mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
9d32e61ba5
In commit 157831a287 the version bump was forgotten and therefore the
ipa.conf file is not replaced during upgrade and login using certificate when
single certificate is mapped to multiple users doesn't work.
https://pagure.io/freeipa/issue/6860
Reviewed-By: Martin Basti <mbasti@redhat.com>
229 lines
6.3 KiB
Plaintext
229 lines
6.3 KiB
Plaintext
#
|
|
# VERSION 26 - DO NOT REMOVE THIS LINE
|
|
#
|
|
# This file may be overwritten on upgrades.
|
|
#
|
|
|
|
# Load lookup_identity module in case it has not been loaded yet
|
|
# The module is used to search users according the certificate.
|
|
<IfModule !lookup_identity_module>
|
|
LoadModule lookup_identity_module modules/mod_lookup_identity.so
|
|
</IfModule>
|
|
|
|
ProxyRequests Off
|
|
|
|
#We use xhtml, a file format that the browser validates
|
|
DirectoryIndex index.html
|
|
|
|
|
|
# Substantially increase the request field size to support MS-PAC
|
|
# requests, ticket #2767. This should easily support a 64KiB PAC.
|
|
LimitRequestFieldSize 100000
|
|
|
|
# Increase connection keep alive time. Default value is 5 seconds, which is too
|
|
# short for interactive ipa commands. 30 seconds is a good compromise.
|
|
KeepAlive On
|
|
KeepAliveTimeout 30
|
|
|
|
# ipa-rewrite.conf is loaded separately
|
|
|
|
# This is required so the auto-configuration works with Firefox 2+
|
|
AddType application/java-archive jar
|
|
AddType application/x-xpinstall xpi
|
|
|
|
# Proper header for .tff fonts
|
|
AddType application/x-font-ttf ttf
|
|
|
|
# Enable compression
|
|
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
|
|
application/javascript application/json text/css \
|
|
application/x-font-ttf
|
|
|
|
# Disable etag http header. Doesn't work well with mod_deflate
|
|
# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
|
|
# Usage of last-modified header and modified-since validator is sufficient.
|
|
Header unset ETag
|
|
FileETag None
|
|
|
|
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
|
|
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
|
|
WSGISocketPrefix /run/httpd/wsgi
|
|
|
|
|
|
# Configure mod_wsgi handler for /ipa
|
|
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
|
|
user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647
|
|
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
|
|
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
|
|
WSGIScriptReloading Off
|
|
|
|
|
|
# Turn off mod_msgi handler for errors, config, crl:
|
|
<Location "/ipa/errors">
|
|
SetHandler None
|
|
</Location>
|
|
<Location "/ipa/config">
|
|
SetHandler None
|
|
</Location>
|
|
<Location "/ipa/crl">
|
|
SetHandler None
|
|
</Location>
|
|
|
|
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
|
|
<Location "/ipa">
|
|
AuthType GSSAPI
|
|
AuthName "Kerberos Login"
|
|
GssapiUseSessions On
|
|
Session On
|
|
SessionCookieName ipa_session path=/ipa;httponly;secure;
|
|
SessionHeader IPASESSION
|
|
SessionMaxAge 1800
|
|
GssapiSessionKey file:/etc/httpd/alias/ipasession.key
|
|
|
|
GssapiImpersonate On
|
|
GssapiDelegCcacheDir /var/run/ipa/ccaches
|
|
GssapiDelegCcachePerms mode:0660 gid:ipaapi
|
|
GssapiUseS4U2Proxy on
|
|
GssapiAllowedMech krb5
|
|
Require valid-user
|
|
ErrorDocument 401 /ipa/errors/unauthorized.html
|
|
WSGIProcessGroup ipa
|
|
WSGIApplicationGroup ipa
|
|
Header always append X-Frame-Options DENY
|
|
Header always append Content-Security-Policy "frame-ancestors 'none'"
|
|
|
|
# mod_session always sets two copies of the cookie, and this confuses our
|
|
# legacy clients, the unset here works because it ends up unsetting only one
|
|
# of the 2 header tables set by mod_session, leaving the other intact
|
|
Header unset Set-Cookie
|
|
</Location>
|
|
|
|
# Target for login with internal connections
|
|
Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
|
|
|
|
# Turn off Apache authentication for password/token based login pages
|
|
<Location "/ipa/session/login_password">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
# Login with user certificate/smartcard configuration
|
|
# This configuration needs to be loaded after <Location "/ipa">
|
|
<Location "/ipa/session/login_x509">
|
|
AuthType none
|
|
GssapiDelegCcacheDir /var/run/ipa/ccaches
|
|
GssapiDelegCcachePerms mode:0660 gid:ipaapi
|
|
NSSVerifyClient require
|
|
NSSUserName SSL_CLIENT_CERT
|
|
LookupUserByCertificate On
|
|
LookupUserByCertificateParamName "username"
|
|
WSGIProcessGroup ipa
|
|
WSGIApplicationGroup ipa
|
|
GssapiImpersonate On
|
|
|
|
GssapiUseSessions On
|
|
Session On
|
|
SessionCookieName ipa_session path=/ipa;httponly;secure;
|
|
SessionHeader IPASESSION
|
|
SessionMaxAge 1800
|
|
GssapiSessionKey file:/etc/httpd/alias/ipasession.key
|
|
|
|
Header unset Set-Cookie
|
|
</Location>
|
|
|
|
<Location "/ipa/session/change_password">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
<Location "/ipa/session/sync_token">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
# Custodia stuff is redirected to the custodia daemon
|
|
# after authentication
|
|
<Location "/ipa/keys/">
|
|
ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"
|
|
RequestHeader set GSS_NAME %{GSS_NAME}s
|
|
RequestHeader set REMOTE_USER %{REMOTE_USER}s
|
|
</Location>
|
|
|
|
# This is where we redirect on failed auth
|
|
Alias /ipa/errors "/usr/share/ipa/html"
|
|
|
|
# For the MIT Windows config files
|
|
Alias /ipa/config "/usr/share/ipa/html"
|
|
|
|
# Do no authentication on the directory that contains error messages
|
|
<Directory "/usr/share/ipa/html">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
ExpiresActive On
|
|
ExpiresDefault "access plus 0 seconds"
|
|
</Directory>
|
|
|
|
|
|
# For CRL publishing
|
|
Alias /ipa/crl "$CRL_PUBLISH_PATH"
|
|
<Directory "$CRL_PUBLISH_PATH">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Options Indexes FollowSymLinks
|
|
Satisfy Any
|
|
Allow from all
|
|
</Directory>
|
|
|
|
|
|
# List explicitly only the fonts we want to serve
|
|
Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans"
|
|
Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome"
|
|
<Directory "/usr/share/fonts">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
ExpiresActive On
|
|
ExpiresDefault "access plus 1 year"
|
|
</Directory>
|
|
|
|
|
|
# webUI is now completely static, and served out of that directory
|
|
Alias /ipa/ui "/usr/share/ipa/ui"
|
|
<Directory "/usr/share/ipa/ui">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
ExpiresActive On
|
|
ExpiresDefault "access plus 1 year"
|
|
<FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
|
|
ExpiresDefault "access plus 0 seconds"
|
|
</FilesMatch>
|
|
</Directory>
|
|
|
|
# Simple wsgi scripts required by ui
|
|
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
|
|
<Directory "/usr/share/ipa/wsgi">
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
Options ExecCGI
|
|
AddHandler wsgi-script .py
|
|
</Directory>
|
|
|
|
# migration related pages
|
|
Alias /ipa/migration "/usr/share/ipa/migration"
|
|
<Directory "/usr/share/ipa/migration">
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
Options ExecCGI
|
|
AddHandler wsgi-script .py
|
|
</Directory>
|