freeipa/ipa-server/xmlrpc-server/ipa.conf

#
# VERSION 1 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off

# ipa-rewrite.conf is loaded separately

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive        jar

<Proxy *>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
  RewriteEngine on
  Order deny,allow
  Allow from all

  RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e

  # RequestHeader unset Authorization
</Proxy>

# The URI's with a trailing ! are those that aren't handled by the proxy
ProxyPass /ipa/ui http://localhost:8080/ipa/ui
ProxyPassReverse /ipa/ui http://localhost:8080/ipa/ui

# Configure the XML-RPC service
Alias /ipa/xml "/usr/share/ipa/ipaserver/XMLRPC"

# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"

# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"

<Directory "/usr/share/ipa/ipaserver">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html

  SetHandler mod_python
  PythonHandler ipaxmlrpc
  
  PythonDebug Off

  PythonOption IPADebug Off

  # this is pointless to use since it would just reload ipaxmlrpc.py
  PythonAutoReload Off
</Directory>

# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>

# Protect our CGIs
<Directory /var/www/cgi-bin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
</Directory>

#Alias /ipatest "/usr/share/ipa/ipatest"

#<Directory "/usr/share/ipa/ipatest">
#  AuthType Kerberos
#  AuthName "Kerberos Login"
#  KrbMethodNegotiate on
#  KrbMethodK5Passwd off
#  KrbServiceName HTTP
#  KrbAuthRealms $REALM
#  Krb5KeyTab /etc/httpd/conf/ipa.keytab
#  KrbSaveCredentials on
#  Require valid-user
#  ErrorDocument 401 /ipa/errors/unauthorized.html
#
#  SetHandler mod_python
#  PythonHandler test_mod_python
#  
#  PythonDebug Off
#
#</Directory>
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`#`
			`# VERSION 1 - DO NOT REMOVE THIS LINE`
			`#`
Second (final) part of xmlrpc patch. 0000-12-31 18:09:24 -05:50			`# LoadModule auth_kerb_module modules/mod_auth_kerb.so`

Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`ProxyRequests Off`
Second (final) part of xmlrpc patch. 0000-12-31 18:09:24 -05:50
Redirect users when they don't use the FQDN on both SSL and non-SSL ports We update the mod_nss configuration (nss.conf) during installation to include ipa-rewrite.conf to handle the SSL side. 433054 2008-02-21 15:25:09 -06:00			`# ipa-rewrite.conf is loaded separately`
Require SSL for the XML-RPC interface 2007-10-19 09:14:30 -05:00
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript. 2007-12-12 08:36:32 -06:00			`# This is required so the auto-configuration works with Firefox 2+`
			`AddType application/java-archive jar`

Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`<Proxy *>`
- Abstracted client class to work directly or over RPC - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication - Update tools to use kerberos - Add User class 2007-08-06 09:05:53 -05:00			`AuthType Kerberos`
			`AuthName "Kerberos Login"`
			`KrbMethodNegotiate on`
			`KrbMethodK5Passwd off`
			`KrbServiceName HTTP`
Generate /etc/httpd/conf.d/ipa.conf from a template so the realm can be set during installation 2007-08-06 09:51:23 -05:00			`KrbAuthRealms $REALM`
- Abstracted client class to work directly or over RPC - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication - Update tools to use kerberos - Add User class 2007-08-06 09:05:53 -05:00			`Krb5KeyTab /etc/httpd/conf/ipa.keytab`
			`KrbSaveCredentials on`
			`Require valid-user`
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`ErrorDocument 401 /ipa/errors/unauthorized.html`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00			`RewriteEngine on`
			`Order deny,allow`
			`Allow from all`

Use ticket forwarding with TurboGears. mod_proxy forwards the principal name and location of the keytab. In order for this keytab to be usable TurboGears and Apache will need to run as the same user. We will also need to listen only on localhost in TG. 2007-09-14 16:19:02 -05:00			`RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00
			`# RequestHeader unset Authorization`
			`</Proxy>`

			`# The URI's with a trailing ! are those that aren't handled by the proxy`
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`ProxyPass /ipa/ui http://localhost:8080/ipa/ui`
			`ProxyPassReverse /ipa/ui http://localhost:8080/ipa/ui`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00
			`# Configure the XML-RPC service`
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`Alias /ipa/xml "/usr/share/ipa/ipaserver/XMLRPC"`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00
Re-root the IPA web UI to /ipa and the XML-RPC interface to /ipaxml. 438021 2008-03-24 14:54:55 -05:00			`# This is where we redirect on failed auth`
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`Alias /ipa/errors "/usr/share/ipa/html"`
Re-root the IPA web UI to /ipa and the XML-RPC interface to /ipaxml. 438021 2008-03-24 14:54:55 -05:00
			`# For the MIT Windows config files`
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`Alias /ipa/config "/usr/share/ipa/html"`
Re-root the IPA web UI to /ipa and the XML-RPC interface to /ipaxml. 438021 2008-03-24 14:54:55 -05:00
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00			`<Directory "/usr/share/ipa/ipaserver">`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`AuthType Kerberos`
			`AuthName "Kerberos Login"`
			`KrbMethodNegotiate on`
			`KrbMethodK5Passwd off`
			`KrbServiceName HTTP`
			`KrbAuthRealms $REALM`
			`Krb5KeyTab /etc/httpd/conf/ipa.keytab`
			`KrbSaveCredentials on`
			`Require valid-user`
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`ErrorDocument 401 /ipa/errors/unauthorized.html`
Second (final) part of xmlrpc patch. 0000-12-31 18:09:24 -05:50
			`SetHandler mod_python`
			`PythonHandler ipaxmlrpc`

			`PythonDebug Off`

Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`PythonOption IPADebug Off`
Enable LDAP debugging using the mod_python Apache configuration directive PythonOption IPADebug On/Off 2007-09-21 13:39:52 -05:00
Second (final) part of xmlrpc patch. 0000-12-31 18:09:24 -05:50			`# this is pointless to use since it would just reload ipaxmlrpc.py`
			`PythonAutoReload Off`
			`</Directory>`
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`# Do no authentication on the directory that contains error messages`
Show (hopefully) useful information if the Kerberos connection fails. 2007-09-24 14:20:34 -05:00			`<Directory "/usr/share/ipa/html">`
			`AllowOverride None`
			`Satisfy Any`
			`Allow from all`
			`</Directory>`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00
			`# Protect our CGIs`
			`<Directory /var/www/cgi-bin>`
			`AuthType Kerberos`
			`AuthName "Kerberos Login"`
			`KrbMethodNegotiate on`
			`KrbMethodK5Passwd off`
			`KrbServiceName HTTP`
			`KrbAuthRealms $REALM`
			`Krb5KeyTab /etc/httpd/conf/ipa.keytab`
			`KrbSaveCredentials on`
			`Require valid-user`
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`ErrorDocument 401 /ipa/errors/unauthorized.html`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`</Directory>`

Use a different directory for test programs 2007-09-25 08:50:30 -05:00			`#Alias /ipatest "/usr/share/ipa/ipatest"`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00
Use a different directory for test programs 2007-09-25 08:50:30 -05:00			`#<Directory "/usr/share/ipa/ipatest">`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`# AuthType Kerberos`
			`# AuthName "Kerberos Login"`
			`# KrbMethodNegotiate on`
			`# KrbMethodK5Passwd off`
			`# KrbServiceName HTTP`
			`# KrbAuthRealms $REALM`
			`# Krb5KeyTab /etc/httpd/conf/ipa.keytab`
			`# KrbSaveCredentials on`
			`# Require valid-user`
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`# ErrorDocument 401 /ipa/errors/unauthorized.html`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`#`
			`# SetHandler mod_python`
			`# PythonHandler test_mod_python`
			`#`
			`# PythonDebug Off`
			`#`
			`#</Directory>`