move IPA-related http runtime directories to common subdirectory

When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use a common directory for storing the Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory, leading to an invalid CCache path for
httpd and authentication failure.

Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.

https://fedorahosted.org/freeipa/ticket/4973

Reviewed-By: David Kupka <dkupka@redhat.com>
Martin Babinsky 2015-05-15 15:37:05 +02:00 committed by Jan Cholasta
parent 0167919ba8
commit 7ff7b1f533
4 changed files with 12 additions and 6 deletions


@ -465,7 +465,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
mkdir -p %{buildroot}%{_localstatedir}/run/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
@ -685,7 +687,9 @@ fi
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
# NOTE: systemd specific section
%{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa.service
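Review bot: Nothing in this section deals with the old `%{_localstatedir}/run/httpd/clientcaches` directory on upgrade. Once it drops out of `%files`, rpm only removes it if it is empty, so delegated ccache files already written there would presumably stay on disk until a reboot clears `/var/run`. Those files hold delegated user credentials, so it is worth removing them explicitly in an upgrade scriptlet, for example `rm -f %{_localstatedir}/run/httpd/clientcaches/* 2>/dev/null || :`. The scriptlets are outside this hunk, so this may already be handled elsewhere.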


@ -1,4 +1,4 @@
.include /usr/lib/systemd/system/httpd.service
[Service]
Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache
Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
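Review bot: The new `KRB5CCNAME` value only works if `/var/run/httpd/ipa/krbcache` exists and is owned by apache before httpd starts, and that path is now repeated in the spec file and the tmpfiles entry. A comment on its own line above `Environment=` would make the coupling visible, e.g. `# ccache dir is created via ipa.conf.tmpfiles (0700 apache:apache); keep the paths in sync`. The same applies to `GssapiDelegCcacheDir` in the Apache config hunk, where a missing or mis-owned directory would presumably break credential delegation in the same way.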


@ -1,3 +1,5 @@
d /var/run/ipa_memcached 0700 apache apache
d /var/run/ipa 0700 root root
d /var/run/httpd/clientcaches 0700 apache apache
d /var/run/httpd/ipa 0700 apache apache
d /var/run/httpd/ipa/clientcaches 0700 apache apache
d /var/run/httpd/ipa/krbcache 0700 apache apache
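Review bot: The `clientcaches` line has no Age field, so systemd-tmpfiles never prunes the delegated credential caches written there while the host stays up. If nothing else expires them, consider an age on that entry, e.g. `d /var/run/httpd/ipa/clientcaches 0700 apache apache 1d`, so that unused caches are removed by the periodic tmpfiles cleanup. The `1d` is only an example and should be chosen against the realm's ticket lifetime. Whether mod_auth_gssapi or the IPA framework already removes these files cannot be seen from this hunk.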


@ -1,5 +1,5 @@
#
# VERSION 17 - DO NOT REMOVE THIS LINE
# VERSION 18 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
@ -66,7 +66,7 @@ WSGIScriptReloading Off
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/clientcaches
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
GssapiUseS4U2Proxy on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html