mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 23:23:30 -06:00
move IPA-related http runtime directories to common subdirectory
When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same time, they use a common directory for storing the Apache ccache file. Uninstallation of 'mod_auth_kerb' removes this directory, leading to an invalid CCache path for httpd and authentication failure. Using an IPA-specific directory for credential storage during Apache runtime avoids this issue. https://fedorahosted.org/freeipa/ticket/4973 Reviewed-By: David Kupka <dkupka@redhat.com>
parent
0167919ba8
commit
7ff7b1f533
@ -465,7 +465,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
|
||||
mkdir -p %{buildroot}%{_localstatedir}/run/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache
|
||||
|
||||
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
|
||||
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
|
||||
@ -685,7 +687,9 @@ fi
|
||||
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
|
||||
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
|
||||
# NOTE: systemd specific section
|
||||
%{_tmpfilesdir}/%{name}.conf
|
||||
%attr(644,root,root) %{_unitdir}/ipa.service
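Review bot: The paths, mode and owner of the new ccache directories are written out by hand in both hunks of this section (`install -d -m 0700 …/run/httpd/ipa/krbcache` in the install step, `%dir %attr(0700,apache,apache)` in the file list) and again in `init/systemd/ipa.conf.tmpfiles`, with nothing to keep the lists in agreement. These directories hold Kerberos credential caches, so a later edit that changes mode or owner in only one list would leave RPM and tmpfiles disagreeing about permissions, and which setting applies would presumably depend on whether the host has rebooted since the package was installed. I would add a comment above each group, e.g. `# ccache dirs: keep path, mode and owner identical to init/systemd/ipa.conf.tmpfiles`; the same applies to the tmpfiles section and to the `KRB5CCNAME` and `GssapiDelegCcacheDir` values further down this page.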
|
||||
|
@ -1,4 +1,4 @@
|
||||
.include /usr/lib/systemd/system/httpd.service
|
||||
|
||||
[Service]
|
||||
Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache
|
||||
Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
|
||||
|
@ -1,3 +1,5 @@
|
||||
d /var/run/ipa_memcached 0700 apache apache
|
||||
d /var/run/ipa 0700 root root
|
||||
d /var/run/httpd/clientcaches 0700 apache apache
|
||||
d /var/run/httpd/ipa 0700 apache apache
|
||||
d /var/run/httpd/ipa/clientcaches 0700 apache apache
|
||||
d /var/run/httpd/ipa/krbcache 0700 apache apache
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# VERSION 17 - DO NOT REMOVE THIS LINE
|
||||
# VERSION 18 - DO NOT REMOVE THIS LINE
|
||||
#
|
||||
# This file may be overwritten on upgrades.
|
||||
#
|
||||
@ -66,7 +66,7 @@ WSGIScriptReloading Off
|
||||
AuthName "Kerberos Login"
|
||||
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
|
||||
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
|
||||
GssapiDelegCcacheDir /var/run/httpd/clientcaches
|
||||
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
|
||||
GssapiUseS4U2Proxy on
|
||||
Require valid-user
|
||||
ErrorDocument 401 /ipa/errors/unauthorized.html
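Review bot: Credentials already delegated into `/var/run/httpd/clientcaches` are left where they are when `GssapiDelegCcacheDir` is switched to `/var/run/httpd/ipa/clientcaches`. The spec and tmpfiles sections on this page appear to drop the old directory from their lists without emptying it. Those files are per-user Kerberos ccaches, so on an upgraded host they presumably stay on disk until the tickets expire or the machine reboots. If the upgrade code outside this page does not already handle it, the old files should be removed when the VERSION 18 configuration is applied. The move is also worth recording next to the directive, e.g. `# moved from /var/run/httpd/clientcaches; ccaches left there are stale after upgrade`.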
|
||||
|