mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-25 23:56:30 -06:00
Make doing basic testing of Kerberos ticket forwarding and system setup
easier.
This commit is contained in:
parent
fddae7a8a2
commit
0b65e95b57
@ -1,8 +1,8 @@
|
||||
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
|
||||
|
||||
# Require kerberos authentication for the entire server
|
||||
ProxyRequests Off
|
||||
|
||||
<LocationMatch />
|
||||
<Proxy *>
|
||||
AuthType Kerberos
|
||||
AuthName "Kerberos Login"
|
||||
KrbMethodNegotiate on
|
||||
@ -13,11 +13,6 @@
|
||||
KrbSaveCredentials on
|
||||
Require valid-user
|
||||
ErrorDocument 401 /errors/unauthorized.html
|
||||
</LocationMatch>
|
||||
|
||||
ProxyRequests Off
|
||||
|
||||
<Proxy *>
|
||||
RewriteEngine on
|
||||
Order deny,allow
|
||||
Allow from all
|
||||
@ -33,35 +28,83 @@ ProxyRequests Off
|
||||
</Proxy>
|
||||
|
||||
# The URI's with a trailing ! are those that aren't handled by the proxy
|
||||
ProxyPass /errors/ !
|
||||
ProxyPass /cgi-bin !
|
||||
ProxyPass /errors !
|
||||
ProxyPass /ipa !
|
||||
#ProxyPass /ipatest !
|
||||
ProxyPass / http://localhost:8080/
|
||||
ProxyPassReverse /cgi-bin !
|
||||
ProxyPassReverse /errors !
|
||||
ProxyPassReverse /ipa !
|
||||
#ProxyPassReverse /ipatest !
|
||||
ProxyPassReverse / http://localhost:8080/
|
||||
|
||||
# Configure the XML-RPC service
|
||||
|
||||
Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
|
||||
Alias /errors "/usr/share/ipa/html"
|
||||
|
||||
<Directory "/usr/share/ipa/ipaserver">
|
||||
AuthType Kerberos
|
||||
AuthName "Kerberos Login"
|
||||
KrbMethodNegotiate on
|
||||
KrbMethodK5Passwd off
|
||||
KrbServiceName HTTP
|
||||
KrbAuthRealms $REALM
|
||||
Krb5KeyTab /etc/httpd/conf/ipa.keytab
|
||||
KrbSaveCredentials on
|
||||
Require valid-user
|
||||
ErrorDocument 401 /errors/unauthorized.html
|
||||
|
||||
SetHandler mod_python
|
||||
PythonHandler ipaxmlrpc
|
||||
|
||||
PythonDebug Off
|
||||
|
||||
# Some IPA-specific configuration options
|
||||
PythonOption IPADebug Off
|
||||
|
||||
# this is pointless to use since it would just reload ipaxmlrpc.py
|
||||
PythonAutoReload Off
|
||||
</Directory>
|
||||
|
||||
Alias /errors "/usr/share/ipa/html"
|
||||
|
||||
# Do no authentication on the directory that contains error messages
|
||||
<Directory "/usr/share/ipa/html">
|
||||
AllowOverride None
|
||||
Satisfy Any
|
||||
Allow from all
|
||||
</Directory>
|
||||
|
||||
# Protect our CGIs
|
||||
<Directory /var/www/cgi-bin>
|
||||
AuthType Kerberos
|
||||
AuthName "Kerberos Login"
|
||||
KrbMethodNegotiate on
|
||||
KrbMethodK5Passwd off
|
||||
KrbServiceName HTTP
|
||||
KrbAuthRealms $REALM
|
||||
Krb5KeyTab /etc/httpd/conf/ipa.keytab
|
||||
KrbSaveCredentials on
|
||||
Require valid-user
|
||||
ErrorDocument 401 /errors/unauthorized.html
|
||||
</Directory>
|
||||
|
||||
#Alias /ipatest "/usr/share/ipa/ipaserver"
|
||||
|
||||
#<Directory "/usr/share/ipa/ipaserver">
|
||||
# AuthType Kerberos
|
||||
# AuthName "Kerberos Login"
|
||||
# KrbMethodNegotiate on
|
||||
# KrbMethodK5Passwd off
|
||||
# KrbServiceName HTTP
|
||||
# KrbAuthRealms $REALM
|
||||
# Krb5KeyTab /etc/httpd/conf/ipa.keytab
|
||||
# KrbSaveCredentials on
|
||||
# Require valid-user
|
||||
# ErrorDocument 401 /errors/unauthorized.html
|
||||
#
|
||||
# SetHandler mod_python
|
||||
# PythonHandler test_mod_python
|
||||
#
|
||||
# PythonDebug Off
|
||||
#
|
||||
#</Directory>
|
||||
|
53
ipa-server/xmlrpc-server/test/README
Normal file
53
ipa-server/xmlrpc-server/test/README
Normal file
@ -0,0 +1,53 @@
|
||||
Diagnosing Kerberos credentials cache problems is difficult.
|
||||
|
||||
The first thing to try is to set LogLevel to debug in
|
||||
/etc/httpd/conf/httpd.conf and restart Apache.
|
||||
|
||||
Look in /var/log/httpd/error_log for any problems.
|
||||
|
||||
Also check out /var/log/krb5kdc.log
|
||||
|
||||
To simplify things and test just Kerberos ticket forwarding:
|
||||
|
||||
The first test is with a CGI:
|
||||
|
||||
- copy test.py /var/www/cgi-bin
|
||||
- chmod +x /var/www/cgi-bin/test.py
|
||||
- kinit admin (or some other existing user)
|
||||
- curl -u : --negotiate http://yourhost.fqdn/cgi-bin/test.py
|
||||
|
||||
For yourhost.fqdn use the fully-qualified hostname of your webserver.
|
||||
|
||||
The output should look something like:
|
||||
|
||||
KRB5CCNAME is FILE:/tmp/krb5cc_apache_TiMAbq
|
||||
Sucessfully bound to LDAP using SASL mechanism GSSAPI
|
||||
|
||||
This CGI uses the forwarded credentials to make an authenticated LDAP
|
||||
connection. If this fails it means that Apache is not properly storing
|
||||
the kerberos credentials.
|
||||
|
||||
If that works, the second test more closely models the way that IPA works.
|
||||
|
||||
- copy test_mod_python.py /usr/share/ipa/ipaserver
|
||||
- uncomment the entries for ipatest in /etc/httpd/conf.d/ipa.conf. There are
|
||||
entries for ProxyPass and ProxyReversePass, an Alias and a Directory
|
||||
- restart Apache
|
||||
- curl -u : --negotiate http://yourhost.fqdn/ipatest/
|
||||
|
||||
For yourhost.fqdn use the fully-qualified hostname of your webserver.
|
||||
|
||||
The output should look something like:
|
||||
|
||||
KRB5CCNAME: FILE:/tmp/krb5cc_apache_c0MU9o<br>
|
||||
GATEWAY_INTERFACE: CGI/1.1<br>
|
||||
...
|
||||
SCRIPT_FILENAME: /usr/share/ipa/ipaserver/<br>
|
||||
REMOTE_PORT: 45691<br>
|
||||
REMOTE_USER: rcrit@GREYOAK.COM<br>
|
||||
AUTH_TYPE: Negotiate<br>
|
||||
KRB5CCNAME is FILE:/tmp/krb5cc_apache_c0MU9o<br>
|
||||
Sucessfully bound to LDAP using SASL mechanism GSSAPI<br>
|
||||
|
||||
It should print all of the environment variables available to mod_python
|
||||
and do a GSSAPI LDAP connection.
|
42
ipa-server/xmlrpc-server/test/test.py
Normal file
42
ipa-server/xmlrpc-server/test/test.py
Normal file
@ -0,0 +1,42 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 2
|
||||
# of the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
|
||||
# A test CGI that tests that the Kerberos credentials cache was created
|
||||
# properly in Apache.
|
||||
|
||||
import ldap
|
||||
import ldap.sasl
|
||||
import os
|
||||
|
||||
sasl_auth = ldap.sasl.sasl({}, "GSSAPI")
|
||||
conn = ldap.initialize("ldap://localhost:389/")
|
||||
conn.protocol_version = 3
|
||||
|
||||
print "Content-type: text/plain"
|
||||
print ""
|
||||
|
||||
try:
|
||||
print "KRB5CCNAME is", os.environ["KRB5CCNAME"]
|
||||
|
||||
try:
|
||||
conn.sasl_interactive_bind_s("", sasl_auth)
|
||||
except ldap.LDAPError,e:
|
||||
print "Error using SASL mechanism", sasl_auth.mech, str(e)
|
||||
else:
|
||||
print "Sucessfully bound to LDAP using SASL mechanism", sasl_auth.mech
|
||||
conn.unbind()
|
||||
except KeyError,e:
|
||||
print "not set."
|
53
ipa-server/xmlrpc-server/test/test_mod_python.py
Normal file
53
ipa-server/xmlrpc-server/test/test_mod_python.py
Normal file
@ -0,0 +1,53 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 2
|
||||
# of the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
|
||||
# A test CGI that tests that the Kerberos credentials cache was created
|
||||
# properly in Apache.
|
||||
|
||||
import ldap
|
||||
import ldap.sasl
|
||||
import os
|
||||
from mod_python import apache
|
||||
|
||||
def handler(req):
|
||||
req.content_type = "text/plain"
|
||||
req.send_http_header()
|
||||
do_request(req)
|
||||
return apache.OK
|
||||
|
||||
def do_request(req):
|
||||
sasl_auth = ldap.sasl.sasl({}, "GSSAPI")
|
||||
conn = ldap.initialize("ldap://localhost:389/")
|
||||
conn.protocol_version = 3
|
||||
|
||||
req.add_common_vars()
|
||||
|
||||
for e in req.subprocess_env:
|
||||
req.write("%s: %s<br>\n" % (e, req.subprocess_env[e]))
|
||||
|
||||
try:
|
||||
req.write("KRB5CCNAME is %s<br>\n" % req.subprocess_env["KRB5CCNAME"])
|
||||
os.environ["KRB5CCNAME"] = req.subprocess_env["KRB5CCNAME"]
|
||||
|
||||
try:
|
||||
conn.sasl_interactive_bind_s("", sasl_auth)
|
||||
except ldap.LDAPError,e:
|
||||
req.write("Error using SASL mechanism %s %s<br>\n" % (sasl_auth.mech, str(e)))
|
||||
else:
|
||||
req.write("Sucessfully bound to LDAP using SASL mechanism %s<br>\n" % sasl_auth.mech)
|
||||
conn.unbind()
|
||||
except KeyError,e:
|
||||
req.write("KRB5CCNAME is not set.")
|
Loading…
Reference in New Issue
Block a user