freeipa/install/conf/ipa.conf

#
# VERSION 2 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off


#We use xhtml, a file format that the browser validates
DirectoryIndex index.html


# ipa-rewrite.conf is loaded separately

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive        jar


# FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /var/run/httpd/wsgi


# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off


# Turn off mod_msgi handler for errors, config, crl:
<Location "/ipa/errors">
  SetHandler None
</Location>
<Location "/ipa/config">
  SetHandler None
</Location>
<Location "/ipa/crl">
  SetHandler None
</Location>


# Protect /ipa with Kerberos
<Location "/ipa">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>


# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"

# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"

# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>


# For CRL publishing
Alias /ipa/crl "/var/lib/pki-ca/publish"
<Directory "/var/lib/pki-ca/publish">
  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
  Satisfy Any
  Allow from all
</Directory>


#  webUI  is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/static"
<Directory "/usr/share/ipa/static">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>


# Protect our CGIs
<Directory /var/www/cgi-bin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
</Directory>


# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
    AllowOverride None
    Satisfy Any
    Allow from all
    Options ExecCGI
    AddHandler wsgi-script .py
</Directory>
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`#`
Make Proxy directive wildcard match more specific so we can play nicer with other apps. 459061 2008-08-14 10:46:10 -05:00			`# VERSION 2 - DO NOT REMOVE THIS LINE`
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`#`
Second (final) part of xmlrpc patch. 0000-12-31 18:09:24 -05:50			`# LoadModule auth_kerb_module modules/mod_auth_kerb.so`

Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`ProxyRequests Off`
Second (final) part of xmlrpc patch. 0000-12-31 18:09:24 -05:50
Changes to the install and config files to support deploying the javascript code. 2010-08-03 18:42:03 -05:00
			`#We use xhtml, a file format that the browser validates`
SUDO Rule Search and Details Pages The search and details pages for SUDO Rule have been added. Codes that are shared with HBAC have been moved to rule.js. The following methods were renamed for consistency: - ipa_details_load() -> ipa_details_refresh() - ipa_details_display() -> ipa_details_load() The ipa_details_cache has been removed because the cache is now stored in each widget. The index.xhtml has been removed. All references to it has been changed to index.html. The Unselect All checkbox has been fixed. Unnecessary parameter 'container' has been removed. The unit test has been updated and new test data has been added. 2010-11-18 20:17:14 -06:00			`DirectoryIndex index.html`
Changes to the install and config files to support deploying the javascript code. 2010-08-03 18:42:03 -05:00


Redirect users when they don't use the FQDN on both SSL and non-SSL ports We update the mod_nss configuration (nss.conf) during installation to include ipa-rewrite.conf to handle the SSL side. 433054 2008-02-21 15:25:09 -06:00			`# ipa-rewrite.conf is loaded separately`
Require SSL for the XML-RPC interface 2007-10-19 09:14:30 -05:00
Add automatic browser configuration for kerberos SSO using javascript. This uses the UniversalPreferencesWrite function to set the browser preferences to allow negotiation and ticket forwarding in the IPA domain. A self-signed certificate is generated to sign the javascript. 2007-12-12 08:36:32 -06:00			`# This is required so the auto-configuration works with Firefox 2+`
			`AddType application/java-archive jar`

Generate CRLs and make them available from the IPA web server 2009-08-24 12:42:48 -05:00
Run ipaserver under mod_wsgi 2010-02-24 12:29:23 -06:00			`# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package`
			`# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:`
			`WSGISocketPrefix /var/run/httpd/wsgi`
Add mod_python adapter and some UI tuning 2009-10-26 06:16:18 -05:00
Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. 2007-09-10 15:33:01 -05:00
Run ipaserver under mod_wsgi 2010-02-24 12:29:23 -06:00			`# Configure mod_wsgi handler for /ipa`
			`WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500`
			`WSGIProcessGroup ipa`
			`WSGIApplicationGroup ipa`
			`WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa`
			`WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py`
			`WSGIScriptReloading Off`
ipa-server-install now renders UI assets 2009-11-02 15:16:27 -06:00
Add mod_python adapter and some UI tuning 2009-10-26 06:16:18 -05:00
Run ipaserver under mod_wsgi 2010-02-24 12:29:23 -06:00			`# Turn off mod_msgi handler for errors, config, crl:`
Consolidate to single WSGI entry point 2010-02-23 11:53:47 -06:00			`<Location "/ipa/errors">`
			`SetHandler None`
			`</Location>`
			`<Location "/ipa/config">`
			`SetHandler None`
			`</Location>`
			`<Location "/ipa/crl">`
			`SetHandler None`
			`</Location>`


Run ipaserver under mod_wsgi 2010-02-24 12:29:23 -06:00			`# Protect /ipa with Kerberos`
			`<Location "/ipa">`
			`AuthType Kerberos`
			`AuthName "Kerberos Login"`
			`KrbMethodNegotiate on`
			`KrbMethodK5Passwd off`
			`KrbServiceName HTTP`
			`KrbAuthRealms $REALM`
			`Krb5KeyTab /etc/httpd/conf/ipa.keytab`
			`KrbSaveCredentials on`
			`Require valid-user`
			`ErrorDocument 401 /ipa/errors/unauthorized.html`
			`</Location>`


Consolidate to single WSGI entry point 2010-02-23 11:53:47 -06:00			`# This is where we redirect on failed auth`
			`Alias /ipa/errors "/usr/share/ipa/html"`

			`# For the MIT Windows config files`
			`Alias /ipa/config "/usr/share/ipa/html"`

Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`# Do no authentication on the directory that contains error messages`
Show (hopefully) useful information if the Kerberos connection fails. 2007-09-24 14:20:34 -05:00			`<Directory "/usr/share/ipa/html">`
Consolidate to single WSGI entry point 2010-02-23 11:53:47 -06:00			`SetHandler None`
Show (hopefully) useful information if the Kerberos connection fails. 2007-09-24 14:20:34 -05:00			`AllowOverride None`
			`Satisfy Any`
			`Allow from all`
			`</Directory>`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00
Consolidate to single WSGI entry point 2010-02-23 11:53:47 -06:00
			`# For CRL publishing`
			`Alias /ipa/crl "/var/lib/pki-ca/publish"`
Generate CRLs and make them available from the IPA web server 2009-08-24 12:42:48 -05:00			`<Directory "/var/lib/pki-ca/publish">`
Consolidate to single WSGI entry point 2010-02-23 11:53:47 -06:00			`SetHandler None`
Generate CRLs and make them available from the IPA web server 2009-08-24 12:42:48 -05:00			`AllowOverride None`
			`Options Indexes FollowSymLinks`
			`Satisfy Any`
			`Allow from all`
			`</Directory>`

Run ipaserver under mod_wsgi 2010-02-24 12:29:23 -06:00
IPA HTTPD config uses /usr/share/static as target for /ipa/ui 2010-08-06 14:43:27 -05:00			`# webUI is now completely static, and served out of that directory`
			`Alias /ipa/ui "/usr/share/ipa/static"`
Changes to the install and config files to support deploying the javascript code. 2010-08-03 18:42:03 -05:00			`<Directory "/usr/share/ipa/static">`
			`SetHandler None`
			`AllowOverride None`
Ticket Expiration THis patch handles Kerberos ticket expiration in the UI. Additionally it removes the mod_atuh_kerb authorization for elements in the static directory, cutting down on the number of round trips required for initializing the web app Conflicts: install/static/ipa.js 2010-11-05 18:48:42 -05:00			`Satisfy Any`
Changes to the install and config files to support deploying the javascript code. 2010-08-03 18:42:03 -05:00			`Allow from all`
			`</Directory>`


Run ipaserver under mod_wsgi 2010-02-24 12:29:23 -06:00
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`# Protect our CGIs`
			`<Directory /var/www/cgi-bin>`
			`AuthType Kerberos`
			`AuthName "Kerberos Login"`
			`KrbMethodNegotiate on`
			`KrbMethodK5Passwd off`
			`KrbServiceName HTTP`
			`KrbAuthRealms $REALM`
			`Krb5KeyTab /etc/httpd/conf/ipa.keytab`
			`KrbSaveCredentials on`
			`Require valid-user`
Refine our web space some more so that everything we reference is in /ipa UI: /ipa/ui XML-RPC: /ipa/xml errors: /ipa/errors config: /ipa/config I had to hardcode that URI into the CSS pages but TurboGears handles the rest of the translations with tg.url(). Added a version to ipa.conf and ipa-rewrite.conf so we can update them in the future if needed with ipa-upgradeconfig 440443 2008-05-07 08:33:00 -05:00			`ErrorDocument 401 /ipa/errors/unauthorized.html`
Make doing basic testing of Kerberos ticket forwarding and system setup easier. 2007-09-25 07:37:45 -05:00			`</Directory>`

Run ipaserver under mod_wsgi 2010-02-24 12:29:23 -06:00
Add DS migration plugin and password migration page. 2010-01-12 09:40:09 -06:00			`# migration related pages`
			`Alias /ipa/migration "/usr/share/ipa/migration"`
			`<Directory "/usr/share/ipa/migration">`
			`AllowOverride None`
			`Satisfy Any`
			`Allow from all`
Rewrite the migration page using WSGI 2010-10-29 08:38:17 -05:00			`Options ExecCGI`
			`AddHandler wsgi-script .py`
Add DS migration plugin and password migration page. 2010-01-12 09:40:09 -06:00			`</Directory>`