diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template
index 696e5aab1..9154f5653 100644
--- a/install/share/ipa.conf.template
+++ b/install/share/ipa.conf.template
@@ -43,7 +43,7 @@ FileETag None
 # FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
 # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
-WSGISocketPrefix /run/httpd/wsgi
+WSGISocketPrefix $WSGI_PREFIX_DIR
 # Configure mod_wsgi handler for /ipa
@@ -77,10 +77,10 @@ WSGIScriptReloading Off
 # Uncomment the following to have shorter sessions, but beware this may break
 # old IPA client tols that incorrectly parse cookies.
 # SessionMaxAge 1800
- GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+ GssapiSessionKey file:$GSSAPI_SESSION_KEY
 GssapiImpersonate On
- GssapiDelegCcacheDir /var/run/ipa/ccaches
+ GssapiDelegCcacheDir $IPA_CCACHES
 GssapiDelegCcachePerms mode:0660 gid:ipaapi
 GssapiUseS4U2Proxy on
 GssapiAllowedMech krb5
@@ -111,7 +111,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
 # This configuration needs to be loaded after
 AuthType none
- GssapiDelegCcacheDir /var/run/ipa/ccaches
+ GssapiDelegCcacheDir $IPA_CCACHES
 GssapiDelegCcachePerms mode:0660 gid:ipaapi
 NSSVerifyClient require
 NSSUserName SSL_CLIENT_CERT
@@ -126,7 +126,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
 SessionCookieName ipa_session path=/ipa;httponly;secure;
 SessionHeader IPASESSION
 SessionMaxAge 1800
- GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+ GssapiSessionKey file:$GSSAPI_SESSION_KEY
 Header unset Set-Cookie
@@ -146,7 +146,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
 # Custodia stuff is redirected to the custodia daemon
 # after authentication
- ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"
+ ProxyPass "unix:${IPA_CUSTODIA_SOCKET}|http://localhost/keys/"
 RequestHeader set GSS_NAME %{GSS_NAME}s
 RequestHeader set REMOTE_USER %{REMOTE_USER}s
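Review bot: `GssapiDelegCcacheDir $IPA_CCACHES` in the -77 hunk (and again in the -111 hunk) now depends on `paths.IPA_CCACHES`, a constant this commit passes in httpinstance.py but neither adds nor shows. The literal it replaces was `/var/run/ipa/ccaches`, and that directory receives delegated Kerberos credential caches which `GssapiDelegCcachePerms mode:0660 gid:ipaapi` makes group-accessible, so a mismatch with the directory the installer actually creates could break delegation or leave caches under different ownership. Confirm the constant and the code that creates the directory agree on every platform, and consider a template comment such as `# $IPA_CCACHES: ipaapi-group ccache directory created by the installer`.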
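Review bot: The new placeholders use two spellings: `$WSGI_PREFIX_DIR`, `$GSSAPI_SESSION_KEY` and `$IPA_CCACHES` are unbraced like the existing `$CRL_PUBLISH_PATH`, while `${IPA_CUSTODIA_SOCKET}` in the ProxyPass line of the -146 hunk and `${FONTS_DIR}` in the -180 hunk are braced. The braced form is also httpd's own syntax for configuration variables, so a placeholder the installer ever left unsubstituted would reach Apache as a variable reference instead of failing visibly at render time; the rendering code is not in this diff, so whether it is strict cannot be confirmed here. Assuming string.Template-style substitution, the braces are not needed before `|` or `/`, so `"unix:$IPA_CUSTODIA_SOCKET|http://localhost/keys/"` would match the rest of the file.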
@@ -180,9 +180,9 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
 # List explicitly only the fonts we want to serve
-Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans"
-Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome"
-
+Alias /ipa/ui/fonts/open-sans "${FONTS_DIR}/open-sans"
+Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome"
+
 SetHandler None
 AllowOverride None
 Satisfy Any
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 0fe20e4ef..189506d89 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -41,6 +41,7 @@ class BasePathNamespace(object):
 HOSTS = "/etc/hosts"
 ETC_HTTPD_DIR = "/etc/httpd"
 HTTPD_ALIAS_DIR = "/etc/httpd/alias"
+ GSSAPI_SESSION_KEY = "/etc/httpd/alias/ipasession.key"
 OLD_KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem"
 HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/"
 HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
@@ -232,6 +233,7 @@ class BasePathNamespace(object):
 SETUP_DS_PL = "/usr/sbin/setup-ds.pl"
 SMBD = "/usr/sbin/smbd"
 USERADD = "/usr/sbin/useradd"
+ FONTS_DIR = "/usr/share/fonts"
 USR_SHARE_IPA_DIR = "/usr/share/ipa/"
 CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
 IPA_HTML_DIR = "/usr/share/ipa/html"
@@ -365,6 +367,7 @@ class BasePathNamespace(object):
 GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
 KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
 IF_INET6 = '/proc/net/if_inet6'
+ WSGI_PREFIX_DIR = "/run/httpd/wsgi"
 AUTHCONFIG = None
 IPA_SERVER_UPGRADE = '/usr/sbin/ipa-server-upgrade'
 KEYCTL = '/usr/bin/keyctl'
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index 331afa057..f8be05606 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
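Review bot: `WSGI_PREFIX_DIR` in the -365 hunk of ipaplatform/base/paths.py is named as a directory, but its value is substituted into `WSGISocketPrefix`, which mod_wsgi uses as a filename prefix for its daemon sockets rather than a directory. A later caller that trusts the `_DIR` suffix and creates or chowns this path would be acting on the wrong object. Rename it to something like `WSGI_SOCKET_PREFIX`, or at least add `# filename prefix for mod_wsgi daemon sockets, not a directory` above it; the Debian override in ipaplatform/debian/paths.py carries the same name. The class body continues outside the hunk.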
@@ -56,6 +56,7 @@ class DebianPathNamespace(BasePathNamespace):
 SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.service.d/"
 SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.service.d/ipa.conf"
 DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
+ GSSAPI_SESSION_KEY = "/etc/apache2/ipasession.key"
 OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
 SBIN_SERVICE = "/usr/sbin/service"
 CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
@@ -77,6 +78,7 @@ class DebianPathNamespace(BasePathNamespace):
 HTTPD = "/usr/sbin/apache2ctl"
 REMOVE_DS_PL = "/usr/sbin/remove-ds"
 SETUP_DS_PL = "/usr/sbin/setup-ds"
+ FONTS_DIR = "/usr/share/fonts/truetype"
 VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
 VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
 CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
@@ -93,5 +95,6 @@ class DebianPathNamespace(BasePathNamespace):
 IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache"
 IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
 IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
+ WSGI_PREFIX_DIR = "/run/apache2/wsgi"
 paths = DebianPathNamespace()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 186ee4498..d7456980d 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -147,6 +147,11 @@ class HTTPInstance(service.Service):
 DOMAIN=self.domain,
 AUTOREDIR='' if auto_redirect else '#',
 CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
+ FONTS_DIR=paths.FONTS_DIR,
+ GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY,
+ IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
+ IPA_CCACHES=paths.IPA_CCACHES,
+ WSGI_PREFIX_DIR=paths.WSGI_PREFIX_DIR,
 )
 self.ca_file = ca_file
 if ca_is_configured is not None:
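Review bot: The Debian `GSSAPI_SESSION_KEY` in the -56 hunk places the session key at `/etc/apache2/ipasession.key`, directly in the Apache configuration directory rather than under `/etc/apache2/nssdb` like `OLD_KRA_AGENT_PEM` on the next line. The template uses this file as `GssapiSessionKey` next to the `ipa_session` cookie settings, so it should be treated as a secret, and nothing in this diff sets its owner or mode. Confirm that whatever creates or restores the file leaves it readable only by the web-server user, and that any backup or uninstall lists outside this diff use `paths.GSSAPI_SESSION_KEY` rather than the old literal. A comment such as `# mod_auth_gssapi session key; keep 0600, owned by the httpd user` would record the requirement.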
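Review bot: `FONTS_DIR = "/usr/share/fonts/truetype"` in the -77 hunk changes only the parent directory, while the template still appends the fixed subdirectory names `open-sans` and `fontawesome`. Debian font packages do not necessarily use those names (Font Awesome is commonly installed as `font-awesome`), so the `/ipa/ui/fonts/fontawesome` alias may resolve to a missing directory on this platform. Verify against the packaged paths, or make the two font directories separate per-platform constants, e.g. `FONTS_OPENSANS_DIR` and `FONTS_FONTAWESOME_DIR`. As far as the template hunk shows, the same value also names the directory opened with `Satisfy Any`, so narrower constants would keep unauthenticated access limited to the two fonts the comment says are intended.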