wsgi-script .py
Add DS migration plugin and password migration page.
2010-01-12 09:40:09 -06:00
</Directory>
Reference in New Issue Copy Permalink