Make doing basic testing of Kerberos ticket forwarding and system setup

easier.

ipa-server/xmlrpc-server/ipa.conf

@@ -1,8 +1,8 @@
 # LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
-# Require kerberos authentication for the entire server
+ProxyRequests Off
 
-<LocationMatch />
+<Proxy *>
   AuthType Kerberos
   AuthName "Kerberos Login"
   KrbMethodNegotiate on
@@ -13,11 +13,6 @@
   KrbSaveCredentials on
   Require valid-user
   ErrorDocument 401 /errors/unauthorized.html
-</LocationMatch>
-
-ProxyRequests Off
-
-<Proxy *>
   RewriteEngine on
   Order deny,allow
   Allow from all
@@ -33,35 +28,83 @@ ProxyRequests Off
 </Proxy>
 
 # The URI's with a trailing ! are those that aren't handled by the proxy
-ProxyPass /errors/ !
+ProxyPass /cgi-bin !
+ProxyPass /errors !
 ProxyPass /ipa !
+#ProxyPass /ipatest !
 ProxyPass / http://localhost:8080/
+ProxyPassReverse /cgi-bin !
 ProxyPassReverse /errors !
 ProxyPassReverse /ipa !
+#ProxyPassReverse /ipatest !
 ProxyPassReverse / http://localhost:8080/
 
 # Configure the XML-RPC service
 
 Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
+Alias /errors "/usr/share/ipa/html"
 
 <Directory "/usr/share/ipa/ipaserver">
+  AuthType Kerberos
+  AuthName "Kerberos Login"
+  KrbMethodNegotiate on
+  KrbMethodK5Passwd off
+  KrbServiceName HTTP
+  KrbAuthRealms $REALM
+  Krb5KeyTab /etc/httpd/conf/ipa.keytab
+  KrbSaveCredentials on
+  Require valid-user
+  ErrorDocument 401 /errors/unauthorized.html
 
   SetHandler mod_python
   PythonHandler ipaxmlrpc
   
   PythonDebug Off
 
-  # Some IPA-specific configuration options
-  PythonOption IPADebug Off 
+  PythonOption IPADebug Off
 
   # this is pointless to use since it would just reload ipaxmlrpc.py
   PythonAutoReload Off
 </Directory>
 
-Alias /errors "/usr/share/ipa/html"
-
+# Do no authentication on the directory that contains error messages
 <Directory "/usr/share/ipa/html">
   AllowOverride None
   Satisfy Any
   Allow from all
 </Directory>
+
+# Protect our CGIs
+<Directory /var/www/cgi-bin>
+  AuthType Kerberos
+  AuthName "Kerberos Login"
+  KrbMethodNegotiate on
+  KrbMethodK5Passwd off
+  KrbServiceName HTTP
+  KrbAuthRealms $REALM
+  Krb5KeyTab /etc/httpd/conf/ipa.keytab
+  KrbSaveCredentials on
+  Require valid-user
+  ErrorDocument 401 /errors/unauthorized.html
+</Directory>
+
+#Alias /ipatest "/usr/share/ipa/ipaserver"
+
+#<Directory "/usr/share/ipa/ipaserver">
+#  AuthType Kerberos
+#  AuthName "Kerberos Login"
+#  KrbMethodNegotiate on
+#  KrbMethodK5Passwd off
+#  KrbServiceName HTTP
+#  KrbAuthRealms $REALM
+#  Krb5KeyTab /etc/httpd/conf/ipa.keytab
+#  KrbSaveCredentials on
+#  Require valid-user
+#  ErrorDocument 401 /errors/unauthorized.html
+#
+#  SetHandler mod_python
+#  PythonHandler test_mod_python
+#  
+#  PythonDebug Off
+#
+#</Directory>

ipa-server/xmlrpc-server/test/README

@@ -0,0 +1,53 @@
+Diagnosing Kerberos credentials cache problems is difficult.
+
+The first thing to try is to set LogLevel to debug in
+/etc/httpd/conf/httpd.conf and restart Apache.
+
+Look in /var/log/httpd/error_log for any problems.
+
+Also check out /var/log/krb5kdc.log
+
+To simplify things and test just Kerberos ticket forwarding:
+
+The first test is with a CGI:
+
+- copy test.py /var/www/cgi-bin
+- chmod +x /var/www/cgi-bin/test.py
+- kinit admin (or some other existing user)
+- curl -u : --negotiate http://yourhost.fqdn/cgi-bin/test.py
+
+For yourhost.fqdn use the fully-qualified hostname of your webserver.
+
+The output should look something like:
+
+KRB5CCNAME is FILE:/tmp/krb5cc_apache_TiMAbq
+Sucessfully bound to LDAP using SASL mechanism GSSAPI
+
+This CGI uses the forwarded credentials to make an authenticated LDAP 
+connection. If this fails it means that Apache is not properly storing
+the kerberos credentials.
+
+If that works, the second test more closely models the way that IPA works.
+
+- copy test_mod_python.py /usr/share/ipa/ipaserver
+- uncomment the entries for ipatest in /etc/httpd/conf.d/ipa.conf. There are
+  entries for ProxyPass and ProxyReversePass, an Alias and a Directory
+- restart Apache
+- curl -u : --negotiate http://yourhost.fqdn/ipatest/
+
+For yourhost.fqdn use the fully-qualified hostname of your webserver.
+
+The output should look something like:
+
+KRB5CCNAME: FILE:/tmp/krb5cc_apache_c0MU9o<br>
+GATEWAY_INTERFACE: CGI/1.1<br>
+...
+SCRIPT_FILENAME: /usr/share/ipa/ipaserver/<br>
+REMOTE_PORT: 45691<br>
+REMOTE_USER: rcrit@GREYOAK.COM<br>
+AUTH_TYPE: Negotiate<br>
+KRB5CCNAME is FILE:/tmp/krb5cc_apache_c0MU9o<br>
+Sucessfully bound to LDAP using SASL mechanism GSSAPI<br>
+
+It should print all of the environment variables available to mod_python
+and do a GSSAPI LDAP connection.

ipa-server/xmlrpc-server/test/test.py

@@ -0,0 +1,42 @@
+#!/usr/bin/python
+
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+
+# A test CGI that tests that the Kerberos credentials cache was created
+# properly in Apache.
+
+import ldap
+import ldap.sasl
+import os
+
+sasl_auth = ldap.sasl.sasl({}, "GSSAPI")
+conn = ldap.initialize("ldap://localhost:389/")
+conn.protocol_version = 3
+
+print "Content-type: text/plain"
+print ""
+
+try:
+    print "KRB5CCNAME is", os.environ["KRB5CCNAME"]
+
+    try:
+        conn.sasl_interactive_bind_s("", sasl_auth)
+    except ldap.LDAPError,e:
+        print "Error using SASL mechanism", sasl_auth.mech, str(e)
+    else:
+        print "Sucessfully bound to LDAP using SASL mechanism", sasl_auth.mech
+    conn.unbind()
+except KeyError,e:
+    print "not set."

ipa-server/xmlrpc-server/test/test_mod_python.py

@@ -0,0 +1,53 @@
+#!/usr/bin/python
+
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+
+# A test CGI that tests that the Kerberos credentials cache was created
+# properly in Apache.
+
+import ldap
+import ldap.sasl
+import os
+from mod_python import apache
+
+def handler(req):
+        req.content_type = "text/plain"
+        req.send_http_header()
+        do_request(req)
+        return apache.OK
+
+def do_request(req):
+    sasl_auth = ldap.sasl.sasl({}, "GSSAPI")
+    conn = ldap.initialize("ldap://localhost:389/")
+    conn.protocol_version = 3
+
+    req.add_common_vars()
+
+    for e in req.subprocess_env:
+        req.write("%s: %s<br>\n" % (e, req.subprocess_env[e]))
+
+    try:
+        req.write("KRB5CCNAME is %s<br>\n" % req.subprocess_env["KRB5CCNAME"])
+        os.environ["KRB5CCNAME"] = req.subprocess_env["KRB5CCNAME"]
+    
+        try:
+            conn.sasl_interactive_bind_s("", sasl_auth)
+        except ldap.LDAPError,e:
+            req.write("Error using SASL mechanism %s %s<br>\n" % (sasl_auth.mech, str(e)))
+        else:
+            req.write("Sucessfully bound to LDAP using SASL mechanism %s<br>\n" % sasl_auth.mech)
+        conn.unbind()
+    except KeyError,e:
+        req.write("KRB5CCNAME is not set.")