182fbe3094
kerberos principal name Add an identity and visit class to TurboGears that can handle the user without requiring a database. Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py. It doesn't handle an unauthorized request because that can never happen.
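# LoadModule auth_kerb_module modules/mod_auth_kerb.so

# Require kerberos authentication for the entire server.
# This section is the only access control in this file: the <Proxy *>
# section below uses "Allow from all", so every proxied request depends on
# the "Require valid-user" here having matched first.
# NOTE(review): nothing in this file enforces TLS; confirm that HTTPS is
# required by the enclosing server/vhost configuration.
<LocationMatch />
  AuthType Kerberos
  AuthName "Kerberos Login"

  # Negotiate (SPNEGO) only. The password fallback is switched off, so a
  # client is never prompted to send its Kerberos password to this server.
  KrbMethodNegotiate on
  KrbMethodK5Passwd off

  KrbServiceName HTTP
  # $REALM is presumably substituted when the file is installed - confirm.
  KrbAuthRealms $REALM

  # The keytab holds the long-term key of the HTTP service principal.
  # NOTE(review): verify it is owned by and readable only by the account
  # httpd runs as; anyone who can read it can impersonate this service.
  Krb5KeyTab /etc/httpd/conf/ipa.keytab

  # Delegated client credentials are saved to a credential cache so that
  # request handlers can act as the user. Treat that cache as sensitive.
  KrbSaveCredentials on

  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html
</LocationMatch>
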
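# Reverse proxy only: forward (open) proxying stays disabled, so the only
# targets reachable through this server are the ProxyPass mappings below.
ProxyRequests Off

<Proxy *>
  RewriteEngine on
  # No restriction is applied here; authentication is enforced by the
  # <LocationMatch /> section of this file.
  Order deny,allow
  Allow from all

  # We create a subrequest to find REMOTE_USER. Don't do this for every
  # subrequest too (slow and huge logs result)
  # (The test string previously carried a stray trailing "%", which only
  # matched because the pattern was unanchored; compare the value exactly.)
  RewriteCond %{IS_SUBREQ} ^false$
  RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]

  # "set" replaces any X-Forwarded-User header supplied by the client, so
  # the value seen by the backend always comes from this server.
  # The backend takes this header as the authenticated identity, so it must
  # accept connections only from this proxy: anything else able to reach the
  # backend port can present a header of its own choosing.
  # When RU is not set, mod_headers sends the literal text "(null)"; the
  # backend should treat that value as unauthenticated.
  RequestHeader set X-Forwarded-User %{RU}e

  # NOTE(review): while the next line stays commented out, the client's
  # Authorization header (the Negotiate token) is passed on to the backend.
  # If the backend relies on X-Forwarded-User alone, enabling it keeps the
  # token from leaving this server - confirm before changing.
  # RequestHeader unset Authorization
</Proxy>
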
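# The URIs with a trailing ! are those that aren't handled by the proxy.
# The exclusions are listed before the catch-all "/" mapping so that they
# are matched first.
ProxyPass /errors/ !
ProxyPass /ipa !
# Everything else goes to the backend over plain HTTP on the loopback
# interface. NOTE(review): confirm the backend listens on loopback only.
ProxyPass / http://localhost:8080/
# NOTE(review): the "!" exclusion is documented for ProxyPass; confirm that
# the deployed httpd accepts it for ProxyPassReverse as well. Also note the
# path here is /errors while the ProxyPass exclusion above uses /errors/.
ProxyPassReverse /errors !
ProxyPassReverse /ipa !
ProxyPassReverse / http://localhost:8080/
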
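# Configure the XML-RPC service
# /ipa is excluded from the proxy by the ProxyPass rules in this file and
# is served directly from the directory below.

Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"

# The handler is set on the parent directory, so every request mapped
# anywhere under /usr/share/ipa/ipaserver is passed to ipaxmlrpc.
<Directory "/usr/share/ipa/ipaserver">

  SetHandler mod_python
  PythonHandler ipaxmlrpc

  # Keep Python error details out of the responses sent to clients.
  PythonDebug Off

  # this is pointless to use since it would just reload ipaxmlrpc.py
  PythonAutoReload Off
</Directory>
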