Make doing basic testing of Kerberos ticket forwarding and system setup easier.
This commit is contained in:
rcritten@redhat.com 2007-09-25 08:37:45 -04:00
parent fddae7a8a2
commit 0b65e95b57
4 changed files with 203 additions and 12 deletions


@ -1,8 +1,8 @@
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
# Require kerberos authentication for the entire server
ProxyRequests Off
<LocationMatch />
<Proxy *>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
@ -13,11 +13,6 @@
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /errors/unauthorized.html
</LocationMatch>
ProxyRequests Off
<Proxy *>
RewriteEngine on
Order deny,allow
Allow from all
@ -33,35 +28,83 @@ ProxyRequests Off
</Proxy>
# The URI's with a trailing ! are those that aren't handled by the proxy
ProxyPass /errors/ !
ProxyPass /cgi-bin !
ProxyPass /errors !
ProxyPass /ipa !
#ProxyPass /ipatest !
ProxyPass / http://localhost:8080/
ProxyPassReverse /cgi-bin !
ProxyPassReverse /errors !
ProxyPassReverse /ipa !
#ProxyPassReverse /ipatest !
ProxyPassReverse / http://localhost:8080/
# Configure the XML-RPC service
Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
Alias /errors "/usr/share/ipa/html"
<Directory "/usr/share/ipa/ipaserver">
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /errors/unauthorized.html
SetHandler mod_python
PythonHandler ipaxmlrpc
PythonDebug Off
# Some IPA-specific configuration options
PythonOption IPADebug Off
# this is pointless to use since it would just reload ipaxmlrpc.py
PythonAutoReload Off
</Directory>
Alias /errors "/usr/share/ipa/html"
# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
AllowOverride None
Satisfy Any
Allow from all
</Directory>
# Protect our CGIs
<Directory /var/www/cgi-bin>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms $REALM
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /errors/unauthorized.html
</Directory>
#Alias /ipatest "/usr/share/ipa/ipaserver"
#<Directory "/usr/share/ipa/ipaserver">
# AuthType Kerberos
# AuthName "Kerberos Login"
# KrbMethodNegotiate on
# KrbMethodK5Passwd off
# KrbServiceName HTTP
# KrbAuthRealms $REALM
# Krb5KeyTab /etc/httpd/conf/ipa.keytab
# KrbSaveCredentials on
# Require valid-user
# ErrorDocument 401 /errors/unauthorized.html
#
# SetHandler mod_python
# PythonHandler test_mod_python
#
# PythonDebug Off
#
#</Directory>
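Review bot: The commented-out ipatest block at the end of the third hunk declares a second `<Directory "/usr/share/ipa/ipaserver">` for the same filesystem directory that the live `/ipa` block above already configures, with a different `PythonHandler`; once the README's instruction to uncomment it is followed, Apache merges both sections and the later handler setting wins, so enabling the test would presumably also redirect the production XML-RPC path to `test_mod_python`. Point the test at its own directory instead, e.g. `#Alias /ipatest "/usr/share/ipa/ipatest"` with a matching `#<Directory "/usr/share/ipa/ipatest">`, or add a comment above the block such as `# Do not enable alongside /ipa: both sections apply to the same directory and the PythonHandler conflicts`. The three Kerberos blocks (`/ipa`, `/usr/share/ipa/html` neighbour and `/var/www/cgi-bin`) repeat the same nine Krb* directives; a one-line comment naming them as intentionally identical would help anyone editing only one of them.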


@ -0,0 +1,53 @@
Diagnosing Kerberos credentials cache problems is difficult.
The first thing to try is to set LogLevel to debug in
/etc/httpd/conf/httpd.conf and restart Apache.
Look in /var/log/httpd/error_log for any problems.
Also check out /var/log/krb5kdc.log
To simplify things and test just Kerberos ticket forwarding:
The first test is with a CGI:
- copy test.py /var/www/cgi-bin
- chmod +x /var/www/cgi-bin/test.py
- kinit admin (or some other existing user)
- curl -u : --negotiate http://yourhost.fqdn/cgi-bin/test.py
For yourhost.fqdn use the fully-qualified hostname of your webserver.
The output should look something like:
KRB5CCNAME is FILE:/tmp/krb5cc_apache_TiMAbq
Sucessfully bound to LDAP using SASL mechanism GSSAPI
This CGI uses the forwarded credentials to make an authenticated LDAP
connection. If this fails it means that Apache is not properly storing
the kerberos credentials.
If that works, the second test more closely models the way that IPA works.
- copy test_mod_python.py /usr/share/ipa/ipaserver
- uncomment the entries for ipatest in /etc/httpd/conf.d/ipa.conf. There are
entries for ProxyPass and ProxyReversePass, an Alias and a Directory
- restart Apache
- curl -u : --negotiate http://yourhost.fqdn/ipatest/
For yourhost.fqdn use the fully-qualified hostname of your webserver.
The output should look something like:
KRB5CCNAME: FILE:/tmp/krb5cc_apache_c0MU9o<br>
GATEWAY_INTERFACE: CGI/1.1<br>
...
SCRIPT_FILENAME: /usr/share/ipa/ipaserver/<br>
REMOTE_PORT: 45691<br>
REMOTE_USER: rcrit@GREYOAK.COM<br>
AUTH_TYPE: Negotiate<br>
KRB5CCNAME is FILE:/tmp/krb5cc_apache_c0MU9o<br>
Sucessfully bound to LDAP using SASL mechanism GSSAPI<br>
It should print all of the environment variables available to mod_python
and do a GSSAPI LDAP connection.


@ -0,0 +1,42 @@
#!/usr/bin/python
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# A test CGI that tests that the Kerberos credentials cache was created
# properly in Apache.
import ldap
import ldap.sasl
import os
sasl_auth = ldap.sasl.sasl({}, "GSSAPI")
conn = ldap.initialize("ldap://localhost:389/")
conn.protocol_version = 3
print "Content-type: text/plain"
print ""
try:
print "KRB5CCNAME is", os.environ["KRB5CCNAME"]
try:
conn.sasl_interactive_bind_s("", sasl_auth)
except ldap.LDAPError,e:
print "Error using SASL mechanism", sasl_auth.mech, str(e)
else:
print "Sucessfully bound to LDAP using SASL mechanism", sasl_auth.mech
conn.unbind()
except KeyError,e:
print "not set."
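Review bot: The outer `except KeyError` covers the whole bind as well as the `os.environ["KRB5CCNAME"]` lookup, so a KeyError raised anywhere inside `sasl_interactive_bind_s` would be reported as the credentials cache being unset, and `conn.unbind()` is only reached on the success path. Reading the variable with `os.environ.get` first and unbinding in a `finally` keeps the diagnostic honest; the `print "KRB5CCNAME is", ...` trick that relies on Python 2 printing items as they are evaluated also deserves a comment if it is kept. Note that this CGI echoes the ccache path and raw LDAP error text to the client; the accompanying README should say to remove it from `/var/www/cgi-bin` once testing is done.
```python
# … unchanged: imports, sasl_auth / conn setup, Content-type header …
ccname = os.environ.get("KRB5CCNAME")
if ccname is None:
    print "KRB5CCNAME is not set."
else:
    print "KRB5CCNAME is", ccname
    try:
        try:
            conn.sasl_interactive_bind_s("", sasl_auth)
        except ldap.LDAPError, e:
            print "Error using SASL mechanism", sasl_auth.mech, str(e)
        else:
            print "Sucessfully bound to LDAP using SASL mechanism", sasl_auth.mech
    finally:
        conn.unbind()
```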


@ -0,0 +1,53 @@
#!/usr/bin/python
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# A test CGI that tests that the Kerberos credentials cache was created
# properly in Apache.
import ldap
import ldap.sasl
import os
from mod_python import apache
def handler(req):
req.content_type = "text/plain"
req.send_http_header()
do_request(req)
return apache.OK
def do_request(req):
sasl_auth = ldap.sasl.sasl({}, "GSSAPI")
conn = ldap.initialize("ldap://localhost:389/")
conn.protocol_version = 3
req.add_common_vars()
for e in req.subprocess_env:
req.write("%s: %s<br>\n" % (e, req.subprocess_env[e]))
try:
req.write("KRB5CCNAME is %s<br>\n" % req.subprocess_env["KRB5CCNAME"])
os.environ["KRB5CCNAME"] = req.subprocess_env["KRB5CCNAME"]
try:
conn.sasl_interactive_bind_s("", sasl_auth)
except ldap.LDAPError,e:
req.write("Error using SASL mechanism %s %s<br>\n" % (sasl_auth.mech, str(e)))
else:
req.write("Sucessfully bound to LDAP using SASL mechanism %s<br>\n" % sasl_auth.mech)
conn.unbind()
except KeyError,e:
req.write("KRB5CCNAME is not set.")
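Review bot: `os.environ["KRB5CCNAME"] = req.subprocess_env["KRB5CCNAME"]` in `do_request` mutates the process-wide environment of the mod_python interpreter and never restores it, so the per-request ccache path outlives the request: under a prefork MPM it leaks into the next request served by that child, and under a threaded MPM concurrent requests would presumably race on the same variable. Save the previous value and restore (or delete) it in a `finally`, and unbind the connection there too, since the current code skips `conn.unbind()` when the bind fails. The response is also declared `text/plain` yet every line ends in `<br>`; either use `\n` or switch to `text/html` with `cgi.escape` on the environment values, which this test writes to the client unescaped.
```python
def do_request(req):
    # … unchanged: sasl_auth / conn setup, add_common_vars, environment dump …
    try:
        ccname = req.subprocess_env["KRB5CCNAME"]
    except KeyError:
        req.write("KRB5CCNAME is not set.")
        return
    req.write("KRB5CCNAME is %s<br>\n" % ccname)
    saved = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = ccname
    try:
        try:
            conn.sasl_interactive_bind_s("", sasl_auth)
        except ldap.LDAPError, e:
            req.write("Error using SASL mechanism %s %s<br>\n" % (sasl_auth.mech, str(e)))
        else:
            req.write("Sucessfully bound to LDAP using SASL mechanism %s<br>\n" % sasl_auth.mech)
    finally:
        conn.unbind()
        if saved is None:
            del os.environ["KRB5CCNAME"]
        else:
            os.environ["KRB5CCNAME"] = saved
```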