ipaplatform, ipa.conf: Use paths variables in ipa.conf.template

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Timo Aaltonen 2017-03-29 11:33:32 +03:00 committed by Christian Heimes
parent 1adb3edea9
commit e6c707b168
4 changed files with 20 additions and 9 deletions


@ -43,7 +43,7 @@ FileETag None
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package # FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf: # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /run/httpd/wsgi WSGISocketPrefix $WSGI_PREFIX_DIR
# Configure mod_wsgi handler for /ipa # Configure mod_wsgi handler for /ipa
@ -77,10 +77,10 @@ WSGIScriptReloading Off
# Uncomment the following to have shorter sessions, but beware this may break # Uncomment the following to have shorter sessions, but beware this may break
# old IPA client tols that incorrectly parse cookies. # old IPA client tols that incorrectly parse cookies.
# SessionMaxAge 1800 # SessionMaxAge 1800
GssapiSessionKey file:/etc/httpd/alias/ipasession.key GssapiSessionKey file:$GSSAPI_SESSION_KEY
GssapiImpersonate On GssapiImpersonate On
GssapiDelegCcacheDir /var/run/ipa/ccaches GssapiDelegCcacheDir $IPA_CCACHES
GssapiDelegCcachePerms mode:0660 gid:ipaapi GssapiDelegCcachePerms mode:0660 gid:ipaapi
GssapiUseS4U2Proxy on GssapiUseS4U2Proxy on
GssapiAllowedMech krb5 GssapiAllowedMech krb5
@ -111,7 +111,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
# This configuration needs to be loaded after <Location "/ipa"> # This configuration needs to be loaded after <Location "/ipa">
<Location "/ipa/session/login_x509"> <Location "/ipa/session/login_x509">
AuthType none AuthType none
GssapiDelegCcacheDir /var/run/ipa/ccaches GssapiDelegCcacheDir $IPA_CCACHES
GssapiDelegCcachePerms mode:0660 gid:ipaapi GssapiDelegCcachePerms mode:0660 gid:ipaapi
NSSVerifyClient require NSSVerifyClient require
NSSUserName SSL_CLIENT_CERT NSSUserName SSL_CLIENT_CERT
@ -126,7 +126,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
SessionCookieName ipa_session path=/ipa;httponly;secure; SessionCookieName ipa_session path=/ipa;httponly;secure;
SessionHeader IPASESSION SessionHeader IPASESSION
SessionMaxAge 1800 SessionMaxAge 1800
GssapiSessionKey file:/etc/httpd/alias/ipasession.key GssapiSessionKey file:$GSSAPI_SESSION_KEY
Header unset Set-Cookie Header unset Set-Cookie
</Location> </Location>
@ -146,7 +146,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
# Custodia stuff is redirected to the custodia daemon # Custodia stuff is redirected to the custodia daemon
# after authentication # after authentication
<Location "/ipa/keys/"> <Location "/ipa/keys/">
ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/" ProxyPass "unix:${IPA_CUSTODIA_SOCKET}|http://localhost/keys/"
RequestHeader set GSS_NAME %{GSS_NAME}s RequestHeader set GSS_NAME %{GSS_NAME}s
RequestHeader set REMOTE_USER %{REMOTE_USER}s RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location> </Location>
@ -180,9 +180,9 @@ Alias /ipa/crl "$CRL_PUBLISH_PATH"
# List explicitly only the fonts we want to serve # List explicitly only the fonts we want to serve
Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans" Alias /ipa/ui/fonts/open-sans "${FONTS_DIR}/open-sans"
Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome" Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome"
<Directory "/usr/share/fonts"> <Directory "${FONTS_DIR}">
SetHandler None SetHandler None
AllowOverride None AllowOverride None
Satisfy Any Satisfy Any
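Review bot: The new placeholders mix two spellings: `$WSGI_PREFIX_DIR`, `$GSSAPI_SESSION_KEY` and `$IPA_CCACHES` are bare, while `${IPA_CUSTODIA_SOCKET}` and `${FONTS_DIR}` use braces, and the existing `$CRL_PUBLISH_PATH` alias uses the bare form. `${NAME}` is also httpd's own syntax for `Define`d and environment variables, so if a key were ever missing from the installer's substitution dict and the renderer left the text in place (not visible here), httpd would try to resolve it itself instead of the mistake standing out. The bare form should work in both places because `|` and `/` end the name, e.g. `ProxyPass "unix:$IPA_CUSTODIA_SOCKET|http://localhost/keys/"` and `Alias /ipa/ui/fonts/open-sans "$FONTS_DIR/open-sans"`, assuming the template is rendered with `string.Template`-style rules.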


@ -41,6 +41,7 @@ class BasePathNamespace(object):
HOSTS = "/etc/hosts" HOSTS = "/etc/hosts"
ETC_HTTPD_DIR = "/etc/httpd" ETC_HTTPD_DIR = "/etc/httpd"
HTTPD_ALIAS_DIR = "/etc/httpd/alias" HTTPD_ALIAS_DIR = "/etc/httpd/alias"
GSSAPI_SESSION_KEY = "/etc/httpd/alias/ipasession.key"
OLD_KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem" OLD_KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem"
HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/" HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/"
HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf" HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
@ -232,6 +233,7 @@ class BasePathNamespace(object):
SETUP_DS_PL = "/usr/sbin/setup-ds.pl" SETUP_DS_PL = "/usr/sbin/setup-ds.pl"
SMBD = "/usr/sbin/smbd" SMBD = "/usr/sbin/smbd"
USERADD = "/usr/sbin/useradd" USERADD = "/usr/sbin/useradd"
FONTS_DIR = "/usr/share/fonts"
USR_SHARE_IPA_DIR = "/usr/share/ipa/" USR_SHARE_IPA_DIR = "/usr/share/ipa/"
CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif" CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
IPA_HTML_DIR = "/usr/share/ipa/html" IPA_HTML_DIR = "/usr/share/ipa/html"
@ -365,6 +367,7 @@ class BasePathNamespace(object):
GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf' GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
KRB5CC_HTTPD = '/tmp/krb5cc-httpd' KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
IF_INET6 = '/proc/net/if_inet6' IF_INET6 = '/proc/net/if_inet6'
WSGI_PREFIX_DIR = "/run/httpd/wsgi"
AUTHCONFIG = None AUTHCONFIG = None
IPA_SERVER_UPGRADE = '/usr/sbin/ipa-server-upgrade' IPA_SERVER_UPGRADE = '/usr/sbin/ipa-server-upgrade'
KEYCTL = '/usr/bin/keyctl' KEYCTL = '/usr/bin/keyctl'
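Review bot: `WSGI_PREFIX_DIR` is named as a directory, but its value feeds `WSGISocketPrefix`, which mod_wsgi uses as a path prefix for socket file names rather than as a directory; the same name is repeated in the Debian namespace. A comment such as `# value for WSGISocketPrefix: a socket path prefix, not a directory` would keep later code from creating or chmod-ing it as a directory. `GSSAPI_SESSION_KEY` would likewise benefit from `# mod_auth_gssapi session key file (secret); not derived from HTTPD_ALIAS_DIR`, since the literal repeats that directory and a platform override has to set both. The class body starts and ends outside these hunks.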


@ -56,6 +56,7 @@ class DebianPathNamespace(BasePathNamespace):
SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.service.d/" SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.service.d/"
SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.service.d/ipa.conf" SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.service.d/ipa.conf"
DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key" DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
GSSAPI_SESSION_KEY = "/etc/apache2/ipasession.key"
OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem" OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
SBIN_SERVICE = "/usr/sbin/service" SBIN_SERVICE = "/usr/sbin/service"
CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s" CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
@ -77,6 +78,7 @@ class DebianPathNamespace(BasePathNamespace):
HTTPD = "/usr/sbin/apache2ctl" HTTPD = "/usr/sbin/apache2ctl"
REMOVE_DS_PL = "/usr/sbin/remove-ds" REMOVE_DS_PL = "/usr/sbin/remove-ds"
SETUP_DS_PL = "/usr/sbin/setup-ds" SETUP_DS_PL = "/usr/sbin/setup-ds"
FONTS_DIR = "/usr/share/fonts/truetype"
VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/" VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5." VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
CACERT_PEM = "/var/lib/krb5kdc/cacert.pem" CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
@ -93,5 +95,6 @@ class DebianPathNamespace(BasePathNamespace):
IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache" IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache"
IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock" IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log' IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
WSGI_PREFIX_DIR = "/run/apache2/wsgi"
paths = DebianPathNamespace() paths = DebianPathNamespace()
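Review bot: Overriding `FONTS_DIR` to `/usr/share/fonts/truetype` moves only the parent directory; the template still appends the fixed names `open-sans` and `fontawesome`, so the Debian aliases resolve only if the font packages install directories with exactly those names under `truetype`. That layout is not visible on this page and is worth confirming on a Debian host, since a mismatch would leave the web UI font URLs unresolved. Separately, `GSSAPI_SESSION_KEY = "/etc/apache2/ipasession.key"` places the session key directly in the main Apache configuration directory rather than beside the NSS database, and a comment stating the expected owner and mode of that file would help packagers.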


@ -147,6 +147,11 @@ class HTTPInstance(service.Service):
DOMAIN=self.domain, DOMAIN=self.domain,
AUTOREDIR='' if auto_redirect else '#', AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR, CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
FONTS_DIR=paths.FONTS_DIR,
GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY,
IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
IPA_CCACHES=paths.IPA_CCACHES,
WSGI_PREFIX_DIR=paths.WSGI_PREFIX_DIR,
) )
self.ca_file = ca_file self.ca_file = ca_file
if ca_is_configured is not None: if ca_is_configured is not None:
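Review bot: The template now takes the session key path from `paths.GSSAPI_SESSION_KEY`, so any installer code that still spells `/etc/httpd/alias/ipasession.key` literally (key cleanup on uninstall, backup or restore file lists) would disagree with the rendered config on platforms that override the path, and could leave a stale key file behind. Nothing of that kind is visible in this hunk, so this is a request to search for the old literal rather than a confirmed defect. A short comment above the new keys, such as `# platform paths substituted into ipa.conf.template`, would also make the pairing with the template explicit. The enclosing call and method begin before the hunk and continue after it.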