Create configuration for MIT Windows kerberos client and install into
http://hostname/config so users can point their MIT client at the IPA server and automatically fetch the configuration.
parent
859291a706
commit
e40c583b12
@ -12,6 +12,9 @@ app_DATA = \
|
|||||||
certmap.conf.template \
|
certmap.conf.template \
|
||||||
kdc.conf.template \
|
kdc.conf.template \
|
||||||
krb5.conf.template \
|
krb5.conf.template \
|
||||||
|
krb5.ini.template \
|
||||||
|
krb.con.template \
|
||||||
|
krbrealm.con.template \
|
||||||
$(NULL)
|
$(NULL)
|
||||||
|
|
||||||
EXTRA_DIST = \
|
EXTRA_DIST = \
|
||||||
|
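--- /dev/null
+++ b/ipa-server/ipa-install/share/krb.con.template
@@ -0,0 +1,2 @@
+$REALM $DOMAIN
+$REALM $DOMAIN admin server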
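--- /dev/null
+++ b/ipa-server/ipa-install/share/krb5.ini.template
@@ -0,0 +1,19 @@
+[libdefaults]
+default_realm = $REALM
+krb4_config = /usr/kerberos/lib/krb.conf
+krb4_realms = /usr/kerberos/lib/krb.realms
+dns_lookup_kdc = true
+
+[realms]
+$REALM = {
+admin_server = $FQDN
+kdc = $FQDN
+default_domain = $REALM
+}
+
+[domain_realm]
+.$DOMAIN = $REALM
+$DOMAIN = $REALM
+
+[logging]
+# kdc = CONSOLE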
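Review bot: `default_domain = $REALM` in `[realms]` puts the realm name where a DNS domain is expected; `default_domain = $DOMAIN` looks like the intent, and krbrealm.con.template has the same pattern with `.$REALM $REALM` on the host/domain side of the mapping. The `krb4_config` and `krb4_realms` values are Unix paths (`/usr/kerberos/lib/...`) that will presumably not exist on a Windows client, so they should be dropped or pointed at the files the client actually installs. A one-line comment at the top of the template saying it is generated for Windows clients and served from `/config` would also help whoever edits it next.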
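--- /dev/null
+++ b/ipa-server/ipa-install/share/krbrealm.con.template
@@ -0,0 +1,3 @@
+.$REALM $REALM
+.$REALM. $REALM
+$REALM $REALM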
@ -175,6 +175,22 @@ class KrbInstance:
|
|||||||
krb5_fd.write(krb5_conf)
|
krb5_fd.write(krb5_conf)
|
||||||
krb5_fd.close()
|
krb5_fd.close()
|
||||||
|
|
||||||
|
# Windows configuration files
|
||||||
|
krb5_ini = template_file(SHARE_DIR+"krb5.ini.template", self.sub_dict)
|
||||||
|
krb5_fd = open("/usr/share/ipa/html/krb5.ini", "w+")
|
||||||
|
krb5_fd.write(krb5_ini)
|
||||||
|
krb5_fd.close()
|
||||||
|
|
||||||
|
krb_con = template_file(SHARE_DIR+"krb.con.template", self.sub_dict)
|
||||||
|
krb_fd = open("/usr/share/ipa/html/krb.con", "w+")
|
||||||
|
krb_fd.write(krb_con)
|
||||||
|
krb_fd.close()
|
||||||
|
|
||||||
|
krb_realm = template_file(SHARE_DIR+"krbrealm.con.template", self.sub_dict)
|
||||||
|
krb_fd = open("/usr/share/ipa/html/krbrealm.con", "w+")
|
||||||
|
krb_fd.write(krb_realm)
|
||||||
|
krb_fd.close()
|
||||||
|
|
||||||
#populate the directory with the realm structure
|
#populate the directory with the realm structure
|
||||||
args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
|
args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
|
||||||
try:
|
try:
|
||||||
|
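Review bot: The three files written under `/usr/share/ipa/html` are created with `open(..., "w+")` and no explicit mode, so whether the web server can read them depends on the umask of the installer process, and nothing here pins the permissions of files that clients will fetch and trust. Setting the mode after each write, for example `os.chmod("/usr/share/ipa/html/krb5.ini", 0644)` (assuming `os` is imported in this module), makes the intended world-readable, root-writable state explicit. The handles are closed by hand, so an exception in `write()` leaks the descriptor; a `try`/`finally` around each write would cover that, and `"w"` is sufficient since the files are never read back. The enclosing method starts and ends outside this hunk.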
@ -6,7 +6,7 @@ ProxyRequests Off
|
|||||||
RewriteEngine on
|
RewriteEngine on
|
||||||
|
|
||||||
RewriteCond %{SERVER_PORT} !^443$$
|
RewriteCond %{SERVER_PORT} !^443$$
|
||||||
RewriteCond %{REQUEST_URI} !^/(errors)/
|
RewriteCond %{REQUEST_URI} !^/(errors|config)/
|
||||||
RewriteRule ^/(.*) https://%{SERVER_NAME}/$$1 [L,R,NC]
|
RewriteRule ^/(.*) https://%{SERVER_NAME}/$$1 [L,R,NC]
|
||||||
|
|
||||||
<Proxy *>
|
<Proxy *>
|
||||||
@ -37,11 +37,13 @@ RewriteRule ^/(.*) https://%{SERVER_NAME}/$$1 [L,R,NC]
|
|||||||
# The URI's with a trailing ! are those that aren't handled by the proxy
|
# The URI's with a trailing ! are those that aren't handled by the proxy
|
||||||
ProxyPass /cgi-bin !
|
ProxyPass /cgi-bin !
|
||||||
ProxyPass /errors !
|
ProxyPass /errors !
|
||||||
|
ProxyPass /config !
|
||||||
ProxyPass /ipa !
|
ProxyPass /ipa !
|
||||||
#ProxyPass /ipatest !
|
#ProxyPass /ipatest !
|
||||||
ProxyPass / http://localhost:8080/
|
ProxyPass / http://localhost:8080/
|
||||||
ProxyPassReverse /cgi-bin !
|
ProxyPassReverse /cgi-bin !
|
||||||
ProxyPassReverse /errors !
|
ProxyPassReverse /errors !
|
||||||
|
ProxyPassReverse /config !
|
||||||
ProxyPassReverse /ipa !
|
ProxyPassReverse /ipa !
|
||||||
#ProxyPassReverse /ipatest !
|
#ProxyPassReverse /ipatest !
|
||||||
ProxyPassReverse / http://localhost:8080/
|
ProxyPassReverse / http://localhost:8080/
|
||||||
@ -50,6 +52,7 @@ ProxyPassReverse / http://localhost:8080/
|
|||||||
|
|
||||||
Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
|
Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
|
||||||
Alias /errors "/usr/share/ipa/html"
|
Alias /errors "/usr/share/ipa/html"
|
||||||
|
Alias /config "/usr/share/ipa/html"
|
||||||
|
|
||||||
<Directory "/usr/share/ipa/ipaserver">
|
<Directory "/usr/share/ipa/ipaserver">
|
||||||
AuthType Kerberos
|
AuthType Kerberos
|
||||||
|
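Review bot: Adding `config` to the exemption in `RewriteCond %{REQUEST_URI} !^/(errors|config)/` means krb5.ini, krb.con and krbrealm.con are served over plain HTTP with no integrity protection, so a client that fetches them automatically will accept a copy altered in transit, including the `kdc` and `admin_server` entries. Unless the Windows clients cannot validate the server certificate, I would leave the condition as `!^/(errors)/` so `/config` is redirected to HTTPS like everything else, or at least document that the HTTP copy is unauthenticated. Separately, `Alias /config "/usr/share/ipa/html"` publishes the same directory as `/errors`, so every file placed there is reachable under both prefixes; a dedicated directory (`Alias /config "<config-dir-placeholder>"`) would keep the two apart. Access control for `/usr/share/ipa/html` is not visible in these hunks.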